Abstract: This Article outlines two versions of cyberlaw. The first, characteristic of the scholarship of the late 1990s, is typified by a borderless Internet and national laws that cease to have effect at their real-space borders, the regulatory power of code, and the virtue of self-regulatory solutions to Internet and e-commerce issues. In Cyberlaw 2.0, the borderless Internet becomes bordered, bordered laws become borderless, the regulation of code becomes regulated code, and self-regulation becomes industry consultation, as government shifts toward a more traditional regulatory approach. The Article assesses each of these changes, calling attention to recent developments in copyright law, domain name dispute resolution, privacy, and Internet governance. At the heart of each is the question of the appropriate governmental role in Internet regulation and the need for cyberlaw to reconcile how government and regulation fit within the tensions of ever-changing technologies.
The private sector should lead. Though government played a role in financing the initial development of the Internet, its expansion has been driven primarily by the private sector. For electronic commerce to flourish, the private sector must continue to lead.
—President William J. Clinton and Vice President Albert Gore, Jr., Framework for Global Electronic Commerce, October 19971
The 1990s was a time of unlimited possibility for the Internet. Fuelled by the seemingly insatiable appetite for anything “cyber,” the globe was abuzz over the new economy and the race to replace bricks with clicks. From e-commerce to e-mail, the Internet stood ready to transform society’s commercial and communications fabric.
For many, the Internet was also primed to create a sea-change in the law, with many maintaining that fitting traditional regulatory mechanisms into the online environment was the equivalent of squeezing a square peg into a round hole. Governments around the world became early adherents to this belief. Citing the convergence of borderless networks, laws that ended at national borders, and the regulatory power of computer code, governments willingly yielded Internet policy development to private-sector-led, self-regulatory initiatives.2
Today the Internet still represents a medium of great potential but the shine is clearly off the apple. The dot-com crash has led to a reexamination of the impact of the Internet, with many now acknowledging that the opportunity to purchase pet food or CDs online does not a revolution make.3 For many companies and consumers, the Internet is a supplement—not a replacement—to their daily commercial and communication activities.
And what of cyberlaw? It too is undergoing a reevaluation as the new challenges of Internet regulation may not be as insurmountable as we had been led to believe. Version 1.0 of cyberlaw is rapidly giving way to version 2.0, and with it, the emphasis is shifting from a borderless network to borderless law, from code that regulates to code that is regulated, and from self-regulation to government regulation.
This Article explores these two versions of cyberlaw. It argues that we must take note of this metamorphosis because it provides clear signs of the future of Internet regulation. At the core of this examination of cyberlaw is the role of government in the online world. Whether government is characterized as a willing bystander, a powerless policymaker, or a proactive regulatory force that knows no boundaries, cyberlaw must reconcile how government and regulation fit within the tensions of ever-changing technologies.
Although no single event or work can lay claim to capturing the early essence of cyberlaw, one e-mail comes close. John Perry Barlow’s e-mail, known as the “Declaration of the Independence of Cyberspace,”4 served as a clarion call for a new regulatory approach to the Internet, and gave a voice to thousands of “netizens” who watched with increasing anxiety as seemingly overnight the Internet was transformed into a commercial, regulated space. Barlow penned his declaration one day after the U.S. Congress enacted the Communications Decency Act of 1996 (CDA),5 the first national U.S. attempt at Internet content regulation. Although relatively unremarkable by today’s standards, the CDA galvanized the Internet community into action, culminating with the 1997 U.S. Supreme Court ruling that declared the CDA unconstitutional.6 Barlow’s declaration left little doubt about his view of the appropriate role for government in cyberspace:
Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather . . . . Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders.7
The Barlow declaration was soon followed by what is likely the most cited cyberlaw article yet written: David Post and David John[*PG326]son’s Law and Borders: The Rise of Law in Cyberspace.8 The Post and Johnson article added legal clout to the passion of the Barlow declaration, positing that cyberspace was cut off from the rule-making institutions of the physical world.9 The authors argued that geographic, physical borders are a necessary precondition for effective and legitimate law making because it is within those borders that rules are enforced and legitimated by the general public.10 They maintained that the Internet undermines this dynamic, suggesting that it operates independent of real space and with no identifiable borders.11 Given this dilemma, Post and Johnson advocated considering cyberspace as a separate “place,” governed by its own legal framework.12 The sole border would be one dividing the virtual from the physical; by entering cyberspace, a person would literally enter a new jurisdiction.13 The inhabitants would govern this new space, and the authors advocated a decentralized, self-regulatory model in which Internet users created rules best suited to their needs.14
Although the Post and Johnson article generated immediate challenges from some scholars with many dismissing the “cyberspace as a place” school of thought,15 the belief in the virtually insurmountable legal complications created by bordered laws mapped onto a borderless Internet became a truism amongst many observers.16 In fact, many courts accepted this notion, which is reflected by the reluctance to even consider the possibility of mapping geographic borders to the online world. For example, in American Library Ass’n v. Pataki, a [*PG327]Commerce Clause challenge to a New York state law targeting Internet content classified as obscene, the court characterized geography on the Internet in the following manner:
The Internet is wholly insensitive to geographic distinctions. In almost every case, users of the Internet neither know nor care about the physical location of the Internet resources they access. Internet protocols were designed to ignore rather than document geographic location; while computers on the network do have “addresses,” they are logical addresses on the network rather than geographic addresses in real space. The majority of Internet addresses contain no geographic clues and, even where an Internet address provides such a clue, it may be misleading.17
The second defining principle of cyberlaw was the regulatory power of code—that is, “how the software and hardware that makes cyberspace what it is regulate cyberspace as it is.”18 Although Lawrence Lessig is most closely associated with this principle, due in large measure to his seminal work, Code and Other Laws of Cyberspace,19 others such as Joel Reidenberg were also early advocates.20 As Lessig argued in one of his early pieces, The Constitution of Code,
[C]ode . . . regulates behavior in cyberspace. The code, or the software that makes cyberspace as it is, constitutes a set of constraints on how one can behave in cyberspace. The substance of these constraints vary, but they are experienced as conditions on one’s access to cyberspace. In some places, one must enter a password before one gains access; in other places, one can enter whether identified or not. In some places, the transactions that one engages produce traces that link the transactions (the mouse droppings) back to the individual; in other places, this link is achieved only if one wants. In some places, one can select to speak a language that only the recipient can hear (through encryption); in [*PG328]other places encryption is not an option. The code or software or architecture or protocols set these features; they are features selected by code writers; they constrain some behavior by making other behavior possible, or impossible. They too are regulations.21
Lessig’s argument, developed in several other articles prior to the release of Code and Other Laws of Cyberspace,22 noted that not only could technology influence the regulatory framework, but that it could be the regulatory framework.23 Reidenberg also called attention to the power of technology, suggesting that traditional American and European approaches to regulatory policy making are ineffective when applied to the Internet.24 Instead, Reidenberg noted that “a network governance paradigm must emerge to recognize the complexity of regulatory power centers, [and] utilize new policy instruments such as technical standardization to achieve regulatory objectives.”25
Lessig identified not only the power of the underlying computer code, but foreshadowed the next stage of cyberlaw development: the need for government to “harness” it.26 In Code and Other Laws of Cyberspace, Lessig claimed that “not only can the government take . . . steps to reassert its power to regulate, but that it should. Government should push the architecture of the Net to facilitate its regulation, or else it will suffer what can only be described as a loss of sovereignty.”27
In the late 1990s, Lessig’s call for government to regulate code went largely unheeded. Buoyed by the perceived potential of e-commerce and claims that governmental intervention would serve only to stifle the development of the Internet, governments were generally all too happy to adopt self-regulatory frameworks that left policy leadership to the private sector. For example, on July 1, 1997, President Clinton released a report entitled Framework for Global Electronic [*PG329]Commerce, articulating guiding policy principles, including private sector leadership; avoidance of undue governmental restrictions on e-commerce; the enforcement of a predictable, minimalist, consistent, and simple legal environment for commerce; the recognition of the unique qualities of the Internet; and the facilitation of electronic commerce on a global basis.28 The European Union declaration, released one week after the U.S. framework, followed the United States’ lead and called for, among other things, a key role for the private sector, the development of a clear and predictable regulatory framework, and the recognition of the special characteristics and fundamentally transnational nature of the Internet.29
Not surprisingly, global corporations encouraged the self-regulatory approach. For example, the Global Business Dialogue on E-Commerce (GBDe), an e-commerce corporate policy and lobbying group with dozens of multinational corporations among its membership, maintained,
[T]he pace and scope of change requires business to play a leadership role in working with governments, governmental organizations, business groups, consumer organizations and other stakeholders to develop an effective e-commerce framework that is global, market-driven and flexible. . . . [E]-commerce policy solutions should be market-driven and based on industry self-regulation wherever possible.
. . . .
. . . Conventional regulatory structures seem to be less capable of coping with the challenges of converging markets. The GBDe believes priority must be given to self-regulation and policy cooperation rather than over-regulation. Only in providing for continued market dynamism will a policy framework enable the converging process to realize its full potential, as well as allowing electronic commerce to reap the largest benefit from the convergence melting pot.30
[*PG330] Even with the most contentious policy matters, governments frequently seemed willing to oblige industry and the private sector. The Deputy Chairman of Australia’s Broadcast Authority, one of the few government agencies among Organisation for Economic Co-opera-tion and Development (OECD) member states actively to enforce an online content regulatory framework,31 noted in a 1998 speech,
It is clear that there is a broad level of international consensus emerging about some basic principles for the governance of cyberspace. These have been articulated in North America, Europe and the Asia Pacific region, including Australia . . . . The use of the terminology “Legal Framework for Cyberspace” might best be avoided, carrying as it does unnecessary and inappropriate overtones of heavy-handed interference, when what is really being proposed is simply a body of broad principles largely based on the notion of international cooperation, national responsibility and industry self-regulation.32
Similarly, the European Commission, in conjunction with the European Parliament and the European Council—bodies not known for regulatory reticence—developed an overtly self-regulatory “Action Plan” in 1997.33
[*PG331] Implicit in emerging cyberlaw principles was the limited role for government in the regulation of the Internet.34 The borderless Internet perspective suggested that traditional governmental organizations lacked the moral authority to exert regulatory control over the online environment because the relationship between citizen and state changed dramatically given the ability for the “governed” to move freely between online spaces without regard to national borders.35 With the reach of national laws ending at national borders, the right of states to regulate online conduct, which frequently occurred outside national borders, was diminished.
Proponents of regulatory code argued that government was increasingly powerless to regulate the online environment. In the battle between East Coast Code (traditional regulation, which directs behavior) and West Coast Code (regulation, by the software code, of cyberspace), initially West Coast Code would prevail, leaving government without its customary methodology for regulating online behavior.36 Although Lessig acknowledged that government could seek to regulate code, he maintained that its ability to do so was directly related to the type of code or architecture of the Internet in question; thus, open source code is far less regulable than proprietary software code.37
Advocates of self-regulation promoted the view that government was an inefficient and ineffective regulator of the online environment. This was a vision of government as too slow and too removed from the realities of the Internet marketplace—in a sense too Lud[*PG332]dite—to regulate effectively.38 Far better, self-regulation advocates would argue, to allow those parties who “get it” to set the rules unconstrained by government and guided by self-interest and the market.39
Government may have been willing to step aside during the commercial Internet’s nascent years, but no longer. With every aspect of the Internet regulatory environment undergoing renewed analysis, the next generation of cyberlaw looks to be dramatically different from its predecessor. In Cyberlaw 2.0, the borderless Internet becomes bordered, bordered laws become borderless, the regulation of code becomes regulated code, and self-regulation becomes industry consultation, as government shifts toward a more traditional regulatory approach. This vision of cyberlaw exacerbates competing policy tensions, pitting government against government, government against industry, and government against citizen.
The vision of a borderless Internet riding roughshod over laws that stop at national borders may have captured the imagination of many in the Internet community in the mid-1990s,40 but today it has become increasingly clear that the reverse may actually be true. Supported by businesses unwilling to abandon longstanding business models based on traditional geographic borders, several companies are rapidly creating new tools that allow for effective (though imperfect) geographic identification on the Internet. Governments, meanwhile, unwilling to concede that national laws are limited to national borders, are increasingly turning to explicitly extra-territorial legislation.
The result is an emerging legal framework that threatens the national sovereignty of many smaller countries, though not for reasons one would expect. Version 1.0 of cyberlaw was highlighted by the inability to enforce national laws against activities with local effects occurring outside the jurisdiction, which served as the primary threat to [*PG333]national sovereignty. In version 2.0, the greater challenge is proving to be aggressive extra-territorial statutes that hamper states’ ability to enforce national law and policy inside the jurisdiction.
Because both business and government share a vested interest in bringing geographic borders to the online environment (albeit for different reasons), it should come as little surprise that technologies facilitating geographic identification have so quickly arrived onto the marketplace. Although critics often point to the inaccuracy of these technologies,41 few users of the technology actually require perfection.42 Businesses either want to target their message to consumers in a specific geographic area or to engage in “jurisdictional avoidance.”43 Governments, on the other hand, often want to engage in geographic identification so that they can more easily identify when laws are triggered. For example, the State of Nevada recently enacted legislation that paves the way for the Nevada State Gaming Commission to legalize online gambling.44 Jurisdictional identification is central to the new legislation:
The commission may not adopt regulations governing the licensing and operation of interactive gaming until the commission first determines that:
(a) Interactive gaming can be operated in compliance with all applicable laws;
(b) Interactive gaming systems are secure and reliable, and provide reasonable assurance that players will be of lawful age and communicating only from jurisdictions where it is lawful to make such communications.45
[*PG334] Geographic identification has actually been utilized on the Internet on a relatively primitive scale for some time. For example, Internet Protocol (IP) lookups, which determine approximate user locations by referencing the user’s IP address against databases listing Internet Service Provider (ISP) server locations, had been used by Microsoft until last year to comply with U.S. regulations prohibiting the export of strong-encryption Web browser software.46 Although imperfect, the process was viewed as sufficiently effective to meet the standards imposed by the regulations.47
Recently, several companies have begun offering more sophisticated versions of these technologies. Akamai, an e-business service and software provider, provides a geographic identification service called EdgeScape, which maps user IP addresses to their geographic location and network point of origin.48 This information is then assembled into a database and made available to EdgeScape customers. Each time a user accesses a client’s Web site, EdgeScape provides data detailing the country from which the user is accessing the site, the geographic region within that country (i.e., state or province), and the name of the user’s origin network.49 Similarly, Quova, a California-based company, has developed GeoPoint, which boasts ninety-eight percent accuracy in determining Web users’ country of origin and eighty-five percent accuracy when drilling down to the city level.50
Businesses are implementing these technologies with increasing frequency as they seek to replicate offline business models online. For example, CinemaNow Inc., a California-based online distributor of feature-length films, uses the technology to limit distribution of the films to ensure compliance with distribution-license agreements that [*PG335]vary by country.51 Similarly, Internet users accessing Movielink.com, a U.S. Internet movie rental Web site, who are identified as coming from outside the United States are advised that the site is not available to non-U.S. residents and denied further access to the Web site.52 Even Google, the world’s most popular search engine, has acknowledged using these technologies to meet variations in local laws by delivering different search results to users in different countries.53
The power to map geography onto the Internet calls into question claims of a borderless Internet. Although many Internet users do indeed experience a “borderless” Internet as they effortlessly visit sites worldwide at the click of a mouse, users themselves are not borderless. They are located in physical places that with increasing frequency can be identified by the Web sites they visit. As Web sites filter content or alter user experiences based on geographic origin, they begin the process of bordering the Internet.54 Although previously the same network for all users whether accessed in Atlanta or Auckland, the Internet is fast becoming a bordered medium that varies noticeably depending upon geographic location of the user.
Although the bordered Internet deservedly garners increasing attention, the emergence of borderless digital laws deserves even greater scrutiny. Copyright law, for instance, though typically regarded as national legislation, is increasingly being extended beyond national borders. The case of Dimitri Sklyarov, a Russian software programmer, and his employer, Elcomsoft, illustrates the explicitly [*PG336]extra-territorial nature of the Digital Millennium Copyright Act (DMCA), the flagship U.S. digital copyright statute.55
Sklyarov, the author of a software program that undermined the encryption used by Adobe in its e-book software, visited Las Vegas, Nevada in July 2001 to present a paper on the strengths and weaknesses of software used to protect electronic books.56 When Adobe became aware of his planned appearance, it approached the FBI to seek its intervention into the matter.57 Armed with information from the company about the piracy potential of the software program, the FBI prepared an arrest warrant and detained Skylarov after he delivered his conference presentation.58
Spurred by Skylarov’s arrest, the global online community mobilized into action. A “Boycott Adobe” Web site was hastily constructed outlining how Skylarov’s software program featured many legitimate uses, such as the ability to make backup copies of e-books or to read e-books on other devices owned by the same user.59 Software programmers voiced their concern, indicating that the arrest would make many think twice before visiting the United States lest they suffer the same fate as Skylarov (who faced up to twenty-five years in prison, and fines up to $2.25 million).60 Civil liberties groups also became involved, organizing protests at Adobe’s offices and expressing dismay that it had become a criminal offense under U.S. copyright law merely to distribute information about a device that could be used to break technology protecting digital copyright.61
After a month in jail, Sklyarov was released on bail; charges were later dropped against Sklyarov, but charges remained against his em[*PG337]ployer, Elcomsoft (which faced fines up to $500,000).62 Elcomsoft’s first legal response was to file a motion to dismiss on the grounds that they represented an extra-territorial application of U.S. copyright law against a Russian company that had acted in accordance with its own national law.63 The motion argued,
[A]lthough the importance of regulating the activities prohibited under section 1201 may be significant to the United States, application of the law is not consistent with the traditions of the international system, as its application to a foreign corporation for activities that occurred in cyberspace would conflict with the laws of Russia. Elcomsoft is a Russian company that conducted its activities consistent with the laws of that country. Russian law permits the development and sale of the AEBPR [Advanced eBook Processor] program. If this court were to find that it has jurisdiction over Elcomsoft pursuant to an alleged violation of section 1201 of title 17 of the United States Code, this court would be subjecting Elcomsoft to a law that conflicts with the regulations of another sovereignty.64
Although presiding Judge Ronald M. Whyte denied the defense motion to dismiss, finding that the conduct in question occurred in the United States,65 the response brief from the U.S. Attorney’s Office [*PG338]is instructive.66 It argued that the plain language of the DMCA clearly applies extra-territorially, noting that section 1201(b), the section at issue, states that it is unlawful to “manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof.” 67 According to the U.S. Attorney’s Office, the inclusion of the word “import” within the statute demonstrates “Congress’ intent to extend the DMCA beyond the borders of the United States.”68
The Elcomsoft jurisdictional issues are not an anomaly—in fact, the DMCA regularly influences behavior outside the borders of the United States, often to the consternation of other countries.69 For example, Canada is currently engaged in a digital copyright reform process that is considering how to implement the World Intellectual Property Organization (WIPO) copyright treaties into national legislation.70 As part of the reform process, Industry Canada and Canadian Heritage, the two ministries jointly responsible for Canadian copyright policy, sponsored a cross-country consultation involving “town hall” meetings in various cities across Canada in the spring of 2002.71
At the Ottawa meeting in March 2002, U.S.-based direct-to-home satellite provider DirecTV gave a detailed presentation on the response rate of Canadian ISPs to its DMCA “notice and takedown” no[*PG339]tifications.72 DirecTV lamented that “only” forty-three percent of Canadian ISPs responded to its requests to remove content, seemingly oblivious to the fact that many Canadians might find it problematic that even one percent of ISPs, much less forty-three percent, would respond to legal requests that did not reflect Canadian copyright law or policy.73 The response rate did not surprise many Canadian ISPs, however, who privately acknowledged that they had little alternative but to respond, lest they face the prospect of significant liability for copyright infringement in the United States.
Much the same issue arose in Australia in early 2003. At least one Australian ISP received a demand letter from MediaForce, a U.S. digital copyright solutions company acting on behalf of Warner Bros., which listed several IP addresses it claimed were used illegally to access copyrighted material.74 The letter proceeded to demand that the users of the IP addresses be denied access and that their accounts be terminated.75
Digital copyright issues have proven to be the most contentious cyberlaw policy matter. Content creators, led by the movie and music industries, have sought greater control over their content in response to concerns over global piracy facilitated by the Internet. Despite widespread agreement on the importance of the issue, there is no consensus on the appropriate policy solutions. The export of U.S. law through a borderless DMCA limits the policy choices of other jurisdictions, because their local companies and citizens frequently face no viable alternative but to abide by the U.S. statute, even where it is inconsistent with local law.
The aggressive extra-territorial legislative approach is not limited to copyrights. A similar situation unfolded in the United States in the domain name sphere in 1999 with the enactment of the Anticybersquatting Consumer Protection Act (ACPA), which features a unique [*PG340]in rem jurisdiction provision that almost ensures its extra-territorial application.76
The provision is designed to address instances in which the plaintiff, invariably a trademark holder, is unable to assert traditional personal jurisdiction principles because the domain name registrant has no ties to the jurisdiction.77 The statute grants trademark holders the right to file a civil action against the domain name itself, which is treated as property based in the United States because the domain name root server resides there.78
Several commentators have questioned the constitutionality of the ACPA’s in rem provision,79 though courts have thus far not hesitated to apply it. For example, the provision surfaced in a dispute between two Canadian parties over the Technodome.com domain name.80 Heathmount was a Montreal-based company seeking to develop theme parks in both Canada and the United States.81 It claimed trademarks in the name “Technodome” in both countries.82 The owner of the technodome.com domain name was a Toronto teenager who worked at a local theatre company.83 Heathmount, as the trademark holder, could have launched a trademark infringement action in Canada where courts have addressed cybersquatting issues on several occasions,84 or it could have initiated an Internet Corporation for [*PG341]Assigned Names and Numbers (ICANN) Uniform Domain Name Dispute Resolution Policy (UDRP) action.85 Instead, it chose to launch an ACPA action in Virginia. The Toronto teenager had absolutely no connection to Virginia.86 The trademark owner successfully invoked the in rem jurisdiction clause by suing the domain name, rather than its owner.87
The court considered the propriety of a U.S. court addressing a suit between two Canadian litigants and concluded:
Plaintiff may not be able to assert the same rights in Canada, which lacks a body of law equivalent to the ACPA and whose enforcement of its trademark laws cannot extend into the United States. Defendants suggest that Canadian intellectual property law, drawing upon recent English case law, might view the registration of a trademark-infringing domain name as an actionable trademark violation. This outcome is particularly likely, Defendants argue, in a case like the one at bar, involving both registration and use of the mark. However, Defendants’ prediction of what the Canadian courts will do when presented with this issue is necessarily speculative and provides little support for the argument that Canada is a satisfactory alternative forum for this lawsuit.88
Although the application of the ACPA in rem jurisdictional clause might be justified in the Technodome.com case on the grounds that Heathmount possessed a U.S. trademark, subsequent decisions have extended the statute further by allowing claims based on foreign trademarks and foreign domain name registrations. In Barcelona.com v. Excelentisimo Ayuntamiento de Barcelona, a dispute between the City of Barcelona and the long-time owner of the Barcelona.com domain name, the court ruled that the statute could be applied to the City’s Spanish trademark, concluding that Congress makes no distinction between U.S. and foreign marks within the statute’s text.89 The court [*PG342]did concede that “trademark law has historically been governed and regulated on a national level.”90
In Cable News Network v. CNnews.com, another Virginia court removed virtually all limitations on ACPA in rem actions.91 It held that because Verisign, a company resident in Virginia, is the exclusive registry for all top-level “.com” domain names, all “.com” domains are essentially American and therefore subject to the ACPA, without regard for where the domains were registered or the location of the litigants.92
Most recently, a federal court in Virginia ruled that an in rem ACPA judgment ordering the cancellation of a domain took precedence over a foreign court order blocking the cancellation.93 The case involved a dispute over the globalsantafe.com domain name.94 After a U.S. court invoked the ACPA to order the domain name cancelled, the registrant responded by obtaining an order from a Korean court blocking the local registrar from effecting the cancellation.95 The legal drama then shifted back to the United States, where the court adopted a “first in time” rule to claim that it was the first to assert jurisdiction over the domain name.96 Based on that analysis, the court then ordered Verisign, which maintains the root server, to override the local registrar by deleting the domain in question from the root server.97
Given the broad interpretation accorded to the ACPA’s in rem jurisdiction provision by U.S. courts, it is increasingly apparent that the United States has created a domain name dispute resolution policy with global application. This creates a significant limitation on the ability of countries to develop their own domain name policies, because the ACPA has an effect akin to global law and will remain an option to potential litigants independent of their national law and policy.
Several countries have adopted privacy legislation that is borderless in approach. In the United States, the Children’s Online Privacy Protection Act (COPPA) applies to commercial Web sites and online services directed to, or that knowingly collect information from, children under the age of thirteen, and contains no limitation on jurisdictional applicability.98 The statute simply renders it unlawful to collect personal information from a child without parental consent.99
The Federal Trade Commission (FTC) is vested with responsibility for enforcing COPPA, and although it has yet to pursue any action against a foreign-based site, its rule-making guidance leaves no doubt that such sites are expected to comply with the statute in their privacy practices toward children.100 FTC regulations expressly apply to any Web site operator, which is defined as
any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce:
(a) Among the several States or with one or more foreign nations;
(b) In any territory of the United States or in the District of Columbia, or between any such territory and . . . (2) Any State or foreign nation.101
The United States is not alone in extending its privacy-law framework beyond its borders. In May 2002, the European Union’s Article 29 Data Protection Working Party released a document that assessed the international application of the E.U. data protection law to personal data processed on the Internet by non-E.U. based Web sites.102 The Working Party concluded that E.U. law was designed to [*PG344]apply in an extra-territorial manner.103 Interestingly, the Working Party was comforted by the fact that the U.S. had adopted a similar approach with COPPA.104
Having determined that the E.U. law applied to foreign-based sites, the Working Party examined the ramifications of applying the law to several commonplace Internet activities.105 For example, it concluded that the placement of a cookie file on computer users’ hard drives was covered by the legislation.106 Accordingly, Web site owners were required to provide users with adequate notice, specifying in clear terms the information intended to be stored in the cookie, along with the purpose and the life of the cookie.107
Australia has also incorporated extra-territorial provisions into its amended 1998 Privacy Act.108 The law, as amended through December 2001, places privacy obligations on both Australian companies as well as foreign companies that conduct business in Australia and collect personal information about Australians.109 Conscious of its extra-territorial approach, the law contemplates the possibility that foreign companies might face conflicts in meeting compliance requirements of competing privacy statutes.110 In such circumstances, the Australian law cedes jurisdiction to the foreign company’s own jurisdiction.111
In the wake of the terrorist attacks of September 11, 2001, and the growing concern over the use of computer networks for criminal purposes, it comes as little surprise to find that computer crime legislation is commonly borderless, with national authorities empowered to apply national criminal legislation against out-of-country activities.
The U.S.A. PATRIOT Act, a mammoth 342-page statute enacted in the fall of 2001, includes provisions that are expressly extra-[*PG345]territorial.112 The most important such computer crime provision is section 814, which amends the Computer Fraud and Abuse Act.113 The amendments enhance the U.S. government’s ability to prosecute hacking and denial of service attacks by expanding the definition of “protected computer” covered by the legislation.114 The new definition includes “a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.”115 The effect of the provision is to grant U.S. authorities the statutory right to prosecute foreign-based computer fraud and abuse under U.S. law, even if the activity in question may be lawful within its country of origin.
The United States is not alone in this approach. Singapore’s Computer Misuse Act also contains a provision that expands its applicability outside the country’s borders.116 The Act protects computers from unauthorized access, modification, interception, and interference.117 It intentionally features broad applicability, and section 11 states that “the provisions of this Act shall have effect, in relation to any person, whatever his nationality or citizenship, outside as well as within Singapore . . . [if] . . . the accused . . . the computer, program or data was in Singapore at the material time.”118 This section clearly extends the statute’s reach to out-of-country persons who hack into Singaporean computer servers or alter Web pages hosted within the country.
Similarly, Malaysia’s Computer Crimes Act, which took effect in 2000, includes extra-territorial provisions.119 The Act is designed to address three types of computer crimes: (i) unauthorized access to computer material,120 (ii) unauthorized modification of computer [*PG346]material,121 and (iii) wrongful communication.122 Section 9(1) focuses on the territorial scope of the Act, providing,
The provisions of this Act shall, in relation to any person, whatever his nationality or citizenship, have effect outside as well as within Malaysia, and where an offence under this Act is committed by any person in any place outside Malaysia, he may be dealt with in respect of such offence as if it was committed at any place within Malaysia.123
In light of notorious cases such as the global dissemination of the “Love Bug” virus—which wreaked havoc with computer systems worldwide but went largely unpunished due in part to inadequate computer crime legislation in the Philippines124—the desire for computer crime legislation that targets perpetrators regardless of location is understandable. Achieving commonly agreed cybercrime standards, however, is more challenging than is often acknowledged. For example, the recently enacted Council of Europe Cybercrime Convention125 adopts a very broad definition of cybercrime that includes offences related to copyright, thus leading to the possibility of criminal action in one jurisdiction against activity that is legal in another.126 Although certain jurisdictions may be comfortable equating copyright infringement with cybercrime, it is likely that others will shy away from that approach, resulting in jurisdictional conflicts over the issue.
Countries are also increasingly willing to extend their regulatory authority over online gambling. For example, Australia recently enacted the Interactive Gambling Act of 2001, creating a detailed legislative scheme that regulates Internet gambling sites located outside of Australia.127 Given the growing popularity of online gambling in Australia, federal legislators believed it was necessary to establish a statute [*PG347]that criminalized not only Australians who used online gambling services, but also Web sites providing gambling services to Australians, without regard for location.
Part II of the Act states that it is an offence intentionally to provide an interactive gambling service with an Australian-customer link.128 The statute treats a gambling service as having an Australian link if any of its customers are physically present in Australia.129 Contravention of the provision is cumulative so that a person who provides an interactive gambling service to an Australian is guilty of a separate offence with each day the service is available.130 The Act establishes an exception for those instances in which the gambling service was not aware, and could not have ascertained with reasonable diligence (such as asking for personal data or assessing geolocational traffic data), that the service was being provided to someone with an Australian link.131
Although some question Australia’s ability to enforce its anti-online gambling statute against offshore providers, there is little doubt that Australia has enacted a legislative scheme that counters the ability of users to interact with foreign Web sites under laws that do the same. Moreover, in case there was any doubt regarding the statute’s intention, section 14 plainly states that “[u]nless the contrary intention appears, this Act extends to acts, omissions, matters and things outside Australia.”132 Given that many countries have legalized online gaming,133 it is likely that some offshore gambling sites will find themselves subject to competing and contrary legal systems—operating lawfully within their home jurisdiction, yet acting unlawfully under Australian law.
Although Lawrence Lessig rightly recognized the regulatory power of code, he may have underestimated the enthusiasm with which government would begin to regulate it.134 Lessig called on government to harness the Internet by pushing the architecture of the [*PG348]Internet to facilitate its regulation,135 and today it has become apparent that government is responding. If version 1.0 of cyberlaw was characterized by the power of technology to regulate, a defining feature of cyberlaw 2.0 is the government regulation of technology. Interestingly, the regulation of code has not focused on the architecture of the Internet as Lessig anticipated. Rather, government regulation has centered on network end points, where devices access digital content, as well as the design and accessibility of Web sites.
In the United States, the proposed Consumer Broadband and Digital Television Promotion Act, better know as the Hollings Bill, is the archetypal example of the regulation of code.136 The Hollings Bill, which never made it out of committee in the Senate, required the Federal Communications Commission and the Registrar of Copyrights to oversee negotiations between representatives of digital media device manufacturers, consumer groups, and copyright owners to reach agreement on security system standards for use in digital media devices.137 The resulting security standards would be used to ensure the secure protection of digital content.138 Once established, digital device manufacturers would be prohibited from selling devices that do not incorporate the standards.139 Moreover, removing or altering the security standards from a work would be prohibited without the prior authorization of the copyright owner.140
As Lessig argues in The Future of Ideas, his follow-up to Code and Other Laws of Cyberspace, the danger associated with excessive copyright control rests not just with the implementation of code that controls copying but also with the support provided to these controls through law.141 Lessig is specifically referring to the DMCA, which provides an additional layer of legal protection to copyrights above both the traditional copyright protection and the technical measures protections.142 [*PG349]Thus, it would be unlawful to copy a motion picture, unlawful to bypass a DVD’s encryption, and unlawful to break that encryption’s code.143
Similar to the DMCA, the Hollings Bill enhances the protection of copyrights by using the law to mandate control.144 If successful, the Hollings Bill will illustrate how the law can be used to regulate code, and that success is likely to embolden other policymakers to launch forays into embedding code with regulation.
Other examples of the regulation of code have garnered less attention. The Workforce Investment Act of 1998, which included the Rehabilitation Act Amendments, provided that members of the public with disabilities seeking information or services from federal agencies have access to that information in a manner that is comparable with individuals without disabilities.145 Moreover, it also required that federal employees with disabilities enjoy equivalent access to information as those without disabilities, forcing all private firms that engage in government procurement to ensure equal access.146
The implementation of these requirements necessitated the development of new standards for accessing content on the Internet and required any agency seeking to procure federal government contracts to comply with the standard.147 As a result, the U.S. government specified the design and structure of thousands of Web sites by regulating their code.148
[*PG350] The European Union Data Protection Working Party engaged in a similar exercise in developing regulations for the online automated processing of personal data.149 Its recommendations specified privacy-friendly browser default settings, limitations on the configuration of cookies, and the elimination of auto-generated forms during software install processes.150 Although the recommendations also include suggestions for information disclosure, those related to software and hardware configurations also move government into the realm of regulating code.
Although policymakers increasingly appreciate that code regulates, they are also awakening to the corollary—that code can be regulated. Although the regulation of code raises new complications by blending the policy-making attributes of code with more traditional [*PG351]government policy of regulating code, these complications are not necessarily a bad thing. For example, the regulation of code need not stop at mandating the inclusion of anti-copying technologies within all digital devices: it could be extended to require the retention of fair use rights within the implementation of such technologies, thereby using regulation of code to maintain the copyright balance.151
Government may have been willing to yield policy-making leadership to the private sector in the mid-1990s, but as the volume of regulatory activity highlighted above suggests, cyberlaw regulation has become commonplace. Government typically consults with industry and consumer groups on their preferred approach, but it is unwilling to remain silent on matters of cyberlaw policy.
Nowhere is the shift away from self-regulation more evident than in the world of Internet governance. As the Internet blossomed from a small community of users to a global phenomenon in the mid-1990s, the governance of the domain name system underwent a similarly dramatic change. Once administered by Jon Postel, a computer scientist at the University of Southern California, in 1998, the U.S. government handed over management of domain names to ICANN, a California nonprofit company.152 ICANN’s initial creation drew interest from a diverse group of stakeholders including Internet users, domain name registrars, technical groups, and intellectual property law associations.153 Although each group offered differing perspectives on issues such as domain name dispute resolution and the creation of new domain name suffixes, there was widespread agreement on one key principle: ICANN was to be based on a self-regulatory model in which the stakeholders governed themselves, free from government interference.154
[*PG352] Self-regulation was premised on a consensus-based approach in which policy discussion was open to all, supported by a governance structure that ensured representation at the board level for all stakeholders.155 This latter goal was to be achieved by allocating half the board positions among several stakeholder groups, and by completing the other board seats with online elections, thus enabling Internet users to elect board representatives on a regional basis.156
With ICANN currently engaged in major reforms, supporters and critics alike have begun to look to governments to become more engaged.157 ICANN supporters want to bring government (and its financial resources) into the fold by elevating the role government plays on the ICANN board through the Government Advisory Committee,158 the body that currently enables government to play a consultative role within ICANN.159
ICANN critics, meanwhile, have turned to the U.S. government to call for a reevaluation of the ICANN mandate.160 Although the Department of Commerce renewed its Memorandum of Understanding with ICANN in September 2002, many critics view the U.S. government as their best ally in pursuing genuine ICANN reform.161
Just as ICANN and its critics turn to government, governments have begun to question openly the ICANN approach, suggesting that more governmental oversight may be needed. For example, U.S. Senator Conrad Burns announced his intention to introduce new legislation that would give the U.S. government greater influence over ICANN.162 Burns argues that greater influence is needed because [*PG353]ICANN has exceeded its authority, does not operate in an open fashion, and is unaccountable to Internet users.163
Similarly, the European Union has argued that governments must have greater involvement in public policy issues, recommending that ICANN always consult governments on policy matters, and that it should be able to ignore or reverse governmental advice only by a two-thirds vote of its board.164 In 2002, a representative from the Legal Counsel of the United Nations noted how unusual it was to entrust domain name governance to a private body rather than to an international representative body.165 He argued that the Internet requires international cooperation for both its operation and regulation and that global governmental organizations are uniquely suited to foster such cooperation.166
Most recently, the International Telecommunications Union, an international body in the United Nations system, issued its clearest signal yet that governments want a larger voice in the Internet governance process.167 Under the title “Internet Names: A Matter for Both Government and Private Sector,” it approved a resolution on the management of multilingual domain names that promotes the role of the government in the internationalization of domain names.168
A U.S. Congressional proposal to mandate the creation of a “dot-kids” second-level domain name illustrates how government is also engaging in Internet governance on the national, country-code level. The Dot Kids Implementation and Efficiency Act of 2002, passed by the House of Representatives in May of 2002, requires the National Telecommunications and Information Administration (NTIA) to establish a new dot-kids second-level domain within the dot-us country-[*PG354]code domain.169 The Act provides that the dot-kids domain allows access only to material that is suitable to children under the age of thirteen.170
Although it is not uncommon for government to play a role in the management of a country-code domain, mandating the creation of a new second-level domain is rare.171 The legislative proposal illustrates how governments worldwide are seeking a more prominent voice on Internet governance matters, and are no longer content to adhere to the self-regulatory bargain that envisioned private-sector led solutions.
Governments are also abandoning self-regulatory solutions in dealing with unsolicited commercial e-mail or spam. Although the U.S. Direct Marketing Association only recently altered its position that self-regulatory measures were sufficient to address concerns related to spam,172 it has been clear for some time that government is unconvinced by self-regulatory solutions. With spam now accounting for thirty-eight percent of all e-mail traffic, governments worldwide have begun to adopt aggressive anti-spam legislative initiatives.173 The United States has yet to enact federal anti-spam legislation, but dozens of U.S. states now have anti-spam legislation on the books.174 Moreover, the United States is not alone in the battle against spam, as Japan,175 South Korea,176 and the European Union177 have all enacted anti-spam measures in recent months. Although some governments [*PG355]profess to remain committed to industry-led anti-spam solutions,178 the tide is clearly shifting as legislative solutions move to the forefront.
Nowhere is the shift in attitude away from self-regulation more evident than in the area of e-commerce regulation, where visions of private-sector-led policy now represent a bygone era. This is particularly true in relation to consumer e-commerce transactions. Governments have abandoned policies that left these transactions to the private bargains of sellers and purchasers, imposing instead new e-commerce consumer protection measures. For example, the Canadian Province of Manitoba has enacted e-commerce consumer protection legislation that creates new disclosure requirements for sellers and provides purchasers with assurances of recourse in the event that the transaction is not completed as planned.179
The disclosure requirements include basic information such as the seller’s name, business address, and phone number, as well as detailed descriptions of the goods being purchased, applicable warranties, shipping charges, delivery dates, and refund policies.180 The information can be provided to the buyer via e-mail or posted on the seller’s Web site, so long as the buyer can access it prior to purchase.181 The purchaser also has the right to cancel the transaction if the seller fails to comply with the disclosure requirements or fails to deliver the goods within thirty days of the specified delivery date.182
The new rules also bring credit card issuers into the equation. If the seller fails to issue a refund after a buyer makes a credit card purchase online and then uses his legal rights to cancel the same transaction, the credit card issuer is required by law to cancel or reverse the [*PG356]credit card charge, including any associated interest charges.183 If the seller fails to disclose the requisite information to the consumer or does not meet the delivery deadline, the consumer can seek recourse through the credit card issuer, who is required to provide a refund.184 Moreover, sellers simply cannot ignore these issues because the law itself provides that the rules cannot be avoided or limited by contract—and failure to comply may result in fines or imprisonment.185
Manitoba is by no means alone in promulgating legislation of this kind. In Canada, it has been followed by Ontario, which recently introduced similar protections in a consumer protection bill.186 The European Union, which also has protections in place, has aggressively introduced e-commerce consumer protection legislation as part of its E-Commerce Directive187 and Distance Selling Directive.188 Moreover, Asian countries have proposed limitations on various other aspects of e-commerce transactions, including restrictions related to online auctions189 and online dating services.190
In addition to dictating the terms of e-commerce transactions, government has also intervened by regulating what can be sold online. Several states have enacted restrictions on the online sale of wine,191 automobiles,192 and cigarettes.193 In fact, some states have cre[*PG357]ated limitations on payment processes by questioning the legality of third-party payment systems such as PayPal194 and by reaching agreements with credit card issuers to deny approval for online gambling transactions.195
Government may have once believed that it should not regulate the Internet and Internet-based activity, but this is clearly no longer the case. From macro issues, such as global Internet governance, to micro concerns, such as the physical address of online sellers, government regulation has clearly replaced self-regulation as the cyberlaw regulatory method of choice.
Although the three principles of Cyberlaw 1.0 may appear distinct, they are in fact tied together by one larger principle—that government would not, could not, and should not apply its traditional regulatory mechanisms to the Internet. The existence of a borderless Internet and bordered laws implies that governments lacked the moral authority to apply their rules to people who had not elected them sovereign. Many of those who focused on the regulatory power of code did so with the belief that traditional lawmaking—East Coast Code in Lessig’s parlance—would be unable to regulate activity online as offline.196 Government may well have believed both of these premises for it enthusiastically adopted industry’s mantra that the Internet was different and that it was ill-equipped to flex its regulatory muscle.
No sooner had these principles been accepted than we find them being rapidly undermined. In this emerging cyberlaw framework, government plays the central regulatory role, much as it does for most offline activities. It is being assisted in this regard by technology, which is reshaping the Internet to match more closely its real-space equivalent, complete with borders that mirror those found in a Rand McNally Atlas.
[*PG358] In many respects, the changing cyberlaw environment creates greater challenges than its predecessor. Private-sector-led policy envisioned the likelihood of policy disputes, but was content to grant private parties the room to sort through those disputes through contractual mechanisms free from government interference. The popularity of borderless laws escalates these disputes to the international level. Private parties will still face policy disputes, but they will now be joined by countries who, burdened by the extra-territorial application of foreign laws, struggle to assert national sovereignty over policy choices.
The regulation of code, meanwhile, creates many of the same concerns as regulation by code. At one level, it transfers the policy choices embedded in code from industry to government. This is a more democratic approach that assuages concerns that industry will act in a self-interested manner at the expense of the general public interest. Although government may be just as likely to make poor policy choices, there is some comfort in knowing that the choices are made by policymakers who are accountable under our system of democracy in ways that corporate officials are not.
At another level, however, government intervention into code poses troubling implications for the innovation process. Government may be well-suited to represent the concerns of consumers and small businesses, but many would doubt whether it is equipped to prescribe Web site specifications, much less mandate the inclusion of new technologies into consumer products.
The replacement of self-regulatory solutions with more traditional forms of government lawmaking also creates new concerns. Although the ICANN experiment illustrates how self-regulation risks rapid devolution into a series of self-interested choices that exclude the public interest, it is by no means certain that government can or will make better choices. In fact, government processes may be so slow as to cause more harm than good. Moreover, the emergence of conflicting regulatory rules on all aspects of e-commerce are likely to cause many companies to forego the benefits of e-commerce, unwilling to bear the burden of a costly regulatory framework.
Although this new version of cyberlaw may indeed present some difficult policy choices, it is important that these issues be addressed through the prism of the real, rather than the construct of the perceived. Cyberlaw 2.0 has arrived, bringing with it a shift from a borderless network to borderless law, from code that regulates to code that is regulated, and from self-regulation to government regulation.