Some Legal Principles


Let's look at some of the legal underpinnings of privacy protection and surveillance in the Exchange environment. A variety of legal doctrines are briefly examined because you are likely to run into several different scenarios, such as stumbling on a network user's financial or health-related data, the inadvertent discovery of criminal misconduct, or discovery of garden-variety violations of access and use policies.

Privacy Laws

Privacy laws impact network administrators by regulating the collection, use, and dissemination of personally identifiable information. With the exception of Web site operators, who operate under laws such as the Online Child Protection Act and EU Privacy Directive and Federal Trade Commission (FTC) regulations designed to protect consumers engaging in e-commerce, the actions of network administrators typically fall under laws governing privacy that affect employee rights in electronic communications (including e-mail) and use of the Internet or a company's intranet or extranet.

There is no single United States data privacy law; instead, it's a thicket of constitutional, statutory, and common law rights. The law that controls a particular situation depends on the circumstances involved. Did the legal question arise in the context of a criminal investigation, an investigation of intrusive snooping by unauthorized network users, or routine network administration? Are particular categories of information at issue (for example, tax returns, personal financial data, or medical records), or are specific classes of people involved, such as children?

Despite the thicket, to a surprising degree statutes control Internet privacy. Unlike protections against government intrusions in general, which are controlled by the Fourth Amendment and our state constitutions, legislatures including Congress create the primary rules that regulate privacy in the Internet-enabled work environment.

Constitutional Sources of Privacy Interests Are Limited

The United States Constitution provides explicit protection to its citizens from unwarranted government intrusion. The Fourth Amendment protects individuals' privacy rights against unreasonable searches and seizures and might provide remedies where a person's subjective (yet objectively reasonable) privacy expectations in e-mail have been violated by a government agency acting without a warrant. Beyond the United States Constitution, the California Constitution assures its residents of an inalienable right to privacy, added in 1972 by a ballot initiative known as Proposition 11. Unlike the Fourth Amendment to the federal Constitution, the California right protects California residents in their dealings with both the government and private businesses (including employers), and individuals can bring suit to enforce violations of this right.

For the Exchange administrator, the federal constitutional right to privacy is unlikely to be a primary concern because it constrains only governmental actors, not private parties, from unreasonably intrusive action. Unless the network is subject to a subpoena or a search warrant and the administrator is acting as an agent of the government, the Fourth Amendment is unlikely to play much of a role. Another likely avenue of complaint is a perceived violation of the First Amendment. Disciplining an employee for speech-related conduct, like e-mail or Web surfing, frequently brings howls of protest that the employer is acting as a censor. However, in most cases the same government action requirement limits the applicability of the First Amendment to the private network, just as it limits the availability of the Fourth Amendment's protections. Of course, if a public institution or government agency operates the network, actions taken are government actions and the First and Fourth Amendments are controlling.

Statutes Protecting Privacy Rights

First, federal statutes provide privacy rights for specific categories of information such as video rental records, cable television subscriber information, and a student's educational records. Such records should be treated by the administrator as highly confidential and not subject to disclosure unless complying with the applicable exceptions or a court-ordered process, like a search warrant. If the network administrator examines this information, its further disclosure would likely violate the rights of the network user. If disclosure is deemed necessary, the administrator should consult with counsel regarding the situation under the applicable laws. The Computer Fraud and Abuse Act punishes unauthorized access or exceeding authorized access to computers to obtain financial, medical, or other related information.

Second, the federal statute most likely to be cited during a complaint is probably Title I of the Electronic Communications Privacy Act of 1986 (ECPA), an amendment to the Federal Wiretap Act. The ECPA bars, with limited exception, the interception of communications while in transit and those that are archived within the network. If a network administrator intends to monitor user activity, notice must be given. If a governmental entity wants to access the network's stored messages, it can do so provided it follows the provisions in the ECPA. Typically, a warrant would be needed. However, access can be compelled on less than a warrant under limited circumstances described in the ECPA. Questions including whether seizure of a computer on which private e-mail has been stored, but not yet retrieved by the intended recipients, constitutes an unlawful intercept under the Federal Wiretap Act, remain unsettled.

Third, the federal Privacy Protection Act makes it unlawful for a government employee to seize, in connection with a criminal investigation, any materials reasonably believed to have a purpose to disseminate to the public a newspaper, broadcast or similar form of public communication. In an interesting case involving the United States Secret Service, a trial court found that the Secret Service's failure to promptly make copies of draft magazine articles and a book intended for publication, after being advised that the materials were to be published, constituted a violation of the Act and awarded damages against the Secret Service. The government abandoned its cross-appeal.

Some of the other important statutes relating to electronic communications are the following:

  • The Fair Credit Reporting Act bars disclosure of information from a person's credit file without consent. The information protected includes not only credit history but employment data as well. Interestingly, non-financial information found in a credit report header, including a person's name, aliases, birth date, Social Security number, and current and prior addresses and telephone numbers, is not protected information under the Act. An Exchange administrator should be aware that such information is highly confidential and should be disclosed to no one without compliance with the statute's terms or pursuant to a court-ordered process, like a subpoena or search warrant.

  • The Electronic Funds Transfer Act requires that contracts with consumers for electronic funds transfers inform consumers of the circumstances under which their information can be disclosed. An Exchange administrator should be aware that such information is highly confidential and should be disclosed to no one without compliance with the statute's terms or pursuant to a court-ordered process, like a subpoena or search warrant.

  • The Child Online Protection Act requires operators of commercial Web sites or online services to protect children and to provide notice of, and some limitations to, all information gathered from children, including reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

Common Law

Even if conduct does not violate a statute or the Constitution, there are common law rights of privacy based in tort law. Even in digital America the old-school causes of action for invasion of privacy remain viable: appropriation of the defendant's name or likeness for commercial benefit; unreasonable intrusion, or intentional interference with a plaintiff's interest in solitude or seclusion (either in his person or in his private affairs); public disclosure of private facts; and publicity that places the plaintiff in a false light.

FTC Privacy Guidelines for Fair Information Practices in Consumer Transactions

Although applicable to Web site operators and e-commerce entities and typically not to private network administrators, the thrust of the FTC's privacy program is making sure companies keep the promises they make to consumers about privacy and, in particular, the precautions they take to secure consumers' personal information. Accordingly, the FTC's review of online profiling by commercial interests, and consumer privacy concerns about these practices, led to recognition of several core principles that are helpful to an administrator charged with designing reasonable policies for his or her network.

  • Notice: Organizations that collect personal data must disclose their information practices before collecting personal information from consumers.

  • Choice: Consumers must be given options with respect to whether and how personal information collected from them can be used for purposes beyond those for which the information was provided.

  • Access: Consumers should be able to view and contest the accuracy and completeness of data collected about them.

  • Security: Organizations that collect data must take reasonable steps to assure that information collected from consumers is accurate and secure from unauthorized use.

These features should be considered when adopting policies for private network users.

Surveillance Rules

Legal rules governing surveillance of communications networks can be generally divided into two types: rules concerning government surveillance of the network for law enforcement purposes, and rules governing network providers who can conduct surveillance of their own network.

Network owner surveillance of users can serve a variety of business-related reasons. For example, the administrator might need to maintain e-mail logs or intercept communications in transit to determine the source of a network problem or identify an unauthorized user. In the 1960s, telephone users created devices that allowed them to trick the telephone system into letting them make long-distance calls for free. This led to an exception to the privacy of telephone conversations by allowing providers to intercept communications through their network when it is a necessary incident to the protection of the rights or property of the provider of that service. In other words, the network owner, not a government power, is permitted to wiretap telephones when it is necessary to combat unauthorized use of the telephone network. Importantly, the courts have stressed that this is a narrow exception: it only allows the telephone company to conduct limited surveillance for business-related reasons, and does not allow the company to monitor even unauthorized use to help law enforcement. However, an individual administrator might inadvertently discover evidence of a crime and want to report it to law enforcement. Before doing so, the administrator should consult with the organization's attorney to ensure that the information was obtained in a manner consistent with the rules of the network and consistent with the laws regarding specific types of information.

Since 1934 it has been a crime to wiretap telephone lines. The modern Wiretap Act regulates prospective surveillance of communications and the ECPA regulates retrospective surveillance of communications. In short, the wiretap rules apply to future communications, and the rules for examining a network's stored e-mails or archived Internet-related activities that have already occurred are addressed under the ECPA.

Generally speaking, if a network administrator receives a search warrant pursuant to a criminal investigation of a network user or the company itself, the materials sought must be turned over, and if a subpoena is served pursuant to a civil claim for damages or injunctive relief, it can be answered or contested. Recently, a federal court upheld the authority of a telephone company to resist a subpoena it received seeking the identity of its Digital Subscriber Line (DSL) users who might have engaged in peer-to-peer file transfer of copyrighted material. In that case the subpoena was ultimately quashed.

The Patriot Act

One feature of the United States Patriot Act is a new exception to the Wiretap Act, known as the computer trespasser exception. The computer trespasser exception involves prospective content surveillance; it allows law enforcement agencies to perform warrantless interception of the contents of Internet communications sent by a computer trespasser, provided that the trespasser's victim agrees to the monitoring. According to its critics, the computer trespasser exception to the warrant requirement poses significant dangers to privacy because it allows the government to wiretap a computer without a warrant. Critics contend this provision should be allowed to expire in 2005, as the statute currently provides.

A second feature of the Patriot Act imposes a reporting requirement on direct prospective surveillance of the Internet habits of network users by law enforcement. The reporting requirement requires that a detailed report be prepared whenever law enforcement installs its own surveillance device on an ISP available to the public pursuant to a pen register [1] order. The report must identify the installer, what was installed, when it was uninstalled, who listened, and what was heard. This feature improves the prospect of judicial review of law enforcement requests for leave to monitor citizen behavior on the public Internet.

Internet Crime

Internet crimes (which simply means crimes that can be accomplished using the Internet) pose a particular risk for the network administrator because, under certain circumstances, the network owner can be liable for the conduct of its network users, particularly if the user is an employee. Of course, the first step for an administrator is to have a well-settled policy against violation of copyright laws and other forms of misuse of the network.

Criminal and Civil Copyright Infractions

Copyright protection exists for most content, like music, e-books, movies, and so on. Software is deemed to be protected even when not stored on disk, and merely turning on a computer, which causes the operating system to be loaded from permanent storage to the computer's RAM, has been found to constitute copyright infringement if the person turning on the computer was not licensed to use the operating system. Postings of copyrighted works on the Internet are generally copies subject to scrutiny for copyright violation. Browsing the Internet causes a copy of the digital information viewed on the screen temporarily to be made in the user's computer screen memory. Even this brief capturing of information could constitute a copyright infringement. The primary exceptions to these rules are the creation of archival or backup copies of software, temporary copies created for maintenance or repair, and the fair use defense.

The Fair Use Defense

Copyright cannot be discussed in the digital era without noting that United States law provides that certain use of copyrighted material constitutes fair use that does not subject the user to the liability previously mentioned. Fair use is a complete defense to copyright infringement and typically applies when a work is used for purposes such as criticism, comment, news reporting, teaching, scholarship, or research. Several factors are considered when evaluating whether fair use applies. It is beyond the scope of this chapter to engage in a detailed discussion of fair use in electronic networks. However, taping broadcast or cable television transmissions for future viewing has been held to be a fair use when the copying is undertaken for private, noncommercial purposes. On the other hand, file sharing, or downloading music files through a central server like the one used by Napster, was held to be an impermissible facilitation of large-scale copyright infringement.

The problem of networks or ISPs facilitating copyright infringement is acute because digital forms of pictures, movies, and music can be attached to an e-mail message, posted to a Web site, or transmitted instantaneously to thousands of people. The implications of widespread dissemination of protected material and its relationship to fair use are still developing. In fact, the retransmission over the Internet of infringing material and the extent to which copyrighted material can be posted for the purpose of criticism has led to cases in which the defendants included both those posting the protected works and their Internet access providers. This area of the law remains unsettled.

There are three forms of liability for infringement: direct, indirect or contributing, and vicarious. Typically, some direct involvement is required before an ISP can be held directly liable for infringing content made available over its network. Some culpable conduct is also required for contributory infringement: some knowledge of, and perhaps benefit from, the infringing activity. Finally, vicarious liability can be imposed only where the defendant has the right and ability to supervise the infringing activity, and has a direct financial interest in such activities. Whether and to what extent a network administrator might actually be able to supervise or control the infringing conduct of the network users is an open question, especially when the network merely provides Internet access to its users. However, if a network administrator learns of specific infringing material available on his or her system and fails to purge such material from the system, the operator might be found to have contributed to or engaged in direct infringement.

Liability Limitations Under the Digital Millennium Copyright Act

Title II of the Digital Millennium Copyright Act (DMCA) limits the liability of Service Providers which, as broadly defined under the Act, would include owners of corporate intranets, for third-party liability for damages, costs, or attorneys' fees under the Copyright Act, but only if a series of technical requirements are met. If the conditions are met, a network providing Internet access can be immune from copyright infringement liability for transmitting, routing, and providing connections to infringing material; system caching; information stored by a network user; or linking or referring users to infringing material.

If the foregoing conditions are met, under the DMCA a network administrator can remove or disable a user's access to content if there is a good faith basis for believing the content is infringing. Good faith does not require that the material or activity be ultimately determined to be infringing. However, a network administrator must comply with certain specific requirements governing notification to affected parties to avoid all potential liability. Here the exposure to liability includes the copyright owner for infringement, and the network user for disabling access to or removing content in response to a notification that it infringes.

Terminating Serial Infringers from Network Access

Although an employee can be removed from the network for violating company policies, the DMCA provides guidelines that can be used by administrators to develop their own policies. The key to receiving protection from the DMCA's liability limitations is adoption of and implementation of a policy of terminating the accounts or subscriptions of repeat infringers and informing network users of the policy. Regarding liability for storage, caching, and linking to infringing content, the network administrator must designate agents to receive notification of alleged acts of infringement and comply with specific rules for removing or blocking access to the allegedly infringing content. The rules regarding notification are published in the Federal Register. To avoid liability to subscribers for removed content, a network administrator must comply with procedures governing counter notifications (where the party responds that its use is not, in fact, an infringing use) and potentially replace or restore access to content removed in response to a notification of infringing use.

If a conforming notification (more popularly known as a takedown notice) is received, a network administrator must promptly remove or block access to the allegedly infringing content. If its network user posted the content, the network service provider must promptly notify its subscriber that it has removed or disabled access to the material. If the network user complains that the content was noninfringing, the administrator must provide the information to the original complainant and must then replace or restore access to the disputed content on certain timelines. If a lawsuit is filed, the network administrator must stand down until a court makes a ruling. Material misrepresentations made by either the complainant or the network user could result in civil liability to the network owner. Finally, although network administrators can limit their liability for acts of third-party copyright infringement, the network is responsible for the acts of its employees under typical agency rules. Thus if an employee is posting infringing material that others can access by reaching through the firewall to the employee's desktop, the network owner might be liable. The courts have not been entirely consistent in interpreting the responsibility of service providers in response to defective notifications. Stay tuned.

Other Laws Possibly Implicating the Network

Other laws that could potentially implicate the network or network administrator include the following:

  • Stalking laws: Sending harassing e-mail messages could violate state stalking laws. This is regrettably common, especially at universities and high schools.

  • Trade secrets: The Economic Espionage Act of 1996 criminalized wrongful copying or control of trade secrets. A trade secret is broadly defined under the Act but requires reasonable measures to keep such information secret. Basically, there are two types of misappropriations arising from copied or stolen trade secrets, one where the defendant actually intends to benefit any foreign government, foreign instrumentality, or foreign agent, and second, where the copy is to economically benefit someone other than the owner of the secret.

  • The National Stolen Property Act: Theft of certain computer files by modem has been found to fall under this law. The court reasoned that the files were like files on paper and thus were sufficiently tangible to be property under the Act. The court said it saw no reason to punish the person who stores information on a computer rather than on paper. However, another federal court has found theft of software to not constitute goods, wares, merchandise, securities or monies within the meaning of the National Stolen Property Act.

  • Wire fraud: At least one court has found a defendant properly charged under the wire fraud statute for the alleged transmission of computer files containing source code. The defendant argued he was only subject to copyright infringement penalties but the court noted that the wire fraud statute does not have a requirement that physical goods or money be involved. Of course, other kinds of wire fraud (like the phishing scams that present legitimate-looking bank sites to try to trick users out of their credit card or bank account information) are common on the Internet too.

Dealing with Child Pornography

Distribution and possession of child pornography is illegal. The issue of illegal pornography continues to perplex courts and commentators, but for the private network administrator the issue is uncomplicated: illegal content must not be transferred over the administrator's network, and if the administrator knows about such transmissions, he or she must act to block, halt, or report it.

[1] Pen register refers to an electromechanical device that records the telephone numbers dialed by a particular telephone line. The term has come to mean any system or tool that can keep a log of what numbers were dialed; in this case, it also means software that can keep track of what Internet communications a targeted user has had.




Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
EAN: 2147483647
Year: 2004
Pages: 189
