legal and regulatory tutorial l.
Skip this Video
Loading SlideShow in 5 Seconds..
Legal and Regulatory Tutorial PowerPoint Presentation
Download Presentation
Legal and Regulatory Tutorial

Loading in 2 Seconds...

play fullscreen
1 / 130

Legal and Regulatory Tutorial - PowerPoint PPT Presentation

  • Uploaded on

Legal and Regulatory Tutorial. INET 2002 June 18, 2002 Jim Dempsey Mike Godwin John Morris. Legal and Regulatory Tutorial Copyright. INET 2002 June 18, 2002 Mike Godwin.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Legal and Regulatory Tutorial' - Faraday

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
legal and regulatory tutorial

Legal and Regulatory Tutorial

INET 2002

June 18, 2002

Jim Dempsey

Mike Godwin

John Morris

legal and regulatory tutorial copyright

Legal and Regulatory TutorialCopyright

INET 2002

June 18, 2002

Mike Godwin


Based on materials prepared by Profs. Pamela Samuelson & David Post for the Computers Freedom & Privacy Conference, April 4, 2000. Edited and amended by Mike Godwin, CDT, for INET'01, updated for INET'02.

what is intellectual property a k a ip
  • Rights in commercially valuable information permitting owner to control market for products embodying the information
  • Copyrights for artistic & literary works (including software)
  • Patents for technological inventions (also including software)
what is ip 2
WHAT IS “IP”? (2)
  • Trade secrets for commercially valuable secrets (e.g., source code, Coke formula)
  • Trademarks (e.g., Coca Cola, Coke) to protect consumers against confusion
  • Copyright and trademark law are the areas most likely to have international, civil-liberties significance on the Internet, and, of the two, copyright law is more likely to be significant than trademark law.
elements of all ip law
  • Subject matter to be protected
  • Qualifications for protection
    • Who can claim
    • Procedure for claiming
    • Substantive criteria
  • Set of exclusive rights (rights to exclude other people's uses of the IP)
  • Limitations on exclusive rights
  • Infringement standard
  • Set of remedies
elements of copyright
  • Subject matter: works of authorship
    • E.g., literary works, musical works, pictorial works. NB: software (for copyright purposes) is a “literary work”
  • Qualifications:
    • Who: the author (but in US, work for hire rule)
    • Procedure: rights attach automatically (but US authors must register to sue; remedies depend on regis.)
    • Criteria: “originality” (some creativity); [in US] works must also be “fixed” in some tangible medium
copyright elements 2

Set of exclusive rights (right to exclude others):

  • to reproduce work in copies,
  • to prepare derivative works, including translations
  • to distribute copies to the public,
  • to publicly perform or display the work, or communicate it to the public (broadcast)
  • “moral rights” of integrity & attribution
  • some rights to control acts of those who facilitate or contribute to others’ infringement (e.g., ISPs)
copyright elements 3

Limitations on exclusive rights:

  • Fair use (e.g., Sony Betamax, Acuff-Rose) in US
  • Fair dealing in UK and Canada
  • First sale (e.g., libraries, bookstores)
  • Library-archival copying (e.g., ILL, course reserves)
  • Classroom performances
  • Special inter-industry compulsory licenses (e.g., cable-network TV)
  • Other (e.g., playing radio in fast food joint)
  • Constructing functional item from an expressive work (e.g., building a bicycle from a design)
copyright elements 4
  • Limitations on exclusive rights: duration
    • Berne standard: life + 50 years
    • EU & US: life + 70 years; 95 yrs from publication
  • Infringement standard: violating exclusive right (often copying of “expression” from protected work based on substantial similarity)
  • Remedies: injunctions, lost profits, infringers’ profits, “statutory damages,” costs, & sometimes attorney fees
uncopyrightable stuff
  • Ledger sheets and blank forms
  • Rules and recipes
  • White pages listings of telephone directories
  • Facts and theories (although particular expressions of facts or theories are copyrightable)
  • Ideas and principles
  • Methods of operation/processes
compilations and derivative works
  • Creativity in selection and arrangement of data or other elements = protectable compilation. (There has to be some small degree of creativity at the very least -- see, e.g., Feist v. Rural Telephone.)
  • Original expression added to preexisting work = protectable d/w (e.g., novel based on movie)
  • Compilation or derivative work copyright doesn’t extend to preexisting material (e.g., data or public domain play)
  • Use of infringing materials may invalidate copyright in compilation or derivative work
international treaties
  • Berne Convention for Protection of Literary & Artistic Works
  • Basic rule: “national treatment” (treat foreign nationals no worse than do own)
  • Berne has some minimum standards (duration, exclusive rights, no formalities)
  • WIPO administers treaties, hosts meetings to update, revise, or adopt new treaties
internat al treaties 2
  • TRIPS (Trade-Related Aspects of Intellectual Property Rights) Agreement
  • Sets minimum standards for seven classes of IPR, including copyright, that binds WTO members
  • Must have substantively adequate laws, as well as adequate remedies and procedures and must enforce effectively
  • Dispute resolution process now available
digital complications
  • Digitized photographs of public domain works (e.g., Microsoft claims ownership in some)
  • Very easy to reselect and rearrange the data in databases; uncreative databases may be very valuable although not copyrightable; EU has created a new form of IP right in contents of databases to deal with this. (New right is analogous to copyright, but not the same as copyright. Database protection can have civil-liberties, freedom-of-inquiry implications. May affect journalism, scholarship.)
digital complications 2
  • Digital environment lacks geographic boundaries
  • Very cheap and easy to make multiple copies and disseminate via networks
  • Very easy to digitally manipulate w/o detection
digital complications 3
  • Can’t access or use digital information without making copies. (U.S. courts began this analysis by stating that even ephemeral RAM or transmission copies are "copies" regulable under copyright law.)
  • New ways to appropriate information (e.g., Motorola violated the law by “stealing” data from NBA games for sports pager device)
digital complictions 4
  • People see that much Internet information is free and expect it all to be (or nearly so).
  • Many and perhaps most individuals think that private copying doesn’t infringe copyright; much of industry disagrees. Some in industry would like to meter access to copyrighted works, so that all private use is for-pay.
digital copyright controversies
  • Linking, framing
  • iCraveTV case
  • Cyberpatrol case - extracting list of sites
  • RIAA v. Diamond (Rio player case)
  • UMG Recordings v.
  • Napster
  • DeCSS cases
  • Sklyarov (AKA ElcomSoft)
  • Sonic Blue
wipo copyright treaty 1996
  • Reproduction right applies to digital works (but no agreement on temporary copies)
  • Exclusive right to communicate digital works to the public by interactive service
  • Fair use and other exceptions can apply as appropriate; new exceptions OK
  • Merely providing facilities for communication not basis for liability
wipo treaty 2
  • Tampering with copyright management information to enable or conceal infringement should be illegal
  • Need for “adequate protection” and “effective remedies” for circumvention of technical protection systems
  • Treaty not yet in effect, but US has ratified and implemented through DMCA; Canada has signed; EU has adopted a directive similar to DMCA (see Hugenholtz analysis/criticism).
  • Digital Millennium Copyright Act (1998)
  • “Safe harbor” provisions for ISPs based on notice and takedown
  • Section 1201: anti-circumvention rules
  • Section 1202: false copyright management information(CMI)/removal of CMI
dmca anti circumvention rules
  • WIPO treaty vague
  • Campbell-Boucher bill in US: proposed to outlaw circumvention of technological protection systems to enable copyright infringement (would have linked circumvention offenses to intent-to-infringe cases.
  • MPAA: wanted all circumvention outlawed
  • DMCA: illegal to circumvent an access control, 17 U.S.C. s. 1201(a)(1)
  • But 2-year moratorium; LOC study; 7 exceptions
exceptions to circumvention rule
  • Legitimate law enforcement & national security purposes
  • Reverse engineering for interoperability
  • Encryption research and computer security testing
  • Privacy protection & parental control
anti circumvention device provisions
  • Illegal to “manufacture, import, offer to public, provide or otherwise traffic” in
  • any “technology, product, service, device, [or] component”
  • if primarily designed or produced to circumvent technological protection systems, if only limited commercial purpose other than to circumvent technological protection systems, or if marketed for circumvention uses
more on device rules
  • 1201(a)(2)-- prohibits manufacture etc. of devices to circumvent effective access controls
  • 1201(b)(1)--prohibits manufacture etc. of devices to circumvent effective controls protecting a right of copyright owners
  • Actual & statutory damages + injunctions
  • Felony provisions if willful & for profit
problems with access circumvention regs
  • Existing exceptions overly narrow
  • No general purpose exception
  • Not clear that fair use circumvention is OK
  • May be used to penalize circumvention when there is no underlying “right” being protected (e.g., when protected work is in public domain)
mpaa v reimerdes
  • CSS is effective access control for DVDs
  • DeCSS circumvents it & has no other commercially significant purpose
  • Injunction against posting of DeCSS on websites or otherwise making it available
dvd cca v mclaughlin
  • Trade-secret misappropriation case (actually, a copyright case presented as if a trade-secret case).
  • CSS = proprietary information; DVD-CCA took reasonable steps to maintain secret
  • Inference: someone must have violated clickwrap license forbidding reverse engineering
  • Breach of agreement was improper means
  • Even though DeCSS on web for 4 months, not to enjoin would encourage posting trade secret on Web
digression elements of trade secret law
  • Information that can be used in business that is sufficiently valuable & secret as to afford an economic advantage to the holder
  • Outgrowth of unfair-competition law
  • No “exclusive rights” as such, but protected vs. use of improper means & breach of confidence
  • Independent development & reverse engineering are legitimate ways to acquire a trade secret
  • Relief generally limited to period in which independent development would have occurred
implications of dvd cca
  • Anti-reverse engineering clauses are common in software licenses; enforceability much debated
  • Judge treat information obtained through alleged reverse engineering as trade secret
  • Johansen didn’t reverse engineer, nor did many posters, yet held as trade secret misappropriators
  • Judge enjoined information that had been public for several months may be error
hollings bill tech mandates cbdtpa
Hollings Bill/Tech Mandates/CBDTPA
  • W/in 1 year, makers of computers and consumer electronics, consumers and copyright owners should develop standards and encoding rules.
  • If the private sector fails to agree, FCC develops standards. (Linked to DTV policy)
  • All "digital media devices" -- TVs, audio and video players, and PCs, as well as many other devices -- must respond to those standards.
  • Rules would have to preserve fair-use rights, e.g., educational/research purposes and some consumer copying.
  • Digital technology has posed many difficult questions and problems for copyright law
  • Much remains in controversy; how current cases are resolved matters a lot
  • Possible to build balance into law, but US “selling” broad anti-circumvention rules.
  • Gap in perception about law between copyright industry and the public
  • Easier to see the risks than the opportunities

Legal and Regulatory Tutorial

Consumer Privacy Overview

INET 2002

June 18, 2002

Jim Dempsey


Three Branches of Privacy

1. Consumer privacy - the right of individuals to control information about themselves generated or collected in the course of a commercial interaction. Referred to in Europe as "data protection."

2. Government records - the right of individuals to fair treatment of PII "voluntarily" submitted to the gov't - tax, welfare, property records.

3. Search and seizure law - right of individuals against unreasonable gov't privacy intrusions involving coercion. In the US, based on the Constitution's 4th Amendment.

the online privacy problem
The Online Privacy Problem
  • Online Privacy Risks
    • Collection of information to an extent never before possible: click-stream data, location information.
    • Aggregation of data across time, space, applications, vendors - creating a detailed dossier of activity and thought.
    • Retention is cheap and easy.
    • Distribution is cheap and easy too.
  • An Enduring Cause of Public Concern
    • Survey data and business experiences show that privacy is a major consumer concern and impediment to e-commerce. (Irony: Most do nothing about it.)

Fair Information Practices

  • Consumer privacy protection in the US and Europe, as well as under the guidelines of the OECD, is based on the following principles:
  • 1. Notice - before the collection of data, the data subject should be provided notice of what information is being collected and for what purpose
  • 2. Consent/choice - an opportunity to choose whether to accept the data collection and use.
    • Opt-out versus opt-in: In Europe, data collection cannot proceed unless data subject has unambiguously given his consent (with exceptions).

FIPs (2)

3. Collection Limitation - data should be collected for specified, explicit and legitimate purposes. The data collected should be adequate, relevant and not excessive in relation to the purposes for which it is collected.

4. Use/Disclosure Limitation - data should be used only for the purpose for which it was collected and should not be used or disclosed in any way incompatible with those purposes.

5. Retention Limitation - data should be kept in a form which permits identification of data subject for no longer than is necessary for the purposes for which the data was collected.


FIPs (3)

  • 6. Accuracy - data must be accurate, complete and up-to-date; reasonable steps must be taken to ensure that inaccurate or incomplete data is corrected or deleted
  • 7. Access - a data subject should have access to data about himself, in order to verify its accuracy and to determine how it is being used
  • 8. Security - those holding data about others must take steps to protect its confidentiality
  • 9. Accountability/ Enforcement - through a combination of informal complaint resolution and law
the three components of effective privacy protection
The Three Components of Effective Privacy Protection
  • Privacy by design
  • Self-regulation/consumer education
  • Law
privacy by design
Privacy by Design
  • Building privacy into the technology.
  • Collection limitation
    • Don’t transmit, collect, retain, or share data unless essential
    • Example: Log retention
  • Authentication ≠ Identification
    • Limit personally identifiable data
    • Allow for anonymity, pseudonymity, proxies, trust agents
  • Enhance user control
privacy by design42
Privacy by Design
  • P3P - the Platform for Privacy Preferences
  • User control
      • E.g., Wireless location: Handset versus network
  • Privacy Enhancing Technology
      • Encryption
      • Anonymizers
      • Free or pre-paid services
      • Cash - the best privacy technology in the world
self regulation and consumer ed
Self Regulation and Consumer Ed
  • TRUSTe and BBB Online - seals
  • OPA guidelines -
  • DMA - do not call/spam/mail lists
  • Privacy policies

Privacy can and will be a source of competitive advantage (?)

the government access problem
The Government Access Problem
  • The best corporate privacy practices are of limited help if sensitive information is readily available through other means without adequate privacy protections.
  • Access can take place in the course of criminal investigations, or civil discovery in a range of contexts. The customer subject to a subpoena or court order need never have violated the law.
current federal privacy laws
Current Federal Privacy Laws
  • Fair Credit Reporting Act (1970)
  • Privacy Act (1974)
  • Right to Financial Privacy Act (1978)
  • Video Privacy Protection Act (1988)
  • Drivers Privacy Protection Act (1994)
  • Health Insurance Portability and Accountability Act (1996)
  • Children’s Online Privacy Protection Act (1998)
  • Title V of Gramm-Leach-Bliley(1999)
current federal privacy laws 2
Current Federal Privacy Laws (2)
  • Electronic Communications Privacy Act (1986)
  • Family Educational Rights and Privacy Act(1974)
  • Sec 445 of the Gen'l Educational Provisions Act
  • Privacy Protection Act (1980)
  • Sec. 222 of the Communications Act (1996)
  • Cable Communications Policy Act (1984)
  • Telephone Consumer Protection Act (1991)
eu data protection directive
EU Data Protection Directive
  • Implemented country-by-country
  • FIPs - obligations on "data processors"
  • Data protection commissioners
  • Exceptions
  • Transborder flow
    • Adequate level of protection
    • US - EU Safe harbor
example location based services
Example: Location-Based Services
  • Wireless devices provide desirable new services and generate sensitive information based on location
  • Logging is a critical issue. Records of location can be a tool for surveillance and a treasure trove in lawsuits.
  • Platform-Specific Difficulties
    • Constraints on privacy policies, privacy seals
    • Traditional opt-in/opt-out harder to present
    • What is meaningful notice and choice in the wireless context?
location based services 2
Location-Based Services (2)
  • Identification and Anonymity
    • Wireless data services appear to provide a clearer connection between a user’s activities and identity. Ex: Impact of sharing user phone number with wireless applications providers.
  • Meaningful notice and choice for consumers should be an essential part of the design of location-based services.
    • Key point: Authentication ≠ Identification
location based services 3 federal legislation
Location-Based Services (3) - Federal Legislation

(c) Confidentiality of customer proprietary network information.

(1) Privacy requirements for telecommunications carriers. Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable [CPNI] in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.

location based services 4 federal legislation
Location Based Services (4) - Federal Legislation

(f) Authority to use wireless location information. For purposes of subsection (c)(1), without the express prior authorization of the customer, a customer shall not be considered to have approved the use or disclosure of or access to--

(1) call location information concerning the user of a commercial mobile service (as such term is defined in section 332(d), other than in accordance with subsection (d)(4); or

(2) automatic crash notification information to any person other than for use in the operation of an automatic crash notification system.

hollings bill s 2201
Hollings Bill - S. 2201
  • Online only (FTC rulemaking for offline)
  • Opt-in for senstitive
  • Opt-out for non-sensitive
  • Private right of action - $500/violation
  • State AG enforcement
  • FTC rulemaking
  • Safe harbor for self-regulatory programs
stearns bill h r 4678
Stearns Bill - H.R. 4678
  • Online and offline
  • Opt-out for all info
  • "a" transaction with the consumer
  • No access provision
  • Broad preemption
  • Enforcement only by FTC
  • Current laws:
  • Legislative tracking:
  • International materials:
  • Privacy Design Principles for Justice Systems:
constitutional roots
Constitutional Roots

Fourth Amendment:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

the dichotomies of surveillance law
The Dichotomies of Surveillance Law
  • Criminal Justice vs. National Security
    • Suspicion of crime vs. agent of a foreign power
  • Live interception vs. Access to Stored Communications
    • Title III vs. search warrant vs. subpoena
  • Content vs.Traffic Data and Subscriber Identifying Data
    • T-III or warrant vs. subpoena
criminal justice surveillance
Criminal Justice Surveillance
  • Katz and Berger - S.Ct. 1967
  • Wiretaps are searches and seizures within the meaning of the 4th Amendment
  • Standard: Legitimate expectation of privacy
  • Title III - 1968, 18 USC 2510 et seq.
    • Probable cause
    • "Wire and oral"
electronic communications privacy act ecpa 1986
Electronic Communications Privacy Act (ECPA) - 1986
  • Added “electronic” to Title III, requiring warrant for real-time interception of email and other data communications
  • Stored e-mail - search warrant 18 USC 2701 et seq.
  • Court requirement for pen register and trap and trace devices 18 USC 3121 et seq.
    • Smith v. Maryland (1979) - dialed digits are not protected. They are voluntarily given to the phone company. People know that the phone company can and does record and use them for billing purposes.
    • Low standard (mere relevance)
    • Judicial rubber stamp - “shall approve”
national security foreign intelligence surveillance act
National Security - Foreign Intelligence Surveillance Act
  • FISA - 1978 - 50 USC 1801 et seq.
  • Agent of a foreign power - country, faction, international terrorist group
  • Non-criminal standard for non-US persons
  • Quasi-criminal standard for US persons
  • Purpose
  • Covers oral and electronic
  • Physical searches, pen/traps, business records
  • No extraterritorial application - Echelon
design mandates calea 1994
Design Mandates - CALEA 1994
  • Communications Assistance for Law Enforcment Act
    • Isolate and enable LE to intercept content
    • Isolate and intercept call identifying info
    • Deliver to LE
    • Unobtrusive and protects privacy and security
  • Did not change intercept standards
  • Applies to telecomm carriers, not info srvcs
usa patriot act 2001
USA PATRIOT Act - 2001
  • FISA - primary purpose
  • FISA - roving taps
  • FISA - access to stored records
    • Eliminated agent of foreign pwr standard
  • Pen/trap for Internet
  • Sharing - from LE to intell
  • Sneak and peek
  • Did not change intercept standards
  • No design mandates
the matrix

Acquisition in Real Time

Historical Information

Contents of Communications

Title III order or consent, generally

Warrant (for unopened email) or consent

Subpoena with notice (for files, opened email) or consent

Other Records

(subscriber and transactional data)

Pen register/ trap and trace order or consent

Subpoena (for basic subscriber info only), consent

2703 (d) “specific and articulable facts” court order (for all other non-content records), consent

The Matrix
real time acquisition of communications interception
Real-Time Acquisition of Communications (Interception)
  • Title III (18 USC 2511(1)) makes it a crime to :
    • eavesdrop on others’ communications
    • use or disclose illegally intercepted contents
  • Applies to oral/wire/electronic comms.
  • Violations may lead to
    • criminal penalties (5-year felony) [§ 2511(4)]
      • exception for first offense, wireless comms.
    • civil damages of $10,000 per violation
    • suppression(no use of information)
  • Publicly accessible system [§ 2511(2)(g)(i)]
    • open chat rooms, lists, web sites
  • Consent of a party
    • login banner
    • terms of service
  • System provider privileges
  • Court-authorized intercepts
system operator privileges
System Operator Privileges
  • Provider may monitor private real-time communications to protect its rights or property [§ 2511(2)(a)(i)]
    • theft of service
    • e.g., logging keystrokes of a suspected intruder
  • Provider may intercept communications if inherently necessary to providing the service
  • PATRIOT Act- trespasser - operator may invite in gov't
court authorized monitoring
Court-Authorized Monitoring
  • Requires a kind of “super-warrant”
    • a/k/a “Title III order” (or T-3)
  • Probable Cause
  • Exhaustion
  • Good for 30 days
  • Minimization requirements
  • Annual report
real time transactional records
Real Time Transactional Records
  • Pen register/trap and trace statute 18 USC 3121
  • Law enforcement may obtain a court order to gather prospective non-content information about a user, such as
    • numbers dialed
    • addresses on in/outbound e-mail
    • inbound FTP connections
    • where remote user is logging in from (dialup? remote IP address?)
stored communications subscriber identifying info and transactional records
Stored Communications, Subscriber Identifying Info and Transactional Records
  • Permissive disclosure vs. mandatory
    • “may” vs. “must”
  • Content of communications vs. non-content
    • content
      • unopened e-mail vs. opened e-mail
    • non-content
      • transactional records vs. subscriber information
  • Providers to the public and not to the public
penalties for stored records communications violations
Penalties for Stored Records & Communications Violations
  • Civil remedies [18 U.S.C. § 2707]
    • $1,000 minimum per violation
    • attorneys’ fees
  • Criminal remedies [§ 2701]
    • only for accessing stored communications without authorization (e.g., one user snooping in another’s inbox)
    • inapplicable to the provider [§ 2701(c)(3)]
subscriber content and the system provider
Subscriber Content and the System Provider
  • Any provider may freely read stored e-mail or files of its customers
  • While ECPA imposes no prohibition, contractual agreement with customer may limit right of access
public providers and permissive disclosure
Public Providers and Permissive Disclosure
  • General rule: a public provider (e.g., an ISP) may not freely disclose customer content to others [18 U.S.C. § 2702]
  • Exceptions include
    • subscriber consent
    • necessary to protect rights or property of provider
    • to law enforcement if contents inadvertently obtained, pertains to the commission of a crime
    • emergency
    • child porn
government access to stored communications content
Government Access to Stored Communications Content
  • For unretrieved e-mail < 181 days old stored on a provider’s system, government must obtain a search warrant [18 U.S.C. § 2703(a)]
  • Can warrant be served like a subpoena?
government access to stored communications content74
Government Access to Stored Communications Content
  • For opened e-mail (or other stored files), government may send provider a subpoena and notify subscriber in advance [18 U.S.C. § 2703(b)]
    • government may delay notice 90 days in certain cases (§ 2705(a))
    • no notice to subscriber required if not a provider “to the public”
non content subscriber info
Non-Content Subscriber Info
  • Provider may disclose non-content records to anyone except a governmental entity
  • Government needs
    • appropriate legal process
    • or consent of subscriber
  • Basic subscriber information - 2703(c)(1)(C)
  • Transactional records - 2703(c)(1)(B)
basic subscriber information
Basic Subscriber Information
  • Can be obtained through subpoena
  • Provider must give government
    • name of subscriber
    • address
    • local and LD telephone toll billing records
    • telephone number or other account identifier
    • type of service provided
    • length of service rendered
    • payment information
transactional records
Transactional Records
  • Not content, not basic subscriber info
  • Everything in between
    • past audit trails/logs
    • addresses of past e-mail correspondents
    • telephone toll records
  • Government may compel via a “section 2703(d) court order”
section 2703 d court orders
Section 2703(d) Court Orders
  • “specific and articulable facts showing that there are reasonable grounds to believe that [the specified records] are relevant and material to an ongoing criminal investigation”
  • A lower standard than probable cause
  • Like warrant (& unlike subpoena), requires judicial oversight & fact-finding
preclusion of notice
Preclusion of Notice
  • In criminal investigations, general policy is to avoid tipping off target
  • Under ECPA, government may ask a court to prohibit ISP from notifying subscriber that records have been requested from ISP [§ 2705(b)]
2703 f requests to preserve
§ 2703(f) Requests to Preserve
  • Government can ask for any existing records (content or non-content) to be preserved
    • no court order required
    • does not apply prospectively
  • Government must still satisfy the usual standards if it wants to receive the preserved data
  • Title III order - real time content interception
  • Warrant - unopened e-mail/voicemail
  • Pen/trap order - real time traffic data interception
  • § 2703(d) court order - transactional records
  • Subpoena
    • unopened e-mail >180 days old, or stored files (or opened e-mail?)
    • basic subscriber info
  • Higher-order process always valid
    • e.g., warrant can compel transactional logs
circuit switching
  • Dedicated facilities (wire pairs, time slice interval, etc.) used only for that call
  • Physical appearances
  • Any point along the path receives both directions of the entire call
  • SS7 - separate paths for signaling and content
tapping the internet
Tapping the Internet
  • Each packet has source and destination address.
    • Source address may be forged with little effort.
    • Different packets can take different paths, though they usually don’t over reasonably short time scales.
    • Return packets often take a different path through the backbone.
  • Global - doesn't follow real-world geography
  • Layered architecture.
    • Fields at different layers may be intended for different parties
    • One layer’s content is another layer’s signaling.
  • Signaling is "in-band."
  • Intelligence at the edges, not the middle.
international debates
International Debates
  • Data retention
  • COE cybercrime convention
    • Crimes
    • Intercept and search and seizure procedures
    • Transborder cooperation
  • Jurisdictional issues
  • US:
  • 010911:
  • International:
  • CALEA, wiretap overview, cybercrime, etc:

Legal and Regulatory TutorialFree Expression


June 18, 2002

John Morris

  • First Amendment Basics
  • Governmental Efforts to Regulate Content
    • Adults, Minors, Filtering and other topics
  • Defamation
  • ISP Liability
  • International Approaches to Content
  • Transnational Efforts to Regulate Content
first amendment basics
First Amendment Basics
  • The First Amendment
    • “Congress shall make no law ... abridging the freedom of speech, or of the press .…”
  • Applies to States under the Fourteenth Amendment
  • Does not apply to private entities or individuals
first amendment basics 2
First Amendment Basics (2)
  • Prohibits criminal prosecutions for “protected” speech
  • Prohibits “prior restraints”
    • Unless “compelling governmental interest” and the restraint is the “least restrictive means” to further that interest
  • Not all speech protected
    • “Fire,” obscenity, child pornography
first amendment basics 3
First Amendment Basics (3)
  • Historically, First Amendment protected newspapers and pamphleteers
  • Then telegraph, then radio, then television ….
  • But the government could regulate radio and TV more than newspapers
    • Why? a scarce resource, invasive, pervasive
first amendment basics 4
First Amendment Basics (4)
  • How about the Internet?
    • Government argued that the Internet should be treated under the First Amendment just like television
      • Audio & video over TV screen-like device
    • Free speech advocates argued that the Internet was even more open and democratic than newspapers
      • Open to all, everyone could speak for little or no money, users must request content
first amendment basics 5
First Amendment Basics (5)
  • ACLU v. Reno, District Court 1996
    • Four key characteristics of the Internet: “First, the Internet presents very low barriers to entry. Second, these barriers to entry are identical for both speakers and listeners. Third, as a result of these low barriers, astoundingly diverse content is available on the Internet. Fourth, the Internet provides significant access to all who wish to speak in the medium, and even creates a relative parity among speakers.” (Judge Dalzell)
  • Reno v ACLU, Supreme Court 1997
    • Affirmed conclusion that Internet deserves the highest level of First Amendment protection
governmental efforts to regulate content
Governmental Efforts toRegulate Content
  • Main battleground: sexual content
  • Communications Decency Act (“CDA”)
    • permitted criminal charges against anyone who “uses any interactive computer service to display in a manner available to a person under 18 years of age” material that is “indecent”
  • Two huge problems:
    • vague concept of “indecency”
    • “display in a manner available to” a minor
content regulation indecency
Content Regulation: Indecency
  • Passed in early 1996 and immediately challenged by American Civil Liberties Union, American Library Assoc., others
  • Plaintiffs had to teach Internet to the courts
  • Plaintiffs argued that CDA “ineffective” and not “least restrictive means”
  • Plaintiffs advanced filtering technology as a good alternative
content regulation harmful to minors
Content Regulation:Harmful to Minors
  • CDA struck down in ACLU v. Reno
  • Second try by Congress: Child Online Protection Act (“COPA”)
  • Very similar to CDA, but aimed at content that is “harmful to minors”
content regulation harmful to minors 2
Content Regulation:Harmful to Minors (2)
  • ACLU v. Reno II, District Court strikes down COPA for many of the same reasons that CDA was struck down
  • Third Circuit Court of Appeals strikes down COPA because of “community standards” problem
  • Ashcroft v. ACLU, Supreme Court sends case back to Third Circuit to reconsider
content regulation national academy of sciences study
Content Regulation: National Academy of Sciences Study
  • Key findings:
    • 3/4 of adult content is overseas
    • Laws prohibiting sexual content will not be effective
    • Filtering software can be a useful tool to protect kids
    • Educating kids about Internet safety is critical
  • Swimming pool analogy:
    • “An analogy is the relationship between swimming pools and children. Swimming pools can be dangerous for children. To protect them, one can install locks, put up fences, and deploy pool alarms. All of these measures are helpful, but by far the most important thing that one can do for one's children is to teach them to swim.”
content regulation filtering
Content Regulation: Filtering
  • Mainstream Loudoun v. Board of Trustees of the Loudoun County Library
    • Unconstitutional for library to impose filtering software on all users, including adult users
  • Children’s Internet Protection Act (“CIPA”)
    • Requires that any library that receives federal fund must use filtering software
    • American Library Association v. United States strikes down CIPA as unconstitutional prior restraint
  • Basic off-line rules apply online
  • But a defamation can reach much farther
    • Young v. New Haven Advocate appeal to Fourth Circuit Court of Appeals
  • But what about an ISP? Liable for defamation of customer?
    • Off-line rule looks at control over and responsibility for defamation
isp liability
ISP Liability
  • Cubby v. CompuServe
    • 1991 case that concluded that online service was like a library, and could not be liable for content posted to it
  • Stratton Oakmont v. Prodigy Services
    • 1995 case that decided that online service providers could be held liable for the posting of an anonymous user to a message board
isp liability 2
ISP Liability (2)
  • Communications Decency Act of 1996:
    • 47 United States Code Section 230(c)(1): “No provider or user of an interactive computer service shall be treated as a publisher or speaker of any information provided by another information content provider.”
    • Numerous cases upholding validity of this element of CDA
isp liability 3
ISP Liability (3)
  • Protection from liability for ISPs is critical for free speech
    • Freedom from government censorship is far less valuable if no privacy Internet service provider will allow particular content
    • Recall that First Amendment does not apply to private entities like ISPs
    • ISP’s “Terms of Service” gain increasing importance
isp liability 4
ISP Liability (4)
  • Some other countries take the same approach to ISP liability
    • “Providers shall not be responsible for any third-party content to which they only provide access.” Sec. 5(3), Information and Communication Services Act, Germany.
isp liability 5
ISP Liability (5)
  • EU E-Commerce directive
    • "Mere conduit" - service provider is not liable
    • "Caching" - service provider is not liable for automatic, intermediate and temporary storage for the sole purpose of efficiency
    • Hosting - service provider not liable if it does not have knowledge, and, upon obtaining knowledge, acts expeditiously to remove or disable access
    • No general obligation to monitor
international approaches to content
International Approachesto Content
  • Numerous countries seek to control Internet content/access through variety of means
  • Many attempt direct regulation and censorship
  • The European approach looks to “self regulation” through industry codes of conduct
direct government control
Direct Government Control
  • Many governments seek to control Internet content
    • China - censor domestic and foreign content
    • Singapore -- blocks access to specific web content
    • Saudi Arabia - filters all Internet traffic through single central server
    • Syria -- runs the only ISP in the country
    • Australia - applies film content standards to Web sites
    • Sweden - requires violent content to beremoved from Web sites
european approach
European Approach
  • Encourages self-regulation
    • promotion of industry self-regulation and content-monitoring schemes
    • encouraging industry to provide filtering tools and rating systems
    • increasing awareness among users, in particular parents, teachers and children
  • ICRA - International Content Rating Association
  • Increasingly resorting to direct action
universal declaration of human rights article 19
Universal Declaration ofHuman Rights -- Article 19
  • “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive, and impart information and ideas through any media and regardless of frontiers.”
    • (300 lang.)
european convention of human rights article 10
European Convention ofHuman Rights, Article 10
  • “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and receive and impart information and ideas without interference by public authority and regardless of frontiers.”
article 10 permitted restrictions
Article 10: Permitted Restrictions
  • these freedoms -- may be subject to such ... restrictions or penalties as are prescribed by law and are necessary in a democratic society --
    • in the interest of national security, territorial integrity or public safety,
    • for the prevention of disorder or crime,
    • for the protection of health or morals,
    • for the protection of the reputation or right of others,
    • for preventing the disclosure of information received in confidence or
    • for maintaining authority & impartiality of judiciary.
echr principles for judicial review
ECHR Principles forJudicial Review
  • Exceptions must be narrowly interpreted
  • The necessity for any restrictions must be convincingly established
  • The state must claim a pressing social need
  • BUT states are granted a “margin of appreciation”
internat l covenant on civil and political rights article 19
Internat’l Covenant on Civil and Political Rights, Article 19
  • “Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.”
    • (Eng)
iccpr permitted restrictions
ICCPR: Permitted Restrictions
  • For respect of the rights or reputations of others;
  • For the protection of
    • national security
    • public order (ordre public), or
    • public health or morals.
american convention art 13
American Convention, Art. 13
  • “Everyone has the right to freedom of thought and expression. This right includes freedom to seek, receive, and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing, in print, in the form of art, or through any other medium of oneís choice.”
    • (English); (Espanol)
american convention art 13 3
American Convention, Art. 13.3
  • “The right of expression may not be restricted by indirect methods or means, such as the abuse of government or private controls over newsprint, radio broadcasting frequencies, or equipment used in the dissemination of information or by any other means tending to impede the communication and circulation of ideas and opinions.”
african charter on human rights
African Charter onHuman Rights
  • "Every individual shall have the right to receive information. Every individual shall have the right to express and disseminate his opinions within the law." Article 9.
  • Individuals should exercise their freedoms "with due regard to the rights of others, collective security, morality and common interest." Art. 27
    • (English)
    • (FranÁais)
transnational efforts to regulate content
Transnational Efforts toRegulate Content
  • French Court Action against Yahoo, Inc.
    • Imposing fines on U.S. company for Nazi related content posted on U.S. web site
  • Yahoo, Inc. v. La Ligue Contre Le Racisme et L'Antisemitisme (LICRA)
    • California Federal Court holding that French court lacked jurisdiction over Yahoo
  • French criminal charges against Yahoo CEO
transnational efforts to regulate content 2
Transnational Efforts toRegulate Content (2)
  • Other countries are following France’s lead:
    • Italy -- claims global jurisdiction for libel
    • Germany -- claims similar jurisdiction
    • Australia -- asserted jurisdiction over Wall Street Journal in defamation case
  • Enormous threat to Internet posed by 100+ nations attempting to impose their local law on Internet speakers worldwide
highlights of other free expression issues
Highlights of Other Free Expression Issues
  • Spam and “Commercial Speech”
  • Software code as speech
  • Anonymous speech
  • Regulation of, and free speech rights of, Internet access carriers
but who really makes the rules for the internet
But Who Really Makes the Rules for the Internet?
  • Historically “unregulated”
  • Current inclination against regulation
  • Constitutional & legal problems with laws
  • Laws & regulations often ineffective
is the internet unregulated
Is the Internet “Unregulated”?
  • Much rhetoric among advocates and policymakers that the Internet is “not regulated”
  • But, the Internet is built on top of highly regulated telecommunications system
  • Nevertheless, Internet is largely unregulated
reasons to keep the internet unregulated
Reasons to keep the Internet “unregulated”
  • Innovation and competition have flourished on the largely unregulated Internet
  • Unique nature of Internet creates constitutional problems for regulations
  • Global nature of Internet means national laws and regulations are often ineffective
    • Regulated content moves offshore
    • Varying standards for content among nations
increasingly rules are set by the technology itself
Increasingly, Rules are Set by the Technology Itself
  • Technical requirements, not laws, often govern how people can use the Internet and what constraints are placed on them
  • For example, decentralized nature of Internet means that direct content censorship is impossible in the United States (but not impossible in some other places)
examples of the impact of technical design decisions on policy concerns
Examples of the Impact of Technical Design Decisions on Policy Concerns
  • Anonymity and IP Version 6
  • Cookies
  • Wireless location information
  • Open Pluggable Edge Services (OPES)
who makes these technical design decisions
Who Makes These Technical Design Decisions?
  • Private companies
    • Instant messaging example
  • Private technical standards setting bodies
types of standards bodies
Types of Standards Bodies
  • Core Internet Standards Groups
    • Internet Engineering Task Force (IETF)
    • World Wide Web Consortium
  • Core Telecommunications Stand’ds Groups
    • International Telecommunications Union (ITU)
    • Joint Technical Committee 1 of the Intern’l Organization for Standardization (JTC1/ISO)
    • Committee T1 of the Alliance for Telecommun. Industry Solutions (T1/ATIS)
types of standards bodies 2
Types of Standards Bodies (2)
  • Secondary Technical Standards Groups
    • European Computer Manufacturers Association (ECMA)
    • 3rd Generation Partnership Project (3GPP)
    • ENUM Forum
    • Open eBook Forum
  • Supporting Standards Groups
    • Internet Mail Consortium (IMC)
public policy concerns about the work of the standards bodies
Public Policy Concerns about the Work of the Standards Bodies
  • Very little public awareness of work of standards bodies
  • Very little public input into work
  • Highly technical nature of work hinders public participation
  • But, government control is not the answer
    • Geopriv, OPES working groups at IETF
additional resources on internet law and public policy issues
Additional Resources on Internet Law and Public Policy Issues
  • (for lots of good links)