The Internet, Information and the Culture of Regulatory Change: a Modern Renaissance

THE INTERNET, INFORMATION AND THE CULTURE OF REGULATORY CHANGE: A MODERN RENAISSANCE

Christopher Paul Boam*

The Internet's fundamental characteristics-a * 304 million people have Internet access- borderless, faceless and paperless environment- 45% are in the United States and Canada;' support its seemingly limitless use as a tool for * nearly one-third of U.S. households are reg- business but also present significant challenges. ular Internet users; The same technology that allows the smallest en- * in 1998, the "Internet economy" generated trepreneurs to enter millions of households over $300 billion in total revenue in the throughout the world also subjects them to innu- United States alone; merable, conflicting foreign laws and jurisdic- * "commercial activity" on the Internet is ex- tions, magnifying the legal impact of content er- pected to reach $100 billion in revenues in rors. The ability to enter the households of 1999; millions of unknown persons poses difficult chal- * North American retailers generated $14.9 lenges of identification, privacy and security. And billion in online sales in 1998 and expect at to magnify concerns, once a business "enters" least $36 billion in 1999 (a 145% increase); these households, the opportunity to conclude 0 Internet traffic continues to increase-visi- thousands of transactions without face-to-face tors to retail sites rose 300% in 1998 and on- contact and signed paper contracts raises addi- line retail orders grew by 200%.2 tional issues of transaction validation and authen- Of course, this kind of data changes from tication. It is precisely this "equality of access" to month to month, but updates of both actual and new markets and customers that renders tradi- projected data consistently show ever-increasing tional notions of the relevant "geographic" mar- commercial activity. ket and customer ineffective. The collective im- Out of this ever-increasing growth has come the pact of these peculiar characteristics of the desire for regulation and application of tradi- Internet on traditional notions of business not tional legal notions to a very new paradigm. Op- only offers the greatest opportunities but also ex- ponents of Internet regulation proclaim that horts the most challenging legal issues. neither the law nor its mechanisms of enforce- The Internet's recent effect on traditional busi- ment could hope to keep pace with the techno- ness is due in part to the rapidity of its growth as a logical change of the Internet. True enough, the medium and in part to the potential for business very infrastructure, applications and variations on growth. For a perspective on the Internet's busi- content (and the legal issues that come with those ness potential and consumer reach, consider the variations) have changed greatly since the In- following: ternet was developed by the Advanced Research

* Mr. Boam practices administrative and corporate law ITAL ECONOMY, at http://www.esa.doc.gov/de2k.htm (June with a specialization in telecommunications and new technol- 2000). ogy issues. He received his B.S. from the University of Scran- 2 See State of Online Retailing, Summary of Key Findings, ton in 1992 and his J.D. from the Catholic University of SHOP.ORO RESEARCH, at http://www.shop.org/research/sum- America in 1998. Mr. Boam has published articles in many mary.htm (July 1999); Shop.org Releases New Market Figures in a domestic and international journals on the topics of telecom- Study by The Boston Consulting GROUP, SHOP.ORG RESEARCH, at munications and Internet law. Most recently, he published an http://www.shop.org/nr/99/071999.html (July 19, 1999); article titled The Internet and Jurisdiction:International Principles Michele Masterson, Shop. org Suggestionsfor Successful E-Tailing, Emerge But Confrontation Looms, in the JOURNAL OF WORLD IN- E-COMMERCE GUIDE, at http://ecommerce.internet.com (July TELLECTUAL PROPERTY, at 3J. WORLD INTELL. PROP. 1 (2000). 1999). 1 See UNITED STATES DEPARTMENT OF COMMERCE, THE Dic- COMMLAW CONSPECTUS [Vol. 9

Projects Agency of the U.S. Defense Department. for companies to identify and respond to cus- To apply law to a virtual environment would be as tomer preferences and demand. However, the fruitless as an attempt to "grasp" a river-once availability of, and access to, customer informa- you place your hand into the flow, the water you tion and the increasing economic value of such 3 grasped is gone. information has raised concerns among consum- The purpose of this paper is twofold. The first ers and regulators regarding the potential for mis- two sections of the article outline legal develop- use of private information. Consequently, the pri- ments regulating content and asserting jurisdic- vacy of customers is a critical issue that any tion over the Internet. The third section of the Internet business must address at the outset. How- paper suggests that Internet regulation is a gras- ever, a few other initial concerns are vital predi- pable "river." Despite the fact that the Internet cates. may never be regulated like a broadcast medium, we can and should try to develop regulations. Any A. The Concern for Privacy Must Begin With attempt to set legal policy for the Internet should Security and Self Regulation be centralized with delegated regulatory tasks closely monitored. Policy-making at the national The technical nature of the Internet medium level should, in the near term, pursue a goal to- poses one of the most potentially difficult chal- ward international standard setting. When you lenges to its utilization. Given that e-commerce is consider the widely divergent ways in which con- dependent on computer-based applications, any tent regulation and jurisdictional notions have de- venture can become mired in issues of content veloped, the second suggestion is likely self-evi- portability, transmission speed and the all-impor- dent. tant element of transactional security. The key to security in business transactions I. REGULATION OF CONTENT IN THE where the customer is unseen is both identifying DIGITAL FRONTIER and then retaining the trust of the customer. The same is true for the Internet. The importance of Information is the basic commodity of the elec- this issue cannot be overemphasized. Most often, tronic superhighway. The key to success in the Internet-based businesses will require first-time emerging electronic marketplace will be a com- customers to enter basic information about them- pany's ability to gather and utilize information selves, at the very least: a username, a password from and about its customers quickly and effi- (to use the system with your username in the fu- ciently. Such data is a prerequisite for conducting ture) and an e-mail address. Once the customer e-commerce. Traditional face-to-face verification decides to perform a transaction on the site, the techniques, such as hand-checking credit cards, business typically requests additional information, driver's licenses or signatures are unavailable. In including name, address, phone number and the absence of any cash transactions, the identifi- method of payment. With the privilege of asking cation of customers and authentication of transac- consumers for this information comes the obligations and payments become even more impor- tion to ensure the security of the information tant. The collection and use of customer from unwanted use or intrusion. Internet business information also offer tremendous opportunities security issues are commonly divided among hard-

3 For instance, in one attempt to visually represent the tion, CAIDA also has developed a tool for viewing an infra- breadth and speed of global Internet connectivity, the Coop- structure map of multiple Internet backbone providers si- erative Association for Internet Data Analysis ("CAIDA"), a multaneously and for "updating and correcting that may be cooperative nonprofit research organization, published a invalid or out of date." COOPERATIVE ASSOCIATION FOR IN- graphical representation-a "snapshot"-of the Internet TERNET DATA ANALYSIS, ABOUT MAPNET, at http://www.caida. core taken from data collected during a 16-day period in Jan. org/tools/visualization/mapnet/Backbones (last updated 2000. COOPERATIVE ASSOCIATION FOR INTERNET DATA ANALY- Aug. 7, 2000). With the assistance of various backbone prov- SIS, VISUALIZING INTERNET TOPOLOGY AT A MACROSCOPIC iders supplying data and information on their trunk routes, SCALE, at http://www.caida.org/analysis/topology/as-core_ the Mapnet software will overlay all routes or select routes network (last updated Jan. 19, 2001). The visualization is a individually on a world map. Id. The lack of high-speed composite of 220,533 Internet Protocol ("IP") addresses routes connecting to mid-Asia, Africa and southern South (374,013 links and 154,104 target destination IP addresses) America gives a stark representation of who are the "haves" from paths obtained in the merger of three separate sets of and "have-nots" with regard to high-speed Internet connec- data. Id. In addition to the graphical topology representa- tivity. 20011 The Internet, Information and the Culture of Regulatory Change ware (physical security concerns) and privacy con- in early 2000, federal law enforcement authorities cerns. increasingly sought the help of computer profes- Among the hardware-related security issues to sionals to combat "cyber-assaults." Following the consider are: securing the web server 4 and busi- incursion of the "Love bug" virus, which brought ness data, securing transactional information (be- down computer networks across the globe in tween the server and consumer), and in some April 2000, a special multination session in Paris cases, securing the consumer's computer or net- was convened to discuss Internet security and co- work. Security risks to e-commerce run the gamut operative enforcement.9 All countries participat- from "eavesdropping" and "packet sniffing" of ing in the conference, including the United transactional data,5 to cracking passwords and ex- States, Japan, Russia, France, Great Britain, Swe- ploiting system flaws by hackers. Most security den and Brazil already had cooperated in "a ser- measures begin with installation and maintenance vice called 24/7 under which authorities [of any of computer "firewalls"' to protect the business's nation could] request help from participating internal systems and data, and modes of encryp- countries at any time" in the event of a cyber- tion to disguise and protect information during threat.'0 The conference concluded without for- an e-commerce transaction. mal recommendations, as designed, but the dis- Consider the security breach of Hotmail, cussions proved instrumental in developing policy Microsoft's Web-based e-mail service in late Au- proposals for subsequent G8 summits. gust 1999. The breach occurred when several nonpublic Web addresses, "Hotmail holes," were B. The Privacy Policy discovered that allowed access to e-mail accounts without use of a password. 7 During the several Many Internet businesses are now using "pri- days that it took Microsoft to close the holes, un- vacy policies" to inform customers of the web- authorized users could read and forward mem- sites's information practices. Typically, websites bers' old messages, read new messages and send will communicate a privacy policy via a link at the e-mail under the name of the user without use of bottom of the main page of the site. At a mini- a password. 8 This example reinforces the notion mum, such privacy policy should: (1) be easy to that supporting policies and practices are just as understand and prominently posted at the web- important as hardware and software concerns. site; (2) identify the site administrator and how Not only should consumers be aware of what se- he/she can be contacted; (3) disclose what infor- curity measures a company has taken, but also mation is collected; (4) describe how collected in- both company staff and customers should be formation is used (e.g., disclose how "cookies" are aware of what steps they must take to ensure that used), including whether such information is dis- security measures are effectively applied to indi- closed to third parties and the conditions of such vidual transactions. disclosure; and (5) provide a method by which In the wake of the several high profile and in- persons may restrict the use or disclosure of such ternationally disruptive Internet security threats information (an "opt-out").' 1

4 See NEWTON'S TELECOM DIcrIONARY 947 (16th ed. and software [that] limits the exposure of a computer or 2000). A web server is "a powerful computer [that] is con- group of computers to an attack from outside"). nected to the internet or an intranet. It stores documents 7 See Robin Lloyd, Hotmail Hole Still Wide Open, CNN IN- and files . . . and can display them to people accessing the TERACTIVE, at http://www.cnn.com/ tech/computing/9908/ server via hypertext transfer protocol ('http')." Id. 30/hotmail.04 (Aug. 30, 1999). 5 See Chris Hardie, Independent Study on Electronic Security, 8 See id. at http://www.summersault.com/chris/techno/security/ 9 See Nancy Weil, Global Panel Issues Internet Security Recom- glossary.html (last visited Feb. 11, 2001). Packet sniffing is: mendations, CNN.coM, at http://www.cnn.com/2000/ [t]he process of trapping and analyzing network traffic TECH/computing/05/18/global.security.idg/index.html that passes through a network interface, even if that traf- (May 18, 2000). fic's final destination is not at that interface. This has 10 Anne Swardson, Multi-Nation Conference Confronts Cyber- become a more common process over the years as more crime, WASHINGTON POST, May 17, 2000, at A] 8. One example tools have been developed to do the sniffing and organ- of 24/7's success included an incident where Thai authorities ize the information obtained in a reasonable manner. agreed to prosecute a medical entrepreneur in Thailand who Id. was issuing prescriptions in response to Internet orders and 6 See NEATON'S TELECOM DICTIONARY 346-47 (16th ed. then shipping them to the United States. Id. 2000) (defining firewalls as "[a] combination of hardware 11 See FEDERAL TRADE COMMISSION, PRIVACY ONLINE: FAIR COMMLAW CONSPECTUS [Vol. 9

In an attempt to forestall further government "rules" of disclosure and use. Therefore, any com- regulation, and with the tacit encouragement of pany should carefully consider the nature of the the Clinton administration and congressional information to be collected and how that informa- Republicans, a number of companies, associations tion may be utilized in the future. Acting contrary and business organizations have been working ag- to a posted privacy policy may create serious legal gressively over the past several years to promote liabilities and result in an administrative enforce- awareness of privacy issues and to develop volun- ment action. For example, the Federal Trade tary online privacy practices. A consortium of In- Commission ("FTC") stated in 1998 that the use ternet companies formed the Electronic Com- or dissemination of personal information in a merce and Consumer Protection Group, which manner contrary to a posted privacy policy is a published "Guidelines for Merchant-to-Consumer "deceptive practice" under the Federal Trade Transactions and Commentary" (the "Guide- Commission Act.' 6 2 lines").' In addition to defining the components On July 10, 2000, the FTC brought an action in of an e-commerce transaction and discussing U.S. District Court for the District of Massachu- "best practices," the Guidelines suggest basic rules setts to stop the sale of customer information by for providing: merchant contact information; de- Toysmart.com which was allegedly in violation of scriptions of marketing practices; information its privacy policy. 17 However, Massachusetts Dis- about the goods or services provided; necessary trict Court Judge Carol Kenner ruled that "in the information about the transaction; and all-impor- absence of a buyer, the commission's action was tant order cancellation, return and refund poli- premature.""' Regardless of a buyer at this stage 13 cies. The Internet Advertising Bureau also an- of the Toysmart bankruptcy litigation, Pam Kogut, nounced a similar initiative in early July 2000.14 assistant attorney general for Massachusetts, ar- Many e-businesses also have contracted with pri- gued that consumers need to be put on notice vacy "audit and seal" organizations-firms that that details such as "children's names, ages and specialize in scrutinizing site policies for compli- toy preferences" might be compiled.' 9 ance with applicable law and prevailing consumer Similarly, Amazon.com announced to its cus- concerns about privacy. For example, TRUSTe, a tomers on September 5, 2000 that it had revised well-known privacy consulting firm, will audit and its privacy policy. The revised policy stated that certify compliant sites for a fee, and the e-business customer purchasing and other information, as is then allowed to display the TRUSTe mark on an asset of the company, could be sold with the 15 the site. company to a purchaser of its assets. 20 In addition Critical elements of any privacy policy are the Amazon "clarified" its policy, stating that it would actual implementation of and adherence to the not share customer purchasing information with policy once it has been adopted. After a policy has third parties but could share such information been relied upon by consumers in providing in- with business partners of Amazon.2 1 The difficulty formation, it is difficult to change the privacy with Amazon's revised policy is not in the content

INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE, at 17 See FTC v. Toysmart.com, No. 00-11341-RGS (D. Mass. http://www.ftc.gov/reports/privacy2000/privacy2000.pdf July 10, 2000), available at http://www.ftc.gov/os/2000/07/ (May 2000) [hereinafter PRIVACY ONLINE]. toysmartcmp.htm. 12 ELECTRONIC COMMERCE AND PROTECTION GROUP, 18 Bankruptcy Judge Passes on Toysmart.com, N.Y. TIMES, at GUIDELINES FOR MERCHANT-TO-CUSTOMER TRANSACTIONS AND http://www.nytimes.com/library/tech/yr/mo/biztech/arti- COMMENTARY, at http://www.ecommercegroup.org/guide- cles/18toys.html (Aug. 17, 2000). lines.htm (last modified June 6, 2000). 19 Id. 13 See id. 20 E-mail from Amazon.com, Inc. to customers (Sept. 5, 14 The "lAB Privacy Guidelines" can be viewed at http:// 2000) (received by and on file with the author). www.iab.net (last visited Feb. 11, 2001). 21 See id. As dot.com bankruptcies continue, the "ripple 15 This means that a private organization has reviewed effect" could bring to bear additional privacy-related con- the site to determine if it complies with its stated privacy pol- cerns. For instance, PSInet's third-quarter 2000 loss of $1.38 icy and applicable laws. See TRUSTE.COM, How THE TRUSTE billion was considered to be a prime reason the company re- PROGRAM WORKS, at http://www.truste.com/webpublishers/ considered its initial grant of support to T-Direct, Inc., a pub.how.html (last visited Jan. 25, 2001). Fairfax, Va. startup that had hoped to book flights, hotels 16 15 U.S.C. § 45 (1994); see Geocities; Analysis to Aid and rental cars for business travelers. See Kenneth Public Comment, 63 Fed. Reg. 44,624, 44,625 (Aug. 20, Brandemeier, The Ripple Effect, WASHINGTON POST, Nov. 20, 1998). 2000, at El. 20011 The Internet, Information and the Culture of Regulatory Change of its disclosures as to use of customer data but in with Internet advertisers toward a set of voluntary the timing of the announcement. Customers who privacy standards that companies would follow in had previously dealt with Amazon and deposited conducting "blind" profiling of Internet consum- information into the company's database did so ers. 25 The principle issue of continuing talks cen- without knowledge of its intentions for the data ters on the way companies should disclose profil- (if Amazon had always intended to use customer ing practices (most often conducted through the information in this fashion) or under the rubric use of "cookies"), and "how and when consumers of more restrictive privacy guidelines. Previously, should be able to exclude themselves from scru- 26 Amazon's prior privacy statement did not address tiny." the issue of customer information sale as being an Even with a privacy policy in place, businesses "asset" or being shared with its "business part- should be extremely wary of surprising consumers ners." with drastic changes in the way the company uses An investigation by the FTC led to an adminis- information. Consider Amazon.com's August trative proceeding against GeoCities for allowing 1999 decision to give consumers access to third parties to collect and use personally identifi- purchasing data organized by corporate or orga- able information from website users, contrary to nizational affiliation. Touting the new feature as a GeoCities' privacy policy, which ultimately re- "fun" way to encourage community building, Am- sulted in a consent decree.2 2 Since the GeoCities azon published such information as the top sell- consent decree, the FTC has engaged in periodic ing book among National Semiconductor employ- reviews of Internet content. Under the aegis of ees, "101 Nights of Grrreat Sex," and the most the agency's antitrust enforcement and consumer popular CD among employees at the FDIC, "Zoot protection jurisdiction,23 including scrutiny of any Suit Riot: Swingin' Hits of the Cherry Poppin' deceptive and misleading advertising, the FTC's Daddies." 27 Privacy experts were swift in their crit- Internet Task Force engages in "Internet surf icism of Amazon's actions, noting that to "high- days," where Task Force members review the ad- light data in your collection of customer 28 vertising and privacy claims made by certain sites. profiles . . . throws fuel on the fire," alienating Frequently, the FTC staff will e-mail a site adminis- consumers who are already fearful of how their trator, notifying the site of a violation and giving personal privacy can be invaded by the Internet. the site thirty days to comply with requested Amazon has since given consumers the ability to changes. Further, on May 3, 2000, the FTC issued opt-out of such lists, but the incident left many a working paper to assist Internet advertisers with consumers unnerved. applying the FTC advertising guidelines in an on- Amazon, however, seemingly did not learn 24 line environment. their lesson. In late September 2000, it was re- In addition to the issuance of the working pa- vealed that Amazon had been engaging in a sales per, the FJ7C has pledged to continue discussions strategy called "dynamic pricing," which "gauges a

22 See FEDERAL TRADE COMMISSION, GEOCITIES CORP. Holiday Shipping Promises, at http://www.ftc.gov/opa/ AGREEMENT CONTAINING CONSENT ORDER, FTC FILE No. 2000/11/etailersurf.htm (Nov. 17, 2000); Linda Rosen- 9823015, available at http://ftc.gov/o5/1998/O989/geo- crance, FTC Warns Online Retailers to Keep Holiday Shipping ord.htm (Aug. 13, 1998). Promises, COMPUTERWORLD, at http://www.cnn.com/2000/ 23 See 15 U.S.C. § 45(a)-(c); 15 U.S.C. § 57(f)(3)-(4); tech/computing/11/21/ftc.promises.idg/index.html (Nov. and 7 U.S.C. § 181 (1999). 21, 2000). The FTC had sued seven online retailers for viola- 24 FEDERAL TRADE COMMISSION, DOT COM DISCLOSURES, tions of the rule during the 1999 Christmas shopping season. at http://www.ftc.gov/opa/2000/05/dotcom.htm (May 3, Id. 2000). The working paper advises online advertisers that the 25 See Jeri Clausing, Can Internet Advertisers Police Them- same consumer protection laws that apply to commercial ac- selves? Washington Remains Unconvinced, N.Y. TIMES, June 14, tivities in other media apply online, and that any disclosures 2000, at CIO. required to prevent an ad from being misleading must be 26 Id. An agreement eventually reached with the Com- clear and conspicuous. Id. In late Nov. 2000, the FTC took a more proactive stance, warning more than 100 online retail- mission would include provisions for "fines and other disci- ers that if they made "quick ship claims" in order to entice plinary actions against companies that violate those standards consumers for Christmas sales and then do not fulfill the or- and collect information surreptitiously." Id. ders on time, they will be subject to penalties under the Mail 27 David Streffield, Who's Reading What? Using Powerful or Telephone Order Merchandise Rule. Press Release, Fed- 'Data Mining' Technology, Amazon.com Stirs an Internet Contro- eral Trade Commission, FTC Follows up on "Project Too- versy, WASHINGTON POST, Aug. 27, 1999, at Al. late.com" With "Surf" of E-tailers, Educational Campaign On 28 Id. COMMLAW CONSPECTUS [Vol. 9 shopper's desire, measures his means and then of respondents stated that they do not trust online charges accordingly."29 As a result, different Ama- companies to keep their personal information zon customers were purchasing, for instance, the confidential and 82% recommend legislative ac- same DVD at the same time but for different tion to rectify that lack of trust.3 5 eBay has indi- prices. 30 Amazon stated that the pricing model cated that it would "support minimal regulation if was a test, employed only briefly and that the com- [it] curtailed states' rights to impose a 'patchwork pany would not further engage in dynamic pric- of differing rules.' "36 Also, BellAtlantic's Internet ing." ' Within two weeks after the incident was re- division indicated that it would find "baseline" 7 ported, Amazon not only apologized but also rules to be useful. issued refunds to appease angry customers. 32 As Unfortunately, these concessions have come in before, Amazon revealed its intentions and the the wake of several high-profile deviations from substance of the corporate strategy, and then the industry's effort to self-police. DoubleClick, backtracked after unintended exposure and con- Inc. was widely criticized in March 2000 for its sumer furor. plan to match a massive database of consumers' Industry also has learned that the best of pri- catalogue shopping habits with information that vacy intentions may not be enough. The chief ex- the company routinely collects as Internet users ecutive officer of E-Loan, Inc., Chris Larson, dis- move from site to site. S3 DoubleClick has been covered that despite considerable investment in able to perform the latter service for clients by consulting and attention to privacy protection, his tracking Web user movement through banner ads company was still exposed and vulnerable to all it places on contracted sites. Until it announced the policies and practices of its e-business part- its purchase of Abacus Direct, Inc., DoubleClick ners. E-Loan touted a public image that its website did not have the ability to match Web user habits was "cookie free," which means that it did not with personally identifiable purchasing informa- compile user information unless requested to do tion, while Abacus Direct has collected informa- so, and spent $250,000 on a website privacy audit tion for years on the buying habits of catalogue 39 by PriceWaterhouseCoopers. 33 Much to Larson's shoppers. chagrin, the audit found that one subsidiary, Many prominent websites such as AltaVista and CarFinance.com, was still using cookies pursuant Kozmo.com quickly announced that they would to pre-existing contracts; a strategic partner, and no longer release visitor data to DoubleClick un- LiveCapital.com was operating a user-habit track- less the consumer expressly agreed to allow infor- ing, tool on E-Loan clients that linked to the Live- mation to be shared. 4° Soon after, DoubleClick Capital site. To make matters worse, the Internet abandoned its effort to merge the two data advertising firm DoubleClick, Inc. had been hired sources but not before several complaints were to track those who clicked on LiveCapital's ban- filed against it with the FTC. 4' Similarly, America ner ads placed on other websites (a practice often Online and Netscape Communications were sued called "floating a tracker") .3 4 in early July 2000 in the Southern District of New Many e-commerce executives have accepted the York for allegedly illegally tracking downloads by inevitability of further privacy regulation, noting Internet users in violation of the Computer Fraud that in the FTC's 2000 Online Privacy Survey, 92% and Abuse Act. 42 In early August 2000, America

29 David Stretfield, On the Web, Price Tags Blur, WASHINC- 37 Id. TON POST, Sept. 27, 2000, at Al. 38 SeeJim Hu, Consumer Group Blasts DoubleClick in Report 30 See id. to FTC, CNET NEws.CoM, at http://news.cnet.com/news//O- 31 See id. 1005-200-1561502.html (Mar. 1, 2000). 32 See Michael J. Martinez, Net Profit and Loss, ASSOCIATED 39 Id. PRESS, at http://www.abcnews.go.com/sections/tech/Daily 40 Id. News/amazon000929.html (Sept. 29, 2000). .41 See Evan Hansen, DoubleClick Postpones Data-merging 33 See Michael Moss, A Web CEO's Elusive Goal: Privacy Plan, CNET NEws.coM, at http://news.cnet.com/news/0- Checks and Inspections, E-Loans FindsIt's Still Tough to Bulletproof 1005-200-1562746.html (Mar. 2, 2000). a Web Site, WALI ST. J., Feb. 7, 2000, at Bi. 42 See Plaintiff's Complaint, Specht v. Netscape Comm. 34 Id. Corp. and America Online, Inc., Civ. Act. (S.D.N.Y. July 6, 35 The survey was based on data collected from a random 2000). Section 1030 of the Computer Fraud and Abuse Act sample of 335 websites. See PRIVAcY ONLINE, supra note 11. provides for penalties against "[w]hoever intentionally ac- 36 Jerry Clausing, Fate Unclearfor F'C's Privacy Push, N.Y. cesses a computer without authorization or exceeds author- TIMES, May 22, 2000, at Cl. ized access, and thereby obtains information from any pro- 2001] The Internet, Information and the Culture of Regulatory Change

Online agreed to remove the monitor feature Theft Act includes punishment by fine and up to from a technology it inherited by purchasing Net- twenty years imprisonment for an offense that is 4 3 scape Communications in 1999. committed to facilitate a drug trafficking crime in Nonetheless, privacy protection will not be un- connection with a crime of violence or subse- limited. In balancing First Amendment with Due quent to a prior conviction for identity misappro- 49 Process concerns, courts have been increasingly priation under the Identity Theft Act. reluctant to allow online critics to remain anony- More recently, federal legislation has addressed mous. For example, on June 14, 1999, the Califor- privacy concerns involving children and financial nia Superior Court enforced a modem company's information. The Children's Online Privacy Pro- request to unmask an anonymous online critic tection Act ("COPPA") was signed into law on Oc- posing as a Xircom employee, rejecting argu- tober 21, 1998.50 The statute institutes stringent ments that a subpoena would violate the critic's regulations for obtaining electronic information free speech rights. 4 4 The Court noted that there is from children under 13 years of age, including no right to defame. 45 Similarly, the Miami-Dade the necessary parental consent.51 The FTC rules County Circuit Court in Florida rejected the First implementing COPPA, effective April 21, 2000, Amendment arguments of several Internet critics apply the requirements to a website or online ser- who sought to protect their anonymity. The court vice directed to children that collects personal in- ordered that Yahoo! and America Online comply formation, or websites whose operators have "ac- with a subpoena and disclose the real names of tual knowledge" that they are collecting personal certain online service users "so that they may be information from children.52 In addition to post- 46 formally named as defendants in a libel case." ing a prominent link on the masthead page and a clear description of the site's information prac- 1. Federal Privacy Regulation tices, the rules require sites to display this prominent link wherever the site collects personal infor- Although the United States has encouraged mation. 53 The notice of information policy must self-regulation by industry, some basic federal pri- disclose: (1) the name and contact information of vacy protections have emerged. Federal legislative all operators collecting or maintaining children's efforts began by addressing the illegal misappro- personal information through the site; (2) the priation of information gathered from the In- kinds of information collected; (3) how the opera- ternet and other electronic sources. On October tor(s) use the information collected; (4) whether 30, 1998, President Clinton signed the Identity the operator(s) disclose the information to third Theft and Assumption Deterrence Act (the "Iden- parties; (5) that a parent has the option to agree tity Theft Act"). 47 The Identity Theft Act makes it to information collection while restricting its use illegal to (without consent) knowingly transfer or by third parties; (6) that the operator(s) may not use another person's identification means with require a child to disclose more information than the intent to commit, or to aid or abet, any unlaw- is reasonably necessary to participate in the activi- ful activity that constitutes a violation of federal ties of the site; and (7) that a parent can review law or that constitutes a felony under any applica- his/her child's personal information, ask to have ble state or local law. 48 Significantly, the Identity it deleted and refuse further collection of infor-

tected computer if the conduct involved an interstate or 48 Id. at § 1028. Although the Identity Theft Act strength- foreign communication." Id. at 51 (citing 18 U.S.C. ened controls on the privacy of personally identifiable con- § 1030(a) (1994)). sumer information, such protections had been introduced in 43 Steven Bonisteel, AOL to Cut Download 'Spying' Feature 1986. The Electronic Communications Privacy Act ("ECPA") from Netscape, COMPUTERUSER.COM, at http://currents.net/ of 1986, which amended Title III of the Omnibus Crime news/00/08/07/news 6.html (Aug. 7, 2000). Control and Safe Streets Act of 1968, had established proce- 44 Rebecca F. Raney, Judge Rejects Online Critic's Efforts to dures governing electronic surveillance. Electronic Commu- Remain Anonymous, N.Y. TIMES, at www.nytimes.com/library/ nications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. tech/99/06/biztech/articles/15identity.html (June 15, 1848 (codified as in scattered sections of 18 U.S.C.). 1999). 49 18 U.S.C. § 1028. 45 Id. 50 Children's Online Privacy Protection Act, 15 U.S.C. 46 Carl S. Kaplan, Judge Says Online Critic Has No Right to §§ 6501-6505 (Supp. IV 1998). Hide, N.Y. TIMES, at http://www.nytimes.com/library/tech/ 51 Id. at §§ 6501-6505. 00/06/cyber/cyberlaw/09law.html (June 9, 2000). 52 16 C.F.R. § 312.3 (1999). 47 18 U.S.C. § 1028 (Supp. IV 1998). 53 Id. at § 312.4(b) (1999). COMMLAW CONSPECTUS [Vol. 9 mation. 54 rule "matches the intentions of the legislation's 5 The Financial Services Modernization Act authors." ° ("FSMA"), enacted on November 12, 1999, stipu- This is not the first time that the FTC has lates that financial service companies must create "pushed the envelope" with regard to regulatory a privacy policy and clearly state it to consumers. 55 initiatives aimed at privacy protection. However, The data protection provisions in Section 5 of the FTC initiatives have not always garnered the full Act are implemented by the FTC and federal support of the administration or Congress. On bank regulators, including the FDIC, the Federal May 22, 2000, the FTC issued its third report to Reserve Board and the Office of the Comptroller Congress on "Fair Information Practices in the 56 of the Currency at the Treasury Department. Electronic Marketplace" ("Privacy Report") ,60 The Securities and Exchange Commission will which comments on the results of the Commis- oversee its implementation in the securities indus- sion's 2000 Online Privacy Survey ("Survey") and try, and state insurance commissioners will apply recommends legislation setting forth a "basic level it to insurers. Regulations implementing the of privacy protection for consumer-oriented com- FSMA, drafted through a cooperative effort mercial Websites."61 The proposed legislation among federal banking regulators, require finan- would have established basic standards of practice cial firms to tell customers about the types of non- for the collection of information online, specifi- public personal information that is shared with af- cally addressing notices of information practices, filiates and third parties. "Nonpublic" is defined opt-out choices, restrictions on third-party access by the Act as information gathered from consum- and reasonable security. Additionally, the legisla- 5 7 ers applying for financial products and services. tion would provide an implementing agency with In addition, the FTC has adopted a rule inter- the authority to promulgate more detailed stan- preting the FSMA broadly by defining "financial dards pursuant to the Administrative Procedure information" to include any personal information Act. Although not abandoning self-regulatory ef- gathered by a financial institution, including forts, the FTC points to Survey data establishing 62 names and social security numbers (often called that such efforts have been ineffective. "credit header" information). 58 Consequently, fi- Republican lawmakers found themselves in an nancial institutions, insurers, banks, retailers and odd alliance with the White House and Com- any other business issuing credit must offer cus- merce Department in opposing the legislative ac- tomers an "opt out" opportunity before allowing tion recommended by the FTC. Outgoing Com- credit bureaus to resell personal information. merce Secretary William Daley commented to The Credit bureaus and direct marketers are "up-in- New York Times that "legislation would not be nec- arms" over the new rule, complaining that the essary" if the industry could show that it was effec- FTC has gone far beyond the mandate of the tively policing itself.63 Publicly, both White House FSMA. A House Banking Committee spokesman officials and Billy Tauzin (R-LA), the previous confirmed to The Washington Post that the FTC's Chairman of the House Subcommittee on Tele-

54 15 U.S.C. § 6502 (Supp. IV 1998). the frequency of privacy disclosures, the FTC notes that only 55 See Gramm-Leach-Bliley Financial Modernization Act, 10% of the sites posted privacy policies touching on all four Pub. L. No. 106-102, 113 Star. 1338 (codified as amended in of the fair information practice principles. Id. at i. Of all sites scattered sections of 12 and 15 U.S.C.). surveyed, only 8% display a privacy seal as the result of a pri- 56 15 U.S.C. §§ 6801-6802 (Supp. V 1999). vacy audit. Id. 57 15 U.S.C. § 6809(4) (Supp. V 1999). 63 Steve Labaton, White House and Agency Split on Internet 58 Privacy of Consumer Financial Information, 165 Fed. Privacy, N.Y. TIMES, May 23, 2000, at C1 [hereinafter Reg. 33,646, 33,658 (May 24, 2000) (to be codified at 6 C.F.R. Labaton]. The Clinton administration's preference for e- pt. 313). This new rule will take affect on July 1, 2001. See id. commerce industry self-policing began in mid-1995 with pub- at 33,661. lication of the administration's White Paper on "The Global Information Infrastructure." NATIONAL ACADEMY OF SCIENCES, 59 Robert O'Harrow, FT'C Curbs PersonalData Sales, WAsI I. THE GLOBAL INFORMATION INFRASTRUCTURE, at http://www. INGTON PosT, June 2, 2000, at El. 60 PRIVACY ONLINE, supra note 11. ostp.gov/forum/html/giipaper.html (1995) In the White Pa- per, the administration emphasized that "the private sector 61 Id. at 36. should take the lead" with regard to regulatory oversight of 62 Id. at ii. The Survey notes that while almost all websites issues relating to "global electronic commerce and entertain- (92%) collect personal information from consumers, only ment services." Id. at 13. 14% disclose anything at all about how the information is used. Id. In addition, despite "significant improvement" in 2001] The Internet, Information and the Culture of Regulatory Change communications, Trade and Consumer Protec- work Advertising Initiative includes a provision tion, said that government should continue to rely stating that if participants violate the terms, they 68 on industry to police itself and that the White can be sued for deceptive advertising practices. House should have a deeper interest in promot- The FTC further agreed to allow Internet advertising privacy laws in other areas, including health ing companies to begin merging personally iden- care and financial services. 64 Republican FTC tifiable information with a person's online habits, Commissioner Orson Swindle also took issue with a practice that was largely decried when at- the FTC recommendations. He noted in his dis- tempted by DoubleClick in May 2000.69 sent to the Privacy Report that the report "is de- The Electronic Signatures in Global and Na- void of any consideration of the costs of legisla- tional Commerce Act, effective on October 1, tion in comparison to the asserted benefits of 2000, will increase the information collected enhancing consumer confidence. '65 Chairman through e-commerce and the corresponding pres- 70 Tauzin added, "with the finding that websites sure for privacy protection. Consumers will be have improved dramatically their privacy policies, able to choose whether to use an electronic or [the FTC is] now recommending legislation. It traditional handwritten signature in e-commerce transactions, but certain documents will still be re- seems to be a contradiction that needs to be un- 7 66 their full force. ' derstood." quired in paper form to carry Regulators, however, will be given the authority to Appealing to the sentiments of Congress and integrity standards that are re- the Clinton Administration, a consortium of ma- define document against fraud. Congressional au- jor Internet companies agreed on July 27, 2000 to quired to ensure thors of the legislation emphasize that businesses a resolution with the FTC that would allow In- and consumers should still take steps to ask ven- ternet companies to continue regulating them- dors what measures are in place to ensure authen- selves for the time being.67 The important differ- tication of signatures and how legally binding ence between this agreement and the prior tacit electronic signatures can be integrated into ongo- approval of self-regulatory measures is the FTC's ing transactions. 72 imposition of an enforcement mechanism. The agreement reached at the meeting with the Net-

64 Forthcoming national rules on privacy for health care reached with the FTC). information, preceded by the Health Insurance Portability 70 Electronic Signatures in Global and National Com- and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. merce Act, Pub. L. No. 106-229, 114 Stat. 464 (to be codified 1936 (codified in scattered sections of 42 U.S.C.), do not at 15 U.S.C §§ 7001-7006, 7021, 7031). mandate but will likely state that doctors should request that 71 Delaware adopted similar legislation on July 14, 2000. a patient sign a consent form before personally identifiable House Bill 492, the Uniform Electronic Transactions Act treatment and case information is made available on the In- ("UETA"), provides the legal framework for using digital sig- ternet for studies and other purposes. Robert Pear, U.S. Plans natures and enforceable electronic contracts in the state. 72 Tighter Rules on Medical Files' Privacy, but Some Want More Lim- Del. Laws 457 (2000) (to be codified at DEL. CODE ANN. tit. 6 its, N.Y. TIMES, Aug. 20, 2000, at A20. The rules will give §§ 12A-101-12A-117). heath care industries and insurance companies two years to 72 The European Parliament had similarly introduced a come in compliance. Id. However, it has been noted by sev- draft directive on the use of digital signatures, but perhaps eral medical ethicists that many physicians already feel ethi- because of technical difficulties, the draft remained tabled cally bound to use patient consent forms before entering in- until passage of the Electronic Commerce Directive, which formation. Id. passed in May 2000 and is discussed below. See European Par- 65 Privacy Online: Fair Information Practices in the Electronic liament and Council Directive on a Common Framework for Marketplace, 1, at http://www.ftc.gov/reports/privacy2000/ Electronic Signatures, EUR. PARL. DOC. (COM 297 final) privacy2000.pdf (2000) (dissenting statement of FTC Com- (1998). On Nov. 20, 2000, the European Commission an- missioner Orson Swindle). nounced a proposal to speed recognition of electronic in- 66 63, at C1. Labaton, supra note voices in all 15 Member States of the EU. SeeAlan Osborn, EC 67 John Schwartz & Robert O'Harrow, Online Privacy Code Calls for Broad Recognition of Electronic Invoices, TOTAL Gets FTC's Support, WASHINGTON POST, July 28, 2000, at E3. TELECOM, at http://www.totaltele.com/view.asp?ArticlelD= 68 See NETWORK ADVERTISING INITIATIVE, SELF-REGULA- 34047&pub=tt&categoryid=626 (Nov. 21, 2000). At present, TORY PRINCIPLES FOR ONLINE PREFERENCE MARKETING BY NET- in some EU Member States, electronic invoicing is prohib- WORK ADVERTISERS, at http://www.networkadvertising.org ited, whereas in others, e-invoicing has to be accompanied by (2000). parallel transmission of paper invoices. Id. The fact remains 69 Id. (reporting that, surprisingly, DoubleClick has that many businesses simply lack the technical ability and stated that it would abstain from merging its Abacus wherewithal to make use of digital signatures under the new databases with "blind" online data despite the agreement law. COMMLAW CONSPECTUS [Vol. 9

2. State Privacy Regulation have the right to access collected data, correct the data, object to data uses, oppose automated deci- Although the federal government has moved sions and seek judicial remedies. 79 Most impor- cautiously to address privacy concerns, many tandy, the Data Directive controls the extraterrito- privacy protections. 73 states have adopted online rial flow of such information by prohibiting the States with privacy statutes have been aggressively transfer of data to countries that do not provide enforcing them. The consequences of not adher- "adequate" privacy protection. 0 ing to a privacy policy were forcefully demon- A Safe Harbor agreement ("Safe Harbor") for strated in a suit against U.S. Bancorp ("Bancorp") U.S. companies under the EU Directive was finally 7 4 and its subsidiaries. On June 30, 1999, U.S. reached with the European Commission on May Bancorp agreed to a costly settlement of a suit 31, 2000. It applies the Data Directive basics to brought by Minnesota for Bancorp's practice of U.S. banks, airlines and multinational companies sharing customer account information without that build databases in the course of their opera- customer consent for the marketing of nonfinan- tions in Europe and want to transfer that data to 75 cial products. The attorney general of Minne- the United States.8' The United States will not be sota alleged the bank's transfer of confidential required to pass new laws regarding data protec- customer information to a direct-marketing firm tion in order to access the European market. was contrary to its published disclosure policy and Rather, companies wanting to transfer data from 76 violated various federal and state laws. Although Europe must register for "Safe Harbor" protec- the case was settled quickly, the financial and pub- tion with the U.S. Department of Commerce and lic relations consequences to the bank were sub- 7 7 declare publicly that they are following EU data stantial. protection rules.8 2 Companies will be subject to legal action by the FTC for "deceptive acts or 3. InternationalPrivacy Regulation, a Marked practices" if they "publicly disclose" and then do 8 3 Difference in Approach not follow the rules. Thankfully for U.S. e-businesses, the agreement For the most part, foreign governments have does not apply the rules to information collected been moving much more aggressively to respond by many commercial websites-a European visit- to consumer privacy demands. In 1995, the Euro- ing a U.S. site and leaving personal data on a re- pean Union ("EU") adopted its Data Directive to gistration form, for example, is not covered by the control the use of information from consumers agreement.8 4. But from the EU point of view, U.S. and specify their privacy rights. The Data Direc- websites would ignore this aspect of the Data Di- tive went into effect in October 1998 and requires rective to their peril as the Internet may later be companies to ensure that data is: (1) collected covered by the EU Data Directive. The European only for specific purposes; (2) accurate and cur- Parliament recently issued an opinion that the 78 rent; and (3) discarded once no longer needed. Safe Harbor does not offer adequate protections, Under the Data Directive, European customers

73 Currently, New Jersey, New York and Connecticut sonal Data Protection Enters Into Effect, at http://www.euru- have privacy laws. See, e.g., N.J. STAT. ANN. § 39:2-39:3.8 (West nion.org/news/press/1998-4/pr89-98.htm (Oct. 23, 1998). Supp. 2000) (regarding electronic privacy of motor vehicle 79 Id. records); The National Crime Prevention and Privacy Com- 80 Id. pact, 2000 Conn. Legis. Serv. 555 (West 2000) (to be codified s See Commission Decision on the Adequacy of the Pro- at CONN. GEN. STAT. § 54-133 ) (concerning electronic trans- tection Provided by the Safe Harbor Privacy Principles, An- fer of state collected data). nex I, 2000 O.J. (C 2441). 74 Plaintiff's Complaint, Hatch v. U.S. Bank Nat'l. Ass'n. 82 See id. at § 1. A mixed system of enforcement was (D. Minn. June 9, 1999) (No. 99 CV-872) [hereinafter adopted for the Safe Harbor, which not only allows compa- Hatch]. nies to develop self-regulatory schemes for enforcement but 75 Rochelle Olson, U.S. Bancorp Settles Privacy Suit, SEAT- also to agree to cooperate with EU data protection authori- TLE TIMEsJuly 1, 1999 at C2 [hereianfter Olson];Julie Tripp, ties if they prefer. See id. (explaining that this latter method U.S. Bancorp Settles Privacy Suit in Minnesota, THE OREGONIAN, of registration has the benefit of being the only way under July 1, 1999, at B2 [hereinafter Tripp]. which a company can transfer human-resource specific data). 76 See Hatch, supra note 74 8- Id. at § 5. 77 Olson, supra note 75, at C2; Tripp, supra note 75, at 84 See generally id. In addition, many important business B2. sectors, most prominently the financial services sector, are at 78 Press Release, European Union, EU Directive on Per- present excluded from participating in the Safe Harbor. Id. 20011 The Internet, Information and the Culture of Regulatory Change because they neither provide for monetary dam- In keeping with its Asian and European counter- ages for breach nor right of appeal in the United parts, the United Kingdom implemented the UK States. The European Parliament's opinion, how- Data Protection 1998.90 The Canadian House of ever, was nonbinding, and although implementa- Commons approved Bill C-6 on April 4, 2000,9 1 tion might have been slightly delayed, indications which covers a wide range of industries using per- were that the European Commission would imple- sonal information for commercial purposes and ment the Safe Harbor given that it had already requires Canadian companies, including Internet found its protections adequate. The European Service Providers ("ISPs"), to obtain affirmative Commission finally approved the principles of the consent from customers before providing their 92 Safe Harbor on July 27, 2000, the same day it personal information to third parties. found the laws of Switzerland and Hungary ade- Privacy-related protections and their proponent 8 5 quately represented the Data Directive. countries on both sides of the Atlantic have not Within a month following the Safe Harbor's im- operated in this evolving legal environment with- plementation, several companies "in the 'privacy out a certain degree of duplicity. Early in 2000, business,' such as watchdog groups," could be the European Parliament concluded a special in- 8 6 counted among Safe Harbor U.S. participants. vestigation with a report on U.S.-led eavesdrop- The sole aberration to this initial trend was the ping on private Internet and data communica- Dun & Bradstreet Corporation's registration for tions. 93 Using artificial intelligence methods and a the Safe Harbor.8 7 Although permission to cut off global network of relays, the U.S. "Echelon" pro- data flows under the Data Directive is suspended gram, which had its beginnings as early as 1947, until June 2001, the EU is having difficulty "get- regularly sifts through voice and data communica- ting its own Member States in line."88s As of No- tions in Europe for "key words that its overseers 9 4 vember 30, 2000, it had "sued six countries for suspect may represent security threats." their failure to comply with the Directive at all."8 9 The British intelligence equivalent of the The nature of the agreement reached on the United States Central Intelligence Agency, MI5, Data Directive underscores the divergent dynam- has begun construction of a £25 million e-mail ics behind U.S. and pan-European regulation of surveillance center that "will monitor all e-mails privacy and the Internet. The EU and certain and Internet messages sent and received in Brit- 5 Asian countries, particularly Singapore and India, ain. " The new computer-center, codenamed have instituted rigorous privacy standards, "GTAC[,] Government Technical Assistance whereas the United States, with the exception of Center," will be completed by the end of 2000 in- the IFTC, still largely favors industry self-policing. side MI5's London headquarters.9 6 The creation

85 Directive 95/46/EC of the European Parliament and Providers,THE GLOBE AND MAIL, Apr. 5, 2000, at B5. The new of the Council of 24 Oct. 1995, available at http://eu- Canadian privacy legislation became effective on Jan. 1, 2001. ropa.eu.int/eur-lex/en/lif/dat/1995/en_395LOO46.html. Id. 86 Tamara Loomis, EU's Data Privacy Safeguards Get Scant 92 Id. (stating that "currently, Internet service providers Response in the United States, N.Y. L.J., at http://www.nylj.com/ have access to a wide variety of information on their custom- stories/00/11/113000a4.htm (Nov. 30, 2000). ers and can sell it, without user consent, to Internet market- 87 Id. Dun & Bradstreet's rationale for its early registra- ers"). tion was that, by its corporate practices, it "already com- 9" See Charles Trueheart, EuropeansDecry U.S. ElectronicIn- plied." Id. tercepts, WASHINGTON POST, Feb. 24, 2000, at A13. 88 Id. 94 Id. European 89 Id. politicians have used the Parliament re- 90 See UK Data Protection Act 1998, 1998 Chap. 29, Pt. port to suggest that the Echelon program "has been used to benefit U.S. corporations in economic and industrial espio- V, § 32, available at http://www.legislation.hmso.gov.uk/ nage." Id. Such claims are unsupported at present, but some acts/acts1998/19980029.htm (last visited Jan. 26, 2001). Sup- that indictments of U.S. intelli- plemental orders containing public interest and journalistic scholars are quick to add gence efforts ignore similar privacy-offensive activity in West- exceptions were ordered in Mar. 2000. Id. Apart from insti- ern Europe. Id. The British government admitted in June tuting the basic tenets of the Data Directive, the UK supple- with the United States on Eche- mental orders detail notification procedures for certain 2000 that it has cooperated lon in the interests of its own national security. See Nicholas transborder disputes and limit the amount that can be Rufford, MI5 Builds New Centre to Read e-Mails on the Net, charged for access to personal information. See Data Protec- LONDON SUNDAY-TIMES, 30, 2000,at 5GI. tion Act 1998: The Eighth Data Protection Principle and Apr. Transborder Data Flows, available at http://www.dataprotec- 95 Nicholas Rufford, MI5 Builds New Centre to Read e-Mails tion.gov.uk/transbord.htm (last visited Jan. 26, 2001). on the Net, LONDON SUNDAY-TIMES, Apr. 30, 2000,at 5G1. 91 See Shawn McCarthy, Privacy Bill to Cover Internet Service 96 Id. COMMLAW CONSPECTUS [Vol. 9

of GTAC has sparked criticism, both in Britain Despite both missteps and divergent methodol- and abroad, particularly given the British Parlia- ogies in Europe and North America, many Asian ment's approval of the Regulation of Investigatory nations have followed suit with privacy regulations Powers Act ("Investigatory Powers Act") on July and in some cases have drawn criticism of their 27, 2000. 9 7 The Investigatory Powers Act requires own. India's Lok Sabha, for example, unani- ISPs to facilitate wiretapping and access to encryp- mously approved its Information Technology tion keys to assist British authorities. 9 However, Bill. 15 Previously objectionable sections requiring both the Investigatory Powers Act and the GTAC cybercafes to keep detailed records of users and initiative parallel European Commission prepara- their activities were dropped, but the bill still in- tions for a directive granting similar authority to cluded the controversial Section 79, which gives a enforcement agencies across the EU. 99 Further- deputy superintendent of police the power to more, the proposed legislation would address the conduct search raids of the cafes without war- prevention of anonymous and unsolicited e-mail rant.' 06 ("spam") and set out the conditions under which Other efforts in Asia have been directed partic- telecommunications carriers must allow law en- ularly at developing e-commerce while protecting forcement agencies to intercept e-mail mes- consumer rights. New Zealand announced plans 00 sages.' in April 2000 to develop a "model code of con- Canada did some backpedaling shortly after duct" for e-commerce, following government con- 10 7 passing its revolutionary privacy legislation. Bow- sultations with traders and consumer groups. ing to public pressure, it scrapped a database of Basing its initiative on a similar model code in citizen information. The May 16, 2000 release of Australia, the New Zealand code "will require in- the annual report of the Canadian privacy com- ternet shopping sites to display a physical address, missioner revealed that a government bureau, as well as their privacy and security policies, pro- Human Resource Development Canada, managed vide details of refund, exchange and complaint a secret government database called the Longitu- policies, and advise which laws apply to transac- dinal Labour Force File.' 0' The database con- tions made by customers.""1' 8 Thailand took a sim- tained over 2,000 pieces of information on every ilar step in April 2000, announcing plans for e- Canadian citizen. 10 2 Culled from tax returns, commerce and digital signature legislation before child tax benefit files, provincial and municipal 2001.109 welfare files, federal jobs, and job social insurance master files, the breadth of the privacy protection C. Internet Content Issues in the United States breach shocked even Canadian Privacy Commis- sioner Bruce Phillips. 10 3 Again bowing to pres- Content that is entirely or mostly generated by sure, the Canadian government agreed to disman- an Internet site owner in the United States typi- 4 tle the database."' cally presents the least complex liability issues. In

97 Regulation of Investigatory Powers Act 2000, c. 23 www.mit.gov.in/itbillmain.htm (last modified Jan. 2, 2001) (Eng.). (noting that this bill was unanimously approved on May 16, 98 Id. at §§ 2, 12. 2000). 99 See Alan Osborn, EU Gets Tougher on Internet Crime with 106 See Rite to Know, THE TIMES OF INDIA, May 16, 2000, New E-Mail Directive, ToiAL TELECOM, at http://www.totaltele. available at 2000 WL 19671436. com/view.asp?ArticlelD=2804&pub=283&cateogryid=0 (June 107 Clare Blackburn, New Zealand Seeks to Protect Online 6, 2000). 100 See id. Consumers, TOTAL TELECOM, at http://www.totaltele.com/ 101 Canada Scraps Citizen Database,WIRED, at http://www. view.asp?ArticlelD=27124&pub=tt&categoryid=626 (Apr. 20, wired.com/news/politics/0,1283,36649,00.html (May 30, 2000). 2000) [Canada Scraps Citizen Database]; Ian MacLead, Vast 108 Id. database details every Canadian'slife, OTFAWA CITIZEN, at http: 109 Kettiya Jittapong, Thai Internet Laws Should Boost e- //www.ottawacitize n.com/national/00051 7/4116449.html Trade, REUTERS, at http://www.totaltele.com/view.asp?Article (May 17, 2000) [hereinafter MacLead]. ID=27133&pub=tt&categoryid=626 (Apr. 21, 2000). Thai- 102 MacLead, supra note 101. land's National Science and Technology Development 103 Id. Agency ("NSTDA") developed the legislation for considera- 104 See Canada Scraps Citizen Database,supra note 101. tion before Parliament in June 2000. The NSTDA also is con- 105 nT Act to be enforced from Aug. 15, THE ECON. TIMES, sidering four related laws on computer crime, electronic Aug. 10, 2000, available at 2000 WL 23647837; GAZETTE OF money transfer, personal information disclosure and univer- INDIA, INFORMATION TECHNOLOGY ACT, 2000, at http:// sal access. Id. 2001] The Internet, Information and the Culture of Regulatory Change this regard, U.S. site owners have significant First Congress included Section 230 in its enactment of Amendment and other legal protections available the Communications Decency Act of 1996, which to them. 110 Many website owners license content largely immunizes ISPs from liability arising from from others rather than develop their own. Li- the statements of third parties. " 3 Subsequent le- censing agreements between the site owner and gal decisions have held that under Section 230, a the content creator ensure the site owner has the website owner cannot be held responsible for the rights it needs to distribute, alter, republish or defamatory or otherwise tortious statements of in- 4 otherwise use the licensed content.' Yet, as the dividuals who post on its message boards." interactivity of websites increasingly becomes a Congress enacted a limitation on copyright lia- draw for retaining Internet customers, more sites bility for ISPs-and thus substantially altered case are building community content, such as chat law that held ISPs liable for copyright infringe- rooms, message boards and e-mail with their pri- ments committed by the ISP's users. Title II of the mary provision of e-commerce transactions. Digital Millennium Copyright Act ("DMCA")115 Many of the most prominent Internet busi- categorizes each separate function of an ISP and nesses, including America Online, began by offer- provides that each such function cannot create ing the e-mail and message board functions of a monetary liability for copyright infringement. 16 traditional ISP before engaging in e-commerce. For example, an ISP would incur little or no liabil- As a result, much of the content in these "extra" ity for its transmitting/routing and caching func- areas is created by users of the site and cannot, as tions, third-party postings, or use of its informa- a practical matter, be reviewed or edited by the tion retrieval tools. 17 site owner. In addition, the now common practice The DMCA does not change existing U.S. defi- of linking to, or "framing," the content of other nitions and requirements for copyright infringe- sites can subject site owners to either: 1) vicarious ment. Rather it decreases the stakes for providers liability for knowingly linking to another site that of a technology not contemplated when 8 engages in infringing activity; or 2) direct liability America's federal copyright laws were enacted.' 1 for infringing on the trademark of the linked Generally, these liability limitations apply only to site. 112 passive activities, where the ISP does not exercise any control over, or interact with, the content of infringing material.1 9 1. Legislative Activity the Some prospects for Internet-related legislation With regard to defamation, the United States were hotly debated during the 106th Congress but

110 See Nicole A. Wong & James F. Brelsford, Conducting 113 Communications Decency Act of 1996, 47 U.S.C. Web Site Legal Audits: A U.S. Perspective, PERKINS COlE LLP, § 230 (Supp. IV 1998). Some provisions of the CDA relating 1999, at http://www.perkinscoie.com/webrelease/ to "obscene" material were struck down as unconstitutional. webaudits.htm (last visited Sept. 29, 2000). The emergence See generally Reno v. American Civil Liberties Union, 521 U.S. of the Echelon controversy also parallels domestic U.S. con- 844 (1997). cern over the FBI's use of the "Carnivore" program to sift 114 See, e.g., Blumenthal v. Drudge, 992 F. Supp. 44, 51 through domestic e-mail for a security threat. Carnivore uses (D.D.C. 1998). On Dec. 7, 2000, Dr. Sam D. Graham, Jr., a similar technology to sift through packetized e-mail informa- former physician at Emory University School of Medicine, tion for "security-related" key words. Id. was awarded a $675,000 in what is considered to the first libel 111 See id. verdict based on an anonymous Internet message. Dr. Wins 112 Id. In 1997, Ticketmaster sued Microsoft for using $675k Internet Libel Case, WASHINGTON POST, at http:// hypertext links to bypass Ticketmaster's home page and ad- www.washingtonpost.com/wp-dyn/articles/A51072- vertising, claiming that Microsoft was engaging in an unlaw- 2000Decl0.html (Dec. 10, 2000). In early 1999, Dr. Graham ful use of Ticketmaster's site content. See Plaintiff's Com- had discovered an erroneous posting on a Yahoo! message plaint, Ticketmaster Corp. v. Microsoft Corp. (C.D.Cal. Apr. board that suggested "he had taken kickbacks from a urology 28, 1997) (CA No. 97-3055 DDP). Similarly, in 1997, several company.., and had been forced to resign." Id. It was found news media joined a suit with The Washington Post alleging that the posting had been made by a physician at a compet- that TotalNEWS engaged in trademark infringement by ing urology company. Id. framing their website news content with TotaINEWS adver- ''5 Pub. L. No. 105-304, 112 Stat. 2860 (codified as tisements. Plaintiffs Complaint, The Washington Post Co., et amended in scattered sections of 17 U.S.C.). al., v. Total News, Inc. (S.D.N.Y. Feb. 28, 1997) (97 Civ. 1190 116 17 U.S.C. § 512(a)-(d) (Supp. V 1999). (PKL)). Both suits were ultimately settled. Dan Goodin, 117 Id. at § 512(a)-(d). Scientologists' Copyright Suit Shapes Net Liability, CNET I's Id. at § 512(j). NEWS.coM, at http://news.cnet.com/news/0-1005-200- ''9 Under the DMCA, websites must register with the 343442.html (June 9, 1999). Copyright Office and put in place a policy for reporting pos- COMMLAW CONSPECTUS [Vol. 9

did not come to a final vote1 20 Due partly to elec- incentives, pay-per-view advertisements, personal 24 tion-year grandstanding, the House of Represent- privacy and "push" technology. 1 atives moved to pass a five-year moratorium on Apart from copyright issues, patents and other 1 state and local taxes targeting the Internet.'' content concerns, the Internet can serve as a stage Similar measures, however, did not pass either the for content liability that previously might never House or Senate before the close of the Session. have been expected. For example, in August The more substantive measures did not come to a 1999, eBay prevented a user from auctioning off a formal vote despite being successfully reported "fully functional" human kidney but not before 22 from assigned committees. the "item" brought in bids totaling more than $5.7 million. 25 Noting that trafficking human or- gans is a federal felony, punishable by a minimum 2. Judicial Activity of five years in prison and fines of $50,000 or more, eBay's vice Where Congress has had difficulty legislating, president of marketing swiftly affirmed that "eBay has a zero tolerance the courts have made some inroads. Several legal for illegal items on the site, 126 despite decisions have held that certain methods of con- its hands-off approach as a platform for consumer sales. ducting Internet business can be successfully pat- ented.' 23 In the past two years, at least ten specific Internet-based patents have been issued, covering 3. Uniform Laws such online processes as: reverse-price auctions, "shopping carts," secure online payments, online The anonymity, speed and geographic reach of sible copyright infringement on their site, if detected. Id. at patents are often a minimum of $9,000 in legal fees, and re- § 512(c) (2). cent changes in patent law make patent application secrets 120 During the 106th Congress, legislators were particu- public within 18 months, whether or not the application is larly pressed to protect copyrighted music in light of MP3, approved. Steve Roblee, Investors Downplay Patent Importance, Napster and similar Web-based software applications for the POTOMAC TECH. J., at http://www.potomactechjournal.com/ downloading of digital music. Nicole St. Pierre, Digital Piracy: displayarticledetail.asp?artjid=45045 (Dec. 8, 2000). Thus, Now the Spotlight is on Congress, Bus. WK.,July 31, 2000, at 59. "[i]f you have a technology to turn into a one-product com- In testimony before the court of appeals in mid-2000, Nap- pany, it's probably more important to get to market than to ster CEO Hank Barry testified that Napster "was willing to go through the process of getting a patent, . . . [but if the create a pay-for-download model while it was in negotiations technology] is useful for more than one thing, it's probably with the Recording Industry Association of America." Ben worth going after the patent." Id. Particularly, patent filings Charny, BMG and Napster Tie the Knot, ZDNET NEWS, at http:/ for "methods of doing business," popular in the past three / news.excite.ca/news/zd/001031 / 12/bmg-and-napster years, may not have the value that filers would like, as the (Oct. 31, 2000). On Oct. 31, 2000, Bertelsmann AG an- Patent and Trademark Office is expected to be more discrim- nounced that it was teaming with Napster to develop a "mem- inating in types of business patents it grants. Id. bership-based distribution system that would guarantee pay- 124 Jay Walker, founder of Walker Digital, which devel- ments to artists." Seth Sutel, Napster, music giant team up, ops new tech-driven business models, patents them and spins CICAGO SUN-TIMES, Oct. 31, 2000, at 1. In exchange for a them off into businesses, has particularly benefited from stake in Napster, the German media giant agreed to drop its these rulings. Steven Levy, Wired for copyright piracy lawsuit against the company and loan Nap- the Bottom Line, NEWS- WEEK, Sept. ster money to help develop a subscription service. Id. 20, 1999, at 43. Walker Digital's first successful concept company, Priceline, enables 121 SeeJeri Clausing, House Leaders to Vote on Internet Tax customers to name their own Ban, N.Y. TIMES, at http://www.nytimes.com/library/tech/ price for airline flights, using the Internet to connect yr/mo/cyber/capital/09capital.html (May 9, 2000). the user with an airline willing to make the deal. Id. 122 For example, the House Commerce Committee re- 125 Online Shoppers Bid Millionsfor Human Kidney, CNN IN- ported out H.R. 3113, the Unsolicited Commercial Elec- IrERACTIVE, at http://www.cnn.com/tech/computing/9909/ tronic Mail Act of 2000, on June 26, 2000. See generally H.R. 03/ebay.kidney (Sept. 3, 1999) [hereinafter Online Shoppers REP. No. 106-700 (2000). The bill, which did not come to a Bid Millions for Human Kidney]. eBay had similarly moved in formal vote before the close of the session, sought to de- May 2000 to stop the $135,805 sale of a purported 1952 ab- crease the burden of unsolicited and unwanted e-mail on in- stract painting by Richard Diebenkorn because the seller had dividuals and ISPs. H.R. 3113, 106th Cong. (2000); see alsoE- allegedly attempted to bid up the price by placing bids him- Commerce News-Wilmer Cutler & Pickering int'l Briefing, self. Saul Hansell, eBay CanceLs Sale in Auction of Abstract Paint- MONDAQ BUS. BRIEFING, Aug. 4, 2000, available at 2000 WL ing, N.Y. TIMES, May 11, 2000,at Al. Closer analysis by eBay 9238732. later revealed that bid-rigging "rings" were more prolific 123 See, e.g., State St. Bank & Trust Co. v. Signature Fin. among users of the online service than originally thought. Group, Inc., 149 F.3d 1368 (Fed. Cir. 1998). However, many Judith Dobrzynski, In Online Auctions, Rings of Bidders, N.Y. legal and business development experts doubt the wisdom of TIMES, June 2, 2000, at Al. pursuing a costly patent filing in advance of securing a profit- 126 Online Shoppers Bid Millions for Human Kidney, supra able business model and financing. Costs for Internet-related note 125. 2001] The Internet, Information and the Culture of Regulatory Change the Internet also have presented significant chal- The Uniform Electronic Transactions Act lenges to traditional contract principles, includ- ("UETA") recognizes the legal enforceability of ing: contract formation, permissible terms, evi- contracts in electronic form with an electronic sig- 132 dence of the contract and enforcement. New and nature. Apart from simply stating that an elec- repeat customers seeking to utilize a system for e- tronic record may satisfy the requirement of a le- commerce will rely on registration agreements gally binding writing, the UETA also would and contracts "executed" with the company prior require businesses to institute built-in safeguards to use of the site, both for their protection and to prevent sending erroneous transaction records 133 the company's. These "online contracts" or regis- to consumers. Although both uniform acts tration statements can be as simple as having the were debated at length during the July 1999 meet- customer key several choices indicating that they ing of the NCCUSL, no votes were taken on the have read the rules prior to using the system, or UETA.13 4 Some states have begun adopting varia- they can be as complex as formal agreements exe- tions of the draft law despite the difficulty in de- 35 cuted through use of a "digital signature." Regard- veloping consensus on its provisions.' The less of the complexity of the agreement with cus- UCITA fared much better in deliberations and tomers, key features of a digital transaction system has been fast-tracked by many states since July should be: confidentiality and verification of user 1999.136 identity, proof of transaction/repudiation, and re- tention of a positive record of the transaction. D. International Internet Developmen.ts After years of debate and aborted efforts on the issue, the National Conference of Commissioners On May 4, 2000, the European Parliament ap- on Uniform State Laws ("NCCUSL") convened in proved the long-awaited Electronic Commerce Di- July 1999 to discuss two draft uniform laws to ap- rective ("E-Commerce Directive"), clearing the ply to e-commerce transactions. The first, the Uni- way for the measure to become law within 18 form Computer Information Transactions Act months. 13 7 The E-Commerce Directive had been ("UCITA"), reflects the NCCUSL desire to ensure introduced, in draft, in November 1998 but had that consumers can: 1) thoroughly review an e- long been tabled over the issue of ISP liability for commerce transaction before agreeing to it; and content. 13 Like its legislative counterpart in the 2)-rely on procedures for the consumer to mani- United States, the E-Commerce Directive estab- fest assent to the transaction.' 2 7 Among the other lishes an exemption from liability for ISPs where concepts addressed by the UCITA are: limitations they play a passive role as a "mere conduit" of in- on consumer liability for "unauthorized" transac- formation from third parties. 139 Similarly, the E- tions, 128 institution of policies for product re- Commerce Directive limits ISPs from liability for turn, 129 rules for warranty disclaimers'3 0 and limi- other "intermediary" activities, such as storage of 0 tations placed on a business's choice of law and information, or "caching."14 forum.131 In one of the earliest, most restrictive and most

127 See generally NATIONAL CONFERENCE OF COMMISSIONERS 1999_ActionsSum.htm (last visited Jan. 26, 2001). ON UNIFORM STATE LAws, UNIFORM COMPUTER INFORMATION '35 SeeJonathan Bick, How is the Internet Coming into Play?, TRANSACTIONS ACT, CONFERENCE DRAvr, at http://www.law. N.Y. L.J., Aug. 14, 2000, at S7. upenn.edu/bl/ulc/ulc-frame.htm (July 23-30, 1999). 136 United States: ControversialNew Rules for Computer Con- 128 Id. at 290-335. tracts, MONDAQ Bus. RiEv., Aug. 8, 2000, available at 2000 WL 129 Id. at 266 n.88. 9238747. Virginia has taken the lead and after six months of 136 Id. at 169-200. delay enacted the UCITA in Mar. 2000, although the law will 131 Id. at 79. not be effective until July 1, 2001. Id. 132 McBRIDE, BAKER & COLES, SUMMARY OF E-COMMERCE 137 Press Release, The European Commission, Electronic LEGISLATION: NATIONAL CONFERENCE OF COMMISSIONERS ON Commerce: Commission Welcomes Final Adoption of Legal UNIFORM STATE LAws, UNIFORM ELECTRONIC TRANSACTIONS Framework Directive, at http://europa.eu.int/comm/inter- ACT, at http://www.mbc.com/ecommerce/Unisummary.asp? nalmarket/en/media/eleccomm/2k-442.htm (May 4, Uniform=other&PubID=20001115153528 (last visited Mar. 4, 2000). 2001). 138 Id. 133 An example of a safeguard may be the use of a confir- 139 Id. mation screen or return confirmation before execution of an 140 Id. The primary provisions of the E-Commerce Direc- order. Id. tive also address the following issues: 134 See AMERICAN LAW INSTITUTE, ACTIONS TAKEN AT 1999 * Place of establishment-The E-Commerce Directive de- ANNUAL NCCUSL MEETING, at http://www.ali.org/ali/ fines the place of establishment as the place where an COMMLAW CONSPECTUS [Vol. 9 productive Internet regulatory initiatives, Singa- The good news is that the United States, through pore's minister for information and the arts intro- statutes and case law, has developed an approach duced regulations establishing broad categories of to evaluating jurisdiction in Internet-based cases proscribed content that may not be accessed by that applies the traditional minimum contacts Internet users in Singapore. Encompassing a wide test. The bad news is that for most other countries variety of subject matters under the broad defini- determining proper jurisdiction is anything but a tion of "undesirable content," the regulations settled issue. were introduced in March 1996 and directed to All bases for asserting jurisdiction, whether for "rid the Net of content that 'threaten[s] public interstate or international Internet activity, are order and national security, religious and racial rooted in a few basic principles where a state may harmony, and morality.' "141 The regulations re- assert its substantive laws are applicable to particu- quire licensing all Singapore-based ISPs and "In- lar persons, transactions or communications. ternet Content Providers" ("ICPs") (e.g., Usenet Most often, when an act committed in one state groups) who must then "use their best efforts" to causes injury in the territory of another, jurisdic- remove from their communications any "undesir- 42 tion is based on the locus of the injurious effect, able content." 1 regardless of where the act or omission occurred. Alternative principles of "territory" and "national- II. JURISDICTION AND THE INTERNET ity" are less frequently invoked grounds for juris- (BECAUSE CONTENT MUST GO diction internationally. SOMEWHERE) For a given effect to support a particular U.S. jurisdiction, the threshold test is whether a defen- Because of the Internet's universal reach, a bus- dant has "purposefully availed" itself of a forum's iness in "Modeltown, U.S.A" potentially is subject- laws.143 But few nations carve out such an explicit ing itself to the uncertain and conflicting laws of niche in which specific jurisdiction will be as- countries throughout the world. For the last few serted. In fact, some jurisdictions (including the years, the Internet has posed unique jurisdictional EU) are proposing to tie jurisdiction over In- difficulties for courts. The reason is easy to de- ternet activity to the forum of the consumer. De- duce: e-commerce orders leap from computer to spite what "minimum contacts" may or may not computer without regard for national borders. exist with the forum, these proposals are based on

operator actually pursues an economic activity through terns. a fixed establishment, irrespective of where websites or Council Directive 2000/31/EC, 2000 OJ.(L 178/1), available servers are situated or where the operator may have a at: http://europa.eu.int/comm/internalmarket/en/me- mailbox. dia/eleccomm/com3len.pdf (last visited Mar. 4, 2001). " Transparency-The E-Commerce Directive requires 141 Sarah B. Hogan, To Net or Not to Net: Singapore's Regu- Member States to oblige Information Society service lation of the Internet, 51 FED, COMM. L.J. 429, 436-37 (1999) providers to make available to customers and compe- [hereinafter Hogan]. tent authorities, in an easily accessible and permanent 142 Id. at 440. Although touted as a measure to make form, basic information concerning their activities "tired state-owned news sites" more interesting, China has (name, address, e-mail address, etc). created an office of Internet news regulation. Matt Pottinger, * Online contracts-The E-Commerce Directive requires China Sets Up Office to Regulate Internet News, REUTERS, at http:/ Member States to remove any prohibitions or restric- /www.totaltele.com/view.asp?ArticlelD=27131 &pub=tt&cat- tions on the use of electronic contracts. In addition, it egoryid=626 (Apr. 21, 2000). Many concerned with Singa- ensures legal security by imposing certain information pore's regulatory burdens are similarly wary of China's Infor- requirements for the conclusion of electronic contracts mation Management Bureau, whose mandate includes in order to help consumers to avoid technical errors. countering the "infiltration of harmful information on the " Commercial communications-The E-Commerce Di- Internet." Id. Both licensed entities and content providers rective defines commercial communications (such as can be subject to prosecution under this regulatory scheme. advertising and direct marketing) and subjects them to See generally Hogan, supra note 141. However, as the closest transparency requirements. link to user-created content before it reaches the Internet via * Implementation-The E-Commerce Directive strength- an ISP, ICPs are considered "primarily responsible" for unde- ens mechanisms ensuring that existing EU and national sirable content and bear the initial threat of enforcement. Id. legislation is enforced. This includes encouraging the at 443-44. Although the regulations seemingly stratify levels development of codes of conduct at the EU level, stim- of liability for Internet content, Singapore officials have pro- ulating administrative cooperation between Member vided little or no guidance as to what constitutes "undesirable States and facilitating the establishment of effective, al- content." Id. at 437-40. ternative cross-border online dispute settlement sys- 143 See infra notes 149-56 and accompanying text. 20011 The Internet, Information and the Culture of Regulatory Change

public policy reasons. 1 44 Although basic interna- dant and the forum; specific jurisdiction exists if tional principles may be emerging, the divergent the claim results directly from the defendant's jurisdictional rationales at work set the stage for contacts with the forum state. 4 Thus, to support possible confrontation, or at the very least, legal jurisdiction in the United States, the threshold uncertainty. test is whether a defendant has "purposefully availed" himself of a forum's laws, whether specifically (with activity targeted toward the forum) or A. Jurisdiction in the United States generally (by making certain minimum activity 1. The Origins of U.S. Jurisdiction available to computer users in the forum).

In the United States, the traditional test for determining whether a court has personal jurisdic- 2. Early Internet Cases and the Development of a tion over an out-of-state defendant requires con- "Sliding Scale" sideration of both the forum state's long-arm statute and traditional constitutional due process U.S. courts initially had great difficulty applying requirements. 1 45 Long-arm statutes, adopted in a minimum contacts test to Internet activity. 1 49 Al- varying forms by each of the states, enable a court though Internet activity can be characterized and to exercise its jurisdiction outside the forum and quantified for purposes of identifying "purposeful bring a nonresident defendant into the forum to availment," the intangible nature of Internet- defend a lawsuit.' 46 Due process operates as a based communications led courts to assent to ju- check on a state's power to use its long-arm stat- risdiction infrequently because of "traditional no- ute, requiring a nondomiciliary defendant to have tions of fair play and substantial justice.' 150 . sufficient "minimum contacts" with the forum To find "purposeful availment" for evaluating such that the defendant should reasonably antici- jurisdiction, American courts have grouped In- pate being brought into court there. 1 47 General ternet cases into three categories of activities jurisdiction is evidenced by "continuous, system- along a "sliding scale."'15 First, purposeful avail- atic and substantial" contacts between the defen- ment can most easily be established when "a de-

144 See infra notes 245-49 and accompanying text. state's interest in adjudicating the dispute; 3) the plaintiff's 145 JAMES W. MOORE ET AL., MOORE'S FEDERAL PRACTICE interest in obtaining convenience and effective relief; 4) the § 108.60[1] (3d ed. 1997) [hereinafter MooRE's FEDERAL interstate judicial system's interest in obtaining the most effi- PRACTICE] (defining "long-arm statutes" as "statutory limits cient resolution of controversies; and 5) the shared interest on the exercise of jurisdiction over nonresident defend- of the several states in furthering fundamental substantive ants"). policies. Burger King, 471 U.S. at 478. This is the common law 146 See, e.g., N.Y. C.P.L.R. § 302(a) (McKinney 1990) guidepost to justify assertion ofjurisdiction applied to the In- (New York long-arm statute); CAL. CIv. PROC. CODE § 410.10 ternet. See, e.g., Pres-Kap, Inc. v. System One, Direct Access, (West 1973) (California long-arm statute); CONN. GEN. STAT. Inc., 636 So. 2d 1351, 1352 (Fla. Dist. Ct. App. 1994); Com- ANN. § 52-59b (West 1958) (Connecticut lng-arm statute); puServe, Inc. v. Patterson, No. C2-94-91, 1994 U.S. Dist. MASS. GEN. LAWS ANN. ch. 223A, § 3 (West 2000) (Massachu- LEXIS 20352 (S.D. Ohio), rev'd, 89 F.3d 1257 (6th Cir. 1996). setts long-arm statute); Mo. ANN. STAT. § 506.500 (West 151 See, e.g., Panavision Int'l v. Toeppen, 141 F.3d 1316, Supp. 1991) (Missouri long-arm statute); OHIO REv. CODE 1320-21 (9th Cir. 1998) (holding that "domain name hi- ANN. § 2307.382(A) (Anderson 1998) (Ohio long-arm stat- jacker" who registered domain name "panavision.com" and ute). attempted to profit by reselling the domain name to plaintiff 147 See, e.g., World-Wide Volkswagen Corp. v. Woodson, owner of registered trademark Panavision was amenable to 444 U.S. 286, 297-98 (1980) (holding that an Oklahoma California jurisdiction because his action was conduct ex- court does not have personal jurisdiction over a nonresident pressly aimed at a resident of California); Patriot Sys. v. C- automobile retailer and its distributor when the defendant's Cubed Corp., 21 F. Supp. 2d 1318, 1324 (D. Utah 1998) only connection with the forum state was the fact that an au- (holding that in an action alleging trade secret misappropria- tomobile sold in New York to New York residents became in- tion, unfair competition, copyright infringement and busi- volved in an accident in Oklahoma). ness tort, defendant's website, which the court characterized 148 MOORE's FEDERAL PRACTICE, supra note 145, at as passive advertisement, was not sufficient to support exer- § 108.41 [1], 42[1] (citing Perkins v. Benguet Consol. Mining cise of personal jurisdiction.); SF Hotel Co., L.P. v. Energy Co., 342 U.S. 437, 446-47 (1952)). Inv., Inc., 985 F. Supp. 1032, 1034 (D. Kan. 1997) (holding 149 See, e.g., CompuServe, Inc. v. Patterson, 89 F.3d 1257 that defendant's connection with Kansas, including plaintiffs (6th Cir. 1996). allegation that the injury occurred therein, as "tenuous" be- 150 Int'l Shoe Co. v. Washington, 326 U.S. 310, 316 cause mere "passive" website advertising, without more, is in- (1945); see also Burger King Corp. v. Rudzewicz, 471 U.S. 462, sufficient to support jurisdiction over nonresident defendant 478 (1985). The following factors to consider when evaluat- in dispute involving use of the trademark Sierra Suites); ing fairness: 1) the burden on the defendant; 2) the forum Zippo Mfg. Co. v. Zippo Dot Coin, Inc., 952 F. Supp. 1119, COMMLAW CONSPECTUS [Vol. 9 fendant clearly does business over the Internet" entered Ohio, he purposefully conducted busi- with clients from a particular jurisdiction-e.g., ness within Ohio over the Internet. 1 60 The right the defendant enters into contracts that require that Patterson sought to protect, a common law the "knowing and repeated transmission of com- trademark for which CompuServe wanted a decla- 52 puter files over the Internet" into ajurisdiction.1 ration of noninfringement, was governed by Ohio A second, middle category encompasses "interac- law and could only come into existence as a result tive websites where a user can exchange informa- of the operation of Ohio law. 16 1 The CompuServe tion with the host computer."' 53 Third, "[a] pas- court recognized that the defendant's activity in sive website that does little more than make Ohio and a common law trademark action were information available to those who are interested sufficient for jurisdiction, whereas the location of 162 in it," generally is inadequate to support personal the server alone was insufficient grounds. jurisdiction.l5 4Jurisdiction is asserted often for ac- In addition to sliding scale considerations, most tivity encompassed by the first category, occasion- U.S. jurisdictions have determined that apart ally for the second and rarely for the third. This from the mere access to Internet activity in the ju- three-part categorical approach to finding juris- risdiction, "something more" is needed to show diction through Internet activities and effects has that the defendant purposefully directed his activ- largely been parroted in recent cases. 1 55 Whether ity to the forum. The cases suggest that the "some- the exercise ofjurisdiction is appropriate typically thing more" generally may be identified by an- depends upon "the level of interactivity and com- swering two basic questions: (1) Would the mercial nature of the exchange of information plaintiff have been injured "but for" the defen- that occurs on the website."'156 The early Internet dant's conduct in the forum?; and (2) Would the cases in the United States indicate how the "slid- exercise of jurisdiction against the defendant be ing scale" would develop. reasonable, i.e., comport with "fair play and sub- CompuServe, Inc. v. Pattersona57 is a seminal deci- stantial justice" because of the defendant's pur- sion holding that a computer user cannot come under poseful contacts with that jurisdiction? the jurisdiction of the Ohio courts merely because a computer network was based in the state.'15 However, be- 3. More Recent Cases: How Courts Have Applied the cause the defendant placed items into the "streamof com- "Sliding Scale" merce" utilizing the Ohio-based computer system, he was "doing business" in the forum sufficient forjurisdiction. Raising the bar on the threshold for purposeful 163 The lower court in CompuServe held that it would be availment, in Bensusan Restaurant Corp. v. King, "manifestly unreasonable" to assert personal juris- the court held that mere injury occurring through diction in Ohio merely because CompuServe was use of the Internet in New York is not enough for 59 located there.' In reversing that decision, the personal jurisdiction. 1 64 A defendant who merely Sixth Circuit pointed out that the software was makes information available on the Internet, stored in CompuServe's Ohio computer system, which is then read in New York, does not "avail" and although the defendant had never physically himself of the forum, as opposed to one who ad-

1123-24 (W.D. Pa. 1997). Comment, PersonalJurisdiction and Cyberspace: EstablishingPre- 152 Zippo, 952 F. Supp. at 1123-24 (holding that elec- cedent in a Borderless Era, 6 CoMMLAw CONSPECTUS 101, tronic commerce involving knowing and purposeful transac- 108-11 (1998) (discussing this concept thoroughly). tions with Pennsylvania residents is sufficient to constitute 157 89 F.3d 1257. "doing business in Pennsylvania" for purposes of long-arm ju- 158 CompuServe, 89 F.3d at 1265-68. risdiction in a domain name dispute case). 159 CompuServe, No. C2-94-91, 1994 U.S. Dist. LEXIS 153 Id. 20352, at *7. 154 Id. at 1124. Thus, where "a defendant has simply 160 CompuServe, 89 F.3d at 1261, 1264-65. posted information on an Internet website[,] which is accessi- 161 Id. at 1267. ble to users in foreign jurisdictions," this activity usually will not suggest personal jurisdiction. Id. 162 Id. at 1265-66; see also Pres-Kap, 636 So.2d at 1353 155 See, e.g., Mink v. AAAA Dev. LLC, 190 F.3d 333 (5th (suggesting that the nature of online computer services is Cir. 1999); Coastal Video Comm. Corp. v. Staywell Corp., 59 such that to bring suit at the site of the central database F. Supp. 2d 562 nn.7-8 (E.D. Va. 1999); Millennium Enterp., would be inefficient and subjecting users to the jurisdiction Inc., v. Millennium Music, LP, 33 F. Supp. 2d 907, 913-16, of the database's location would be "unreasonable"). 920-21 (D. Ore. 1999). 163 937 F. Supp. 295 (S.D.N.Y. 1996). 156 Zippo, 952 F. Supp. at 1123; see also Timothy Nagy, 164 [d. at 301_ 20011 The Internet, Information and the Culture of Regulatory Change vertises, promotes and sells specifically within New lennium, the defendants had "consummated no York via the Internet, causing injury.165 The latter transaction," and made no "deliberate and re- would, in fact, constitute purposeful availment of peated" contacts with Oregon through their web- 73 the forum's law-the "something more" necessary site.1 to assert jurisdiction. That "something more" was In Coastal Video Communications Corp. v. Staywell detected in Blumenthal v. Drudge,166 where a pub- Corp.,174 also a middle category case, the plaintiff lisher of a political gossip website was found to alleged personal jurisdiction over the defendant have engaged in a persistent course of conduct in based on its website offering products for sale to Washington, D.C., creating adequate contacts for Virginia residents and sales of some products in 75 jurisdiction. 67 The Internet "magazine" was not Virginia.' The court did not decide whether it targeted exclusively at a Washington audience, could exercise general jurisdiction but remanded but by promoting and gathering information and the case for further development of the record. conducting interviews for his Internet magazine However, in dicta, the court noted that the defen- in that forum, Matt Drudge, the site's publisher, dant's website: purposefully availed himself of District of Colum- went well beyond mere advertising and solicitation of 68 bia law.1 products . .. allow[ing] the online visitor to purchase products through the website, without ever speaking to Both Bensusan and Blumenthal represent the a representative . . . [i]n essence, [the defendant] has nebulous "middle ground" of the evolving sliding established an [online] storefront that is readily accessible to every person in Virginia with a computer, a scale for finding jurisdiction, where the websites 76 modem, and access to the World Wide Web. 1 involved can be considered neither completely "passive" nor completely "active." As in Blumen- As in Bensusan, the Coastal court found that the thal, most of the more recent cases signal that existence of a website alone would not be enough courts look for traditional business contacts with a to establish general jurisdiction without evidence that it had reached some segment of the Virginia forum (sales or targeted advertising as in Blumen- 7 7 thal) coupled with the availability of the active population and generated sales. 1 website in the forum to support jurisdiction.' 69 By contrast, the jurisdictional lines for passive For example, in Millennium Enterprises, Inc. v. Mil- and active website contacts with a forum generally 17 lennium Music, L.P., 1, the defendants' interactive can be drawn clearly. For instance, in Jewish De- website, where consumers could purchase com- fense Organization,Inc. v. Superior Court of Los Ange- pact discs, request franchising information and les County,1 78 the plaintiff sued the New York- to cre- based Jewish Defense Organization in California join a discount club, was found insufficient 179 ate personal jurisdiction in Oregon.' 7' Again, in state court for allegedly defamatory statements. that more difficult middle category of activity, the Jurisdiction was claimed in California because the court held that the standard for finding jurisdic- Jewish Defense Organization used three Califor- 8° tion requires further refinement to constitute "de- nia-based companies to host its website.' The liberate action within the forum state."1 72 In Mil- court decided that merely hiring an Internet pro-

165 Id. 174 59 F. Supp. 2d 562. 166 992 F. Supp. 44. 175 Id. at 566. 167 Id. at 56. 176 Id. at 569 (finding no specific jurisdiction because 168 Id. at 56-57. there was no evidence the product at issue had been sold to 169 But see Butler v. Beer Across Am., 83 F. Supp. 2d Virginia residents). 177 decide the question with- 1261, 1266-67 (N.D. Ala. 2000) (finding no jurisdiction over Id. at 571-72 (declining to an Illinois beer entrepreneur who made a single sale of beer out more information on the record). But see Archdiocese of online to a minor in Alabama). St. Louis v. Internet Entm't Group, Inc., 34 F. Supp. 2d 1145, 170 33 F. Supp. 2d 907. 1146 (E.D. Mo. 1999) (exercisingjurisdiction over a "passive" 171 Id. at 920-24. website that specifically targeted information to forum re- 172 Id. at 921. sidents); Intercon, Inc. v. Bell Atlantic Internet Solutions, 173 Id. (quoting CompuServe, 89 F.3d at 1265); see also Inc., 205 F.3d 1244 (10th Cir. 2000) (finding personal juris- who knowingly di- Winfield Collection, Ltd. v. McCauley, 105 F. Supp. 2d 746, diction to be proper over a defendant located in the fo- 749 (E.D. Mich. 2000) (finding that sales of two craft items, rected e-mail traffic to plaintiff's server rum). developed through the allegedly infringing use of a copyrighted pattern, to Michigan residents was the result of ran- 178 72 Cal. App. 4th 1045 (Ct. App. 2d 1999). dom bids made on eBay and did not amount to targeted sales 179 Id. at 1050. in the forum). 180 Id. at 1055-56. COMMLAW CONSPECTUS [Vol. 9 vider that may have facilities in California would negotiating or systematic traditional sales in the not be enough to exercise jurisdiction over a non- forum in addition to maintaining a fully "active" resident defendant in that forum.' 8' In Mink v. website, which would itself have suggested "gen- AAAA Development, L.L.C.,8I 2 the U.S. District eral" jurisdiction over the defendant. Such was Court for the Southern District of Texas dismissed the case in PurCo Fleet Seroices, Inc. v. Towers.18 9 In a complaint on similar grounds.8 3 The developer PurCo, personal jurisdiction was found proper in of a computer software program brought an ac- Utah over Florida defendants who not only used tion against purported competitors, alleging con- their websites to solicit business from a Utah resi- spiracy to copy a program in violation of the de- dent but also attempted to obtain a cash settle- veloper's federal copyright and patent pending ment from the Utah-based plaintiff in exchange rights.' 8 4 On the developer's appeal from the dis- for relinquishing rights to a domain name.1 90 trict court ruling, the Fifth Circuit held that the One of the more recent developments in juris- corporate defendant's maintenance of an In- diction over e-commerce, however, was the limita- ternet website accessible to Texas consumers did tion of such jurisdiction for a negligence claim re- not support exercise of personal jurisdiction over lated to personal injury through a traditional 8 5 that defendant.1 forum selection clause on a website. The plaintiffs At least one case held that an out-of-state defen- in Decker v. Circus Circus Hotel'9' filed suit based on dant could be subject to jurisdiction despite seem- a hotel's reservation website. 92 The site included ingly "passive" contact with the forum. In Bochan a forum selection clause requiring that any cus- v. LaFontaine,18 6 the U.S. District Court for the tomer making a reservation over the Internet Eastern District of Virginia noted that the agree in advance to have all disputes settled in Ne- America Online facilities in the state were "inte- vada state and federal courts.1 93 Despite the high gral" to the act of publishing the material that was level of interactivity involved in the site and the the subject of the defamation action. 8 7 The court's ruling that the defendant had placed its court, however, also found a New Mexico defen- services into an "endless stream of commerce," dant subject to jurisdiction because his website, the court held that the forum selection clause accessible to Virginia Internet users, constituted should be enforced.194 If this decision is to be "doing business" in Virginia even though no sales considered a portent of developing Internet "con- were conducted over the site. 188 tract" law, site administrators would be well served In those cases where the contact with a forum is to have customers affirm that they have read and obviously "active," the basis for jurisdiction often understand a forum selection clause by "clicking" rests on "specific" jurisdictional notions of tradi- on a link before being allowed to engage in a 95 tional business contacts with the forum. Such de- transaction. 1 fendants frequently have engaged in contracting,

181 Id. at 1055-56, 1061-62; see also Lofton v. Turbine De- 192 Id. at 747. sign, Inc., 100 F. Supp. 2d 404, 411 (N.D. Miss. 2000) (hold- 193 Id. at 748. ing that allegedly defamatory remarks placed on a "passive" 194 Id. site did not amount to jurisdiction under Mississippi's long- 195 However, if passed and implemented nationally in arm statute). the United States, UCITA would apply a two-pronged ap- 182 190 F.3d 333. proach to forum selection clauses in consumer e-commerce 183 Id. at 333. transactions. First, if a forum selection clause is used in the 184 Id. at 335. on-site contract, the forum chosen would apply in the ab- 185 Id. at 337. sence of a state law preventing such a selection in the state 186 68 F. Supp. 2d 692 (E.D. Va. 1999). where the e-business is located. UNIFORM COMPUTER INFORMA- 187 Id.at 699. TION TRANsAcrIONs AcT, DRAFT 1999 § 109(a), at http:// 188 Id. at 701. www.law.upenn.edu/bll/ulc/ucita/citam99.htm (1999). Sec- 189 38 F. Supp. 2d 1320 (D. Utah 1999); see also Online ond, in the absence of a clause, the governing law would be Partners.com, Inc. v. Atlanticnet Media Corp., No. C 98-4146 that of the forum where the e-business is located unless the SI ENE, 2000 U.S. Dist. LEXIS 783 (N.D. Cal. Jan. 18, 2000) consumer contract requires delivery of a physical copy of the (findingjurisdiction over a Florida defendant that operated a agreement, in which case the law of the jurisdiction where website targeting a substantial population of gay men resid- the copy is to be delivered would apply. Id. at ing in the forum with subscription memberships, member- § 109(b) (1)-(2). In all other cases, the governing law would ship contracts and online credit card payments). be that of the jurisdiction with "the most significant relation- 190 PurCo, 38 F. Supp. 2d at 1323-26. ship to the transaction." Id at § 109(b) (3). 191 49 F. Supp. 2d 743 (D.NJ. 1999). 2001] The Internet, Information and the Culture of Regulatory Change

B. European Union and Member State Law stored on CompuServe-U.S.A.'s newsgroup serv- Interaction on Jurisdictional Issues ers.2 0 2 In response, CompuServe-U.S.A. blocked access to the vast majority of the newsgroups by all In the case of an action commenced in a na- of its worldwide subscribers, unblocking the new- tional court against a defendant domiciled within sgroups only after it provided parental control the EU, "personal jurisdiction" presently will be software to its subscribers.2 0 3 Citing the German determined in accordance with the 1968 Brussels Criminal Code, German authorities charged and 1989 Lugano Conventions ("the Conven- CompuServe-Germany's manager with providing tions"). 196 Under the Conventions, the basic juris- access to illegal content.2 0 4 CompuServe at- dictional rule is that a defendant should be sued tempted to defend itself under a liability exemp- 197 in his place of domicile. For persons domiciled tion for "online service providers" in Article 1, outside the EU, subject to any agreements as to Section 5 of Germany's Teleservices Act.2 0 5 The 198 jurisdiction made between the parties, "per- court, however, rejected the argument that Com- sonal jurisdiction" is determined in accordance puServe-Germany was not an "online service pro- with the traditional jurisdictional rules of the na- vider" by virtue of its simple hard-line connection tional forum, whether they focus on minimum ac- to CompuServe-U.S.A.20 6 On June 3, 1998, the 99 tivity or domicile.' Landesgericht (District Court of Munich) handed In the most notable example of the application down a two-year suspended sentence and fined of national jurisdictional law of an EU Member the manager $56,200.207 Ironically, even the pros- State to a U.S.-based ISP, a Bavarian court as- ecutor in the case appeared concerned about its 2 0 8 serted jurisdiction over and convicted Com- implications and appealed the conviction. puServe's German manager for violating German The CompuServe decision posed a dangerous 200 anti-pornography laws. In 1995, German police precedent for Internet publishers and ISPs. This had served CompuServe with a list of 282 Usenet case extended liability to the ISP rather than the newsgroups, which, in their view, contained user-group entity that posted the offending mate- images of violence, child pornography and besti- rial. Given the prevalence of such material on the ality.20 1 The incriminating content had been

196 Convention on Jurisdiction and Enforcement of & Schiller]. Judgments in Civic and Commercial Matters, 1990 O.J. 201 In der Strafsache gegen Felix Bruno Somm, 8340 Ds 465 (C 189) 1; European Free Trade Association: Convention on Js 173158/95, at § II.1(des Amtsgerichts Munchen, July, 15 Jurisdiction and Enforcement of Judgments in Civil and 1998), available at http://www.cyber-rights.org/isps/somm- Commercial Matters, 1988 O.J. (L 319) 9 [hereinafter Con- dec.htm (1998) [hereinafter Somm]. The original text of the ventions]; Stuart Dutson, The Internet, Intellectual Property and decision, in German, can be viewed at http://www.jura.uni- InternationalLitigation: The Implications of the InternationalScope wuerzburg.de/Lst/sieber/somm/somm-urteil.pdf (last vis- of the Internet on Intellectual Property Infringements, at http:// ited Mar. 4, 2001). www.bileta.ac.uk/98papers/dutson.html (Mar. 1998) [here- 202 Somm, supra note 201, at § 11.1. inafter Dutson]. As an example of how they have been imple- 203 Id. mented in national law, the "Conventions" were brought into 204 Id. at § IV.1.B.2.b. (citing Article 184 Abs 3 StGB of force in the United Kingdom by the Civil Jurisdiction and the German Criminal Code). Pursuant to Judgments Act 1982 (UK) (as amended to incorporate the the statute, Coni- puServe need only "have knowledge of third-party content, Lugano Convention by the Civil Jurisdiction and Judgments i.e.... has to know that the unambiguous newsgroups Act 1991 (UK)). Dutson, supra this note. ... 197 Dutson, supra note 196 (noting that Article 16(4) of make violent, child, or animal pornographic representations available for use. [This] [k]nowledge, however, does not the Conventions does not apply to patent infringement ac- mean that the accused had to know to individual contents of tions by virtue of Case 288/92, Duijnstee v. Goderbauer, 1983 the respective ... articles" in order to have E.C.R. 3663). violated the Act. 198 Reports on Conventions on Jurisdiction and the En- Id. at § IV.1.B.2.b (citations omitted). 205 Id. at § IV.1.B.1 (citations omitted). forcement of Judgments in Civil and Commercial Matters, art. 17, 1990 O.J. (C 189) 33. 206 Id. at § IV.1.B.1. The distinction between parent and 199 For instance, as Professor Dutson explains, English subsidiary prevented CompuServe-Germany from being con- rules as to service of process outside of the jurisdiction are sidered a "provider" pursuant to Section 3 of the Teleservices based in Order 11, r.1(1)(b), (c) and (f) of the Rules of the Act, and thus, CompuServe-Germany was unable to benefit. Supreme Court (Eng.). Dutson, supra note 196, at n.18 (cit- from the Teleservices Act's liability exception. See Teleser- ing Conventions, supra note 196, at arts. 4, 21; Case C-351/ vices Act, art. 1, § 3. 89, Overseas Union Ins. v. N.H. Ins., 1991 E.C.R. 1-3317). 207 Shock Decision by German Court against ISP, M2 PRESS- 200 See Stephan Wilske & Teresa Schiller, InternationalJu- WiRE June 29, 1998, available at 1998 WL 12977308. risdiction in Cyberspace: Which States May Regulate the Internet?, 208 Wilske & Schiller, supra note 200, at 122 n.24 (refer- 50 FED. COMM. L.J. 117, 122 n.24 (1997) [hereinafter Wilske encing Somm, supra note 201, at § III-IV). COMMLAW CONSPECTUS [Vol. 9

Web and the ease of international access to such claimed that "German law is dictating what Ameri- sites, it is easy to see how international jurisdic- can citizens can read and view."2 1 4 This effect, the tional and enforcement questions will continue to Bavarian court held, simply was due to the "inabil- be of great concern to Internet publishers. The ity of CompuServe to tailor its services to the laws CompuServe appeal remained pending for over a of each country in which it operates" and thus, 2 15 year and a half, but in November 1998, Chief was "incidental."" Judge Lazslo Ember announced the German state Similar issues regarding an ISP's ability to block court's reversal of the decision. As long professed illegal content from an individual country have by CompuServe lawyers, Judge Ember agreed that arisen in France as well. In May 2000, French trial the technical ability to effectively block content court Judge Jean-Jacques Gomez issued a ruling, simply did not exist at that time, adding that which banned French users from Yahoo! English- "more could not have been asked of' the ac- language auction sites where "Nazi books, dag- cused.20 9 In the interim, the lower court verdict gers, SS badges and uniforms" were sold.2 16 The adversely has affected Internet business in Ger- ruling was confirmed by a French court in Novem- many. In direct response to the lower court rul- ber 2000.217 Yahoo!'s defense was two part. First, ing, PSInet's London-based ISP physically moved Yahoo! argued that its auction services were gov- its Web servers out of Germany for fear of violat- erned by U.S. law, and thus, auctions of Nazi ma- ing Bavarian law.2 1 ' Such drastic steps in response terial "cannot be barred because of U.S. constitu- to an assertion of jurisdiction over Internet-based tional rights to freedom of speech. ' 21 8 Second, activity are rare, but they provide vivid examples Yahoo! asserted that there was "no failsafe way to of the extent to which judicial action in a forum identify French users and block access" by those can affect a developing business. users to Yahoo! auction sites. 219 Expert evidence Applying the same jurisdictional principles of presented at trial showed that only 70% of French territoriality, the European Court of Justice Internet users could be identified and then per- 2 20 ("ECJ") had permitted a Member State to require haps excluded from use of the Yahoo! site. service providers who operate in the forum to However, in November 2000, the court gave Ya- 21 obey national laws. In Shevill v. Press Alliance, ' hoo! a deadline of three months to implement a S.A., the ECJ held that only courts of the state in filtering system or face fines of roughly $13,000 which an Internet publication originated can per day.22 1 award damages for the publication of the same li- In addition to legislative efforts to define juris- bel in other EU Member States.2 12 However, diction and developing jurisdictional case law, broad application of a territorial approach to ju- courts worldwide have been frustrated by issues of risdiction would preclude Internet users from ac- enforcement. For instance, in the UK, a leaked cessing offending websites from hardware operat- copy of an official report into alleged "satanic rit- ing within the forum territory. The net result is ual abuse" of twenty-one children in Broxtowe, likely to be an extraterritorial chilling effect on England was published on the Web by journal- website content. For example, in the CompuServe ists. 2 22 The county council, which had commis- case, German law was held applicable to bar Ger- sioned the report, refused to publish it, and an man users access to certain news groups.2 13 As a English court issued an injunction requiring jour- consequence, the defendants in CompuServe nalists to remove the report on the basis that such

209 Mary Lisbeth D'Amico, German Ruling Protects ISPs, www.cnn.com/2000/tech/computing/1 1/20/france.yahoo. THE STANDARD.COM, at http://www.thestandard.com/article/ 02/index.html (Nov. 20, 2000). display/0,1151,7759,00.html (Nov. 19, 1999). 217 Id. 210 PSInet Moves Out after German Court Blamed ISPfor Porn 218 Id. Distribution,VNU NEWSWlRE,July 7, 1998, available at 1998 WL 219 Id. 23800227. 220 Id. As 70% of French Internet users use the same 211 Case C-68/93 (1995), available at 1995 ECJ CELEX French ISP, according to experts, they are easily identifiable. LEXIS 4862. Id. 212 Id. 221 See Steve Riseborough, Yahoo!'s Nazi Nightmare Could 213 Wilske & Schiller, supra at 200, at 129 n.64. have a Global Impact, TOTAL TELECOM, at http://www.totaltele. 214 Id. (citingJohn Markoff, German PornographyLaws De- com/view.asp?ArticlelD=34086&pub=tt&categoryid=0 (Nov. termine What America Sees, N.Y. TIMES, Dec. 31, 1995, at D2). 21, 2000). 215 Id at 130; see also Somm, supra note 201, at § 11.1. 222 See Tim Hardy, UK. Internet Services Seek Legal Change, 216 Yahoo! Loses Nazi Auction Case, CNN.coM, at http:// NAT'L LJ., Aug. 25, 1997, at B7. 20011 The Internet, Information and the Culture of Regulatory Change publication was a violation of copyright.223 Before coming increasingly common. For example, the the injunction took effect, however, free speech UK's Financial Services Act of 1996 makes it a advocates had downloaded the text and sent cop- criminal offense to place investment advertise- ies across the Web, rendering subsequent efforts ments in the UK unless they are approved by the to suppress the report largely futile. 2 24 Similarly, Financial Services Authority ("FSA") .230 Applying German authorities ordered the closing of a web- this regulation, the FSA notified the U.S. national site operated by a group of Dutch activists when mutual fund association, the Investment Com- the group published instructions for sabotaging a pany Institute ("I0"), that mutual fund websites railway station. 225 Before this site could be closed, available in the UK are considered to have been copies of the page were downloaded and forty du- issued in the UK 23 1 The FSA acknowledges the plicate sites appeared on the Web. 226 Thus, a fo- problem this presents for U.S. mutual fund com- rum ultimately may decide to assert jurisdiction panies and has stated that it will not take enforce- and enforce its laws, but practical success in stop- ment action against U.S. companies if they com- ping the offending Internet activity may not fol- ply with certain criteria, including the placement low. Although a court may grant injunctive relief of warnings or disclaimers on their websites.2 32 As against an Internet publisher, proliferation of the in the lower court CompuServe ruling, this appli- material may prevent compliance. Thus, limita- cation of the nationality principle will have a chil- tions on defendant jurisdiction and liability be- ling effect on the content of mutual fund websites come all the more important. developed domestically, whether UK courts decide to style the extraterritorial effect as "incidental" or not. C. The Effects of National Legislative Efforts to Similarly, an action was brought in France Apply Jurisdiction against the Georgia Institute of Technology for When principles of nationality control jurisdic- running an English-language Internet site from a tion, the result is the grant of a state's right to reg- satellite campus in France.23 3 The site allegedly vi- ulate the conduct of its own citizens anywhere in olated a French law requiring that goods and ser- the world.22 7 In one example of this approach, vices sold in France be sold and advertised in the Germany makes its nationals residing abroad sub- French language, but the appellate court upheld ject to its prohibition against the dissemination of the lower court's decision to dismiss the case on child pornography. 228 Applications of this type of procedural grounds.23 4 Despite the fact that the jurisdictional principle, however, are infrequent, jurisdictional issue was not resolved, Georgia due mainly to the inherent difficulties in the ex- Tech spent more than $20,000 in legal fees, illus- traterritorial enforcement of such laws. 229 When trating the monetary consequences to Internet 235 such "universal" restrictions exist, states typically publishers of defending such suits abroad. focus on prohibiting any activity by citizens relating to pornography or the exploitation of chil- 1. Legislation in the United States dren. Nonetheless, because of universal access to the U.S. legislative efforts aimed at protecting do- Web, extraterritorial enforcement issues are be- mestic copyrights in the context of the Internet

223 Id. "serves to protect against unintended clashes between our 224 Id. laws and those of other nations which could result in interna- 225 Id. tional discord." EEOC, 499 U.S. at 248 (citing McCulloch v. 226 Id. Sociedad Nacional de Marineros de Honduras, 372 U.S. 10, 227 See Wilske & Schiller, supra note 200, at 131. 20-22 (1963)). 228 Id. at 131-32 (citing §§ 6, 184(3), StGB (German Pe- 230 Dale M. Cendali & Rebecca L. Weinstein, PersonalJu- nal Code)). risdiction in Cyberspace, 220 N.Y. LJ. 13, n.10 (1998), available 229 Recognizing the problems of extraterritorial enforce- at http://www.litigationlaw.com/jul.htm. ment, the United States Supreme Court has held that "legis- 231 Id. lation of Congress, unless a contrary intent appears, is meant 232 Id. to apply only within the territorial jurisdiction of the United States." EEOC v. Arabian American Oil Co., 499 U.S. 244, 233 Wendy R. Leibowitz, How Risky Is Business on the In- 248 (1991) (quoting Foley Bros., Inc. v. Filardo, 336 U.S. 281, ternet?, NAT'L L.J. May 26, 1997, at BI. 285 (1949)). Although Congress "has the authority to en- 234 Id. force its laws beyond [U.S.] boundaries," this principle 235 Id. COMMLAW CONSPECTUS [Vol. 9 have employed a territoriality principle ofjurisdic- sive activity under one category but not an- 2 tion. Addressing growing concerns over the po- other.2 4 tentially unlimited liability of ISPs for website con- With regard to defamation, the U.S. Congress tent, the United States enacted new legislation included Section 230 in the Communications De- amending the Copyright Act of 1976 ("Copyright cency Act of 1996, largely immunizing ISPs from Act") to codify technologically sound guidelines liability arising from the statements of third par- for liability. The Online Copyright Infringement ties communicated over an ISP's facilities but Liability Limitation Act was enacted by Congress does not include a provision for extraterritorial as Title II of the DMCA. 23 6 The DMCA limits lia- application.2 43 Subsequent legal decisions have bility for ISPs and substantially alters case law held that, under Section 230, a website owner can- holding service providers liable for copyright in- not be held responsible for the defamatory or oth- 23 7 fringement. erwise tortious statements of individuals who post 244 Each separate function of an ISP is categorized on its message boards. and qualified with an exemption from monetary liability even if the service provider is, in fact, lia- 238 2. The EU Draft E-Commerce Directive on Electronic ble for copyright infringement. For example, Commerce Jurisdiction an ISP would incur little or no liability for its transmitting/routing and caching functions, Perhaps the most troubling development in- third-party postings, or use of its information re- volving the Internet and international jurisdiction trieval tools. 239 These limitations are at the heart was a draft EU directive ("Draft EU Directive"), of the DMCA, which does not change existing granting jurisdiction over consumer-based e-com- U.S. definitions of and requirements for copy- merce transactions to the locus of the consumer. right infringement, but decreases the stakes for Some observers claim that this jurisdictional ap- providers of a technology not contemplated when proach seriously could stunt the growth of e-com- the original Copyright Act was enacted.240 Gener- merce and lead to a damaging trade dispute with ally, the functions for which liability is limited are the United States.245 The European Commission passive activities where the service provider does met to hear public comment on the EU Draft Di- 6 not exercise any control over, or interact with, the rective in November 1999.24 The legislation content of the infringing material. The require- would allow disgruntled Internet shoppers to sue ments for each function differ, and they are inde- e-commerce firms in their own national courts, re- pendent of each for determining whether the ac- gardless of whether the company had "actively 247 tion of a service provider is protected.2 4' Thus, an sought" to sell its product in that country. ISP's activities may qualify for protection as pas- The EU Draft Directive established the basis for

236 Pub. L. No. 105-304, 112 Stat. 2860 (codified as 244 See, e.g., Blumenthal, 992 F. Supp. 44. amended in scattered sections of 17 U.S.C.); see a/soJennifer 245 See Reuters, European Law Seen as Grave Threat to E- E. Markiewicz, Comment, Seeking Shelter from the MP3 Storm: Commerce, FOXNEwS, at http://www.foxnews.com/scitech/ How Far does the Digital Millennium Copyright Online Service Pro- wires2/0910/trt_- 0910_16.sml (Sept. 10, 1999). vider Liability Limitation Reach?, 7 CoMMLAw CONSPECrUS 423 246 See, e.g., U.S., EU Closing in on E-Privacy Deal, Official (1999) (discussing the DMCA and its legal implications). Says, CHI. TRIB., Feb. 7, 2000, at 13. Member associations of 237 Declan McCullagh, Digital Copyright Law on Tria the European Consumer Organization ("EurCo"), among WIRED, at http://www.wired.com/news/politics/0%2C other European Internet industry leaders, were vocal at the 1283%2C33716%2C00.html (Jan. 18, 2000) (discussing re- Nov. public hearing. EurCo, although favoring the Commis- cent suits filed under the private enforcement authority of sion's Draft Directive, stressed that decisions on jurisdiction the DMCA). and applicable law for e-commerce should be tabled until ec- 238 17 U.S.C. § 512(a)-(d). onomic impact and cross-policy analysis has been under- 2-39 Id. at § 512(a)-(d). taken. See Fiachra O'Marcaigh, Pitfalls in the E-shop, E-Com- 240 Id. at § 512(0). merce, IRISH TIMES, Nov. 8, 1999, at 12. This strong public 241 Id. at § 512(n). consensus for analysis as to how the EU Draft Directive might 242 See COMMITFEE ON THE JUDICIARY HOUSE OF REPRE- be a disincentive to e-commerce businesses also was reflected SENTATIVES, 105TI- CONG., 2D SESS., SECTION-BY-SECTION ANAL- in the prehearing submissions. These submissions can be YSIS OF H.R. 2281 AS PASSED BY THE UNITED STATES HOUSE OF viewed in their original form at the DG-XV website of the REPRESENTATIVES 39 (1998). European Union at http://europa.eu.int/comm/scic/con- 243 See 47 U.S.C. § 230. Some provisions of the CDA relat- ferences/991104/contributions.doc (last visited Mar. 4, ing to "obscene" material were struck down as unconstitu- 2001). tional. See generally Reno v. American Civil Liberties Union, 247 See Amended Proposal for a European Parliament 521 U.S. 844 (1997). and Council Directive, on Certain Legal Aspects of Elec- 20011 The Internet, Information and the Culture of Regulatory Change jurisdiction as the forum where the "operator" (e- tional elements were addressed within the E-Com- commerce consumer) pursues an activity through merce Directive. Article I of the approved Direc- a "fixed establishment" (a website).248 This focus tive generally provides that the "law of the country on the ac'tivity of the operator and not the e-busi- of origin will.., govern the setting up and provi- ness is referred to as a "country of origin" ap- sion of online services offered by e-commerce bus- 254 proach, meaning "origin" of the consumer activity iness established in the European Union. and not the service provider.2 49 This concept Thus, the determination of the place of establish- forces e-businesses to address potential litigation ment of an e-commerce service provider is gener- in the Member State jurisdiction where the con- ally of great importance to the application of the "country of origin" sumer resides. principle. Certain legal areas, Under prior EU law, unhappy e-commerce cus- including taxation, data protection, cartel law, no- tomers generally could only seek redress in the tarial activities and gambling activities, however, country where the e-business is based.2 50 How- are expressly excluded from application of the 255 ever, the EU Council was anxious to update the service provider country of origin principle. In rules of private international law of the Member addition, an annex to the Directive excludes addi- States with respect to jurisdiction, particularly the tional legal areas, including "contractual obliga- Lugano and Rome Conventions. In May 1999, the tions concerning consumer contracts" from the 2 56 Council unanimously agreed on a proposal, which operation of the principle. Thus, the country of the Commission passed as a proposed regulation origin principle, as it is now applied, would be of on July 14, 1999.251 Article 15(c) of the proposed considerable benefit to e-commerce businesses Regulation would amend the Rome Convention, based in the EU, as it means that their services allowing a consumer engaged in an e-commerce would need to comply only with the law of the transaction to "bring an action before the courts Member State of their establishment. The princi- in the state of his domicile, without having com- ple, however, does not apply to the provision of pleted" the necessary steps to conclude the e-com- services from outside the EU, and such services merce contract in that state.2 52 This change in the provided by an establishment in the United Rome Convention would give force and effect to States, for instance, still may be required to com- the "country of origin" principle at issue in the ply with the separate laws of all fifteen Member EU Draft Directive. States. The principle arguably does not apply to Although the European Commission approved consumer contracts whether they are consum- both the EU Draft Directive and proposed regula- mated with e-commerce providers established tion, each needed to be ratified unanimously by within or outside of the EU. Thus, the same multi- EU justice ministers after consultation with the ple Member State application of laws seemingly European Parliament. 253 This and other jurisdic-

tronic Commerce in the Internal Market, COM (98) 586 final, choice regarding the law applicable to a contract and in the available at http://europa.eu.int/comm/dg15/en/media/ absence of a forum selection stipulates that: eleccomm/com427en.pdf (last visited Mar. 4, 2001). [T] he contract shall be governed by the law of the coun- 248 Directive 2000/EC of the European Parliament and try with which it is most closely connected ... It shall be of the Council ("Directive on Electronic Commerce") arts. presumed that the contract is most closely connected 7-9, available at http://www.ecai.ie/EU%20Directive%200. with the country where the party who is to effect the per- doc (last visited Apr. 6, 2001). formance which is characteristic of the contract has, at 249 Emphasis on "country of origin" arose in the face of the time of conclusion of the contract, his habitual resi- heated arguments to harmonize existing Member State juris- dence. dictional laws into a single EU statement of legal processes EUROPEAN COMMISSION PUBLIC HEARING, Nov. 4-5, 1999, and linkage of court systems. Sylvia Pennington, Europe Hand- ELECTRONIC COMMERCE: LEGAL JURISDICTION AND APPLICABLE cuffs E-commerce with Consumer Rights Laws, VNU NEWSWIRE, LAw 3, at http://europa.eu.int/comm/ustice-home/pdf/ Sept. 9, 1999, available at 1999 WL 6823762. Rather than har- presentext-en.pdf (last visited Mar. 5, 2001) [hereinafter EC monize existing laws into a single set of jurisdictional PUBLIC HEARING]. precepts, the European Commission has admittedly sought 251 See EC PUBLIC HEARING, supra note 250, at 2-3. to craft an expedient "framework" for "cross-border redress" 252 Id. at 3. that emphasizes consumer rights through existing national 253 Id. legal regimes. Id. 254 Directive 2000/31/EC of the European Parliament 250 See generally Convention on the Law Applicable to and the Council, art. 3, 2000 OJ. (L 178) 1. Contractual Obligations, 9 June 1980, 1980 O.J. (L 266) 1. 255 Id. at art. 1. The Convention grants contracting parties freedom of 256 Id. at Annex II. COMMLAW CONSPECTUS [Vol. 9 would apply to all consumer e-commerce con- sively profile customer activity on the Web. Thus, tracts. a certain degree of regulatory paternalism at this stage is necessary, if only to facilitate industry's "best practice" policing of itself. Formal regula- III. SETTING RULES tions governing consumer privacy on the In- A. Content Regulation Will Likely Continue, ternet, however, must be developed cautiously but With an Emphasis on Privacy with a careful eye toward the impact of such regulations on developing Internet applications. The For the moment, the U.S. preference for indus- FTC's proposal for formal privacy legislation and try self-policing seems to have weathered the its subsequent regulatory authority was "too much storm of recent privacy-related legislation and far- too soon." FTC Chairman Robert Pitofsky's pro- reaching recommendations. In the case of the posal to "marry today's efforts at self-regulation U.S./EU data "Safe Harbor," self-regulation even with an appeals process that would defer to a reg- may have found a happy coexistence with its ulatory body"257 goes further to protect the rights highly-structured European legislative counter- of consumers in an Internet environment, while part. Grudging acquiescence, however, by compa- industry eventually will stray from its own self-reg- nies such as eBay and Bell Atlantic to the likeli- ulatory vision, given the opportunity. Such case- hood of privacy regulation suggests that some by-case appeals, however, easily could overwhelm combination of legislative and regulatory initia- an agency that has no enforcement authority to tives will revisit privacy protection. Despite the monitor and take action against sites that violate Clinton administration's and Congress' reluc- customer privacy before appeals develop. tance to support the FTC's recommendations, high-profile privacy gambles like those of DoubleClick, and as alleged of Amazon, may drive B. Assertion of Jurisdiction-Toward public opinion to support increased regulation. International Standards One only need watch the actions of industry to anticipate where and when the next hot-spots for Although case law in the United States has de- legislative and regulatory privacy restrictions will veloped an approach to evaluating jurisdiction in be pursued. Given the FTC's verve in its role as an Internet-based case, determining the proper "bad cop" to the administration's "good cop," eyes jurisdiction internationally is anything but a set- likely will be on Constitution Avenue in Washing- tled issue. To assist in alleviating this disparity, the ton for the next regulatory step. American Bar Association concluded a two-year Self-regulation by industry is a necessary first study of international jurisdiction issues with the step, although the legislative model suggested by June 2000 release of its "London Meeting Draft" the EU deserves additional debate and considera- on Global Jurisdiction Issues Created by the In- tion by Congress. Given the lengths to which the ternet.258 Apart from including a voluminous dis- burgeoning industry could go to merge profiling cussion of Internet issues and how these have af- with personally identifiable customer informa- fected application of traditional jurisdiction tion, the FTC's decision to take an active role to principles internationally, the London Meeting monitor and facilitate this self-regulation is appro- Draft suggests international cooperation to de- priate. At present, there is no strong legal protec- velop jurisdictional standards. The draft proposes tion for consumers and Internet users who casu- a multinational "Global Online Standards Com- ally type personal information about purchases or mission" to study jurisdiction issues and "develop product preferences into online databases. Fur- uniform principles and global protocol standards ther, there is little public understanding of the by a sunset date," working with other interna- 259 depth to which online businesses can go to pas- tional bodies considering similar issues.

257 John Schwartz, Opting In: a Privacy Paradox, WASHINC- www.abanet.org/buslaw/cyber/initiatives/urisdiction.html TON POST, Sept. 4, 2000, at H1. (June 2000). 258 AMERICAN BAR ASSOCIATION, JURISDICTION IN CYBER- 259 Id. at 24. For example, the London Meeting Draft SPACE PROJECT, LONDON MEETING DRAI.r, ACHIEVING LEGAL notes that international working groups such as the Global AND BUSINESS ORDER IN CYBERSPACE: A REPORT ON GLOBALJU- Business Dialogue, the Hague Conference on Private Inter- RISDICTION ISSUES CREATED BY THE INTERNET, at http:// national Law, the Internet Law and Policy Forum, the Inter- 20011 The Internet, Information and the Culture of Regulatory Change

Despite the transactional and "access to con- force Internet entrepreneurs to exclude EU content" violations of national laws, the "country of sumers from the site. Although, as the Com- origin" approach the EU seems to be taking with puServe and Yahoo! cases exemplify, such exclu- regard to consumer-transaction e-commercejuris- sion is rarely possible, and even where possible, diction wholly is inappropriate at this stage of the likely will not be effective. medium's development. As it exists, the jurisdic- Until more jurisdictions clarify the legal liability tional element of the E-Commerce Directive of Internet users-including ISPs and publish- seemingly would mandate that both non-EU en- ers-e-commerce businesses will remain inter- trepreneurs and consumers have a knowledge ested in which forums may assert jurisdiction over and understanding of the relevant laws of the fif- them for potential offenses. Some Internet-based teen EU Member States (in addition to any future businesses may choose to remove operations from EU members). E-commerce participants would forums where laws are not conducive to the ser- face action in each jurisdiction in which a con- vices they provide, as PSInet did in response to sumer is located. Proponents of the jurisdictional the CompuServe case.2 61 Again, depending upon element countered that in applying the country of the technical capabilities of the service provider, it origin principle, the directive now "recognizes simply may decide to block the availability of the Member States operate a number of different sets service from the forum. What makes the proposed of rules regarding marketing promotions and EU directive particularly troubling is that if commercial communications, which are impossi- passed, the second alternative-blocking the con- ble to harmonize without killing off the electronic tent-becomes perhaps the only viable and safe '260 commerce sector in its infancy. option for a company concerned about foreign This argument negates a basic principle of the litigation. Internet as a commercial medium. E-commerce, Until international standards are developed despite ever-increasing gross online product and implemented, it also will be increasingly im- figures, still is in its infancy. A primary merit of portant to consider whether a foreign jurisdiction the medium for trade is its ability to equalize ac- has attempted to enforce its harsher laws against a cess to new and underdeveloped markets among foreign infringer in assessing how a particular for- both large existing businesses and entrepreneurs. eign jurisdiction might treat material posted on For entrepreneurs, this equality of access effec- the Web. As with any business in an uncertain le- tively would be negated by imposing the law of the gal landscape, effective e-commerce initiatives consumer's forum on an Internet transaction should contain an element of risk management. without any regard to "minimum contacts" or pur- As the above discussions indicate, even the most poseful availment considerations. When an entre- attentive e-commerce business model with sub- preneur specifically seeks to sell and advertise in a stantiated profit projections can get mired in ex- forum, traditional notions of minimum contacts traterritorial legal action if the Internet developer and purposeful availment with that forum ensure does not remain cautiously aware of the risks. Un- that jurisdiction can be asserted properly. Giving til more foreign jurisdictions define levels of re- a consumer the ability to simply "state" that juris- sponsibility/liability, as the United States has diction will be asserted regardless of the signifi- done for copyright protection, each compo- cance of the Internet venture's contacts with that nent-the Internet site, the ISP, the user-group, forum, however, will stifle the development of e- and the publisher-has a stake in determining commerce start-ups. Alternatively, the legal risks whether a foreign state can or will assert jurisdic- arising from the jurisdictional element could tion over it for a potentially offending site. Unfor- national Chamber of Commerce, the United Nations Com- pagel9_en.htm (Dec. 1998). Attorney Pullen notes that the mission on International Trade Laws, the World Intellectual unfair competition laws of several Member States forbid the Property Organization, the World Trade Organization and offering of three for the price of two discounts or loyalty bo- others are studyingjurisdiction issues in cyberspace. Id. at 24 nuses, and these types of restrictions are frequently but un- n.54. successfully justified on grounds of consumer protection. Id. 260 Mike Pullen, Attorney., Dibb Lupton Alsop, Brussels, 261 See Jim Hu, PSInet Wants Out of Bavaria, CNET The Draft E-commerce Directive-Good News for SMEs and Con- NEWS.COM, at http://news.cnet.com/news/0-1004-200- suiner Choice, COMMERCIAL COMM. NEWSLETYER 19, at http:// 330976.html (July 7, 1998). europa.eu.int/comm/dgl 5/comcom/newsletter/edition 15/ COMMLAW CONSPECTUS [Vol. 9 tunately, until foreign states adopt more uniform velopment of high-speed and advanced telecom- methodologies for determining jurisdiction for munications services. All three reports generally Internet communications and commerce, analy- conclude that advanced telecommunications cases will continue to be required on a forum-by-fo- pability is being deployed in a reasonable and rum basis. timely fashion. The three FCC reports, however, concede that rural access to the Internet still is 266 C. Infrastructure sadly lacking in the United States The debate over Internet access has been fueled, in part, by This third component of the "legal" Internet, the debate over unbundled access to cable infra- very easily could occupy an article by itself, and it structure, just as the Telecommunications Act of has in this journal and many others. For this rea- 1996 mandated unbundled access to telecommu- son, the focus of this article has emphasized both nications infrastructure. For the moment, the content and jurisdiction. Without minimizing the U.S. Court of Appeals for the Ninth Circuit in importance of infrastructure regulation to devel- AT&T Corp. v. City of Portland,26 7 held off on creat- opment of the Internet, the concern at this stage ing the same degree of open access to cable infra- 268 is for both access to and improvement of the high- structure. est capacity to deliver content. Indeed, the Fed- Additionally, the D.C. Circuit has stepped in on eral Communications Commission ("FCC" or the issue of telecommunications carrier compen- "Commission") concluded three reports, two is- sation for the provision of Internet services. Invali- sued pursuant to the direction of Congress (Sec- dating much of the FCC's February 1999 Declara- tion 706 of the Telecommunications Act of tory Ruling on reciprocal compensation, 269 the 1996)262 in January 1999263 and August 2000,264 D.C. Circuit found the FCC's conclusion that ISP respectively (collectively, the "706 Reports")-and traffic is "nonlocal" for purposes of reciprocal an additional report released in October 1999, compensation was not the result of "reasoned de- subsequently republished by the Practising Law cision-making."27°1 The D.C. Circuit accepted the Institute ("Cable Bureau Report").265 The 706 Re- FCC's assertion of jurisdiction over the provision ports and the Cable Bureau Report gauge the de- of Internet services but vacated the conclusion

262 47 U.S.C. § 157 (Supp. IV 1998) on Spectrum Study of the 2500-2690 MHz Band, the Poten- 263 In re Inquiry Concerning the Deployment of Ad- tial for Accommodating Third Generation Mobile Systems, at vanced Telecommunications Capability to All Americans In a http://www.fcc.gov/Bureaus/Engineering-Technology/ Reasonable and Timely Fashion, and Possible Steps to Accel- PublicNotices/2000/da002583.html (Nov. 15, 2000). erate Such Deployment Pursuant To Section 706 of the Tele- 267 216 F.3d 871 (9th Cir. 2000) communications Act of 1996, Report, 14 FCC Rcd. 2398 268 See id. at 877 (differentiating both broadband cable (1999) [hereinafter First Deployment Report]. programming via high-speed Internet from its more tradi- 264 In re Inquiry Concerning the Deployment of Ad- tional cable counterpart and the need to mandate third-party vanced Telecommunications Capability to All Americans In a access at this time). Reasonable and Timely Fashion, and Possible Steps to Accel- 269 In re Implementation of the Local Competition Provi- erate Such Deployment Pursuant to Section 706 of the Tele- sions in the Telecommunications Act of 1996, Inter-Carrier communications Act of 1996, Second Report, 15 FCC Rcd. Compensation for ISP-Bound Traffic, Declaratory Ruling, 14 20913 (2000) [hereinafter Second Deployment Report]. FCC Rcd. 3689 (1999). Under the "reciprocal compensation" 265 See generally Deborah A. Lathan, Broadband Today, 593 system, established local phone companies pay fees to com- PLI/Pat. 491 (2000). peting telephone carriers to connect calls for ISP traffic but 266 See, e.g., Second Deployment Report, 15 FCC Rcd. do not see compensation in return. SeeJeremy Pelofsky, FCC 20,913, 20,913, para. 8; Charles Babington, On the Road, Clin- Poised to Closed Loophole on Internet Traffic Fees, TOTAL ton Stresses Rural Internet Access, WASHINGTON PosT, Apr. 27, TELECOM, at http://www.totaltele.com/view.asp?ArticleID= 2000, at A1O. Several nonwireline modes of access, including 34350&pub=tt&categoryid=626 (Nov. 29, 2000) [hereinafter multichannel/mutlipoint distribution ("MMDS"), are prov- Pelofsky]. Because calls to the Internet are not "returned" ing to be cost effective in providing high-speed Internet ser- tinder the present system, unless states establish different vices to currently under-served areas. See Mark Holmes, MCI rules, established phone companies will pay roughly $2 bil- Reaches Out to Rural America, BROADBAND NETWORKING NEWS, lion in compensation in 2000 to rivals without seeing recipro- Jan. 16, 2001, available at 2001 WL 6815439 (reporting MCI's cal fees. Id. rollout of MMDS systems in rural areas). However, as the 270 Bell Atlantic Tel. v. FCC, 206 F.3d 1, 7 (D.C. Cir. FCC nears a probable reallocation of spectrum to accommo- 2000) (explaining that while perhaps sound for jurisdictional date third-generation ("3G") wireless services, "line-of-sight" purposes, the FCC's "end-to-end analysis" does not explain difficulties in the provision of MMDS may increase the attrac- how ISP traffic can be viewed as "linked telecommunications" tiveness of new 3G systems. See Press Release, Federal Com- and "continuous works" in order to obviate the view that munications Commission, Staff Releases Its Interim Report "calls to ISPs appear to fit" the definition of local calls). 20011 The Internet, Information and the Culture of Regulatory Change that ISP-bound traffic is not local. 27 1 By vacating City of Portland decision are now being examined this conclusion, the D.C. Circuit permitted indi- for open access by the FTC in light of Time vidual states to continue applying their own rules Warner's control over similar cable lines in cer- 274 to allow reciprocal compensation for ISP-bound tain markets. traffic. However, in upholding the FCC's assertion The next stage for developing regulatory con- of jurisdiction over ISP traffic, the D.C. Circuit cern in the United States likely is wireless Internet likely was affirming that component of the Declar- access and "openness." The UK's BT CallNet Ltd. atory Ruling that was of prime importance to the bowed to pressure on June 21, 2000, allowing its Commission on this issue.27 2 If nothing else, the customers to choose rival Internet portals as the 275 combined impact of the D.C. Circuit's affirmation home page on their cell phones. Similarly, in of FCC jurisdiction with regard to the reciprocal May, 2000, the EU forced France Telecom to take compensation issue and the success of the Com- similar action.2 76 By contrast, Sprint PCS, "the mission's argument against cable open access in most aggressive U.S. wireless service provider, cur- AT&T v. City of Portland should put ISPs on no- rently offers no way for customers to reprogram tice. As the FCC continues to define its regulatory cell phones to select home pages"; however, role with regard to the Internet, courts have be- Sprint has indicated a willingness to discuss "openness" 2 77 gun to recognize differing elements of its jurisdic- issues. tion over Internet issues, whether or not increased regulation is a public goal of the D. One Internet Commission. The access debate, however, additionally has When asked to describe the confluence of the led to close scrutiny over the consolidation of con- Internet and law, the picture I most often suggest tent and infrastructure providers. One argument to both lawyers and nonlawyers alike is of a is that if mergers such as AOL/Time Warner and wooden ship. The infrastructure of the Internet: WorldCom/Sprint are permitted to occur, access the telephone lines and routers, fiber and cable to diverse content and high-speed networks, re- networks, satellite up-links, etc., is the superstruc- spectively, would be stifled. Given consolidation ture of the sailing ship-the keel and cross-mem- among large content providers like AOL and bers. The content of the Internet, whether it is Time Warner, one fear is that the Internet simply video, data, e-mail, chat sessions or whatever else will become a series of "channels" providing inter- might keep a college student up at 2:00 a.m., is active content generated by several large "net- the system of decks. Depending on our individual works," similar to the way content is provisioned needs as Internet consumers, we position our- by the major networks on television. Similarly, the selves on certain decks and shield our loved ones WorldCom/Sprint merger was blocked by the Jus- from content that would otherwise be inappropri- tice Department in August 2000, primarily be- ate, yet, the decks are still there. Third and finally, cause of a fear that the combined company jurisdiction is represented by the hull of the ship. largely would control Internet backbone services, Depending on which perspective you take, the blocking open access to rivals. 27 3 This debate over hull can either keep content out or hold content the results of proposed mergers has led to consid- in, and the true utility of a fully-developed In- erable discrepancies in how various agencies ternet jurisdictional paradigm will be its ability to would preserve competition and/or protect open accomplish both in a predictable fashion, depend- access. For instance, the same high-speed cable ing on contacts with the forum. Just as a ship can- lines that the FCC and Ninth Circuit chose to not function without the unified support of keel, leave "unbundled" prior and subsequent to the hull and deck structure, regulation of the Internet

271 Id. Huddle in Washington, WALL ST. J. Sept. 22, 2000, at A3. The 272 The FCC announced in late Nov. 2000 that it hoped FCC similarly indicated in late Aug. 2000 that it is not satis- to soon begin a plan to phase out the reciprocal compensa- fied with AOL and Time Warner's pledges of Internet service tion loophole within two years. See Pelofsky, supra note 269. access. See id. 273 The combined company would have controlled ac- 275 See Dan Carney, Whose Web is it, Anyway?, Bus. WK., cess to 53% of the Internet backbone. Dan Carney et al., July 31, 2000, at 100. Whose Net is it, Anyway?, Bus. WK., July 31, 2000, at 100. 276 Id. 274 See Jill Carroll & John R. Wilke, Time Warner, AOL 277 Id. COMMLAW CONSPECTUS [Vol. 9 cannot have strength without a consistent, sup- ersY8 °' By virtue of its domain name jurisdiction, portive structure. however, ICANN's duties also include overseeing To conceptualize the Internet in this fashion is the competing interests of trademark holders and to accept that regulatory policy must be both de- small businesses, and of multinationals and for- veloped and monitored centrally, if at all. The in- eign nations. 28 ' Apart from obvious conflicts in creased availability of high-speed infrastructure mediating these two groups of competing inter- will impact the availability of new and advanced ests, some observers feel that it is "not possible to content, apart from the basic notion that content put a private organization in charge of public simply cannot exist without it. For example, avail- rights." 2 2 Both the leadership of ICANN and ability of IP Multicast2 78 or similar full motion those who interact with it on a daily basis insist video applications on the Web will depend on the that the organization is not seeking a greater role infrastructure's ability to support the content. in Internet governance. By contrast, such a role is Likewise, that content will be accessible in juris- being arguably sought by the International Tele- dictions that heretofore would have not been con- communications Union ("ITU"). For instance, at sidered by a content provider. Development of a "World Development Symposium for Regula- jurisdictional systems with international predict- tors" in late November 2000, sponsored by the ability will facilitate when, where, and how appli- ITU in Geneva, an "electronic regulatory hotline" cable laws and regulations will apply to the In- was proposed.2 8 3 The hotline would be staffed at ternet. How each of these three components of the ITU's Bureau for Telecommunications Devel- the Internet are managed and regulated will im- opment by a volunteer pool of regulators who pact each other in time, if not immediately. would provide rapid response to questions and Internationally, the Internet Corporation for best practice on issues ranging from telecommu- Assigned Names and Numbers ("ICANN") often nications "first call" to regulation of e-commerce has been pressured by Internet professionals to transactions. 284 Although not a private, self-regu- take on a larger quasi-regulatory role beyond its latory-organization ("SRO")2 815 like ICANN, the 2 7 current mission to administer domain names. 9 ITU's bureaucratic speed and regulatory ineffi- ICANN, a nonprofit California corporation, was ciency have driven the primary arguments to date appointed in October 1998 to "assume duties for against its increased role in Internet governance. managing domain name" and Internet root serv- Application of the SRO model to Internet gov-

278 Typical Internet communications are conducted in gramming via high-speed Internet from its more traditional "unicast," whereby each communication consists of an indi- cable counterpart). Although the multicast stream requires vidualized stream of data between the sender and one or high bandwidth and considerable network capacity, replica- more receivers. Unfortunately, the unicast method of infor- tion of the signal occurs at the "last mile," greatly reducing mation delivery simply cannot scale to support a vision of the overall burden on the network backbone. WWW.STARDUST. widespread radio and television broadcasts on the Internet. COM., McAsT 2000 WHITE PAPER-A SURVEY OF THE HISTORY When using a unicast application for a teleconference, for OF INTERNET MuLTIcAsT 3 at http://www.stardust.com/mcast instance, copies of the same data are sent point-to-point to 2000/whitepaperfinal.PDF (Jan. 26, 2000). however many receivers are present. IP Multicast enables one 279 See, e.g., Michelle Donegan, E-Commerce: Internet copy of digital information, such as a video stream, to be re- Governance-Internet Elections Face Policy Dispute, TOTAL ceived by multiple computers simultaneously. See Vicki John- TELECOM, at http://www.totaltele.com/view.asp?ArticlelD= son & Marjory Johnson, IP Multicast Backgrounder, 1, at http: 31612&Pub=CWI&CategorylD=705 (Sept. 11, 2000) [herein- //www.stardust.com/multicast/whitepapers/ backgrounder. after Donegan]. htm (June 25, 1999). With IP Multicast, one stream is sent by 280 Sheridan Nye, ICANN Raises On-Line Accountability, the server to the network and then a distribution tree forms. TOTAL TELECOM, at http://www.totaltele.com/view.asp?Arti- Leonard Giuliano, Deploying Native Multicast Across the Internet, cleID=24604&Pub=CWI&CategorylD=705 (Nov. 15, 1999). 1, at http://www.stardust.com/multicast /whitepapers/ 281 Id. sprint.multicastOL.htm (2000). Interested listeners simply 282 Donegan, supra note 279. add a branch to the tree and routers replicate packets of the 283 Vineeta Shetty, Regulators Seek Greater Global Coopera- multicast stream at each branch in the tree. Id. In this way, no tion, COMM. INT'L, at http://www.totaltele.com/view.asp?Arti- packets are ever duplicated in the network, and the server cleID=34046&pub=tt&categotyid=0 (Nov. 21, 2000). never has to send more than one stream of data. IP Multicast 284 Id. is an Internet application, but it uses the topology of the In- 285 The New York Stock Exchange is one example of an ternet backbone very differently. In addition, unlike trans- efficient self-regulatory organization, which, vested with cer- mission of a standard cable television signal, IP Multicast tain regulatory responsibility over the interaction of its mem- broadcasts involve "two-way information exchange and stor- bers in the financial marketplace, must report to the U.S. Se- age, even when a user views seemingly static content." Port- curities and Exchange Commission. See generally 15 U.S.C. land, 216 F.3d at 877 (differentiating broadband cable pro- § 78iii (Supp. V 1999). 2001] The Internet, Information and the Culture of Regulatory Change ernance has been discussed widely and to an ex- gotiation and regulatory standard-setting. Despite tent, implemented. Apart from ICANN's interna- the unique posture of several multinational cor- tional domain name jurisdiction, on the national porations, including WorldCom and Sprint, at the level, the "Complaint Centre" in Germany is an forefront of Internet regulatory issues, U.S. corpo- SRO of German ISPs, which deals with complaints rations have had little to point to as a domestic by Internet users against German providers of In- regulatory model for comparative negotiation. ternet content.2 86 When appropriate, the Com- Thus, coalition building and development of uni- plaint Centre can inform the legal authorities in form policy positions with foreign corporate cases involving content that is illegal in Ger- counterparts must be a near-term goal. many.2 8 7 In theory, vesting aspects of Internet gov- The National Telecommunications and Infor- ernance in an international SRO seemingly could mation Administration ("NTIA") has an executive encompass both U.S. preference for self-regula- level mandate to: "support a predictable, minimal- tion over e-commerce and the more structured ist, consistent and simple legal environment that legislative approach of the EU. This concept, how- will facilitate the growth of electronic commerce, ever, presents three immediate challenges. First, and help resolve privacy, content regulation, cop- no one, existing organization is suited for this in- yright protection, taxation and other similar is- ternational role. Second, the success or failure of sues."28 9 This mandate, however, should either be the EU's Safe Harbor enforcement compromise strengthened or re-delegated. Without strong, with the United States likely will give a strong indi- central authority over Internet policy, agency cation as to whether self-regulation and legislative "turf battles" over nascent regulatory jurisdiction constructs can coexist internationally with regard will likely become more prevalent. The NTIA does to the Internet, an international medium. Third not seem to have the public administrative sup- and finally, successful SROs with broad regulatory port or passive authorization to alleviate this. For authority arguably have taken decades to develop, instance, despite the FTC's recent report and leg- as did the New York Stock Exchange before being islative proposal on privacy regulation, and the vested with SRO authority pursuant to the Securi- agency's interaction with the FCC on issues relat- ties Exchange Act of 1934.288 ing to the AOL/Time Warner and other mergers, At the national level, there likely is not a pre- the FTC is not referenced as an agency the NTIA 29 0 sent need for one U.S. agency to have national assists in developing Internet policy. regulatory authority over this developing me- Both the FCC and FTC have admirably begun dium. An Office of Internet Policy, with close con- to address Internet issues under existing regula- tact and interrelationship with involved depart- tory authority. This existing authority, however, is ments and agencies, however, should be fostered not sufficient to alleviate jurisdictional conflict, in the new administration. At the very least, this particularly over issues of content and open ac- office should seek to both advise and liaison be- cess. The FTC's pro-competitive regulatory au- tween involved governmental organizations and thority will, at times, be at odds with the FCC's multinational corporations to ensure that if regu- "public interest" standard for scrutinizing mergers lations are created or international governing and alliances. Even within a single agency, subtle bodies fostered, the impact of these efforts can be turf issues are discernible. Consider the FCC measured carefully and centrally across regulatory Cable Services Bureau's ("Cable Bureau") issu- jurisdictions. before they are implemented. ance of a separate report on the state of broad- At first glance, and for purely domestic reasons, band access. Although each FCC report relating it would seem that industry prefers the current to further development of, and open access to, self-regulatory posture of the United States. How- broadband technology is crucial to further devel- ever, this preference has weakened the U.S. bar- opment, the Cable Bureau report on inherently gaining position for purposes of international ne- similar cable and common carrier issues and tech-

286 See (Beschwerdestelle) of the Freiwillige Selbstkon- 289 NATIONAL TELECOMMUNICATIONS AND INFORMATION trolle Multimedia Diensteanbieter e.v., at http://www.fsm. ADMINISTRATION, NTIA INFORMATION, at http://www.ntia. de/bes/index.html (last visited Jan. 26, 2001). doc.gov/ntiahome/aboutntia.htmhttp://www.ntia.doc.gov/ 287 See id. ntiahome/aboutntia.html (Sept. 6, 2000). 288 See generally 15 U.S.C. § 78s(h). 290 See id. COMMLAW CONSPECTUS [Vol. 9 nology, is peculiar as a separate and very individ- sentatives. The Internet has and will continue to ual effort. affect each of our lives. In the most basic sense, A strong executive-level office also should en- regulation of this developing medium is a "risk sure that international standard-setting authority, management" attempt. In a litigation setting, the particularly in the areas of international jurisdic- primary objective of risk management is to tion, the World Trade Organization and ITU, is "marginalize" a potential plaintiffs success. In the vested closely to the Office of the President. The world of e-commerce, centralized planning and goal of such an office would be to develop a cohe- awareness of the regulatory risks associated with sive plan of action to bring to any international regulation of this medium is not only crucial to negotiating table, whether or not final negotiat- securing our own national success in this environ- ing authority is delegated to the State Depart- ment, but also would serve to secure the future of ment, separate agency experts or corporate repre- the emerging virtual economy.