Extending Law into Cyberspace
Critical Information Infrastructure Protection and the Law
Draft Concept Paper - with NAE Support
In the earliest days of the Internet, many members of the Internet community held fast to the belief that cyberspace was an infinite frontier in which community members could interact free of the legal restrictions that are imposed upon them in physical space. While this view is still not uncommon among certain members of that community, it has become increasingly apparent that existing law--at international, national, state, and local levels--can and does relate to the cyberspace behavior of individuals and organizations. For example, a host of new statutes focus specifically on legal needs in cyberspace (e.g., Digital Millennium Copyright Act, COPPA, Electronic Signatures in Global and National Commerce Act, and state implementations of UCITA).
One important source of the tension between the Internet community and the existing legal system is a difference in outlook: while the Internet is seen by many as a revolutionary technology that can alter in a fundamental way the basis on which people interact with each other, most of legal theory and practice is based on the notion of precedent and continuity. Given an enormous expansion in the space of human activity, many "netizens" say that the appropriate way to deal with behavior in this new space is either to take no regulatory action or, more commonly, to develop entirely new philosophies and approaches to law and regulation in cyberspace. On the other hand, when the existing legal system is called upon to resolve disputes relating to behavior in cyberspace, legal practitioners, lawmakers, and the judicial system have neither the time nor the expertise to develop de novo approaches, and they are loath to do nothing. Thus, they are often left to approach the dispute in a piecemeal manner, with whatever technical expertise they may be able to bring to bear.
Recognizing such difficulties, the report of the ABA Internet Jurisdiction Project attempted to undertake a comprehensive assessment of the fit between conventional legal doctrines and institutions and the needs of e-commerce. Building on this work, CSTB proposes to conduct a set of studies (or perhaps a series of workshops) that seek to develop a sound, principles-based intellectual underpinning for extending existing law into cyberspace more generally.
The following broad categories of law seem appropriate for further development.
Civil Law (includes tort, civil procedure; conflicts of law; and intellectual property, including patents, copyright, and issues relating to piracy and royalties in software and music). Some illustrative questions:
- What liability should accompany defective software (and how are "defects" in software to be determined)?
- What models of self-regulation can be established in cyberspace?
- How can established methods for resolving conflicts of laws be extended to cyberspace?
Criminal Law (includes rules of evidence and criminal procedure; fraud; theft; national security offenses, hacking and vandalism offenses). Some illustrative questions:
- What procedures and technology are needed to assure the integrity of evidence in digital form?
- How should measures of damage be established for cyberattacks?
- Do computer-generated images of minors engaged in pornographic acts meet the threshold for violations of statutes restricting the possession of child pornography?
- What are new cyber-enabled opportunities for evasion, detection, investigation and evidence?
Business Law (includes commercial law; contract rights; antitrust, including mergers and acquisitions; employment law; securities regulation; administrative law; and taxation). Some illustrative questions:
- To what extent do current regulations (e.g., those of OSHA) govern the work environment of telecommuting employees? How do these regulations need to be extended, if at all, to the regulation of virtual workplaces?
- What standards should be used to evaluate the propriety of mergers and acquisitions of IT companies?
- What mechanisms can be used to disseminate information more widely about risks of investing in IT companies?
- What liabilities are incurred by owners/operators of Web sites?
- How, if at all, should equal access to bottlenecks in cyberspace (e.g., limited bandwidth) be governed?
Constitutional Law (includes issues such as free speech, search and seizure, and privacy). Some illustrative questions:
- To what extent does the 5th Amendment allow an individual to refrain from divulging decryption keys that may result in self-incrimination?
- What standards apply to findings of libel in cyberspace?
- How specifically must search warrants be drawn for searches of computers?
Each of these categories is intentionally broad so that the cognizant committee can identify which areas within each category lend themselves to productive analysis and recommendations as the project proceeds. Study committees in each of these categories would include experts in jurisprudence and legal philosophy, legal practitioners, and experts in the design and implementation of information technologies, with an expectation of combinations imaginative enough to create interesting scenarios for analysis.
Depending on the ultimate design of the project, each component study or workshop could result in descriptions and assessments of its respective area, options for progress, and possibly recommendations for action.
Partnership with NAE
To jump-start this series, NAE has offered to underwrite an initial workshop that would focus on Information Assurance and the Law. Although law is coming to rival technical approaches to securing information systems, progress is hampered by the extremely limited understanding in the legal community of the large set of issues, and the technical strengths and weaknesses, associated with information assurance. This situation has been recognized by the Critical Infrastructure Assurance Office, which joined in June 2000 with the Virginia Bar Association in convening a meeting to discuss liability, privacy, and security issues associated with critical infrastructure protection -- a meeting that demonstrated the need to expand awareness and understanding in the legal community of the technical and policy concerns (as shown by the apparent unfamiliarity of the majority of lawyers present with the critical infrastructure context). Meanwhile, the criticisms by the civil liberties community of federal government actions associated with proposals for the Federal Intrusion Detection Network and the Carnivore Internet-sniffer make clear the gulf in outlook between privacy and civil liberties advocates on the one hand and government-based security experts on the other. In this environment, the National Academies' provision of a neutral meeting ground and ability to convene technical experts with experts in other fields, such as law, suggest that CSTB, in cooperation with the NAE, can foster an important segment of the public dialogue in a sensitive and important arena. At the same time, a convening on this topic can help to tease out practical issues for pursuit of more systematic considerations of civil, criminal, business, and constitutional law, as outlined above.