Tuesday, October 16, 2007

A law of cyberspace

I’ve heard many people complain about the fact that law in cyberspace is a mess: different laws in different countries (and different laws in different parts of countries, as with the U.S. states), laws that conflict, laws that seem to make no sense when they are applied to online activity, etc., etc. And they’re right.

We’re clearly in some kind of transitional phase, at least as far as the law goes. Law has always been territorial and parochial: England had its unique set of laws, which applied only within the territory controlled by England; Japan had its unique set of laws, which applied only within the territory Japan controlled; Egypt had its unique set of laws, which applied only within the territory Egypt controlled, and so on.

This wasn’t a problem as long as people were pretty much parochial, i.e., pretty much stayed in the country in which they were born. It began to become a problem a hundred years or so ago, when international travel began to become easier and therefore more common. One downside of international travel’s becoming increasingly easier has been that the “bad guys,” the criminals can commit crimes in Country A and then go to another country, in an effort to avoid being apprehended and punished by Country A.

As I’ve written elsewhere, there is and has been a core of consistency in the laws of the various nation-states, because every state has to protect certain interests (e.g., property, matrimony, parentage) and prohibit certain types of conduct (e.g., murder, rape, theft). States may well go about protecting these interests and prohibiting conduct in different ways, but there has generally been a baseline of consistency in certain fundamental areas. That has made it possible – not necessarily easy, but possible – for countries to cooperate in bringing criminals to justice. As you probably know, modern states have extradition treaties which let Country B arrest the criminal I hypothesized above upon being requested by Country A; Country B returns him to Country A, where he can be tried, convicted and punished for crimes he committed against citizens of that country.

That system works pretty well in the real, physical world, though it has been facing more and more challenges as international travel becomes more common. It’s still, though, relatively easy to identity and apprehend a human being traveling from one country to another because actions in the physical world leave traces: A criminal who moves from Country A to Countries B and C can be identified by his appearance (unless he alters it substantially), by his fingerprints, by his passport, by his habits or other methods. The relatively cumbersome nature of real-world travel also contributes to the identification of criminals such as our hypothesized victimizer of Country A. It takes time and funds and arrangements (public arrangements) to go from Country A to Country B and then to Country C. Our perpetrator cannot move that quickly (unless he has his own private jet and other resources, which is possible but unlikely), and that, too, can facilitate his being identified, apprehended and returned to face justice in appropriate venues.

Cyberspace of course changes all this. We can virtually “travel” the globe in instants, or less than instants. We can do so anonymously or pseudonymously. We can conceal where we are in the traditional, territorial sense, where we were and where we will be. Identity and actions disconnect from territory, which can also mean they disconnect from law, which still is territorial and parochial.

We’re not sure yet how to think about cyberspace. One option, which was long ago proposed by many other people, is to conceptualize it as a “place” in itself – a virtual “place.” That makes sense if you equate “place” with the context in which we carry on various activities; we buy things, sell things, communicate, do art, harass and annoy each other, commit crimes, make friends, form communities and do a host of other typically human things online. It would, therefore, be quite logical to conceptualize cyberspace as another “place,” something analogous to a new, as-yet unsettled country.

If we did that, we could develop cyberspace-specific laws. These laws would be laws that, like the nation-state laws I noted earlier, were unique and parochial -- specific to the territory within which they applied. That “territory” would be the ever-expanding confines of cyberspace. The cyberspace laws would therefore only apply when we were “in” cyberspace, i.e., only when we were online. Offline activities would continue to be governed by the unique, parochial laws of the nation-state whose territory we occupied while we were online.

I see two problems with this approach. One is devising cyberspace-specific laws: Who would do this? Would the countries of the world develop a code of laws for cyberspace? Would the UN do this, alone or in collaboration with these countries? Who would decide what law governs cyberspace?

Before I analyze that issue, I want to note the other problem, which I am not specifically going to address in this post. If we were to devise and implement a set of cyberspace-specific laws, who would enforce them? I think that if it ever happens, it will be a long time before the various countries of the world are wiling to let an independent entity (the Cyberspace Court? A UN Cyberspace Court?) exercise jurisdiction over their citizens with regard to their online activities.

Think what that would mean: I’m a U.S. citizen and I’m writing this from my home in Dayton, Ohio. Assume that what I’m writing somehow violates our hypothetical set of cyberspace laws, which would subject me to the efforts of the entity charged with enforcing those laws. That would mean, I assume, that I would somehow have to be extradited from Dayton/Ohio/USA to a cyberspace-jurisdiction to be tried, probably convicted and somehow punished. If the United States. or any other country were to allow that to happen to its citizens, it would be surrendering a measure of its national sovereignty. It would be conceding part of its authority to control its citizens’ behavior to another, albeit virtual, sovereign entity. That may happen someday, in a distant future in which the influence of nation-states has declined or disappeared, but it will not happen for a long time.

That problem, though, cannot arise unless and until there is a set of cyberspace-specific laws. Let’s go back to the first problem: Who would devise such laws?

Logically, the articulation of these laws can from either from sources outside cyberspace or from sources inside cyberspace. In the first alternative, we either (i) devise entirely new laws that are specific to cyberspace or (ii) extrapolate existing, external law to cyberspace. In the second alternative, we would “grow” cyberspace law in cyberspace. Let’s consider each alternative.

I do not think we will see an external effort to devise cyberspace-specific laws primarily because of the enforcement problem. By agreeing to the articulation of cyberspace-specific laws, countries would already be surrendering a measure of their sovereign authority, because the issue of enforcement is implicit in, and an inevitable consequence of, the articulation of such laws.

Another external approach – which the Council of Europe is pursuing on a limited basis – is to encourage the harmonization of national laws insofar as they impact on activities in cyberspace. The Council of Europe has promulgated a Convention on Cybercrime in an effort to do this for the laws that define certain type of cybercrime and govern what law enforcement can do in investigating online criminal activity. The Convention has been ratified by many European countries, plus the U.S.; it can also be signed and ratified by other non-European countries, but I suspect that will take a while if, indeed, it happens. I’m not going to go into detail on why I think that here, because it would be a digression; suffice it to say that the Convention is a very complex document, one that incorporates certain perspectives about law that may not be common in all countries. I’m not saying that harmonization is a bad idea or that it is impossible; I am saying that I think it will take a long time to break down the barriers that exist between the unique, parochial laws that are found in every modern nation-state.

We needn’t give up hope for cyberspace laws, though. There’s still the other alternative: growing cyberspace laws in cyberspace. While this might seem a peculiar approach, it actually has its roots in history.

A system of law known as the Lex Mercatoria developed in medieval Europe, beginning around the tenth and eleventh centuries. The Lex Mercatoria was, as Wikipedia explains, a
body of rules and principles laid down by merchants themselves to regulate their dealings. It consisted of usages and customs common to merchants . . . in Europe, with slightly local differences. It originated from the problem that civil law was not responsive enough to the growing demands of commerce: there was a need for quick and effective jurisdiction, administered by specialised courts. The guiding spirit of the merchant law was that it ought to evolve from commercial practice, respond to the needs of the merchants, and be comprehensible and acceptable to the merchants who submitted to it.
The Lex Mercatoria was the product of a world in which nation-states had yet to evolve. During this era, merchants did not operate from a single, fixed location, such as a shop. Instead, they traveled to sell goods they bought in one place at another. Because they were doing business in so many places, the merchants became frustrated at having to deal with a patchwork of parochial, often inconsistent and inadequate local laws. To remedy this, they developed their own laws, which evolved from their needs and from the nature of the transactions in which they engaged. (They also developed their own courts, to ensure that disputes could be settled quickly and fairly, but that’s another story.)

Many scholars have suggested that the solution for cyberspace is the evolution of a new, online Lex Mercatoria – a Lex Cyberspace. The Lex Cyberspace would be, like the Lex Mercatoria, a specialized set of laws that exist separate and apart from the general laws governing activities in the various countries of the world. And like the Lex Mercatoria, the Lex Cyberspace would apply only to those who participate in activities undertaken in a specialized context, the context being trade for the Lex Mercatoria and cyberspace for the Lex Cyberspace. The rationale for the two law codes would be essentially the same: specialized endeavors that transcend national boundaries and national cultures require their own laws.

This approach could have certain advantages. Like the Lex Mercatoria, a consensually-evolved Lex Cyberspace should be uniquely tailored to the needs of the cyber-community, instead of a modified version of real-world law extrapolated online, where it may or may not be appropriate. And a Lex Cyberspace would be internally-derived, instead of than being imposed by an external entity (or entities). This aspect of a Lex Cyberspace has implicitly manifested itself in certain ways, one of which is a general sentiment to the effect that online communities should be self-policing, i.e., should develop and enforce their own standards and rules of behavior.

A Lex Cyberspace could, it seems, resolve both of the issues I noted above: developing laws governing online activity and enforcing those laws. The problem I see with the Lex Cyberspace solution is that nation-states are unlikely to be willing to surrender control to a body of online law-makers and law-enforcers. The demise of the Lex Mercatoria, after all, is attributed to the rise of nation-states, which were jealous of and insecure with this independent, transnational legal institution. Nation-states therefore assumed exclusive responsibility for making and enforcing law and, in so doing, subsumed the principles of the Lex Mercatoria into their own laws.

Perhaps there will someday be a Law of Cyberspace. It seems, though, that such a phenomenon cannot exist unless and until the influence of nation-states erodes or until the laws governing the territories claimed by the discrete nation-states coalesce into a single, consistent whole.

Friday, October 12, 2007

Envelopes and encryption

As I’ve mentioned, last June the U.S. Court of Appeals for the Sixth Circuit held, in United States v. Warshak, that Americans have a reasonable expectation of privacy in the contents of emails they have stored on an ISP’s servers.

(If the Warshak link doesn’t work, you can find it by going to http://www.ca6.uscourts.gov and searching for it in the opinions section either by name or by opinion # 07a0225p.06).

The Warshak opinion means that law enforcement can no longer use a court order, which issues without a showing of probable cause, to obtain the contents of emails someone has left stored with their ISP. They must, instead, obtain a search warrant, which does require them to show probable cause to believe that the emails contain or constitute evidence of a crime.

The opinion was, as is usual, issued by a panel of three of the Sixth Circuit judges; my understanding is that the federal government, which was the losing party in the case, is asking the entire Sixth Circuit to rehear this case en banc, i.e., to have all the judges on the Sixth Circuit sit as a panel and re-decide the case. If the Sixth Circuit does that, then the en banc panel can either agree with the three judges who said we have a Fourth Amendment expectation of privacy in our email, or disagree, and reject their conclusion. If the Sixth Circuit rehears the case en banc and agrees that we do have a reasonable expectation of privacy in stored emails, then I’d say there’s a good chance the case will go to the Supreme Court, because the effect of such a decision is to invalidate a federal statute law enforcement officers routinely use to obtain access to stored emails.

I don’t want to talk about the Warshak opinion, though. I want to talk about the larger issue – the question of whether we can reasonably expect the contents of our emails to be, and to remain, private. To do that, I need to review the standard courts apply when this issue comes up.

In 1877, the U.S. Supreme Court held, in Ex parte Jackson, that Americans have a Fourth Amendment expectation of privacy in the contents of sealed letters and packages they send through the U.S. mails (which was the default mail/delivery service at the time). The Jackson Court said “letters and sealed packages . . . in the mail are as fully guarded from examination and inspection, except as to their outward form and weight, as if they were retained by the parties forwarding them in their own domiciles.” The Court also held that anything we send that is not sealed – such as a postcard – is not encompassed by this rule because we have taken no steps to protect the privacy of its contents.

The Warshak court cited the Jackson decision, as well as the Supreme Court’s 1979 decision in Smith v. Maryland. In Smith, the Court said we do not have a Fourth Amendment expectation of privacy in the phone numbers we call, even from our homes, because by dialing those numbers we voluntarily convey that information to the phone company and, in so doing, surrender any privacy interest in it. I think the Smith decision was, and is, wrong, but that’s irrelevant.

In Warshak the government essentially argued that we have no Fourth Amendment expectation of privacy in emails we leave stored with an ISP because the ISP staff can read those emails, since we have not “sealed” them. Prosecutors often analogize email to a postcard: we send our emails through a system in which they are “visible” to other people without doing anything to shield their contents, to make them unreadable. The premise then is that the emails are like the phone numbers in Smith: We voluntarily share them, in the clear, with an entity whose staff can decipher the information they contain.

The Warshak court rejected that, essentially finding that we have an expectation of privacy if and when our ISP’s terms of service state that its staff either will not read our emails or will do so only under certain circumstances. That conclusion makes a certain amount of sense, but it really doesn’t resolve the Jackson-Smith problem, i.e., that the contents of stored emails CAN be read by ISP staff.

What I find interesting is that this controversy really does not need to arise. If we encrypted our emails, we would be “sealing” them, just as we seal the letters and other correspondence we send through the mails. If we “sealed” our emails, the Jackson rule would apply, even though we are sending emails via private carriers rather than through the U.S. mails. The Jackson Court’s point went not to the vehicle by which a message is being transmitted but to the steps taken to shield the contents of the message from the eyes of those involved in its transmission.

So why don’t we encrypt our emails? We were talking about this in my cyberspace law class yesterday, and one student pointed out that the general public doesn’t encrypt their emails because the process is too complex and/or too esoteric for them to use easily. I think she’s absolutely right. I think we are in a situation analogous to the situation letter writers were in until the mid-nineteenth century.

The adhesive envelope, which we assume has always been around, was not introduced until the mid-1800s. See Robert Ellis Smith, Ben Franklin's Web Site 56 (Providence RI: Privacy Journal 2000). Until then, people didn’t use envelopes; instead, they wrote their letters on a sheet of paper, which they folded and sealed with sealing wax, which was notoriously unreliable. See id. Letter writers knew the wax would probably fail, the letters would come unsealed and postal employees would probably read them. See id. Many, including Thomas Jefferson, wrote their letters in code – encrypted them -- to avoid this. See id. at 43. The adhesive envelope eliminated the need to encrypt letters because it was reliable AND easy to use. The Jackson Court’s holding was implicitly based on the impact adhesive envelopes had on securing the contents of written correspondence from prying eyes.

When it comes to email, our situation is, and is not, analogous to that of pre-adhesive envelope letter writers. Our situation is analogous because we have no simple way to “seal” our emails. Since we consequently do not “seal” our emails, it is, as a practical matter, difficult to argue that the contents of those emails are private. They really are postcards; their contents CAN (may not actually be, but CAN be) read by the staff of the entity involved in their transmission. Since they can be read by anyone who comes in contact with them, it is not, as a matter of common sense, reasonable for us to claim that their contents are private.

On the other hand, our situation differs from that of a pre-adhesive envelope letter writer in an important respect: We have tools available that will allow us to “seal” the contents of our emails. We do not use those tools because, as I said earlier, using them involves a lot more effort and expertise than simply sealing an adhesive envelope. I also think we don’t use these tools because most people, at least in this country, don’t realize that their emails are postcards, rather than letters. That is, I think most people in the U.S., anyway, don’t realize that the contents of their emails are not private.

All of this can, and probably will, change. Two things can transform the default status of email from that of postcard to that of sealed letter: One is for people to realize that they must “seal” their emails for them to be private. The other is the introduction of simpler, more intuitive encryption tools. I think the transformation will require the interaction of both factors: People will have to become receptive to the idea of encrypting emails, and the process of encrypting them will have to become at least a little more user-friendly.

If people begin to understand the utility of encrypting their emails, they will look for easy ways to do that. One way is, as I said, for developers to introduce new, user-friendly encryption tools. Another possibility is for ISPs to offer “one-click encryption” (if, in fact, that is a possibility), i.e., a system that automatically encrypts emails sent via that and compatible ISPs. I don’t know if this kind of one-click encryption is technically possible, and even if it is, I can see implementation problems. If I’m using a one-click encryption ISP, I assume I either can’t email people who don’t use my ISP or another, compatible one-click encryption ISP or if I can email them, I lose my encryption. But I assume the same kinds of problems will arise if and when our culture moves to one in which we seek to encrypt emails.

Encryption definitely is, and will probably continue to be, more challenging than an envelope.