Internet Privacy -
New Rules for a New World

In the past two years the world of communications has experienced a revolution as computers across the world have learned to speak with one another. As our global society goes on line with increasing frequency, we should take care to recognize that many of the assumptions we have long taken for granted simply do not apply at all in the totally new world of cyberspace.

Privacy is a prime example. We assume that letters sent by U.S. Mail ("snail mail" in cyberspeak) or by overnight carriers are secure, confidential and will not be viewed by anyone other than the intended recipient. The law protects these assumptions by imposing criminal penalties for mail tampering, and by providing a right to sue for invasion of privacy for unauthorized opening of personal mail. Similarly, we assume that our telephone conversations are confidential and know that a court order is needed before even the government can easedrop.

Given this background, it is hardly unreasonable to expect the same degree of privacy for E-mail messages sent across the Internet, or for the files stored in your workplace computer. The harsh reality, however, is that our E-mail messages are legally entitled to the same degree of privacy as a loud statement yelled to someone across a crowded city street: anyone who happens to receive it is entitled to make whatever use of it he or she desires. To ensure that the statement will be private, the speaker must get out of the public right of way. So, too, to ensure that an electronic communication is confidential, one must not use the Internet, an on-line service, a dial up computer bulletin board, or even the internal E-mail on your company’s computer network. Similarly, if the doorway to your company’s computers is left wide open by an unsecured Internet connection, you probably have no legal redress if someone wanders in and copies what is in plain view.

The Information Superhighway

The personal computer had a greater impact on our business and personal lives than any invention since television, which it may very well eclipse in the not too distant future. Computers have dramatically changed the way we work and provided access to vast quantities of information. We quickly learned that linking personal workstations in an office and then throughout an organization allowed us to share resources and information as never before. We next realized that these strange boxes on our desk were also an incredibly efficient means of internal office communications. E-mail allowed us to send messages and document to individuals or groups instantaneously, and to attach documents and reply promptly. The modem permitted our individual computer and local networks to use regular telephone lines to connect with other computers. On line services such as CompuServe, Prodigy or America On Line brought an unlimited reservoir of information directly to our desktops. With a few clicks of a mouse we can view the latest stock prices and ball scores, learn the weather in Seattle, make flight and hotel reservations, browse newspapers and magazines, and download anything from Grandma’s recipes for biscuits to telescopic images of distant galaxies. We can participate in discussion groups covering any topic imaginable (and many more we could never imagine). Dial up bulletin boards allow us access to specialized collections of information and software, and forums to discuss issues. The Internet is the next step in this information revolution.

Academic organizations and government agencies have long been sharing information by sharing access to their computers through dial up telephone connections. In the early 1970’s the U.S. Defense Department undertook a project to enable the various mainframe computers then in use for military research to communicate with each other in a way that was so reliable it would keep working even in the event of a nuclear attack. A computer network named ARPAnet resulted; it was based upon a common communications interface and information transfer system called an Internet Protocol (IP). In the 1980’s when Ethernet-based local area networks were developed, most used the UNIX operating system which came with IP networking capabilities built in.

In the early 1980’s the National Science Foundation created five regional supercomputer centers and built its own network - NSFNET- utilizing ARPnet’s IP technology for data transfer over specially conditioned telephone lines. Because these lines were expensive to use, NSFNET allowed local computers to connect via a daisy chain of local computer links, with electronic messages being passed up and down the chain until the final destination was reached. No longer hamstrung by the expensive telecommunications lines, local academic organizations and government agencies rapidly joined this growing network.

In the early 1990’s the network was opened up to a few large commercial cites and to locations and computers in other countries. As commercial and individual usage grew dramatically, the Internet quickly changed from a network of research and government mainframe computers to a communication mechanism potentially linking every computer in the world which has a modem or access to one. In 1995, when the commercial use of the Internet surpassed its noncommercial use, the Information Superhighway opened for business to the world community.

The development of graphical user interfaces such as Windows and the Macintosh's operating system, combined with a virtual explosion in access service providers, made access to the Internet reachable for the average person and the smallest business. Finally, the development of a common application for creation and viewing of documents with rich graphics, multimedia capacity and rapid links to other locations has provided the Internet with its "killer application": the World Wide Web. The Web is the automatic pilot of the Information Superhighway - it allows simple and free access to wherever we want to go, so that traveler can concentrate on the destination and scenery instead of driving the vehicle. Furthermore, anyone who has access to a computer and a modem, can invest a few hours or a few hundred dollars can become a full participant in the Internet by creating their own home page on the World Wide Web.

We predict that in the very near future Internet access will be as common in both business and home applications as telephone calls and faxes are today. It will become the window of primary access to all the information collected by the human mind, as well as all its creative accomplishments. It will also be a means to communicate and transfer information by text, fax, voice, video and means not yet imagined.

The Rules Governing the Internet

It is very simple to explain the rules and law governing the Internet - there are none. The Internet is frequently compared to the wild west - because of the absence of law and order, anything goes. The Internet is not a physical network of telephone lines and computer switches. It is a list of addresses, a software protocol to find those addresses and access software to view and retrieve whatever someone has stored at those addresses. Furthermore, because the Internet operates by transferring commands from one computer to another and through alternative routes, there is no standard route for messages to take. Indeed, the system is designed to find an alternative route when a road block is encountered. The information accessed is stored electronically at one of the tens of millions of computers using this communication mechanism. While some organizations have undertaken to unify and regulate the addresses and the electronic procedures for transferring information, no entity has issued any rules or regulations for the content of communications or their security. Federal legislation is being debated that would make it a crime to post pornographic materials on the Internet. While this is unquestionably within the power of the government to enact, it is likely to be even less effective than laws forbidding prostitution or prohibition of possession of alcohol. Furthermore, since the Internet is truly international, one country’s government lacks the power to control materials stored outside its boundaries. Therefore, from both a practical and legal perspective, we doubt that any body has the legal authority or practical means to regulate the content of the Internet. Indeed, in a very real sense it represents free speech in its purest form yet encountered by man.

Because of what it is and how the Internet works, there can be never be a guarantee that a message or document sent over it will not inadvertently reach an unintended party. We periodically receive messages from Germany (and in German) intended for an E-mail address in Germany which is only two letters different for our own. On another occasion we erroneously received a message between some company's employees discussing the discharge of a coworker. In the world of cybercommuncations, however, where omission of a period in an address or a typographical error can misdirect a message around the world, this is common. Furthermore, since messages are passed from computer to computer until their destination is reached, anyone with access to an intermediary computer has the capacity to read your message. Because there is no guarantee that any message you send or receive will not be viewed by a third party, there is no expectation of privacy.

To make matters worse, unfortunately there are individuals who intentionally invade others’ computers and who delight in causing mischief and damage. One of these hackers’ greatest challenges is to secure access to the most exetnsively defended computers. A skilled hacker can review your message or access your company’s files just as readily as a skilled burglar can break into your offices when no one is there. Unlike the burglar, however, the hackers leaves no evidence of his visit - even the pilfered files remain intact. The chances that some hacker will attempt to read your E-mail or penetrate your files, however, are probably far smaller than your odds of being burglarized. Under existing law, hackers who cause damage are clearly liable both criminally and civilly for the harm they due. The problem lies in finding them and assessing the damage they have caused. An unresolved legal question is whether mere unathorized entry into computer records without any damage is legally actionable. In cases where organizations have failed to take adequate precautions, courts have been very hesitant to impose liability.

The Developing Law of Cyberspace

Widespread use of cyberspace is far too new to have permitted the development of any substantial case law defining the rights of the users and abusers. Furthermore, do to the uniqueness of electronic communications, the statutory and case law that has developed over the years regarding defamation, appropriation of intellectual property, invasion of privacy and other actionable legal claims is not readily transferable to issues regarding Internet privacy and security. The few cases that have been decided suggest that new rules will be have to be devised before the respective rights of the citizens of this new world are clearly deliminated.

It is widely acknowledged that E-mail messages are discoverable in a civil lawsuit and can provide direct evidence of liability. A prime example is Los Angeles Police Department officer Lawrence Powell's famous E-mail message after the 1991 Rodney King beating: "Oops! I haven't beaten anyone so bad in a long time." In several recent sexual harassment cases, offensive E-mail communications have led to employer liability either as proof that the company condoned such conduct or as evidence that it failed to establish adequate safeguards to prevent such conduct. Even if the E-mail messages or computers files have been deleted from a computer’s hard drive, an expert can often reconstruct the message by examining the computer. With greater frequency, courts are ordering the examination of computer systems by the opposing side’s expert and the production of computer hardware during discovery in civil lawsuits.

We strongly recommend that employers adopt a electronic communication and computer usage policy. The policy should inform employees that computers and related equipment and the data they contain are company property and as such are to be used only for business purposes and not for personal purposes. The policy should also provide that any E-mail messages or documents employees create or store on their employer’s computers are subject to review by management at any time and without notice. Such a policy effectively prevents employees from establishing that they expected privacy in their electronic communications and permits discipline if the employee is discovered using electronic facilities for personal purposes.

In a recent decision, a federal court in California held that Netcom On-Line Communication Services Inc., the largest Internet general access provider, could be liable for copyright infringement when one of its subscribers posted copyrighted publications in the computer space Netcom provided to him. In that case, the copyright holder had advised NetCom that one of its users was posting its materials without permission and Netcom failed to take action to stop this. The Court ruled that while Netcom could not be held liable for direct copyright infringement, it could be liable for "contributory" infringement. The Netcom case illustrates the complexities of applying traditional law to the strange new world of cyberspace. First, it is a clear copyright infringement to reproduce copyrighted materials on the Internet without the owner’s permission. Despite its clear illegality, this practice occurs continuously and widely on the Internet, especially with regard to photographs and news articles. Since the data can be instantly downloaded and just as easily reproduced, it is virtually impossible to prevent copyright violations. Nonetheless, those who engage in such conduct, like those who use software without a proper license, are legally liable to the owner for copyright infringement and usually some species of theft.

What is most significant about the Netcom decision, however, was that the court ruled that Netcom as the service provider could under certain circumstances be liable for copyright infractions committed by its subscribers. In one sense this is analogous to holding the telephone company liable for a defamatory statement made over its lines or holding Xerox liable because a photocopied article was reproduced on one of its machines. The court’s rational in Netcom, however, distinguished such arguments by noting that Netcom had established its own ground rules limiting what materials could be posted in its space and that it fail to take corrective action when it was told of the infringement.

In a second recent case, a New York trial court held that Prodigy, one of the big three computer information services, could be held liable for an alleged defamatory statement one of its subscribers had posted to one of its discussion groups. In that case, a subscriber had uploaded a message to Prodigy’s "Money Talk" bulletin board in which he referred to a named stock broker as a fraud who was engaged in criminal conduct. The court ruled that because Prodigy had openly compared itself to a newspaper in its promotional materials and because it screened postings for obscenities and racial slurs, Prodigy should be considered a publisher in determining its liability for allegedly defamatory statements reproduced on its bulletinboards.

These cases illustrate that under certain circumstances a service provider can be held liable for improper postings disseminated through their facilities. By analogy, entities having Internet sites should take care to ensure that materials posted on them are used with the consent of any copyright owner and that they are not defamatory.

Computer Security

While there is no legal basis for assuming that communications sent through cyberspace are legally entitled to any degree of privacy, this hardly means that businesses and individuals should avoid using this media. The time and cost advantages of Internet communications are too powerful to ignore. The latest versions of E-mail software packages and the latest Web Browsers (software applications for navigating the World Wide Web, such as Netscape) provide mechanisms for message security. In addition, there are software applications such as PGP (Pretty Good Privacy) which provide for excellent security by ensuring that anyone who may read a transmission would be unable to decipher its contents. Both the user and recipient need to use the same encryption software and the same access key to decode the transmission. If you plan transmission of any substantial amount of business documents through the Internet, use of encryption software is a very prudent measure. Keep in mind, too, that even with unencrypted messages, the actual chances of interception are still very remote.

Nor should companies fear that connection to the Internet will provide outsiders with unauthorized access to their computer networks and all the files they contain. Almost all software sold today for establishing dedicated or dial up connections includes special features, such as electronic "fire walls," to prevent break-ins. Moreover, since the possibility of a break-in is substantially greater when someone is on line, additional protection can be derived by not leaving connections open unless they are in use. Since only a very competent and knowledgeable thief can manage a network break-in; the possibility of penetration of your computers by a competitor is extremely remote. Nonetheless, security should be a prime consideration in designing and operating your computer systems. Companies should periodically review their computer security arrangements to ensure continued effectiveness. For example, passwords and access codes should be changed regularly, especially when there has been a high level of employee turnover. Steps should also be taken to deny employees being separated access to computer systems. As employment law practitioners, the authors are directly aware of several cases where disgruntled employees have reeked havoc on company computer files and systems to secure revenge. While the law provides redress for such conduct, often perpetrators almost always lack the assets to make the employer whole. Moreover, the damage they cause can be extensive and irreparable.

Conclusion

Since its fundamental function is to freely share and openly publicize information, the Internet is perhaps the most public, and least private, of all places. No privacy should be expected. Nor do the authors believe that any privacy is provided by law on the Internet. This does not absolve individuals and companies using the Internet and computer communication services, and possibly the services providers themselves, from liability for breaches of copyright, defamation and other laws.

The communications world is undergoing a revolution. The old rules may no longer apply and the new ones have yet to be established. Individuals and companies should embrace the use of these powerful resources, but, like a visitor to a strange new land, they should take precautions and act very cautiously, until the rules which will apply in this strange new world have been established.