ISP Liability Survival Guide: Strategies for Managing Copyright, Spam, Cache, and Privacy Regulations / Edition 1

Paperback (Print)
Buy New
Buy New from
Used and New from Other Sellers
Used and New from Other Sellers
from $1.99
Usually ships in 1-2 business days
(Save 96%)
Other sellers (Paperback)
  • All (14) from $1.99   
  • New (3) from $9.75   
  • Used (11) from $1.99   


It's a jungle out there, (in ISP LiabilityLand) but your capable jungle guide, Tim Casey, takes you safely and firmly into and out of what would otherwise be very complex and potentially dangerous territory. Bring a camera.-Vinton Cerf

Governments around the world are establishing laws and regulations that will have a great impact on the way Internet Service Providers (ISPs) do business. With existing and ongoing efforts to regulate the Internet, ISPs are in desperate need of expert guidance to sort out which laws apply to them. This is precisely what author Timothy Casey offers in his new book. As the preeminent technical legal counsel for MCI WorldCom and one of the framers of the Digital Millennium Copyright Act, Casey shows you how to protect yourself in this volatile market.

This valuable guide gives you:
* Detailed explanations on the varying laws and how their technical features impact running a liability-free ISP
* Critical considerations for adopting effective policies and procedures that enable you to best structure your operations
* Valuable insight on the important issues to consider when contracting with users, vendors, and sales channels to accommodate the laws and maximize your profitability

Networking Council Books put technology into perspective for decision-makers who need an implementation strategy, a vendor and outsourcing strategy, and a product and design strategy. The series advisors are three of the most influential leaders of the networking community:

Visit our Web site at

Visit the Networking Council Web site at

Read More Show Less

Editorial Reviews

From the Publisher
"It is a unique book and valuable stuff ...." (Unixnt, February 2001)
It is a unique book and valuable stuff ....
Read More Show Less

Product Details

  • ISBN-13: 9780471377481
  • Publisher: Wiley
  • Publication date: 5/8/2000
  • Series: Networking Council Series, #9
  • Edition number: 1
  • Pages: 288
  • Product dimensions: 9.25 (w) x 7.50 (h) x 0.60 (d)

Meet the Author

TIMOTHY CASEY is a Senior Vice President and the Chief Technology Counsel for MCI WorldCom, where he manages the Technology Law Group. He is recognized as the top ISP technical and legal expert in the world.

LYMAN CHAPIN- Chief Scientist at BBN Technologies, CTO for GTE Technology Organization, and founding trustee of the Internet Society

SCOTT BRADNER- Senior Consultant for Harvard University, Transport Area Director IETF, trustee of the Internet Society, and ISOC VP of Standards

VINTON CERF- Senior Vice President for Internet Architecture and Technology at MCI Worldcom, founding President of the Internet Society, and co-inventor of TCP/IP

Read More Show Less

Table of Contents

WWW: The Wild, Wild West?

Intellectual Property and Other Laws Made Simple.

A Special Law for ISPs: The DMCA.

Other Internet-Specific Laws.

What Is an ISP to Do (or Not)?: Content and Activity Regulations to Live By.

Incorporating ISP Liability Concepts in Contracts.

Policies and Procedures: What to Ask/Tell Your Lawyer.

Technical and Legal Glossary.


Read More Show Less

First Chapter


Although intellectual property laws have had and will continue to have a significant impact on the Internet, intellectual property was not the first Internet-related legal area to be regulated. The first Internet-specific law of any significant consequence was probably the Communications Decency Act (CDA), which went into effect on February 8, 1996. The CDA was followed fairly closely by the German multimedia law, called the Federal Act Establishing the General Conditions for Information and Communications Services, which went into effect on August 1, 1997. I will talk about the CDA in this chapter and about the Germans' foray into cyberspace in Chapter 5, What Is an ISP to Do (or Not)? Content and Activity Regulations to Live By.

Many other Internet-specific laws now exist or are being created on a wide variety of subjects that will impact ISPs. For example, in some countries it is illegal to compare your product or service to that of a competitor. Some countries, such as the United States, have constitutions that protect citizens' rights up to certain limits, while other countries are dictatorships whose citizens have few individual rights. Correspondingly, some countries encourage communication on almost any subject, while others impose tight restrictions on almost anything said. Although many countries restrict pornographic material, especially child pornography, others let almost anything go.

At least 18 countries have legislation that restricts speech that is considered excessively violent or likely to incite crimes of violence. Materials that will promote hatred or vilify people onthe basis of race, gender, sexual preference, or disability are also banned. Private information of others cannot be used, and defamatory, false, misleading, or fraudulent materials are regulated. Even materials that reflect cultural attributes that are contrary to other people's cultural interests are controlled. All of these laws, and many others, are now being turned in the direction of the Internet, and at some point in time, virtually any law that exists in the physical world will be applied to the cyberworld in some way or another. It is impossible to identify, explain, and apply every one of these laws in the context of the Internet. However, I can at least identify some of the major ones that have already been applied to the Net, identify some of what is coming, and help prepare you for what hasn't even been thought up yet.

At the very least, you can be assured that more laws are on the way. For example, in April 1999, the European Commission (EC) released the Action Plan on Promoting Safer Use of the Internet. The objective of this plan, which extends to 2002, is to restrict the circulation on the Internet of illegal or harmful content and the illegal use of the Internet. In particular, the EC hopes to promote services, such as a European network of hot lines, that address "content on the Internet that is contrary to human dignity, for example, child pornography, extreme forms of violence, incitement to racial hatred and xenophobia." By establishing and promoting a hotline network, the EC hopes to provide a mechanism for removing illegal content from host servers. The EC also hopes to encourage the application of filtering and rating systems for Internet content. To achieve this objective, the EC anticipates that technologies similar to meta-data content labels will be established to allow Internet users to control the type of content to which they may be exposed. It is contemplated that the classification of such content will be performed by content providers, third-party experts, local Internet administrators (ISPs), or even automated tools, and that the filters will not only be located in a user's computer, but also in local area networks (LANs), proxy servers, search engines, and hosted web sites.

As I write this, I am attending the International Conference on Electronic Commerce and Intellectual Property, sponsored by the World Intellectual Property Organization (WIPO) in Geneva, Switzerland. More than 700 participants, mainly lawyers and politicians, from all over the world are attending this conference to discuss and learn how to apply intellectual property laws to the Internet and the Information Society, as the Internet and e-commerce are collectively referred to in much of the world. I am speaking at the conference about service provider liability issues, of course, but service provider concerns take a backseat to the intellectual property issues that are driving this conference. The representatives of each of the governments participating in this conference will return to their countries not only to work on applying intellectual property laws to the Information Society, as practiced in their countries, but also to begin or continue the process of applying additional laws to the Internet, which brings us to the subject matter of this chapter. Some of the more significant laws being applied to the Internet are set forth in the following sections.

Privacy, Publicity, and Defamation

From a legal perspective, your right to privacy can be defined in four distinct ways:

1. The right not to have your physical solitude intruded upon, such as could occur if someone eavesdropped on your private discussions or took pictures of you from an adjacent property.
2. The right not to have embarrassing private facts disclosed in public.
3. The right not to be placed in a false light in public.
4. The right not to have your name or likeness appropriated for commercial benefit.

As you can see, the right to privacy includes elements of what you probably thought were separate rights: privacy and publicity. The difference between privacy and publicity has to do primarily with the nature of the resulting injury. If your pocketbook is injured, then your right to publicity has probably been injured. If your psyche has been injured, then your right to privacy has probably been injured. Since most people have a hard time following this distinction, however, I will just stick with what most people think of as privacy and publicity.

The concept of privacy is usually equated with the privacy of personal information and activities. Since people are quite different the world over, privacy means something different to almost every person within every culture in the world. The right of privacy is intended to protect against intrusion upon an individual's private dignity and self-esteem. Privacy also depends on who you are. If you are famous, especially if you have purposely sought the public's attention, you can generally expect a lesser degree of privacy than can people who are not famous. Whether you are famous or not, however, everyone has a certain right to publicity, that is, the commercialization of your name, image, or persona. Hence, the right of publicity is intended to protect against commercial loss caused by appropriation of an individual's personality or likeness for commercial exploitation. Everyone also has a right not to have false things said about themselves by others, which is generally referred to as defamation. Given the interrelationship between each of these concepts-- privacy, publicity, and defamation-- they are dealt with together, starting with privacy.


The privacy issue rears its rather ugly head in a number of different ways with respect to the Internet. The most common way is through the direct collection of personal information from web sites. Many web sites, including ISP customer service sites, have been set up to collect such information from people accessing the site. This information ranges from someone's name and contact information, to complete demographic data, to very personal questions about that person's lifestyle. People have freely provided this information because they thought they had to do so in order to get service, or simply out of ignorance or misplaced trust in the operators of the web site. Before you laugh, how many of you have answered all of the questions on a warranty form because you thought your warranty would not be honored if you did not? Better yet, how many of you have purchased a magazine subscription or some similar item from a sweepstakes company because you thought your winning number would not be drawn if you did not? When web site operators began to trade or sell this data to other people, who then used it for marketing purposes or worse, the people from which the data was collected began to express grave concerns.

Many users have since figured out that data was being collected about them and their Internet usage habits in a number of more subtle approaches. Cookies are computer records of information that are sent from one web site to a user's computer that enable that web site or another, by accessing the cookie from a PC's hard drive, to identify certain types of activities that were engaged in by that user. Java programs, applets, ActiveX programs, and other client-based scripting technologies can also be used to collect vast amounts of data about users or their habits. This data can be collected for legitimate purposes, to which most users would not object, but it can also be used to target-market goods and services to users, which can be quite annoying. For example, in 1999, Nissan accidentally sent the e-mail addresses of over 24,000 potential automotive customers to the others. Shortly thereafter, AT& T emailed 1,800 customers of a long-distance program and likewise included the e-mail address of each of the other customers.

The manner in which different societies are dealing with this issue of the privacy of personal information is very interesting. Tribal-based cultures have almost no expectation of privacy within their cultures, but they expect significant privacy outside of their cultures. More than 40 countries have enacted, or are in the process of passing, privacy laws, including much of Europe, but not the United States-- yet. While Americans have historically had a relatively low expectation of privacy, Europeans have generally expected a significantly greater degree of privacy regarding their personal information. To deal with European privacy expectations, the European Union has passed a privacy directive that is in the process of being adopted, in different ways, by each of the member countries in the EU. This directive requires ISPs, e-commerce businesses, and others within the European Community to disclose how they intend to use any personal information they collect. While companies within the United States and in other countries are adopting similar efforts on a voluntary basis, these efforts may never guarantee the same level of privacy expected in Europe, and this may be a problem. The EU Privacy Directive also requires countries trading with its member countries to adopt measures that adequately protect personal information and threatens to cut off data transfers to countries that do not.

The definition of adequate protection is the subject of great debate, but basically the Europeans appear to feel that self-regulation is insufficient, and the United States disagrees. While legislation has been introduced in Congress to address this issue, it is far from certain whether any such legislation will become law in the near future. In the meantime, the U. S. administration has taken the position that self-regulation is the best solution within the United States, supplemented by the implementation of privacy policies on federal web sites and relying on enforcement actions by the Federal Trade Commission (FTC) when consumer protection issues are at hand. For example, the FTC does not require companies to adopt online privacy policies, but if a company does publish a policy, the FTC will prosecute any complaint alleging a failure to comply with that policy under consumer protection laws. While the FTC is contemplating seeking legislation on privacy and antifraud regulations, other legislation has been proposed to require web site operators in the U. S. to publish privacy guidelines. These latter provisions have been included in controversial-- and failed-- legislation having to do with broadband access issues, however, so they are unlikely to pass anytime soon.

In the Netherlands and the United Kingdom, legislation has already been passed establishing independent privacy agencies, with more than 50 and more than 100 employees, respectively, to take complaints, proactively investigate, and take legal action against privacy violators. While the United States has appointed a privacy counselor, this position merely provides advice to the administration and will not directly handle consumer privacy issues. The EU finds this effort to be wholly inadequate. As with all things politic, whether the United States' efforts are sufficient is a matter of governmental philosophy. In general, the U. S. government tries to avoid regulating the activities of its citizens because its citizens don't want the government telling them what to do, while many Europeans want their governments to tell them what to do, so the governments are more than happy to do so. A good reason for regulating yourself and asking the government to stay out is that you may not like what you get when the government does get involved. For example, a bill was introduced in the United States in 1999 that would have required ISPs to keep track of which subscribers didn't mind receiving unsolicited e-mail. The problem with this proposal, however, was that it also required the list to be made public, so that all those listed could be guaranteed of quickly being deluged with spam until they asked that their names be taken off the list. ISPs don't need this kind of burden, nor do they need half-baked legislation.

A Self-Regulated Approach

A self-regulatory approach, including codes of conduct and trademarks, can provide a viable tool in enhancing consumer trust in electronic commerce and ISPs. In the United States, the Better Business Bureau's BBB Online program and the TRUSTe program sponsored by a company called TRUSTe provide codes of conduct, trademark certification, and a limited amount of policing-- to members for a fee. An alternative approach to self-regulation, of course, is to simply establish a reasonable privacy policy and stick by it, but far too few companies stick with any policy they establish. When the FTC studied 1,400 web sites in 1998, it found that only 14 percent of those sites actually had privacy policies that informed visitors of their data collection practices. By 1999, a similar study showed that the number of sites with privacy policies had increased to over 65 percent, but only 9.5 percent of those sites actually met what were considered to be the basic elements of an appropriate policy.

In the United Kingdom, the Netherlands, and a growing number of other countries, many companies are adopting the Which? Web Trader scheme, although it may have different names in different countries. Which? Web Trader members (membership is free) must agree to follow a Code of Practice and must supply certain details and contact information to Which? Web Trader in order to receive permission to display the Which? Web Trader trademark. The Code of Practice aims to ensure that consumers are treated fairly, that consumer complaints are heard, and that member companies are expected to make things right in response to a complaint. The Code of Practice for Which? Web Trader is as follows:

  • A member company needs to be governed by the law of the country in which it is a member of Which? Web Trader.
  • Consumer complaints need to be dealt with effectively.
  • Member companies need to provide details about their procedures for solving disputes.
  • Prices should be clear to consumers, with no hidden charges such as for taxes, packaging, or delivery.
  • Member companies should clearly tell consumers how to pay for offered goods or services.
  • Member companies must provide full contact details.
  • Member companies must give consumers the possibility to opt out and refuse direct marketing material.
  • Member companies must provide a customer service phone number, say when this service is available, and state clearly the cost of the calls.
  • The terms and conditions in consumer contracts should be in English or in the official language of the appropriate country.
  • Member companies must make it clear whether they are providing a guarantee.

If a consumer wants to buy goods from electronic commerce merchants outside of a particular country, they can find a list on a specified web site of international partners who manage similar, affiliated schemes in other countries. In the United Kingdom, Which? Web Trader can be found at www. which. net/ webtrader/.

Technical Solutions

Speaking of standard approaches, there is another approach: the development of privacy-enabling technology standards. One such proposed standard is the Platform for Privacy Preferences (P3P), which was developed by the World Wide Web Consortium, a web-based standards group, and which aims to automate the sharing of personal information between a consumer and a web site. Lobbying organizations, such as the Direct Marketing Association, have pointed to P3P as an example of how technology might stave off privacy laws, such as Senator Leahy's Electronic Rights for the 21st Century Act, which was first introduced in 1999. This bill would make it harder to disclose information about customers for commercial purposes, increase privacy protection against governmental surveillance, and subject booksellers and libraries to civil liability for the unauthorized disclosures of personal information collected from library and book sale records. While such legislation might give consumers more control over how their personal information is used by online businesses, industry groups maintain that such regulations would be unduly cumbersome and expensive.

Electronic Communications Privacy Act

No discussion of privacy on the Internet would be complete without some discussion of the U. S. Electronic Communications Privacy Act (ECPA). The ECPA was intended to protect Internet-based communications as telephonic communications are currently protected. Thus, the ECPA requires legal due process standards to be met before Internet-based communications may be handed over to law enforcement officials. In addition, the ECPA prohibits individuals and service providers from monitoring the content of communications over the Internet. A number of people have told me that they are capable of intercepting traffic from the Internet. In response to my assertion that intercepting traffic sounded like an incredible waste of time because of all of the junk they would also receive, they have insisted that they can be extremely selective. I have turned down offers to have this selectivity demonstrated because I did not want to be a witness to the commission of a crime-- if their claims turned out to be true. Generally, since ISPs are not in the business of intercepting traffic, the ECPA would not seem to apply, but as it turns out, there are many circumstances where you will either want to intercept traffic or someone else will demand that you do so.

Law enforcement officials might want you to intercept traffic transmitted by users of your network who are suspected of committing crimes. A customer may want you to intercept traffic over your network involving messages to or from an employee or contractor of the customer. Your human resources department or security department might want you to intercept traffic from employees or contractors who are suspected of doing something wrong, such as stealing things from the company. Since the ECPA generally states that it is unlawful to intercept such traffic, it is very important to determine whether you come under any exemptions that would make taking such action okay.

Anytime you are asked to do anything by law enforcement officials, contact a lawyer and make sure the law enforcement officials provide you with the necessary legal documents to compel you to take such action. The intent here is not to make law enforcement's job any harder, but you could be liable for the consequences of any action taken without sufficient legal justification, and there have been plenty of cases where law enforcement officials were just a little too quick to jump the gun. When it comes to monitoring your own employees or the employees of a customer, an initial reading of the ECPA statutes would lead one to believe that these people are subject to broad protection, but other statutory exceptions and subsequent judicial decisions have significantly narrowed any protection. For example, 18 U. S. C. 2512( 2)( a), in combination with the definition provided at 18 U. S. C. 2510( 5)( a), permits the utilization of devices that intercept e-mail so long as (1) the intercepting device is part of the communication service provider's network, and (2) the device is used in the ordinary course of business.

The Fifth Circuit Court of Appeals interprets the intercept language in the ECPA to mean only the acquisition of an electronic message during the actual transmission of the message from one party to another. The court also noted that interception does not cover the retrieval of stored messages from network memory. This decision was based in part on 18 U. S. C. 2701( c)( 1), which permits the person or entity providing the electronic communication service, or someone authorized by such person or entity or authorized by a user of the service with respect to a communication of or intended for that user, to access stored communications. In Bohach v. Reno, 932 F. Supp. 1232, 1236 (1996), a federal district court held that the ECPA "allows service providers to do as they wish when it comes to accessing communications in electronic storage."

When it comes to taking action on behalf of a customer, however, you need to make sure you have the customer's written authorization to act on its behalf. Note that 18 U. S. C. 2511( 2)( a)( 2) provides an exemption from liability for employers who provide electronic communications services to employees for intercepting, disclosing, or using the content of an employee's e-mail message where such actions are necessary to protect the rights or property of the company. In particular, this section includes in its exemption any "operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, where facilities are used in the transmission of a wire or electronic communication." Thus, this section protects you only as long as you are acting as the employer's agent.

According to 18 U. S. C. 2511( d), someone can intercept a communication when they have previously received consent to do so from one of the parties to the communication. Since many employers now include consents of this type in agreements signed by employees and contractors, the employer can pass on the interception right to the ISP.

Children's Privacy

The collection of personal data from children is one area where the United States has already enacted legislation. The Child Online Privacy Protection Act (COPPA) was signed into law in 1998. It provides that web sites cannot collect information from children under the age of 13 without first obtaining parental consent. The difficulty has been that no one is quite sure how a web site should go about collecting such consent. Children's advocates want the FTC to require web sites to get written permission on paper before collecting data from children 12 and under. Other groups want schools to become digital signature certificate authorities that can verify children's and guardians' identities online. The signature would include pre-clearance on what information can be collected from a child, what cannot, and how to contact a guardian. Other groups fear that either of these solutions would be too burdensome and costly and urge that a type of notice and opt-out system be adopted.

In any case, in October 1999, the FTC issued rules to take effect on April 21, 2000, that implement the requirements of the COPPA. While observers generally lauded the rules, several issues remain unsettled. For example, it is not always clear what type of parental consent must be obtained for different date collection activities. For now, the rules adopt a sliding scale of consent (e. g., unauthenticated parental e-mail at the low end, or hard-copy written permission at the high end). These rules will be reassessed in two years to take account of users' experiences and developing technology.

Personally, I don't think people should even attempt to collect any information from children at all-- children often have no sense of privacy, of the risks involved, and of what is appropriate. The parents are the ones who are going to have to buy whatever it is that the web site is trying to sell, so why not just stick with the parents? I don't like child-oriented television advertisements, either, but that is another subject.

Legislation has also been introduced to further modify the COPPA to require special parental consent before any primary or secondary student could obtain school-based Internet service from an ISP or other Internet-based service provider who collects information from students in personally identifiable or aggregate form. Although this legislation did not go anywhere in 1999, which is why I am not even providing a title or number for the bill, it is likely that similar legislation will be reintroduced in 2000 or in later years. This type of proposed legislation would extend the COPPA's coverage to any student as old as 18 years of age, and would cover aggregate information. At the very least, such legislation would require written consents from the parents of all students participating in existing school-based Internet access programs and expand the notice obligations for ISPs. It could also establish a dangerous precedent that the collection of aggregate information from minors, including for network management purposes, requires parental consent.


While there is no federal right to control your publicity, a number of states-- such as New York, California, and Florida, where lots of celebrities live-- have enacted right of publicity laws in their states. Typically, these laws are designed to protect a famous person's name, voice, likeness, or persona from being impersonated or otherwise used for commercial purposes without their consent. Actress Hedy Lamarr, for example, filed a suit against Corel Corporation in Florida for use of her image in a photograph that appeared on a CD-ROM. But even ordinary citizens have learned to take advantage of these laws. A California woman, who is not famous, filed a similar suit against Corel for use of her photograph on a CD-ROM and on its Internet site in violation of the state's right of publicity statute. It isn't likely that a right of publicity claim against a customer for whom you provide access or web hosting services will get you in trouble. You may nonetheless be subject to a subpoena seeking facts about your service provision or you may be subject to injunctive orders requiring you to remove offending material.

On the other hand, if we are talking about your own web site, you need to be very careful about posting pictures of anyone who has not provided you with a release or a license-- and don't rely on a photographer's assurances. Unless the photographer is willing to sign a contract agreeing to indemnify you in case you get sued (make sure the photographer can actually make good on any such promise) or you get insurance to cover your use, as will be discussed subsequently, you need to take care of this matter yourself. Stick with cute pictures of dogs, cats, and inanimate objects.


False statements about somebody that are spoken are considered to be slanderous. When those same statements are written down, such as on a web site, in a chat room, or in e-mail, they are called libelous. When a libelous statement hurts the reputation or image of a person or company, it is considered to be defamatory. Related actions in unfair competition, trade disparagement, and a variety of other claims can likewise spring from such matters. Back in 1995, a lawsuit was brought by Stratton Oakmont, Inc., against someone who accused the company of fraud stemming from one of its initial public offerings. This accusation was published on an electronic bulletin board operated by Prodigy. In this case, the court ultimately ruled that Prodigy acted as the publisher of the information posted on its bulletin board and that, as a publisher, Prodigy should be liable for any resulting libel or defamation. Prodigy was found to be the publisher because it exercised editorial control, like the editor of a newspaper, over the posting to its site to make its service family friendly. This decision led to the rapid disappearance of most moderated boards, chat rooms, and message services.

Section 230 of the Communications Decency Act, which was partially ruled to be unconstitutional (but only partially), and which I will discuss in some detail, solves this problem in the United States. Section 230 says that information service providers are immune from liability as a publisher, where the ISP has only published the information from a third-party information content provider. AOL has successfully used this provision of the CDA in its defense in a number of defamation and libel suits brought against it, resulting from acts by its customers. Avery different rule appears to exist in England. Under the Defamation Act, exercising editorial control of posted information may subject an ISP to liability as a publisher or editor, thereby depriving the ISP of a defense. While there is a defense known as the innocent dissemination defense, that defense is available only to parties that have acted reasonably and have no reason to believe that they have done anything to cause or contribute to the publication of a defamatory statement. In a U. K. suit brought against Demon Internet Limited, an English ISP, an unknown U. S. member of a Usenet newsgroup carried by Demon had posted an allegedly defamatory message, which Demon refused to remove when so requested. The court ruled that Demon had published the information, and since it acted unreasonably in refusing to remove the material, especially once it knew something about it, it could not avail itself of the defense. Demon has decided to appeal this case.

The plaintiff in the Demon case has apparently also won defamation suits in Australia and New Zealand, but I don't know if ISPs were involved in such decisions. Perhaps they responded in a faster manner than did Demon. In Singapore, the National Kidney Foundation has sought a court order requiring ISPs in Singapore to disclose the names of those who circulated a defamatory e-mail. The e-mail was originally sent to 48 people, and although the party that originally posted it apologized and agreed to pay damages, the foundation wants to track down all copies of the message and is going after those 48 people and the ISPs to do it. Similarly, U. S. courts have been issuing subpoenas requiring ISPs to reveal the names of customers who posted allegedly defaming and disparaging messages on message boards. Since a number of Internet services such as AOL and Yahoo! allow people to post anonymously, and the IP addresses of their messages cannot be traced back past the ISP hosting the service, the defamed parties are finding that they have to try to get the names from the ISPs. Most ISPs, however, refuse such requests because of customer confidentiality concerns. But most ISPs have provisions in their acceptable use policies that allow them to reveal such information in response to court orders, and that is exactly what has been happening.

Indecency versus Obscenity

In response to reports of "dirty" pictures and books being mailed to troops in the field during the later part of the American Civil War, Congress passed a law making it illegal to send any "obscene book, pamphlet, picture, print, or other publication of vulgar and indecent character" through the U. S. mail. An expanded version of this law, known as the Comstock Law, also made it a crime to distribute lewd or lascivious publications or pictures. Words such as obscene, vulgar, indecent, and lewd have always been difficult to define because their definitions largely depend on each individual's subjective interpretation. Although some adults might claim to know such material when they see it, others are not so sure, and certainly what is obscene to some is not to others. Nevertheless, politicians and courts have struggled to define such words as best they could, often on the basis of the perceived need to protect children. Early tests for obscenity centered on whether the material in question tended to corrupt the morals of a young or immature mind. In this context, neither the intended audience nor the overall artistic merit of the material mattered.

This began to change, however, in 1922 after the publication of James Joyce's Ulysses. When copies of the book were seized, the publisher, Random House, successfully sued the U. S. government in a decision that created a new standard: Publications must be considered in their entirety. If such publications have artistic or literary merit when taken as a whole, they cannot be entirely banned on the basis of isolated pictures or passages that might be offensive to some. Thus, the test moved away from being based on the sensitivities of the most vulnerable to those of the average. This basic principle has been expanded over time, at least in the United States under the protections of the First Amendment to the Constitution, to include all ideas that have even the slightest redeeming social importance, whether they are unorthodox, controversial, or perhaps even hateful to the prevailing climate of opinion. With respect to certain types of pornographic material, however, the measure of prevailing opinion has to be determined by applying the standards of the community in which such material is distributed. Under this test, it is possible for the same material to be considered unacceptable in a conservative town and acceptable in a larger, more diverse community such as New York City.

The Basic Test for Obscenity

So how do you determine whether something really is illegal? First off, most people remember the community standard language and generally recognize it as the test for obscenity, but there is more. You must also remember to apply the aforementioned socially redeeming importance test and view the work as a whole, and analyze the wording of the laws of the state in which the alleged crime was committed. While the Supreme Court did attempt to establish a general definition that could be used in this regard in a case called Miller v. California in 1973, you will see that it didn't really help that much. In Miller, the Court stated that material is obscene, and therefore unprotected by the Constitution, if:

1. The average person, applying contemporary community standards, would find the materials, taken as a whole, to arouse immoral lustful desire, that is, prurient interest.
2. The materials depict or describe, in a patently offensive way, sexual conduct specifically prohibited by applicable state law.
3. The work, taken as a whole, lacks serious literary, artistic, political, or social value.

Since this is a rather complicated definition, it is best to try to parse it by asking a number of questions regarding the material:

1. Is it designed to be sexually arousing?
2. Is it arousing in a way that one's local community would consider unhealthy or immoral?
3. Does it depict acts whose descriptions are specifically prohibited by state law?
4. Does the work, when taken as a whole, lack significant literary, artistic, scientific, or social value?

Application of the Obscenity Test to the Internet

Since 1973, this has been the prevailing standard in the United States, and still is, but the introduction of the Internet and its widespread use for the distribution pornographichic material have served to further complicate matters. For example, in 1994 federal prosecutors succeeded in obtaining a conviction against a California couple on 11 counts of transmitting obscenity through interstate phone lines because a computer bulletin board they operated made sexually explicit pictures available to subscribers in Tennessee. Despite the fact that similar material was freely available in California and was not considered obscene in that state, the court ruled that the community in which the material was made available should be used to determine the standard that should be applied. Prosecutors picked Tennessee, of course, because Tennessee had a generally conservative populace and therefore had correspondingly rigid community standards. In the context of the Internet, which inherently recognizes no geographic boundaries, this meant that the lowest common denominator-- that is, the most conservative standard-- had to be applied to everything, thereby making almost any pornographic material on the Net illegal.

The Communications Decency Act

Against this backdrop, in 1996 the United States decided to see what it could do to further define obscene material and to take it a step further and attempt to define what Congress viewed as indecent communications. Since Congress was moving toward the adoption of an overhaul of the Communications Act of 1934, it decided to include a number of additional laws as part of the Telecommunications Act of 1996 to deal with this issue. One of these laws was the Communications Decency Act (CDA), which has quite a few sections, only some of which are relevant to this discussion.

The Telecommunications Act of 1996 was not the best vehicle for this endeavor. Due to political desires and intense lobbying by a vast array of interested parties, it is extremely ambiguous in parts and generally poorly drafted. In addition to doing a less than adequate job of breaking open the local phone markets in the United States to competition and failing to provide any definition for the term telecommunications device, the CDA included two particularly controversial provisions that illustrate the poor drafting. One provision made it a crime to use a telecommunications device to make an obscene or indecent communication to a minor, knowing that person to be a minor. The other provision made it a crime to use an interactive computer service to "knowingly . . . display in a manner available" to anyone under 18 a communication that "in context, depicts or describes, in terms patently offensive as measured by contemporary community standards, sexual or excretory activities or organs, regardless of whether the user placed the call or initiated the communication." As soon as the CDA was signed into law, it was attacked on constitutional grounds.

The first provision of the CDA, dealing with obscene or indecent communications, was struck down because, even though obscene material is not protected, indecent material is, in most cases. This means that the CDA was struck down only with respect to indecency, not obscenity. Many people believe that the CDA was struck down as a whole, but it was not-- just the parts that dealt with indecency or did a bad job of defining obscenity. So what is indecent? One definition, provided by the FCC and generally described by comedian George Carlin as the "seven dirty words," can be interpreted to include just about anything that offends someone's sensibilities without rising to the level of obscenity. The only kind of indecent material or speech that can be controlled by the government (again, only with respect to the United States) is indecent speech that is included in certain types of pervasive broadcasts. And this is only the case because of the possible exposure of the material to children. Hence, private cable channels fall under different rules, as do certain types of late-night broadcast. Keep in mind, children are a special case in all regards, as well they should be, and I will discuss the unique rules that apply to them shortly.

The second provision also got into trouble, as I suggested, for doing a bad job of defining obscenity or, rather, attempting to redefine obscenity. As already described, the second provision leaves out a number of the components of the obscenity test constructed by the Supreme Court and attempts to add in an odd mixture of what can best be described as indecency language. Civil liberty groups pointed out that the language, "display in a manner available," was too vague and that the community standards analysis, such as applied in the aforementioned Tennessee case, should not be applied to the Internet. ISPs joined in condemning this portion of the CDA because the breadth of the language implicated every party, including ISPs and browser makers, involved in the display of something illegal. While the statute did say "knowingly . . . displays" to a minor, it only specified the intent to display the material, not the intent to make it available to a minor. Hence, whether someone intended a minor to see it or not, it was illegal if you intended for it to be displayed and a minor happened to see it. Since ISPs and browser makers intend for almost everything they transmit or enable to be displayed in some way or another, they were potentially liable for everything. The Supreme Court agreed and struck down this provision of the CDA as unconstitutional because it was overly broad (violating the First Amendment) and vague (violating the due process requirements of the Fifth Amendment). Because the provision was struck down in whole, the Court did not address the issue of whether community standards apply to the Net, but the general belief is that at least that portion of the obscenity test will eventually be restructured.

Finally, the CDA also included an additional provision directed to obscene communications, such as e-mail and bulletin board postings, that are made with the intent to annoy. The Supreme Court has upheld this provision, so such communications can be repressed without violating the Constitution. This law can actually come in handy for ISPs in the fight against spammers (which I will discuss in the next section)-- especially those that send spam with embedded links to pornographic sites that might also include obscene materials.

Special Laws Relating to Children

Although disappointed with the Supreme Court's quick repudiation of major portions of the CDA, Congress was not deterred by the CDA's self-destruction and quickly passed the Child Online Protection Act (COPA). The COPA is generally referred to as CDA II because it was Congress's second attempt at regulating the decency of communications. The COPA sought to make it a crime for commercial web sites to give minors access to harmful material, which is defined as any sexually explicit communication that lacks "serious literary, artistic, political, or scientific value." Violators of this law would face fines of up to $50,000 and prison terms of up to six months, per offense. This law was narrower than the CDA in a number of respects. First, it applied only to the World Wide Web (not e-mail and not news-groups) and it applied only to "commercial" web sites. Second, after ISPs had been scared into action by the CDA, they made sure that it included provisions that exempted ISPs for simply transmitting or hosting material. Third, the knowledge standard was reconstructed to make it more specific-- that is, less broad-- and therefore, hopefully, more likely to pass constitutional muster. The new phrasing used the language "knowingly and with knowledge of the character" of the communication. Finally, the standard was limited only to material that was "harmful to minors."

The COPA was immediately attacked as unconstitutional and, like the CDA before it, a federal district court issued a preliminary injunction against enactment of part of the law. The injunction was based on a finding that the language of the act was still too vague and too broad because it could be interpreted to include indecent, rather than just obscene, material. This decision was promptly appealed to the Third Circuit Court of Appeals and, although the court has not yet issued its opinion on the matter, it appears pretty clear that the injunction will be upheld. In particular, during oral argument, one judge asked, "Isn't the answer here to empower parents [with filtering technology] to protect their children from [Internet smut]?" As with the CDA, only a portion of the COPA was attacked and therefore ruled on. This decision did not enjoin the provision in the COPA that requires ISPs to inform their subscribers about the availability of screening software to help subscribers filter out material that offends them in some way. I will remind you of this requirement in Chapter 5, but keep in mind that this is where it comes from.

Obscenity Rules Need Not Apply

I previously stated that when it comes to child pornography, the rules that apply to obscenity tend to go out the window. Although this statement would not be readily apparent within the context of the COPA, keep in mind that the COPA did not deal with child pornography; rather, it attempted to address the issue of communicating "harmful material" to minors. The sexual exploitation of minors is addressed in a variety of federal child porn statutes, such as 18 U. S. C. 2252. This statute outlaws knowingly transporting, shipping, receiving, or distributing via interstate or foreign commerce by any means, including by computer or mail, any visual depiction involving the use of a minor engaging in sexually explicit conduct and any visual depiction of such conduct. Violators can be fined up to $250,000 and imprisoned for up to 15 years. Such statutes do not address the issue of whether the material in question is "obscene," whether a community standard applies, or whether "serious" artistic value is a consideration. These statutes are not concerned with issues of "expression." Child pornography is constitutionally unprotected speech, so these laws are designed to promote the protection of children by attempting to destroy any potential market that could exist for the child pornography materials.

It is important, however, to recognize what is considered to be child pornography and what is not. First, the federal statutes are limited to visual depictions, not text, although this is not the case in some states. Second, material that depicts child sex, but does not use a child, does not qualify as child pornography. Hence, textual depictions of such activity, such as may be found in the most disgustingly offensive news-groups on Usenet, are not considered to be child pornography and are therefore subject to the normal protections of the First Amendment. If a newsgroup posting or any other textual depiction, such as Nabokov's novel Lolita, included a visual depiction, however, the harsher standard applies, regardless of the textual content.

Child Porn Is Child Porn, Animated or Not

So what is a visual depiction? So far, courts have found that computer-generated or computer-altered material that appears to be child pornography, but did not actually involve the sexual use of a real child, is not considered to be child pornography. Whether this makes any sense depends on your perspective. Technically, the statutes were intended to prevent children from being harmed, so if no child was used, then no child was harmed. I disagree with this perspective. It is almost impossible to distinguish between certain types of computer-generated or altered images and real images. If computer-aided child pornographic material is readily made available to the depraved souls who are attracted to such material, that is only likely to lead to further depravation, which can eventually lead to harm to real children. It is generally accepted that children who have been sexually abused often end up as emotionally troubled adults, which can lead to many other problems for the abuse victims as well as for the society within which they live. We should be doing what we reasonably can do to prevent even one child from being subjected to abuse (not just sexually oriented abuse), and if that means not protecting computer-generated child pornography, then so be it.

I say that we should do what we reasonably can do because there is a limit to how much responsibility should lie on the shoulders of the various entities participating in utilization of the Internet. For example, a residential Internet access customer recently asked her ISP to prevent pornographic messages from being delivered to her child's Hotmail account. Since Hotmail is a web site-based e-mail service, all e-mail messages delivered to a Hotmail account are first delivered to the Hotmail server and then transferred to the Hotmail account as standard data packets. Even though the ISP may provide access to the customer, the ISP is not providing an e-mail server and isn't even delivering mail that conforms to e-mail protocols. As such, there is nothing the ISP can do, other than recommend that the customer set up an e-mail account with the ISP and employ filtering software to filter out potentially offensive messages. Whether Microsoft's Hotmail service should have some obligation in this regard is a different matter.

Protection of Children from Sexual Predators Act

The Protection of Children from Sexual Predators Act of 1998 (PCSPA) requires ISPs to report incidents of child pornography to the appropriate federal agency. In this case, ISPs are defined as providers of an electronic communication service or a remote computing service to the public, through a facility or means of interstate or foreign commerce. These terms are taken from other laws and include pretty much anything any type of ISP does. Also, for the purpose of the PCSPA, child pornography is defined by sections 2251, 2251A, 2252, 2252A, and 2260 of title 18 of the U. S. Code.

For the most part, child pornography is any actual nude photo or image of a child that is not clearly innocent (such as a baby's bath picture) or clearly artistic. No image that depicts a nude child in a seductive way or engaged in a sexual act will be considered to be innocent or artistic-- no matter how famous the artist. Generally, you recognize most child pornography when you see it, but some situations can be difficult to judge. I discuss the specific requirements of complying with the PCSPA in Chapter 5.

Under the PCSPA, electronic communication service and remote computer service providers who "obtain knowledge of facts or circumstances from which a violation of child pornography laws is apparent" (this is the same knowledge standard used in the DMCA) are required to report it to federal authorities. Monitoring is specifically not required, but a failure to report any child pornography that is found can result in fines from $50,000 (first time) to $100,000 (subsequent times).

Child pornography laws previously tried to hedge against the possibility of destroying someone's life as the result of a single incident of the inadvertent possession of child pornography. These laws made reference to "3 or more" images. The PCSPA modified existing child porn laws to add a so-called zero tolerance provision. Now, the possession of one or more pieces of child pornography can result in a fine or a prison sentence. The PCSPA did, however, add a new affirmative defense for possession of one or more images if you tried promptly and in good faith to destroy the images or report the pornography to law enforcement. Although the zero tolerance program may be well intentioned, I am concerned that it goes too far-- even though I am a strongly opposed to child pornography.

Most residential Internet users have little knowledge of how browser software operates and how downloaded images are stored in their computers. Many users who accidentally access child pornographic images on the Internet do not realize that many of those images are automatically stored in their computers, for example, in the Cache file used by Netscape Navigator or the Temporary Internet file use by Microsoft Explorer. If law enforcement officials thereafter had some reason to look at their computers, they could find these images and the users would have no choice but to attempt to rely on the aforementioned affirmative defense. Granted, law enforcement officers aren't running around with subpoenas demanding access to most people's computers, so this scenario may not be played out very often, but it would be wrong to see a single innocent person wrongly charged with this type of crime.

Other Action around the World

The federal government in the United States, of course, is not the only government attempting to regulate visual or textual pornography. A number of states, including New Mexico, Virginia, and Michigan, have passed laws that prohibit exposing minors to harmful material via the Net or providing minors access to indecent online material. The New Mexico law has been judged to be unconstitutional. Legislation has been passed or is in the process of being approved in the United States and within the European Union to require ISPs to notify authorities if they encounter child pornography on the Internet. A French court recently ordered Altern, a French company that provides free web hosting services, to pay an 80,000 Eurodollar penalty for not controlling the publication of illegal material stored on its servers. A Bavarian judge convicted Felix Somm, former manager of CompuServe Germany, for allowing pornographic material to be stored on CompuServe's computers in Germany. While Somm never did go to jail and, to the best of my knowledge, the verdict was never made final after significant international protest, this case was an early illustration of one danger involved in operating an Internet business. As it turns out, the legal position in Germany is not so bad. Germany has passed a number of laws that make it clear that server hosting does not oblige the ISP to control the content hosted unless the ISP has positive knowledge of illegal content (such as child pornography), in which case the ISP is obliged to act. In the Somm case, even though the prosecutor acknowledged to the judge once the case had started that Somm did not actually know of the illegal content, the judge simply couldn't understand how that was possible and found him guilty anyway.

In 1998, the Swedish parliament passed a new act to regulate electronic bulletin boards. The act not only applies to BBSs but also to most services providing information on the Internet, such as Web servers and Usenet news servers. This act is basically the Swedish version of the CDA in the United States. In accordance with the law, an ISP is responsible for illegal content, even if the illegal content was submitted by users of the ISP's service. This responsibility is limited to what is obviously illegal according to certain other acts, for example, racial agitation, child pornography, or copyright infringement. To fulfill the requirements of the law, the supplier must supervise the contents of the service. If checking every single message transmitted through the service proves to be too cumbersome, however, the ISP can handle the supervision through an abuse board, to which users can complain about illegal messages. An English translation of the act is available at the following URL: www. dsv .su. se/ jpalme/ society/ swedish-bbs-act. html.

Likewise, Singapore and Australia have recently adopted legislation that restricts pornography and other offensive content on the Internet. The complaint-based laws require ISPs to either offer filtered services with filtering software to customers or block illegal sites on unfiltered services when provided with a notice. Under the Australian law, for example, complaints filed with the Australian Broadcasting Authority (ABA) would be reviewed in accordance with a national classification system for online content, similar to that developed for television and magazines. The ABA would then issue take-down orders or warnings to ISPs that fail to take down illegal material and fail to take reasonable steps to prevent access, if technically feasible, to foreign sites hosting illegal content. The ABA would be able to levy a graduated series of fines against ISPs that ignore the ABA. The Australian law, which took effect on January 1, 2000, has been deeply criticized around the world. The president of the American Civil Liberties Union (ACLU) went so far as to portray the Australian government as the "global village idiot" for its adoption of this law. The ACLU doesn't need to travel far to find village idiots.

In the United States, a number of bureaucrats have been pushing for a bill that would require ISPs to provide computer software or other filtering or blocking systems that allow customers to prevent minors from accessing material on the Internet. Of course, material is not defined, although it is presumed to only include bad content, whatever that is. Since filtering software and other blocking systems are hardly foolproof, this type of legislation could cause ISPs to be liable for failing to prevent a minor from accessing material, notwithstanding the ISP's use of filtering technology. To make matters worse, this legislation might require the ISPs to offer filtering at cost or for free and might even require the ISPs to renegotiate the terms of service with each and every one of its existing customers.

Spamming, Cramming, Spoofing, and Trespassing

Other than the fact that some of the topics in this section rhyme with each other, you might be wondering how they relate. The first three-- spamming, cramming, and spoofing-- all have to do with unauthorized acts by a third party. As I will subsequently more fully describe, spamming is an unauthorized form of messaging, cramming is an unauthorized form of billing, and spoofing is an unauthorized form of identifying (actually, misidentifying) oneself. Trespassing sneaks into this group because this age-old form of property protection has emerged as one of the primary weapons against any unauthorized use of an ISP's network resources.


I will spare you the agony of reading another joke involving the word spam. While different parties define electronic spam in different ways, a fairly common definition includes "the unsolicited transmission of bulk e-mail and/ or the posting of off-topic messages to Usenet newsgroups or other Internet lists." One common spamming practice is to flood the Internet with messages to numerous Internet users who have not consented to receive such messages, regardless of whether the users actually dislike or complain about receiving such messages. The term spam was coined to analogously describe the spread of these less-than-desirable messages across the Internet. While many spam messages deal with themes such as pornography or get-rich-quick schemes, a message may be defined as spam regardless of its content. There is no such thing as benign or ethical spam just because the spam promotes a worthy cause.

Little has changed in terms of the impact and undesirability of spam, so most ISPs have adopted Acceptable Use Policies (AUPs). Among other things, AUPs typically ban spam from the ISP's network and give the ISP the ability to terminate a user's account when that user has been responsible for sending spam.

When ISPs have done a bad job of controlling spam on their networks, an anonymous group that tracks the flow of spam through public interconnection points will issue a death threat to the slack ISP. In the past, the death threat would warn the ISP to clean up its act or face a denial-of-service or black-holing attack by the members of this group. A denial-of-service attack can take many forms, but a common technique is to send massive numbers of messages to an ISP that require the ISP to take some action in response to these messages. The processing of these messages, which are sent over and over again for a period of hours and even days, prevents the ISP from being able to process any other traffic, thereby denying the ISP the ability to provide any other service. A black-holing attack involves the blocking of e-mail or net news contributions from the ISP that fails to police spam. While I do not wish to condone vigilante justice such as this, these death threats have proven to be extremely effective deterrents to ISPs that thought they could make a quick buck by taking business from known spammers.

On the legislative front, a number of states have passed spam-related laws, but only with respect to activities occurring within those states. A number of spam bills have been introduced by the U. S. House and Senate, but each bill takes such a different approach to dealing with spam that no single bill has received much attention. The most recent bill to be introduced, by Representative Heather Wilson, is called the Unsolicited Electronic Mail Act of 1999. This bill would have the FCC create and maintain an opt-out list for anyone who does not want to be sent spam. The FCC would then be empowered to penalize those that send spam to anyone who has added their name to the list. The Direct Marketing Association (DMA) has already introduced an automated version of the same thing that allows anyone to access a web site and add their name to a do-not-spam list. Unfortunately, the DMA solution relies on reputabl e companies to sign up for the service and abide by its system. The worst spammers are not going to join the DMA.

Wilson's bill would also let ISPs opt out of transmitting spam, either on the sending or on the receiving end, and would let ISPs charge spammers to cover the cost of transmitting their spam. The bill would also criminalize the misidentification of a return address on a spam message (otherwise known as spoofing). In general, opt-out systems have drawn criticism by anti-spam groups, which favor an outright ban on spam. Others prefer an opt-in system, in which senders of spam cannot send a message to anyone not on the list.

Side Law: The Scourge of the Internet

MCI was actually the first ISP to announce a policy to ban spam on its network and to bar users of its Internet network services from sending spam. At the time, MCI's senior vice president for Internet architecture and engineering, Vint Cerf, stated that "[ s] pamming is the scourge of electronic-mail and newsgroups on the Internet. It can seriously interfere with the operation of public services, to say nothing of the effect it may have on any individual's e-mail system. Spammers are, in effect, taking resources away from users and service suppliers without authorization."


Cramming, as a concept, has been known in the telecommunications business for a number of years. Phone cramming occurs when an unscrupulous third-party company causes an unwanted service to be added to your phone bill. Phone companies introduced the concept of permitting third-party charges to be added to phone bills a number of years ago, to permit customers to consolidate charges from various interrelated providers such as psychic hot lines. This also permitted customers to hide certain types of charges that they didn't necessarily want someone else in their household to see on a regular charge card bill. Some fraudulent operators figured out that this enabled them to slip other charges onto phone bills without the phone company's knowing anything about the nature of the charge (and therefore without their being able to challenge it), and with the customer's being afraid to call the charge into question. As one would expect, this practice has made its way to the Internet as well.

The FTC has brought enforcement actions against a number of individuals and businesses for billing or debiting consumers' credit card accounts for unordered or fictitious Internet-related services. Charges of $19.95, a typical Internet service charge, from companies with names like Online Billing and Netfill would show up on individuals' cards and, unless these individuals looked closely, they might not recognize that the charges were not for their Internet service. When the individuals would call their credit card companies to investigate the charges, they would be told that the charges were for Internet services, adult services, or electronic bulletin board services. Some of these false charges were exposed, however, because the individuals so charged did not have Internet access and didn't even own computers. I have not seen an ISP actually pulled into one of these disputes yet, but I figure the likelihood of that occurring is not too far away.


Spoofing occurs when someone alters the header of a packet or e-mail message in such a way that the packet or message appears to have been sent by someone other than the actual sender. This is a particularly popular trick among spammers, who use this technique to redirect response traffic to someone else, thereby avoiding detection and the task of having to sort through all of the angry replies they get in return. I can imagine why a political dissident might want to remain untraceable and therefore may need the ability to put a false identifier on a packet or message without violating the law, but anonymity and spoofing are two very different things. At the same time, I know a number of innocent bystanders who have been hurt from having had their addresses used as spoofed addressed on many different types of messages. A student's address at Stanford University was spoofed on a violent, racist message distributed to users of the Stanford network. While the student was eventually cleared of any wrongdoing, he was nevertheless subject to detention and questioning, and probably still suffers from being wrongly accused of authoring the message. In another case, a legitimate business's address was used as the return address on some widely distributed spam. People responding to the spam flooded the business with so much e-mail, some of which threatened violence against the business and its owners, that it was forced to close down its operations for a period of time. Although it eventually brought suit against the spammer to attempt to recover its damages, it will never be made whole. Hence, the number of people who might need to spoof is greatly outweighed by the number of people who are being hurt by spoofing.

Typically, if an ISP's customer is performing one of these unauthorized acts, the ISP can terminate the customer's service for breach of contract, assuming the ISP's terms-of-service agreement or acceptable use policy states that spamming, cramming, spoofing, and many other acts are forbidden. Even where the ISP does not have appropriate terms of service in place, the ISP may still be able to terminate its service if the customer fails to follow common industry practices, i. e. netiquette. This latter situation arose in Canada, where an ISP did not specifically forbid spamming, but did require its customers to follow generally accepted rules of the Internet. When the ISP terminated a customer's service for distributing spam, the customer sued for breach of contract, but a Canadian court agreed with the ISP's argument that the customer had violated the netiquette of the Internet and denied the customer's claim.

The Reemergence of Trespassing Laws

The situation is different, however, where the spammers are not the ISP's actual customers and are just sending messages to the ISP's network end users. Although a healthy spread (oops-- sorry, I did say no jokes!) of anti-spam legislation either has been passed into law or is being considered, the most successful weapon against spam so far has been the good old trespassing laws. Trespassing laws have been used for years to seek damages and to obtain injunctions to prevent any reoccurrence, where one party has entered another party's property without authorization. Real property trespassing cases have been successful even where there has been no physical damage, on the theory that the trespass denied the owners of their undisturbed enjoyment of their land. Likewise, trespassing laws have been extended to the Internet because an ISP's network is like its real property and should be protected from unauthorized use by other parties even where there has been no physical damage. To strengthen their cases, however, ISPs generally allege that the actions of spammers have caused physical damages by overburdening the ISP's network or denying access to services by other parties.

The state of California is a good example of a local government's adoption of anti-spam legislation. If an ISP adopts an anti-spam policy (adoption is not required) and the ISP's network is located in California or is used to send spam to California residents, then the ISP can seek to recover damages. The ISP can seek the greater of its actual damages or civil damages of up to $50 per spam message, with a maximum of $25,000 per day. Similar legislation, the Can Spam Act of 1999 (seriously!), H. R. 2162, was introduced in the U. S. House of Representatives. This bill would permit ISPs to enforce their anti-spam rules by giving them the power to sue spammers who violate their spam policies. In Virginia, a new state law was passed that provides for prosecution of "fraudulent, unauthorized, or otherwise illegal" spam and that updates trespassing laws to include the use of an ISP's facilities without permission. The state of Washington has both anti-spam laws and anti-spoofing laws. Federal legislation was introduced that would prohibit the transmission of spam and spoofing, as well as the sale or distribution of a computer program that conceals routing information (with civil damages only). This measure was tied to a bill, the Internet Freedom Act of 1999, H. R. 1686, that attempted to introduce controversial changes to the cable access and broadband access laws, so it is not likely to be passed anytime soon. The politicians are onto spam, and since it is an act for the perpetrators of which few people have sympathy, you can expect to see many additional legislative efforts in the future.

Hyperlinking, Portals, and Framing

Try to imagine how the World Wide Web would operate without hyperlinking. Internet portal sites would probably not exist. Directory services would be extremely cumbersome to use. You would have to write down every URL that you wanted to use or cut and paste all of them into your browser. Even browsers would not operate the same way. Now imagine that hyperlinking existed, but providing a hyperlink made you potentially liable for any violation of the law that occurred at the linked web page. What if the web page to which you originally linked was legal, but subsequently became illegal? Would you then have an obligation to constantly recheck a linked page just to make sure it stayed legal? What if you could link to another site only if you first obtained the permission of the owner of that site, despite the fact that the site was otherwise open to the public?

Hyperlinking and Deep Linking

As far as I know, the hyperlinking issue first arose during the early stages of the DMCA negotiations. At that time, copyright holders still thought it was appropriate to hold ISPs liable for every copyright violation on the Net; they wanted to outlaw hyperlinking to an infringing site as well. The ISPs attacked this concept and argued that hyperlinking was so fundamental to the use of the World Wide Web that any attempt to regulate it would cause irreparable damage to the Internet. A compromise was eventually worked out, as described in Chapter 3, A Special Law for ISPs: The DMCA, which protects ISPs as long as they don't knowingly provide a link to infringing material and attempt to profit from doing so, but it was a long, hard-fought battle. Unfortunately, this was just the beginning of the hyperlinking issue. Hyperlinking issues appear in almost every piece of Internet-related legislation being considered around the world. For certain types of content, such as child pornography, the free-wheeling days of the past, which allowed Internet users to provide links to anything, are over.

A number of suits have also now been filed to prevent deep linking. A deep link is a hyperlink that takes a user to a specific web page deep within a web site, rather than to the home page for that site. Deep linking is an issue because certain web sites have been constructed to prevent users from getting to certain lower-level pages within their sites without first going through higher-level pages. If a lower-level page is access protected, this type of preventive measure can be enforced. Many web site operators, however, do not protect lower-level pages, thereby allowing anyone with a URL for a specific page (identified by directories, subdirectories, and a file name) not only to bypass the higher-level pages, but to bypass the access protection itself. Bypassing protection and pages in this fashion cuts down on traffic for advertisements on higher-level pages.

Other web site operators have worked out deep linking license agreements that permit licensees to provide such links and to advertise their ability to do so. For example, Ticketmaster Online allows sites like Yahoo! and Knight-Ridder to maintain deep links into the ticketmaster. com site, enabling them to link directly to a page selling tickets to a particular event. When Microsoft used the same deep links in its Sidewalk sites (which Microsoft has since sold to Citysearch) without an agreement with Ticketmaster, Microsoft was sued. This suit eventually settled without any legal decision (Microsoft agreed to stop deep linking to ticketmaster. com), so we don't know how the court would have ruled on the issue, but Ticketmaster has now filed a similar suit against Tickets. com. Since this issue is more fundamental to Tickets. com's business than it was to Microsoft's, this suit might actually go to trial and result in a decision. Keep your eyes peeled!


Portal sites, like Yahoo! or Excite, of course, have to be concerned about all of these issues because hyperlinking and especially deep linking are fundamental to their businesses. When the portal business was relatively new, there was general acknowledgment that it wasn't a good idea to develop rules that would affect these sites, but the fabulous success of these sites may be their single biggest problem. People have caught on to the fact that there is money to be made by controlling someone else's ability to link to a site, so as portal company stocks go up, the trepidation that initially existed about creating rules that negatively impacted portal sites will go down.


A frame is a small window, which may include text, pictures, links, and so on, within a larger browser window. Obviously, you can construct frames of your own information without consequence, and you can display other people's publicly available web sites (by creating a link to that site) on your screen in any size you desire. Constructing a web page with linked frames to other people's information can be a big problem. Since most web sites are copyrighted and a copyright includes the exclusive right to create derivative works, the linked framing of anything less than an entire page from another site (and possibly the entire site) could be considered the creation of a derivative work. When you frame someone else's information in such a way as to create confusion or to present their information as your information, you are probably going to get sued for copyright and trademark infringement, as well as for unfair trade practice violations.

Digital Signatures

A digital signature is a piece of data that is sent with an encoded message to uniquely identify the originator of that message and to verify that the message was not altered after it was sent. In November 1999, the U. S. House of Representatives passed H. R. 1714, the Electronic Signatures in Global and National Commerce Act (E-SIGN), followed by the passage of a similar bill in the Senate (S. 761). The differences between the two bills are to be worked out in a House-Senate conference, which will result in congressional passage (and likely presidential signature) and enactment sometime in 2000. The E-SIGN legislation will allow consumers and businesses to use electronic signatures, in the same way they use handwritten signatures, when engaged in online business transactions. This removes the legal uncertainties that have surrounded the status of electronic signatures and records.

To date, many states have enacted similar but somewhat differing laws. To resolve the confusion, all 50 states have been working on a Uniform Electronic Transactions Act (UETA), which is expected to be completed soon and offered to the 50 state legislatures for adoption. Until then, E-SIGN would preempt current state laws. At the urging of states and the Department of Commerce, an initial two-year deadline for states to enact their standard law was increased to four years. E-SIGN also directs the secretary of commerce to promote the principles of the legislation overseas (see the following discussion about a similar measure moving through the European Union). E-SIGN requires that the technologies used for signature authentication be technologically neutral; in other words, functionality requirements do not discriminate in favor of or against any particular technology or company. The primary difference between the House and Senate versions is that the Senate version confers legal validity on electronic signatures only for commercial transactions affecting interstate commerce.

The EU is also getting close to adopting the proposed Directive on a Common Framework for Electronic Signatures. This proposal was first made by the European Commission in 1998. It lays down minimum rules concerning security and liability, and ensures that digital signatures are legally recognized throughout the EU. It also provides minimum requirements on certification services, which can be offered without prior authorization, although member states are free to set up voluntary accreditation schemes for certification service providers. As will likely be the case in the United States, the EU Directive will probably adopt technical neutrality as a key principle.

Such legislation will also likely adopt the principle that the legal recognition of signatures be based on mutual recognition, rather than requiring a new, burdensome administrative procedure for some type of certification authority. In other words, the requirements for accreditation of a certificate authority should maintain appropriate levels of security, but should not set the standards so high as to require extensive governmental oversight or create artificial barriers to entry.

Importing/ Exporting of Software, Technology, and Content

Almost all countries have laws regulating what can be imported to and exported from each country. The United States, for example, attempts to regulate the import of certain types of products from other countries to prevent crop infection and domestic price erosion, or simply to economically repress other countries (for example, Cuban cigars and Iraqi oil). Likewise, the United States also attempts to regulate the export of certain types of products or information from the United States to other countries for national security reasons. The technology that can be imported or exported is specified in detailed regulations, but the rules are totally open when it comes to Canada and fairly loose when it comes to any NATO member country or another country with which the United States has close political ties. The rules are extremely strict when it comes to countries with which the United States has recently been at war (Iraq) or with which diplomatic relations are strained (China). Under these rules, some things simply cannot be exported, such as nuclear technology and certain levels of supercomputer technology. Most other things can be exported upon grant of an export license, depending on where they are going and why.

One of the most important things to keep in mind under these rules is that failure to get an appropriate export license could result in significant fines and prevent you from exporting anything to anybody for some period of time. One of my former employers failed to get an export license for some computers it shipped to a company that was a front for the government of a highly restricted country. Not only was this extremely costly, it was also embarrassing because the company was subjected to a congressional investigation and a lot of bad press. It is also important to realize what constitutes exporting. In the industrial age, exporting focused primarily on the shipment of physical products and maybe the exporting of manufacturing technology, so people still think of exporting as physically shipping something out of the country. Permitting a foreign national from a restricted country to tour your facility or work at your company is also considered to be an export.


Although the development of computers and the Internet has changed many things, these rules (in increasingly watered-down form) still exist. Hence, because virtually anyone in the world can tour your publicly available web site, it is not a good idea to put export-restricted information on that site or to otherwise export restricted technology or content from that site. This sounds fine, in general, until you consider the technology incorporated into Internet-related software or how certain types of Internet sites operate. For example, many different forms of software incorporate encryption technology that has long been on the list of highly restricted technologies. Since encryption technology can be used to protect the content of an electronic message, governments have been concerned that terrorists, criminals, and unfriendly government agents would use the technology to hide their activities from espionage agencies. Since the quality of the encryption is highly dependent on the bit length of the key used by the encryption software to encrypt a message, export regulations have largely focused on the bit length of the key.

Based on a study released by the Electronic Privacy Information Center, called Cryptography and Liberty 1999, relatively few countries have supported domestic or export controls on encryption. The United States was one of the few exceptions, and it has taken a huge effort to get the United States to back away from its position. Initial U. S. export regulations on key length were completely ineffective. First, the encryption technology they prevented U. S. citizens from exporting out of the United States was already freely available around the world. Second, exportable key lengths were so short that the underlying encryption software was not secure. Readily available computers, operating on their own or in a network, could easily decrypt messages encrypted with short keys. It obviously did little good to allow people to use and export insecure security software. While the battle raged over increasing the length of the key, alternative suggestions arose, such as key escrow and key recovery schemes. Typically, you could export encryption technology that used a key equal to or less than a certain bit length without restriction. If you wanted to export encryption technology with a longer key, you had to either escrow the keys with a trusted third party or government agency, or enable the government to extract the key when it deemed it necessary. ISPs, software companies, and civil libertarians have fought to reasonably loosen the export restrictions on encryption technology for many years.

Along with many other people, I have testified before Congress in response to a number of these schemes. In 1998, in response to yet another key recovery proposal, I started my testimony on behalf of MCI Communications by stating:

MCI believes that controls on the use of strong encryption, including key recovery systems, are contrary to the best interests of the American people for at least three reasons. Such controls could: (1) harm the ability of American businesses to compete with foreign companies for foreign and domestic customers; (2) undermine the enormous potential of the Internet, including global electronic commerce, to improve the lives of all Americans; and (3) violate the constitutional right to privacy and abrogate the protections of the 4th and 5th Amendments. In addition to these important considerations, there are a number of practical problems associated with key recovery systems that render them futile or even counterproductive.

Later in 1998 the United States became a signatory to the Wassenaar Agreement, a 33-nation pact on munitions that includes cryptography export controls. Although the Wassenaar Agreement was not binding on any nation that signed it (it is only a pact, not a treaty), it did influence the U. S. government to adopt a policy that permitted the export of 56-bit-length keys after a one-time review, without a key recovery requirement. While this was considered progress in the United States, the Wassenaar Agreement actually tightened restrictions on browsers, e-mail applications, and electronic commerce hardware and software in other countries. U. S. legislation then sought to have this policy extended to cover 64-bit-length keys, but anything less than 128 bits long was generally considered to be insecure by the industry. At the same time, Daniel Bernstein, who developed an encryption method while he was a doctoral candidate at the University of California, Berkeley, decided to challenge an export regulation that prevented him from posting his work on a web site so other scientists could review and comment on his work. This resulted in a 1999 decision by the Ninth Circuit Court of Appeals that export regulations on encryption source code were unconstitutional because they amounted to prior restraints on speech rights (source code is a form of speech) that violate the First Amendment.

Change Is in the Wind

As a result of all of this and the political importance of making the high-technology industry happy before the 2000 elections, the United States finally relaxed its controls on the export of encryption technology in late 1999 and further in 2000. The new policies allow U. S. firms, after a one-time review of their products, to sell encryption products without bit-length restrictions to customers in all but a handful of countries and certain foreign governments and military establishments. Although there is still considerable criticism of the policy and its one-time review requirement, especially by academics, the new policy could be a monumental step forward. The final rules can be found at www. eff. org/ pub/ Privacy/ ITAR_ export/ 1999_ export_ policy/ 19990916_ wh_ cryptopolicy_ pr. html.

Importing Banned Material

The latest import/ export controversy has nothing to do with cryptography and everything to do with a more fundamental aspect of Internet commerce. Through the use of a search engine, people around the world can locate information on almost anything they want, including many things I wish they couldn't find, such as hate literature and bomb-making instructions. And, just as the Internet allows farmers in poor countries to find drought-resistant grains, it also allows Germans to buy copies of Mein Kampf and other banned books from online book sellers such as Amazon. com and Barnesandnoble. com. The e-commerce merchants defend their actions by stating that their policy is to sell any book in print to any customer who wants to buy it and that it is up to the customer to figure out whether they are allowed to have such a book imported into their country. Plenty of precedents exist, however, for the principle that merchants shipping products into other jurisdictions are obligated to uphold the laws of the jurisdiction to which those products are being sent. As long as you don't operate a business or own any assets in the country into which you are shipping illegal goods, then these laws probably won't have a practical effect on you-- unless you just so happen to respect other people's cultures.

Gambling, Guns, Alcohol, and Money on the Internet

At long last, we reach the end of this chapter on the current laws that impact ISPs, but let me remind you that I have covered only the beginning of the regulated Internet. Assuredly, I have already failed to cover a number of the different laws that apply to ISPs, but I have tried to make up for this by stating on numerous occasions that almost any illegal act that can somehow be perpetrated on the Net will one day be regulated. However, many new laws, covering acts that are not presently illegal or regulated, will be regulated on the Net, and I have briefly outlined them here.


Gambling is legal in some communities such as Las Vegas (although regulated), but illegal in others such as Minnesota. Arguably, someone in Las Vegas should be able to gamble at an online casino operated in Nevada without violating any laws, and a Nevada casino should be able to advertise on its web site to attract such gamblers to that site. But what happens when the Minnesota resident sees the advertisement and places a bet on the web site?

Without a single bet being placed, this question is being tested in a lawsuit between the state of Minnesota and Wager Net, a private company that advertised its future gambling web site as a legal way to bet on sports from anywhere in the country. To further complicate matters, Wager Net advertises only from a web site based in Las Vegas, the gambling services are actually run by an operation based in Belize, where sports gambling operations are legal with the proper license. While this matter is pending, many other Internet-based casinos are up and running (more than 500 according to Interactive Gaming News) and taking money from anyone foolish enough to place a bet. In response, a number of states and countries have done nothing, others are considering regulating and licensing them, and a few have successfully prosecuted violators of existing or newly enacted antigambling laws. The state of Missouri obtained a guilty plea on a misdemeanor charge against a Pennsylvania resident for running an Internet gambling site that was available in Missouri. The state of New York even won a conviction against a company that tried to prevent New York residents from gambling on its site.

In the New York case, the company had built-in safeguards to prevent residents from states where gambling was illegal from placing bets on its system. An investigator in the New York Attorney General's office was able to bypass the safeguard by entering a valid Nevada address and checking a box that stated that the investigator was a resident of a state where gambling was legal. Hence, despite the company's efforts to not violate the law, the judge ruled that the efforts were insufficient because they could be readily bypassed and the provided information was not verified. This, of course, raises questions about how an Internet gambling site could ever take enough steps to prevent someone from gambling who was set on lying in order to get access to the cybercasino. Suggestions for how to verify customer-supplied information include checking credit card records, performing credit history reports, and running tracking software while the customer is online in an attempt to locate the server address the customer is using to access the Internet. This last suggestion isn't believed to be workable because many ISPs' operations prevent traces back to the actual server providing access.

All of this becomes meaningful to ISPs, even if they don't also operate gambling sites, because of recent legislative attempts to hold ISPs liable for allowing customers to operate gambling sites and because of a suit by a woman who lost a lot of money. I will deal with this woman's suit first. After losing more than $70,000 by placing bets at more the 50 different cybercasinos and being sued by her credit issuer for unpaid bills, the woman sued the bank and Visa and MasterCard for engaging in unfair business practices and aiding and abetting a crime by giving the cybercasinos merchant accounts to process bets. In early 1999, a California court refused to dismiss the suit on the grounds that doing so would deprive the woman of her right to address alleged violations of the law. Although she didn't sue her ISP or the ISP for the cybercasinos, a number of people have speculated that such possibilities were not too far-fetched.

The Internet Gambling Prohibition Act

Given the variance in state laws and enforcement efforts, especially with regard to New York, it is probably a good thing that the federal government is considering the passage of federal legislation regulating Internet gambling. In late 1999, the U. S. Senate passed the Internet Gambling Prohibition Act of 1999 (IGPA). The U. S. House of Representatives is working on an almost identical bill, so it is highly likely that legislation substantially similar to the IGPA will be passed by Congress and signed by the president. I will therefore treat the IGPA as though it is the current law of the land. Even if the House passes a different bill and a compromise between the two is required, you can be guaranteed that the difference will not be that significant-- there is a lot of political momentum behind such legislation.

Although the IGPA broadly prohibits online gambling and restricts online advertising, it also provides ISPs with limited immunities from both federal and state antigambling laws. The IGPA will not protect ISPs from unfair business practice suits or similar suits based on tort laws, such as in the aforementioned case from California.

As initially proposed, this legislation would have provided no protection for ISPs whose systems or services were used to operate or advertise any non-Internet gaming operations, even though such operations or advertisements might otherwise be entirely lawful in the state in which the gambling took place. This meant that an ISP could have been liable for violation of this law simply for hosting a state lottery web site or hosting a web site for the Las Vegas or Atlantic City Chamber of Commerce that contained hyperlinks to hotels with regular casino gambling. Luckily, as passed, the IGPA took a less aggressive approach.

The IGPA starts with a broad prohibition and then provides ISPs with protection from liability under certain circumstances. Thus, the IGPA makes it illegal to knowingly use the Internet or any interactive computer service to place, receive, or otherwise make a bet, or to send, receive, or invite information that would assist in the placement of a bet or wager. Violations of this law can result in fines of up to $20,000 and/ or up to four years in prison. Criminal proceedings under the IGPA can be initiated by state or federal law enforcement, or by the authority specified in accordance with a tribal-state compact negotiated under the Indian Gaming Regulatory Act, in cases that involve violations occurring on Indian land. A professional sports organization or amateur sports organization whose games, or the performances of whose athletes in such games, were alleged to have been the basis of a violation of IGPA may seek to enjoin violations of the IGPA through civil proceedings, but not against ISPs.

Conditional Immunity under the IGPA

Consistent with the basic model established by the DMCA, ISPs are not liable under the IGPA or any other provision of federal or state law prohibiting or regulating gambling or gambling-related activities when the ISPs are acting as mere conduits. In other words, an ISP is not liable if its facilities or services are used to transmit, route, or provide connections for gambling-related material or activity (including intermediate and temporary storage in the course of transmitting, routing, or providing connections), if:

  • The material or activity was initiated by or at the direction of another person.
  • The transmitting, routing, or provision of connections is carried out through an automatic process without selection of the material or activity by the ISP.
  • The ISP does not select the recipients of the material or activity, except as an automatic response to the request of another person.
  • The material or activity is transmitted through the system or network of the ISP without substantive modification of its content.

Likewise, an ISP is not liable for illegal gambling-related material or activity at an online site hosted by the ISP, or arising out of referring or linking users to such a site, if the material or activity was initiated by or at the direction of another person, unless the provider failed to expeditiously respond to an appropriate notice.

To be eligible under either immunity provision, the ISP must maintain and implement a written policy that requires the ISP to terminate the account of subscribers after receipt of an appropriate notice. Furthermore, the ISP cannot knowingly permit its servers to be used to engage in illegal gambling activities, with the specific intent that such servers be used for such purpose.

A notice can be sent by either state or federal law enforcement agencies acting within their authority and jurisdiction. (If you have any question about either of these two issues, seek legal advice.) An appropriate notice must:

  • Be in writing (paper or electronic)
  • Identify the material or activity that allegedly violates the IGPA, and allege that such material or activity violates the IGPA
  • Provide information reasonably sufficient to permit the ISP to locate and possibly block the material or activity
  • Be supplied to an agent of the ISP (as designated in accordance with the designation of agent provisions in the DMCA), if available
  • Provide information reasonably sufficient to permit the ISP to contact the agency that issued the notice, including the name of the agency and the name and telephone number of an individual to contact at the agency
  • Declare under penalty of perjury that the person submitting the notice is an official of the agency

Upon receipt of such a notice:

  • The ISP is obligated to expeditiously remove or disable access to the allegedly illegal material or activity residing at that online site.
  • If the ISP is not in control of the site in question, it must notify the agency that provided the notice that it was not the proper recipient of such notice, and upon receipt of a subpoena, cooperate with the agency to identify the person controlling the site.

Within 24 hours of issuing a notice to an ISP, the law enforcement agency can seek injunctive relief to prevent further use of the ISP's facilities or services by the alleged violator of the IGPA. Although this does not mean that an ISP's immunity is subject to a 24-hour response time, when the IGPA says expeditiously, it does mean fast. Hence, if you are not currently capable of responding to a notice within 24 hours, you need to be prepared to be subjected to injunctive actions by law enforcement agencies and possible liability for failure to respond quickly enough.

The two types of injunctive relief available to agencies for mere conduit activities are:

1. Restraining the ISP from providing access to an identified subscriber (by termination of the subscriber's account), if the court determines that there is probable cause to believe the subscriber has used such access to violate the IGPA.
2. Restraining the ISP from providing access by taking reasonable steps specified in the order to block access to a specific, identified, foreign online location.

Nobody is really sure what the term reasonable steps is supposed to mean. When this legislation was first introduced by Senator Kyl in 1998, a number of ISP representatives, including myself, met with him to explain that it wasn't possible for ISPs to block foreign sites. While Senator Kyl acknowledged this fact, he was unwilling to completely remove the language, so after a long series of exchanges, reasonable steps ended up being the agreed-upon text. In conjunction with the considerations that a court must take into account when structuring an order of injunctive relief (discussed in detail subsequently), this presumably means that a court will not order an ISP to shut down a circuit to a particular country just to block a particular site in that country. Of course, if there were other circuits into that country or other forms of access, the traffic would simply be routed around the blockage. This also presumably means that a court will not order an ISP to block all traffic from a specific, identified, foreign online location, by requiring the ISP to monitor for and block all Internet Protocol (IP) packets bearing a certain IP address. Not only would such a requirement have a severe impact on the performance of all affected routers or gateways, it would probably be an exercise in futility because the foreign site would only have to employ a stable and legal web site with hyperlinks that employ dynamic IP addressing to send users to the illegal site-- thereby avoiding the block.

The three types of injunctive relief available to agencies for hosting and linking activities are:

1. The same orders available for mere conduit activities.
2. Restraining the ISP from providing access to the material or activity at a particular site residing on a server operated or controlled by the ISP.
3. Such other injunctive relief as a court considers necessary to prevent or restrain access to specified material or activity prohibited by the IGPA and residing on a server operated or controlled by the ISP, that is least burdensome to the ISP among the forms of relief that are comparably effective for that purpose.

When considering any form of injunctive relief under the IGPA, as is also the case with injunctions under the DMCA, the court is required to consider:

  • Whether such an injunction, either alone or in combination with other such injunctions issued and currently operative, against the same ISP would significantly or unreasonably (taking into account the conduct of the ISP) burden either the ISP or the operation of the ISP's systems or networks
  • Whether implementation of such an injunction would be technically feasible and effective and would not materially interfere with access to lawful material at other online locations
  • Whether other less burdensome and comparably effective means of preventing or restraining access to the illegal material or activity are available
  • The magnitude of the harm likely to be suffered by the community if the injunction is not granted

To make sure that the court takes these considerations into account and does not order an ISP to take action in total ignorance of how Internet technologies work, an injunction cannot be ordered unless the ISP is first served with a notice of the intended action and is given an opportunity to appear before the court.

Advertising and Promotion of Non-Internet Gambling

Because, among other things, the IGPA prohibits the use of the Internet to invite information assisting in the placing of a bet or wager, the IGPA is considered to outlaw the advertising and promotion of illegal Internet gambling activities as well. But what about non-Internet gambling? Are banner advertisements linked to otherwise legal casino web sites legal? Is it okay to host the Las Vegas chamber of commerce?

The IGPA addresses the advertising and promotion of non-Internet gambling, which would include various physical casinos, because of the proliferation of gambling-related advertisements on the Internet and the possible liability of ISPs under other, preexisting, federal and state laws. Accordingly, the IGPA provides that ISPs are immune from liability under federal or state law prohibiting or regulating gambling or gambling-related activities or under any state law prohibiting or regulating advertising and promotional activities for:

  • Content provided by another that advertises or promotes non-Internet gambling activity that violates one of the aforementioned laws (unless the ISP is engaged in such a business), arising out of any mere conduit, hosting, or linking-related activities
  • Content provided by another that advertises or promotes non-Internet gambling activity that is lawful under federal law and the law of the state in which such gambling activity is conducted

This means that all of the linked banner advertisements by the Las Vegas casinos on your web site probably aren't going to subject you to immediate liability. Before you get too comfortable with that, though, there are some eligibility requirements that have to be met to qualify for such an immunity. To be eligible under the immunity provision, the ISP:

  • Must maintain and implement a written policy that requires the ISP to terminate the account of subscribers after receipt of an appropriate notice
  • Cannot knowingly permit its servers to be used to engage in illegal advertising or promotion of non-Internet gambling activities, with the specific intent that such servers be used for such purpose
  • Must offer residential access customers, at a reasonable cost, computer filtering or block software or another service that would enable customers to filter or block access by minors to online Internet gambling sites that violate the IGPA

The notice provisions and injunctive relief provisions applicable to non-Internet gambling advertising and promotion are basically the same as those already described. The filtering/ blocking provision is completely unrealistic (it is not technically feasible or economically reasonable) and probably will not withstand Constitutional scrutiny (i. e., it is too vague).

General Provisions of the IGPA

As long as an ISP takes an action in good faith to comply with a notice or a court order under the IGPA, the ISP is immune to claims for damages and penalties, forfeitures, and civil or criminal liability resulting from such actions.

ISPs are not obligated to monitor for material or uses of its service, so even if a court does order you to monitor for and block certain IP addresses, you might want to remind the court of this disclaimed obligation. ISPs are also not obligated to gain access to, remove, or disable access to material except in response to a notice or court order.

Subscribers who have had their accounts terminated are permitted to challenge the agency responsible for the termination action.

Exceptions of the IGPA

The broad provisions of the IGPA do not apply to certain types of gambling-related activities. These activities include:

  • Otherwise lawful bets related to lawful state and multistate lotteries, placed on a private network, at a terminal physically located within a open public facility
  • Otherwise lawful bets related to a legal live horse or dog race, placed on a closed-loop subscriber-based service, initiated from within a state that permits such activity
  • Otherwise lawful bets related to certain types of gaming activities at casinos operated on Indian lands


It is already illegal under federal law for either a dealer or an individual to simply ship a gun to a buyer after the receipt of payment. The weapon must first be shipped to a licensed gun dealer in the state where it is being purchased and then physically picked up by the buyer after a security check. So, although it is already technically illegal to purchase a firearm strictly over the Internet, this has not stopped people from buying and selling guns through message boards, web sites, and chat rooms. One Internet auction site (eBay) has already stopped the auctioning and sale of guns on its web site. Thus, the Internet Gun Trafficking Act was introduced in 1999 to tighten the regulations regarding the transfer of firearms over the Net. This act would require any seller of a firearm to get a federal license to sell firearms and for web site operators that host firearm sales to register their sites with the secretary of the treasury, which runs the Bureau of Alcohol, Tobacco and Firearms (ATF). Finally, the bill would require sites that resell guns to prohibit prospective buyers and sellers from contacting one another directly. All sales contacts would have to be made through a licensed broker.

This may seem to be a fairly extreme measure, but because I think private gun ownership should be highly regulated, it doesn't bother me. Moreover, since it is my understanding that the youths responsible for the Colorado Columbine High School slayings directly contacted an independent gun dealer through the Internet, who then illegally sold them at least one gun, a forced broker might have at least prevented them from obtaining more deadly weapons. It probably wouldn't have prevented their demented actions, but anything that would have made it harder for them to get the guns in the first place couldn't be that bad. As with other Internet activity-based legislation, ISPs should be prepared to deal with legislation that would require them to help law enforcement and not knowingly assist in the violation of any laws.


While there are a number of legitimate online pharmacies that sell only those prescriptions sent to them by licensed physicians and do not directly prescribe medications, regulators are actively targeting other sites and doctors that are prescribing medication without proper precautions. Since the prescription drug industry is already heavily regulated (and, yes, I know, it doesn't prevent people from getting illegal drugs), there is still a great deal of uncertainty about how to regulate Internet-based operations-- if at all. The state of Illinois has at least enacted legislation that permits state regulators to establish rules and regulations for Internet-based pharmacies doing business in Illinois, but it remains unclear whether this legislation was even necessary. Nevertheless, since interstate and foreign commerce are involved in most Internet-based operations, it is highly likely that federal legislation will be introduced on this issue as well in the near future.

In the meantime, at least one Internet-related drug law has already been passed by the U. S. Senate. A similar bill will be considered by the House in 2000. The Methamphetamine Anti-Proliferation Act of 1999 (MAA) includes a section on the advertising of drug paraphernalia and Schedule I controlled substances, such as methamphetamine. The MAA amended the Controlled Substances Act to include a provision making it illegal to directly or indirectly advertise for sale drug paraphernalia and certain controlled substances. Since this amendment potentially implicated ISPs for violations of the MAA and other antidrug laws by other persons, a provision was also added to give ISPs immunity under certain circumstances.

Under the MAA, an ISP is not liable, if it satisfies the conditions for eligibility, when its facilities or services are used by another to locate illegal online material, provided the ISP does not control or modify the material to which such a location tool refers or links. One condition is to comply with the notice-and-take-down procedures of the MAA. An ISP must remove or disable access to matter that violates the MAA within 48 hours (not including weekends and holidays) of receipt of an appropriate notice that describes a particular online site residing on a server controlled or operated by the ISP. The ISP must designate an agent for service of notices in accordance with the DMCA's designation of agent requirements. An appropriate notice must identify the matter, allege that such matter violates the MAA, and provide reasonably sufficient information to permit the ISP to locate the matter and sufficient information to permit the ISP to contact the federal official providing the notice. ISPs that fail to take down the material within the prescribed time period are deemed to have knowingly permitted their servers to be used to engage in illegal activity.

While the MAA generally does not apply to browser software, it does apply to the provision of browser software that provides matter consisting primarily of illegal material or that holds itself out to others as a source of, or directory for, or means of searching for illegal matter. I have never seen browser software that performs such a primary function, but then I've never searched for controlled substances using my browser. Maybe I'm missing something. The immunity provisions for ISPs in the MAA include similar limitations. An ISP that knowingly permits an online site on its server to be used to engage in activity that the ISP actually knows to be prohibited by the MAA will not be protected. Sites that hold themselves out as a source of or means of searching for matter prohibited by the MAA fall outside of the immunity provisions as well.


Alcohol sales, advertising, and use are other areas for which the regulations vary greatly from state to state, and country to country. A number of states, including California, have recently enacted legislation to require anyone selling alcoholic beverages online to verify the age and identity of any buyers when products are delivered.

Florida, Georgia, Kentucky, Tennessee, and North Carolina have gone one step further and made it a felony to ship alcoholic beverages directly to residents in their states. It has long been a misdemeanor (that carried only a small fine) to ship alcoholic beverages into these and other states. Upgrading this law to a felony puts the federal production permits of any brewer or vintner that breaks the law at risk. While the Twenty-first Amendment gives states the right to regulate the distribution of alcohol within their borders, federal legislation has also been introduced to give states access to federal courts to prosecute out-of-state alcohol shippers who break the laws. Hence, you won't even be able to hide behind your lack of personal jurisdiction in a state to avoid liability.

On the federal side, legislation will soon be enacted (different versions were passed by the House and Senate) that will prohibit Internet sales and interstate shipments of alcohol products in violation of state law (as previously noted). This legislation will provide state attorneys general with the authority to seek injunctions in federal courts to stop alcohol shipments that violate state laws. Injunctive relief will be available only against the entity shipping the alcohol in violation of applicable laws, not against communications companies used by third parties for advertising and other communications purposes. Since the Senate version did not contain clarifying language with respect to ISP liability, this is one of the differences that will have to be worked out in conference. Given the Senate's understanding of the need for ISP liability limitations, at this point, it is unlikely that this issue will present a significant hurdle in the way of resolution.

Money Laundering

Money laundering has been practiced through electronically controlled accounts for many years, so the introduction of money laundering to the Internet isn't much of a surprise. What is different about using the Internet for money laundering is that some Internet transmissions can be more readily traced after the fact than was possible with older technologies. Of course, money launderers are probably pretty savvy, so I wouldn't be surprised if they deployed many different types of tricks to fool anyone attempting to trace them.

Where things will get interesting is in the area of securities fraud on the Internet. Apparently, fraud artists are using the Internet for traditional investment frauds, such as stock price manipulation schemes. Again, it isn't clear that any new legislation will be required to deal with these issues solely with respect to the Internet, but as with everything else the temptation to do something is likely to be so high that some form of legislation should be expected.

And On and On

Aside from the fact that you might need to deal with each of the regulated areas discussed here, the broad range of subjects should illustrate an important point: that regulation of the Internet, in some way or another, is here to stay. Assuming that you have accepted this principle, it is now time to learn what you need to do-- or not, as the case may be-- to comply with many of these laws and regulations. Chapter 5 provides many answers.

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star


4 Star


3 Star


2 Star


1 Star


Your Rating:

Your Name: Create a Pen Name or

Barnes & Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation


  • - By submitting a review, you grant to Barnes & and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Terms of Use.
  • - Barnes & reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)