A cybersage speaks his mind
For a law professor specializing in the Internet, David Sorkin takes a pretty dim view of the current state of cyberlaw. In fact, he says, the law governing the offline world is probably equipped to handle most online disputes--including the controversy over spam.
An associate professor at the John Marshall Law School in Chicago, Sorkin in 1995 was one of the first academics to offer a course on cyberlaw.
But when it comes to legislating our way to Internet nirvana, Sorkin remains a skeptic. In fact, he says the law governing the offline world is equipped to handle most online disputes, and cautions that attempts to address Internet problems such as spam are only going to make matters worse.
While most legal academic careers hinge on legal publications far removed from a lay readership, Sorkin has devoted a considerable fraction of his publishing energies to the Web. His Spam Laws site is routinely cited as one of the most thorough online sources for up-to-date information on the subject. In a more subversive venture, his Don't Link to Us site has skewered what Sorkin terms "stupid linking policies" from sites as varied as Texas Instruments, Law.com and the American Cancer Society.
In an interview with CNET News.com, Sorkin laid out his views on the online legal landscape, including the future and advisability of laws regulating spam, linking, privacy and intellectual property.
Q: What is the most fertile area of the law today, with respect to the Internet?
A: I think it's a toss-up between privacy and intellectual property.
Privacy has always been kind of an offbeat area. Law schools mostly teach privacy law in bits and pieces within torts, criminal law, and constitutional law classes. A handful of activists have been talking about privacy for years, but the public and the media haven't paid much attention to them until recently.
I'm not quite sure why privacy now is in the public spotlight, but certainly the growth of the Internet and e-commerce has a lot to do with it. Intellectual property has also traditionally been viewed as a niche field, but most people in the legal profession have come to realize that intellectual property issues are so pervasive that everyone ought to have at least some general familiarity with the field. In that way I think it's following in the footsteps of tax law--there will always be specialists in these fields, but every lawyer engaged in commercial practice should be able to recognize and deal with tax and IP issues at a very basic level. Where is the best Internet-related law being written? Here? Abroad?
That's hard to say. It's easy to compare the European and U.S. approaches to privacy, because they are so different. Part of the difference is cultural--Europeans have a very different view of the roles of the private and public sectors, and the proper relationship between people and industry, than Americans do. That difference is reflected in the substance of our laws on privacy. In the United States, one of the most important criteria used to evaluate any proposed restriction on the collection and use of personal information by businesses is the effect that it will have on industry. In Europe that's at most secondary to the individual and societal rights that are affected.
Which approach do you think produces the better results?
I happen to think the best approach is a balance somewhere in the middle, but as business practices seem to get more and more invasive, I find myself leaning closer to the European approach, even though I'm normally quite wary of regulation.
But even if you think the Europeans have gone way too far in regulating private sector privacy, I think you have to admire the consistent and principled way in which they've done that. The principles of fair information practices have been around for decades, and most of them aren't even very controversial. For example, people ought to know which organizations have databases containing information about them, and they should have the right to challenge that information if it is inaccurate. Databases should be maintained in a secure manner. The European Data Protection Directive and related laws apply those principles across the board to government and industry regardless of the type of database or market sector.
But the U.S. has a sectoral approach. We have a specific law that governs credit reports, and another specific law that governs video-store rental records, and another one that governs education records, and so on. Some of our laws are pretty strong, but others aren't. Many industries aren't covered at all. And while some of the fair-information practices are incorporated in many of these laws, they're not implemented consistently. This isn't just a problem for individuals; it also increases the burdens imposed on businesses, and it makes it hard even to discuss the issues intelligently.
| Actually, most courts have done a decent job of learning the relevant technology needed to make decisions that involve the Internet. |
Sure. The U.S. Supreme Court got it pretty well in the CDA case, way back in 1997. Actually, most courts have done a decent job of learning the relevant technology needed to make decisions that involve the Internet. This may be a consequence of our adversary system--both sides generally have an incentive to educate the court and point out any misrepresentations that the other side may have made. This doesn't always work, but especially as a case goes up on appeal, one side or the other is likely to do a good job of educating the court. Most courts take their obligation to find the truth very seriously. How about grading the legislators as well?
Unfortunately, I don't think that many legislatures have been anywhere near as scrupulous in learning about technology before trying to make laws to govern it. Take a look at all of the different state spam laws to see what I mean. Only one state has a law that is anywhere near consistent with the practices commonly followed on the Internet--Delaware, where it is a crime to send unsolicited bulk commercial e-mail. The other state spam laws don't focus on the central technical problem with spam, but instead deal with the symptoms, like forging message headers or failing to honor opt-out requests, or with completely different issues, like pornography and other content-related issues. So where do you think spam law is headed? And what are the odds for passing a federal law? <="" p=""> More and more states are enacting laws related to spam, but as I've said, most of these laws don't do a very good job of focusing on the main problems that spam causes. One of the strongest objections to state laws was removed when appellate courts in California and Washington upheld those states' laws despite constitutional challenges. So I think we'll continue to see more states passing laws on spam.
One of the most recent state laws--an Ohio law that takes effect later this year--is interesting because it does seem to be based upon a better understanding of the technology than most of the other state laws. To summarize the Ohio law very loosely, it says that you can't send spam into an ISP's system if the ISP has an anti-spam policy posted on its Web site and the ISP's mail server tells you about that policy.
What are the odds of Congress passing a comprehensive anti-spam bill?I really don't know whether Congress will end up enacting a spam law. They've been considering various bills on the topic for more than five years, and contrary to what you'll often read in spam messages, none of these bills has been enacted. I certainly hope that none of the bills currently pending in Congress is enacted--all of them would do more harm than good. I do think that laws can and should be part of the solution to spam, but no law at all would be preferable to a really bad one. What has the experience with spam law taught us about the relevance of federalism in the Internet age? I'm referring to the complaints of spam litigants who say the existence of 26 different state laws makes prosecutions too difficult. Along the same lines, has the Internet been, or could it be, an impetus for more work in international law?
Of course it doesn't make sense to regulate a relatively borderless environment with laws that vary according to geography. I've never heard anyone argue that state laws are the ideal way to regulate spam or other online behavior. Would you ever consider them to be useful instruments?
In some instances, state laws can be useful as an experiment, to see what works and what doesn't--though I don't think that's a very good idea when the Internet is involved. In Washington and California, courts have rejected arguments that state spam laws violate the dormant Commerce Clause of the U.S. Constitution. In both cases, part of the reasoning behind that result is that the laws being challenged didn't really affect much legitimate activity anyway. So if a stronger state spam law were challenged on the same basis, it might end up being struck down. What are the odds of a transnational legal effort?
Of course it would make sense to harmonize legal approaches to spam internationally, though I don't think this is very likely to happen for a number of reasons. The Europeans view spam as a privacy and data-protection issue, while we think of it as a nuisance, a property offense, and increasingly, a threat to security. And we don't really even have anything resembling a consensus on how to deal with spam on a technical level, so I think it's asking way too much to reach agreement on the legal side.
I'm hopeful that we'll do better on the technical side, and maybe we will start moving toward some consensus on acceptable and unacceptable practices. That will put us in the right direction, at least, but I think the spam problem is going to get much worse before it starts getting better.
What about deep linking?What about it? I guess I don't understand why everyone is so concerned about it. It's an inherent part of the Web, in the same way that nouns and verbs are essential parts of speech. If you don't want people linking to or accessing certain content on your Web site, you can implement whatever rules you want to in the design or configuration of your site. But if you put content in a public place with its own published address, it's pointless to pretend that the address is a secret, and you shouldn't expect the legal system to enforce that ridiculous notion.
The same applies to "non deep" linking. What really surprised me when I started my "Don't Link to Us" site was how many companies insist that other sites ask permission before creating any links to them at all, not just deep links to specific pages.
What do you think was at the root of the issue?
Part of the problem may be intellectual property protectionism run amuck, but I place most of the blame on people who simply don't have any understanding of the Web and the Internet, or who are too lazy to do anything more than copying some other site's linking policy without even reading it. There is some real danger here from a policy perspective, if the legal system pays attention to these ridiculous linking policies--something that seems to have begun already in at least a few cases.
| If you put content in a public place with its own published address, it's pointless to pretend that the address is a secret, and you shouldn't expect the legal system to enforce that ridiculous notion. |
I'm not saying that an organization never has the right to restrict another organization's ability to link to its Web site. Two firms could enter into an agreement that permitted or prohibited such links, and the legal system ought to enforce such a contract unless there is a good reason not to. And there might be trade regulations that limit the ways in which companies can link to competitors' sites (as in Denmark, site of the recent Newsbooster linking dispute).
But I hope that courts don't get so confused about this that they start giving credence to restrictive linking policies outside those very narrow exceptions. That would certainly have a chilling effect on how people use the Web, just as spam now interferes with the utility of e-mail as an effective communications medium.
You're on an ICANN board. How has that experience influenced your view of the organization? How well do you think it's living up to its charter and goals, and do you agree with critics that ICANN is biased toward corporate interests?I'm not actually involved directly with ICANN--I'm a dispute-resolution panelist for two providers that are accredited by ICANN to resolve domain name disputes (WIPO and NAF). But I do have grave concerns about the job that ICANN has done thus far. It does seem to be biased in many ways, but more importantly it isn't open or accountable or stable, and has done little to earn the public's trust and much to lose that trust.
It's true that you can't please all of the people all of the time, but ICANN seems to have succeeded at doing just the opposite. I've had differences of opinion with other ICANN dispute-resolution panelists, but I've never felt that they weren't acting in good faith. Unfortunately, I can't say the same of ICANN itself.
| It's true that you can't please all of the people all of the time, but ICANN seems to have succeeded at doing just the opposite. |
That's a tough one. We shouldn't jump into decisions that will have long-term effects, and I'm concerned that this is happening in response to last year's terrorist attacks in many areas of the law, not just those related to national security or the Internet. A survey was just released that says nearly half of Americans now think the First Amendment goes too far in protecting freedom of speech. I hope we don't make long-term policy based upon that view. Fortunately it looks like the courts are critically examining some of the recent legislation that affects our constitutional rights. Are there any positives here?
It's hard to find a positive effect. The only one I can think of offhand is increased public and industry awareness of information security issues. We shouldn't rely on buggy applications and operating systems to run important applications--something that most of us do all the time. We have a long, long way to go in addressing pervasive security risks and vulnerabilities, but at least we're starting to pay attention to the problem. What law does the Internet really need?
I don't think that the Internet really needs much law--it's really just a question of figuring out how best to apply more general laws to the online environment. Even in the area of spam, where social pressure and technical measures thus far have failed, I don't think that the law has to treat the Internet as something completely different from the outside world. Should certain default rules be applied to different media?
It's true that we might want to apply different default rules to some media, such as "opt-in" for fax solicitations and "opt-out" for telemarketing, but the underlying principles are so similar that it doesn't really make sense to enact completely separate laws for each medium. The other problem with that approach is that it makes it much harder to keep up with new technology. We already have SMS spam and IM spam and targeted pop-ups and pop-unders--who knows what will come next?
