personally checks out, for fear that he could be accused of assistingin distributing viruses, trojans or pirated software; and so on.In this way, the most restrictive criminal laws that might apply to agiven on-line service (which could emanate, for instance, from onevery conservative state within the system's service area) could end uprestricting the activities of system operators all over the nation, ifthey happen to have a significant user base in that state.  Thisresults in less freedom for everyone in the network environment.2.  Federal vs. State Rights of Privacy.Few words have been spoken in the press about network privacy laws ineach of the fifty states (as opposed to federal laws).  However, whatthe privacy protection of the federal Electronic CommunicationsPrivacy Act ("ECPA") does not give you, state laws may.This was the theory of the recent Epson e-mail case.  An ex-employeeclaimed that Epson acted illegally in requiring her to monitor e-mailconversations of other employees.  She did not sue under the ECPA, butunder the California Penal Code section prohibiting employeesurveillance of employee conversations.The trial judge denied her claim.  In his view, the California lawonly applied to interceptions of oral telephone discussions, and notto visual communication on video display monitors.  Essentially, heheld that the California law had not caught up to modern technology -making this law apply to e-mail communications was a job for the statelegislature, not local judges.Beyond acknowledging that the California law was archaic and notapplicable to e-mail, we should understand that the Epson case takesplace in a special legal context - the workplace.  E-mail user rightsagainst workplace surveillance are undeniably important, but in ourlegal and political system they always must be "balanced" (ie.,weakened) against the right of the employer to run his shop his ownway.  Employers' rights may end up weighing more heavily againstworkers' rights for company e-mail systems than for voice telephoneconversations, at least for employers who use intra-company e-mailsystems as an essential backbone of their business.  Fortunately, thisparticular skewing factor does not apply to *public* communicationssystems.I believe that many more attempts to establish e-mail privacy understate laws are possible, and will be made in the future.  This is goodnews for privacy advocates, a growing and increasingly vocal groupthese days.It is mixed news, however, for operators of BBS's and other on-lineservices.  Most on-line service providers operate on an interstatebasis - all it takes to gain this status is a few calls from otherstates every now and then.  If state privacy laws apply to on-linesystems, then every BBS operator will be subject to the privacy lawsof every state in which one or more of his users are located!  Thiscan lead to confusion, and inability to set reasonable or predictablesystem privacy standards.It can also lead to the effect described above in the discussion ofcriminal liability.  On-line systems might be set up "defensively", tocope with the most restrictive privacy laws that might apply to them.This could result in declarations of *absolutely no privacy* on somesystems, and highly secure setups on others, depending on theindividual system operator's inclinations.3.   Pressure on Privacy Rights Created by Risks to Service Providers.There are two main kinds of legal risks faced by a system operator.First, the risk that the system operator himself will be foundcriminally guilty or civilly liable for being involved in illegalactivities on his system, leading to fines, jail, money damages,confiscation of system, criminal record, etc.Second, the risk of having his system confiscated, not because he didanything wrong, but because someone else did something suspicious onhis system.  As discussed above, a lot of criminal activity can takeplace on a system when the system operator isn't looking.  Inaddition, certain non-criminal activities on the system could lead tosystem confiscation, such copyright or trade secret infringement.This second kind of risk is very real.  It is exactly what happened toSteve Jackson Games last year.  Law enforcement agents seized Steve'scomputer (which ran a BBS), not because they thought he did anythingwrong, but because they were tracking an allegedly evil computerhacker group called the "Legion of Doom".  Apparently, they thoughtthe group "met" and conspired on his BBS.  A year later, much of thedust has cleared, and the Electronic Frontier Foundation is funding alawsuit against the federal agents who seized the system.Unfortunately, even if he wins the case Steve can't get back thebusiness he lost.  To this day, he still has not regained all of hispossessions that were seized by the authorities.For now, system operators do not have a great deal of control overgovernment or legal interference with their systems.  You can be asolid citizen and report every crime you suspect may be happeningusing your system.  Yet the chance remains that tonight, the feds willbe knocking on *your* door looking for an "evil hacker group" hidingin your BBS.This Keystone Kops style of "law enforcement" can turn systemoperators into surrogate law enforcement agents.  System operators whofear random system confiscation will be tempted to monitor privateactivities on their systems, intruding on the privacy of their users.Such intrusion can take different forms.  Some system operators maydeclare that there will be no private discussions, so they can reviewand inspect everything.  More hauntingly, system operators may indulgein surreptitious sampling of private e-mail, just to make sure noone's doing anything that will make the cops come in and haul awaytheir BBS computer systems (By the way, I personally don't advocateeither of these things).This situation can be viewed as a way for law enforcement agents to doan end run around the ECPA's bar on government interception ofelectronic messages.  What the agents can't intercept directly, theymight get through fearful system operators.  Even if you don't go forsuch conspiracy theories, the random risk of system confiscation putsgreat pressure on the privacy rights of on-line system users.4.   Contracts Versus Other Rights.Most, perhaps all, of the rights between system operators and systemusers can be modified by the basic service contract between them.  Forinstance, the federal ECPA gives on-line service users certain privacyrights.  It conspicuously falls short, however, by not protectingusers from privacy intrusions by the system operator himself.Through contract, the system operator and the user can in effectoverride the ECPA exception, and agree that the system operator willnot read private e-mail.  Some system operators may go the oppositedirection, and impose a contractual rule that users should not expectany privacy in their e-mail.Another example of the power of contracts in the on-line environmentoccurred recently on the Well, a national system based in SanFrancisco (and highly recommended to all those interested indiscussing on-line legal issues).  A Well user complained that amessage he had posted in one Well conference area had beencross-posted by other users to a different conference area without hispermission.A lengthy, lively discussion among Well users followed, debating theproblem.  One of the major benchmarks for this discussion was thebasic service agreement between the Well and its users.  And aproposed resolution of the issue was to clarify the wording of thatfundamental agreement.  Although "copyrights" were discussed, theagreement between the Well and its users was viewed as a moreimportant source of the legitimate rights and expectations of Wellusers.Your state and federal "rights" against other on-line players may notbe worth fighting over if you can get a contract giving you the rightsyou want.  In the long run, the contractual solution may be the bestway to set up a decent networked on-line system environment, exceptfor the old bogeyman of government intrusion (against whom we will allstill need our "rights", Constitutional and otherwise).CONCLUSIONThere are many different laws that system operators must heed inrunning their on-line services.  This can lead to restricting systemactivities under the most oppressive legal standards, and tounpredictable, system-wide interactions between the effects of thedifferent laws.The "net" result of this problem can be undue restrictions on theactivities of system operators and users alike.The answers to this problem are simple in concept, but not easy toexecute.  First, enact (or re-enact) all laws regarding electronicservices on a national level only, overriding individual state controlof system operators activities in cyberspace.  It's time to realizethat provincial state laws only hinder proper development ofinterstate electronic systems.As yet, there is little movement in enacting nationally effectivelaws.  Isolated instances include the Electronic CommunicationsPrivacy Act and the Computer Fraud and Abuse Act, which place federal"floors" beneath privacy protection and certain types of computercrime, respectively.  On the commercial side, the new Article 4A ofthe Uniform Commercial Code, which normalizes on-line commercialtransactions, is ready for adoption by the fifty states.Second, all laws regulating on-line systems must be carefully designedto interact well with other such laws.  The goal is to create awell-defined, reasonable legal environment for system operators andusers.The EFF is fighting hard on this front, especially in the areas offreedom of the press, rights of privacy, and rights against search andseizure for on-line systems.  Reducing government intrusion in theseareas will help free up cyberspace for bigger and better things.However, the fight is just beginning today._ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _Lance Rose is an attorney who works primarily in the fields ofcomputer and high technology law and intellectual property.  Hisclients include on-line publishers, electronic funds transfernetworks, data transmission services, individual system operators, andshareware authors and vendors.  He is currently revising SYSLAW, TheSysop's Legal Manual.  Lance is a partner in the New York City firm ofGreenspoon, Srager, Gaynin, Daichman & Marino, and can be reached byvoice at (212)888-6880, on the Well as "elrose", and on CompuServe at72230,2044.Copyright 1991 Lance RoseThe above article was originally published in Boardwatch, June, 1991