Best and Worst Internet Laws

[Preface: I’ve already overstayed my guest visit, but before I go, I want to say thanks to the Concurring Opinions team for the opportunity to blog here, and thanks to all of you for the great comments and stimulating dialogue. A complete index of my guest blog posts. Meanwhile, I’ll keep blogging on technology and marketing law at my main blog and on all other topics at my personal blog. Hope to see you there!]

Over the past dozen years, the lure of regulating the Internet has proven irresistible to legislators. For example, in the 109th Congress, almost 1,100 introduced bills referenced the word “Internet.” This legislative activity doesn’t always come to fruition. Still, in total, hundreds of Internet laws have been passed by Congress and the states. This body of work is now large enough that we can identify some winners and losers. So in the spirit of good fun, I offer an opinionated list of my personal votes for the best and worst Internet statutes in the United States.

Best Internet Laws

With my libertarian leanings, it should not be surprising that my list of good Internet laws is both brief and skewed towards laws that minimized the scope of Internet regulation.

#2: Internet Tax Freedom Act

Many people mistakenly think this law eliminated sales tax for purchases over the Internet. It didn’t (if you don’t pay sales tax, you owe use taxes on those purchases). Instead, the law placed a temporary moratorium on states enacting Internet access taxes or e-commerce-specific taxes. By freezing new taxes, the law forestalled a tax frenzy during the dot com boom. The current moratorium expires in November, but Congress is proposing to extend the law permanently (see the Permanent Internet Tax Freedom Act of 2007, S.156 & H.R. 743). To which, I say: amen!

#1: 47 USC 230

The law was enacted in 1996 (as part of the Communications Decency Act, discussed below) during the heyday of the cyberspace exceptionalism movement–about the same time as Barlow’s Declaration of Independence and Johnson/Post’s Internet self-governance article. Indeed, this law is one of the most conspicuous examples of setting different rules for physical space and cyberspace. In this case, the law provides websites and other intermediaries a near-absolute immunization from liability for their users’ content—even if offline publishers would be liable for publishing the exact same user content in dead trees.

It’s hard to overstate the importance of this law to the Internet’s evolution. Without this law, all Internet content probably would be subject to a notice-and-takedown regime like we have for copyright law (see discussion about the DMCA Online Safe Harbors below). If websites had to remove user content upon notice to avoid liability, they would act conservatively, quickly pulling down complained-about content without much fuss. So, any company unhappy with negative consumer comments could simply contact the web host, claim that the comments were defamatory (making the web host potentially liable for the content), and expect the web host to scramble to take down the user’s comment.

But in this takedown melee, only negative remarks would be targeted (there would be no legal grounds—or reason—to target positive comments). Thus, notice-and-takedown rules would result in “lopsided” databases where only positive opinions/commentary would remain, but many negative comments could be quickly excised. This would ruin the ability of the consumer opinion sites (e.g., eBay’s feedback forum, Amazon product reviews) to hold people and companies accountable for their choices. Indeed, by undermining the credibility of Internet content generally, a notice-and-takedown scheme could diminish the Internet’s vitality as a mainstream information resource.

47 USC 230 eliminates the notice-and-takedown option for people and companies trying to escape accountability. As a result, 47 USC 230 is a big part of the reason why the Internet has been such a massive success.

Effective but Questionable Internet Laws

Two additional laws are noteworthy for substantially accomplishing their intended goals, even though I can’t classify them as “good” because of their deficient policy rationales.

#2: No Electronic Theft Act (NET Act)

In 1997, Congress changed the basic paradigm for criminal copyright infringement. Previously, the law required that defendants had to infringe for the money. After the NET Act, infringers may be criminal even if their infringement was non-commercial.

The NET Act specifically targeted warez traders, a group of hobbyist infringers who aggregate and disseminate copyrighted works as trophies—by finding and publicly presenting a hard-to-get copyrighted work, the warez trader demonstrates his/her prowess as a trader and earns recognition from the community. Warez traders generally subscribe to the “information wants to be free” philosophy, so they never exchange copyrighted works for the money, but their trading can have adverse consequences for copyright owners.

There are many reasons why the NET Act is lousy policy, most importantly because it will not change warez traders’ behavior. Yet, it has given the DOJ an effective tool to nail warez traders, and a couple hundred warez traders have been busted using the law.

#1: Anti-Cybersquatting Consumer Protection Act

The 1990s saw a frenzy of domain name registrations, often involving the registration of domain names containing well-known trademarks by someone other than the trademark owner (a process called “cybersquatting”). Courts struggled to apply trademark law to this behavior, so trademark owners appealed to Congress for help. Congress initially hoped that ICANN would promulgate its own anti-cybersquatting administrative regulations (which ultimately became the UDRP). But ICANN took too long, and an impatient Congress enacted the ACPA.

The ACPA targeted cybersquatting, and in that respect the law has worked well. The classic 1990s cybersquatting “land-grab” registrations of [trademarkowner].[tld] have effectively dried up, and the few cases where a true cybersquatter has gone to court to defend against an ACPA claim generally have resulted in resounding victories for the trademark owner.

A silver lining of the ACPA: it contains an immunization of domain name registrars and registries that completely eliminated them as the targets of trademark owners. Prior to ACPA, domain name registrars (especially Network Solutions, the monopoly .com registrar for most of that time) had been sued repeatedly. Now, plaintiffs don’t even think about it.

However, the ACPA isn’t all good news. From a defense perspective, the ACPA has emerged as a tool to attack gripers and other critics. From a trademark owner’s perspective, the ACPA hasn’t curbed domain name parking, domain tasting and other AdSense-fueled sites all using trademarks or typographical versions of them. So no one is really happy with the law. Nevertheless, as a point solution to the cybersquatting problem, I think ACPA is fairly characterized as a solid success.

Worst Internet Laws

I want a little credit for finding 4 laws that I could say something good about. It wasn’t easy. In contrast, the list of bad laws is much longer, so I’ve limited myself to 10.

What makes a law “bad”? Unfortunately, there are many routes to ignominy, and mere legislative cluelessness isn’t sufficient. Some common themes: poor/ambiguous drafting, unintended consequences, justification bait-and-switch (publicly declaring that the law was designed to do X, when it was never likely to do so), and attempts to legislatively manufacture markets or change consumer behavior.

The dishonor roll:

#10: E-Sign

E-Sign generally says that online contracts won’t be denied enforcement simply because they are in electronic form rather than on paper. Superficially, this sounds positive because it stops courts from underenforcing electronic contracts or engaging in funky cyberspace exceptionalism. The problem? This law was completely unnecessary, as many states had already enacted the Uniform Electronic Transactions Act (UETA) before Congress passed the substantially identical E-Sign. Worse, E-Sign has a partial preemption clause that makes it difficult/impossible to figure out what state laws survived it. So E-Sign is a prime example of how Congress cannot resist the lure of Internet regulation—even if it adds no value (or even subtracts value) in the process.

#9: DMCA Online Safe Harbors

Another law that looks good on the surface, the law purports to provide safe harbors to protect online intermediaries from copyright infringement caused by other people. However, this law has at least two major flaws. First, it sets up a notice-and-takedown procedure which has led to significant abuse.

Second, and perhaps more importantly, the law only governs late 1990s technologies. It doesn’t contemplate P2P file sharing and other decentralized forms of communications. This technological dependency makes the safe harbor increasingly irrelevant as technology evolves. As a stark example, consider that the online safe harbors didn’t get mentioned–not a single reference!–in the most important online secondary infringement case to date, the Grokster Supreme Court opinion.

#8: Unlawful Internet Gambling Enforcement Act of 2006 (see the end of this file)

As I have said elsewhere, this law is “a flagship example of how special interest lobbying combined with legislative mumbling can produce an unreadable mess.” First, the law is written in unintelligible Congress-ese. Second, the law is pockmarked with special interest exceptions, clearly showing who has the best lobbyists. Third, and most importantly, Congress did not specify (in this law or elsewhere) what constitutes illegal Internet gambling, yet the law requires third party money sources to block the flow of money to illegal gambling operations. Thus, just like Kafka might write it, Congress deputizes private actors to block illegal activity without deciding for itself what constitutes illegal activity. The consequence is that banks and other money sources are going to curtail lots of legitimate activity to be on the safe side.

#7: DMCA Anti-Circumvention

There are lots of reasons not to like the DMCA anti-circumvention law. Most obviously, the law targets “bad” technology rather than bad behavior—a regulatory model that usually fails when technological innovation bypasses such restrictions, or worse, the restrictions inhibit the development of socially beneficial technology.

However, the anti-circumvention laws make this list principally because of their unintended consequences. The law was designed to bolster content protection technology: the purported justification was that content owners wouldn’t feel comfortable putting content online without content protection measures, and this law restricts the ability to bypass those measures.

As it turns out, the hottest area of anti-circumvention litigation has nothing to do with such content protection schemes but instead involves companies using the DMCA as an anti-competition law. Two flagship examples—Chamberlain, involving the sale of compatible after-market universal garage door openers (a case the EFF calls “mind-bogglingly absurd”) and Lexmark, involving refilled printer cartridges—ultimately reached pro-competitive outcomes, but only after significant litigation and some disconcerting early rulings. Even with these rulings, companies now routinely consider anti-circumvention claims as part of a general anti-competitor campaign. As a result, the law has increased the cost of doing business, given plaintiffs another tool to try to restrict legitimate competition, and done almost nothing to protect content owners.

#6: Electronic Communications Privacy Act

This law was written in 1986 (amending earlier versions), back when the Internet was an obscure academic network. Although the law wasn’t written with the Internet in mind, it has the heroic responsibility of governing a huge swath of private Internet communications, including emails, private chat, VOIP and others. Even if the law were well-drafted, applying a pre-Internet law to these communications would create plenty of ambiguity and friction. Unfortunately, this is not a well-drafted law; in my opinion, this law is one of the most poorly drafted statutes ever. The result is a tangled, convoluted hairball that no one (even privacy experts) can understand or apply.

#5: Utah Digital Signatures Act

In 1995, there was some concern that the lack of Internet authentication would inhibit the development of e-commerce. As a result, VeriSign (and others) advocated that everyone on the Internet—both users and websites—should have digital certificates to validate their identity (the equivalent of an Internet driver’s license) so that websites and users each could figure out who they were dealing with. However, VeriSign and others expressed concern that a digital certificate issuer would face significant liability if the authenticated information was wrong. Thus, the argument went, if only digital certificate vendors could get some liability protection, digital certificate vendors would provide the necessary authentication that would allow e-commerce to explode.

In response to these concerns, Utah enacted the Digital Signatures Act to regulate the process of granting accurate certificates and limit the liability of digital certificate vendors. Utah hoped the law would cause digital certificate vendors to relocate to Utah to take advantage of its friendly legal climate, making Utah a leader in e-commerce.

As it turns out, digital certificates weren’t needed to catalyze e-commerce, nor did the market materialize for digital certificates in the form contemplated by the statute (as a PKI-based system). As a result, this law was a complete failure, and no companies ever complied with the statute’s formalities. Indeed, the law proved to be so irrelevant that Utah has taken the highly unusual step of repealing the law. At least they owned up to their mistake (this time).

#4: Anti-Kid Spam Laws in Utah and Michigan

Nothing fires up the legislative machine like trying to protect kids from Internet dangers. In this case, Utah and Michigan created “do-not-email” registries, similar to the national Do-Not-Call registries, for the registration of kids’ email addresses. Porn spammers are supposed to check these databases and eliminate any registered kids’ addresses from their porn spam distributions.

While do-not-contact registries are generally popular, I’m in the minority of people who think they are suboptimal policy (I explain my thinking, by deconstructing the federal Do-Not-Call registry, here). In these cases, the do-not-email registries claim to be protecting kids, but they actually don’t try to authenticate registrants’ ages—making them a generic do-not-email registry, something even the FTC doesn’t favor. Most importantly, assuming the database actually contains kids’ email addresses, it becomes a juicy target for criminal hackers, pedophiles and other bad actors. Based on this concern, the FTC has advocated against the idea.

#3: Dot Kids Implementation and Efficiency Act of 2002

As we saw with the Utah Digital Signatures Act, legislators can’t stimulate market demand simply by legislating the market into existence. In my opinion, no legislative act better illustrates this principle than the Dot Kids Implementation and Efficiency Act of 2002. In the name of providing a safe online haven for kids, Congress co-opted the domain and decreed that only kid-safe content could reside there. In theory, parents would feel safe letting their kids loose there, and content publishers would have a good place to reach kids. Ultimately, Internet filters could simply enable websites and shut off the rest of the Internet to kids.

The problem? Not many content publishers saw the value of creating kid-safe websites and housing them under the restrictive rules of the law. As a result, is a virtual wasteland, housing less than 20 websites, almost all of which have less-than-compelling content. (You mean to tell me you’ve never been there? Check it out yourself). Not exactly the most enticing destination for Junior. So is a ghost-town-like reminder that legislators should stay out of the business of trying to manufacture markets.

#2: Utah/Alaska Anti-Adware Laws

Have you noticed a trend here? Utah makes my dud-law list three times—a hat trick of legislative incompetence. This is such a remarkable feat that we might consider banning Utah from enacting further Internet regulations until they can show that they will use their powers wisely.

This law makes my list because of the deceptive rationales used to justify it. Touted as an “anti-spyware” “consumer protection” law, it was neither. The law only targeted adware, not spyware, and it gave enforcement rights to trademark owners, not consumers. As a result, the law gave trademark owners the power to take software out of consumers’ hands—even if the consumers actually wanted the technology. Further, by allowing trademark owners to attack competitors for engaging in comparative advertising, the law tried to inhibit beneficial competition rather than promoting it. Thus, despite its billing, this law was a profoundly regressive anti-consumer law.

Given its deceptive nature and adverse policy effects (which I explain in lengthy detail here), it should not be surprising that the law was quickly enjoined. (Disclosure note: I worked on an amicus brief challenging the law). Chastened, the act’s sponsor subsequently amended the law to make it effectively irrelevant.

However, before Utah amended its law, Alaska implemented its own bastardization of Utah’s initial law. Among the Alaska law’s defects, it expects adware vendors to pop-up a notice to potential downloaders asking them for their geography; with this information, in theory, the vendor can avoid downloading the regulated software to Alaska residents. In other words, in an effort to fight unwanted pop-ups, the Alaska law mandates that software vendors deliver lots of unwanted pop-ups to consumers–even when both the vendors and consumers are located outside of Alaska. Gotta love that logic.

#1: Communications Decency Act

Based on the discussion above, clearly there was plenty of competition for the worst Internet law of all time. However, I found picking a “winner” surprisingly easy. In fact, in my book, it isn’t particularly close.

The Communications Decency Act, passed in 1996, was Congress’ first comprehensive attempt to regulate Internet content. Not surprisingly, Congress made a lot of rookie mistakes. The CDA tried to keep kids away from Internet porn, a reaction to a sensational 1995 article (the “Rimm Report”) published in the Georgetown Law Journal that proclaimed that the Internet was awash in porn. But later examinations thoroughly discredited the Rimm Report—meaning that Congress’ efforts/overreactions were based on bad social science.

Worse, Congress mistakenly assumed that non-porn content could be easily segregated from porn. In defense of this assumption, the government’s expert witness proposed a content tagging system that would enable browsers to wall off porn. But this exposed a deep flaw in the law—the tagging system didn’t exist, browsers weren’t written to honor the tag, and it turns out that requiring publisher self-tagging for all Internet content is burdensome and cost-prohibitive.

Because web and email content publishers had no easy way to comply with the law, the law threatened to restrict virtually every Internet speaker. Further, Congress imposed punitive and draconian sanctions (including stiff jail time) for breaking the law. Congress really, really wanted to wipe porn off the Internet, but it chose a particularly mean-spirited way of doing so.

Not surprisingly, the law fared poorly in the courts. Within a week, it was enjoined. The next year, the US Supreme Court unanimously struck down the law (although 2 judges would have found a way to preserve some of the law). For its lack of policy support, its sloppy blunderbuss approach to regulating speech, and its flat-out meanness, I hereby crown the CDA the worst Internet law (to date…).

4 Responses

  1. Bruce Boyden says:

    Eric, great idea and great list. I agree with the top 6. But I would quibble with most of the rest of it, particularly your two “best” laws.

    On the ECPA, perhaps this makes it even worse, but some Congresspersons *were* envisioning its application to the Internet, at least to e-mail; there are statements to that effect in the legislative history. The problem with the ECPA is, as you note, its drafting: broad prohibitions cabined by limiting definitions (some with multi-part tests) and overlapping, vague, broad exceptions. And it just gets worse every time it’s amended, which is frequently.

    Also, if you want to be confused by drafting, try figuring out how you’re supposed to bring an in rem suit under the ACPA.

  2. Orin Kerr says:

    Funny, Eric, I would say that ECPA is the best Internet law written. It’s really extremely clever, and the only reason it is hard to understand today is that Congress left out the suppression remedy. But the basic statute is a remarkable achievement.

    I’m also not sure I understand why the Unlawful Internet Gambling Enforcement Act of 2006 is so bad. My understanding is that it has led to a very significant drop in Internet gambling, which is exactly what it was designed to do.

  3. Bruce Boyden says:

    Orin, to take one example among many, how does an electronic communication service — not a service provider, but the service itself (e.g., Internet access) — engage in “storage” for purposes of backup protection? (18 U.S.C. s 2510(17)(B).) Does the Internet decide when to back things up? And why is “electronic storage” the term used for something far more limited than electronic storage anyway? Given that “electronic storage” means, essentially, storage during transit, and that 2701 is limited to access of communications in “electronic storage,” how is what is prohibited under 2701 any different from what is a prohibited “acquisition” under the Wiretap Act, at least under the interpretation embraced by the en banc First Circuit in Councilman? Why are behavior-based exceptions (dependent on the purpose of the interception) excluded from the definition of “device” rather than exceptions to the prohibition on interception? That seems unnecessarily confusing. And how come computers haven’t been added to the “business use” exception, or are they “telephone” or “telegraph” equipment? Is “a facility through which an electronic communication service is provided” something less than all data machines attached to the phone network and Internet, and if so, what defines the subset of facilities subject to 2701’s prohibition? Why do ISPs get blanket authority to hack into *other* ISPs under 2701(c)(1), which effectively immunizes (for purposes of 2701) “the person or entity providing *a* [not “the” or “such”] wire or electronic communications service”? And how come the sender of a message can hack into the recipient’s computer (or routers along the way) under 2701(c)(2) to retrieve his or her message? OK, that was much more than one example, but you get my drift.

  Nice list. I thought others might be interested in this paper ITIF just released on the Internet Tax Freedom Act (#2 on your list). It goes into the legislation's history in depth and argues for making it permanent (since it is set to expire in Nov. 2007).