April 27, 1994 Lawmaking and Law Enforcement in Cyberspace By: David R. Johnson As more people communicate and do business through the global electronic network, there will be disputes. Many current infonauts hope that the new online community can work things out informally, using social pressures, "netiquette" and discussion instead of rules to prevent harms and resolve disagreements. But as more newbies join the net and as the financial stakes increase, it seems likely that some rules will be necessary, and some enforcement of those rules will be required. Where will those rules come from and who will enforce them? Some argue that, especially in light of the international character of the networks, we should not look to existing territorial governments but should instead create a self-regulatory regime that is articulated and enforced by system operators and users who understand the new media and wish it well. One way to advance exploration of the question whether Cyberspace should be self-regulating (or, perhaps, even "sovereign" within its sphere) is to discuss in concrete terms how the law of Cyberspace can be made and enforced so as to achieve both effectiveness and fundamental principles of fairness. The "local" Law of Cyberspace is already made by sysops and users in the form of contracts and rules applicable to particular systems. Sysops decree the terms and conditions of access to their particular spaces -- and users agree to these as a condition of being granted entry. These agreements may be contracts of adhesion -- not truly negotiable. But they nonetheless present the user with meaningful choice, because there is great diversity among the rules established by different areas. Further, the barriers to creation of a new electronic space, with rules more agreeable to any given set of users, are low. This local law is relatively easily enforced, because a sysop can banish those who break it. The complication comes when we consider Cyberspace as a whole and when systems are set up to exchange mail and discussion groups and otherwise interconnect in such a way that User A gets messages from a User B whose access to the network is not controlled by the same sysop. Unilateral promulgation of rules for particular local electronic spaces simply doesn't work to control Internet listservs or other forms of cross-system communication. An obvious next step, then, is to allow the system operators to agree among themselves on certain minimum principles that all will accept -- the violation of which all agree will be met with standard enforcement strategies, including banishment. For example, all (or most) sysops might agree to provide some minimum level of privacy protection to e-mail messages. And they might, in consequence, agree to exclude any user who deliberately acted to defeat such protections. Or sysops might agree only to exchange e-mail traffic with other systems that honor certain minimum standards regarding accurate labelling of message contents to protect the interests of users in selecting the types of messages they want to receive. The net itself can create a new procedure to establish such global, agreed-upon, rules. Such a procedure can be modelled in part on "notice and comment rule making" but would also involve a vote or agreement -- somewhat like that now used to establish new Usenet news groups. A "Cyberspace Law Institute" might provide the mechanism for such lawmaking as follows: (1) Any new proposed rule would be published in an easily accessible place and distributed by mail to a list of sysops and others interested in reviewing such proposals; (2) All comments and debate would be collected in that same electronic location and distributed to interested parties; (3) Sysops prepared to accept and enforce the rule would register their agreement at the central location; (4) Vigorous opposition to particular rules, coupled with an indication of unwillingness to connect to systems that adopt the proposed rule, could also be registered; (5) After a suitable interval, the sysops who agree upon the rule would proceed to implement and enforce it. Presumably, one first rule would be that Sysops will not connect with other systems that do not enforce the rules those systems have agreed upon. Another first principle might address the amount of "due process" to be given to a user, perhaps including appeal to a decision maker other than the local sysop, before invocation of the ultimate sanction. Note that this regime provides clear notice regarding the terms and conditions applicable across systems. (It might be supplemented by listing the local rules applicable within various systems, to allow users more fully informed choices.) Although some may raise antitrust concerns, it seems likely that a mechanism of this kind should be viewed as a kind of standard setting designed to enhance competition. And it provides for a deliberative process, maximizing user choice insofar as consistent with the need for sysops to define their own systems. It's hard to evaluate a system of law-making like this other than in the context of the substantive laws the system actually makes. Should we worry about collusion among sysops to stifle user rights? I think not -- sysops have strong incentives to increase traffic on the system. But the only way to be sure is to give it a try. The alternative appears to be to allow current national legislatures to adopt inconsistent and unenforceable rules based on a failure to understand and embrace the promise of the new communications technology. The very first efforts of sysops to formulate basic rules, designed to protect users and foster increased use of the new medium, will demonstrate the advantages of developing the new law of Cyberspace indigenously.