5 Va. J.L. & Tech. 2 (2000) <http://www.vjolt.net>
1522-1687 / 2000 Virginia Journal of Law and Technology Association

VIRGINIA JOURNAL of LAW and TECHNOLOGY

UNIVERSITY OF VIRGINIA

SYMPOSIUM 2000

Avoiding Intellectual Trespass in the Global Marketplace:
Encryption & Privacy in E-Commerce

David Bender [*]

Danice M. Kowalczyk [**]

  1. From the doorstep of the new Millennium, one can see across the threshold to the rapidly expanding territory of e-commerce. E-commerce is not limited to mere web shopping. It includes, among other things, online securities transactions, buying and downloading software, and business-to-business transactions.[1] The growth of e-commerce has signaled extensive changes in the way domestic and international business is conducted. Domestically, e-commerce has harkened the emergence of a great chasm between two economies: Old Economy industries, often characterized by slow growth in investment, productivity, profits and pay, versus New Economy Net companies with growing options and opportunities.[2] Internationally, e-commerce exists within an unpredictable and non-uniform legal framework. Indeed, it is the non-existence of a global legal and regulatory framework which some Net content providers and regulatory experts predict will be the next real hurdle for the e-commerce industry.[3] At the forefront of this legal scene is the conflict between the United States’ view and the European Union’s view regarding privacy and the extent of legal protection afforded personal information.

    Personal Information - the New Commodity of the Digital Economy v. Privacy

  2. U.S. data privacy law is in constant flux,[4] comprised of a cornucopia of Constitutional, common law and statutory privacy rights, each of which often grants substantial protection in only a very restricted area.[5] Constitutionally, general privacy protections stem most often from the First and Fourth Amendments.[6] The right to privacy is also said to emanate from the penumbras of the Bill of Rights.[7] Constitutional privacy protections, however, apply only to intrusion by government, not private, entities. The basis of common law protection from an invasion of privacy by private parties stems from Warren’s and Brandeis’ oft-quoted "right to be let alone"[8] which is embodied in the following four distinct tort laws addressing invasions of privacy: intrusion upon one’s seclusion, misappropriation of one’s name and likeness, false light publicity, and public disclosure of private facts.[9] Where the above protections have been perceived as failing adequately to remedy given privacy transgressions, federal and state statutes have attempted to fill the niche.

  3. Examples of relevant federal legislation governing the public sector include the Privacy Act of 1974,[10] the Freedom of Information Act,[11] and the Right to Financial Privacy Act of 1978.[12] Examples of relevant legislation governing the private sector (targeting specific industries) include the Electronic Communications Privacy Act of 1986 ("ECPA"),[13] the Electronic Fund Transfer Act ("EFTA"),[14] the Fair Credit Reporting Act of 1970 ("FRCA"),[15] the Video Protection Privacy Act of 1988 ("VPPA"),[16] the Cable Communications Policy Act ("CCPA"),[17] and, more recently, the Driver’s Privacy Protection Act of 1994 ("DPPA")[18] and the Children’s Online Privacy Act of 1998 ("COPPA").[19] In addition, the Department of Health and Human Services has a February 21, 2000 deadline, pursuant to the Health Insurance Portability and Accountability Act of 1996, to set guidelines for protecting health information privacy.

  4. Statutorily, many states have recognized the general right to privacy in their constitutions,[20] as well as enumerated specific offenses against privacy.[21] Some have even exceeded the right to privacy recognized under the Constitution of the United States, holding even private actors subject to a Constitutional standard of behavior.[22] However, while the above address general privacy concerns, state statutory responses to the specific threat of burgeoning uses and misuses of computer technology have been varied.[23] While a few states have enacted legislation aimed directly at curbing the invasion of information and computer privacy,[24] most others have reacted by merely enacting legislation that broadly deals with the regulation of various entities who deal in information, such as those engaged in personal data transmission,[25] credit,[26] financial information,[27] and communications.[28]

  5. Notwithstanding the above legal privacy protections, it is, in fact, industry self-regulation which is most favored in the online environment. More specifically, U.S. government policy fervently supports industry-led, market-driven self-regulation[29] as the best means of protecting privacy rights over the Internet and World Wide Web.[30] In fact, Internet sites are promulgating privacy policies in the deliberate hope that both federal as well as state regulation can be avoided.[31] Not surprisingly, however, industry self-regulation often falls well short of a comprehensive U.S. privacy protection scheme.[32]

  6. In contrast, governments of E.U. countries regulate privacy protection for their citizens, ensuring that personal data is protected well beyond national borders.[33] The European Union’s Directive on Data Protection ("Directive"), enacted in October 1998, prohibits the flow of personal information about E.U. citizens to countries outside the E.U. that are not in compliance with its stringent privacy protection rules.[34] This Directive is at the forefront of the privacy debate as it may in the future block U.S. e-commerce, or business-to-business sites, from access to E.U. markets. More specifically, the 15-nation E.U. could bar European-based companies from sending personal data (such as credit ratings, Social Security numbers, health information and buying or online habits)[35] to U.S. businesses.[36] As a result of the implications of this Directive, the U.S. and E.U. are currently undertaking the onerous task of finding a way for U.S. organizations to comply with the E.U.’s data protection law.[37] The U.S. Commerce Department has suggested that the E.U. grant U.S. businesses receiving personal data from the E.U. "safe harbor" status if they voluntarily accept a given set of principles addressing the safeguarding of personal information,[38] the specific details of which to date remain unclear.[39] Not surprisingly, this seemingly ideal solution has met with much discourse. U.S. consumer advocacy groups oppose the dodging of strict E.U. privacy rules. These groups hold in derision the vagueness of the plan, its failure to establish remedies for victims of data privacy violations, and the idea of giving strong privacy protection for E.U. data when it is processed in the U.S. but failing to do the same for U.S. domestic data.[40] The safe harbor proposal further fails to guarantee that individual consumers will be able to access the personal information obtained by businesses about them.[41] Meanwhile, E.U. criticisms include a dislike of primarily industry-led self-regulation.[42] E.U. authorities also suggest the need for an independent body with the mission of both acting as a contact point for E.U. data protection authorities and cooperating in the investigation of complaints.[43] Largely as a result of the above differences, resolution of this dilemma remains at an impasse--despite the U.S. Commerce Department’s earlier interest in a 1999 year-end conclusion.[44]

  7. Unresolved privacy concerns leave Internet commerce at a crossroads. While the Internet boosts world trade because of better, quicker information,[45] the greatest barrier to e-commerce use lies in the fact that the same instant information gratification which attracts users to e-commerce also keeps them at bay. E-commerce shoppers distrust business’s efforts to protect the privacy of their personal information, and businesses continue to grapple with the disconcerting idea of sharing proprietary business information with customers and suppliers online.[46] For e-commerce to thrive, users must feel comfortable and confident in both the privacy afforded information divulged as well as the accuracy of information received.[47]

  8. Since there is no "Better Business Bureau" to police e-commerce retailers, a host of private-sector organizations such as the Online Privacy Alliance[48] are currently developing to monitor industry’s efforts at self-regulation.[49] These privacy advocates often support not only protection and accuracy of information but also full disclosure and transparency of business ties on e-commerce sites.[50] Other civil libertarians and privacy groups assert that in order to fulfill the Internet’s potential as a commercial dynamo, privacy must be viewed as a structural and technological component of the Internet.[51] In fact, users should directly consider the impact on privacy in the process of designing information systems and in deciding whether to even use personal data at all.[52] Many privacy advocates also support sanctions for privacy violations. As online direct marketing becomes increasingly profitable and the value of personal information catapults upward, so too does the temptation to abuse it.[53] Currently, victims of privacy transgressions have no clear legal recourse. Who will act, domestically or internationally, to create a recourse mechanism? Related concerns exist regarding high-tech industry-backed privacy groups such as Americans for Computer Privacy, the Global Business Dialogue on Electronic Commerce ("GBDe")[54] and the newly formed Electronic Commerce and Consumer Protection Group.[55] In whose interests, industry or consumer, are these groups acting? What about the potential threat of an industry-backed e-commerce privacy cartel?[56] Finally, resolution of privacy concerns in the e-commerce world may remain at a crossroads because consumers, themselves, often emit confusing signals regarding privacy – individuals who express concern over personal privacy also enjoy ease of access to websites that recall their tastes and buying habits.[57] The privacy hurdles referenced above currently obstruct the view of not only privacy watchdogs but all international e-commerce users, shoppers and retailers gazing out unto the e-commerce expanse. With potential global cost savings through e-commerce expected to rise from $17 billion in 1998 to $1.25 trillion by 2002,[58] the failure to adequately address such hurdles could have expensive global ramifications.

    The Encryption Dilemma - to Have or Have Not

  9. In addition to privacy, e-commerce businesses raise differences in international laws on security, a sub-topic of privacy, as one of the largest obstacles to creating electronic links with customers and other businesses. Abroad, security concerns are rectified through the use and export of strong encryption[59] technology or cryptography.[60] For some time now, however, the U.S. position on the export of encryption technology has been diametrically opposed to the European position. Until recently, the U.S., with few exceptions, has refused to allow the export of high-level encryption technology, holding to Cold War fears that "equate encryption software with military arms for purposes of export classification."[61] In addition, the Clinton administration has required that most encryption programs include a mandatory key escrow provision allowing law enforcement agencies to access encrypted data pursuant to court order.[62] These stringent regulations on the export of strong encryption programs have not only crippled the Internet’s ability to protect its information but have also retarded the growth and sale abroad of U.S.-developed encryption software, leaving the high-tech sector at frustrating odds with the federal government. In short, a dilemma has existed between the needs of the information industry for strong encryption programs and security demands by law enforcement for access to digital communications.[63] Recently, this dilemma came one small step closer to resolution or, at least, appeasement.

  10. On September 16, 1999, the Clinton administration announced a new information security and privacy strategy that is intended both to loosen export regulations on encryption technology as well as to provide law enforcement agencies with the tools necessary to read certain encrypted messages.[64] Revision of current export policy on encryption technology and a proposed bill, the Cyberspace Electronic Security Act, will be the agents used to execute the administration’s new plan.[65]

  11. Citing e-commerce, national security and privacy as chief concerns, the new regulations (as originally set forth in September, 1999) will, among other things, permit any encryption product or software with a key length of 64 bits to be exported under a license exception, after a technical review, to non-government end-users (individuals and commercial firms) in any country except for seven specifically identified states (Iran, Iraq, Libya, Syria, Sudan, North Korea and Cuba).[66] Further, in order to assist e-commerce and open up the entire commercial sector as a market for strong U.S. encryption products, two other changes will be implemented. First, encryption products previously allowed only for a company’s internal use may now be used externally for communicative purposes with other firms and supply chains. Second, retail products and software using a key in excess of 64 bits[67] may now be exported to all end-users, including governments, except in the seven identified states. These exports will also be made under a license exception. Finally, in keeping with the Wassenaar Arrangement,[68] the U.S. will decontrol exports of 56 bits, DES and equivalent products to all users and destinations (except the seven states) following a technical review. Also, exports of software using a key of 64 bits or less falling under the Wassenaar Arrangement’s definition of mass market will be decontrolled.[69] Finally, the new encryption strategy is said to continue the three fundamental principles of U.S. export policy: one-time technical review, post-export reporting requirements for any export to a non-U.S. entity of any product above 64 bits,[70] and the ability to deny exports to governments and military end-users.[71]

  12. In November, 1999 the Department of Commerce circulated draft regulations of the above proposals to industry. Following receipt of industry’s and other stakeholders' comments, the initial proposals presented in September, 1999 were substantially revised. Some key changes include broadening the definition of retail products (since government export licenses will not be required for products described as "retail products or goods").[72] Another change includes additional reductions on controls of source code, beyond those reductions originally announced in September, 1999. Commercial encryption source code, encryption tool kits and components may now be exported under a license exception to businesses and non-government end-users for internal use, internal customization and new product development.[73] Further, the newest draft recognizes industry’s opposition to proposed restrictions on exports of data-scrambling technology to foreign telecommunications companies and Internet service providers. Namely, while export licenses are still required for strong encryption products offered to foreign governments, excluded from the definition of government are telecommunications entities and Internet service providers.[74] The new regulations further permit U.S. companies to export any encryption item to their foreign subsidiaries without a prior review. On January 12, 2000, the Bureau of Export Administration, a subdivision of the Department of Commerce, released the new encryption export regulations which implement the Clinton administration’s export strategy.[75]

  13. The co-agent of the administration’s new encryption export plan, the Cyberspace Electronic Security Act ("CESA"), will give the FBI $80 million over the next four years to develop a new unit to focus on cracking codes,[76] the purpose behind such act being to strengthen law enforcement efforts to investigate encryption-related cybercrimes. The CESA will also authorize that law enforcement techniques, including decryption, used to obtain useable evidence be kept in strict confidence to avoid open disclosure of techniques which might jeopardize investigations and hamper law enforcement.[77] Coupling the CESA with encryption technology export policy revisions, the Clinton administration’s new encryption strategy is said by some to balance export control liberalization with additional tools and resources for law enforcement, a more even-handed approach to encryption than other proposals currently before Congress.[78]

  14. One such proposal is the Security and Freedom through Encryption Act ("SAFE"), the former front-runner in the race for a more industry-friendly encryption export policy. Currently, passage of SAFE, a bill which would have essentially reversed the federal government’s strict position on encryption, seems unlikely as a result of the Clinton administration’s unanticipated loosening of export restrictions.[79] This is especially true in light of the Department of Defense’s announcement that it will ask President Clinton to veto SAFE should the bill pass.[80]

  15. Despite largely favorable responses to the Clinton Administration’s new plan, however, e-commerce users can expect continuing battles in the encryption arena. Privacy advocates and civil libertarians assert that while the administration’s new strategy offers increased personal privacy and information protection as a result of ease in obtaining strong encryption products, it concurrently grants law enforcement authorities access to decryption keys without sufficient privacy protections. Many wonder about the possibility of future collusion between law enforcement and industry via a "backdoor" entry to encryption software. What happens to the average individual when such hidden vulnerabilities exist? Other criticisms of the new export policy include confusion over what purpose the one-time review procedure serves and the circumstances under which an export license exception will be granted.[81] Finally, privacy advocates assert that encryption using any key less than 90 bits is vulnerable.[82] In other words, with advancements in encryption programming and decoding technology globally developing at such a rapid pace, even relaxation as to 64 bits may be too little, too late.

  16. Recent case law brings even greater encryption challenges. In May, 1999 the Ninth Circuit Court of Appeals in Bernstein v. Department of Justice[83] ruled that the federal government’s encryption regulations, insofar as they require licenses for encryption and decryption software, devices and technology, constitute a prior restraint on freedom of speech.[84] Specifically, the Bernstein court held that existing encryption export law restricted communications in the form of source code, violating the First Amendment. Since a final ruling in this matter has the potential to create a substantial crack in the wall surrounding the encryption fortress, the Ninth Circuit Court of Appeals’ recent grant of the Department of Justice’s motion for rehearing should be closely watched.[85]

  17. Keeping aim at the target of a legally uniform e-commerce world, international differences regarding encryption, within its larger world of privacy, must be resolved if the dream of a dynamic global marketplace is to be fully realized.

    The Global Marketplace

  18. As national boundaries become more porous,[86] both Old Economy industries and New Economy Net companies will benefit by functioning on both sides of the digital divide. This task is most easily accomplished by globally addressing the need for harmonization of privacy and encryption laws to facilitate the free flow of international e-commerce uninhibited by nation-specific barriers.[87] In this environment of harmonization, however, it is important to commit to memory the mantra that the quickest way to destroy the Internet may be to begin over-regulating. While a predictable global legal environment governing transactions is necessary, over-regulation could stifle e-commerce, a thriving industry progressing at warp speed.[88] We must walk a fine line on the path of legal uniformity so as not to fall into the thicket of over-regulation. Resolving policy differences over encryption and privacy may be the first steps on the yellow brick road toward a legally uniform, internationally seamless e-commerce world, the Oz of the Millennium.

Footnotes

[*] Counsel, White & Case, New York, N.Y.

[**] Associate, White & Case, New York, N.Y.

[1] Diane M. Istran, Electronic Commerce - The Web of Legal and Business Relationships, in FROM BITS AND BYTES TO CYBERSPACE, Advanced International Retreat, Computer Law Association (Oct. 22-23, 1998). See also Jiri Weiss, 10 Questions on E-Commerce (Aug. 31, 1999) <http://builder.cnet.com/Business/Ecommerce20/>.

[2] Editorial, Growing Pains of the Internet Age, BUSINESS WEEK, Oct. 4, 1999, at 250.

[3] Shawn Willett, International E-commerce Faces Obstacles (Jan. 12, 1999) <http://www.foxnews.com/>.

[4] THE INTERNET AND BUSINESS: A LAWYERS GUIDE TO THE EMERGING LEGAL ISSUES, Computer Law Association, Current Issues Publications Series, at 44 (1996).

[5] Ian C. Ballon, The Emerging Law of the Internet, in PRACTISING LAW INSTITUTE 19TH ANNUAL INSTITUTE ON COMPUTER LAW (1999) (limited areas of protection, for example, have been tax returns, personal financial data, medical records and children’s privacy). See also Ron N. Dreben, Morgan, Lewis & Bockius, LLP, Legal Issues and the Electronic Storefront, in GEORGETOWN UNIVERSITY LAW CENTER CONTINUING LEGAL EDUCATION, Advanced Computer Law Institute (Mar. 11-12, 1999).

[6] The Third, Fourth, Fifth, Ninth, and Fourteenth Amendments have also been noted as providing individuals with some Constitutional privacy protections. See Griswold v. Connecticut, 381 U.S. 479, 484 (1965).

[7] Sandra Byrd Petersen, Your Life as an Open Book: Has Technology Rendered Personal Privacy Virtually Obsolete?, 48 FED. COMM. L.J. 163, 172 (1995).

[8] Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 HARV. LAW REV. 193, 195 (1890).

[9] William L. Prosser, Privacy, 48 CAL. L. REV. 383, 389 (1960). This categorization of torts was later adopted by the Restatement (Second) of Torts. See RESTATEMENT (SECOND) OF TORTS 652A (1977).

[10] 5 U.S.C. 552a (1994 & Supp. III 1997). The Privacy Act provides protective guidelines for federal agencies involved in the collection and storage of personal data in government records, as well as any subsequent dissemination of such information.

[11] 5 U.S.C. 552 (1994 & Supp. III 1997). The Freedom of Information Act allows individuals to access Federal agency records. However, the public cannot obtain, inter alia, an individual’s personnel and medical files and/or law enforcement records. See 5 U.S.C. 552(b)(6).

[12] 12 U.S.C. 3401-3422 (1994). The Right to Financial Privacy Act was designed to protect bank customers’ right to privacy in relation to their financial records kept by financial institutions with which they do business.

[13] 18 U.S.C. 2510-2522, 2701-2709, 3121-3127 (1994 & Supp. III 1997). The ECPA protects private electronic communications from unauthorized access, interception or disclosure.

[14] 15 U.S.C. 1693b (1997). The EFTA requires financial institutions offering electronic fund transfer services to provide their customers with advance notice of the institution’s given privacy policies. It further requires those institutions to advise customers of any circumstances under which information about the customers’ accounts may be released to third parties.

[15] 15 U.S.C. 1681-1681u (1994 & Supp. III 1997). The FRCA lists guidelines for credit reporting agencies regarding the dissemination of personal information where individual consent has not been obtained.

[16] 47 U.S.C. 2710-2711 (1994). The VPPA regulates disclosure of consumer videotape rental records.

[17] 47 U.S.C. 551 (1994). The CCPA governs the collection, use and disclosure of customer identification data by cable television service providers.

[18] 18 U.S.C. 2721 (1994 & Supp. II 1997). The DPPA limits the access and dissemination of personal information held by a state’s department of motor vehicles.

[19] 15 U.S.C. 6501 (et seq.). See also 11 Fed. Reg. 59,888 (1999) (to be codified at 16 C.F.R. pt. 312). The COPPA, which will become effective April 21, 2000, is aimed at prohibiting unfair and deceptive acts involving the collection and use on the Internet of personal information from and about children.

[20] See, e.g., Alaska Const. art. I, 22 (1999); Ariz. Const. art. II, 8 (1999); Cal. Const. art. I, 1 (1998); Fla. Const. art. I, 23 (1998); Haw. Const. art. I, 6 (1998); and Mont. Const. art. II, 10 (1999).

[21] See, e.g., ALA. CODE 1975 13A-11-30 (1999); See also N.Y. PENAL LAW 250.00 (McKinney 1999) (eavesdropping); William C. Donnino, McKinney Practice Commentary, PL 250.05 (1989) (eavesdropping); N.Y. GEN. BUS. LAW 395-b (McKinney 1999) (video surveillance); N.Y. LAB. LAW 201-a (McKinney 1999) (fingerprinting); N.Y. EXEC. LAW 296(19) (McKinney 1999) (genetic privacy); and N.Y. CIV. RIGHTS LAW 50-51 (McKinney 1999) (proscribing use of person’s name, portrait or picture for advertising or trade purposes without permission and providing a cause of action for invasion of a person’s right to privacy). See also N.J. STAT. ANN. 2A:156A-1 et seq. (1999) (dealing with a party’s privacy interest in his or her electronic communications/documents).

[22] See Cal. Const. art. I, 1 (amended 1972). See also CAL. CIV. CODE 1798.1 (West 1998).

[23] See supra note 7, at 183.

[24] See, e.g., ME. REV. STAT. ANN. 17-A 432-433 (1999); KAN. STAT. ANN 21-4002 (1998); GA. CODE. ANN. 16-9-93 (1999); VA. CODE 18.2-152.5 (1999); W. VA. CODE 61-3C-2 and 61-3C-12 (1999).

[25] See, e.g., FLA. STAT. ANN. 540-08 (West 1988); MISS. CODE ANN. 35-7-49 (1999); NEB. REV. STAT. 20-202, 20-204 (1999); WASH. REV. CODE ANN. 46.12.380 (West 1987 & Supp. 1995). See also N.Y. GEN. BUS. LAW Ch. 20, Art. 32, added by L. 1993, c. 457 (Video Consumer Privacy Act) (1999).

[26] See, e.g., CAL. CIV. CODE 1785.1, 1785.32, 1786, 1786.52 (West 1998); MD. CODE ANN., COM. LAW II 14-1207 (1990 & Supp. 1994); MASS. ANN. LAWS ch. 93 105 (Law. Co-op. 1999); MONT. CODE ANN. 31-3-101 (1999); N.H. REV. STAT. ANN. 359-B:2 to :21 (1998); WASH. REV. CODE 19.182.005-902 (1999).

[27] Massachusetts Privacy bill, "An Act Relative to a Consumer’s Right to Privacy," House No. 4483, 39 (Mass. 1999).

[28] See, e.g., CONN. GEN. STAT. 53-422 (1999); D.C. CODE ANN. 43-1845 (1998).

[29] Industry has avoided government intervention through development of criteria for online privacy policies, education of public and private sectors, development of punishment systems for violations, and the creation of watchdog groups. Thomas C. Dabney, Associate General Counsel, America Online, Inc., Allocating the E-Commerce Risks of Buyers and Sellers, in GEORGETOWN UNIVERSITY LAW CENTER CONTINUING LEGAL EDUCATION, Advanced Computer Law Institute (Mar. 11-12, 1999).

[30] Elizabeth Wasserman, A New Year Brings Talk of New Net Rules (Jan. 6, 1999) <http://CNN.com/TECH/>. The Clinton administration encourages the Internet industry to develop voluntary guidelines to protect personal data.

[31] Margaret Jane Radin & Daniel L. Appelman, Doing Business in the Digital Era: Some Basic Issues, 570 PLI/PAT 51, at 64 (Aug/Sept. 1999). The World Wide Web Consortium has also developed the draft Platform for Privacy Preference ("P3P"), a protocol for implementing self-enforcing privacy policies for Web sites. Id. The World Wide Web Consortium ("W3C") is an industry standards group comprising more than 200 businesses and academic institutions. The recently released version of the P3P draft is a work in progress, scheduled to become final in April of 2000. See Mo Krochmal, W3C Releases Last Privacy-Standard Draft, TECH WEB (Nov. 5, 1999) <http://www.techweb.com/wire/story/TWB19991105S0018>.

[32] While several private sector groups have been formed (e.g., TRUSTe, Online Privacy Alliance, and EPIC) to monitor industry’s attempts at establishing in-house privacy protections, these groups are often comprised of industry, as opposed to consumer-interest, groups. As a result, concern exists that consumers’ desires for stringent privacy protections are being sacrificed in the interest of industry’s desire for the new currency of information.

[33] Elinor Mills, U.S. Data Privacy Guidelines Released, The Industry Standard (Apr. 20, 1999) <http://www.thestandard.com/>.

[34] Neal J. Friedman, The Legal Challenge of the Global Information Infrastructure, CYBERSPACE LAWYER, Vol. 2, No. 10, at 8 (Jan. 1998). See also Ian C. Ballon, The Emerging Law of the Internet, in PRACTISING LAW INSTITUTE, 19TH ANNUAL INSTITUTE ON COMPUTER LAW, at 298 (1999).

[35] Ron N. Dreben, Legal Issues and the Electronic Storefront, in GEORGETOWN UNIVERSITY LAW CENTER CONTINUING LEGAL EDUCATION, Advanced Computer Law Institute, at 3 (Mar. 11-12, 1999).

[36] Elinor Mills, U.S. Data Privacy Guidelines Released, The Industry Standard (Apr. 20, 1999) <http://www.thestandard.com>. See also Reuters, U.S., Europe Battle Over Data Privacy, Inter@ctive Week Online (Sep. 20, 1999) <http://www4.zdnet.com/intweek/stories/news/>.

[37] See Rosario Imperiali, The Status and Challenges of Information Technology Practice in Mediterranean Area Countries and Worldwide, Transborder Data Flows: USA and EU Confrontation, at 3, 8 (Jun. 10-11, 1999) (on file with author). While negotiations are in progress, E.U. members agreed not to initiate any enforcement action against noncompliant U.S. companies so as not to inhibit trade.

[38] Reuters, U.S., Europe Battle Over Data Privacy, Inter@ctive Week Online, (Sep. 20, 1999) <http://www4.zdnet.com/intweek/stories/news/>. The principles in discussion would put a much heavier emphasis on self regulation within a tougher U.S. legal framework.

[39] The principles are designed to serve as guidance to U.S. organizations seeking to qualify for both safe harbor status as well as the presumption of "adequacy" (to meet E.U. concerns) it creates. Such principles, which are still in draft form, deal with the areas of notice, choice, onward transfer, security, data integrity, access and enforcement. See Domingo R. Tan, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union, 21 LOY. L.A. INTL & COMP. L.J. 661, at 682 (Aug. 1999).

[40] James Glave, Safe Harbor: No Port in a Storm?, <http://www.wired.com>.

[41] David H. Kramer, eCommerce: Strategies for Success in the Digital Economy, 570 PLI/PAT 1093, at 1103 (Aug./Sept. 1999).

[42] In October, 1999 the U.S. and EU engaged in discussions which involved moving away from a self-regulatory scheme and toward U.S.-led enforcement of data protection (with U.S. courts playing an active role). 13 WORLD INTELL. PROP. REP. (Dec. 1999); see also Owen D. Kurtin & Beth Simone Noveck, Financial Community Fixes on Online Data Privacy, NAT'L L.J., Jan. 24, 2000, at C12.

[43] See Rosario Imperiali, The Status and Challenges of Information Technology Practice in Mediterranean Area Countries and Worldwide, Transborder Data Flows: USA and EU Confrontation, at 8 (Jun. 10-11, 1999) (on file with author).

[44] The U.S. Department of Commerce recently issued a revised draft of the International Safe Harbor Principles dated November 15, 1999. Comments to such draft had a deadline date of December 3, 1999. A March, 2000 resolution is planned.

[45] Michael J. Mandel, The Internet Economy: The World’s Next Growth Engine, BUSINESS WEEK, Oct. 4, 1999, at 72.

[46] See supra note 1.

[47] Editorial, Growing Pains of the Internet Age, BUSINESS WEEK, Oct. 4, 1999, at 250.

[48] See <http://www.privacyalliance.org/>. The Online Privacy Alliance is based in Washington and is supported by some of the most influential names on the Web. Other privacy advocates, such as the Electronic Privacy Information Center ("EPIC"), met September 16, 1999 in Hong Kong to chart a course for the 21st Century, releasing "Privacy and Human Rights 1999: An International Survey of Privacy Laws and Developments." EPIC and other conference attendees support strong privacy protections and continued vigilance against privacy violations. See <http://www.epic.org/events/privacyagenda/press_release.html>. Another private sector privacy monitor achieving success with increased membership is nonprofit Palo Alto-based TrustE, which mandates that members agree to a set of privacy principles. TrustE is the Internet industry’s leading privacy seal program supporter.

[49] Cyberspace: Who Will Make the Rules?, BUSINESS WEEK, Mar. 22, 1999, at 30D.

[50] Editorial, Growing Pains of the Internet Age, BUSINESS WEEK, Oct. 4, 1999, at 250.

[51] Chris Oakes, Click Here for a Privacy Policy, WIRED (Apr. 6, 1999) <http://www.wired.com/news/technology/0,1282,18976,00.html>.

[52] THE INTERNET AND BUSINESS: A LAWYER'S GUIDE TO THE EMERGING LEGAL ISSUES, Computer Law Association, Current Issues Publications Series, at 45 (1996).

[53] Marcia Stepanek, Protecting E-Privacy: Washington Must Step In, BUSINESS WEEK, July 26, 1999, at EB 30.

[54] GBDe was launched in early 1999 and is composed of business leaders from more than 200 companies, including several leaders in media, software, telecom and banking. In September, 1999 a meeting was held amongst members in Paris to make a joint call for industry-led regulation for E-commerce. GBDe’s privacy protection suggestions included strengthening self-regulation and a digital "trustmark" for accredited sites, which did not garner support from the European attendees.

[55] The Electronic Commerce & Consumer Protection Group was formed in early September, 1999 by six large Internet companies joining forces to promote uniform global E-commerce laws. Chet Dembeck, Who Are the Big E-Commerce Players Really Watching Out For?, E-Commerce Times, <http://www.ecommercetimes.com>.

[56] Kenneth Neil Cukier, Global Business Group Seeks New E-Commerce Order, <http://www.herring.com/>.

[57] Stephen H. Wildstrom, A Big Boost for Net Privacy, BUSINESS WEEK, Apr. 5, 1999, at 23.

[58] The United States, which continues to dominate the Internet, is expected to reap half of such long-term benefits. See Michael J. Mandel, The Internet Economy: The World’s Next Growth Engine, Oct. 4, 1999, pg. 74. Business to business E-commerce is expected to grow from a $43 billion industry today to a $1.3 trillion industry by 2003. Matthew W. Beale, CyberTrust OK to Export Crypto Worldwide, E-COMMERCE TIMES, Sep. 27, 1999, <http://www.ecommercetimes.com/>.

[59] Encryption is the process of converting data into a form that is meant to be incomprehensible to all except authorized recipients. PRACTISING LAW INSTITUTE 19TH ANNUAL INSTITUTE ON COMPUTER LAW, at 110 (1999). See also Edward J. Radlo, Legal Issues in Cryptography, at 41 in J.T. Westermeier, General Law Update Part 2 (Legal Ethics and the ‘Net, UCC Article 2B, Encryption & New Computer Cases), in WORLD COMPUTER LAW CONGRESS AND THE 1997 COMPUTER AND TELECOMMUNICATIONS LAW UPDATE, Computer Law Association (1997).

[60] Cryptography is the more general concept, including not only encryption but also authentication. Related topics include key certification, key management, key escrow and key infrastructure.

[61] Neal J. Friedman, The Legal Challenge of the Global Information Infrastructure, CYBERSPACE LAWYER, Vol. 2, No. 10, at 10 (Jan. 1998).

[62] Id. Those entities commonly granted an exception to the mandatory key escrow provision were certain banks and other financial institutions.

[63] Gov’t Official Admits Current Gov’t Crypto Policy a ‘Failure’, CYBERSPACE LAWYER, Vol. 3, No. 3, at 30 (May 1998).

[64] Doug Brown & Diane Frank, White House Shifts Encryption Strategy, FEDERAL COMPUTER WEEK (Sep. 20, 1999) <http://www.fcw.com/>. See also Jack McCarthy, Crypto Export Rules Eased (Sep. 16, 1999) <http://www.thestandard.com/>.

[65] These actions are part of a plan entitled "Preserving America’s Privacy and Security in the Next Century: A Strategy for America in Cyberspace" which has been created by the Defense, Justice and Commerce Departments along with the Office of Management and Budget. Doug Brown & Diane Frank, White House Shifts Encryption Strategy, FEDERAL COMPUTER WEEK (Sep. 20, 1999) <http://www.fcw.com/>.

[66] Transcript of White House Press Briefing, Secretary Daley (Sep. 16, 1999) <http://www.epic.org/crypto/legislation/cesa/briefing.html>. See also White House Press Release, Office of Press Secretary, Sep. 16, 1999.

[67] The retail products and/or software discussed are those that do not require substantial support, are sold in tangible form, or have been specifically designed for individual customer use. Id.

[68] An Agreement among thirty-three countries with common controls and exports.

[69] Transcript of White House Press Briefing, Secretary Daley (Sep. 16, 1999) <http://www.epic.org/crypto/legislation/cesa/briefing.html>. See also Clinton Administration Talks About Encryption, TECH LAW JOURNAL (Sep. 17, 1999) <http://www.techlawjournal.com/encrypt/19990917a.htm>.

[70] Transcript of White House Press Briefing, Secretary Daley (Sep. 16, 1999) <http://www.epic.org/crypto/legislation/cesa/briefing.html>.

[71] Id.

[72] For example, the "retail encryption commodities and software" category was created. Goods falling into this category can now be exported to any end user, except one of the previously listed seven nations. These products "are those which are widely available and can be exported and reexported to anyone (including any Internet and telecommunications service provider), and can be used to provide any product or service (including e-commerce, client-server applications, or software subscriptions)." Commerce Department Releases Encryption Export Regulations, TECH LAW JOURNAL (Jan. 13, 2000) <http://www.techlawjournal.com/encrypt/20000113.htm>.

[73] U.S. DEPARTMENT OF COMMERCE, COMMERCE ANNOUNCES STREAMLINED ENCRYPTION EXPORT REGULATIONS (Jan. 12, 2000) (available at <http://204.193.246.62/public.nsf/docs/60D6B47456BB389F852568640078B6C0>).

[74] Commerce Revises Encryption Export Rules for January Implementation, 4 BNA ELECTRONIC COMMERCE & LAW REPORT No. 48 (December 22, 1999). Telecommunications and Internet service providers can further obtain and use any encryption product under this license exception to supply encryption services for the general public. Provision of government services, however, still requires a license. Commerce Department Releases Encryption Export Regulations, supra note 72.

[75] Once again, these new regulations are subject to review for 120 days, with a final revised rule issuing shortly thereafter. For a more detailed discussion of the newly released regulations, see U.S. DEPARTMENT OF COMMERCE, supra note 73; Commerce Department Releases Encryption Export Regulations, supra note 72.

[76] Per usual, CESA will not address domestic use and sale of encryption, which remains unregulated. See U.S. Relaxes Export Restrictions, E-COMMERCE NEWS (Sep. 17, 1999) <http://sellitontheweb.com/ezine/news0136.shtml>. See also Transcript of White House Press Briefing, Attorney General Janet Reno (Sep. 16, 1999) (available at <http://www.epic.org/crypto/legislation/cesa/briefing.html>). The Clinton administration is also scheduled to give $500 million to the Defense Department over the next few years to enhance information security practices. David M. Nadler & Valerie M. Furman, Administration Relaxes Restrictions on Encryption Software, MONDAQ BUSINESS BRIEFING, 2000 WL 9237976 (Feb. 7, 2000).

[77] A similarly controversial act is the Communications Assistance for Law Enforcement Act ("CALEA") of 1994 which requires the telecommunications industry to design its systems in compliance with FBI technical requirements to facilitate electronic surveillance. Recent FCC rulings regarding the CALEA would enable the FBI to track the physical locations of cellular phone users and monitor Internet traffic. On November 18, 1999, both the ACLU and EPIC initiated a court challenge to CALEA saying the FCC decision threatens communications privacy. See <http://www.epic.org/privacy/wiretap/calea/release_11_18_99.html>.

[78] Transcript of White House Press Briefing, Attorney General Janet Reno (Sep. 16, 1999) <http://www.epic.org/crypto/legislation/cesa/briefing.html>.

[79] Authored by Congressman Bob Goodlatte (R-Va) and Zoe Lofgren (D-Calif.). Following the September 16, 1999 Clinton administration statement concerning its loosening of export regulations, Congressman Goodlatte stated his belief that SAFE (H.R. 850) is alive and well—especially "in light of the details lacking in the Clinton plan." Administration Addresses Encryption Reform Proposal, TECHNOLOGY LAW JOURNAL, <http://www.techlawjournal.com/>. The status of the Promote Reliable Online Transactions to Encourage Commerce and Trade Act ("PROTECT"), which did not go as far as SAFE, sponsored by Senator John McCain and Senator Conrad Burns, remains uncertain.

[80] Transcript of White House Press Briefing, Deputy Secretary of Defense John Hamre (Sep. 16, 1999) (available at <http://www.epic.org/crypto/legislation/cesa/briefing.html>). Deputy Secretary of Defense John Hamre stated that SAFE would essentially allow the exportation of "anything of national security interest without any surveillance at all." As of November 12, 1999, the Clinton administration remains opposed to the passage of the Security and Freedom through Encryption Act. See Representatives Caution Clinton About Encryption Export Regulations, TECH LAW JOURNAL (Nov. 12, 1999) <http://www.techlawjournal.com/encrypt/19991112.htm>. Following release of the new encryption regulations on January 12, 2000, Rep. Goodlatte advised that "the House remains ready to take up H.R. 850 if the regulations do not allow American companies to fully compete in the global marketplace." See Commerce Department Releases Encryption Export Regulations, supra note 72.

[81] Kathleen Ellis, Encryption Exports: Small Step forward, Big Step Back, <http://www.slashdot.org/>.

[82] Ted Bridis, The Associated Press, A Small Step. Encryption Export Rules Relaxed, <http://www.abcnews.go.com/>.

[83] 176 F.3d 1132 (9th Cir. 1999).

[84] PRACTISING LAW INSTITUTE 19TH ANNUAL INSTITUTE ON COMPUTER LAW, at 287 (1999).

[85] 192 F.3d 1308 (9th Cir. 1999).

[86] Michael J. Mandel, The Internet Economy: The World’s Next Growth Engine, BUSINESS WEEK, (Oct. 4, 1999), at 76.

[87] Neal J. Friedman, The Legal Challenge of the Global Information Infrastructure, CYBERSPACE LAWYER, Vol. 2, No. 10, at 8 (Jan., 1998).

[88] Id. at 9.


Author Biography

David Bender is Of Counsel at White & Case, L.L.P. in New York. An intellectual property attorney with a concentration in computer software and services, Mr. Bender has extensive experience in contracting, litigation and counseling. He negotiates and drafts all types of agreements relating to computer software and hardware, litigates computer-related disputes and directs intellectual property due diligence investigations. Mr. Bender is the author of Computer Law: Software Protection and Litigation, a three-volume treatise, and of a number of law review articles on topics relating to computer, intellectual property and antitrust law. He has published numerous papers in conference handbooks and has been a guest speaker at many seminars in the United States and abroad. Mr. Bender, a registered U.S. patent attorney, has represented a variety of corporations in the area of computer software and services. Over the past 10 years, he has drafted and supervised approximately 200 computer software and service agreements of all types and degrees of complexity. Before joining White & Case, Mr. Bender was General Attorney, Intellectual Property Litigation, for AT&T. Prior to that, he was in private practice.


Discussion

Name: Christopher Gatewood
Title: Editor-in-Chief 1999-2000
Affiliation: Va J L & Tech
I take it that under this proposal, the applicable sales tax would be determined by the purchaser's location. A major loophole seems to be that whether a merchant is subject to the tax requirement depends on his own location, at least until the international community arrives at a consensus on sales tax, the likes of which the world has never seen. It seems therefore that moving an e-sales company (some combination of its servers, its place of incorporation, its principal place of business) just outside of the U.S. would allow that service's users to get a no-tax discount.

Name: Richard W. Boone Jr.
Title: Editor-in-Chief 2000-2001
Affiliation: Va J L & Tech
I concur with Mr. Gatewood. The imposition of sales tax on Internet transactions creates an incentive to relocate e-businesses outside of the U.S. This effect is not felt with ordinary sales taxes because it is not cost effective for consumers to go elsewhere to avoid the tax. However, because the Internet is a truly global medium, consumers can shop anywhere they want without additional effort. Therefore, as long as the e-business is located in a place where shipping costs are similar to U.S. locations, it can effectively offer customers a discount. One way to avoid this effect is to impose a tariff on imports. However, this just creates new problems because such a tariff would conflict with our international trade obligations (NAFTA, GATT, etc.).