6 Current Strategies for Dealing With Trespass in Cyberspace
Many steps are being taken through technology, legislation, and social norms to combat trespass in cyberspace. Many piecewise solutions, the effectiveness and the legality of which are questionable, have been proposed by governments, organizations, and outraged individuals. Due to the strong individual and communal sentiment against it, an especially large effort is being undertaken to stop unsolicited commercial email, or spam.
6.1 Technology
Just as many companies sell software to facilitate the sending of bulk email, several organizations offer software applications, available both commercially and as freeware, to filter out unwanted email. Filters currently work based on either origin or content. Origin-based filters block all incoming email that is sent from domain names on an opt-out list. Alternately, opt-in origin-based filters allow the reception only of email that originates from recognized and trusted domains. For example, a user may enable a filter to allow messages only from friends and relatives on an opt-in list. Likewise, filtering based on content may use an opt-out or an opt-in approach. For instance, a content-based filter may block all messages containing the phrase "make money fast" or may allow only messages containing a certain code word to enter the recipient's mailbox. Filters may be implemented at different levels of application: by individual users, by network administrators, or by ISPs.
Unfortunately, the integrity of the messages being sent severely limits the effectiveness of filtering. Commercial emailers often forge their sender information and use misleading subject headings in order to avoid unwanted replies and to circumvent filters. In an effort to improve the effectiveness of filters, other technologies have been suggested to work in conjunction with filters. For example, digital signatures could be used to verify the domain names of senders. Labeling standards, similar to PICS,[76] could be implemented to categorize all email. Under this regime, all commercial email would be labeled as such. Then, filters would be better able to identify and sort out unsolicited email. Additionally, commercial emailers could maintain remove lists to discontinue the sending unsolicited email to users who request to be taken off of their distribution lists. However, this technology only works after a user has received spam and, again, relies on the integrity of the sender to honor the recipient's request for removal. From a different angle, the Ad Hoc Working Committee has proposed a system that would channel mail into dynamically generated accounts as well as Bulk Mail Transfer Protocol (BMTP), an alternative to Simple Mail Transfer Protocol, which would actually use a separate channel for email sent in bulk.[77] In order to achieve universal acceptance, though, these technologies would need to be implemented in a fashion that would require their use, either through law or code, as an accepted standard available for all email communications.
Technologies to prevent forms of cyberspace trespass other than spam can also be employed. On the World Wide Web, sites can require digital certificates before allowing users to view certain pages, and cancelbots can be used to delete multiple postings to online discussion groups. For networks and individual computers, software such as CyberSoft's VFind can be used to scan for computer viruses and to detect trojan horses. To protect against viruses, local routers can be programmed to filter all packets from an attacking source. Network administrators can also build firewalls around their systems to increase the difficulty of gaining access from outside of the network.
It is important to point out that unauthorized access frequently occurs when a hacker exploits a defect in a security system. Although many of the previously mentioned methods are effective in deterring intruders, they may be expensive or require extensive technological abilities in order to be implemented. Moreover, network administrators and individual users must consider the trade-off between cost and the level of security they wish to install.
6.2 Legislation and Government
In 1991 both the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) established computer crime units. While the CFAA is the only federal legislation that addresses trespass in cyberspace, it does not specifically address unsolicited commercial email as an offense. Many states, including
At the federal level, anti-spam bills are pending. The Anti-Slamming Bill (HR 3888), a telecommunications act, includes an amendment to prohibit forged return addresses on email and to require that commercial emailers maintain remove lists.[79] A more stringent bill, the Netizen's Protection Act (HR 1748), seeks to ban all unsolicited advertisements by email and to require correct sender information on all electronic mail.[80] The requirement of accurate sender information would certainly help individual users to filter out unwanted email from known spammers; however, this legal approach fails in two respects. First, the legality of this legislation is questionable on the grounds of First Amendment rights since these proposals may be interpreted as infringing upon free speech and privacy. Second,
6.3 Social Norms and Markets
Due to the intrusion of spam into the established cultural of the Internet, an intense anti-spam movement based on social norms has emerged among much of the Internet community in recent years. Using a vigilante approach, some annoyed email recipients fight spam with spam by sending numerous, and often vehement, replies back to the sender. At a higher level, groups have been organized for the sole purpose of eliminating spam. For example, the Coalition Against Unsolicited Commercial Email (CAUCE) advocates a legislative approach and supports the Netizen's Protection Act.[81] Other groups have created communal databases, such as SAFEeps, of people who do not wish to receive spam.[82]
The debate over spam has even brought together parties with conflicting interests in hope of reaching some sort of agreement. Comprised of representatives from ISPs, on-line advertising companies, software companies, anti-spam organizations, and civil liberties groups, the Ad-Hoc Working Group submitted a report to the FTC which called for certain technical and legislative reforms to reduce significantly the amount of spam.
A more extreme grassroots approach has been incorporated in the Realtime Blackhole List (RBL).[83] Clearly, the legality of the RBL is questionable due to its overbroad protection which blocks more email than just spam. It also may violate the Sherman Antitrust Act if it is interpreted as conspiracy in the restraint of trade. Nonetheless, althought the RBL may not be the most desirable method for eliminating spam, it has proven effective in many respects and has shown that the Internet community will not stand for spam.
In a less drastic way, individual users may also fight spam by reporting the receipt of unsolicited email to ISPs, mail providers, and network administrators with the hope that these authorities will implement or enforce anti-spam policies. Additionally, a market approach could be taken by charging, in terms of cash or computation time, commercial emailers for each unsolicited advertisement they send.
In addition to attempts to reduce spam, efforts can also be made to prevent other forms of unauthorized access. Users can choose their network passwords carefully to reduce the risk of hackers falsely logging in as them. Network administrators can implement policies to deter potential hackers. For instance, many network administrators log the number of failed log-in attempts to their system. If the network administrator notices three successive failed log-in attempts, he could send a message to the IP address where this failure occurred to let the user know that he is being watched for suspicious activity. Such action may prevent a potential hacker from continuing an attempted network break-in. The bottom line is that users and network administrators should use common sense and implement policies, when possible, so that they do not make breaking into a network any easier for hackers.
7 Metaphors
In general, metaphors can be a helpful means of analyzing novel situations. For example, hacking a web page on the World Wide Web can be likened to entering a door marked as private on a busy city street. Similarly, sending spam email can be compared to engaging in traditional direct marketing. Ultimately, however, these metaphors are limited both in their descriptive and in their normative powers. Criminal activity on the Internet, or at least, activity which seems like it should be criminal, is rarely as simple as the prototypical trespass case. Cyber-trespass often involves interactions that are more complex and nuanced than real space trespass, and cyber-trespass often raises questions about the scope and relative importance of the elements of trespass. More general property metaphors also fail. For example, hacking a web page and sending spam email are closely bound up with notions of property and violation of ownership. However, such traditional textbook analyses often fall short and raise more questions than they answer.
This section reviews the inadequacy of the trespass metaphor in the abstract, then explores two specific applications of the trespass metaphor. When all three fail, this section proposes breaking down the analysis of trespass to a conceptual level and distilling important principles. After establishing the definitions of important terms and concepts, this paper will explore the legal and technical architectures that can help implement these principles in cyberspace.
7.1 The Trespass Metaphor in the Abstract
As discussed earlier, courts agree that trespass can be applied to cyberspace. However, certain problems arise from the differences between real space and cyberspace in this application. First, a broad range of definitions and interpretations exists in deciphering the language involved. For example, the cyberspace terms "property" and "entry" are inherently different from their real space counterparts. Does cyberspace "property" include both hardware and software on personal computers? Who, if anyone, owns data that is stored remotely or while it is being transferred via network connections? A consistent use of these terms relies upon a common, but currently nonexistent, understanding of their translations into cyberspace. Unlike the real space language of trespass, however, the definitions of these terms may become quickly obsolete.
Currently, the CFAA defines a computer as:
...an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device.[84]
The accuracy of this definition is questionable even today. How long will it be until it is obsolete? With the incredibly fast rate of change in technology, new devices that cannot be construed under this definition will force adaptations of this model.
Second, detecting computer trespass may be significantly more difficult in cyberspace than it is in real space. Electronic signals that trespass onto a computer are intrinsically more difficult to detect than a person who trespasses upon another's property. In cyberspace, a person less often knows when his computer is being trespassed upon, and sometimes no evidence exists to prove that trespass occurred. For instance, trojan horses and active Java applets may copy or borrow a computer's resources without the computer's owner ever knowing.
A propagation effect of trespass may also be more pronounced in cyberspace. In real space, a trespasser can only be on one piece of property at any given time. Through network connections, though, vehicles of trespass may be passed along from one computer to another quite easily. For example, an animated email that steals computer resources can easily be forward from one computer to another. Viruses and Internet worms that travel through networks also contribute to the rapid spread of trespass instances.
Finally, enforcement of legislation against trespass also becomes more difficult in cyberspace. Certainly, it is impossible to punish illegal behavior that cannot be detected or proved, but even known trespass may be difficult to prosecute due to the current status of laws and the nature of the Internet. Cyberspace trespass transcends the element of location which physically exists in real space. Location and property are key elements in enforcing legislation against trespass, but they are not well defined in cyberspace. Thus it appears that the trespass metaphor fails to adequately describe actions in cyberspace.
7.2 Specific Trespass Metaphor: Street of Doorways
Hacking a web page lends itself naturally to comparison with physical entry. As Trotter Hardy wrote, "[m]any of the words used to describe Web sites have a basis in real property: the word 'site' itself is one, as are such expressions as 'home pages,' 'visiting' web sites, 'traveling' to a site and the like."[85] This property metaphor envisions the World Wide Web as a series of interconnected loci; a network of doors, both public and private, which the surfer can visit -- or at least, try the doorknobs. Unauthorized access or modification of a web page is therefore comparable to unauthorized entry of a physical space.
Because of the intermingled characteristic of the World Wide Web, this metaphor envisions the geography of a
The doorways metaphor relies on traditional trespass laws to the extent that once a door is defined as public, private, or something in between, unauthorized access is determined to be trespass. The owner of a private residence can exclude others without cause; a reason as simple as "I don't like the way you look" will suffice. The owner of a social club also has significant discretion in choosing whom to admit and exclude; as long as it is a private club, users who do not fit the club's membership requirements can be excluded and, theoretically, charged with trespass.[86] However, the owner of a grocery store or movie theater has significantly less freedom to exclude. Title II of the Civil Rights Act of 1964,[87] as well as state laws,[88] prohibit exclusion on the basis of factors such as sex and race. Ejectment must be on the basis of grounds such as violent or disruptive conduct.[89] Otherwise, the establishment will be held liable for violating the ejectee's civil rights.[90]
The difficulty with applying this analogy to cyberspace is that the "doorways" do not always identify what lie inside. Because web pages often feature hyperlinks without describing the linked pages, the user frequently does not know the nature of a site until he or she enters it.[91] Sometimes, the access is the result of confusion of the part of web page creator. [92]
Conceivably, unwelcome access could also occur if the creator of a web page were to link her site to an otherwise unavailable web site[93] without that site's consent. Users might also stumble upon a confidential web page after guessing at a URL.[94] While the real space metaphor presumes an element of intent on the trespasser's part, these scenarios illustrate the way in which inadequate labeling in cyberspace can lead to ambiguity over whether the intruder intended to trespass, and thus whether it makes sense to punish her. Labeling issues aside, the real space "doorways" metaphor does accurately map the intuition in cyberspace that the owner of a personal homepage should seek to install a lock or at least close the front door[95] before bringing a lawsuit for trespass. Owners should not have an expectation of privacy in property which they leave out in the open, accessible to all who happen by. However, there is a strong social norm in cyberspace permitting users to visit numerous doorways and to try multiple doorknobs. There is also much less social condemnation for hackers who enter a computer upon finding a security hole than there is for burglars who enter a building.[96]
Thus, for all the reasons stated above, the metaphor comparing the World Wide Web to a street of doorways is a poor fit at times.
7.3 Specific Trespass Metaphor: Direct Marketing
Spam email can also be thought of in terms of an analogy -- specifically, the analogy to direct marketing. Whether door-to-door sales, telemarketing, junk mail, or fax advertisements, direct marketing shares several characteristics with spam email: They are both unsolicited, they are both commercial in nature, and they are both directed towards a known and finite audience. These similarities have led some courts and commentators to think of and treat spam email as yet another form of direct marketing,[97] subject to the same principles of trespass to land and trespass to chattel.[98]
These principles vary depending on the medium of direct marketing. Because of its intrusiveness, the Supreme Court has held that commercial door-to-door advertising may be regulated as to time, place and manner by state and federal governments.[99] However, because of important First Amendment considerations, governments may not prohibit such solicitations altogether.[100] Similarly, the Ninth Circuit has upheld restrictive regulations on telephone solicitation requiring callers to identify themselves, to call only during reasonable times, to allow individuals to choose not to receive future calls, and to refrain from using automated calling machines[101], but has limited the range of permissible limitations to content-neutral time, place, and manner restrictions that are narrowly tailored to meet important government objectives.[102]
Because of their less intrusive nature, direct mail solicitations are subject to less restrictive regulations than are door-to-door and telephone solicitations.[103] Individuals may still filter junk mail by making requests of the postmaster,[104] and governments may require the labeling of unsolicited commercial mail as such.[105] However, the Court has held that governments may not themselves filter or prohibit such commercial mail.[106]
Finally, fax solicitations have been treated in an entirely different manner. The Federal Telephone Consumer Protection Act of 1991 (TCPA) totally bans all unsolicited advertisements by fax.[107] Because fax solicitations force the conversion of the recipient's paper and toner for the advertiser's use, and because receiving unsolicited faxes can tie up the recipient's resources, preventing her from receiving other, wanted communications, courts have upheld the constitutionality of the TCPA.[108]
Drawing from these analogies, one commentator has argued that spam email should be regulated by the government through a labeling requirement for junk communications, restrictions on the sale of personal information, or a complete ban on electronic solicitations.[109] Carroll asserts that unless spam email falls under the "cost-shifting and scarcity" exception of fax solicitations, a complete ban would treat all commercial solicitations as trespasses per se, even if some recipients may have welcomed the solicitations. Analogizing to the door-to-door solicitations that were under consideration in Project 80's, Inc. v. City of
However, the validity of the direct marketing metaphor is questionable. Although spam email is like the other forms of direct marketing, it differs from each form in a significant manner. Unlike door-to-door, telephone, and direct mail advertising, spam email comes at almost no cost to the advertiser. After the initial purchase of computer equipment and mailing lists, the marginal cost to the spam emailer of sending one more email is virtually zero. This enables the spam emailer to costlessly send many more messages to many more people. Thus, spam emailing lacks the built-in cost deterrent present in other forms of direct advertising. Considering that studies have found direct mail to be profitable with only a 1% response rate,[112] even with the significant costs of printing and postage, there seems to be enormous potential for spam email to overflood and paralyze the Internet. This would suggest more stringent regulations on spam email.
Another disjuncture in the analogy concerns the disruptiveness of the communication. Receiving an email is not as attention-demanding[113] or as intrusive[114] as a knock at the door or a ring on the telephone. In this aspect, it is most similar to direct mail and fax solicitations. This feature suggests less stringent regulations on spam email.
However, spam email differs from fax solicitations yet again in the areas which distinguish fax solicitations from door-to-door, telephone, and direct mailing: cost-shifting and scarcity. Although there may be some cost-shifting for those who subscribe to pay-by-minute commercial online services,[115] a significant -- if not greater -- number of users have free or flat-rate Internet access.[116] Cost-shifting is therefore not as compelling an argument as it is in the fax transmission context.[117] Moreover, spam emailing has not yet reached the scale where other types of email are precluded, whether because of the timing of the transmission or because of the volume of memory occupied. The absence of cost shifting and of resource scarcity militate in favor of a less stringent regulatory regime.
Moreover, there are several aspects of spam email that were never even contemplated in the analogous media. Most users obtain email accounts through third-party ISP's; maintenance of these email accounts is subject to contractual agreements between the recipient and the ISP (such as subscription agreements), and between the sender and the ISP (such as policy statements). Although analogous contractual agreements exist in real space (renting a post-office box, for example), the application of contract law exceeds the normal boundaries of the direct marketing metaphor. Courts have begun to consider the application of contract rules to spam email situations,[118], but many questions remain unexplored and unanswered. Who has standing to sue the spam emailer -- the recipient or the ISP? Could the ISP be held liable for negligently failing to filter obviously commercial email? Alternatively, is ownership of an email account an implicit signal that commercial mail is welcome? Is the email inbox public or private space? Does the answer to this depend on whether one is an ISP, or whether one contracts with an ISP? As one commentator has stated, "A home in the real world is, among other things, a way of keeping the world out. . . . An online home, on the other hand, is a little hole you drill in a wall of your real home to let the world in."[119] Such a view suggests that commercial email is to be tolerated and even expected -- yet another conflicting recommendation resulting from the trespass metaphor.
7.4 The Usefulness and Limits of Metaphors
As demonstrated above, the trespass metaphor fails both in the abstract and in two specific applications. It thus appears that trespass-esque crimes in cyberspace, such as hacking web pages and spamming, are their own animal -- so much so that they should not be stretched or squeezed to fit pre-existing analogous molds. Nevertheless, the shortcomings of the specific metaphors have led commentators such as Carroll to pick and choose from the extant options to fashion the solution that "feels" the best, without articulating a coherent principle for the rules and exceptions proposed.[120] This problem is compounded by the natural tendency to draw connections among metaphors. For example, when envisioning an architecture for dealing with cyber-trespass in general, it is tempting to add the "feel-good" solution for spam email to the "feel-good" solution for web page hacking and to find an answer in the average. However, the limitations of metaphors as an analytical tool suggest that a different kind of analysis is required to evaluate a regime as different and unprecedented as cyberspace.
Metaphors serve a useful purpose, and are especially favored by lawyers, who are constantly challenged by bizarre and unforeseen fact patterns that stretch the limits of legal precedent. Comparing interactions and relationships that exist only in cyberspace to real-world situations is helpful to the extent that it extends core principles to new and complex situations where the novelty itself is distracting. This helps to preserve common values and ensure that they survive the development of a new legal regime. Using metaphors also "places new modes of processing and interacting with information in a familiar framework and . . . make[s] users feel comfortable with the new technologies."[121] This helps to promote the spread and assimilation of the new technology.
However, using metaphors can lead to counterintuitive or undesirable results. For example, some opponents of spam email argue that the metaphor of direct marketing ignores the strong cultural norms of the Internet that condemn commercial communications. Thus, someone who is indifferent to, or even enjoys, receiving direct mail might find spam email utterly offensive. Similarly, the strong cultural acceptance of hacking in cyberspace may lead to a user tolerating or supporting the hacking of web pages while at the same time condemning trespass in real space. For such users (who at one point constituted the majority of Internet users), application of the real space metaphor would lead to an undesirable result in cyberspace.
Using metaphors can also result in inconsistency and confusion. Depending on which medium of direct advertising is selected, the recommendations for regulating spam email differ considerably. Comparisons to door-to-door and telephone solicitation suggest time, place, and manner restrictions. Comparisons to direct mail solicitations suggest user regulation and some government regulation. Comparisons to fax transmissions suggest a complete ban. Instead of recognizing that the comparison to direct marketing is apt because spam email is like -- and equal to -- the other types of commercial solicitation, commentators and courts are tempted to categorize spam email into one of the four types and make adjustments according to what "feels right." Similarly, comparisons between hacking and trespass tend to get caught up in the categories and exceptions of real space. Is the web page like a commercial storefront? A living room? A bedroom? A bedroom with a "Do Not Disturb" sign on it? Although such exercises can help define an appropriate course of action, conflicting recommendations are ultimately unhelpful.
More insidiously, using metaphors poses the risk of gazing myopically on a new frontier. Indeed, some commentators would argue that the risk of shortsightedness is near certainty. As Ethan Katsh writes, "Particularly during the early phase of the development of some new technology, differences in how some task is conducted are not necessarily easy to recognize and, as a result, the qualitative differences between the old and the new technologies tend to be neglected. It is almost to be expected that how the new media differ from the old will be glossed over. Thus, early films were labeled 'moving pictures' and were not immediately understood to be an art form."[122] As another commentator has observed, "the first cars were called 'horseless carriages' and looked as though they were designed to be pulled by a horse. It took many years to realize that a good shape for a car is quite different. Radio was originally called "wireless telegraphy"; it took years to realize that the great application of radio was broadcasting."[123]
Thinking about trespass-like behavior in cyberspace solely under the rubric of trespass can lead to this same myopia. For example, one commentator recently evaluated spamming by presenting two conflicting metaphors, discussing related case law, and glibly reducing the inquiry to "determin[ing] if receiving unwanted email is more similar to Consolidated Edison and Bolger, or to Frisby."[124] The practice of hurriedly latching onto a metaphor runs the risk of limiting potential solutions to variants of that metaphor, and may subsequently ignore entirely different metaphors that prove more illustrative.
Moreover, an over-preoccupation with property lines and defining "mine" vs. "yours" could hamper the development of the Internet in directions that do not depend on barriers and zones. One such zone-free possibility is the conception of the Internet as a world without hard drives. Rather than being stored in any physical locus, information would be stored in constant motion over a worldwide network from which information may be recalled instantly. Thus, the best uses of the Internet may be yet unseen, and may turn out to be premised on concepts that are totally unreliant on notions of property.
7.5 Conceptualization: A More Helpful Approach
A more helpful and robust approach is to extract important principles and concepts from the obvious metaphors, and then determine how best to preserve those principles and concepts in the new regime. In the context of real space trespass, several important concepts emerge. These are explored below.
Containers
One of the most important concepts in the realm of trespass is the concept of containers as the barrier between what is private and what is public. Whether the container is an envelope that affords a letter all the protection of the federal postal statutes, the four walls of a building that define the space within as private and subject to Fourth Amendment protections, or a purse which can neither be opened and rummaged through, nor bent and worked to determine the shape of what is inside, containers are the basis of trespass and property law as the thing which bestows and defines ownership. In cyberspace, the concept of containers could mean the architecture of a personal folder on a shared hard drive; a user id and password reque
附件
2007826212103_701.jpg
附件
demo1.rar
