LA

B.A./B.B.A.LL.B (Hons)
SEMESTER VI
IM
SH
INFORMATION TECHNOLGY LAWS
LU
PN

Compiled & Edited By:

H

Ms. Navditya Tanwar Kaundal

HIMACHAL PRADESH NATIONAL LAW UNIVERSITY

GHANDAL, SUB TEHSIL - DHAMI

P.O - SHAKARAH

SHIMLA-171014

DECEMBER, 2019

(For private circulation only)

 Paper : LLB 604 Semester- VI

B.A./B.B.A. LL.B. (Hons.)

The development in information and communication technologies (ICT) has led to multifaceted
challenges to the existing legal regime. The problems could be seen in the areas of crime, torts,
contract and intellectual property etc. The rapid growth of ICT has raised various complex
questions which need to be addressed. This has been the concern of the legislators all over the
world and each legal system has attempted to change the law according to the changing needs of
the times. United Nations Commission on International Trade Related aspects of law
(UNCITRAL) proposed a model law on e-commerce in 1996 with the objective to propose a
kind of guide to all the countries in enacting their own laws. UNCITRAL model law also
inspires the Indian Information Technology Act, 2000. The Act provides for laws relating to e-
commerce and cyber offences. The present course is not only limited to the existing legal

LA
framework an attempt will also be made to analyse the grey areas like data protection, cyber
stalking and multi- media and to understand international development in this area.

Objectives:
IM
SH
1) To familiarise students with the dynamics of cyber law with a focus on new forms of
cybercrimes.
LU

2) To give an update of recent cyber law developments and case laws.

3) To engage with today’s cyber law reality and debates.

PN

4) To provide knowledge and modus operandi useful for the Indian law.
H

Prescribed Legislation:

1. Information Technology Act, 2000 and corresponding Rules and Regulations

2. Trade Marks Act, 1999

3. Indian Penal Code, 1860

4. The Copyright Act, 1994

5. Protection of Children from Sexual Offences Act, 2012

6. Indian Evidence Act, 1872

7. Patents Act, 1970

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.1

8. Indian Contract Act, 1872

Suggested Readings:

1) Sharma Vakul, Information Technology Law & Practice, 5th Edn.( New Delhi: Universal
Law Publishing Co.Pvt. Ltd.2016)

2) Seth Karnika (2016) Computers, Internet And New Technology Laws- A

Comprehensive Reference Work with Special Focus on Developments in India, 2nd
Edn.(Lexis Nexis,2016)

3) Rodney D.Ryder, Intellectual Property and Internet (New Delhi: Butterworths, 2002)

4) Nadan Kamath Ed., Law relating to Computers and the Internet (New Delhi: Universal
Law Publishing Co. Pvt.Ltd.,2000)

LA
5) Rahul Matthan, The Law Relating to Computers and the Internet and E-Commerce(New
delhi: Butterworths, 2000)

IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.2

Syllabus:

Module-1

Cyber Jurisprudence and Fundamentals of Information Technology

(Total Lectures – 20 Lectures)

[This module aims to acquaint students with the terms Information Technology & Cyberspace.
It delves into significance and growth of Information Technology and concepts such as Digital
World and related issues] (Ss. 1- 2, 4,5 and 79)

LA
1.1 Cyberspace and Information Technology

1.2 Overview of computer and web technology

IM
SH
1.3 Defining Cyberspace and its components

1.4 Regulations of Cyberspace: Issues and Challenges

1.5 Concept of E-Governance; Convergence of technologies and legal issues

LU
PN

Module-2

E-Contract, E-Commerce and E-Banking

H

(Total Lectures – 10 Lectures)

[This module emphasis on the principles of formation of contracts and regulatory framework for
E-Commerce and E-Banking] (Ss. 3, 3A, 10A, 11-13, S.6 of N.I.Act)

2.1 E-Contract, Mail Box rule, Impact of I.T Act on E-Commerce; Formations of E-
Contracts; Types of E-Contracts-Shrink wrap, Browse wrap and Click Wrap; UNCITRAL
MODEL Law on E-commerce,1996.

2.2 Introduction to e-commerce and regulatory paradigms for e-commerce; e-commerce and
IPRs; Protection of commercial data in Online medium.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.3

2.3 Taxation and e-commerce

2.4 E-commerce and Consumer Protection; E banking and Electronic Payment System; Legal
issues and E-banking

2.5 Jurisdictional issues in e-commerce and dispute resolution mechanism; digital and
electronic signature: law and technology

Module-3

Intellectual Property Issues in Cyberspace

LA
(Total Lectures – 15 Lectures)

[This module deals with the issues relating to protection of Intellectual Property Rights in

IM
cyberspace] (Ss.2, 14, 51, 52, 56, 57 I.T Act; Ss. 63B, 65A, 65B Copyright Act, 1957;
S. 27, 29 134 Trade Marks Act, 1999)
SH
3.1 Protection of Copy right in cyberspace; linking, framing, caching and digital piracy.
LU

3.2 Liability of ISP’s for copyright violations

3.3 Protection of multimedia works in cyberspace; IP protection to computer software and

computer generated works
PN

3.4 Protection of Trademarks in cyberspace – cybersquatting, domain name dispute, reverse

domain hijacking and meta-tagging; ICANN Dispute Resolution Policy and WIPO
H

3.5 Patents Protection in cyberspace; protection of trade secrets.

Module-4

Cyber Wrongs; Cyber Crimes and Jurisdiction in Cyberspace

(Total Lectures – 20 Lectures)

[The module deals with regulation of cyber wrong, cybercrimes and elucidates on criminal
activity done with the use of computers and how computer crimes differ from execution of other
crimes, its implication and protective measures] (Ss. 43- 43A, 65, 74, 75)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.4

4.1 Defining Cyber wrongs and cybercrimes; ingredients of cyber offences; typology of cyber
offence; cyber offence against persons; cyber offence against economy, countries and based on
contents.

4.2 Adjudications of cyber wrongs and cybercrimes.

4.3 Cyber privacy, electronic surveillance and legal issues; international responses to cybercrime.

4.4 Principles of jurisdiction and jurisdiction in cyberspace.

4.5 US approach towards cyberspace jurisdiction; Indian approach towards cyberspace;

jurisdiction based on Procedural laws of India

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.5

 RENO v. ACLU: THE FIRST CONGRESSIONAL ATTEMPT
TO REGULATE PORNOGRAPHY ON THE INTERNET
FAILS FIRST AMENDMENT SCRUTINY

I. INTRODUCTION

In 1999, an estimated 200 million personal computer users will

access the Internet on a regular basis.' In 1996, in an effort to regu-
late this new medium, Congress passed Title V of the Telecommuni-
cations Act, also known as the Communications Decency Act
(CDA).2 Mter the CDA received presidential approval, forty-seven
plaintiffs3 filed suit against the Attorney General of the United
States and the Department of Justice. 4 The plaintiffs alleged that
sections 223(a)5 and 223(d)6 of the CDA were facially unconstitu-

LA
1. See ACLU v. Reno, 929 F. Supp. 824, 831 (E.D. Pa. 1996).
2. See Reno v. ACLU, 117 S. CL 2329, 2337-38 (1997).
IM
3. See id. at 2339 nn.27-28. The 47 plaintiffs included organizations and corpora-
tions such as the National Press Photographers Association, American Civil
Liberties Union, Planned Parenthood Federation of America, America On-
SH
line, Apple Computer, CompuServe, Magazine Publishers of America, and
Microsoft Corporation. See id.
4. See id.
5. 47 U.S.C.A. § 223(a) (Supp. 1998). This section provides in pertinent part:
LU

(a) Prohibited general purposes Whoever- (1) in interstate or foreign

communications (A) by means of a telecommunications device know-
ingly (i) makes, creates, or solicits, and (ii) initiates the transmission
of, any comment request, suggestion, proposal, image or other com-
PN

munication which is obscene, lewd, lascivious, filthy, or indecent,

with intent to annoy, abuse, threaten, or harass another person; (b)
by means of a telecommunications device knowingly-(i) makes, cre-
ates, or solicits, and (ii) initiates the transmission of, any comment,
H

request, suggestion, proposal, image, or other communication which

is obscene or indecent, knowing that the recipient of the communi-
cation is under 18 years of age, regardless of whether the maker of
such communication placed the call or initiated the communication
(2) knowingly permits any telecommunications facility under his con-
trol to be used for any activity prohibited by paragraph (1) with the
intent that it be used for such activity, shall be fined under Title 18,
or imprisoned not more than two years, or both.
[d.
6. 47 U.S.C.A. § 223(d) (Supp. 1998). This section provided in pertinent part:
(d) Sending or displaying offensive material to persons under 18
Whoever-( 1) in interstate or foreig!1 communications knowingly-(A)

273

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.6

 274 Baltimore Law Review [Vol. 28

tional. 7 The challenged provisions were aimed to protect individuals

under eighteen years of age from receiving harmful communica-
tions over the Internet. s The plaintiffs asserted that sections 223(a),
which prohibited knowingly transmitting obscene or indecent com-
munications to minors,9 and 223(d), which prohibited knowingly
sending or displaying sexually explicit messages that were patently
offensive to minors,1O violated their First Amendment free speech
and Fifth Amendment due process rights}1
Mter conducting an evidentiary hearing,12 the United States
District Court for the Eastern District of Pennsylvania issued a pre-
liminary injunction preventing the government from enforcing both
provisions. 13 The Government appealed directly to the Supreme
Court.14 The issue before the United States Supreme Court was
whether sections 223(a)and 223(d) of the CDA violated both the

LA
uses an interactive computer service to send a specific person or per-
sons under 18 years of age, or (B) uses any interactive computer ser-
IM
vice to display in a manner available to a person under 18 years of
age, any comment request, suggestion, proposal, image, or other
communication that, in context, depicts or describes, in terms pa-
SH
tently offensive as measured by contemporary community standards,
sexual or excretory activities or organs, regardless of whether the
user of such service placed the call or initiated the communication;
or (2) Knowingly permits any telecommunications facility under such
LU

person's control to be used for an activity prohibited by para-

graph(1) with the intent that it be used for such activity, shall be
fined under Title 18, or imprisoned not more than two years, or
both.
PN

[d.
7. See ACLU v. Reno, 929 F. Supp. 824, 826 (E.D. Pa. 1996). Twenty plaintiffs filed
suit immediately after the statute was signed by President William Clinton,
challenging the constitutionality of both sections 223(a) and 223(d). See Reno,
H

117 S. Ct. at 2339. The district judge entered a temporary restraining order,
but only against the enforcement of section 223(a) as it applied to indecent
communications. See id. Thereafter, twenty-seven plaintiffs filed a second suit
challenging the same two provisions. See id. The two suits were consolidated
and heard by a three-judge panel of the district court as permitted under sec-
tion 561 of the Act. See id.
8. See Reno,117 S. Ct. at 2331.
9. See supra note 5.
10. See supra note 6.
11. See ACLU, 929 F. Supp. at 849.
12. See id. at 827.
13. See id.
14. See id. at 826. The Government directly appealed to the Supreme Court as per-
mitted by the statute. See Reno v. ACLU, 117 S.Ct. 2329, 234041 (1997) (apply-
ing 47 U.S.C. § 561 (Supp. 199~».

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.7

 1998] Reno v. ACLU 275
First lS and Fifth 16 Amendments because of overbreadth and
vagueness. 17
The United States Supreme Court resolved the First Amend-
ment issue in Reno v. ACLU,18 Certain language in the statutory pro-
visions abridged the right to freedom of speech protected under
the First Amendment. 19 The Court deemed the provisions facially
unconstitutional,2o Finding the statutory provisions in violation of
the First Amendment,21 the Court did not resolve the question of
whether the vagueness of both provisions violated the Fifth Amend-
ment. 22 In reaching its decision, the Supreme Court announced that
the Internet deserves the highest degree of protection against gov-
ernmental intrusion because it is the most participatory form of
mass communication ever created. 23
In order to explain the Supreme Court's First Amendment in-

LA
quiry in Reno, Section II of this Note details several past Supreme
Court cases that establish the parameters from which the Reno
Court worked to resolve the issue presented,24 as well as a history of
IM
the medium examined by the Reno Court-the Internet. 25 In Section
III, this Note summarizes the facts, opinion, and rationale of the
SH
Reno decision. 26 Section IV critiques the Court's opinion and con-

15. U.S. CoNST. amend. I. This Amendment to the Constitution guarantees the ba-
sic freedoms of speech, religion, press, and assembly and the right to petition
LU

the government for redress of grievances. See id.

16. U.S. CoNST. amend. V. This Amendment to the Constitution provides:
No person shall be held to answer for a capital, or otherwise infa-
PN

mous crime, unless on a presentment or indictment of a Grand Jury,

except in cases arising in the land or naval forces. or in the Militia.
when in actual service in time of War or public danger; nor shall any
person be subject for the same offence to be twice put in jeopardy of
H

life or limb; nor shall be compelled in any criminal case to be a wit-

ness against himself; nor be deprived of life. liberty, or property,
without due process of law; nor shall private property be taken for
public use, without just compensation.
[d.
17. See Reno v. ACLU, 117 S. Ct. 2329, 2341(1997).
18. 117 S. Ct. 2329 (1997).
19. See id. at 2334.
20. See id. at 2340.
21. See id. at 2334.
22. See id. at 234546.
23. See id. at 2343.
24. See infra notes 32-132 and accompanying text.
25. See infra notes 13~9 and accompanying text.
26. See infra notes 170-259 and accompanying text.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.8

 276 Baltimore Law Review [Vol. 28

eludes that the majority reached the appropriate result.27 It was not
surprising that the language of the CDA lacked the specificity and
narrowness required by the First Amendment in light of the fact
that Congress enacted a version of the CDA that was never the sub-
ject of a senatorial hearing, but merely discussed for approximately
one hour on the Senate floor. 28 Thereafter, Section IV of this Note
explores Justice O'Connor's alternative approach taken in analyzing
the CDA's provisions at issue in her concurring and dissenting opin-
ion. 29 Section IV addresses the impact Reno had on Congress and
the Executive, focusing particularly on the Internet Indecency Act:-
legislation passed in an effort to correct the constitutional infirmi-
ties of the CDA.30 This Note concludes that this newly enacted legis-
lation adequately revised the provisions struck down in Reno and ap-
pears constitutionally defensible. 31

LA
II. HISTORICAL DEVELOPMENT
A. First Amendment Parameters IM
The United States Supreme Court has reviewed numerous con-
stitutional challenges to government regulations of speech and ex-
SH
pression. 32 From this precedent, it is clear that courts must balance
the government's interest in protecting its citizens from harmful,
obscene, and indecent materials33 with the individual's interest in
communicating or receiving communications. 34 It is equally evident
LU

that the method of expression can have a decisive effect on the out-
come in a given case-the same speech protected in one mediuIil
may not be protected in another. 35 The challenge facing the Reno
PN

Court was balancing these interests in light of case precedent and

H

27. See infra notes 260-70 and accompanying text.

28. See Reno, 117 S. Ct. 2329, 2338 n.24 (1997).
29. See infra notes 271-306 and accompanying text.
30. See infra notes 307-48 and accompanying text.
31. See infra notes 349-53 and accompanying text.
32. See infra notes 35-131 and accompanying text.
33. See infra notes 35-131, 170-259 and accompanying text. This interest is particu-
larly acute for minors. See infra notes 84-101 and accompanying text.
34. See, e.g., Virginia State Bd. of Pharmacy v. Wrginia Citizens Consumer Council,
Inc., 425 U.S. 748, 75fr57 (1976) (chronicling the Court's concern with the
rights of receivers and concluding that "if there is a right to advertise, there is
a reciprocal right to receive advertising"); Marcy Strauss, Redefining the CapttrJe
Audience Doctrine, 19 HAsTINGS CONST. L.Q 85, 85 (1991) (noting the Court's
long history of considering both speakers and potential listeners in First
Amendment analysis).
35. See infra notes 102-20.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.9

 1998] Reno v. ACLU 277

applying this precedent to the Internet. Before dealing with the

Court's analysis, it is instructive to consider the relevant precedent
with which the Court dealt.

1. Content-Neutral Regulations of Adult Material

An initial inquiry in any First Amendment case centers on the

government act that is allegedly abridging expression. 36 The govern-
ment can proceed in two distinct fashions when it interferes with
the marketplace of ideas. 37 First, the government might attempt to
regulate the content of the expression. 38 Generally, content-based
regulations of speech are viewed with greater contempt and height-
ened scrutiny by the courts. 39 Alternatively, the government might
create a restriction that is aimed at the time, place, and manner of
speech, thereby appearing neutral as to the speech's content. 40

LA
Courts will normally permit content-neutral regulations provided

36.
IM
See Henry H. Perritt, Jr., Turt Liability, The First Amendment, and Equal Access to
Electronic NetwOTks, 5 HAAv. J.L. & TECH. 65, 114 (1992) (explaining that a state
action must exist to apply the First Amendment); see also Gitlow v. New York,
SH
268 U.S. 652, 666 (1925) (holding that the First Amendment is applicable to
the states through the Fourteenth Amendment).
37. See Capitol Square Review & Advisory Bd. v. Pinette, 515 U.S. 753, 761 (1995)
(observing that the state may regulate by either content-neutral or content-
LU

based restrictions); Chase J. Sanders, Bearing the First Amendments Crosses: An

Analysis o/State v. Sheldon, 53 MD. L. REv. 494, 504-05 (1994) (explaining that
government regulations of speech are divided into two categories); see also
Renton v. Playtime Theatres, Inc., 475 U.S. 41, 41 (1986) (noting that the two
PN

categories of speech regulation are content-neutral and content-based).

38. See also LAURENCE H. TRIBE. AMERICAN CONSTITUTIONAL LAw § 12-1, at 785 (2d
ed. 1988) (discussing the marketplace of ideas theory of free speech).
39. See Burson v. Freeman, 504 U.S. 191, 191 (1992) (holding that content-based
H

restrictions must be subjected to exacting scrutiny); Ward v. Rock Against Ra-

cism, 491 U.S. 781, 800 n.6 (1989) (observing that content-based regulations
must be subjected to the most exacting scrutiny)(citing Boos v. Barry, 485 U.S.
312, 321 (1988»; Riley v. National Fed'n of the Blind of N.C., Inc., 487 U.S.
781, 798 (1988) (holding that a content-based regulation is subject to the most
exacting scrutiny); Boos v. Barry, 485 U.S. 312, 321 (1988) (stating that con-
tent-based restrictions must be subject to the most exacting scrutiny).
40. See Burson, 504 U.S. at 196 (explaining that the Court has held that the gov-
ernment may regulate time, place, and manner of speech so long as the re-
strictions are content-neutral); Wanl, 491 U.S. at 791 (stating that the govern-
ment may impose reasonable restrictions based on time, place, and manner);
Renton, 475 U.S. at 41 (stating that time, place, and manner regulations are ac-
ceptable); United States Postal Serv. v. Council of Greenburgh Civic Ass'ns,
453 U.S. 114, 132 (1981) (explaining that the Court has recognized the valid-
ity of time, place, and manner restrictions).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.10

 278 Baltimore Law Review [Vol. 28

. they are reasonable. 41 Thus, content-based regulations are far more

likely to fail First Amendment scrutiny than their content-neutral
counterparts. 42 However, a clear line of demarcation between the
categories may prove difficult to support in certain situations.
An illuminating illustration of this difficulty is City of Renton v.
Playtime Theatres, Inc. 43 In Renton, the Supreme Court was petitioned
to resolve a First Amendment challenge to a city zoning ordinance
prohibiting adult motion picture theaters from being located within
1,000 feet of any residential zone, church, park, or within one mile
of any school. 44 Playtime Theatres purchased two theaters in down-
town Renton, Washington, intending to use them as adult movie
theaters. 45 The theaters were located within the area regulated by
the ordinance. 46 Playtime Theatres sought injunctive relief and a de-
claratory judgment that the ordinance violated the First and Four-

LA
teenth Amendments. 47
The Supreme Court determined that the ordinance was not di-
rected at regulating the content of the films shown in the theaters,
IM
but rather the secondary effects that these types of theaters tend to
promote. 48 The Court analyzed the ordinance as a content-neutral
SH
regulation because the predominant purpose underlying the ordi-
nance. was to curtail the deleterious secondary effects that adult the-
aters have on a neighborhood, not to restrain any particular type of
communication. 49 In reaching this conclusion, the Court relied
LU

heavily on the city council's "predominant interests" in enacting the

ordinance which were deduced from the council's prolonged delib-
erationsso and stated intentions.51 The Court distinguished content-
PN

41. See Capitol Square Review & Advisory Bd., 515 U.S. at 761 (holding that state
governments have the right to impose content-neutral restrictions); Wanl, 491
H

U.S. 781, 803 (1989) (holding that the city's regulation is content-neutral and,
therefore, valid under the First Amendment).
42. See, e.g., Martin H. Redish, The Content Distinction in First Amendment Analysis, 34
STAN. L. REv. 113. 134 (1981) (explaining that content-based regulations will
be overturned in more instances than content-neutral restrictions).
43. 475 U.S. 41 (1986).
44. See id. at 44.
45. See ilL at 45.
46. See ilL
47. See ilL
48. See ilL at 47.
49. See ilL at 46.
50. See id. at 47 (noting that the lower court's finding of the city council's intent
was "more than adequate to establish that the city's pursuit of its zoning inter-
ests here was unrelated to the suppression of free expression."). Specifically,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.11

 1998] Reno v. ACLU 279

based regulations from content-neutral time, place, and manner

regulations. 52 The Renton Court explained that content-based regula-
tions are presumed to violate the First Amendment because they
chill expression of ideas or views,53 but content-neutral regulations
are acceptable "so long as they are designed to serve a substantial
governmental interest and do not unreasonably limit alternative ave-
nues of communication. "54 The Renton Court held that the ordi-

the city council referred the matter to the planning and development commit-
tee. See ilL at 44. The committee held public hearings, researched the exper-
iences of nearby Seattle, Washington, received advice from the city attorney's
office as to similar developments in other cities, and made recommendations
leading to the enactment of the challenged ordinance. See ilL
51. See ilL at 48 (noting that the ordinance was designed to prevent crime, protect
the city's retail trade, maintain property values, and preserve neighborhoods,

LA
commercial districts, and the quality of urban life).
52. See id. at 4647. One commentator recognized the significance of this distinc-
tion as follows: "No longer will adult business location ordinances be analyzed
IM
under the strict scrutiny standard ... which establishes a presumption of con-
stitutional invalidity that the city must overcome. Instead, adult business loca-
tion ordinances will be analyzed by the rational basis standard, which raises a
SH
presumption of validity . . . ." Ronald M. Stein, &gulation of Adult Businesses
Through Zoning After Renton, 18 PAC. LJ. 351, 352 (1987) (footnotes and inter-
nal quotations omitted).
53. See Renton, 475 U.S. at 47; see also Denver Area Educ. Telecomms. Consortium,
Inc. v. FCC, 518 U.S. 727, 782 (1996) (Kennedy, J., concurring) (stating that
LU

"[t]he Constitution in general does not tolerate content-based restrictions of,

or discrimination against, speech"); RA.V. v. City of St. Paul, 505 U.S. 377,382
(1992) (observing that "content-based regulations are presumptively invalid");
PN

Carey v. Brown, 447 U;S. 455, 462 (1980) (discussing a statute that completely
banned all non-labor picketing, but exempted peaceful labor picketing at a
place of employment, and concluding that the statute was a content-based reg-
ulation); Police Dep't of Chicago v. Mosley, 408 U.S. 92, 94-95, 98-99 (1972)
H

(stating that a Chicago ordinance exempting peaceful labor picketing from its
general prohibition on picketing next to a school was a content-based regula-
tion and opining that "above all else, the First Amendment means that gov-
ernment has no power to restrict expression because of its message. its ideas,
its subject matter, or its content").
54. Renton, 475 U.S. at 47; see City Council of Los Angeles v. Taxpayers for Vincent,
466 U.S. 789, 791, 804-07, 812-15 (1984) (upholding a prohibition against post-
ing signs on public property as a valid time, place, and manner restriction due
to the municipality's valid aesthetic concerns in limiting unpleasant forms of
expression, and observing that people can still post signs outside of the city or
within the city on private property); Clark v. Community for Creative Non-
Violence, 468 U.S. 288, 293 (1984) ("Expression, whether oral or written or
symbolized by conduct, is subject to reasonable time, place, or manner restric-
tions."). In Clark, the Court reasoned that such restrictions on speech are
valid if they are justified in some way without referring to the content of the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.12

 280 Baltimore Law Review [Vol. 28

nance served a substantial government interest-preserving the

quality of urban life-and allowed reasonable alternatives for com-
munication. 55 Therefore, the ordinance survived the First Amend-
ment challenge. 56
Commentators have criticized the Renton Court's conclusion
that the ordinance at issue was content-neutral,57 in effect, agreeing
with Justice Brennan's dissenting opinion that concluded the ordi-
nance was content-based. 58 Additionally, commentators have drawn
attention to a footnote in which Justice Rehnquist, writing for the
majority, notes that "it is manifest that society's interest in protect-
ing this type of expression is of a wholly different, and lesser magni-

regulated speech, if the restrictions are narrowly tailored to serve a significant

LA
governmental interest, and if the restrictions leave open alternative methods
of communicating the speech in question. See Clam, 468 U.S. at 293; see also
Heffron v. International Soc'y for Krishna Consciousness, Inc., 452 U.S. 640,
IM
643, 647-48, 654-55 (1981) (upholding the constitutionality of a Minnesota rule
which required members of ISKCON to confine their distribution, sales, and
solicitation activities to a fixed location at the state fair, reasoning that the
SH
rule was not content-based because it applied to all persons or organizations
wishing to sell and distribute material and that the state had a valid interest in
wanting to maintain the orderly movement of people at the fair, and noting
that alternative forums of expression existed outside of the fairgrounds).
55. See Renton, 475 U.S. at 54. The Court noted that the ordinance left approxi-
LU

mately 520 acres, which equaled five percent of Renton's land area, available
for use as adult theater sites. See id. at 53. Laurence Tribe explains that deci-
sions such as "Renton may signal the willingness of some members of the
PN

Court to fashion rules for speech in public places which will try to accommo-
date the conflicting demands of individuals and communities to have govern-
ment shield each from intrusion by the other." TRIBE, supra note 38, at § 12-
19, at 950.
H

56. See Renton, 475 U.S. at 54-55. As Justice Rehnquist, writing for the majority, ex-
plained: "In our view, the First Amendment requires· only that Renton refrain
from effectively denying respondents a reasonable opportunity to open and
operate an adult theater within the city, and the ordinance before us easily
meets this requirement." Id. at 54.
57. See Geoffrey R. Stone, Content-Neutral Restrictions, 54 U. CHI. L REv. 46, 104
(1987) (referring to Renton as a "disturbing" exception to the Court's protec-
tion of free speech); Leading Cases, Restrictive Zoning of Adult Theaters, 100
liAR. L REv. 190, 195 (1986) ("The Renton ordinance was a content-based reg-
ulation of the first order.").
58 .. See Renton, 475 U.S. at 55 (Brennan, j., dissenting) ("The Court asserts that
the ordinance is aimed not at the content of the films shown at adult motion
picture theaters, but rather at the secondary effects of such theaters on the
surrounding community, and this is simply a time, place, and manner regula-
tion. This analysis is misguided." (citation and footnote omitted».

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.13

 1998] Reno v. ACLU 281

tude than the interest in untrammeled political debate. '"S9 From

this footnote, it appears that at least Justice Rehnquist would sup-
port the view that low-value speech, such as sexually explicit cinema-
tography, whether regulated in a content-based or content-neutral
manner is less deserving of First Amendment protection. 60 While it
is unclear whether this generalization is supported by a majority of
the Court, cases demonstrate that when indecent communication
rises to the level of obscenity, government regulations need not be
content-neutral to survive a First Amendment challenge.61
2. Obscene Material is not Protected by the First Amendment
Legislative efforts aimed at restricting what is deemed obscene
are not novel creations. 62 When lawmakers suppress obscene mate-
rial, no violation of the First Amendment occurs because, as the Su-
preme Court has repeatedly held, obscenity is not a form of speech

LA
worthy of First Amendment protection. 63 While several attempts of

IM
59. See id. at 49 n.2 (quoting Young v. American Mini Theatres, Inc., 427 U.S. 50,
70 (1976».
60. See Philip J. Prygoski, The Supreme Court's "Secondary Effects" Analysis in Free
SH
Speech Cases, 6 COOLEY L. REv. I, 18 (1989); Stein, supra note 52 at 351 ("The
Supreme Court's acceptance of the time, place, and manner analysis set forth
by Justice Stevens in Young also signaled the Court's view that the type of ex-
pression at issue did not deserve the fullest protection.").
61. See Prygoski, supra note 60, at 18. Delving into the reason why Justice Rehn-
LU

quist "alluded to Young for the proposition that the kind of speech restricted
by the Young and Renton ordinances was low-value speech, at least when com-
pared to the core first amendment speech of political debate," one commen-
PN

tator observed:
The only tenable conclusion is that the value of speech is related to
the amount of first amendment protection the Court is willing to
give it. Justice Stevens made this argument and it was rejected by a
H

majority of the Court in Young. However, this argument appears to be

part of Justice Rehnquist's premise as he analyzed the ordinance in
Renton.
[d. (footnotes omitted).
62. See Martin Karo Be Marcia McBrian, The Lessons of Miller and Hudnut: On Prrr
posing a Pornography Ordinance that Passes Constitutional Muster, 23 U. MICH. J-L
REF. 179, 183-84 (1989) (tracing the history of laws restricting obscenity).
63. See Randolph Stuart Sergent, The ''Hamlet'' FaUacy: Computer Netwurks and the Ge-
ographic Roots of Obscenity Regulation, 23 HAsrINGS CoNST. L.Q 671, 681 (1996)
(stating that "implicit in the history of the First Amendment is the rejection
of obscenity as utterly without redeeming social importance," and therefore
"not within the area of constitutionally protected speech or press,") (quoting
Roth v. United States, 354 U.S. 476, 484 (1957»; Bruce A Taylor, Hard-Core
Pornography: A Proposal for a Per Se Rule, 21 U. MICH. J.L. REF. 255. 255 (1988)
(citing Arcara v. Cloud Books, Inc., 478 U.S. 697, 705(1986»; Roth v. United

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.14

282 Baltimore Law Review [Vol. 28

defining what is obscene were crafted by earlier COUrts,64 the mod-

ern definition appears in Miller v. California. 6S
In Miller, the Court analyzed the application of California's
criminal obscenity statute66 to circumstances in which an individual
sent sexually explicit material to "unwilling recipients who had in
no way indicated any desire to receive such materials. "67 Miller con-
ducted a mass mailing campaign to advertise the sale of "adult"
books. 68 Included in this mass mailing were five unsolicited
brochures sent through the mail to a restaurant in Newport News,
California. 69 The envelope was opened by the manager of the res-
taurant and his mother.70 Mter opening the unrequested envelope,
the manager and his mother complained to the police. 71 Mter a

States, 354 U.S. 476, 484-86 (1957); Chaplinsky v. New Hampshire, 315 U.S.

LA
568, 571-72 (1942».
64. See Sergent, supra note 63, at 681 (stating that United States v. Bennett, 24 F. Cas.
1093 (C.C.S.D.N.V. 1879), adopted the obscenity test used in the English case
IM
of Regina v. Hicklin, 3 L.R-Q.B. 360 (1868), which determined obscenity based
on the effect the material would have on the most susceptible members of the
population); Karo & McBrian, supra note 62, at 183-84 (explaining that early
SH
American courts applied the English Hinklin test which was subsequently aban-
doned and replaced by the definition of obscenity articulated by the Supreme
Court in Roth v. United States, 354 U.S. 476, 484 (1957»; Edward John Main,
The Neglected Prong of the Miller Test Obscenity: Serious Literary, Artistic, Politica~ ur
Scientific Value, 11 S. Ill. U. LJ. 1159, 1159-60 (1987) (citing Memoirs v. Massa-
LU

chusetts, 383 U.S. 413 (1966); Roth v. United States, 354 U.S. 476 (1957». But
see Sergent, supra note 63, at 681-82 (explaining that other courts such as
United States v. Dennett, 39 F.2d 564 (2d Cir. 1930), United States v. One Book En-
PN

titled mysses, 72 F.2d 705 (2d Cir. 1934), and United States v. Levine, 83 F.2d 156
(2d Cir. 1936), adopted a test that required the material to be judged by the
dominant effect the allegedly obscene work would have on the average person
in the community).
H

65. 413 U.S. 15, 24 (1973); see also Karo & McBrian, supra note 62, at 184 ("The
Court found the Roth language entirely unsatisfactory in practice, however,
and replaced Roth II obscenity definition sixteen years later in Miller v. Califur-
nia.") (footnote omitted).
66. The appellant was convicted of the misdemeanor of knowingly distributing ob-
scene material under California Penal Code § 311.2(a) & 311 (West
1968)(amended 1969). See Miller, 413 U.S. at 16.
67. Id. at 15.
68. See id. at 16. The brochures that the appellant mailed primarily consisted "of
pictures and drawings very explicitly depicting men and women in groups of
two or more engaging in a variety of sexual activities, with genitals often
prominently displayed." Id. at 18.
69. See id. at 18.
70. See id.
71. See id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.15

 1998] Reno v. ACLU 283

jury trial, Miller was convicted of violating a statute that prohibited

knowingly distributing obscene materials.72 Prior to this decision,
the Court had never adopted a standard "to determiQe what consti-
tutes obscene, or pornographic material subject to regulation under
the States' police power."73 As a result of this case, a majority of the
Court agreed on "concrete guidelines to isolate 'hard core' pornog-
raphy from expression protected by the First Amendment. "74
The Court focused on three criteria, each of which must be ful-
filled in order to deem a communication obscene. 7s Focusing on
the "average person applying contemporary community stan-
dards, "76 the Court first required the communication as a whole to
solely appeal to sexual interest. 77 The communication must also de-
pict or describe sexual conduct, specifically addressed by the state
regulation, in a "patently offensive way. "78 The final consideration

LA
requires a court to determine if the communication "lacks serious
literary, artistic, political, or scientific value. "79
The Miller Court affirmed the notion that states can pass laws
IM
that prohibit circulating obscene material when the method of dis-
persal creates a "danger of offending the sensibilities of unwilling
SH
recipients or of exposure to juveniles. "80 The Court emphasized that

72. See id. at 16 n.1.

73. Id. at 22.
LU

74. Id. at 29. Although the Court described the criteria as "guidelines," it is clear
that all three requirements must be fulfilled to render material "obscene" and
thereby devoid of constitutional protection. See, e.g., Reno v. ACLU, 117 S. Ct.
PN

2329, 2332 (1997) (referring to the "three-prong obscenity test set forth in
Miller").
75. See Miller, 413 U.S. at 24.
76. Id.
H

77. See id. (citing Kois v. Wisconsin, 408 U.S. 229, 230 (1972) (quoting Roth v.
United States, 354 U.S. 476, 489 (1957»). This requirement is often described
as "the prurient interest." See id.
78. Id. While the Court did not specifically define "patently offensive," it provided
two categories of materials satisfying this standard: "(a) Patently offensive rep-
resentations or descriptions of ultimate sexual acts, normal or perverted, ac-
tual or simulated. (b) Patently offensive representation or descriptions of mas-
turbation, excretory functions, and lewd exhibition of genitals." Id. at 25.
79. Id. at 24.
80. Id. at 18-19; see Stanley v. Georgia, 394 U.S. 557, 567 (1969) (noting that the
Roth decision rejected the need to prove that viewing obscene matter would
lead to unacceptable social conduct); Interstate Circuit, Inc. v. Dallas, 390 U.S.
676, 690 (1968) (indicating that a state may regulate the access of certain
materials to juveniles because of its strong interest in the deVelopment of chil-
dren); Ginsburg v. New York, 390 U.S. 629, 63743 (1968) (stating that a state's

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.16

 284 Baltimore Law Review [Vol. 28

obscene material is not entitled to First Amendment protection. 81

Accordingly, the Miller Court developed standards for identifying
obscene material, thus allowing states to prohibit the dissemination
of material deemed "Miller obscene"82 without violating the First
Amendment. 83 What is Miller obscene to a child, however, is not
necessarily Miller obscene to an adult.

power to control the free flow of certain material to its children exceeds con-
trol over adults, and thus material not obscene to adults may still be found
obscene to children and subject to regulation); Redrup v. New York, 386 U.S.
767, 769 (1967) (noting that the three cases consolidated in this action did
not involve obtrusive publication so as to make it "impossible for an unwilling
individual to avoid exposure" to the material in question); Jacobellis v. Ohio,
378 U.S. 184, 195 (1964) (recognizing that states have a legitimate interest in

LA
stopping the free flow of harmful material to children); see also Rabe v. Wash-
ington, 405 U.S. 313, 317 (1972) (Burger, C. J., concurring) (observing that a
movie screen depicting sexual acts was visible to motorists passing by the thea-
ter and to minors watching the film from outside the fence surrounding the
IM
theater; thus, the First Amendment would likely not prevent a state from regu-
lating such displays); United States v. Reidel, 402 U.S. 351, 36~1 (1971)
(opinion of Marshall, J.) (noting that the government cannot exercise its
SH
power to protect minors and unwilling recipients of sexual material until pub-
lic or commercial distribution occurs because until then it is in private posses-
sion and threatens neither children nor anyone else); Breard v. Alexandria,
341 U.S. 622, 64445 (1951) (holding that an ordinance that prohibited the
LU

sale of periodicals door-to-door at private residences, without the prior con-

sent of the homeowner or occupants, did not abridge the First Amendment
because the community felt this sort of salesmanship was irritating to home-
owners who did not desire subscriptions); Kovacs v. Cooper, 336 U.S. 77, 88-89
PN

(1949) (validating an ordinance that protected local home and business own-
ers from the use of sound trucks which emitted loud noises); Prince v. Massa-
chusetts, 321 U.S. 158, 169-70 (1944) (affirming the constitutionality of a state
H

statute forbidding distribution of religious material by a minor on the streets);

cJ. Butler v. Michigan, 352 U.S. 380, 382-84 (1957) (noting that a state cannot
place a total ban on material which is not obscene to adults simply because it
is obscene to minors); Joseph Burstyn, Inc. v. Wilson, 343 U.S. 495, 502 (1952)
(holding that motion pictures fall within First Amendment protections and
even if they possessed "a greater capacity for evil, particularly among the
youth of a community," it would not follow that they should be disqualified
from First Amendment protection); Public Utils. Comm'n v. Pollak, 343 U.S.
451, 4~5 (1952) (stating that activities do not warrant any type of limitation
when such activities do not burden the general public's "convenience, com-
fort and safety").
81. See Miller, 413 U.S. at 23.
82. See Michael I. Meyerson, Impending Legal Issues for Integrated Broadband Networlu,
3 U. FLA. J.L & PUB. POL'y 49, 55 n.29 (1990) ("Legal obscenity is frequently
referred to as 'Miller obscene. "').
83. See Miller, 413 U.S. at 20.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.17

 1998] Reno v. ACLU 285

3. A Lower Threshold of Obscenity Exists for Minors

In 1968, the Court reviewed Ginsberg v. New YorJtI4 to determine
the constitutionality of a New York criminal obscenity statute. 8S The
statute prohibited selling material to minors defined to be obscene
on the basis of its appeal to minors, whether or not it would be ob-
scene to adults. 86 In upholding the constitutionality of the statute,
the Court rejected the defendant's broad argument that "the scope
of the constitutional freedom of expression secured to a citizen to
read or see material concerned with sex cannot be made to depend
on whether the citizen is an adult or a minor. "87
Ginsberg and his wife operated a stationary store and lunch-
eonette in Long Island, New York. 88 Along with providing food ser-
vices to customers, Ginsberg sold numerous magazines, including
some described as "girlie magazines. "89 On two separate occasions,

LA
Ginsberg sold a sixteen-year-old boy a pornographic magazine90 and
was prosecuted pursuant to a New York statute. 91
IM
By concluding that the statute did not invade the area of free-
dom of expression that the Constitution grants to minors,92 the
Court affirmed the state's authority to adjust the meaning of ob-
SH
scenity according to what appeals to the sexual interests of minors. 93

84. 390 U.S. 629 (1968).

85. See id. at 621 (citing N.Y. PENAL LAw § 484-h (McKinney 1909) (current version
LU

at N.Y. PENAL LAw § 235.21 (1967».

86. See ill. at 631.
87. [d. at 636. The defendant store owner insisted that denying section 484-h ma-
PN

terial to minors, insofar as that material is not obscene for persons 17 years of
age or older, constituted a violation of the First Amendment. See id.
88. See id. at 631.
89. See id.
H

90. See id.

91. See ill.
92. See id. at 637. For examples of statutes that did interfere with this right, see,
e.g., West Virginia State Bd. of Educ. v. Barnette, 319 U.S. 624, 642 (1943)
(holding a statute compelling children, against their religious beliefs, to salute
the American flag unconstitutional); Pierce v. Soc'y of Sisters, 268 U.S. 510,
534-36 (1925) (holding an Oregon statute that interfered with children's at-
tendance at private and parochial schools unconstitutional); Meyer v. Ne-
braska, 262 U.S. 390, 402 (1923) (holding a Nebraska statute forbidding chil-
dren to study modern languages other than English unconstitutional).
93. See Ginsberg, 390 U.S. at 638; see also Mishkin v. New York, 383 U.S. 502, 509
(1966) (stating that the prurient-appeal requirement will be adjusted to "social
realities by permitting the appeal of this type of material to be assessed in
terms of the sexual interests of its intended and probable recipient group");
Bookcase, Inc. v. Broderick, 218 N.E.2d 668,671 (N.Y. 1966) (holding that the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.18

 286 Baltimore Law Review [Vol. 28

Therefore, "even where there is an invasion of protected freedoms

'the power of the state to control the conduct of children reaches
beyond' the scope of its authority over adults."'94 The Court justified
this regulatory paternalism over minors on the grounds that each
state "has an independent interest in the well-being of its youth,"9S
and that parents are not always capable of controlling what their
own children read. 96
The Ginsburg opinion signaled the Court's acceptance of the
"variable obscenity approach."97 This approach recognizes the legiti-
mate interests states have in fashioning statutes that create a lower
threshold of obscenity for younger audiences. 98 Even though states
are permitted to redefine obscenity for minors, courts must con-
tinue to analyze the constitutionality of these statutes with limiting
principles in mind. These limiting principles are overbreadth and

LA
vagueness. 99
In particular, the concept of overbreadth prevents the govern-
ment from denying the general public access to materials simply be-
IM
cause they could be inappropriate for minors. loo The Court has ex-
plained that to restrict the general population to that which is
SH
appropriate for children, would be "'to bum the house to roast the
pig. "'101 This concern creates unique considerations for the Court
when it reviews cases dealing with methods of speech outside of the
traditional realm of print media.
LU

definition of obscenity may depend solely upon to whom the material in ques-
tion is directed).
PN

94. Ginsberg, 390 V.S. at 638 (quoting Prince v. Massachusetts, 321 V.S. 158, 170
(1944». In Prince, the Court upheld the conviction of the guardian of a nine-
year-old girl for violating the Massachusetts child labor law by permitting the
girl to sell religious tracts for the Jehovah's Witnesses on the streets of Boston.
H

See id. at 638-39.

95. Id. at 640.
96. See id. (quoting People v. Kahan, 206 N.E.2d 333, 334 (N.Y. 1965) (Fuld, J.,
concurring) which struck down the first version of § 484-h of the New York
Penal Law on grounds of vagueness).
97. See JOHN E. NOWAK &: RONALD D. ROTUNDA. TREATISE ON CONSTITUTIONAL LAw,
§ 16.61 (b), at 1205 (2d ed. 1992).
98. See Kevin W. Saunders, Elo:tTonic Indecency: Protecting Childnm in the Wake of the
Cable and Internet Cases, 46 DRAKE L REv. 1, 34 (1997) ("Variable obscenity al-
lows consideration of the audience in determining whether material is ob-
scene and prohibiting the distribution of obscene material to that particular
audience. ") .
99. See NOWAK &: ROTUNDA, supra note 97, § 16.61(b), at 1205.
100. See ill.
101. Id. § 16.61 (b), at 1206 (quoting Butler v. Michigan, 352 V.S. 380,383 (1957».

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.19

 1998] Reno v. ACLU 287

4. Indecent Broadcasting Can Be Prohibited

In 1978, the United States Supreme Court granted certiorari in
FCC v. Pacifica Foundation. I02 The Court reviewed the constitutional-
ity of a declaratory order issued by the Federal Communications
Commission (FCC) 103 pursuant to its congressionally authorized
power to regulate indecent public broadcasting under 18 U.S.C. §
1464. 104 Section 1464 forbade the use of "any obscene, indecent, or
profane language by means of radio communications."I05 The Court
explained that "of all forms of communication, it is broadcasting
that has received the most limited First Amendment protection"l06
and ultimately concluded that the FCC could prohibit indecent
broadcasting. 107
Pacifica involved the broadcast of comedian George Carlin's in-

LA
famous monologue entitled "Filthy Words."I08 The New York radio
station owned by Pacifica Foundation played the monologue one af-
ternoon at about 2:00 p.m. loo A man who heard the broadcast while
IM
driving with his son complained to the FCC that this type of mono-
logue should not have been broadcast on the public airwaves. llo
The FCC issued a declaratory order stating that if any more com-
SH
plaints about the broadcast were filed, it would decide whether to
impose sanctions against the station for airing it. 1\1
The Pacifica Court explained that governmental acts which reg-
ulate the content of speech are not automatically violative of the
LU

First Amendment. 112 The First Amendment analysis of speech regu-

PN

102. 438 U.S. 726 (1978).

103. Created by the Communications Act of 1934, the FCC regulates interstate and
foreign communications by wire and radio in the public interest. See BLACK'S
LAw DIGnONARY 610 (6th ed. 1990). The regulatory power of the FCC includes
H

radio and television broadcasting, telephone, telegraph, cable television opera-

tion, two-way radio and radio operators, and satellite communication. See id.
104. See Pacifica, 438 U.S. at 731.
105. Id.
106. Id.
107. See id.
108. See id. at 729.
109. See id. at 729-30.
110. See id. at 730.
Ill. See id. The Commission did not impose formal sanctions, but it did state that
the order would be "associated with the station's license file, and in the event
that subsequent complaints are received, the Commission will then decide
whether it should utilize any of the available sanctions it has been granted by
Congress." Id.
112. See id. at 744.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.20

 288 Baltimore Law Review [Vol. 28

lations requires a court to examine both the content and context in

which the speech occurred.113 The Court found that because the
content of Pacifica s broadcast was vulgar, offensive, and shocking, it
was not entitled to absolute First Amendment protection in all situa-
tions.114 Of more noteworthy significance, however, was the Court's
review of the context in which the monologue was communicated
to others. lIS
The Court primarily based its context analysis of broadcast me-
dia on two characteristics that distinguish it from other forms of
communication}16 First, broadcast media permeate the privacy of
homes, "where the individual's right to be left alone plainly out-
weighs the First Amendment rights of an intruder."ll7 The second

LA
113. See id. The Court quotes this analysis as first articulated by Mr. Justice Holmes
in Schenck v. United States, 249 U.S. 47 (1919):
We admit that in many places and in ordinary times the defendants
in saying all that was said in the circular would have been within
IM
their constitutional rights. But the character of every act depends
upon the circumstances in which it is done .... The most stringent
protection of free speech would not protect a man in falsely shouting
SH
fire in a theatre and causing a panic. It does not even protect a man
from an injunction against uttering words that may have all the effect
of force . . . . The question in every case is whether the words used
are used in such circumstances and are of such a nature as to create
LU

a clear and present danger that they will bring about the substantive
evils that Congress has a right to prevenL
Id. at 52.
114. See Pacifica, 438 U.S. at 747.
PN

115. See id. at 747-48. The importance of context is illustrated by Cohen v. California,
403 U.S. 15, 25 (1971). In Cohen, Paul Cohen entered a Los Angeles court-
house wearing a jacket bearing the words "Fuck the Draft." See ill. at 16. After
entering the courtroom, he took the jacket off and folded it. See ill. at 19 n.3.
H

The evidence showed no violent reaction to the jacket by anyone in the court-
room. See id. at 16. Nonetheless, when he left the courtroom, Cohen was ar-
rested, convicted of disturbing the peace, and sentenced to 30 days in prison.
See id. The Court held that criminal sanctions could not be imposed on Go-
hen for his political statement in a public place because there was no evi-
dence showing his "speech" offended unwilling viewers, especially since no
one objected to it. See ill. at 22.
116. See Pacifica, 438 U.S. at 748.
117. Id. (citing Rowan v. Post Office Dep't, 397 U.S. 728, 736 (1970». The Court
stated:
Because the broadcast audience is constantly tuning in and out, prior
warnings cannot completely protect the listener or viewer from unex-
pected program content. To say that one may avoid further offense
by turning off the radio when he hears indecent language is like say-
ing that the remedy for an assault is to run away after the first blow.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.21

 1998] &no v. ACLU 289

characteristic is the accessibility of the broadcasts to children. l1s

This accessibility arid the previously legitimized Ginsberg paternalism
justified upholding the FCC's order. 119 While no Court has expressly
held, commentators have observed that opinions such as Pacifica
represent an attempt to create a middle tier of constitutional pro-
tection for offensive, but non-obscene speech when the context is
broadcast media. 12o Another mode of communicating indecent
speech that has been the subject of regulatory restrictions is the
dial-a-porn industry.

One may hang up on an indecent phone call, but that option does
not give the caller a constitutional immunity or avoid a harm that
has already taken place.

LA
[d. at 74849.
118. See id. at 749.
119. See id. at 750. However, the Court noted:
IM
It is appropriate, in conclusion, to emphasize the narrowness of our
holding. This case does not involve a two-way radio conversation be--
tween a cab driver and a dispatcher, or a telecast of an Elizabethan
SH
comedy. We have not decided that an occasional expletive in either
setting would justify any sanction or, indeed, that this broadcast
would justify a criminal prosecution. The Commission's decision
rested entirely on a nuisance rationale under which context is all-
LU

important. The concept requires consideration of a host of variables.

The time of day was emphasized by the Commission. The content of
the program in which the language is used will also affect the com-
position of the audience, and differences between radio, television,
PN

and perhaps closed-circuit transmissions, may also be relevant.

[d. Commentators have called into question the legitimacy of the FCC's inter-
est in preventing this type of inadvertent exposure to children. See TRIBE, supra
note 38, § 1218, at 937. Laurence Tribe reasons that the likelihood that chil-
H

dren would be exposed to the particular program was minimal because most
children would be at school at the time the program aired and the station ca-
tered to a distinct adult audience. See id.; see also NOWAK & ROTUNDA, supra
note 97, § 16.18(a), at 1033 ("The Court did not explain why it did not as-
sume that children old enough to understand the Carlin monologue were
more likely to be in school in the early afternoon."). Outside of the Court's
two justifications for according broadcasting the most limited First Amend-
ment protection of all other media, a majority of Justices "could not agree on
the constitutional rationale for their holding." NOWAK & ROTUNDA, supra note
97, § 16.18(a), at 1034.
120. See, e.g., TRIBE, supra note 38, § 12-18, at 938 ("Although the COurt has clearly
embarked on the task of erecting a hierarchy of expression within the First
Amendment, it is important to note that no Court has yet squarely held that
offensive or sexually explicit but non-obscene speech enjoys less than full First
Amendment protection.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.22

 290 Baltimore Law Review [Vol. 28

5. Indecent Dial-A-Pom Can be Regulated, but not Banned

In 1989, the Supreme Court decided the most analogous case
to Reno--Sable Communications of California, Inc. v. FCC. 121 Sable Com-
munications began providing sexually explicit, pre-recorded tele-
phone messages through Pacific Bell. 122 Sable sought declaratory
and injunctive relief against enforcement of section 223(b) of the
Communications Act l23 which banned all indecent and obscene in-
terstate "dial-a-porn" telephone messages. 124 In affirming the district
court,l25 the Supreme Court held that the statute was not narrowly
tailored to only protect children from exposure to indecent
messages. 126 Although acknowledging that "[s]exual expression
which is indecent but not obscene is protected by the First Amend-
ment, "127 the Court concluded that the government may regulate
the content of indecent speech to serve a compelling interest. 128

LA
121. 492 U.S. 115 (1989).
IM
122. See id. at 117-18. Sable Communications charged a fee to people who accessed
the messages, which Pacific Bell collected and divided between itself and Sable
Communications. See id. at 118.
SH
123. See id. The Supreme Court analyzed the constitutionality of section 223(b) of
the Communications Act of 1934. See id.; 47 U.S.C. § 223 (a) (1)(A) (1982 &
Supp. V 1988). The company based its challenge on the First and Fourteenth
Amendments. See Sable, 492 U.S. at 117-18. Sable Communications wanted to
LU

enjoin the FCC and the Department of Justice from pursuing "any criminal
investigation or prosecution, civil action or administrative proceeding under
the statute. n Id. at 117.
124. See Sable, 492 U.S. at 117.
PN

125. :rhe district court struck down the "indecent speech" provision of 47 U.S.C. §
223(b), holding that the statute was overbroad and unconstitutional. See id. at
118-19. The Supreme Court upheld the district court's ruling on the constitu-
tionality of section 223(a) (1 )(A) 's prohibition on obscene messages, stating
H

that the Court has "repeatedly held that the protection of the First Amend-
ment does not extend to obscene speech." Id. at 124; see, e.g., Paris Adult The.-
ater v. Slaton, 413 U.S. 49, 69 (1973) (holding that First Amendment protec-
tion does not extend to obscene speech).
126. See Sabk, 492 U.S. at 126. In support of the district court's decision, the Court
stated that Sabk, "like Butler, presents ... 'legislation not reasonably restricted
to the evil with which it is said to deaL'" Id. at 127 (quoting Butler v. Michi-
gan, 352 U.S. 380 (1957». The Butler Court further held that a statute which
made it an offense to make available to the general public material found to
have a potentially harmful influence on minors was' insufficiently tailored
since it denied adults their free speech rights by allowing them to read only
what was acceptable for children. See Butler, 352 U,S. at 383.
127. Sable, 492 U.S. at 126.
128. See id. The Court observed that to survive constitutional scrutiny, any regula-
tion promulgated to serve such an interest must be narrowly drafted so as to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.23

 1998] Reno v. ACLU 291

The Court obseIVed that protecting the physical and psychological

well-being of minors from certain sexual material is a compelling in-
terest. 129 However, the Court concluded that the total ban on inde-
cent messages was unconstitutional'30 because less restrictive means
were available to seIVe the government's interest without denying
adults access to constitutionally protected messages. 131 The Court
suggested that potential alternates included "credit card, access
code, and scrambling rules [as] a satisfactory solution to the prob-
lem of keeping indecent dial-a-porn messages out of the reach of
minors. "132 These alternative means of shielding children from inaIT
propriate communications were a focal point of the Reno decision.
Prior to discussing screening methods for the Internet, however, it
is necessary to define what the Internet actually encompasses and
how it developed up to the Court's decision in Reno.

LA
B. History of the Internet
The Internet originated in 1969 as the result of an experimen-
IM
tal project of the Advanced Research Project Agency (ARPA), and
was called ARPANET.133 Originally, the United States Government
used ARPANET to link computers conducting defense-related re-
SH
search.134 The network soon evolved from its defense-related re-

not unnecessarily interfere with the First Amendment right to exercise free
speech. See itt. Specifically, the Court stated that "the Government may serve
LU

this legitimate interest, but to withstand constitutional scrutiny, 'it must do so

by narrowly drawn regulations designed to serve those interests without unnec-
essarily interfering with First Amendment freedoms.~ Id. (quoting Schaum-
PN

burg v. Citizens for a Better Env't, 444 U.S. 620,637 (1980), which is based on
the Court's holding in Hynes v. Mayor of Oradell, 425 U.S. 610, 620 (1976)
and First Nat'l Bank of Boston v. Bellotti, 435 U.S. 765, 786 (1978».
129. See itt. This least restrictive means analysis, while not dispositive in Reno, cer-
H

tainly plays a part in deciding how best to regulate the Internet.

130. See id. at 131. It is worthy to note the similarity between § 223(b) and the
CDA provisions at issue in Reno. See ACLU v. Reno, 929 F. Supp. 824, 828-29
(1996) (explaining that CDA provisions at issue regulate indecent, obscene,
and "patently offensive" communication employing a telecommunications de-
vice or an interactive computer service). Section 223(b) was introduced on
the floor of Congress and no Congressman or Senator presented data with re-
spect to how often or to what extent minors could avoid any regulations and
access dial-a-porn messages. See Sable, 492 U.S. at 130.
131. See itt. at 128. As the Court explained, 42 U.S.C. § 223(b), "as amended in
1988, impose[d] an outright ban on indecent as well as obscene interstate
commercial telephone messages." Id. at 117.
132. Id. at 128.
133. See ACLU, 929 F. Supp. at 831.
134. See id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.24

 292 Baltimore Law Review [VoL 28

search ongms to serve universities, corporations, and individuals

around the world. 13S Following this expansive evolution, the
ARPANET became known as the "DARPA Internet" and later simply
the "Internet. "136
It is nearly impossible to determine the size of the Internet be-
cause no single entity administers it.137 However, reports show "that
the Internet has experienced extraordinary growth in recent
years."138 As of 1996, approximately 9,400,000 host computers were
estimated to be . linked to the Internet, with sixty percent of these
host comput.ers located in the United States}39 This estimate does
not include the personal computers used to access the Internet,
which brings the number of Internet users to as many as forty mil-
lion worldwide. l40 The total number of computer users who access
the Internet was expected to reach 200 million by the year 1999}41

LA
Several methods of communicating information are available
once a person gains access to the Internet. 142 These methods are as
follows: (1) one-to-one messaging, such as electronic mail (e-mail),
IM
which allows· direct communications to another individual compara-
ble to sending a first class letter; (2) one-to-many messaging, such as
listservs or mail exploders, which allows individuals interested in a
SH

particular subject to join a mailing list and communicate their

messages to all other members of the mailing list simultaneously,
analogous to a bulk mailer; (3) distributed message databases, such
LU

as newsgroups, which are similar to listservs inasmuch as they relate

to particular areas of interest, but unlike a listserv, users simply ac-
cess the database when they desire to communicate with others
PN

about the subject matter; (4) real time communication, such as chat
rooms, which allow two or more people to type messages to each
other that almost immediately appear on the others' computer
H

screens; and (5) remote information retrieval, such as the World

Wide Web, which provides a global platform of online information
that users access through search engines. 143 The World Wide Web
approach to information retrieval is the most advance information

135. See ill.

136. See id.
137. See id. at 831-32.
138. [d. at 831.
139. See id.
140. See id.
141. See id.
142. See id. at 834.
143. See id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.25

 1998] Reno v. ACLU 293

retrieval system and is "fast becoming the most well-known on the

Internet. "144 For the most part, in each of the methods described
above, users can transmit and receive text, audio, and visual
images. 14S The ease of accessing sexually explicit material through
anyone of the information retrieval methods is a major concern,
particularly in light of the explosive growth of the World Wide Web.
This problem arises because once someone posts sexually explicit
material on the World Wide Web, the individual posting the mate-
rial is unable to prevent it from entering any specific community}46
Thus, the Internet can be viewed as a network of networks-mean-
ing any information contained on a network connected to the In-
ternet has the capacity to be retrieved by any other linked
network. 147
Unlike radio broadcasts and television, sexually explicit commu-

LA
nications over the Internet are much less likely to enter a person's
home inadvertently.l48 Receiving information on the Internet re-
quires one to take "a series of affirmative steps more deliberate and
IM
directed than merely turning a dial. "149 Furthermore, almost all sex-
ually explicit materials "are preceded by warnings as to the con-
SH
tenL "ISO One government witness testified, at an evidentiary hearing
in Reno that "the 'odds are slim' that a user would come across a
sexually explicit site by accident." lSI
Individuals and commercial entities that communicate through
LU

the Internet have faced difficulties in setting boundaries on the ac-

cessibility of materials they make available to users. Several attempts
have been made to develop methods of verifying the age of Internet
PN

users who access material through the various informational re-

trieval methods. IS2 However, when the United States District Court
for the Eastern District of Pennsylvania decided Reno, it believed
H

there were no reliable means by which to screen the age of Internet

users accessing information through any informational retrieval
method, nor could anything be done to segregate Internet fora con-
taining sexual material into "'adult' or 'moderated' areas of cyber-

144. [d. at 836.

145. See ill. at 834.
146. See it! at 844.
147. See it!
148. See it!
149. [d. at 845.
150. [d. at 844.
151. [d. at 844-45.
152. See it! at 84549.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.26

 294 Baltimore Law Review [Vol. 28

space. "153 The expansiveness of the Internet and the fact that it was
unregulated led Congress to enact the Communications Decency
Act of 1996.
C. History of the CDA
The Telecommunications Act of 1996 1S4 was an extremely broad
piece of legislation promulgated by Congress. The purpose of the
Act was "[t]o promote competition and reduce regulation in order
to secure lower prices and higher quality services for American tele-
communications consumers and encourage the rapid deployment of
new telecommunications technologies."ISS The Act included seven ti-
tles, but the major provisions had nothing to do with the
Internet. 156
Six of the titles were the result of "extensive committee hear-

LA
ings and the subject of discussion in Reports prepared by Commit-
tees of the Senate and the House of Representatives. "157 However,
Title V, the CDA, contained provisions added either after the hear-
IM
ings were completed or as amendments during floor debates. ls8
Congress failed to thoroughly analyze the CDA and its potential ef-
SH
fect on the Internet, and the result was a hastily drafted piece of
legislation. ls9 The two statutory provisions challenged in Reno were
offered on the floor of the Senate and each provision received an
informal label. l60 Section 223(a), which prohibited knowingly trans-
LU

mitting obscene or indecent communications to minors, was labeled

the "indecent transmission" provision. Section 223(d), which pro-
hibited knowingly sending or displaying sexually explicit messages
PN

that were patently offensive to minors, was labeled the "patently of-
fensive display" provision. 161
In order to curtail the reach of these two provisions, Congress
enacted section 223 (e)( 5) .162 This provision provided two affirmative
H

defenses for potential violators seeking to escape the reach of sec-

tions 223(a) and 223(d).163 One defense pertained to a person who

153. Id. at 845.

154. Pub. L. No. 104-104, 110 Stat. 56 (1996).
155. Id.
156. See itl.
157. Reno v. ACLU, 117 S. Ct. 2329, 2338 (1997).
158. See id.
159. See infra note 28 and accompanying text.
160. See Reno, 117 S. Ct. at 2338.
161. See id.
162. See 47 U.S.C.A. § 223(e)(5) (Supp. 1998).
163. See Reno, 117 S. Ct. at 2339.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.27

 1998] Reno v. ACLU 295

had taken "'good faith, reasonable, effective, and appropriate ac-

tions' to restrict access by minors to the prohibited communica-
tions. "164 The second defense provided protection for "those who
restrict access to covered material by requiring certain designated
fonns of age proof, such as a verified credit card or an adult identi-
fication number or code. "165 Thus, Congress drafted what it believed
to be a narrowly tailored law which provided sufficient defenses to
prosecution in light of the Court's prior admonitions in Sable. l66
Reno provided the Supreme Court with the opportunity to consider
the constitutionality of the CDA and its affinnative defenses, while
defining its stance on Internet regulation. Prior to Reno, the Court
dealt with legislative subject matter that included areas with exten-
sive histories of governmental regulation. 167 However, the Internet
did not have this type of regulatory history and the CDA was the

LA
first attempt to regulate this medium of communication. l68 With the
ever-increasing amount of Internet use in this country and the in-
creasing awareness of the Internet's communicative capabilities,
IM
Reno presented a ripe situation for the Supreme Court to express its
opinion about Internet regulation. l69
SH

III. INSTANT CASE

President Clinton signed the CDA on February 8, 1996. 170 On
the same day, twenty plaintiffs, led by the ACLU, filed an action in
LU

164. Id. (quoting 47 U.S.CA § 223(e)(5)(A) (1997».

PN

165. Id. (citing 47 U.S.CA § 223(e)(5)(B) (1997».

166. See ilL For a discussion of Sable, see supra notes 121-32 and accompanying text.
167. See Reno, 117 S. Ct. at 2343 ("Thus, some of our cases have recognized special
justifications for regulation of the broadcast media that are not applicable to
H

other speakers.")(citations omitted); see also FCC v. League of Women Voters

of Cal., 468 U.S. 364, 376 (1984) (holding that the constitutionality of broad-
cast regulations does not require that such regulations serve "compelling" gov-
ernment interests since broadcast regulation "involves unique considera-
tions"); FCC v. Pacifica Found., 438 U.S. 726, 748-50 (1978) (holding that "of
all forms of communication, it is broadcasting that has received the most lim-
ited First Amendment protection" and the reasons for treating broadcasting
differently are: (1) broadcasts reach people in the privacy of their own homes
without prior warning and (2) broadcasts are available to children of all ages);
Red Lion Broad. Co. v. FCC, 395 U.S. 367, 386 (1969) (noting that the charac-
teristics of new media warrant different First Amendment analysis); NBC v.
United States, 319 U.S. 190,215 (1943) (upholding the FCC's authority to reg-
ulate radio communications beyond the engineering and technical aspects).
168. See Reno, 117 S. Ct. at 2343.
169. See infra notes 170-270 and accompanying text.
170. See Reno, 117 S. Ct. at 2339.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.28

 296 Baltimore Law Review [Vol. 28

the United States District Court for the Eastern District of Penn-
sylvania and moved for a temporary restraining order to enjoin en-
forcement of sections 223(a) and 223(d) of the CDA.17I The case
was assigned to Judge Ronald Buckwalter, and he proceeded to con-
duct an evidentiary hearing on February 15, 1996.172 Judge
Buckwalter granted a limited temporary restraining order after find-
ing that section 223(a)(1)(B) was unconstitutionally vague. 173 As a
result of this order, the CDA was not enforceable against any poten-
tial violators.174 When twenty-seven other plaintiffs filed the same
constitutional challenge to the CDA, a threejudge court convened
and consolidated the two cases. 175
The parties stipulated to many of the facts involved and placed
an extensive portion of their cases before the court by sworn decla-
rations at the consolidated hearings. 176 The plaintiffs targeted their

LA
constitutional challenge on section 223(a)(I)(B) and section
223(d) (1) of the CDA.I'7 However, the plaintiffs made it clear that
they did "not quarrel with the statute to the extent that it covers
IM
obscenity or child pornography, which were already proscribed
before the CDA's adoption. "178
SH
The district court held that sections 223(a)(1)(B) and
223(d)(l) were unconstitutional on their face under First Amend-
ment overbreadth and Fifth Amendment vagueness doctrines.179
Therefore, the judgment of the district court enjoined the Govern-
LU

ment from enforcing the "indecent" material prohibition in section

223(a)(1 )(B), but "preserve[d] the Government's right to investi-
PN

171. SeeACLU v. Reno, 929 F. Supp. 824, 827 (E.D. Pa. 1996).
172. See id. at 827.
173. See id.
H

174. See id.

175. See id. at 827-28 & n.3. The plaintiffs in the first suit requested Chief judge
Dolores Sloviter of the United States Court of Appeals for the Third Circuit to
appoint a three-judge court pursuant to section 561 (a) of the Communica-
tions Decency Act. See id. at 827. As is required by 28 U.S.C. § 2284, judge
Sloviter appointed such a court consisting of herself, judge Buckwalter, and
judge Stewart Dalzell. See id. Soon after these events, the American Library A!r
sociation, Inc. and an additional 26 plaintiffs filed a similar lawsuit against the
Government. See ill. at 827-28 & n.3. On February 27, 1996, Chief judge
Sloviter convened the same threejudge court and consolidated the two ac-
tions pursuant to FED. R CIV. P. 42(a). See id. at 828; see also supra note 3 and
accompanying text.
176. See Reno, 929 F. Supp. at 828.
177. See id. at 829.
178. [d.
179. See id. at 849.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.29

 1998] Reno v. ACLU 297

gate and prosecute the obscenity or child pornography activities

prohibited therein. The injunction against enforcement of sections
223(d)(l) and (2) [was] unqualified because those provisions con-
tain[ed] no separate reference to obscenity or child pornogra-
phy. "180 Although the district court's judgment was unanimous, each
judge wrote a separate opinion. 181
The Government appealed the order of the district court di-
rectly to the United States Supreme Court pursuant to section
561 (b) of the CDA. 182 This provision mandated that, upon request,
parties could appeal directly to the Supreme Court with a facial
constitutional challenge to the CDA.183 Mter reviewing the provi-
sions of the statute and the opposing arguments presented by the
parties, the Supreme Court affirmed the district court's decision on
First Amendment grounds without deciding whether the provisions

LA
violated the Fifth Amendment. l84
The Court reviewed past decisions upon which the Government
relied, analyzed the overbreadth of the CDA provisions at issue, and
IM
finally considered the Government's additional arguments concern-
ing affirmative defenses and the Act's severability clause. 18S The
SH
Court found the Government's reliance on past regulatory cases
misplaced and the language of the CDA's provisions overbroad. l86 In
striking down the challenged provisions, the Court relied on its
time-honored tradition of protecting free speech under the First
LU

Amendment when a statute is not narrowly tailored to support a le-

gitimate government interest. 187
A. Supreme Court Distinguishes Reno from Prior Cases
PN

In Reno, the Government argued that the CDA was constitution-

ally permissible under three of the Supreme Court's earlier cases. l88
These cases were Ginsberg v. New yom, 189 FCC v. Pacifica Foundation, 190
H

180. Id.
181. See ilL at 857-83.
182. See Reno, 117 S. Ct. at 234041.
183. See 47 U.S.C. § 561(b) (1997).
184. See Reno, 117 S. Ct. at 2341.
185. See infra notes 188-270 and accompanying text.
186. See infra notes 188-270 and accompanying text.
187. See Reno, 117 S. Ct. at 2348.
188. See ilL at 2341.
189. For a discussion of the Reno Court's distinguishment of Ginsberg v. New York. see
infra notes 193-201 and accompanying text.
190. For a discussion of the Reno Court's distinguishment of FCC v. Pacifica Found.,
see infra notes 202-10 and accompanying text.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.30

 298 Baltimore Law Review [Vol. 28

and Renton v. Playtime Theaters, Inc. 191 Instead of providing support

for the Government's position, the Court observed that these cases
created serious doubt about the constitutionality of the CDA's
provisions. 192
1. Ginsberg Distinguished from Reno
In Ginsberg, the Court upheld the constitutionality of a New
York statute that prohibited selling certain types of obscene material
to minors. 193 The Reno Court reasoned that the statute in Ginsberg
was narrower than the CDA in four different respects. l94 First, the
Ginsberg statute did not prevent parents who wished to purchase the
magazines for their children to do so, unlike the CDA, which would
be applicable even if parents consented to their children receiving
the material or supervised their children in obtaining the mate-

LA
rial. 19S Second, the statute in Ginsberg applied only to commercial
sales, unlike the CDA which contained no such limitation. l96 Third,
the Ginsberg statute specifically defined the harmful material sought
IM
to be suppressed as "utterly without redeeming social importance
for minors."I97 The CDA, on the other hand, failed to provide any
SH
definition of "indecent," which was employed in section
223 (a) (1).198 In addition, the "patently offensive" standard used in
section 223(d) failed to provide that such material must lack serious
literary, artistic, political, or scientific value in order to fall within
LU

the statute. l99 Lastly, the Court npted that the New York statute de-
fined a minor as any person under the age of seventeen, but the
CDA applied to persons under the age of eighteen,200 thereby in-
PN

creasing itsreach. 201 For these reasons, the Court rejected the Gov-

191. For a discussion of the Reno Court's distinguishment of Renton v. Playtime Thea-
H

tres, Inc., see also infra notes 211-21 and accompanying text.
192. See Reno, 117 S. Ct. at 2341.
193. See supra notes 84-101 and accompanying text.
194. See Reno, 117 S. Ct. at 2341.
195. See id. ("Under the CDA, by contrast, neither the parents' consent-nor even
their participation-in the communication would avoid the application of the
statute. ").
196. See id. The Ginsberg statute applied only to situations where merchants sold
magazines containing indecent materials to minors. See Ginsberg v. New York,
390 U.S. 629, 647 (1968).
197. Reno, 117 S. Ct. at 2341 (quoting Ginsberg v. New York, 390 U.S. 629, 646
(1968».
198. See id. at 2341.
199. See id.
200. See id.
201. By attempting to protect people 18 and under, the CDA in effect expands its

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.31

 1998] Reno v. ACLU 299

ernment's contention that the CDA was of a similar restrictive na-

ture to the Ginsberg statute.
2. Pacifica Distinguished from Reno
Thereafter, the Court compared its Pacifica decision with the
instant case because of the Government's argument that Pacifica ap-
plied to the analysis of the CDA. 202 In Pacifica, the Court upheld the
constitutionality of a declaratory order administered by the FCC
against a radio station that broadcast a certain comedic mono-
logue. 203 Again, the Court drew several distinctions between the
Pacifica order and the CDA. 204
First, the order in Pacifica applied to one specific broadcast,lOS
unlike the CDA's prohibitions which were "not limited to particular
times and [were] not dependent on any evaluation by an agency fa-

LA
miliar with the unique characteristics of the Internet. "206 Second,
the FCC's order was not punitive in any way, unlike the CDA which
imposed criminal sanctions on violators. 207 Lastly, the Pacifica order
IM
applied to radio broadcasts governed by the FCC, which historically
"received the most limited First Amendment protection"208 because
SH
warnings could not protect listeners from offensive program con-
tent. 209 In contrast, the Internet was not subject to any regulatory
agency's evaluations concerning material transmitted through it.210
3. Renton Distinguished from Reno
LU

Lastly, the Supreme Court distinguished the instant case from

its decision in Renton v. Playtime Theatres, Inc. 211 The zoning ordi-
PN

nance upheld in Renton had several distinguishing features from the

coverage to a whole other segment of society that many see as adult. See id. at
H

2346.
202. See ill. at 2341, 2343.
203. See supra notes 102-11 and accompanying text.
204. See infra notes 205-10 and accompanying text.
205. See Reno, 117 S. Ct. at 2342 ("[T]he order in Pacifica, issued by an agency that
had been regulating radio stations for decades, targeted a specific broadcast
that represented a rather dramatic departure from traditional program con-
tent in order to designate when-rather than whether-it would be permissi-
ble to air such a program in that particular medium.").
206. [do
207. See ill.
208. FCC v. Pacifica Found., 438 U.S. 726, 728 (1978).
209. See Reno, 117 S. Ct. at 2342.
210. See id.
211. 475 U.S. 41 (1986); see also infra notes 212-15 and accompanying text.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.32

 300 Baltimore Law Review [Vol. 28

COA.212 The Renton ordinance focused on minimizing the deleteri-

ous secondary effects that adult movie theaters have on residential
neighborhoods. 213 The COA did not focus on any secondary effects
that indecent or patently offensive material might have on children,
but "applie[d] broadly to the entire universe of cyberspace."214
Therefore, the Court reasoned that "the COA [was] a content-based
blanket restriction on speech, and, as such, [could not] be 'prop-
erly analyZed as a form of time, place, and manner regulation, "'21S
which was the analysis employed by the Court in Rentlm.
B. Broadcast Media Distinguished from Internet

To further distinguish its past justifications for subjecting the

broadcast media to harsh regulation, the Court noted several differ-
ences between broadcast media and the Internet. 216 These differ-

LA
ences include the long history of governmental regulation" of broad-
cast media,217 the lack of available frequencies for broadcasters,218
IM
212. See Reno, 117 S. Ct. at 234243.
SH
213. See id. at 2342 ("The [Renton] ordinance was aimed, not at the content of the
films shown in the theaters, but rather at the 'secondary effects'--such as
crime and deteriorating property values--that these theaters fostered .... ")
214. Id.
215. Id. (quoting Renton, 475 U.S. at 46). In Turner Broadcasting System, Inc. v. FCC,
LU

512 U.S. 622 (1994), the Court stated that "[a]s a general rule, laws that by
their terms distinguish favored speech from disfavored speech on the basis of
the ideas or views expressed are content based. By contrast, laws that confer
PN

benefits or impose burdens on speech without reference to the ideas or views

expressed are in most instances content-neutral." Id. at 643 (citations omit-
ted).
216. See Reno, 117 S. Ct. at 2343.
H

217. See Red Lion Broad. Co. v. FCC, 395 U.S. 367, 375 (1969) (holding" that the
history of the fairness doctrine and of related legislation demonstrates that
the FCC's action did not exceed its authority, that in adopting the new regula-
tions, the FCC was implementing Congressional policy, and that the fairness
doctrine and its specific manifestations in the personal attack and political ed-
itorial rules do not violate the First Amendment).
218. See Turner, 512 U.S. at 637 (holding that the appropriate standard by which to
evaluate the constitutionality of the must-carry provision is the intermediate
level of scrutiny applicable to content-neutral restrictions that impose an inci-
dental burden on speech); United States v. O'Brien, 391 U.S. 367, 377 (1968)
(holding that a content-neutral regulation will be sustained "if it furthers an
important or substantial governmental interest; if the governmental interest is
unrelated to the suppression of free expression; and if the incidental restric-
tion on alleged First Amendment freedoms is no greater than is essential to
the furtherance of that interest").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.33

 1998] Reno v. ACLU 301

and the intrusive nature of broadcasting. 219 The Court concluded

that none of these factors were present in cyberspace and deferred
to several of the district court's findings concerning the near impos-
sibility of a situation in which an Internet user would access sexually
explicit material accidentally or unwillingly.220 Accordingly, the Su-
preme Court agreed with the district court's conclusion that prior
Supreme Court case law failed to provide a compelling basis to sub-
ject the Internet to the watered-down level of First Amendment
scrutiny that broadcast media endure. 221 The Court then turned to
the affirmative precedent that required it to strike down the CDA.
C. Vagueness and the Miller Test
The Court did not analyze the CDA under the Fifth Amend-
ment because it struck down the provisions on First Amendment

LA
vagueness grounds. 222 Neither "indecent" nor "patently offensive"
was defined by the statute and the Court opined that these terms
would "provoke uncertainty among speakers about how the two
IM
standards relate to each other and just what they mean. "223 As a re-
sult of this vagueness, the CDA was in fact a blanket content-based
regulation of speech and would have a considerable chilling effect
SH

on free speech. 224 Furthermore, the CDA threatened potential viola-

219. See Sable Communications of Cal., Inc. v. FCC, 492 U.S. 115,128 (1989). In Sa-
LU

ble, the Court distinguished radio from telephone dial-a-porn:

There is no "captive audience" problem here; callers will generally
not be unwilling listeners. The context of dial-in services, where a
PN

caller seeks and is willing to pay for the communication, is manifestly

different from a situation in which a listener does not want the re-
ceived message. Placing a telephone call is not the same as turning
on a radio and being taken by surprise by an indecent message. Un-
H

like an unexpected outburst on a radio broadcast, the message re-

ceived by one who places a call to a dial-a-porn service is not so inva-
sive or surprising that it prevents an unwilling listener from avoiding
exposure to it.
220. Id. See Reno, 117 S. Ct. at 2343.
221. See id. at 2344.
222. See id.
223. Id. (footnote omitted).
224. See id.; see also Gentile v. State Bar of Nev., 501 U.S. 1030, 1048-51 (1991)
(holding that Nevada Supreme Court Rule 177, that prohibited a lawyer from
making extrajudicial statements to the press that have a substantial likelihood
of materially prejudicing an adjudication proceeding, was void for vagueness
because the rule failed to provide fair notice to those at whom it was directed
and was so imprecise grammatically that discriminatory enforcement was a
real possibility).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.34

302 Baltimore Law Review [Vol. 28

tors with criminal sanctions. 22S The Court reasoned that the uncer-
tainty of what material the statute covered, coupled with the threat
of prosecution may deter people from communicating with one an-
other through words or ideas that mayor may not be unlawful. 226
The Government's response to this vagueness finding was that
the statute was no more vague than the three-prong obscenity stan-
dard created by the Court in Miller v. Californit/,.227 The Government
reasoned that q-te "patently offensive" standard of the CDA was in-
cluded in the second prong of the widely accepted Miller obscenity
test; therefore, according to the Government, the resulting conclu-
sion must be that the COA was constitutionally defensible. 228 The
Supreme Court found the Government's reasoning 'flawed in several
respects. 229
All three prongs of the Miller test work together to limit the

LA
reach of the obscenity standard. 230 Thus, it would be incorrect to
evaluate one prong without considering the others. The COA
lacked any limiting language and created a greater danger of sup-
IM
pressing speech that would otherwise lie beyond the reach of the
Miller standard. 231 When a statutory regulation affects constitution-
ally protected speech in an adverse manner, the Government must
SH

demonstrate that the regulation promotes a compelling interest and

that the least restrictive means of furthering such interests are
employed.232
The Supreme Court concluded that in order for the COA to
LU

meet its intended purpose of denying minors access to sexually ex-

PN

225. See Reno, 117 S. Ct. at 2344-45.

226. See id. at 2345.
227. See ill. (discussing Miller v. California, 413 U.S. 15, 24 (1973». In Miller, the
Court reaffirmed Roth v. United States, 354 U.S. 476 (1957), holding that ob-
H

scene material is not protected by the First Amendment. See Miller, 413 U.S. at
36.
228. See Reno, 117 S. Ct. at 2345.
229. See id. The Court concluded that the Government was incorrect because the
second prong of the Miller test limited its reach to certain material "'specifi-
cally defined by the applicable state law. '" Id. The CDA has no such require-
ment, which would have the effect of reducing the vagueness of "patently of-
fensive." Id. Furthermore, the Miller test is limited to "sexual conduct," while
the CDA extends to "'excretory activities' as well as 'organs' of both a sexual
and excretory nature." Id.
230. See ill. ("Just because a definition including three limitations is not vague, it
does not follow that one of those limitations, standing by itself, is not
vague.").
231. See ill. at 2346.
232. See Sable Communications of Cal, Inc. v. FCC, 492 U.S. 115, 126 (1989).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.35

 1998] Reno v. ACLU 303

plicit material, it must suppress a plethora of speech "that adults

have a constitutional right to receive and to address to one an-
other. "233 In prior cases, the Court consistently held that speech
which was indecent but not obscene was entitled to protection
under the First Amendment as to the adult population.234 Protecting
children from harmful materials is a valid governmental interest
which has received repeated recognition by the Court. 23S However,
the interest in protecting minors never justifies "an unnecessarily
broad suppression of speech addressed to adults. "236 Thus, the
Court agreed with the district court that the CDA was analogous to
the dial-a-pom ban in Sable.237
In Sable, the FCC argued that the Court "should defer to Con-
gress' conclusion about an issue of constitutional law. "238 The Court
responded that "it is [the Court's] task in the end to decide

LA
whether Congress has violated the Constitution "239 and rejected the
notion "that nothing less than a total ban would be effective in
preventing enterprising youngsters from gaining access to indecent
IM
communications."240 As a result, the Sable Court declared that a con-
stitutional inquiry does not end merely because a statute serves a Ie-
SH

233. Reno, 117 S. Ct. at 2346.

234. See Sable, 492 U.S. at 126; see also Carey v. Population Servs. Int'l, 431 U.S. 678,
LU

701 (1977) ("[W]here obscenity is not involved, [the Court has] consistently
held that the fact that protected speech may be offensive to some does not
justify its suppression.").
235. See FCC v. Pacifica Found., 438 U.S. 726, 749 (1978) (noting that certain busi-
PN

nesses, such as movie theaters and book stores, may be prohibited from giving
children access to indecent material); Ginsberg v. New York, 390 U.S. 629, 639
(1968) (upholding a state statute that limited the availability of sexual material
H

to minors because such material Was deemed to be harmful to the develop-

ment of minors).
236. Reno, 117 S. Ct. at 2346. "[T]he Government may not 'reduc[e] the adult pop-
ulation ... to ... only what is fit for children.'" Id. (quoting Denver Area
Educ. Telecomms. Consortium, Inc. v. FCC, 116 S. Ct. 2374, 2393 (1996)
(quoting Sable Communications of Cal., Inc. v. FCC, 492 U.S. 115, 128
(1989»). "[R] egardless of the strength of the government's interest' in pro-
tecting children, '[t]he level of discourse reaching a mailbox simply cannot be
limited to that which would be suitable for a sandbox.'" Id. (quoting Bolger v.
Youngs Drug Prods. Corp., 463 U.S. 60, 74-75 (1983».
237. See id.
238. Sable, 492 U.S. at 129.
239. Id.; see also Marbury v. Madison, 5 U.S. 137, 177 (1803) (holding that it is the
responsibility of the judiciary to interpret the law).
240. Reno, 117 S. Ct. at 2346.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.36

 304 Baltimore Law Review [Vol. 28

gitimate government interest. 241 The purpose of the statute must be

served through the least restrictive means possible for it to survive
constitutional scrutiny.242
The Supreme Court distinguished the CDA from the statutes in
Ginsberg and Pacifica because the least restrictive means of attaining
the goal of the CDA were not used. 243 The Ginsberg and Pacifica stat-
utes were tailored to meet their purposes in the least restrictive
manner possible, whereas the CDA was not limited in any similar
way. 244 As written, the CDA would prohibit access to
"nonpornographic material with serious educational or other
value"24s and would subject parents to a prison sentence for al-
lowing their children to access information on the Internet that the
parents deem appropriate. 246 Therefore, the CDA was a content-
based restriction on speech, and the Government had the burden

LA
of showing "why a less restrictive provision would not be as effective
as the CDA. "247
The Government could not prove that there were effective
IM
means, at a reasonably affordable price, for non-commercial speak-
SH
241. See ill. ("[T]he mere fact that a statutory regulation of speech was enacted for
the important purpose of protecting children from exposure to sexually ex-
plicit material does not foreclose inquiry into its validity.") (footnote omitted).
242. "As we pointed out last Term, that inquiry embodies an 'over-arching commit-
ment' to make sure that Congress has designed its statute to accomplish its
LU

purpose 'without imposing an unnecessarily great restriction on speech.'" Id.

at 234647 (quoting Denver Area Educ. Telecomms. Consortium, Inc. v. FCC,
116 S. Ct. 2374, 2385 (1996) (holding that a statutory provision permitting a
PN

cable operator to prohibit patently offensive or indecent programming on

leased access channels is consistent with the First Amendment, a "segregate
and block" provision with respect to the leased access channels violates the
First Amendment, and a provision permitting the operator to prohibit pa-
H

tently offensive or indecent programming on public access channels violates

the First Amendment».
243. See ill. ("Unlike the regulations upheld in Ginsberg and Pacifica, the scope of
the CDA is not limited to commercial speech or commercial entities. Its open-
ended prohibitions embrace all non-profit entities and individuals posting in-
decent messages or displaying them on their own computers in the presence
of minors.").
244. See ill.
245. Id.
246. See ill. at 2348 ("Similarly, a parent who sent his 17-year-old college freshman
information on birth control via e-mail could be incarcerated even though
neither he, his child, nor anyone in their home community, found the mate-
rial 'indecent' or 'patently offensive,' if the college town's community thought
otherwise. ").
247. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.37

 1998] Reno v. ACLU 305

ers to screen minors from "accessing material through e-mail.mail

exploders, newsgroups, or chat rooms. "248 Therefore, a great deal of
adult communication on the Internet was hindered because of the
all-encompass.ing language of the CDA.249 The Government simply
failed to meet its burden and as a result the CDA, as written, was
facially overbroad under the First Amendment.2S0
The Government set forth several additional arguments in sup-
port of the constitutionality of the CDA, which were dismissed by
the Court.25I In addition to these rejected arguments, the Govern-
ment suggested that the affirmative defenses provided in section
223(e) (5)252 curtailed the statute's unconstitutional reach.2S3 How-

248. Id. at 2347 (citing ACLU v. Reno, 929 F. Supp. 824, 845 (E.D. Pa. 1996».
249. See Reno, 117 S. Ct. at 2347.- "These limitations must inevitably curtail a signifi-

LA
cant amount of adult communication on the Internet." Iff.. "The breadth of
the CDA's coverage is wholly unprecedented." Iff..
250. See ilL
IM
251. See ilL at 234849. These arguments included: (1) that the CDA was constitu-
tional because it leaves open ample alternative channels of communication;
(2) that the plain meaning of the Act's "knowledge" and "specific person" re-
SH
quirement restricts its applications; and (3) the Act's prohibitions are almost
always limited to material lacking social value. See ilL at 2349.
252. 47 U.S.C. § 223(e)(5) (Supp. 1998). Section 223(e)(5) provided:
(a) Defenses-In addition to any other defenses available by law... (5) It is
a defense to a prosecution under subsection (a)(I)(B) or (d) of this sec-
LU

tion, or under subsection (a) (2) of this section with respect to the use of
a facility for an activity under subsection (a)(I)(B) of this section that a
person-(A) has taken, in good faith, reasonable, effective, and appropri-
PN

ate actions under the circumstances to restrict or prevent access by mi-

nors to a communication specified in such subsections, which may in-
volve any appropriate measures to restrict minors from such
communications, including any method which is feasible under available
H

technology; or has restricted access to such communication by requiring

use of a verified credit card, debit account, adult access code, or adult
personal identification number.
Id. Finally, the Government argued that the CDA helps to encourage the
growth of the Internet because people who refuse to subscribe to the Internet
due to the pornographic material available to children would no longer have
to worry about such a problem. Thus, the Government reasoned that this ar-
gument "provides an independent basis for upholding the constitutionality of
the CDA." Reno, 177 S.Ct. at 2351. However, the Court considered this argu-
ment the Government's weakest because it contradicted the district court's fac-
tual findings. See id. These findings indicated the recent, expansive growth of
the Internet occurred regardless of the availability of sexual material on the
Internet. See id. "The Government apparently assumes that the unregulated
availability of 'indecent' and 'patently offensive' material on the Internet is
driving countless citizens away from the medium because of the risk of expos-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.38

 306 Baltimore Law Review [Vol. 28

ever, the Court concluded that the Government's suggestion of

"tagging" sexually explicit transmissions per section 223(e)(5)(A)
would be ineffective, and thus the defense was "illusory."254 Further-
more, the age verification defense provided by section 223(e)(5)(B)
was not economically feasible for most non-commercial information
providers to use, and therefore, the defense failed to sufficiently
narrow the statute's burden on speech. 2ss Ultimately, the Court
agreed with the district court's conclusions that "the defenses do
not constitute the sort of 'narrow tailoring' that will save an other-
wise patently invalid unconstitutional provision. "256
At oral argument before the Supreme Court, the Government
urged that the Court should honor section 608 of the CDA-the
severability clause of the statute. 2S7 The Court declined to do so as
to section 223(d), opting to strike it down entirely because "inde-
cent" speech receives constitutional protection. 258 The Court agreed

LA
to sever the phrase "or indecent" from section 223(a), leaving the
remainder of section 223(a) intact because it related solely to ob-
IM
scene speech which is not entitled to First Amendment protec-
tion.259 However, the Court concluded that the severability provision
could do nothing else to save the remainder of sections 223(a) or
SH

ing themselves or their children to harmful material." [d. "The dramatic ex-
LU

pansion of this new marketplace of ideas contradicts the factual basis of this
contention. The record demonstrates that the growth of the Internet has been
and continues to be phenomenal." [d.
PN

253. See Reno, 117 S. Ct. at 2349-50.

254. See id. at 2349. "Tagging" means that a person could "encode their indecent
communications in a way that would indicate their contents, thus permitting
recipients to block their reception with appropriate software." [do. At the time
H

the case was before the district court, no such software was available. See id.
255. See id. Age verification is currently used by commercial providers of sexually
explicit material, and thus they would be protected by the statute. See ill. How-
ever, the Government failed to prove that the age verification actually pre-
cluded minors from casting themselves as adults. See id. "The Government
thus failed to prove that the proffered defense would significantly reduce the
heavy burden on adult speech produced by the prohibition on offensive dis-
plays." [do at 2350.
256. [do
257. See 47 U.S.C. § 608 (1994). Section 608 provided: "If any provision of this
chapter or the application thereof to any person or circumstances is held inva-
lid, the remainder of the chapter and the application of such provision to
other persons or circumstances shall not be affected thereby." [do
258. See ill.
259. See ill.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.39

 1998] Reno v. ACLU 307

223(d).260

IV. ANALYSIS
A. Discussion of Supreme Court s Holding and Rationale
The Supreme Court did not strike down the entire CDA.261 In-
stead, the Court struck down the "indecent" and "patently offen-
sive" sections of the CDA because they were unconstitutionally over-
broad. 262 However, the "obscenity" provisions of the CDA were not
challenged and remain good law. 263 In its holding, the majority olr
served how the Internet existed at the time the case was before the
Court. 264 All of the Justices agreed that age-verifying gateway tech-
nology was not widely available, particularly for non-commercial in-
formation providers. 26S It is not the Court's duty to forecast whether
technical developments might occur in the near future or in the

LA
years or decades that follow. 266 The majority's position is defensible
inasmuch as it held that the CDA did not pass constitutional muster
IM
because it contained undefined terms, and more importantly,
lacked narrowly tailored means to meet the governmental purpose
of the statute. 267
SH
However, one may accurately hypothesize that if the Court
found that gateway technology was available to all Internet speakers
when the case was before it, the CDA may have withstood the
Court's First Amendment scrutiny. This type of technology could
LU

provide the Government with the narrowly tailored means necessary

for legislation to survive strict scrutiny because it would make the
statutory defenses effective for all information providers. Therefore,
PN

a question arises as to whether the Court genuinely intends to pro-

vide the Internet with such broad protection in the future. For ex-
ample, the Court affirmed in Reno that the Government has a valid
H

interest in protecting children from harmful material. 268 Therefore,

access by minors to material on the Internet that is not obscene,

260. See id. The Court also refused to limit its holding to a "judicially defined set
of specific applications." [d.
261. See supra notes 154-61 and accompanying text.
262. See supra notes 185-87 and accompanying text.
263. See supra note 177.
264. See supra notes 133-53 and accompanying text.
265. Such software was not available, but Internet filtering software for information
receivers was available. See Reno, 117 S. Ct. at 2349.
266. See id.
267. See supra notes 222-50 and accompanying text.
268. See supra note 235 and accompanying text.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.40

 308 Baltimore Law Review [Vol. 28

but still harmful to them, can be regulated if the legislation con-

taining these restrictions is appropriately drafted by Congress.
In enacting the CDA, Congress simply did not research the
myriad of issues involved with such an expansive regulation. 269 The
provisions were not the result of any Congressional hearings, and
thus no legislative findings existed to provide factual support for the
CDA.270 In failing to draft clear, concise constitutional legislation,
the Court once again sent a message to Congress that ill-prepared
legislation will not be tolerated when it unduly restricts information
flowing to and from the marketplace of ideas.271
B. Alternative Approach
The Reno decision was not without a differing viewpoint. Justice
Sandra Day O'Connor wrote a separate opinion, joined by Chief

LA
Justice William Rehnquist, concurring in part and dissenting in part
with the majority opinion. 272 Justice O'Connor concluded that the
"indecent" provision of the CDA was not unconstitutional on its
IM
face.273 Her opinion began with the observation that section 223(d)
was really two separate provisions and labeled them as the "specific
person" provision and the "display" provision.274 She reasoned that
SH

each provision deserved a separate constitutional analysis. 27S Further-

more, she observed that the statute was not written to prevent
adults from accessing indecent material, but rather "the undeniable
purpose of the CDA [was] to segregate indecent material on the In-
LU

ternet into certain areas that minors cannot access. "276 The legisla-
tion created "adult zones," and the Court has upheld analogous
PN

zoning legislation in the past, but only when they meet the require-
ments of the First Amendment.277 In Justice O'Connor's opinion,
H

269. See supra notes 28 and 158-60 and accompanying text.

270. See supra notes 28 and 158-60 and accompanying text.
271. See supra notes 238-50 and accompanying text.
272. See Reno v. ACLU, 117 S. Ct. 2329, 2351-57 (1997) (O'Connor, j., concurring
in part, dissenting in part).
273. See id. at 2357 (O'Connor, J., concurring in part, dissenting in part).
274. See ill. at 2352 (O'Connor, J., concurring in part, dissenting in part).
275. See ill. (O'Connor, J., concurring in part, dissenting in part).
276. Id.
277. See id. at 2353-54 (O'Connor, J., concurring in part, dissenting in part). Many
states have enacted legislation which in effect creates these adult zones. See,
e.g., MD. ANN. CoDE art. 27, § 416E (1996) (prohibiting minors in establish-
ments where certain enumerated acts are performed or portrayed); MD. ANN.
CoDE art. 27, § 416B (1996) (denying minors access to speech deemed harm-
ful to minors).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.41

 318 Baltimore Law Review [Vol. 28

v. CONCLUSION
Reno v. ACLU addressed whether sections 223 (a) (1) and 223(d)
of the CDA impinged on the First Amendment rights of adults. 349
More importantly, the United States Supreme Court invalidated the
first governmental attempt to regulate pornography on the most ex-
pansive, technologically advanced mode of communication known
to this day.3so The Supreme Court held that both sections 223(a)(1)
and 223(d) were overbroad to the extent they covered undefined
"indecent" material, and as a result violated the First Amendment
because they could suppress constitutionally protected speech. 3S1
The Court recognized the importance of protecting minors
from harmful material, but refused to "'reduc[e] the adult popula-
tion . . . to . . . only what is fit for children. "'352 This refusal reaf-

LA
firms the principle that the government may regulate constitution-
ally protected speech, but only when such a regulation serves a
legitimate government purpose and is narrowly tailored by the least
IM
restrictive means available. 3S3 Only time will tell whether the newly
adopted Internet Indecency Act will survive constitutional scrutiny.
SH
However, it appears as though the government has taken adequate
steps to assure that the Act will survive a constitutional challenge
and has cured the defects present in the CDA that proved fatal to
its intentions in Reno.
LU

Scott A. Shail
PN
H

younger. CompaTe 47 U.S.C. § 223(a)(1)(B) (1997) (CDA). with 47 U.S.C. §

231(d)(7) (1999) (COPA).
349. See supra notes 4-23 and accompanying text.
350. See supra notes 17~270 and accompanying text.
351. See supra notes 17~270 and accompanying text.
352. Reno v. ACLU. 117 S. Ct. 2329, 2346 (1997) (quoting Denver Area Educ.
Telecomms. Consortium. Inc. v. FCC, 518 U.S. 727, 759 (1996) (quoting Sable
Communications of Cal.. Inc. v. FCC, 492 U.S. 115, 128 (1989»).
353. See supra note 187 and accompanying text.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.42

 1998] Reno v. ACLU 309

the Court should uphold this type of zoning law "if (i) [the stat-
ute] ... does not unduly restrict adult access to the material; and
(ii) minors have no First Amendment right to read or view the
banned material. "278
justice O'Connor proceeded to discuss the "unzoneable" na-
ture of cyberspace. 279 In comparing prior case law with Reno,2Bll jus-
tice O'Connor stated that previous zoning laws existed "in the phys-
ical world, a world with two characteristics that make it possible to
create 'adult zones': geography and identity. "281 These characteristics
allow owners to exclude minors from their establishments without
affecting the First Amendment rights of adults.282
Adults are unduly affected by the CDA provisions because these
two principles---geography and identity---do not exist in cyber-
space.283 justice O'Connor recognized the future possibility of con-

LA
structing barriers on the Internet to screen user identification, thus
making cyberspace potentially zoneable.284 However, these advance-
ments have not been fully developed, nor were th~y available to all
IM
Internet users at the time Reno was decided.28S As a result, this tech-
nology did not save the "display" provision, section 223 (d)(l)(B) ,
from constitutional failure. 286 Thus, Justice O'Connor agreed with
SH
the majority that this section of the CDA caused speakers to com-
pletely refrain from using indecent speech, and as a result, unduly
affected the First Amendment rights of adults.287
Sections 223(a)(1)(B) and 223(d)(l)(A) were the subject of
LU

justice O'Connor's dissenting opinion because she reasoned that

they were not unconstitutional in every application. 288 justice
O'Connor noted that for section 223(a)(1)(B) to apply, the infor-
PN

mation sender must have known the recipient was under eighteen
H

278. Reno, 117 S. Ct. at 2352-53 (O'Connor, j., concurring in part, dissenting in
part).
279. See id. at 2353-54 (O·Connor. j., concurring in part, dissenting in part).
280. See id. at 2353 (O'Connor, j.. concurring in part. dissenting in part).
281. Id.
282. See id.
283. See id.
284. See id.
285. See id. at 2353-54. (O'Connor, j.. concurring in part. dissenting in part). These
advancements are known as "gateway" technology. and includes adult verifica-
tion numbers, screening software such as Cyber Patrol and SurfWatch, and
Web browsers with screening capabilities. See id.
286. See id. at 2354 (O·Connor. j.. concurring in part, dissenting in part).
287. See id.
288. See id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.43

310 Baltimore Law Review [Vol. 28

years 01d. 289 Justice O'Connor opined that section 223(d) should be
construed to require this knowledge as well, even though this re-
quirement was lacking from the language of the statute. 290 Justice
O'Connor reasoned that when the provisions were read to require
knowledge, they would be no different than the statute in Ginsberg
as applied to a conversation between an adult and a minor.291
However, when more than one adult participates in a conversa-
tion that is subsequently joined by a minor, the Ginsberg 292 analogy
is destroyed because the CDA requires adults to cease using inde-
cent speech immediate1y.293 Therefore, in this situation, the CDA
provisions restrict the rights of adults to use indecent speech over
the Internet. 294 However, when an adult's constitutional right to en-
gage in indecent speech would not normally be affected by a stat-
ute, a facial challenge to the statute will faiJ.295 As a result, the

LA
Court has the authority to strike, as unconstitutional, portions of
the CDA as they pertain to communications between adults and up-
hold those same provisions as they pertain to communications in-
IM
volving minors.296 Based on this authority, Justice O'Connor "sus-
tain [ed] the 'indecency transmission' and 'specific person'
provisions to the extent they apply to the transmission of Internet
SH

communications where the party initiating the communication

knows that all of the recipients are minors. "297
LU

289. See id.

290. See id.
PN

291. See id. at 2355 ("Restricting what the adult may say to the minors in no way re-
stricts the adult's ability to communicate with other adults. He is not pre-
vented from speaking indecently to other adults in a chat room (because
there are no other adults participating in the conversation) and he remains
H

free to send indecent e-mails to other adults.") (O'Connor, J., concurring in

part, dissenting in part).
292. See supra notes 83-101 and accompanying text.
293. See Reno, 117 S. Ct. at 2355 (O'Connor, J., concurring in part, dissenting in
part). "If they did not, they could be prosecuted under the 'indecency trans-
mission' and 'specific person' provisions for any indecent statements they
make to the group, since they would be transmitting an indecent message to
specific persons, one of whom is a minor." Id.
294. See id.
295. See ill. ; see also United States v. Salerno, 481 U.S. 739, 745 (1987) (stating that
a facial challenge to legislation succeeds only if the challenger shows that no
circumstances exist under which the statute is valid). .
296. See Reno, 117 S. Ct. at 2355 (O'Connor, J., concurring in part, dissenting in
part) (quoting Brockett v. Spokane Arcades, litc., 472 U.S. 491, 504 (1985».
297. Id. at 2356 (O'Connor, J., concurring in part, dissenting in part).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.44

 1998] Reno v. ACLU 311

Justice O'Connor then analyzed the COA under the second

prong of the valid zoning law inquiry, which is whether the statute
interferes with minors' First Amendment rights. 298 She concluded
that "the CDA does not burden a substantial amount of minors'
constitutionally protected speech. "299 Justice O'Connor referred to
Ginsberg in which the Court determined that minors may be denied
access to certain material deemed obscene as to minors, and estab-
lished the test for determining what materials fall into this cate-
gory.300 Justice O'Connor reasoned that the CDA could potentially
ban speech that minors have a constitutional right to access because
Congress failed to clarify what constitutes "patently offensive"
speech under the COA 301 This potential interference, however, was
not enough for plaintiffs to successfully prove that the COA was
overbroad. 302 Justice O'Connor observed that the plaintiffs simply

LA
failed to prove substantial overbreadth concerning minors' speech
rights, and thus a facial challenge of the CDA should fai1. 303 Justice
O'Connor concluded, under the zoning law analysis, the "display,"
IM
"indecency transmission," and "specific person" provisions were un-
constitutional as applied to communications between adults.304 How-
ever, the "indecency transmission" and "specific person" provisions
SH

were constitutionally valid as applied to communications between an

adult and one or more minors, and thus those portions of the stat-
ute should be upheld as constitutiona1. 30S
LU

Justice O'Connor's concurring and dissenting opinion provided

an alternative overbreadth analysis of the COA306 This reasoning ad-
heres to the principle that a statute may be declared unconstitu-
PN

tional in part, but otherwise left intact. 307 Justice O'Connor's opin-
ion accurately demonstrates a flexible, realistic approach to
H

298. See id.

299. Id. at 2357 (O'Connor, J., concurring in part, dissenting in part).
300. See id. at 2356 (O'Connor, J., concurring in part, dissenting in part).
301. See id. An example of speech that a minor has a right to access, but would be
banned by the CDA, is any speech that has some redeeming value for minors
and does not appeal to their prurient interest. See itl.
302. See id. "Our cases require a proof of 'real' and 'substantial' overbreadth." Id.
(citing Broadrick v. Oklahoma, 413 U.S. 601, 615 (1973».
303. See id.
304. See id. at 2357 (O'Connor, J., concurring in part, dissenting in part).
305. See id.
306. See supra notes 271-304 and accompanying text.
307. See Rerw, 117 S. Ct. at 2355 (O'Connor, j., concurring in part, dissenting in
part) (quoting Brockett v. Spokane Arcades, Inc., 472 U.S. 491, 504 (1985».

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.45

 312 Baltimore Law Review [Vol. 28

determining the constitutionality of statutes, which effectively pre-

serves the congressional intent behind such legislation.
C. Impact of Reno v. ACLU
In Reno v. ACLU, the United States Supreme Court reaffirmed
the framework for conducting a constitutional analysis of overbroad
legislative enactments under the First Amendment. 308 The effect of
this designed constitutional inquiry is twofold: (1) overbroad legisla-
tion that the Court strictly scrutinizes will be deemed unconstitu-
tional under the First Amendment if it chills protected free speech,
unless Congress narrowly tailors the provision so that the statute in-
fringes such rights in the least intrusive way possible, and (2) Con-
gress is forced to carefully investigate the subject matter of a statute
to ensure the means for avoiding legislative overbreadth are clearly
available to all who may fall within the reach of the statutory lan-

LA
guage in order to survive constitutional scrutiny.
It would be difficult to argue that the result of the Reno deci-
IM
sion surprised First Amendment scholars, especially in light of Sa-
ble. 300 Although the version of the CDA in Sable created a complete
ban on indecent material, and thus is facially distinguishable from
SH
the version of the CDA at issue in Reno, the facts in Reno illustrate
that the CDA created a total ban on constitutionally protected
speech.310 Congress failed to document that the technology existed
for the ·CDA, in its current form, to pass constitutional scrutiny.3I1
LU

According to the information before the Court, there was no viable

age verification process to protect information providers, and there-
fore the statutory affirmative defenses were not an effective means
PN

to avoid prosecution. 312 Thus, the cumulative effect of all these fac-
tors created an identical restriction on speech as did the statute that
was at issue in Sable.313
H

The Reno decision directly benefits Internet users who choose

to provide indecent material to others. The Supreme Court ex-
pressly stated that the Internet deserves far more protection from
regulation than does broadcasting. 314 Therefore, it is highly proba-
ble that potential Internet regulation supporters will be unable to

308. See supra notes 170-270 and accompanying text.

309. See supra notes 121-32 and accompanying text.
310. See Reno, 117 S. Ct. at 2347-50.
311. See supra note 284 and accompanying text.
312. See Reno, 117 S. Ct. at 2349-50.
313. See supra notes 121-32 and accompanying text.
314. See. Reno, 117 S. Ct. at 2343.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.46

 1998] Reno v. ACLU 313

draw any support from prior cases upholding the regulation of

broadcast media. This reduces the amount of legal authority at
their disposal and greatly reduces the chances of mounting success-
ful defenses against the constitutional challenges to Internet
regulations.
On the other hand, Reno does provide hope for those who sup-
port regulating the Internet. Once computer software is available to
the average Internet user that allows persons to verify the age of a
recipient, statutes such as the CDA will enjoy greater judicial sup-
port. This software will allow an Internet user wishing to send inde-
cent messages to be reasonably sure that another user with whom
the individual is communicating is an adult. This assurance will al-
low people to communicate with one another without the threat of
prosecution under a statute that regulates communication, thus

LA
avoiding forced silence upon people and violations of the First
Amendment. Until such software is available to all Internet users,
whether commercial or non-commercial, legislation seeking to regu-
IM
late protected speech communicated over this medium of commu-
nication will not succeed.
Reno also affected the contemporary political arena, compelling
SH
the legislative and executive branches to carefully consider First
Amendment values as they create and administer regulations of the
Internet.31S Within six months of the Court's decision in Reno, Vice
President AI Gore announced that the Clinton administration would
LU

join members of the online industry to form "Kids Online," a na-

tional effort to make the Internet and online services "safer for chil-
dren. "316 Rather than calling for increased regulation of the In-
PN
H

315. See infra notes 314-22 and accompanying text.

316. Kids Online to get Administration Support, COMM. DAILY, Dec. 2, 1997, available in
1997 WL 13781115. Participating members of the online industry include
America Online, the American Library Association, the WaIt Disney Company,
and Time Warner, Inc. See id. Each company will design and provide its own
protective program for children. See id. Additionally, Gore praised the "use of
Internet blocking and screening," and stated that the "use of such devices by
parents 'is not censorship.'" Gore at Summit Conference Sets Kids Online Policy,
CoMM. DAILY, Dec. 3, 1997, available in 1997 WL 13781201. Gore further com-
mented: "It's called 'parenting,' and blocking was 'fully protected' by the First
Amendment." It! Furthermore, Gore praised "Web sites that have started to
rate themselves and the online industry for its decision to adopt a formal pol-
icy statement showing 'zero tolerance' for child pornography and that In-
ternet service providers will 'be working closely with law enforcement to re-
port and pursue any suspicious activity. '" Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.47

314 Baltimore Law Review [Vol. 28

ternet,317 the Clinton Administration's cooperative approach to the

problems posed by indecent material on the Internet reflects a real-
ization that only with the online industry's cooperation can there be
effective restrictions without a "nationwide backlash" occurring
"that could stunt the growth of [the] Internet."318 Along with par-
ents,319 this coalition will.move toward strengthening the Reno
majority's conclusion that Internet-filtering software is a viable alter-
native to a complete ban of indecent speech.
D. Congressional IWponse
The Reno Court was mainly concerned with two characteristics
of the CDA.320 First, the CDA covered commercial and non-
commercial information providers and applied the same level of lia-
bility to these two categories. 321 Second, the CDA failed to provide
any definition of "indecent" and omitted the requirement that "pa-

LA
tently offensive" material must lack socially redeeming value. 322 In
response to these concerns, the legislative branch of the federal
IM
317. Vice President Gore was quick to· recognize that this program "should follow
dictates of court decisions and [the] Constitution." [d. Gore attacked groups
SH
that support increased government involvement, stating "that government has
to follow court rulings and 'we must find methods to keep our children safe
that do not infringe on the free speech of others.... [d.
318. [d. The administration openly supported a "3rd way" policy that calls for in-
LU

dustry lead~rs to work alongside the government in solving the present

problems with children and the Internet. See id.
319. Some would contend that Reno shifts the responsibility of keeping children
away from sexuall~xplicit material on the Internet to parents. See Ann Gre-
PN

gor, Filtering Software Can Help Make Surfing Safer for Kids, HOME PC, Nov. I,
1997, available in 1997 WL 2968922. This responsibility has spurred a move-
ment in the online industry to develop new and improved Internet-filtering
H

software. See id. Several examples of available programs parents can use to ac-
complish this task are Microsystems' Cyber Patrol, Solid Oak Software's Cyber-
Sitter, Net Nanny Ltd.'s Net Nanny, Spyglass's SurfWatch, and Security
Software Systems' Cyber Sentinel. See id. These programs all share certain simi-
larities so that:
As children surf, the filters compare what's streaming into the com-
puter against lists of proscribed words, phrases and Internet ad-
dresses. If the software finds a match, the page won't appear on-
screen. Some programs get parents started with extensive lists of un-
desirable sites; others rely more on users to create their own lists, cit-
ing the vast differences in what parents consider objectionable.
[d.
320. See Reno v. ACLU, 117 S. Ct. 2324, 2345, 2347 (1997).
321. See ill. at 2347.
322. See ill. at 2345.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.48

 1998] Reno v. ACLU 315

government accepted the Supreme Court's challenge issued in

Reno. The United States Senate Commerce Committee approved
Senate Bill 1482, a bill written by Senator Dan Coats of Indiana that
amends section 223 of the Communications Act of 1934, and is "de-
signed to prevent indecent material from being conveyed over the
Internet" to people under seventeen years old. 323 Senate Bill 1482 is
known as the Internet Indecency Act, and it outlaws the commercial
distribution of pornography over the Internet to minors. 324
The Internet Indecency Act appears to be a reincarnation of
the Communications Decency Act designed to withstand constitu-
tional challenge. "325 Senate Bill 1482 is modeled after the New York
statute that the Supreme Court upheld in Ginsberg v. New York with

323. Senate Panel OK's School Filtering, Internet Decency Bills, Funds NGI, EDUC. TECH.

LA
NEWS, Mar. 18, 1998, availahle in 1998 WL 10242373.
324. S. 1482, 105th Cong. (1998) provides:
Section 1. Prohibition on Commercial Distribution on the World
IM
Wide Web of Material that is Harmful to Minors. (a) Prohibition- (1)
IN GENERAL - Section 223 of the Communications Act of 1934 (47
U.S.C. 223) is amended -(A) by redesignating subsections (e), (f),
SH
(g), and (h) as subsections (f),(g), (h), and (i), respectively; and (B)
by inserting after subsection (d) the following new section (e): (e)
(1) Whoever in interstate or foreign commerce in or through the
World Wide Web is engaged in the business of the commercial distri-
bution of material that is harmful to minors shall restrict access to
LU

such material by persons under 17 years of age. (2) Any person who
violates paragraph (1) shall be fined not more than $50,000, impris-
oned not more than six months, or both... (5)it is an affirmative de-
PN

fense to prosecution under this subsection that the defendant re-

stricted access to material that is harmful to minors persons under 17
years of age by requiring use of a verified credit card, debit account,
adult access code, or adult personal identification number or in ac-
H

cordance with such other procedures as the Commission may pre-

scribe. (6) This subsection may not be construed to author the Com-
mission to regulate in any manner the content of information
provided on the World Wide Web. (7) For purposes of this subsec-
tion: (A) The term "material that is harmful to minors" means any
communication, picture, image, graphic image file, article, recording,
writing, or other matter of any kind that -(i) takeri as a whole and
with respect to minors, appeal to a prurient interest in nudity, sex, or
excretion; (ii) depicts, describes, or represents, in a patently offensive
way with respect to what is suitable for minors, an actual or simulated
sexual act or sexual contact, actual or simulated normal or perverted
sexual acts, or a lewd exhibition of the genitals; and (iii) lacks seri-
ous literary, artistic, political, or scientific value.
It!
325. See supra note 348 and accompanying text.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.49

 316 Baltimore Law Review [Vol. 28

the Reno Court's remarks in mind. 326 The statute in Ginsberg pro-
hibited the selling to minors under seventeen years of age material
considered obscene as to minors but not to adults. 327
In Reno, the Supreme Court found four primary differences be-
tween the CDA and the Ginsberg statute,328 all of which Senate Bill
1482 clearly addresses. 329 First, like the statute in Ginsberg,3'30 Senate
Bill 1482 does not prohibit parents from obtaining material on the
Internet for their children,331 unlike section 223(a)(2) of the CDA
which criminalized such parental activity.332 Second, the scope of
Senate Bill 1482 is clearly limited to commercial transactions333 as
was the statute upheld in Ginsberg.334 The CDA was directed at both
commercial and non-commercial activity.33S Third, the Ginsberg stat-
ute's "harmful to minors" standard included the requirement that
the material "lack serious literary, artistic, political, or scientific

LA
value," thus protecting material containing any of these serious
value elements. 336 Section (e)(7) of Senate Bill 1482 specifically
adopts this requirement of the Ginsberg statute. 337 On the other
IM
hand, the CDA did not contain a definition of "indecent" or a "so-
cial value" exception to the "patently offensive" provision. 338 Lastly,
SH
the Ginsberg statute defined minors as people under the age of sev-
enteen,339 and Senate Bill 1482 adopts the same definition of mi-
nors. 34O In contrast, the scope of the CDA included eighteen-year-
0Ids. 341
LU

Furthermore, Senate Bill 1482 provides the narrow-tailoring

that the Court has required in the past when testing the constitu-
tionality of legislation. 342 Section (e)(5) of the bill provides certain
PN

326. See supra notes 3144 and accompanying text.

327. See supra note 85 and accompanying text.
H

328. See supra notes 193-200 and accompanying text.

329. See infra notes 33041 and accompanying text.
330. See supra note 85 and accompanying text.
331. See supra note 324.
332. See supra note 5.
333. See supra note 324.
334. See supra note 85 and accompanying 'text.
335. See supra note 5.
336. See supra notes 85-87 and accompanying text.
337. See supra note 324.
338. See supra note 5.
339. See supra notes 85-87 and accompanying text.
340. See supra note 324 and accompanying text.
341. See supra note 5.
342. See supra notes 32-132 and accompanying text.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.50

 1998] Reno. v. ACLU 317

affirmative defenses 343 that the Reno Court acknowledged as both

technically and economically feasible for commercial information
providers. 344 The scope of Senate Bill 1482 is explicitly limited to
commercial activity on the World Wide Web, and therefore the af-
firmative defenses will protect those providers who follow its terms
from prosecution. 345 Senate Bill 1482 is specifically designed to meet
the parameters established by the Supreme Court in past deci-
sions346 and appears to be constitutional under the First Amend-
ment because of its adherence to the Court's commands in both
Reno and Ginsberg. This Bill eventually became part of the Child On-
line Protection Act (COPA)347 and was immediately challenged. 348

343. See supra note 324.

LA
344. See supra note 255.
345. See supra note 342.
346. See supra notes 32841 and accompanying text.
347. See 47 U.S.C. § 231 (1999). IM
348. See ACLU v. Reno, 31 F. Supp. 2d 473 (E.D. Pa. 1999); ACLU v. Reno, 1998
WL 813423 (E.D. Pa. Nov. 23, 1998). The ACLU represented individuals, enti-
SH
ties, organizations, World Wide Web site operators, and content providers that
post, read, and respond to Web sites with information on obstetrics, gynecol-
ogy, and sexual health. See Reno, 31 F. Supp. 2d at 484. The plaintiffs argued
that the statute was unconstitutional for the same reasons as CDA-a restric-
tion on speech "harmful to minors" burdens speech that is protected for
LU

adults. See id. at 478-79. Just before the COPA was about to go into effect, the
United States District Court for the Eastern District of Pennsylvania issued a
temporary restraining order. See Reno, 1998 WL 813423 at *1. The court later
granted a preliminary injunction, preventing the enforcement of the statute
PN

until a final adjudication of the merits of the plaintiffs' claims. See Reno, 31 F.
Supp. 2d at 499. The court held that the plaintiffs established "a substantial
likelihood that they will be able to show that COPA imposes a burden on free
H

speech that is protected for adults." Id. at 495. Like the Interent Indecency
Act, the district court and commentators recognized that COPA was clearly
Congress' response to the Supreme Court striking down the CDA in Reno v.
ACLU, 117 S. Ct. 2329 (1997). See, e.g., Reno, 31 F. Supp. 2d at 476-77; Pierre J.
Lorieau, Reno v. ACLU: Champion of Free Speech ur Blueprint fur Speech Regulation
on the Internetr, 7 J.L. POL'y 209, 247 (1998); Richard Raysman and Peter
Brown, Regulating Internet Content, Privacy; Taxes, N.Y.LJ. Sept. 21, 1998, at 1.
For example, the COPA explicitly defines "material that is harmful to minors,"
using some of the Supreme Court's criticisms of Reno. See 47 U.S.C. § 231 (6).
While the CDA used general terms such as "indecent" and "patently offen-
sive" to describe material harmful to minors, the COPA incorporated specific
guidelines, such as a lack of serious literary, political, or scientific value for
minors. for courts to consider. Compare 47 U.S.C. § 223(a)(I)(B) (1998)
(CDA). with 47 U.S.C. § 231(a)(1) (1999) (COPA). Furthermore. while the
CDA regulated distribution of materials to eighteen-year-olds, the COPA ap-
plies only to material distributed to individuals seventeen years old and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.51

 IN THE HIGH COURT OF KARNATAKA

Sales Tax Appeal No. 2/2004

Decided On: 31.01.2005

Diebold Systems Pvt. Ltd.

Vs.

The Commissioner of Commercial Taxes

LA
JUDGMENT

IM
H.L. Dattu, J.
SH
1. The appellant is a public limited company engaged in the manufacture and supply of
Automated Teller Machines (ATM's for short). In view of the configuration and for the purpose
for which is put to use, the appellant company is of the view that the sale of ATM's is eligible to
LU

single point levy of tax under Sec 5(3)(a) of the Karnataka Sales Tax Act, 1957 (hereinafter for
the sake of brevity referred to as 'Act, 1957'). However, in order to have the views of the
department in this regard, in particular, the Advance Ruling Authority constituted by the
PN

Commissioner of Commercial Taxes in exercise of his powers under Section 4 of the Act, the
appellant company had filed an application before the Advance Ruling Authority in Form 54 as
provided under Rule 27-E (1) of the Karnataka Sales Tax Rules, 1957 ('Rules' for short), seeking
H

clarification on the rate of tax applicable under the Act on sale of Automated Teller Machines.

2. In response to the notice of the hearing issued by the Advance Ruling Authority, Sri Mohan
Mudkavi, learned Chartered Accountant along with the Vice-President of the Company had
appeared before the Authority and represented the facts and also had produced the literature and
description of the ATM's. The basic submission that was made was, ATM is a combination of a
Computer and it runs on a processor and the purpose for which it is put to use, is to dispense with
cash and therefore, had requested the Authority to classify ATM's as goods falling under Entry
20 of Part 'C' of the Second Schedule to the Act and not Electronic goods falling under Entry 4 of
Part 'E' of Second Schedule to the Act.

3. The Advance Ruling Authority (Majority View) after referring to the dictionary meaning of
the word "Automated Teller Machines" and the product literature produced by the appellant

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.52

company, by their order No. CLR.CR. 6/2002-03 dated 1.10.2002 have clarified that ATM's can
be classified under the caption "computer terminals" and therefore, ATM's would fall under
Entry 20 (ii) (b) of Part 'C' of Second Schedule to the Act and the basic tax applicable is four
percent.

4. The Chairman of the Advance Ruling Authority has dissented from the majority view and has
opined, that the goods in question would fit into the description of electronic goods, parts and
accessories thereof and therefore, falls under Entry 4 of Part 'E' of the Second Schedule to the
KST Act and the basic rate of tax applicable is 12%.

5. The Commissioner of Commercial Taxes being of the view, that the Authority for clarification
and Advance Ruling, has erroneously classified ATM's as "computer terminals" and the basic
rate of tax is at 4%, instead of classifying the product as electronic goods falling under Entry 4 of
Part 'E' of the Second Schedule to the Act and liable to tax at 12% and thereby has caused

LA
prejudice to the interest of the revenue, had initiated suo motu revisional proceedings under
Section 22-A(1) of the Act by issuing a show cause notice dated 2.9.2003, inter alia directing the
appellant company to show cause, why the order passed by the Authority for clarification and

IM
Advance Ruling vide order No. CLR.CR. 6/2002-03 dated 1.10.2002 should not be set aside and
the 'goods' in question should not be treated as "electronic goods" falling under Entry 4 Part 'E'
SH
of Second Schedule to the Act liable to tax at 12%. After receipt of the show cause notice, the
appellant company has filed its reply dated 16.9.2003, inter alia requesting the Commissioner of
Commercial Taxes to accept the order passed by the Advance Ruling Authority dated 1.10.2002
and to drop the proposal made in show cause notice dated 2.9.2003.
LU

6. The Commissioner of Commercial Taxes, after considering the reply filed by the appellant
company, has confirmed the proposal made by him in the show cause notice dated 2.9.2003, by
PN

his order dated 29.11.2003. The findings and the conclusions reached by the Commissioner of
Commercial Taxes is as under:

"As stated by the dealer himself, ATM consists of apart from the other things, computer (i.e.,
H

mother board with processor), computer peripherals such as RAM, drives, Key board, monitor,
mouse, etc., and also software. In common parlance or popular sense, ATM is a Teller Machine
(that is, which disburses cash issues statement of account etc.,) which is automated with the aid
of computer, computer peripherals, software and other devices. Technically as contended by the
dealer it can be held to be a computer terminal. However, going by the principles of common
parlance as applicable to interpretation of entries under the KST Act, it cannot be classified as
computer terminal for the purpose of the KST Act when it is not specifically included in the
entry relating to computer terminals. The Hon'ble Supreme Court in the case of Deputy
Commissioner of Sales Taxes (Law), Board of Revenue (Taxes), Ernakulam v. GS. Pai and
Company (reported in MANU/SC/0441/1979 : 45 STC 58) has held that 'while interpreting
entries in the sales tax legislation, the words used in the entry must be construed not in any

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.53

technical sense from the scientific point of view but as understood in common parlance'. Similar
view has been taken by the Hon'ble Supreme Court and High Courts in may other cases."

7. Aggrieved by the aforesaid order passed by the Commissioner of Commercial Taxes in SMR
CR No. 04/2003-04 dated 29.11.1993, the appellant company is before this Court in this appeal
filed under Section 24(1) of the KST Act.

8. The question of law raised for our consideration and decision are as under.

"I. Whether the Commissioner of Commercial Taxes has power and authority under Section 22-
A(2) of the Act, to revise an order of the Advance Ruling Authority passed under Section 4 of
the Act?

II. Is ATM a computer and whether it would fall under Entry 20(i) of Part 'C of Second Schedule
to the Act?"

LA
9. At the time of hearing of the appeal, the learned Senior Counsel Sri K.P. Kumar, would submit
that in view of the amendment made to the provisions of Section 4 of the Act and the

IM
corresponding amendment of the Rules, he would not press for an answer on the first question of
law raised in the memorandum of appeal. In view of the submission made by the learned Senior
SH
Counsel, we need not consider and answer the first legal issue raised by the appellant company
in the appeal for our consideration and decision.

10. To answer the second question of law raised, the entries which the authorities have
LU

considered to give their ruling requires to be noticed and therefore, they are extracted:

Entry 20 of Part 'C of the Second Schedule has amended by Karnataka Act No. 3/1998, which is
given effect from 1.4.1998, is as under:
PN

"20. (i) Computer of all 1.4.98 to 31.12.99 Four percent kinds namely,- 1.1.2000 to 31.3.2001
Eight percent main frame, mini, 1.4.01 to 31.5.03 Four percent personal, micro From 1.6.2003
H

Five percent computers and the like and their parts (ii) Peripherals, that is to say.- (a) All kinds of
1.4.98 to 31.12.99 Four percent printers and 1.1.00 to 31.3.02 Eight percent their parts, 1.4.02 to
31.5.03 Four percent namely,- Dot matrix, ink jet, From 1.6.2003 Five percent laser, Line, line
matrix and the Like (b) Terminals, 1.4.98 to 31.12.99 Four percent scanners, multi 1.1.00 to
31.3.02 Eight parent media kits, 1.4.02 to 31.5.03 Four percent plotters, modem From 1.6.2003
Five percent and their parts (iii) Computer 1.4.98 to 31.12.99 Fourpercent consumables 1.1.00 to
31 3.02 Eightpercent namely.- 1.4.02 to 31.5.03 Four percent stationery, floppy From 1.6.2003
Five percent disks, CD ROMs, DAT tapes, Printer ribbons, printer Cartridges and cartridge
Tapes. (iv) Computer 1.4.99 to 31.12.99 Four percent Cleaning Kit 1.100 to 31.3.02 Eight
percent 1.4.02 to 31.5.03 Four percent From 1.6.2003 Five percent (v) Computer 1.4.01 to
31.5.03 Four percent Software From 1.6.2003 Five percent

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.54

11. Entry 4 of Part 'E' of the Second Schedule to the Act as amended by Karnataka Act 5/1996
with effect from 1.4.1996 reads as under:

"Entry 4: Electronic Goods and parts and accessories thereof other than those falling under any
other entry of this Schedule.

(The basic rate of lax for the relevant assessment year was 32 percent)."

12. The primary question that requires to be considered and decided in this appeal is the rate of
tax applicable on the sale of 'Automated Teller Machines under KST Act, 1957? Alternatively,
whether the revising authority was justified in clarifying that ATM's would fall under Entry 4 of
Part 'E' of Second Schedule to the Act and the basic rate of tax on the sale of ATM's is at 12%?

13. ATM's are not included under Entry 20 Part 'C of the Second Schedule to the Act. However,
the appellant company is of the view that ATM is a combination of a computer and it runs on a

LA
processor and therefore, the 'goods' in question would fall under Entry 20(i) of Part 'C' of the
Second Schedule to the Act, and not under Entry of Part 'E' of Second Schedule to the Act.

IM
14. In order to resolve the controversy between the parties to the lis, we need to know what is
ATM and how it works?
SH
ATM is the acronym for Automated Teller Machine. This Machine has a data terminal with two
input and four output devices. The ATM connects to and communicates with a host processor
that is analogous to an Internet Service provider. Then as a way of supporting the Machine to the
LU

host processor, dial up or leased lines are used. With the dial up, the Machine would dial into the
host processor, using a standard telephone line and modem. With the leased line, the Machine is
connected through the host processor through what is called a four-wire, point to point, dedicated
PN

telephone line. The ATM does not have many parts, There is a card reader, which is what
captures a person's account information that is stored on the magnetic strip located on the back of
the ATM/debit card. This information is actually used by the host processor in routing the
H

transaction to the appropriate bank. Then in has a 'Key pad', which is used by the cardholder to
tell the machine what type of transaction is needed. It has an 'electric eye' that is used for cash
dispensing mechanism. In addition to the eye, the ATM has a 'sensor' that is capable of
evaluating the thickness of each of the bills being dispensed.

15. The world's first ATM was installed in Enfield Town in the London Borough Enfield,
London, on June 27, 1967 by Barclay's Bank. This instance of the invention is credited to John
Shephered-Birron, although George Simjian registered patents in New York, JSA, in the 1930's
and Don Wetzel and two other Engineers from Ducted registered a patent on June 4, 1973.

16. ATM's are found at banks, grocery stores, shopping racks, convenience stores and some
times on the side of the road. They are used by the bank's customers to make cash withdrawal
and check their account balances at any time without the need of human teller. Many ATM's also

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.55

allow people to deposit cash or cheques, transfer money between their bank or even buy postage
stamps. ATM's are known by a wide variety of names. Some of which are more common in
certain countries than others. Examples include Automated Teller Machine, Automated Banking
Machine, Bank Box, Cash Box, Cash Dispenser, Cash Point, Hole in the Wall, Mac Machine
Mini Bank, MAC Machine, Robotic Teller, Tele Banco, Ugly Teller, etc.

17. The book on Computers, concepts and applications for users by Robert C. Nikenson has
explained the configuration and its uses in the day-to-day affairs by banks, stores etc. According
to the learned Author, an ATM is not a computer by itself. It is connected to a computer that
performs the tasks requested by the person using the ATM. The computer is connected
electronically to many ATM's that may be located some distance from the computer.

18. In so far as its use is concerned, the learned Author says that when you use an ATM, you are
using a computer. When you insert your card and press keys on the ATM, you are entering input

LA
into the computer. The computer process the input to perform the banking transactions you
requested and you receive output in the form for a paper summary and cash. The computer is a
multiple user computer, because different people use it through many ATM's at one time. When

IM
you use an ATM, you are using the computer to keep with your personal banking needs.

19. In modern ATM's customer's authenticate themselves by using a plastic card with a magnetic
SH
stripe, which encodes the customer's account number, and by entering a numeric pass-code
called a PIN (Personal Identification Number) number, which in some cases, may be changed
using a machine. Most ATM's are connected to authorisation of a transaction by the card user or
LU

authorising Institution via communications network.

20. Now we need to notice what is a "computer terminal", since the majority view of the
Advance Ruling Authority is that ATM is a "computer terminal" and therefore, it would fall
PN

under Entry 20 (ii)(b) of Part 'C' of the Second Schedule to the Act.

21. In Columbia Encyclopedia, Sixth Edition, computer terminals are described as under:
H

A device that enables a computer to receive or deliver data. Computer terminals vary greatly
depending on the format of the data they handle. For example, a simply early terminal comprises
a typewriter keyboard for input and a typewriter-printing element for alpha-numeric output. A
more recent variation includes the key board for input and a television screen to display the
output. The screen can be Cathode-ray tube or a gas plasma panel, the later involving an Ionized
Gas (sandwiched between glass layers) that glows to form dots which inturn, connect to form
lines. Such displays can present a variety of output, ranging from simple alpha numeric to
complex graphic images used as design tools by Architects and Engineers. Portable terminals
frequently use liquid crystal displays because of their low power requirements. The terminals of
pen-based computers use a stylus to input hand writing on the screen. Touch sensitive terminals
accept input made by touching a pressure-sensitive panel in front of a menu displayed on the
screen. Other familiar types of terminals include store checkout systems that deliver detailed

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.56

printed receipts and use later scanners to read the bar codes on packages and automatic teller
machines in banks.

22. Having noticed what is ATM and its use, and computer terminals, we intend to refer to the
observations made by the Apex Court and the manner in which Schedule to the entries under the
Statute requires to be interpreted in fiscal laws, since the revising authority has held while
accepting that the ATM'S are technically can be held to be a 'computer terminal', however, by
common parlance, it cannot be classified as computer terminal for the purpose of the Act. The
Supreme Court in the case of TATA CONSULTANCY SERVICES v. STATE OF ANDHRA
PRADESH AIR 2004 SCW 6583, has observed.

"61. We, in the case, are not concerned with the technical meaning of computer and computer
programme as in a fiscal statute plain meaning rule is applied. (See Partington v. Attorney-
General, (1869) LR 4 HL 100,p. 122)

LA
62. In interpreting an expression used in a legal sense, the Courts are required to ascertain the
precise connotation, which it possesses in law.

IM
63. It is furthermore trite that a Court should not be overzealous in searching ambiguities or
obsequies in words, which are plain. (See Inland Revenue Commissioner v. Rossminster Ltd.
SH
(1980) 1 All ER 80, p.90)

64. It is now well settled that when an expression is capable of more than one meaning, the Court
would attempt to resolve that ambiguity in a manner consistent with the purpose of the
LU

provisions and with regard to the consequences of the alternative constructions. [See Clark &
Tokeley Ltd. (t/a Spellbrook) v. Oakes [1998(4) All ER 353].
PN

65. In Inland Revenue Commissioner v. Trustees of Sir John Aird's Settlement [1984] Ch 382, it
is stated:

"......... Two methods of statutory interpretation have at times been adopted by the Court, One,
H

sometimes called literalist, is to make a meticulous examination of the precise words used. The
other sometimes called purposive, is to consider the object of the relevant provision in the light
of the other provisions of the Act- the general intendment of the provisions. They are not
mutually exclusive and both have their part to play even in the interpretation of a taxing statute."

23. The learned Senior Counsel Sri K.P. Kumar appearing for the appellant company, relying on
the definition of computers' that finds a place in, would firstly contend that ATM's are nothing
but computers and therefore, fits into the description of "computers of all kinds" that finds a
place under Entry 20 (i) of Part 'C' of Second Schedule to the Act. The learned Senior Counsel
did take all the pains to explain the configuration of ATM, and how it works, by referring to the
dictionary meaning of the word "computers" and further, to explain the meaning of the words
'namely', 'and the like' and 'their parts', the learned Senior Counsel relies on the observations

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.57

made by the Supreme Court in the case of INDIAN ALUMINIUM COMPANY LIMITED v.
ASSISTANT COMMISSIONER OF COMMERCIAL TAXES (APPEALS) AND ANR. [2001]
121 STC 510.

24. Nextly, the learned Senior Counsel would contend that the revisional authority can invoke his
powers of revisions, only, if the order passed by his subordinate authority is not only erroneous
but also prejudicial to the interest of the revenue and if two views are possible, the
Commissioner in exercise of his supervisory jurisdiction normally should not interfere with the
order passed by his subordinate authorities. In aid of his submissions, the learned Senior Counsel
relies on the observations made by Gujarat High Court in the case of COMMISSIONER OF
INCOME TAX v. ARVIND JEWELLERS MANU/GJ/0318/2002 : [2003]259ITR502(Guj) and
the observations made by the Punjab & Haryana High Court in the case of COMMISSIONER
OF INCOME TAX v. MAX INDIA LTD., MANU/PH/0155/2004.

LA
25. Sri Anand, learned Govt. Advocate would contend that ATM's are electronic goods, may be
operated with the assistance of computer technology in the common parlance theory, they cannot
be construed as computers or their terminals. The learned Govt. Advocate has produced before

IM
us voluminous literature on computers, only to demonstrate that ATM's by no stretch of
imagination could be construed either as computers or as a computer terminals and the Advance
SH
Ruling Authority was not justified in answering the clarification sought for by the appellant, that,
ATM's are "computer terminals" and they can be fit into one of the sub-entries under Entry 20
Part 'C' of Second Schedule to the Act. In his view, the revisional authority was justified in
concluding that ATM's are electronic goods.
LU

26. Now the question that would arise for consideration and decision in this appeal is, is an ATM
is a "computer" as contended by learned Senior Counsel or a "computer terminal" as classified
PN

by the Advance Ruling Authority (Majority view) in its order dated 1.10.2002? or is it
"electronic goods" are classified by the Commissioner of Commercial Taxes in his order dated
29.11.2003, while revising the order passed by the Advance Ruling Authority?
H

27. The information Technology Act, 2000, is an Act to provide legal recognition for
transactions carried out by means of electronic data interchange and other means of electronic
communication, commonly referred to as "electronic commerce", which involve the use of
alternatives to paper-based methods of communication and storage of information to facilitate
electronic filing of documents with the Government Agencies, etc.

In the dictionary clause of the Act, the meaning of the word "computer" is defined to mean any
electronic, magnetic, optical or other high speed data processing device or system which
performs logical, arithmetic and memory functions by manipulations of electronic, magnetic or
optical impulses and includes all input, output, processing, storage, computer software, or
communication facilities which are connected or related to the computer in a computer system or
computer network. The "computer network" means the interconnection of one or more

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.58

computers through the use of satellite, microwave, terrestrial line, or other communication media
and terminals or a complex consisting of two or more interconnected computers whether or not
the interconnection is continuously maintained.

28. The purpose and object of Information Technology Act, is to recognise the transactions
carried out by means of electronic data interchange and other means of electronic
communication. To suit the purpose and object of the Act, the Parliament has defined the
expression "computer" by giving a very wide meaning, but at the same time, by using the
expression "means" immediately after the words "computers", the Legislature intends to make it
clear that the definition is exhaustive and no other meaning can be assigned to the expression
than what is included in the definition.

29. The Schedule to an Act is very much part of fiscal enactment. It is enacted by the hand of the
Legislature. The Schedule in an Act sets down things and objects and contains their names and

LA
descriptions. The expressions in the Schedule have no evocative function. They can neither
enlarge nor cut down the meanings or articles or things specifically named in the list. Therefore,
the enlarged definition of "computers" in the Information Technology Act cannot be made use of

IM
interpreting an Entry under fiscal legislation.

30. Entry 20 of Part 'C' of the Second Schedule to the Act firstly speaks of computers of all kinds
SH
namely, main frame, mini personal, micro computers, and the like and their parts. The question
of law raised by the appellant before us is whether ATM is a computer and as such squarely falls
under Entry 20 (i) Part 'C' of the Second Schedule to the Act, though the Advance Ruling
LU

Authority on the request made by the appellant for clarification has opined, that ATM's are
"terminals" and would fall under Entry 20 (ii) (b) of Part 'C' of the Second Schedule to the Act,
Sri K.P. Kumar, learned Senior Counsel would submit that ATM's are "computers" in view of
PN

the words like "namely" and "and the like" in the Entry immediately after naming the commodity
i.e. computer of all kinds. In aid of his submission, the learned Senior Counsel has relied on the
observations made by the Supreme Court in the case of INDIA ALUMINIUM COMPANY
H

LTD. v. ASSISTANT COMMISSIONER OF COMMERCIAL TAXES (APPEALS) AND

ANR. [2001] 121 STC 510. The case was under the provisions of Entry Tax Act. The question
before the Court was whether furnace oil is not liable to tax under Entry 11 of the First Schedule
to the Karnataka Tax on Entry of Goods Act, 1979. The Entry which came up for consideration
was "all petroleum products that is to say petrol, diesel, crude oil, lubricating oil, transformer oil,
brake or clutch fluid, bitumen (asphalt) tar and others but excluding LPG, Kerosene and Naphtha
for use in the manufacture of fertilizers". The Apex Court while interpreting the use of the words
"and others" in the Entry has observed that the use of the words "and others" in the Entry refers
to petroleum products other than those which are specifically mentioned therein. To arrive at this
conclusion, the Court has noticed that the Legislature has specifically excluded from the Entry
aviation fuel, liquid petroleum gas, kerosene and naphtha for use in the manufacture of fertilizers
and if not for his exclusion, even those products could have been included in the expression
"petroleum products" in view of the language employed in Entry 11 of the Act.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.59

31. The observation made by the Apex Court in the aforesaid decision would not come to the
assistance of the learned Senior Counsel for the appellant company in view of the language
employed in Entry 20 (i) of Part 'C' of the Second Schedule to the Act. The first limb of the Entry
speaks of all kinds of computers and immediately thereafter, the word 'namely' is used. It only
indicates what is included in the previous term or alternatively, it can be said the word "namely"
imports enumeration of what is comprised in the preceding clause. (See. STATE OF BOMBAY
v. BOMBAY EDUCATION SOCIETY MANU/SC/0029/1954 : [1955]1SCR568 . Then there is
enumeration of the goods such as 'main frame, mini, personal, microcomputers and the like'. The
use of the word "and the like" is only to include computers, which are akin to, main frame, mini
personal, microcomputers. To consider whether an item falls within the meaning of an Entry of a
Schedule to an Act, it has to be seen whether its qualities would fall in any one of the entries or
in any one of the items included under that Entry. In the present case, since ATM is not a
computer by itself, it would not fall under Entry 20 (i) of Part 'C' of Second Schedule to the Act.

LA
32. The Advance Ruling Authority (Majority View) has classified ATM's as 'terminals' falling
under Entry 20 (ii) (b) of Part 'C' of the Second Schedule to the Act, since ATM machine is also

IM
understood as computer terminal in the commercial world. This view of the Advance Ruling
Authority was not strongly supported by learned Senior Counsel, and a passing remark was
made, that if it does not fall under Entry 20 (i) of Part 'C' of the Second Schedule to the Act, it
SH
can be brought under "terminal" as envisaged under Entry 20 (ii) (b) of Part 'C' of the Second
Schedule to the Act.

33. Entry 20 (ii) of Part 'C' of Second Schedule to the Act speaks of "peripherals". The Entry is
LU

as under:

(ii) Peripherals that is to say,-

PN

(a) All kinds of printers and their parts namely, dot matrix, ink jet, laser, line matrix and the like

(b) Terminals, scanners, multimedia kits, plotters, modem and their parts.
H

Immediately after the expression "peripherals", the Legislature has used the expression "that is to
say, all kinds of printers and their parts and terminals, scanners, multi-media kits, plotters,
modem and their parts".

The expression "that is to say" is the commencement of ancillary clause, which explains the
meaning of the principal clause. This expression is explained by the Apex Court in the case of
STATE OF TAMILNADU v. PYARELAL MALHOTRA MANU/SC/0419/1976 :
1983(13)ELT1582(SC) and in that, the Court has observed that the expression "that is to say" is
employed to make clear and fix the meaning of what is to be explained or defined. Such words
are not used as a rule, to amplify the meaning while removing a possible doubt for which
purpose the word 'includes' is generally employed. In unusual cases, depending upon the context
of the words "that is to say", this expression may be followed by illustrative instances. The

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.60

Supreme Court in the case of SAIT RIKHAJI FURTARNAL v. STATE OF A.P. 1991 Suppl. (I)
SCC 2002 has observed that the expression "that is to say" is exhaustive and not illustrative. The
meaning of the expression "peripheral equipment" is defined in the Illustrated Computer
Dictionary (Donald D. Spencer - Third Edition) to mean input/output units and auxiliary storage
units of a computer system, attached by cables to the Central Processing Unit used to get data in
the date out, and to act as a reservoir for large amounts of data that cannot be held in the Central
Processing Unit at one time. The word "terminal" means key board/display or key board/printer
device used to input programs and data to the computer and to receive the output from the
computer.

The Legislature having introduced the phrase "peripherals" under sub-entry (ii) of Part 'C' of the
Second Schedule to the Act, has defined the term by using the expression "that is to say". The
definition must determine the application of the phrase. In our view, the context in which the
expression "that is to say" is used in exhaustive and not illustrative. Therefore, since ATM's are

LA
not included under sub-entry 20 (ii) (b) of the Part 'C' of Second Schedule to the Act, by
construction, it cannot be brought under that Entry.

IM
34. Entry 4 of Part 'E' of the Second Schedule to the Act speaks of electronic goods, and its parts
and accessories thereof other than those falling under any other Entry of the Second Schedule to
SH
the Act.

35. The word "Electronic" has been defined by Megraw-Hill in Dictionary of Scientific and
Technical Terms (Second Edition), as pertaining to electron devices or to circuits or systems
LU

utilising electron devices, including electron lubes, magnetic amplifiers, transistors and other
devices that do the work of electron tubes. The word 'electron' has been defined as a stable
elementary particle with an indivisible charge of negative electricity, found in all atoms and
PN

acting as a carrier of electricity in solids.

36. With this back ground, let us come back to the findings and the conclusions reached by the
regional authority to hold that ATM's cannot be considered as 'computer terminals' but can be
H

considered only as 'electronic goods'. The regional authority had issued a notice dated 2.9.2003
under Section 22-A of the Act, proposing to revise the order passed by the Advance Ruling
Authority and further proposing to classify ATM's as electronic goods, and liable to tax at a
higher rate, on the ground that the Advance Ruling Authority has erroneously, classified ATM as
computer and the same has caused prejudice to the interest of the revenue. A detailed reply had
been filed by the appellant company, after receipt of the show cause notice, justifying the
findings and the conclusion reached by the Authority for clarifications and Advance Rulings, and
nowhere in the reply the appellant company had conceded that ATM works on the principles of
electronics and is commonly understood to be electronic goods. Why we have noticed the
aforesaid statement is only because, the revisional authority while concluding and confirming the
proposal made by him in the show cause notice, specifically observes this aspect of the matter to
conclude his findings, apart from other reasons, that the ATM's are electronic goods. These

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.61

passing observations made by the regional authority cannot be said that there is total non-
application of mind by the authority, while holding that ATM's are electronic goods. Apart from
noticing the so called concession made by the appellant/assessee, the revisional authority has
assigned other reasons to support his conclusion and therefore, the stray observation made by the
revisional authority can be just ignored, while considering the other findings and conclusions
reached by the revisional authority.

37. In so far the order passed pursuant to his show cause notice, the regional authority firstly,
observes that ATM's are not computers of all kinds, for the reason, that ATM's are not mentioned
in any of the sub-entries of Entry 20 of Part 'C' of Second Schedule to the Act. Secondly, the
entries in a Taxing Statutes requires to be construed not in their scientific or technical sense,-but
as understood in common parlance or popular sense, Then the revisional authority goes on to
observe that ATM consists of apart from other things, computer (i.e. Mother Board with the
processor), computer peripherals, such as RAM, Drives, Key Board, Monitor, Mouse etc., and

LA
also software. In common parlance or popular sense, ATM is a Teller Machine (that is which
disburses cash, issues statement of account, etc.) which is automated with the aid of computer,

IM
computer peripherals, software and other devices, and therefore, technically, as contended by the
dealer, it can be held to be computer terminal. However, going by principles as applicable to be
interpretation of entries under the KST Act, it cannot be classified as computer terminal for the
SH
purpose of the Act, when it is not specifically included in the entry relating to computer
terminals.

38. The Supreme Court in several of its judgment has laid down the rule of interpretation for
LU

articles of daily use and commonly traded items, which are mentioned in the Taxing Statutes.
The Rule is that if there is no definition in the Statute, we should follow for tax purposes the
definition not of the dictionaries or of technical books but of commercial parlance i.e. the
PN

popular meaning. The intention of Legislature is, that in Taxing Statutes, when terms are used of
common usage, it is the common man's understanding of the articles which prevails over the
technical man's concept. The place of scientific definition based on technical books, technical
H

literature, dictionaries, etc., is relevant. When the goods are technical, there is no market and so,
no market parlance. At the same time, if the goods are not technical, the definition in the market
parlance would apply. It only means, that if the goods are technical, common parlance or
commercial parlance would not apply. Therefore, in our opinion, the revisional authority is
firstly justified in observing that though technically goods in question may fall within the
meaning of the expression "computer terminals", but in common parlance theory, they are not
understood so.

39. An Automatic Teller Machine, in our view, is an electronic device, which allows a bank's
customer to make cash withdrawals, and check their account balances at any time without the
need of human teller, probably that most widely used means of "electronic funds transfer". From
the literature and the books on computers produced before us, we are of the view, that ATM is
not a computer by itself and it is connected to a computer that performs the tasks requested by

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.62

the person using ATM's. The computer is connected electronically to many ATM's that may be
located from some distance from the computer. In common parlance, it is understood as
electronic device and therefore, the regional authority is justified in holding that ATM's are
electronic goods and the levy of tax and the sale of ATM's requires to be made under Entity 4 of
Part 'E' of Second Schedule to the Act.

40. The learned Senior Counsel, lastly contended that if two views are possible in understanding
the nature of the commodity and the rate of tax applicable on the sale of such commodity, the
revisional authority should not exercise his supervisory jurisdiction under Section 22-A of the
Act. This is a well settled legal principle and there cannot be any dispute on this proposition of
law. But at the same time, it requires to be kept in view that the revising authority is authorised
under the Act to revise an order, which is erroneous and prejudicial to the interest of the revenue.
What is erroneous and prejudicial to the interest of the revenue is explained by the Apex Court
and this Court is several of its decisions. The repetition of this settled principle need not be made

LA
for the purpose of deciding this legal issue canvassed by learned Senior Counsel for the appellant
company.

IM
41. Section 22-A(2) of the Karnataka Sales Tax Act is amended with effect from 1.4.2002 and
the amended provision authorises the Commissioner to invoke his suo motu revisional powers,
SH
when there is divergent opinion among the members of the Advance Ruling Authority, and if the
majority opinion is erroneous and prejudicial to the interest of the revenue. That is what that has
been done by the Commissioner in the present case. Therefore, in our opinion, there is no
jurisdictional error committed by the Commissioner of Commercial Taxes invoking his powers
LU

under Section 22-A of the Act.

42. In the result, appeal fails and accordingly, it is rejected. In the facts and circumstances of the
PN

case, parties are directed to bear their own costs. Ordered accordingly.
H

******************************************************************************

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.63

 NLSIU Bangalore - Indian Journal of Law and Technology

2010

Article

JURISDICTIONAL ISSUES IN CYBERSPACE

Justice S. Muralidhar

I INTRODUCTION
With the advent of the internet and the transmission of information and transacting of business
across borders, a host of issues have cropped up on the legal front. This article proposes to deal

LA
with only one such major issue - that of jurisdiction of the courts to deal with intellectual
property rights (IPR) disputes arising out of commercial transactions on the internet.
Within the fairly broad field of IPR, the focus will be on trademark disputes, as that is one

IM
area where the major developments have taken place.
SH
The traditional approach to jurisdiction invites a court to ask whether it has the
territorial, pecuniary, or subject matter jurisdiction to entertain the case brought before
it. With the internet, the question of 'territorial' jurisdiction gets complicated largely on
account of the fact that the internet is borderless. Therefore, while there are no borders
LU

between one region and the other within a country there are no borders even between
countries. The computer as a physical object within which information is stored has given
way to 'cyberspace' where information is held and transmitted to and from the 'web.' So where
PN

is this 'place' where the information is 'held'?

There is a clear geographical limitation to IP rights. Where registration is granted, say, of
a trademark or a patent or copyright, it operates to prevent others from infringing those
H

rights within the territory of the state where the registration is granted. It prevents even
those outside the territory of the state from infringing those rights within the territory. The
statutory law, as enforced by courts of the territory, accords due recognition to this system.
Outside of infringement actions, courts have in passing off actions sought to protect trademarks
and trade names of users within the territory to the exclusion of those seeking to pass off their
goods as that of the holder of the right. Where the goods are tangible and bought and sold
within the territory, enforcement of such law is not a problematic issue. However, a holder of
IP rights accorded protection in a state cannot enforce those rights in a foreign state within
whose territory the infringer is located and the laws of which do not acknowledge the
activity to be an infringement. Further, all of the above assumptions change in the context of
transactions over the internet and even more so when the products or services themselves are not
in physical form but in a virtual world. Also, in a borderless cyber world, the products and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.64

services can be transmitted easily across countries in a flash. It then compounds the problem
as the following example shows.

The product is a copyrighted song in the MP3 digital format. The transaction can begin
with the 'uploading' of the product in one territory, being held on a server in another, being
advertised for sale on the website of a service provider in a third country, being 'bought'
by a click and pay service hosted in yet another territory, and finally 'downloaded' in another
territory. The complete transaction turns out to be a sale of a pirated product which per se is an
infringement of the copyright in the son
in question. Ds the court in each of these territories have jurisdiction to entertain the dispute?

The notion of jurisdiction is rooted in territoriality from the point of view of both the court
which can properly assert jurisdiction and from the point of view of the law that should be

LA
applied while deciding the dispute.

A caveat at this stage would be in order. What is applicable to international transactions

IM
involving the internet, could well apply to 'domestic' transactions as well. The law as
developed in the USA has had to reckon with both situations, i.e., internet transactions
SH
across countries and those across states. The enforcement issues would of course be more
complex when it comes to international transactions. However, the principles applied by
courts to assert or negate jurisdiction in either instance have remained more or less similar.
The Yahoo! case2 is one instance of this and will be discussed elaborately later as it throws up
LU

several dimensions. In the Banyan Tree Holding case,3 the Delhi High Court was
dealing with an interstate issue of jurisdiction and not an international dispute. Interestingly,
the plaintiff was a foreign company which had invoked the jurisdiction of an Indian court
PN

to seek an injunction against the alleged violator of its trademark. The court by and *3
large followed the development of common law in the USA, the UK and some other
Commonwealth countries. An indigenous law is yet to be developed for India.
H

The inability of countries to effectively regulate the transactions on the internet

originating or ending within their territories stems from the nature of the technology itself.
While countries can seek to enforce their respective laws within their physical, geographical
and political spaces delineated on an atlas, a borderless cyberworld, controlled by technology
that is constantly changing, throws up several challenges. Even while it was thought that
one could fix the physical location of the computer from where the transaction
originates and the one where it ends, that too can be bypassed or 'masked' by
technology. Legal scholar Wendy Adams sums up the problem as thus:

Internet, as a communications system, has been designed to be largely indifferent to the

physical location of its component parts. The closest equivalent to a physical location in

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.65

Internet communications (as opposed to the physical infrastructure, which is readily
identifiable as existing in a given geographical location) is an Internet Protocol (IP)
address, a 32bit number providing the necessary information for routing communications
between computers attached to the network. The sending computer needs to know the
32bit address of the receiving computer in order for communication to take place; it ds
not need to know the street address, city or country of the building in which the
receiving computer is physically located. This fundamental incompatibility between legal
governance as a function of geopolitical territory, and network governance as a function of IP
addressing, makes it difficult (although not impossible) to impose local limitations on the
global dissemination of information.

On the second question of the applicable law, the principle invoked is of 'sovereign equality
within international law.' In the more traditional mode of dispute resolution involving two

LA
countries, resort is had to public international law. Where the dispute is between entities and
persons in different countries, the sphere of private international law is meant to find
a solution. In the area of IPR violations and infringement across borders, there is yet to

IM
develop a universal law. The TRIPS
Agreement is not the 'uniform' law in the area. Resort is still to be had to private
SH
international law. Wendy Adams explains:

In circumstances of regulatory diversity involving geographically complex facts, domestic

courts must apply the law of one state to the exclusion of all others, notwithstanding that each
LU

state can rightfully claim that some portion of the impugned activity has taken place
within its territorial borders. In choosing the law of a single State to govern the transaction or
dispute, domestic courts are effectively deeming the activity to have occurred within that state.
PN

The foundational principle of sovereign equality within international law requires this legal
fiction, as a State's authority to prescribe or enforce its laws does not extend beyond its
territorial jurisdiction. Such questions of jurisdiction are inevitable in disputes involving online
H

activity, as the lack of territorial precision in an online environment necessarily leads to

geographically complex facts. Accordingly, domestic courts addressing these
disputes will first have to localise the transaction prior to assuming jurisdiction. At issue
is whether domestic courts will develop localisation processes which have unanticipated
spillover effects in the international trade regime in relation to the benefits and burdens
allocated under the TRIPS Agreement. (Emphasis Supplied)

The need for local courts to 'localise' the transaction has posed a challenge that has generated a
variety of responses which are analysed in the following section.

II

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.66

 This part examines the efforts made by courts in different countries to 'localise'
transactions in IPR disputes in the process of exercising personal jurisdiction over defendants
located outside their territories. It traces the development of the law first in the USA, through
the 'minimum contacts' test, the 'purposeful availment' test, the Zippo 'sliding scale' test and the
'effects' tests. It discusses the difficulties with each of these tests in their application to cases.
Thereafter the development of the law in the UK, Canada, Australia and India is discussed.

THE USA

Minimum Contacts Test

In International Sh Co. v. Washington, a twopart test for determining jurisdiction of the forum
court over a defendant not residing or carrying on business within its jurisdiction was

LA
evolved. It was held that in such instance the plaintiff had to show that the defendant has
sufficient 'minimum contacts' in the forum state. In other words, the defendant must have
purposefully directed its activities towards the forum state or otherwise 'purposefully availed'

IM
of the privilege of conducting activities in the forum state. Further, the forum court had to be
satisfied that exercising jurisdiction would comport with the traditional notions of fair play and
SH
substantial justice. The minimum contacts test in International Sh has been
understood as to have performed "two related, but distinguishable, functions." The first
was to protect the defendant from the burden of litigating in a distant or inconvenient
forum.The second was to ensure that the states do not "reach out beyond the limits imposed on
LU

them by their status as cqual sovereigns in a federal system.

Michael Geist points out that:
In many jurisdictions, the litmus test for determining whether assertion of jurisdiction is
PN

appropriate involves analyzing whether jurisdiction is reasonable under the circumstances,

with courts in the United States and Canada regularly relying on a reasonableness standard as
their guide. In the United States, the reasonableness standard is couched in terms of
H

'minimum contacts,' while in Canada the language of choice is 'real and substantial
connection.' Although these terms necessitate somewhat different analyses, the
core principle remains the same the appropriateness of asserting jurisdiction
depends upon whether the parties themselves would think it reasonable to do so.

He explains that: "...a foreseeability metric lies at the heart of the reasonableness
standard. This metric dictates that a party should only be hauled into a foreign court where it
was foreseeable that such an eventuality might occur."This test, as will be seen later, appears
to have greater practical relevance in deciding jurisdictional issues than other tests that have
been subsequently evolved.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.67

Recently, the Court of Appeals for the Ninth Circuit in Boschetto v. Hansing, while rejecting
the 'sliding scale' test (laid down in the Zippo case which is discussed later) has
followed the minimum contacts test. However, the traditional minimum contacts approach
is limited to the category of cases to which International Sh most directly applied, i.e.,
longrange commercial transactions. It would not be applicable to cases involving remote torts
or goods that were moved after purchase and cases dealing with internet defamation and other
noncommercial transaction cases.

Purposeful Availment Test

The USASupreme Court's focus on purposeful conduct of the defendant emerged in Hanson v.
Denckla. The facts here were that a Florida court asserted jurisdiction over a Delaware trust
company, in an action challenging a Florida resident's appointment of property of which

LA
the Delaware company was trustee. The settlor had after the creation of the trust moved
from Pennsylvania to Florida. However, the trust company had not solicited or conducted
business in Florida other than routine correspondence with the settlor. Holding that the

IM
Florida court did not have jurisdiction, the USA Supreme Court held that the trust company
had not purposefully undertaken to conduct business in Florida. It was connected with
SH
the state only because the settlor unilaterally moved to Florida subsequent to the
contractual relationship being established.

In WorldWide Volkswagen Corp. v. Woodson, an automobile was involved in an accident

LU

while it was being driven by the purchasers through Oklahoma. The question was
whether the wholesaler and retailer, both located in New York, could be made amenable to the
jurisdiction of the Oklahoma court where a product liability claim was filed. In holding that
PN

the wholesaler and retailer were not subject to personal jurisdiction there, the US Supreme
Court pointed out that the defendants had not undertaken to conduct any business in
Oklahoma. Their only connection with that state arose as a result of the 'unilateral activity' of
H

the purchasers driving the car there. The Court explained that the foreseeability that an
automobile might be taken to Oklahoma was not relevant. According to it what was relevant
was the foreseeability "that the defendant's conduct and connection with the forum state are
such that he should reasonably anticipate being hauled into court there."
In Burger King Corp v. Rudzewicz, the Supreme Court held that the defendant did
not have to be physically present within the jurisdiction of the forum court and that the forum
court may exercise jurisdiction over a nonresident where an alleged injury arises out of or
relates to actions by the defendant himself that are 'purposefully directed' towards residents
of the forum state. It was held that 'purposeful availment' would not result from
'random' or 'fortuitous' contacts by the defendant in the forum state. It requires the plaintiff to
show that such contracts resulted from the "actions by the defendant himself that created a
substantial connection with the forum state." He must have engaged in 'significant activities'

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.68

within the forum state or created 'continuing obligations' between himself and the
residents of the forum state. It was held on facts that the twenty year relationship that the
defendant had with the plaintiff "reinforced his deliberate affiliation with the forum state
and the reasonable foreseeability of litigation there."

In Asahi Metal Industry v. Superior Court, the US Supreme Court reversed the decision
of the State Supreme Court and held that exercise of personal jurisdiction over the Japanese
company would be unreasonable and unfair, and so constitute a violation of the Due Process
Clause. Furthermore, it was held that 'the mere placement of a product into the stream of
commerce' was not an act 'purposefully directed towards the forum state' and so it would
not result in a 'substantial connection' between the defendant and the forum state as
required to support a finding of minimum contacts.

LA
The US Supreme Court remained divided (4:4:1) on whether the Japanese supplier of valve
assemblies, which were incorporated into tyre tubes by a Taiwanese company and
subsequently distributed by that company in California, had purposefully availed

IM
itself of the benefits of doing business in California. Justice O'Connor, joined by three
other judges, held that something more than the defendant's awareness that its valve
SH
assembly might be swept into the state in the
'stream of commerce' and cause an injury there must have been shown. It was held that Asahi
should be shown to have engaged in some act 'purposefully directed toward the forum
state,' such as designing the product for the forum state, advertising or providing
LU

customer service there, or enlisting a distributor to serve the state. Justice Stevens concurred
but for separate reasons. Justice Brennan dissented along with three judges on the other
hand. The dissenting judges found that Asahi had made 'regular and extensive' sales of
PN

component parts to a manufacturer which in turn was selling the manufactured product
in California. According to the dissenting judges, the fact that Asahi knew this was
sufficient to make it amenable to the Californian court's jurisdiction. It observed:
H

The stream of commerce refers not to unpredictable currents or eddies, but to the regular and
anticipated flow of products from manufacture to distribution to retail sale. As long as a
participant in this process is aware that the final product is being marketed in the forum state,
the possibility of a lawsuit there cannot come as a surprise. The difference in the
respective approaches was precisely this. The majority opinion rendered by Justice O'Connor
required Asahi to have engaged in conduct indicating 'intent or purpose to serve the market'
whereas for the dissenting judges it was sufficient that the defendant had placed its product
in the 'stream of commerce.' The dissenting judges also emphasised on the presumed
awareness of Asahi that the product would be 'swept into the state of California' and so in
such circumstances

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.69

'the possibility of a lawsuit there could not come as a surprise' to the defendant. In Inset
Systems Inc. v. Instruction Set Inc. the defendant had displayed on its website used for
advertising its goods and services, a toll free telephone number'1-800-US-INSET.' The
plaintiff, a company in Connecticut brought an infringement action against the defendant in a
court in Connecticut, which in any event had a long arm statute. The District court held that the
defendant had:

purposefully availed itself of doing business in Connecticut because it directed its

advertising activities via the Internet sites and tollfree number toward the State of
Connecticut (and all states); Internet sites and tollfree numbers are designed to
communicate with people and their businesses in every state; an Internet
advertisement could reach as many as 10,000 Internet users within Connecticut alone;
and once posted on the Internet, an advertisement is continuously available to any Internet user.

LA
However, the approach in Bensusan Restaurant Corp. v. King, was different although New
York too had a long arm statute. The defendant therein had a small jazz club known as 'The

IM
Blue Note' in Columbia, Missouri and created a general access webpage giving
information about the said club as well as a calendar of events and ticketing information.
SH
In order to buy tickets, prospective customers had to use ticket outlets in Columbia. Bensusan
(the plaintiff therein) was a New York corporation that owned 'The Blue Note,' a
popular jazz club in the heart of Greenwich Village in New York. It also owned the
rights to the ‘The Blue Note’ trademark. It accordingly sued the defendant for trademark
LU

infringement in New York. It was noticed that New York had a long arm statute. However, the
New York court held that the defendant had not done anything to purposefully avail himself of
the benefits of the forum. Like numerous others, the defendant had "simply created a web site
PN

and permitted anyone who could find it to access it. Creating a site, like placing a product into
the stream of commerce, may be felt nationwide or even worldwide but, without more, it is not
an act purposefully directed towards the forum state."(Emphasis Supplied)
H

In Ballard v. Savage, it was explained that the expression 'purposefully availed' meant
that "the defendant has taken deliberate action within the forum state or if he has created
continuing obligations to forum residents." It was further explained that "it was not required
that a defendant be physically present within, or have physical contacts with the forum,
provided that his efforts are purposefully directed toward forum residents. “In
CompuServe, Inc. v. Patterson, it was found that the defendant had chosen to transmit its
products from Texas to CompuServe's system, and that system provided access to his software
to others to whom he advertised and sold his product. It was held that Patterson had
"purposefully availed himself of the privilege of doing business."

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.70

In Maritz, Inc. v. Cyber Gold Inc., where internet surfers who came across its website
were encouraged by the defendant Cyber Gold to add their email address to a mailing list that
basically subscribed the user to the service, it was held that the defendant had obtained the
website for the purpose of and in anticipation that internet users will access Cyber
Gold's website and eventually sign up on Cyber Gold's mailing list. Therefore, although
Cyber Gold claimed that its website was a passive one, it was held that through its
website, "Cyber Gold has consciously decided to transmit advertising information to all
internet users, knowing that such information will be transmitted globally." In Neogen Corp.
v. Neo Gen Screening, Inc., the Court of Appeals held that the purposeful availment
requirement is satisfied if the web site is interactive to such a degree that reveals a specifically
intended interaction with residents of the state. In that case, the plaintiff (Neogen), a
Michigan Corporation, was in the business of developing and marketing a range of health
care, food, and animal related products and services, including certain diagnostic test kits.

LA
It filed a suit in the Michigan District Courts alleging, inter alia, trademark infringement
against the defendant (Neo Gen Screening/NGS), a Pennsylvania Corporation performing
diagnostic testing of blood samples from newborn infants. The District Court dismissed the suit

IM
for lack of personal jurisdiction. The Court of Appeals held that the maintenance of the
defendant's website, in and of itself, ds not constitute purposeful availment of the
SH
privilege of acting in Michigan. It observed that: "the level of contact with a state that occurs
simply from the fact of a website's availability on the Internet is therefore an attenuated contact
that falls short of purposeful availment." However, the Court in that case did not decide the
question of whether the defendant's website alone would be sufficient to sustain personal
LU

jurisdiction in the forum state as it held that the website should be considered alongside
other interactions with Michigan residents. It also observed that when potential
customers from Michigan had contacted NGSAto purchase its services, NGSAhad
PN

welcomed their individual business on a regular basis. The Court further observed that
"although customers from Michigan contacted NGS, and not the other way around, NGS could
not mail test results to and accept payment from customers with Michigan addresses without
H

intentionally choosing to conduct business in Michigan." (Emphasis Supplied) It was in this

context that the Court of Appeals reversed the finding of the District Court and remanded the
matter.

In Cybersell, Inc. v. Cybersell. Inc., the facts were that an Arizona Corporation that advertised
for commercial services over the internet under the service mark 'Cybersell',
brought an infringement action against a Florida Corporation that offered webpage construction
services over the internet. As part of its marketing effort, the Florida Corporation created a
webpage that had a logo at the top consisting of “'CyberSell' over a depiction of the
planet earth, with the caption underneath
'Professional Services for the World Wide Web' with a local telephone number and a hypertext
link allowing the internet surfer to introduce herself. That link invited a company not on the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.71

web but interested in getting on the web to email the Florida Corporation for further
information. Arizona had a long arm statute that permitted a court to exercise personal
jurisdiction over parties whether found within or outside the state to the maximum extent
permitted by the court in United States. The Court referred to the decision of the Arizona
Supreme Court in Uberti v. Leonardo, in which it was held that Arizona will exert
personal jurisdiction over a nonresident litigant to the maximum extent allowed by the
federal constitution. The Arizona Court of Appeals adopted a three part test to determine
whether the district court could exercise specific jurisdiction over the nonresident
defendant: (1) the nonresident defendant must do some act or consummate some
transaction with the forum or perform some act by which he purposefully avails himself
of the privilege of conducting activities in the forum, thereby invoking the benefits and
protections; (2) the claim must be one which arises out of the results from the
defendant's forum related activities; and (3) exercise of jurisdiction must be reasonable. It was

LA
held by the Court of Appeals that all that Cybersell FL (the Florida Corporation) had done was
to:
post an essentially passive home page on the web, using the name 'CyberSell,' which

IM
Cybersell AZ (the Arizona Corporation) was in the process of registering as a federal service
mark. While there is no question that anyone, anywhere could access that home page and
SH
thereby learn about the services offered, we cannot see how from that fact alone it can be
inferred that Cybersell FL deliberately directed its merchandising efforts toward Arizona
residents.
LU

It was further noticed that: " the interactivity of its web page is limited to receiving the
browser's name and address and an indication of interestsigning up for the service is not an
option, nor did anyone from Arizona do so. No money changed hands on the Internet from (or
PN

through) Arizona." It was held that Cybersell FL's contacts were insufficient to establish
'purposeful availment.'
H

Three years later in Bancroft & Masters Inc. v. Augusta National Inc. the Circuit Court
applied the Calder 'effects' test in a trademark dilution and infringement case and upheld
jurisdiction. The plaintiff, a California computer services company, had been granted
registration of the domain name 'masters.com' by Network Solutions Inc. (NSI). The
defendant Augusta National Inc. (ANI) was a Georgia golf club that held several
registrations for 'masters' and a domain name 'masters.org' served a ceaseanddesist notice
on NSI in California. The plaintiff then responded by filing a suit in California for a declaration
that its domain name did not infringe ANI's trademark. The court upheld the exercise of
personal jurisdiction over ANI since by serving the notice on NSI in California, ANI 'had
expressly aimed' its activity at California.

The Zippo 'sliding scale' test

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.72

An extension of the purposeful availment test was attempted in Zippo Mfg. Co. v.
Zippo Dot Com, Inc. The plaintiff Zippo Manufacturing was a Pennsylvania
corporation making cigarette lighters. The defendant was a California corporation
operating an internet website and an internet news service. It had offices only in
California. Viewers who were residents of other states had to go to the website in order to
subscribe for the defendant's news service by filling out an online application.
Payment was made by credit card over the internet or telephone. Around 3000 of the
defendant's subscribers were residents of Pennsylvania who had contracted to receive the
defendant's service by visiting its website and filling out the online application. Additionally
the defendant had entered into agreements with seven internet access providers in
Pennsylvania to permit their subscribers to access the defendant's news service. The
defendant was sued in a Pennsylvania court for trademark dilution, infringement and false

LA
designation. After discussing the development of the law till then, the District Court first
observed that:

IM
The Constitutional limitations on the exercise of personal jurisdiction differ depending upon
whether a court seeks to exercise general or specific jurisdiction over a nonresident
SH
defendant (Mellon, 960 F.2d at 1221.). General jurisdiction permits a court to exercise
personal jurisdiction over a nonresident defendant for non-forum related activities when
the defendant has engaged in 'systematic and continuous' activities in the forum state
(Helicopteos Nacionales de Colombia, S.A. v. Hall, 466 U.S. 408.). In the absence of
LU

general jurisdiction, specific jurisdiction permits a court to exercise personal jurisdiction

over a nonresident defendant for forum related activities where the relationship between the
defendant and the forum falls within the 'minimum contacts' framework of International Shoe
PN

Co. v. Washington, 326 U.S. 310 and its progeny, Mellon, 960 F.2d at 1221 (Emphasis
Supplied)
The Zippo court then noted that:
H

a three pronged test has emerged for determining whether the exercise of specific personal
jurisdiction over a nonresident defendant is appropriate: (1) the defendant must have
sufficient 'minimum contacts' with the forum state, (2) the claim asserted against the
defendant must arise out of those contacts, and (3) the exercise of jurisdiction must be
reasonable.

The court in Zippo classified websites as (i) passive, (ii) interactive and (iii) integral to the
defendant's business. On facts it was found that the defendant's website was an interactive one.
Accordingly it was held that the court had jurisdiction to try the suit. The Zippo court's
observation that the likelihood that personal jurisdiction can be constitutionally exercised
is directly proportionate to the nature and quality of commercial activity that an entity
conducts over the internet has been compared by that court to a 'sliding scale.'

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.73

In the Court's words:

At one end of the spectrum are situations where a defendant clearly ds business over
the Internet. If the defendant enters into contracts with residents of a foreign jurisdiction
that involve the knowing and repeated transmission of computer files over the Internet,
personal jurisdiction is proper. At the opposite end are situations where a defendant has simply
posted information on an Internet Web site, which is accessible to users in foreign jurisdictions.
A passive Web site that ds little more than make information available to those who are
interested in it is not grounds for the exercise of personal jurisdiction. The middle ground is
occupied by interactive Web sites where a user can exchange information with the host
computer. In these cases, the exercise of jurisdiction is determined by examining the level of
interactivity and commercial nature of the exchange of information that occurs on the Web site.

LA
Zippo was welcomed by courts as offering a balance between a lawless internet and an
excessively regulated one. While an owner of a passive website could not be expected to
foresee being sued in multiple jurisdictions worldwide, the owner of an interactive one should

IM
expect such an outcome. Also, it tacitly approved the protection of local consumers'
interests by local courts applying the local law.
SH
Soon, however, problems surfaced in applying the Zippo sliding scale test in terms of
which the assertion of a court's jurisdiction depended upon the 'level of interactivity and
commercial nature of the exchange of information' as a result of the use of the website. The
LU

courts have been finding it problematic in determining the degree of interactivity that should
suffice for jurisdiction to be attracted. Mere ability to exchange files with users through
the internet has been held not to be sufficiently 'interactive' for the forum court to assume
PN

jurisdiction.

In Millennium Enterprises Inc. v. Millennium Music L.P., the Oregon district court
H

declined to exercise jurisdiction over a South Carolina corporation that sold products both
offline and on the web. The court felt that 'something more' than merely showing that
the website was interactive was required. The defendant should Be shown to have
consummated some transaction within Oregon and to have made
'deliberate and repeated contacts' with Oregon through the website so that it could be held that
they ought to have anticipated being hauled into an Oregon court.

In People Solutions v. People Solutions, although it was possible for customers visiting
the defendant's website to download information, obtain product brochures and order products
online, the court refused to assert jurisdiction since the plaintiff failed to show that defendant
had sold its products or contracted for services with any person in the forum state through
the website. Again in Mink v. AAAA Development, although the defendant's website

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.74

offered printable mailing order forms that could be downloaded, provided a toll-free
number, a mailing and an email address, the forum court declined to exercise jurisdiction
since in fact no orders were placed using the website.

In Winfield Collection v. McCauley, the website provided an interactive mechanism of doing

online business and the plaintiff showed that auction sales were conducted over the net with
bidders in Michigan. Nevertheless jurisdiction was declined because the defendant was not
shown as "actively and intentionally doing business with customers in Michigan." It was held
that the form of online sale made it impossible for the defendant's website to target the
users of any particular state and therefore other than the court of the state where the principal
place of the business of the defendant was located, other state courts could not exercise
jurisdiction. Since over the years, most websites are interactive to some degree, there has been
a shift from examining whether the website is per se passive or active to examining the nature

LA
of the activity performed using the interactive website.

Zippo has been criticised as being ineffective in lending legal certainty in the face of ever-

IM
changing technology which has witnessed a shift from the use of passive websites to
those that are either partly or wholly interactive. If the test were to be static irrespective of the
SH
changes in technology, then it would become irrelevant if a majority of the websites answered
the definition of an interactive website. That would result in a 'chilling effect' on international
commerce of which the internet is a major vehicle. It would then fail to provide the balance
between the interests of consumers and those of producers and marketers.
LU

The Effects Test and 'Intentional targeting'

PN

The difficulty experienced with the application of the Zippo sliding scale test has paved
the way for application of the 'effects' test. The courts have thus moved from a 'subjective
territoriality' test to an 'objective territoriality' or 'effects' test in which the forum court will
H

exercise jurisdiction if it is shown that effects of the defendant's website are felt in the
forum state. In other words it must have resulted in some harm or injury to the plaintiff within
the territory of the forum state. Since some effect of a website is bound to be felt in several
jurisdictions given the nature of the internet, courts have adopted a 'tighter' version of the
'effects' test, which is 'intentional targeting.'

The 'effects' test was first evolved in Calder v. Jones. The plaintiff therein was a resident of
California who commenced a libel action in a California court against the National Enquirer
based on an article that it printed and circulated in California. Apart from the Enquirer and its
local distribution company, its editor and the author of the article were all in Florida. Affirming
the assertion by the California court of personal jurisdiction over the defendants, the Supreme
Court held:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.75

The allegedly libelous story concerned the California activities of a California resident. It
impugned the professionalism of an entertainer whose television career was centred in
California. The article was drawn from California sources, and the
*16 brunt of the harm, in terms both of respondent's emotional distress and the injury to her
professional reputation, was suffered in California. In sum, California is the focal point
both of the story and of the harm suffered. Jurisdiction over petitioners is therefore proper in
California based on the 'effects' of their Florida conduct in California.59

On facts it was held that the author and editor 'expressly aimed' their tortuous actions
at California and that they knew that the article would have a devastating impact on the
respondent and that they should have reasonably anticipated that the brunt of that injury would
be reasonably felt by the defendant in the state in which she lived and worked. The court went

LA
on to observe:

Petitioners are not charged with mere untargeted negligence. Rather, their

IM
intentional, and allegedly tortuous, actions were expressly aimed at California. Petitioner South
wrote and petitioner Calder edited an article that they knew would have a potentially
SH
devastating impact upon respondent. And they knew that the brunt of that injury would be felt
by respondent in the State in which she lives and works and in which the National
Enquirer has its largest circulation. Under the circumstances, petitioners must
'reasonably anticipate being hauled into court there' to answer for the truth of the statements
LU

made in their article...

Yahoo! Case
PN

The effects test propounded in Calder has been applied with mixed results. One of the most
discussed decisions of a French court where the effects doctrine was applied is the
H

Yahoo! case. French Jew while surfing on the net came across Nazi memorabilia being offered
for sale on a web page hosted by Yahoo!. The offering of Nazi memorabilia for sale was an
offence under the French penal law. Although the website of Yahoo! France did not host a
similar web page, it could be viewed on the Yahoo! website hosted from the US by anyone in
France. LICRA, an organization fighting racism and anti-Semitism, and the Union of
Jewish students in France (UJEF) sued Yahoo! and Yahoo! France in the courts in France.
The French court ordered Yahoo! to block access to its US website from France, in order to
prevent internet users in France from accessing the objectionable items offered for auction sale
on that site. It found that this was technologically feasible through a series of devices for which
it examined experts. It thus rejected Yahoo!'s argument that the French court's order was not
capable of being implemented beyond the borders of France. The French court essentially
applied the effects test to assert jurisdiction. It held that by permitting internet users in France

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.76

to participate in the sale of such objects, Yahoo! had committed a wrong within the territory of
France. Although the website was capable of being viewed from anywhere in the world, the
French court concluded that it had caused harm to the two claimants located in France. The
mere possibility of downloading the objectionable information did not alone determine the
question of jurisdiction. The French court also considered the effect it would have on the
public at large in France who could access Yahoo!'s website and who were targeted.
Thus the court concluded from the fact that Yahoo! displayed advertisements in
French to visitors at the US based server and that Yahoo!France provided a link to the US
based Yahoo! server that Yahoo! did intend its services to reach persons in France and also
intended to profit from the visitors from France to its US based website.

While courts have more readily applied the effects test in defamation cases, there have been
problems in its application to trademark infringement cases. For instance, the Court of Appeals

LA
in Cybersell held that the 'effects' test did not apply with the same force to Cybersell AZ as it
would to an individual, because a corporation ds not suffer localised harm in a specific
geographic location in the same manner as an individual. Cybersell FL's web page

IM
simply was not aimed intentionally at Arizona knowing that harm was likely to be
caused there to Cybersell AZ. In Digital Equipment Corp. v. Alta Vista Technology,63 the
SH
plaintiff, a Massachusetts company sued the defendant which was its licensee alleging
infringement of its mark. Although the defendant argued that it had structured its affairs
to avoid the forum state, the court found that the defendant's use of its website to infringe the
plaintiff's mark did have effects in the forum state and its purpose may be said to be targeting
LU

the forum state and its citizens. In Nissan Motor Co. v. Nissan Computer Corp.
although the defendant did not sell goods to its consumers on its websites (which were
registered under the domain names 'nissan.com' and 'nissan.net') it had intentionally
PN

changed the content of its website to exploit the goodwill of the plaintiff by profiting from the
confusion created among the consumers. It was therefore held to have "deliberately and
substantially directed its activity toward the forum state."65
H

It is pointed out that in developing criteria to be used in determining whether a website has
targeted the forum state, care must be taken to ensure that it must be technology neutral in
the sense that it will remain relevant even as new technologies emerge.
Furthermore, the criteria must not display any bias towards either consumers, who would seek
to apply the law governing the destination of the product, or producers who seek to apply the
law of the place of origin of the goods. Further, as Michael Geist points out, the real
question would be whether the targeting of a specific jurisdiction was foreseeable.

This in turn depends on three factors:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.77

To identify the appropriate criteria for a targeting test, we must ultimately return to the core
jurisdictional principle - foreseeability. Foreseeability should not be based on a passive
versus active website matrix. Rather, an effective targeting test requires an assessment of
whether the targeting of a specific jurisdiction was itself foreseeable. Foreseeability in that
context depends on three factors: contracts, technology, and actual or implied
knowledge. Forum selection clauses found in website terms of use agreements or
transactional click wrap agreements allow parties to mutually determine an appropriate
jurisdiction in advance of a dispute. They therefore provide important evidence as to the
foreseeability of being hauled into the courts of a particular jurisdiction. Newlyemerging
technologies that identify geographic location constitute the second factor. These
technologies, which challenge widely held perceptions about the Internet’s architecture, may
allow website owners to target their content to specific jurisdictions or engage in
'jurisdictional avoidance' by 'de targeting' certain jurisdictions. The third factor, actual or

LA
implied knowledge, is a catchall that incorporates targeting knowledge gained through
the geographic location of tort victims, offline order fulfillment, financial intermediary
records, and web traffic.

IM
SH
Trend of adopting a combination of Zippo 'Sliding Scale' and Calder 'Effects' test

The courts in the USA have recently adopted a combination of the Zippo 'sliding scale'
test and the Calder 'effects' test in order to examine whether the forum court has jurisdiction in
LU

a case involving trademark infringement by the use of the internet.

In Toys "R" US v. Step Two, the Court of Appeals revisited the issue. In that case, the
PN

plaintiff, Toys "R" Us (Toys), a Delaware corporation with its headquarters in New
Jersey, owned retail stores worldwide where it sold toys, games, and numerous other products.
In August 1999, Toys "R" Us acquired Imaginarium Toy Centers, Inc., which owned and
H

operated a network of 'Imaginarium' stores for the sale of educational toys and games.
In this process, Toys “R” Us also acquired several Imaginarium trademarks. The defendant,
Step Two, was a corporation in Spain that owned or franchised toy stores operating under the
name 'Imaginarium' in Spain and nine other countries. It had registered the Imaginarium mark
in several countries where its stores were located. At the time of the litigation, there were 165
Step Two Imaginarium stores possessing the same unique facade and logo as the stores
owned by Toys "R" Us, and selling the same types of merchandise as Toys "R" Us sold in its
Imaginarium stores. However, Step Two did not operate any stores, maintain any offices
or bank accounts, or have any employees anywhere in the United States. In 1995,
Imaginarium Toy Centers, Inc. (which Toys "R" Us had later acquired) registered the domain
name 'imaginarium.com' and launched a website featuring merchandise sold at Imaginarium
stores. In 1996, Step Two registered the domain name 'imaginarium.es', and also began to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.78

advertise the merchandise that was available at its Imaginarium stores. In April 1999,
Imaginarium Toy Centers registered the domain name 'imaginarium.net', and launched
another website where it offered Imaginarium merchandise for sale. In June 1999, Step Two
registered two domain names, 'imaginariumworld.com' and 'imaginariumworld.com'. In May
2000, Step Two also registered three more domain names including 'imaginariumnet.com' and
'imaginariumnet.org'. Toys "R" Us brought action against Step Two alleging that Step Two
had used its websites to engage in trademark infringement, unfair competition, misuse of
the trademark notice symbol, and unlawful 'cybersquatting.' The District Court of New
Jersey denied Toys "R" Us' request for jurisdictional discovery and, simultaneously,
granted Step Two's motion to dismiss for the lack of personal jurisdiction. However, the
Court of Appeals held that the record did not support the finding that the defendant Step
Two had knowingly conducted business with residents of New Jersey. It reversed and
remanded the case for limited jurisdictional discovery relating to Step Two's business activities

LA
in the United States. The Court emphasized that:

the mere operation of a commercially interactive website should not subject the operator

IM
to jurisdiction anywhere in the world. Rather, there must be evidence that the defendant
'purposefully availed' itself of conducting activity in the forum state, by directly targeting its
SH
website to the state, knowingly interacting with residents of the forum state via its website, or
through sufficient other related contacts. (Emphasis Supplied)

The California Supreme Court in Pavlovich v. Superior Court was divided 4:3 on the
LU

question of whether a Texas website operator who had posted software designed to
defeat the plaintiff's technology for encrypting copyrighted motion pictures was subject to
personal jurisdiction in California where the motion picture, computer, and DVD industries
PN

were centred. In rejecting jurisdiction, the majority focused on the fact that the
defendant did not know that the particular plaintiff, a licensing entity created by the
motion picture and DVD industries, was located there. The dissent thought it sufficient that
H

the defendant was on notice that its conduct would harm the motion picture and DVD
industries centred in California. In Revell v. Lidov, the plaintiff, a Texas resident sued Lidov,
a Massachusetts resident and the Columbia University for posting a defamatory piece on the
university's bulletin board. The court applied both Zippo and Calder. It first found that
the website was interactive and individuals could both send and receive messages. But
applying Calder it found that the article made no reference to Revell's Texas activities
and was not directed at Texas readers as distinguished from other readers. Also, Lidov did not
know that Revell was a Texas resident when he posted the article and therefore could
not reasonably anticipate being hauled into a Texas court. Consequently, the Texas
court was held not to have jurisdiction.

Difficulties in the application of the three tests

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.79

Thomas Schultz points out that the dynamics of jurisdiction are reasonableness and fairness.71
Schultz concludes that both the subjective territoriality and objective territoriality or the
effects tests, if construed too broadly, are bound to be unfair and unreasonable. According to
Schultz, a middle path had to be chosen between the too narrow ('subjective territoriality') and
the too broad ('effects') jurisdictional bases for better managing transborder externalities.
This middle path was 'targeting.' Schultz defines targeting to mean "in essence that the
activity must be intended to have effects within the territory of the state asserting
jurisdiction." According to another scholar, Michael Geist, the principle of targeting is
used to "identify the intentions of the parties and to assess the steps taken to either
enter or avoid a particular jurisdiction. "Targeting is described as "something more than
effects, but less than physical presence."

LA
Legal scholars C. Douglas Floyd and Shima Baradaran Robison add:

Nor is the central difficulty in Internet cases created by the fact that a defendant has undertaken

IM
conduct that might subject itself to jurisdiction everywhere, rather than only in one or a
few states. A tort feasor who mails a thousand bombs to recipients in one state, and one to
SH
recipients in each of the other forty nine states, should not be relieved from geographic
responsibility for the consequences of his actions in each of those states simply because he
is subject to suit everywhere, or because his conduct has a uniquely intensive
relationship with a single state. The problem in Internet cases is not that the defendant is
LU

potentially subject to suit everywhere, but that he is potentially subject to suit anywhere,
without having any particular reason to know where that might be. This lack of
predictability and geographically specific notice lies at the heart of the difficulties that the
PN

courts have experienced in applying traditional jurisdictional concepts in cases in which the
instrument of wrongdoing is an Internet posting. The case of the Internet posting is more
analogous to one in which a defendant throws a bottle containing poisonous gas into
H

the ocean, with awareness that it may cause injury to someone, somewhere, if it is
found and opened someday. After discussing the inconsistent results arrived at by courts in
different cases having more or less similar facts, they emphasise the need for a uniform
approach, whether the cases involve torts, or interstate commerce disputes. Thereafter they
conclude:

(1) A unified approach to questions of personal jurisdiction should be applied to all cases in
which jurisdiction is asserted in a forum remote from the defendant's residence or the
place of wrongdoing, regardless of the particular subject matter of the action, the legal
theories that it raises, or the means by which the allegedly wrongful conduct of the
defendant has been committed. (2) The factors informing such an approach must be
sufficiently flexible to take account of the wide array of differing contexts in which issues

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.80

of personal jurisdiction are presented, and, in particular, to take account of the unique
characteristics of the Internet that have increasingly troubled the courts in recent years. (3)
The Supreme Court's apparent importation of notions of a defendant's purpose or its intent to
target the forum state is flawed and has created more problems than it has resolved in
the context of modern actions involving informational torts. (4) Questions of personal
jurisdiction should turn on objective (rather than subjective) factors that have primary reference
to whether the defendant objectively should be on notice that it has caused the effects
giving rise to the action in the particular forum state. If such notice ds exist, the court should
further inquire whether the intervening acts of third parties should relieve the defendant of
geographic responsibility for those effects and whether the balance of the interests of the
defendant, the plaintiff, and the forum state makes it fundamentally unfair to subject the
defendant to suit there.

LA
To summarise the position in the US, in order to establish the jurisdiction of the forum
court, even when a long arm statute exists, the plaintiff would have to show that the defendant
'purposefully availed' of jurisdiction of the forum state by

IM
'specifically targeting' customers within the forum state. A mere hosting of an interactive
web page without any commercial activity being shown as having been conducted within the
SH
forum state, would not enable the forum court to assume jurisdiction. Even if one were to
apply the 'effects' test, it would have to be shown that the defendant specifically directed its
activities towards the forum state and intended to produce the injurious effects on the
plaintiff within the forum state. Some courts have required the plaintiffs to show that the
LU

defendant should be shown to have foreseen being 'hauled' into the courts in the forum state
by the very fact that it hosted an interactive website.
PN

OTHER COMMON LAW JURISDICTIONS

The approach of courts in other common law jurisdictions, including India, is examined
H

next.

Canada

In Morguard Investments Ltd. v. De Savoye, the Canadian Supreme Court emphasized

the 'real and substantial connection' as a test for determining jurisdiction. It was
observed that the approach of permitting suit where there is a real and substantial connection
with the action strikes an appropriate and reasonable balance between the rights of the
parties. In Pro-C Ltd. v. Computer City Inc., 78 it was held that the listing of Canadian
retail outlets on the defendant's website coupled with there being a de-facto 'common
market' between Canada and the US meant that Canadian consumers were being targeted and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.81

therefore the Ontario court in Canada would have jurisdiction to try the trademark infringement
action against the defendant located in the USA.

In Patrick Desjean v. Intermix Media Inc., the defendant, a Delaware Corporation with its
principal office in Los Angeles, used to offer ostensible free software programs. When
the plaintiff, a resident of Canada, installed a free Intermix Screensaver or game from
www.mycoolscreen.com, he also unwittingly installed one or more spyware programs.
Thereafter, the plaintiff brought an action against the defendant in Canada for violating the
misleading representations provisions of the Canadian Competition Act, 1985. The Federal
Court of Ottawa, after referring to the decision of the Ontario Court of Appeal in Muscutt v.
Courcelles, (2002) 213 D.L.R. (4th) 577, took the following eight factors into account while
determining whether it had jurisdiction:

LA
(1) The connection between the forum and the plaintiff's claim; (2) The connection between the
forum and the defendant; (3) Unfairness to the defendant in assuming jurisdiction; (4)
Unfairness to the plaintiff in not assuming jurisdiction; (5) Involvement of other parties to the

IM
suit; (6) The Court's willingness to recognize and enforce an extraprovincial judgment
rendered on the same jurisdictional basis; (7) Whether the case is interprovincial or
SH
international in nature; (8) Comity and standards of jurisdiction, recognition and
enforcement prevailing elsewhere. (Emphasis Supplied)

The Court observed that the defendant had no office in Canada although in the past it
LU

subsidized office space for contractors working on two websites purchased by Intermix.
Intermix had no server in Canada and www.mycoolscreen.com also was not hosted on
servers located in Canada but on a server in California. It was also observed that 66% of
PN

downloads from either the defendant's websites or third parties distributing the defendant's
applications were made by American users and the remaining were made throughout the
world. Canad accounted for only 2.5% to 5.3% of downloads. On the basis of these facts,
H

the Federal Court held that the Canadian courts had no jurisdiction over the
defendant since there was no substantial connection between the defendant and the forum.
What is significant is that the Canadian federal Court identified the court's willingness to
recognise and enforce an extra provincial judgement rendered on the same jurisdictional
basis as being a relevant factor. It highlights the need for reciprocity and its relevance
in enforcement without which exercise of such personal jurisdiction over extraterritorial
defendants might be rendered futile.

United Kingdom

In 1-800 Flowers Inc. v. Phonenames, the defendant was a UK based phonebook company
and the plaintiff was engaged in the business of delivery of flowers. Customers across

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.82

the world could access the plaintiff's website to place orders for flowers. There was, however,
no evidence to show that UK residents had placed orders on its website. It was argued that
because the website was accessible from the UK and the UK residents could place orders
online, the use by the defendant of the mark 1-800 on its website amounted to use in the
UK. It was held in the first appeal by the Bench that "mere fact that websites could be accessed
anywhere in the world did not mean, for trade mark purposes, that the law should regard them
as being used everywhere in the world." The intention of the website owner and what
the reader will understand if he accesses the website was held to be relevant. The Court of
Appeals also rejected the argument. Justice Buxton, in a concurring opinion pointed out as
under:

I would wish to approach these arguments, and particularly the last of them, with
caution. There is something inherently unrealistic in saying that A 'uses' his mark in the United

LA
Kingdom when all that he ds is to place the mark on the internet, from a location outside the
United Kingdom, and simply wait in the hope that someone from the United Kingdom will
download it and thereby create use on the part of A. By contrast, I can see that it

IM
might be more easily arguable that if A places on the internet a mark that is confusingly
similar to a mark protected in another jurisdiction, he may do so at his peril that someone from
SH
that other jurisdiction may download it; though that approach conjured up in argument
before us the potentially disturbing prospect that a shop in Arizona or Brazil that happens to
bear the same name as a trademarked store in England or Australia will have to act with
caution in answering telephone calls from those latter jurisdictions. However that may be, the
LU

very idea of
'use' within a certain area would seem to require some active step in that area on the part of
the user that goes beyond providing facilities that enable others to bring the mark into
PN

the area. Of course, if persons in the United Kingdom seek the mark on the internet in response
to direct encouragement or advertisement by the owner of the mark, the position may be
different; but in such a case the advertisement or encouragement in itself is likely to
H

suffice to establish the necessary use.

Australia

The judgment of the Australian High Court in Dow Jones & Company Inc. v. Gutnick, is
instructive of the application of the effects test. Dow Jones & Company Inc., a corporation
registered in the USA, had published material on the internet that was allegedly defamatory of
Mr. Gutnick who sued in the Supreme Court of Victoria to recover damages to vindicate his
reputation. The Victorian law was treated as a long arm rule which provided for jurisdiction
based upon the mere happening of damage within a jurisdiction. The High Court held that
the primary judge was correct in deciding the issue of jurisdiction in favour of the
plaintiff. Since the long arm was found to be valid and applicable, the arguments that

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.83

the defendant had minimal commercial interest in the sale of its magazine in Victoria
and that it had published them principally for the benefit of US readers was considered
irrelevant. However, what is important to note is that the state of Victoria in the said case did
have a long arm law which was held to be valid and which permitted extension of jurisdiction.

India

Casio India Co. Limited v. Ashita Tele Systems Pvt. Limited, was a passing off
action where the defendant was carrying on business from Bombay. The defendant had
managed to get a registration of domain name www.casioindia.com and defendant no. 2
was the Registrar with whom the domain name had been registered. The plaintiff, on the other
hand, claimed to be a 100% subsidiary of Casio Computer Ltd., Japan (Casio Japan), which
was the registered owner of the trade mark 'Casio' in India used for a large number of

LA
electronic and other products. He had registered a large number of domain names in
India like 'CasioIndiaCompany.com', 'CasioIndia.org', 'CasioIndia.net', etc. Defendant No.
1 had obtained the above domain names during the time when it held a distributorship

IM
agreement with the plaintiff. It was held by the learned single Judge after referring to
the decisions in Rediff Communication Ltd. v. Cyber Booth and Dow Jones & Co. Inc. v.
SH
Gutnick that "once access to the impugned domain name website could be had from
anywhere else, the jurisdiction in such matters cannot be confined to the territorial limits of
the residence of the defendant." According to the learned single Judge, since a mere
likelihood of deception, whereby an average person is likely to be deceived or confused
LU

was sufficient to entertain an action for passing off, it was not at all required to be proved
that "any actual deception took place at Delhi. Accordingly, the fact that the website of
Defendant No. i can be accessed from Delhi is sufficient to invoke the territorial jurisdiction of
PN

this Court."

In India TV Independent News Service Pvt. Limited v. India Broadcast Live Llc &
H

Ors., a different approach was adopted. The plaintiff ran a Hindi news channel 'INDIA
TV' that was launched in March 2004. However, the plaintiff claimed to have adopted the
trademark 'INDIA TV' since December 2002. The plaintiff had applied for registration of the
said mark and the relevant applications had been published in the trademarks journal. The
plaintiff was also the owner of the domain name 'indiatv.com' which was registered on
18.11.2003. The channel was made available for live viewing on the said website. Defendant
Nos. 1 & 2 hosted a website 'www.indiatvlive.com' which the plaintiff came across in January
2007. The website contained the words 'INDIA TV' which were displayed prominently inside
the sketch of a television. A passing off action was initiated in the Delhi High Court to prevent
Defendant No. 2 from using the domain name 'www.indiatvlive.com.' While the suit was
pending, Defendant No. 1 was proceeding with an action instituted by it in the Arizona District
Court in USA, where the defendants were located, against the plaintiff seeking a

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.84

declaration of non-infringement of the plaintiff's mark by Defendant No. 1. The plaintiff then
approached the Delhi High Court stating that the defendant had suppressed the fact of having
filed the aforesaid action in Arizona and prayed for an injunction against defendant from
proceeding with the said action in the Arizona courts particularly since the suit in the Delhi
High Court was a prior action. In resisting the said application, Defendant No. 1 took the
stand that the Delhi High Court was not a court of competent jurisdiction as it was not the
appropriate forum/ forum conveniens. Inasmuch as the defendants did not reside or work
for gain in India, it was only the District Court in Arizona that was the appropriate
forum/forum conveniens to decide the dispute. It was argued before the court that in
order to attain personal jurisdiction, i.e., jurisdiction over the person of a defendant in contrast
to the jurisdiction of a court over a defendant's property or his interest therein, there should be
a long arm statute on the basis of which the court could exercise jurisdiction over any
individual located outside the state. As regards the internet, it was argued that it was not

LA
enough to establish that there was a passive website. The court referred to the purposeful
availment test and the three factors highlighted in Cybersell. The learned single Judge then
noticed that India did not have a long arm statute to grant jurisdiction as regards nonresident

IM
defendants. Therefore it had to be examined whether the defendant's activities "have a
sufficient connection with the forum state (India); whether the cause of action arises out
SH
of the defendant's activities within the forum and whether the exercise of jurisdiction
would be reasonable." In paragraphs 46 and 47, it was observed as under:

46 I am in agreement with the proposition that the mere fact that a website is
LU

accessible in a particular place may not itself be sufficient for the courts of that place to
exercise personal jurisdiction over the owners of the website. However, where the website is
not merely 'passive' but is interactive permitting the browsers to not only
PN

access the contents thereof but also subscribe to the services provided by the
owners/operators, the position would be different. However, as noticed in the judgment
in CyberSell Inc. case (supra), even where a website is interactive, the level of
H

interactivity would be relevant and limited interactivity may also not be sufficient for a
court to exercise jurisdiction. In Panavision International LP case, it was found that the
registration of the Plaintiff's mark as a domain name by the Defendant had the effect of injuring
the Plaintiff in California and therefore the court had jurisdiction. In Compuserve case
(supra) again it was found that the Defendant had contacted Ohio to sell his computer
software's on the Plaintiff's Ohio based systems and sent his goods to Ohio further for their
ultimate sale and thus those courts had jurisdiction.

47 In the present case, the website 'indiatvlive.com' of Defendant No. 1 is not wholly of a
'passive' character. It has a specific section for subscription to its services and the options
(provided on the website itself) for the countries whose residents can subscribe to the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.85

services include India. The services provided by Defendant No. 1 can thus be subscribed to and
availed of in Delhi (India) i.e. within the jurisdiction of this court.

The learned Single Judge concluded in India TV that "Defendant No. 1 intended to target
expatriate Indians as well as Indians within the country." Furthermore, the stand taken by
Defendant No. 1 in its written statement was that it had a global presence including a
presence in India. It claimed to be the first IPTV delivery system for Indian content from
India. The website of Defendant No. 1 was launched in India as well as in Los Angeles. It was
accordingly held tha "Defendant No. 1 company has sufficient connection with India." As
regards the 'effects' test, it was held that since the plaintiff channel was an Indian news channel
intended for Indian audiences, any damage alleged to have been caused or alleged to be likely
to arise to the good will, reputation, etc. of the plaintiff would be in India. However, the
alleged damage that may have arisen or may be likely to arise to the plaintiff would be as a

LA
consequence of the fact that the impugned website is accessible in India and the services
provided can be availed of in India. Consequently, it was held that "the Defendant is carrying
on activities within the jurisdiction of this court; has sufficient contacts with the jurisdiction of

IM
the court and the claim of the Plaintiff has arisen as a consequence of the activities of
Defendant No. 1 within the jurisdiction of this court."
SH
Both Casio and India TV were decisions of single Judges and required proper
reconciliation. The opportunity presented itself in Banyan Tree Holding (P) Limited v. A.
Murali Krishna Reddy.The plaintiff there was a company located in Singapore. It
LU

claimed that it was part of a group of companies involved in the hospitality business. It
claimed the use of the word mark 'Banyan Tree' and also the banyan tree device since
1994. The plaintiff maintained the websites 'www.banyantree.com' and
PN

‘www.banyantreespa.com’ since 1996. The websites were accessible in India. Its application
for the registration of the mark and the device were also pending. In October 2007, the plaintiff
learnt that the defendants, located in Hyderabad in Andhra Pradesh, had initiated work on a
H

project under the name 'Banyan Tree Retreat', which according to the plaintiff was deceptively
similar to that of the plaintiff. The plaintiff invoked the jurisdiction of the Delhi High Court on
the ground that the defendants' website 'www.makprojects.com/banyantree', which
advertised its products and services was accessible in Delhi. The display of the
confusingly similar mark and device was calculated to cause much confusion and
deception among the public by passing off the services of the defendants as that of the plaintiff.
Accordingly, an injunction was sought. The Division Bench of the Delhi High Court, while
answering the referral order of the learned Single Judge, affirmed the ruling in India TV and
overruled Casio. It then remanded the case to the single Judge for a decision on the preliminary
issue of jurisdiction.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.86

The answers given by the Division Bench in Banyan Tree to the questions of law referred to it
were as follows:

Question (i): For the purposes of a passing off action, or an infringement action where
the plaintiff is not carrying on business within the jurisdiction of a court, in what
circumstances can it be said that the hosting of a universally accessible website by the
defendants lends jurisdiction to such Court where such suit is filed ('the forum court')?

Answer: For the purposes of a passing off action, or an infringement action where the plaintiff
is not carrying on business within the jurisdiction of a court, and in the absence of a longarm
statute, in order to satisfy the forum court that it has jurisdiction to entertain the suit, the
plaintiff would have to show that the defendant
'purposefully availed' itself of the jurisdiction of the forum court. For this it would have to be

LA
prima facie shown that the nature of the activity indulged in by the defendant by the use of the
website was with an intention to conclude a commercial transaction with the website user
and that the specific targeting of the forum state by the defendant resulted in an injury or

IM
harm to the plaintiff within the forum state.
SH
Question (ii): In a passing off or infringement action, where the defendant is sought to be sued
on the basis that its website is accessible in the forum state, what is the extent of the burden on
the plaintiff to prima facie establish that the forum court has jurisdiction to entertain the suit?
LU

Answer: For the purposes of Section 20(c) CPC, in order to show that some part of the cause of
action has arisen in the forum state by the use of the internet by the defendant the plaintiff will
have to show prima facie that the said website, whether euphemistically termed as 'passive
PN

plus' or 'interactive', was specifically targeted at viewers in the forum state for commercial
transactions. The plaintiff would have to plead this and produce material to prima
facie show that some commercial transaction using the website was entered into by the
H

defendant with a user of its website within the forum state resulting in an injury or harm to the
plaintiff within the forum state (Emphasis Supplied)

It was held that merely having an interactive website was not sufficient to make the defendant
amenable to the jurisdiction of the forum court. Applying the principle of intentional targeting,
it was held that the plaintiff had to show the intention of the defendant to conclude a
commercial transaction with the website user.

Banyan Tree also dealt with the issue of trap orders. The question that was addressed
was whether a single trap transaction was sufficient to show that the defendant had
purposefully availed the forum Court's jurisdiction. It was held that a lone trap transaction will
not be sufficient evidence for the purposes of establishing that a part of the cause of action

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.87

arose within the jurisdiction of the court. The plaintiff would have to show that the
defendant has purposefully availed of the jurisdiction of the forum court by entering
into a commercial transaction with an internet user located within the jurisdiction of the
forum court. This cannot possibly result from a solitary trap transaction since that would
not be an instance of 'purposeful' availment by the defendant. It would have to be a real
commercial transaction that the defendant has with someone and not a transaction set up by the
plaintiff itself. If the only evidence is in the form of a series of trap transactions, they have to
be shown to be obtained using fair means. The plaintiff seeking to establish jurisdiction on the
basis of such trap transactions would have to aver unambiguously in the plaint, and also place
along with it supporting material that prima facie proves that the trap transactions relied upon
satisfy the abovementioned test.

Banyan Tree has been later followed by the Karnataka High Court in Presteege Property

LA
Developers v. Prestige Estates Project Pvt. Ltd., a case involving a passing off action
initiated by Prestige Estates against Presteege Property Developers. The Single Judge
noticed that the construction activity of the defendant was exclusively in Kerala. It was further

IM
observed that though online booking was indicated, the sale would not take place in Bangalore
so as to constitute a part of the cause of action in terms of passing off since even if the
SH
defendants were to pass off their property riding on the reputation of the plaintiff as alleged, the
same would take place only in Kerala. Similarly in the case of the other defendant, the
activity of providing the services was observed to be exclusively in Tamil Nadu. The court
held that the "test of concluding a commercial transaction should be shown, to establish the
LU

level of activity indulged in by the defendants by the use of the website." The test not being
satisfied by the plaintiff, the learned single Judge held that the court at Bangalore would lack
jurisdiction.
PN

The present state of the law in India may be summarized. A plaintiff, not having the benefit of
the limited long arm provision of either section 134 of the Trade Marks Act, 1999 or section 62
H

of the Copyright Act, 1957 will not be able to persuade a court to exercise jurisdiction over a
defendant hosting a website containing the material purportedly violating the plaintiff's
IP rights unless it is shown that the defendant targeted its interactive website at viewers
in the forum state for the purpose of commercial transactions and in fact entered into
such transactions using the website. Further a lone trap transaction may not demonstrate
the 'purposeful' targeting by the defendant of the forum state or of 'aiming' at particular
customers therein. A more systematic behaviour over a series of transactions will have to be
shown as having been entered into by the defendant. It may be argued that the test evolved in
Banyan Tree may not answer the problems in a different factual setting and in a different
context, for e.g., the tort of defamation or the crime of cyber pornography. But then
Banyan Tree ds not deal with those contexts for which other tests will have to be devised.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.88

Nevertheless the courts in India will have to guard against overprotection of local interests and
adopt a balanced approach to ensure that a middle path is found in individual cases.

III OTHER TYPES OF CASES

Internet Jurisdiction in Copyright Cases

The tests adopted in copyright cases for exercising jurisdiction are no different from those
already discussed. The courts in the USA that had earlier sought to fashion
constitutional tests for jurisdiction around the particular technologies of the internet, have in
the more recent decisions reverted to the known tests of minimum contacts and reasonableness.

ALS Scan, Inc. v. Digital Service Consultants, Inc. is an example of the contemporary

LA
trend. The defendant, a Georgiabased Internet service provider, argued that it conducted
no business and had no offices, contracts, income, or advertising (other than through its
website) in Maryland. The plaintiff, a Maryland corporation, countered that, by enabling

IM
a thirdparty website operator to publish allegedly infringing photographs in Maryland, the
defendant had subjected itself to specific jurisdiction in the state. The court ruled for the
SH
defendant, observing that:

[i]f we were to conclude as a general principle that a person's act of placing

information on the Internet subjects that person to personal jurisdiction in each State in
LU

which the information is accessed, then the defence of personal jurisdiction, in the
sense that a State has geographically limited judicial power, would no longer exist.
PN

The court formulated a general rule that would establish personal jurisdiction in at least some
of these cases:
H

a State may, consistent with due process, exercise judicial power over a person outside
of the State when that person (1) directs electronic activity into the State, (2) with the
manifested intent of engaging in business or other interactions within the State, and (3)
that activity creates, in a person within the State, a potential cause of action cognizable in the
State's courts.104

The court added, however, that under such a standard, a person who simply places information
on the internet ds not subject himself to jurisdiction in each state into which the electronic
signal is transmitted and received. This decision is also an instance of the exemption of an
ISP from liability merely because it provided a platform or space in which the alleged
infringement took place.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.89

In Bridgeport Music, Inc v. Still N the Water Publishing, it was recognized that just operating
an internet website can constitute purposeful availment if the website is interactive to a
degree that entails specifically intended interaction with state residents. The court held
that there was no jurisdiction in Tennessee over a defendant that had not hosted or
operated a website for sale of alleged infringing composition.

Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd. involved the free exchange of

copyrighted music, movies and other digital media over the internet. The defendants distributed
software that enabled users to exchange digital media via the same peertopeer transfer
network. When the actions were originally filed, the defendants (Grokster, MusicCity and
Kazaa BV) each independently branded, marketed and distributed filesharing software. All
three platforms were powered, however, by the same 'FastTrack' networking technology.
This technology was developed by defendants Niklas Zennstrom and Janus Friis (who also

LA
launched Kazaa BV), and licensed to each company. As a result, users of all three
software platforms were connected to the same peertopeer 'FastTrack network,' and were able
to exchange files seamlessly. However, later the operation of the 'Kazaa system' had

IM
passed from Kazaa BV to Sharman Networks, a company organized under the laws of the
islandnation of Vanuatu and doing business principally in Australia. The defendant had
SH
allegedly provided filesharing software and entered into licensing agreements with
approximately two million Californian residents. The Court explained that in order to
extend personal jurisdiction, it would have to be shown that (1) a nonresident defendant
purposefully availed itself of the privilege of conducting activities in the forum state,
LU

thereby invoking the protections of its laws; and (2) the plaintiff's claims arose out of the
defendants' forumrelated activities. In the instant case, it was held that the defendant
was subject to specific jurisdiction under the California long arm statute because it directed
PN

its commercial activities at California, the forum state, and alternatively because of the impact
of the defendant's activities in California. While determining that the defendant *33 had
engaged in commercial activities directed at the forum State, the Grokster court cited Cybersell
H

and Zippo. For the effects test, the Grokster court drew on the Supreme Court's decision
in Calder.

IV ENFORCEMENT
The territorial nature of IPR is challenged by the advent of the internet. Attempts at finding a
uniform minimum standard to decide issues of jurisdiction as well as applicable law are
still to bear any definite shape. The TRIPS framework fails to provide the necessary
platform for resolving trans-border disputes arising out of the use of the internet. In the
circumstances, reliance is increasingly placed on the available enforcement mechanisms
in private international law to protect IPRs in digital goods distributed on web based
networks.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.90

Courts in domestic jurisdictions rely upon long arm statutes that enable them to exercise
personal jurisdiction over defendants outside the territory of the forum state. In some of the
cases noticed hereinbefore, particularly from the courts in the USA, the readiness with which
jurisdiction has been exercised is explained with reference to the existence of long arm statutes
in some of the States. In India, in the absence of a federal structure (as in the USA) in that
sense, the provision enabling the Courts to exercise jurisdiction with such a 'long arm' is
present in section 20 (c) of the Code of Civil Procedure, 1908 (CPC) that confers jurisdiction to
courts wherever there is an accrual of any "cause of action, wholly or in part." For
trademark infringement suits or suits relating to any right in a "registered trademark", Section
134(2) of the Trade Marks Act, 1999 supplements the courts to exercise jurisdiction over
a nonresident defendant, where the plaintiff "actually and voluntarily resides or carries on
business or personally works for gain." A similar provision to that effect is present in section
62 of the Copyright Act, 1957 for suits filed against copyright infringement.

LA
However, exercising jurisdiction is only one part of the exercise. The forum court's intervention
would be rendered futile if its orders against defendants outside its jurisdiction cannot be

IM
enforced. This is compounded if the defendant has no assets within the forum state. Further,
where the defendant is protected by the laws of his country against the consequence brought
SH
about the judgment, the courts in the country of the defendant would be reluctant to accord
recognition and consequent enforcement of such judgment.

The case of Yahoo! Inc. v. LICRA is illustrative of such complex legal situations.
LU

Yahoo!, an American internet service provider, brought suit in federal district court in
diversity against La Ligue Contre Le Racisme et L'Antisemitisme ('LICRA') and L'Union
des Etudiants Juifs de France ('UEJF') seeking a declaratory judgment that two interim
PN

orders by a French court are unrecognizable and unenforceable. The district court held that
the exercise of personal jurisdiction over LICRA and UEJF was proper, that the dispute
was ripe, that abstention was unnecessary, and that the French orders are not
H

enforceable in the United States because such enforcement would violate the First
Amendment. The district court did not reach the question whether the orders are recognizable.
LICRA and UEJF appealed only the personal jurisdiction, ripeness, and abstention holdings. A
majority of the en banc panel (Court of Appeals) held that the district court properly exercised
personal jurisdiction over LICRA and UEJF. The Court of Appeals reversed the District Court.
While three judges alone held that the District Court did not have jurisdiction over the
French defendants and therefore the suit should be dismissed, three other judges held that the
suit was not ripe and therefore, should be dismissed. Consequently, by a 6:5majority, the suit
was dismissed.

The relevant passage clarifying the opinion of the Court of Appeal is given below:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.91

An eight judge majority of the en banc panel holds, as explained in Part II of this
opinion, that the district court properly exercised specific personal jurisdiction over
defendants LICRA and UEJF under the criteria of Calder. A three judge plurality of the panel
concludes, as explained in Part III of this opinion, that the suit is unripe for decision under the
criteria of Abbott Laboratories. When the votes of the three judges who conclude that the
suit is unripe are combined with the votes of the three dissenting judges who conclude that
there is no personal jurisdiction over LICRA and UEJF, there are six votes to dismiss Yahoo!'s
suit.

In the Indian context, as long as the disputes concern parties that are within the
country, the question of enforcement of the judgment of one state court in another state where
the defendant resides or carries on business may not arise in view of the provisions of the Civil
Procedure Code. However, where the defendant is outside the country, unless there are

LA
reciprocal arrangements for recognition of decrees entered into the country of the defendant's
location, enforcement will be problematic. Further, in the context of the internet, the web
server hosting the offending material will have to abide by the order of the court asking it to

IM
remove the offending material from the website or block the site from viewership. Although
this is technically feasible, it would not be legally achievable unless the entity required to
SH
implement the court's directions accepts and agrees to abide by them.

Wendy Adams brings out the complex nature of the problem in the following passage:
LU

When differences in the extent to which states assume jurisdiction over disputes
involving extraterritorial activity are combined with the jurisdictional ambiguity
inherent in an online environment, unilateral enforcement of intellectual property rights
PN

within virtual commerce is not a viable alternative; domestic adjudication cannot

reconcile protection ahead of the curve with the minimum standards provided under the terms
of the TRIPS Agreement in a manner which preserves but ds not enhance TRIPS entitlements.
H

In ensuring the legitimacy of private enforcement, the methodology adopted to map virtual
transactions to territorial jurisdiction is a critical factor. Deficiencies in the localization process
would permit infringement in violation of domestic law, resulting in under compensation of
domestic innovators relative to foreign imitators. In the alternative, domestic courts could also
settle problems of jurisdictional ambiguity by stretching the notion of territoriality beyond
currently accepted limits. Excessive localization would amount to an impermissible
extraterritorial application of domestic intellectual property law, leading to
overcompensation of local innovators. Foreign imitators would be faced with a forced march
to the top, particularly in relation to states possessing superior economic advantages in
terms of trading power and as a desirable location for foreign direct investment.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.92

It is therefore not unusual that Alternative Dispute Resolution mechanisms through multilateral
trade negotiations have been thought of. One such instance is the Uniform Domain Name
Dispute Resolution Policy (UDRP) developed in the context of registration of domain names.
To tackle the growing phenomenon of cyber squatting, the UDRP was brought forth by the
ICANN. It provides a remedy by way of arbitration. It appears that the World Intellectual
Property Organization ('WIPO') also has an Arbitration & Mediation Centre which
adjudicates on disputes brought before it concerning the domain name registration. The
Centre has been approached by prominent individuals and companies seeking permanent
injunction against parties who registered domains in the names of such plaintiffs.

A recent instance of invoking the jurisdiction of a court in India to prevent the name of a
public figure being registered as a domain name, which can then be commercially sold
on the website is Arun Jaitley v. Network Solutions Private Limited & Ors. Mr. Jaitley, a

LA
prominent senior lawyer and politician, decided to book the domain www.arunjaitley.com
through the website of the defendant nos. 1 and 2 (Network Solutions LLC) since
defendant No.2 was the registering authority which had registered the domain name at the

IM
instance of some other person whose identity is not yet known. A WHOIS search conducted on
the said domain name showed that on 21st July 2009 the Registrar for the domain name was
SH
defendant no.1 Network Solutions, LLC. It was found that the domain name had expired on
12th July 2009 and was pending deletion. Despite Mr. Jaitley's lawyer asking that no domain
name be registered or renewed using his name, the defendants declined to do so. On 27th
August 2009 when a search was conducted on WHOIS Search, the status of the domain
LU

name was continued to be shown as 'pending delete.' It had been updated on 21st August
2009 The Registrar for the said domain name was still shown as Network Solutions,
LLC. In August, 2009 when a further WHOISA Search was conducted, it showed that the
PN

Registrar for the said domain name had changed to 'DOMAIN PARK BLOCK.COM LLC.'
The Registrant was Portfolio Brains LLC (PBL) an entity which has been impleaded as
Defendant No.3. In an interim order, the Delhi High Court observed:
H

25. The present suit raises very significant questions in the realm of intellectual
property law concerning the protection that a person is entitled to, particularly when the
person's name had acquired distinctiveness, goodwill and reputation. It also raises an
important question whether the right to one's own name is part of the bundle of
'personal' rights enshrined in the right to life under the Article 21 of the Constitution of
India, and Article 17 of the International Covenant on Civil & Political Rights. Is a person
entitled to protection of such a right and all other rights incidental to and stemming from that
right viz., the rights to publicity and to privacY. It appears to this Court that the plaintiff has
more than a stateable prima facie case.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.93

 26. The plaintiff has prima facie demonstrated, with the help of all several
documents, that defendant No.3 is 'squatting' on his name with the intention of exploiting
it for profit. If not injuncted, the domain name www.arunjaitley.com could well be 'purchased'
by any person. Such person could then use it for any purpose detrimental to the goodwill
and reputation of the plaintiff. The balance of convenience in restraining the defendants
from transferring, alienating or offering for sale the domain name 'arunjaitley.com' to any third
party and from creating any third party interest in the said domain name 'arunjaitley.com'
appears to be in favour of the plaintiff at this stage.

The court restrained PBL from advertising the domain name 'arunjaitley.com' or using the said
domain name for auction purposes or for any other purpose. PBL was restrained from
transferring, alienating or offering for sale the said domain name to any third party and from
creating any third party interest in the said domain name and was directed to maintain status

LA
quo in relation to the said domain name. In other cases where offending emails are sought
to be blocked, the court issues a mandatory injunction to the email service provider to
ensure compliance with the court's directions. Problems could arise if those entities which are

IM
located outside the jurisdiction either refuse to answer summons or refuse to implement
the court's directions. In that event, resort to the UDRP might be a more efficacious option for
SH
a plaintiff.

It appears that attempts at evolving a uniform law to govern the issue of

enforceability of foreign judgments, with particular reference to disputes arising out of internet
LU

transactions proved unsuccessful. It appears that the Hague Convention on Choice of Court
Agreements on June 30, 2005, ds not cover the question of torts committed on the internet.
The first draft of the Hague Convention on Jurisdiction and Foreign Judgments in Civil
PN

and Commercial Matters adopted in 1999 did not deal with issues arising from ecommerce
and this was referred to a group of experts. They could not agree on any minimum uniform
standard in view of the uncertain domestic law in the area. This therefore is an unfinished
H

task that will require to be revisited since the need for such a uniform law, given the volumes
of transactions on the net, can never be overstated.

V THE IMPORT OF JURISDICTIONAL ISSUES CONCERNING THE INTERNET

The above discussion throws up several interesting questions. One is whether the entire cyber
world is in fact getting fragmented in the process of devising laws and procedures reflective
of the tension between being overly protective of domestic interests and having too little
regulation of the internet.

Wendy Adams contextualizes the pros and cons of 'universal permission' as opposed to
'universal prohibition' in the following words:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.94

Resolution of the issue of jurisdiction in relation to commercial websites that do not appear to
be directed towards a specific territorial market requires that a default legal rule be established
in favour of either the location of the commercial website (which may refer either to the
location of the initial server, the location of one or more caching servers, or the website
operator's usual place of business), or the location of the person accessing the website (an
inquiry which could also be complicated by issues of nationality and residence). A
default rule favouring the location of the website would amount to universal permission,
whereby the commercial website operator is presumed to be in compliance with local
regulation to which he is subject, and individual states must in effect optout of this rule by
applying indirect regulation to prohibit residents from accessing commercial websites in
violation of local laws. In contrast, a default rule favouring the location of the person
accessing the commercial website would amount to universal prohibition; commercial

LA
website providers would be required to determine in advance those states in which their
products are permitted, and allow residents of these states alone to optin by restricting
access to the website accordingly. Note that these default rules are mutuallyexclusive,

IM
and accordingly states must reach consensus in favour of permission or prohibition if
consistent results are to be reached. Note as well that conditioning access upon
SH
geographical location becomes more complicated as successively smaller jurisdictional
units are adopted, e.g., substate entities within federal unions and municipalities.
Compelling arguments can be marshalled in support of either position, but what is
immediately apparent is that a default rule of universal prohibition tends to reduce the
LU

efficacy of the Internet as a unique commercial medium, leading to what some

commentators have called a Balkanisation of the Internet.
PN

Thomas Schultz is another legal scholar who has reflected on the above problem. He
challenges in a direct way popular assumptions about the internet. The first assumption
was that the internet was 'free' as in free speech. Schultz says, and rightly, that
H

technology has demonstrated that it can be shaped 'so as to enshrine values of liberty or values
of control.' He says: " It had been shown that the Internet could be a place of exquisite control
just as it used to be a place of exquisite liberty. Thus, the first 'inherent characteristic' claim had
been repealed."

The other myth he seeks to demolish is that the internet is 'global'; that it was a large network
of computers which had no centre or central authority through which all
communications would travel and which could regulate those communications. It was
conceived as an 'internet cloud' symbolising the unpredictability of the path that the
communication could take from one point to another. However when governments
the world over realized that the internet was just another tool that could be misused for a
variety of nefarious activities, they clamped down on the 'freedom' of access to the net.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.95

People started to say that they did not want outlandish foreigners to do the equivalent
of standing in the garden in front of their house doing things that are regarded with
outright repugnance in their community. The French were anxious at the thought of there
being, just around the corner, defiant Americans believing it is their fundamental right to say
whatever they want to say, even if it involves an apology for Nazism. In the United
States, people were incensed about lax foreign governments not cracking down on
online casinos, which were intruding into American homes and offices, computers, and
mobile phones, to fuel compulsive gambling. Many countries became concerned about
incitements to terrorism and appeals to fund terrorist organizations flowing into their
country simply by dint of being globally accessible. Some governments began to
consider blocking by technical means local residents' access to foreign Internet sources
that glorify terrorism. Other governments grew increasingly apprehensive about the West

LA
spreading its culture and values throughout the world by a mere information transfer
into territories which were previously exposed mainly to local information. Suddenly, the free
and global character of the Internet started to be considered an evil. The global Internet

IM
community started to think that, after all, it did not want to be a single community, but several,
and that each community should be allowed to live according to its internal fundamental
SH
values, according to its own choices of public policy (in the sense of ordre public), which
partake of the expression of each nation's Volksgeist. The Internet should be free, most
agreed, but only insofar as this freedom stopped short of violating the fundamental
principles underlying the operation of each state's legal system.
LU

In the field of ecommerce, Schultz says, the reemergence of the Westphalian outlook of
states to protect 'local' values and their own 'sovereignty' is leading to fragmentation of
PN

the internet. He observes:

The Internet is caught between old forces of local territorialism and new forces
H

characteristic of global economies. As a result, it may end up being carved up or

fragmented into discrete legal spheres a development which contradicts the hitherto traditional
vision of the Internet as a paradigmatic example of a borderless world of global
transnationalism.

The fragmentation is taking two forms. The first may be represented as vertical in nature; led
by the forces of territorialism, it reflects concerns of public policy and the protection of local
values. The second, which may be considered horizontal, is driven by the rationale of
commercial efficiency. (Emphasis Supplied)

Schultz explains that horizontal fragmentation is driven by rationale of commercial

efficiency. This is achieved by constitution of legal systems which are transnational and largely

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.96

autonomous of State control. He cites the example of eBay's dispute resolution mechanism.
The objective of eBay's dispute resolution mechanism is to avoid the jurisdictional questions
posed by the application of state law. On the other hand vertical fragmentation is a result of
the forces of territorialism. It reflects concerns of public policy and the protection of local
values, e.g., the Yahoo! case. There is vertical fragmentation of the internet by states
exercising greater control over web based information flows within (and into) their
territory based on local values and preferences. The latter has been triggered by a
variety of factors including libel originating in distant countries, online casinos, domain
name cyber-squatting, hate speech websites and so on. What Schultz also effectively
demolishes is the myth that the internet cannot be regulated.

The jurisdiction sought to be exercised by domestic courts over foreign defendants depends to
a large extent in precisely 'locating' their presence in the physical terrain, if that is at all

LA
possible. It appears that the French Court hearing the Yahoo! case did advert to the possibility
of using 'geolocation' technology to block viewership of the website to specified group of
people based on their geographical location. The idea was that no French national in France

IM
should be able to view the Nazi memorabilia on display on the Yahoo! Website. The French
court was informed that this was technically feasible. However it is pointed out that this is
SH
not useful in localizing the activity since the puzzle remains whether the customers initiated the
online activity by reaching out to access the commercial website or vice versa.

The anxiety of countries and their courts to protect local citizenry from commercial or content
LU

based harm while at the same time not wanting other countries to exert the same authority over
its citizens is not unique. The differing policy priorities of countries defy the formulation of
a uniform set of laws or codes to regulate activity on the internet. In purporting to answer
PN

Lawrence Lessig's question as to why some other court would want to enforce Minnesota's
antigambling laws, Michael Geist answers:
The answer is that they would not if this were the only regulation at stake. Minnesota
H

wants to protect its citizens from gambling, but New York may want to protect its
citizens against the misuse of private data. The European Union may share New York's
objective; Utah may share Minnesota's. Each state has its own stake in controlling certain
behaviors, and these behaviors are different. But the key is this: the same architecture that
enables Minnesota to achieve its regulatory end can also help other states achieve their
regulatory ends. And this can initiate a kind of quid pro quo between jurisdictions.

Any attempt at codifying 'uniform' norms to govern internet transactions will have to account
for the inevitable attempts by states to assert territorialism on the basis of the need to protect
local values and local commerce.

VI CONCLUSION

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.97

 An oft repeated quote in the context of the internet is that of Judge Nancy Gertner in Digital
Equipment Corp. v. Altavista Technology: "The internet has no territorial boundaries.
To paraphrase Gertrude Stein, as far as the internet is concerned, not only is there perhaps
'no there, there', the 'there' is everywhere where there is internet access."

This article traced the difficult and different paths that common law courts traversed in trying
to formulate a definitive test which would lend legal certainty in tackling the complex problem
of courts exercising jurisdiction in disputes arising out of activities on the internet. The
problem is perhaps compounded by the fact that the technology which is rapidly
changing is at least two steps, if not more, ahead of the law. The 'catch up' by the law appears
as of now a mirage.

There can be no doubt that Indian courts will increasingly be called upon to exercise jurisdiction

LA
over foreign or extra territorial defendants engaged in internet transactions. And it is
predictable that the Indian courts, even while they familiarize themselves with the complex
nature of the problem, will continue to rely upon the law developed by the common law

IM
courts elsewhere. It appears that just as the technology is by and large a borrowed one, the
law in relation to it will also inevitably be that. There is scope and need for developing
SH
indigenous law. If in the area of IPR, Indian statutory law has been made to conform to the
requirements of international law, it is hard to imagine that the position will be any different
when it comes to the law governing ecommerce. While getting the law to cope with the
technological changes in the use of the internet will be a formidable challenge, what can happen
LU

is that we may be irreversibly heading towards erecting more cyber borders, which can in
turn generate a whole slew of law avoidance technologies. These concerns are the beginning
in what predictably will be a long term engagement for law makers and those associated
PN

with the enforcement of law.

H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.98

 Cyber Sovereignty: The Way Ahead
ERIC TALBOT JENSEN*

SUMMARY

PREFACE ............................................................. 276

LA
INTRODUCTION ....................................................... 278

I. STATES ARE SOVEREIGN AND EQUAL............. ...................... 282

IM
A. Sovereignty.............................................282
1. Rights......................... .................... 283
SH

2. Obligations.........................................284
B. Equality..............................................285
1. Rights......................... .................... 285
LU

2. Obligations.........................................286
C. Application to Cyberspace................. ................ 287
1. Sovereignty............................ ................. 287
PN

2. Equality....................... .................... 289

D. The Way Ahead......................................... 290
H

11. STATES EXERCISE SOVEREIGNTY OVER TERRITORY, PERSONS, AND

ACTIVITIES. ..................................................... 291
A. Territory...............................................292
1. Rights............................................. 292
2. Obligations..........................................293
B. Persons............................................... 293
1. Rights............................................. 294
2. Obligations .......................... ............... 295
C .Application to Cyberspace ......................... .............. 296

* Associate Professor, Brigham Young University Law School. The author would like to thank the
staff of the Texas InternationalLaw Journal for hosting an excellent symposium and the attendees for
their insights and comments to the author's presentation. Additionally, Grant Hodgson and Brooke
Robinson provided excellent research and review assistance for this Article.

275

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.99

276 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

1. Territory ...................................... ..... 296

2. Persons ...................................... ...... 301
D. The Way Ahead ............ . ................. ..... 302

CONCLUSION .......................................................... ......... 304

PREFACE

There is no universally agreed definition [for sovereignty], but

considerations of international sovereignty revolve around the
recognition of a government's right to exercise exclusive control over
territory, and this definition is ill suited for cyber discussions. For
convenience we might refer to "the geography of cyberspace," but I
challenge you to point to cyberspace. Although cyberspace is all around
us, when trying to point at it you will be as unable to as the Square in

LA
[Edwin] Abbott's Flatland was to point to "up." I always found it
troubling to hear military commanders talk in terms of seizing the cyber
"high ground" or negotiating "cyber terrain." That was language they
IM
were comfortable with, but in any meaningful sense of the
word, cyber lacks geography.
SH

Recent years are full of reports of cyber incidents in which, from time to time,
significant damage is done by way of a cyber operation. Examples include the 2007
cyber assault on Estonia by pro-Russian "hacktivists" that temporarily shut down
many governmental and private sector operations,2 the 2012 "Shamoon" virus that
LU

damaged 30,000 computers at Saudi Arabia's Aramco and was claimed by the
"Cutting Sword of Justice,"' the 2013 cyber shutdown of the New York Times by
PN

the Syrian Electronic Army,4 and of course the infamous Stuxnet malware that
damaged almost one thousand centrifuges at an Iranian nuclear facility and has
been attributed to the United States and Israel by many cyber experts.
H

1. Gary D. Brown, The Wrong Questions About Cyberspace, 217 MIL. L. REv. 214, 225-26 (2013).
Gary Brown was the first Staff Judge Advocate (legal advisor) for the newly formed United States Cyber
Command. Id. at 214.
2. Kertu Ruus, Cyber War I: Estonia Attacked from Russia, EUR. INST. (2008), http://www.euro
peaninstitute.org/index.phplcomponent/content/article/42-european-affairs/winterspring-2008/67-cyber-
war-i-estonia-attacked-from-russia (discussing the cyber attacks on Estonia and Estonia's defensive
response).
3. Saudi Arabia Says Cyber Attack Aimed to Disrupt Oil, Gas Flow, REUTERS (Dec. 9, 2012, 2:30
PM), http://www.reuters.com/article/2012/12/09/saudi-attack-idUSL5E8N91UE20121209; see also Wael
Mahdi, Saudi Arabia Says Aramco Cyberattack Came from Foreign States, BLOOMBERG (Dec. 9, 2012),
http://www.bloomberg.com/news/2012-12-09/saudi-arabia-says-aramco-cyberattack-came-from-foreign-
states.html.
4. Heather Kelly, Syrian Group Cited as New York Times Outage Continues, CNN (Aug. 29, 2013,
9:30 AM), http://www.cnn.com/2013/08/27/tech/web/new-york-times-website-attack/ (discussing the
attack that temporarily shut down the New York Times' website).
5. Ellen Nakashima & Joby Warrick, Stuxnet Was Work of U.S. and Israeli Experts, Officials Say,
WASH. POST, June 2, 2012, http://www.washingtonpost.comlworld/national-security/stuxnet-was-work-of-
us-and-israeli-experts-officials-say/2012/06/01/gJOAlnEy6U-story.html.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.100

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 277

Each of these cyber events, and the multitude of others that have occurred and
continue to occur daily,6 raises important questions about the role and responsibility
of States with respect to cyber incidents. Do States exercise sovereign control over
the cyber infrastructure that sits on their territory? If so, do States have a
responsibility to control the cyber activities that emanate from or even just pass
through their sovereign cyber assets? In other words, to what extent does a State
have to control activities of non-State actors, such as private hacktivists, criminal
organizations, and terrorists, when those cyber actions may cause harm to others?
The answer to these questions revolves in large part around the international
law doctrine of sovereignty.! The extent to which nations exercise sovereignty over
cyberspace and cyber infrastructure will provide key answers to how much control
States must exercise and how much responsibility States must accept for harmful
cyber activities when they fail to adequately do so.
This Article argues that States have sovereign power over their cyber
infrastructure and that with that sovereign power comes corresponding
responsibility to control that infrastructure and prevent it from being knowingly

LA
used to harm other States. This responsibility to prevent external harm extends not
IM
6. See generally A FIERCE DOMAIN: CONFLICT IN CYBERSPACE, 1986 To 2012 (Jason Healey ed.,
2013).
7. The continuing application of international law to cyber capabilities has led one scholar to
SH

conclude:

This does not necessarily mean that the rules and principles of international law are
applicable to cyberspace in their traditional interpretation. Because of the novel character of
cyberspace, and in view of the vulnerability of cyber infrastructure, there is a noticeable
LU

uncertainty among governments and legal scholars as to whether the traditional rules and
principles are sufficient to provide answers to some worrisome questions.

Wolff Heintschel von Heinegg, Territorial Sovereignty and Neutrality in Cyberspace, 89 INT'L L. STUD.
PN

123, 127 (2013). China, Russia, Tajikistan, and Uzbekistan seem to believe that new treaties governing
cyber conflict are needed. See Permanent Representatives of China, the Russian Federation, Tajikistan,
and Uzbekistan to the United Nations, Letter dated 12 Sept. 2011 to the Secretary-General, U.N. Doc.
H

A/66/359 (Sept. 14, 2011) ("China, Russia, Tajikistan and Uzbekistan have jointly elaborated in the form
of a potential General Assembly resolution on an international code of conduct for information security
and call for international deliberations within the United Nations framework on such an international
code, with the aim of achieving the earliest possible consensus on international norms and rules guiding
the behaviour of States in the information space." (citation omitted)); Wu Jiao & Zhao Shengnan,
Nations Call on UN to Discuss Cyber Security, CHINA DAILY, Sept. 14, 2011, http://europe.china
daily.com.cn/europe/2011-09/14/content_13682694.htm (discussing letter from China, Russia, Tajikistan,
and Uzbekistan to United Nations calling for new rules for cyber conflict); Jason Healey, Breakthrough
or Just Broken? China and Russia's UNGA Proposal on Cyber Norms, ATLANTIC COUNCIL (Sept. 21,
2011), http://www.atlanticcouncil.org/blogs/new-atlanticist/breakthrough-or-just-broken-china-and-russia
-s-unga-proposal-on-cyber-norms [hereinafter Healey, Breakthrough or Just Broken?] (same). However,
other countries, including the United Kingdom and the United States, have advocated that current
international law is insufficient to govern cyber war. See, e.g., U.N. Secretary-General, Developments in
the Field of Information and Telecommunications in the Context of International Security: Rep. of the
Secretary-General: Addendum, at 4, U.N. Doc. A/59/116/Add.1 (Dec. 28, 2004) (discussing the United
States' acknowledgment of the need for international cooperation to assure cybersecurity); U.N.
Secretary-General, Developments in the Field of Information and Telecommunications in the Context of
International Security: Rep. of the Secretary-General, at 11-12, U.N. Doc. A/59/116 (June 23, 2004)
(asserting the United Kingdom's position that the Council of Europe Convention on Cybercrime is the
best means for criminalizing cybercrime).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.101

278 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

only to State actors, but also to non-State actors. This sovereign power and
responsibility, while almost exclusive, necessarily has some limitation.
The Introduction to this Article will introduce the underlying assumptions of
sovereignty and set the stage for a review of some of the cardinal principles of
sovereignty and their application to cyberspace in light of each State's
corresponding sovereign duties and obligations. Parts I and II will then look at the
fundamental principles of sovereignty, consider how these principles apply to cyber
activities and what corresponding cyber duties and obligations those principles
implicate, and then consider related issues that naturally arise from that application.

INTRODUCTION

In the emerging area of cyber operations, the application of the doctrine of

sovereignty to cyber activities has created an ongoing debate among States,"
academics,' and practitioners.o The recently published Tallinn Manual on the
International Law Applicable to Cyber Warfare (Tallinn Manual) reflects some of

LA
this controversy in its short section on sovereignty."
Current State practice suggests that States are hesitant to accept responsibility
IM
for cyber activities that come from within their sovereign territory.12 In none of the
examples discussed in the Preface did any State accept responsibility for the cyber
actions that occurred." In fact, the opposite is true. In the case of the cyber assaults
SH

on Estonia, Russia not only disclaimed any responsibility, but has proven
unresponsive to requests by Estonia for investigation and extradition of the
potential offenders who acted from within Russian territory.1 In the case of the
LU

8. See generally Grp. of Governmental Experts on Devs. in the Field of Info. and Telecomms. in
PN

the Context of Int'l Sec., Rep. of the Group of Governmental Experts on Developments in the Field of
Information and Telecommunications in the Context of InternationalSecurity (2010), transmitted by Note
of the Secretary-General,U.N. Doc. A/65/201 (July 30, 2010) [hereinafter Int'l Sec. Grp.] (chronicling
H

States' approaches to cybersecurity); U.N. Secretary-General, Developments in the Field of Information

and Telecommunications in the Context of InternationalSecurity: Rep. of the Secretary-General, U.N.
Doc. A/64/129/Add.1 (Sept. 9, 2009) [hereinafter Developments in the Field of Information and
Telecommunications] (reporting on how States have responded to the security concerns surrounding new
developments in the fields of information and telecommunications).
9. See, e.g., generally Forrest Hare, Borders in Cyberspace: Can Sovereignty Adapt to the
Challenges of Cyber Security?, in THE VIRTUAL BATTLEFIELD: PERSPECTIVES ON CYBER WARFARE 88
(Christian Czosseck & Kenneth Geers eds., 2009); Andrew Liaropoulos, Exercising State Sovereignty in
Cyberspace: An International Cyber-Order under Construction?, in PROCEEDINGS OF THE 8TH
INTERNATIONAL CONFERENCE ON INFORMATION WARFARE AND SECURITY 136 (Douglas Hart ed.,
2013); von Heinegg, supra note 7; Sean Kanuck, Sovereign Discourse on Cyber Conflict under
InternationalLaw, 88 TEx. L. REv. 1571, 1597 (2010); Eric Talbot Jensen, Sovereignty and Neutrality in
Cyber Conflict, 35 FORDHAM INT'L L.J. 815 (2012) [hereinafter Jensen, Sovereignty and Neutrality].
10. Brown, supra note 1, at 218.
11. TALLINN MANUAL ON THE INTERNATIONAL LAW APPLICABLE TO CYBER WARFARE r. 1
(Michael N. Schmitt ed., 2013) [hereinafter TALLINN MANUAL]. The Author was a member of the
international group of experts that drafted the Manual.
12. See Michael N. Schmitt, The Law of Cyber Warfare: Quo Vadis?, 25 STAN. L. & POL'Y REV.
269, 277 (2014) [hereinafter Schmitt, The Law of Cyber Warfare] ("[Ilt is typically left to potential
targeted states to safeguard cyber activities and cyber infrastructure on their territory.").
13. See supra notes 2-5 and accompanying text.
14. See Ruus, supra note 2 (discussing lack of Russian cooperation following the attack).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.102

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 279

Stuxnet malware, despite numerous allegations that the United States and Israel
were involved, neither country has officially admitted responsibility."
This hesitation on the part of States to accept responsibility for incidents that
occur over the Internet is the product of two major issues inherent in the structure
of the Internet: the difficulty of timely attributing an attack and the random
method in which data travels over the Internet infrastructure, normally taking the
path of least resistance without respect to geography.
The issue of cyber attribution has been well documented" and needs only brief
comment here. The nature of the Internet allows anonymity, including for those
who desire to represent themselves to be someone else. This anonymity acts as "an
open invitation to those who would like to do [] harm, whatever their motives."' 8
This inherent difficulty in timely attribution makes States wary of accepting
responsibility for attacks from within their territory because not only can they not
always identify the attacker in a timely manner, but because even if they can
identify the computer from which the cyber act originates, they are unlikely to know
who is behind the computer.' 9

LA
Similarly, anonymity allows States to take actions, knowing that timely
attribution is impossible.20 This is especially true of actions taken by States through
proxies, such as non-State actors.2
IM
SH

15. David E. Sanger, Obama Order Sped up Wave of Cyberattacks againstIran, N.Y. TIMES, June 1,
2012, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against
-iran.html?pagewanted=2&_r=2&seid=auto&smid=tw-nytimespolitics&pagewanted=all&; but see
William J. Broad et al., Israeli Test on Worm Called Crucial in Iran Nuclear Delay, N.Y. TIMES, Jan. 15,
2011, http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?pagewanted=all (noting tacit
LU

U.S. and Israeli acknowledgment of the Stuxnet virus).

16. See David Hricik, Lawyers Worry Too Much about Transmitting Client Confidences by Internet
E-mail, 11 GEO. J. LEGAL ETHICS 459, 466-70 (1998) (outlining the complex process through which
PN

information is fragmented and disseminated through the internet according to the best path available,
creating a random set of transmission paths at any moment).
17. See generally MARTIN C. LIBICKI, CYBERDETERRENCE AND CYBERWAR (2009); Jack M.
Beard, Legal Phantoms in Cyberspace: The ProblematicStatus of Information as a Weapon and a Target
H

under International Humanitarian Law, 47 VAND. J. TRANSNAT'L L. 67 (2014); Susan W. Brenner,

Cyber-Threats and the Limits of BureaucraticControl, 14 MINN. J. L. Scl. & TECH. 137 (2013); Duncan B.
Hollis, An e-SOS for Cyberspace, 52 HARV. INT'L L.J. 373, 397-401 (2011); Todd C. Huntley, Controlling
the Use of Force in Cyber Space: The Application of the Law of Armed Conflict during a Time of
Fundamental Change in the Nature of Warfare, 60 NAVAL L. REV. 1, 34-35 (2010); Erik M. Mudrinich,
Cyber 3.0: The Department of Defense Strategy for Operatingin Cyberspace and the Attribution Problem,
68 A.F. L. REV. 167 (2012); Bradley Raboin, Corresponding Evolution: International Law and the
Emergence of Cyber Warfare, 31 J. NAT'L ASS'N ADMIN. L. JUDICIARY 602 (2011); Michael N. Schmitt,
"Below the Threshold" Cyber Operations: The CountermeasuresResponse Option and InternationalLaw,
54 VA. J. INT'L L. 697 (2014); Jonathan Solomon, Cyberdeterrence between Nation-States: Plausible
Strategy or a Pipe Dream?, 5 STRATEGIC STUD. 0. 1, 5-10 (2011), available at http://www.au.af.mil
/au/ssq/2011/spring/solomon.pdf.
18. Harry D. Raduege, Jr., Fighting Weapons of Mass Disruption: Why America Needs a "Cyber
Triad", in GLOBAL CYBER DETERRENCE: VIEWS FROM CHINA, THE U.S., RUSSIA, INDIA, AND
NORWAY 3, 4 (Andrew Nagorski ed., 2010), available at http://www.ewi.info/sites/default/files/ideas-
files/CyberDeterrenceWeb.pdf.
19. Eric Talbot Jensen, Cyber Deterrence,26 EMORY INT'L L. REv. 773,785-86 (2012).
20. See id. (discussing how the difficulty of attributing cyber attacks enables cyber attackers).
21. See id. at 781 (emphasizing the ability of non-State actors to carry out attacks and "harness the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.103

280 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

Additionally, the nature of data flow on the Internet makes States hesitant to
accept responsibility for cyber activities that flow from within their territory. Cyber
data, by its nature, seeks out the path of least resistance over the available cyber
infrastructure.2 2 In other words, an email sent from a computer in one city to a
recipient in that same city may travel through any number of foreign countries
before arriving at its destination. 3 The same is true of cyber malware. And this
2

data is not only uncontrollable by the sender in how it travels, but also largely
uncontrollable by the States through which the data passes. This means that
malware may traverse any number of States before reaching the target State.
Transit States do not want to be responsible for the harmful data in these types of
scenarios.
Despite the hesitance of States to accept responsibility for attacks crossing
their cyber infrastructure, there is a fundamental assumption in international law
that authority and obligations strive to stay in balance with each other.24 In other
words, when the international paradigm allocates authority to a State, it almost
always allocates a corresponding responsibility or obligation. 5 The application of
2

LA
this principle was illustrated as far back in history as the legitimization of the
Westphalian system. When States became the primary actors in the international
community, they did so with the understanding that they would possess a monopoly
IM
on force within their geographic borders.26 In correspondence to that obligation
came the grant of authority for sovereigns to raise armies and navies that would be
reciprocally recognized by other States and given combatant immunity in any future
SH

conflicts, as long as those armies and navies acted in accordance with the
sovereign's wishes and the provisions of any international agreements to which the
sovereign had acceded.2 7
LU

The practical application of this balance is seen in the Instruction for the
Government of Armies of the United States in the Field, 28 known as the Lieber
PN

power of cyber weapons and use them at their discretion" without the threat of retribution).
22. See Hricik, supra note 16, at 467 (noting that the internet "is based on TCP/IP (Transfer Control
Protocol/Internet Protocol) routing of information packets through unpredictable paths through
H

interconnected networks linking millions of computers." (internal quotation marks omitted)).

23. See id. at 469 (explaining how an email can "be broken into hundreds or thousands of packets,
each potentially traversing several different networks around the globe" before reaching its destination
(internal quotation marks omitted)).
24. See Martti Koskenniemi, Doctrines of State Responsibility, in THE LAW OF INTERNATIONAL
RESPONSIBILITY 45, 47-48 (Philip Alston & Vaughan Lowe eds., 2010) (discussing the reciprocal nature
of authority and obligations in international law).
25. Id.
26. W. Michael Reisman, Sovereignty and Human Rights in Contemporary International Law, 84
AM. J. INT'L L. 866, 867 (1990); Fr6ddric Gilles Sourgens, Positivism, Humanism, and Hegemony:
Sovereignty and Security for Our Time, 25 PENN ST. INT'L L. REv. 433, 443 (2006) (citing sixteenth-
century writer Bodin's Six Livres De la Ripublique as defining sovereignty as the "absolute and
perpetual power of the commonwealth resting in the hands of the state"). See generally PHILIP BOBBITT,
THE SHIELD OF ACHILLES: WAR, PEACE, AND THE COURSE OF HISTORY 81-90, 96-118 (2002)
(discussing the development of the concept of sovereign power).
27. See Viet D. Dinh, Nationalism in the Age of Terror, 56 FLA. L. REV. 867, 871-73 (2004)
(discussing key characteristics of the Westphalian system, including the State monopoly on violence); cf
BOBBInT, supra note 26, at 509-19 (recounting the development of the Westphalian system and Grotius's
ideas of sovereignty).
28. U.S. War Department, General Orders No. 100: Instructions for the Government of Armies of
the United States in the Field (Apr. 24, 1863) [hereinafter Lieber Code], available at http://www.icrc.org

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.104

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 281

Code.2 9 This Code was written by Francis Lieber and issued by President Abraham
0
Lincoln to provide guidance to the Union armies during the American Civil War.
Article 57 of the Lieber Code proclaims, "So soon as a man is armed by a sovereign
government and takes the soldier's oath of fidelity, he is a belligerent; his killing,
3
wounding, or other warlike acts are not individual crimes or offenses." ' In other
words, once the sovereign was exercising the responsibility to monopolize and
control violence through its agents, those agents were granted authority to use force
on behalf of the sovereign with immunity, even when fighting against other
-12
sovereigns.
This balance between responsibility and authority continues to underlie the
modern law of armed conflict. The laws with respect to prisoners of war," the
treatment of civilians during armed conflict," and targeting" all reflect the balanced
grant of authority and obligation. The balance also applies directly to the principle
of sovereignty. As stated in the International Court of Justice's (ICJ) Corfu
Channel case, "Sovereignty confers rights upon States and imposes obligations on
3 6
them."

LA
As a starting point, it is important to note that international law must also be
considered to apply to cyberspace and cyber technologies. As stated in the United
States' 2011 International Strategy for Cyberspace, "The development of norms for
IM
State conduct in cyberspace does not require a reinvention of customary
international law, nor does it render existing international norms obsolete. Long-
SH

standing international norms guiding State behavior-in times of peace and

conflict-also apply in cyberspace."3 7
LU

/ihl.nsf/FULL/110?OpenDocument.
PN

29. Id.; see also JOHN FABIAN WITT, LINCOLN'S CODE: THE LAWS OF WAR IN AMERICAN
HISTORY 8 (2012) ("Historians and international lawyers who discuss [Instruction for the Government of
Armies of the United States in the Field] usually call the order Lieber's code after its principal drafter.").
30. WITT, supra note 29, at 2 ("President Lincoln will issue Lieber's code as an order for the armies
H

of the Union. He will deliver it to the armies of the Confederacy, too, and expect them to follow the
rules he has set out. The code will be published in newspapers across the country and distributed to
thousands of officers in the Union Army.").
31. Lieber Code, supra note 28, art. 57.
32. Eric Talbot Jensen, Applying a Sovereign Agency Theory of the Law of Armed Conflict, 12 CHI.
J. INT'L L. 685, 708-10 (2012).
33. Geneva Convention Relative to the Treatment of Prisoners of War, opened for signature Aug.
12, 1949, 6 U.S.T. 3316, 75 U.N.T.S. 135 [hereinafter Geneva Convention on Prisoners of War]; Protocol
Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of
International Armed Conflicts (Protocol I), June 8, 1977, 1125 U.N.T.S. 3 [hereinafter Additional
Protocol I].
34. E.g., Geneva Convention Relative to the Protection of Civilian Persons in Time of War, Aug.
12, 1949, 6 U.S.T. 3516, 75 U.N.T.S. 287; Additional Protocol I, supra note 33.
35. Additional Protocol I, supra note 33.
36. Corfu Channel (U.K. v. Alb.), 1949 I.C.J. 4, 43 (Apr. 9) (individual opinion of Judge Alvarez).
37. EXEC. OFFICE OF THE PRESIDENT OF THE U.S., INTERNATIONAL STRATEGY FOR
CYBERSPACE: PROSPERITY, SECURITY, AND OPENNESS IN A NETWORKED WORLD 9 (2011) [hereinafter
OFFICE OF THE PRESIDENT, INTERNATIONAL STRATEGY FOR CYBERSPACE], available at http://
www.whitehouse.gov/sites/default/files/rss-viewer/international-strategy-for-cyberspace.pdf.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.105

 282 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

It follows, then, that the international law doctrines applying to sovereignty

would apply to cyber technologies. Where international law grants authority for
States with respect to cyberspace and the application of cyber technologies, it also
imposes duties and obligations. As nations exercise sovereign power over aspects of
cyberspace, or exert sovereign authority over cyber infrastructure, they must
necessarily accept the corresponding obligations and duties that come with that
assertion of authority.
The following Parts of this Article will review some of the cardinal principles
of sovereignty and their application to cyberspace and then consider the
corresponding duties and obligations. In each case, the principle of sovereignty will
be stated and defined. Its application to cyberspace will then be discussed,
including the corresponding duty or obligation that arises from that assertion of
sovereignty. An example of the duty and obligation will be used to help clarify the
analysis. Finally, issues that arise from the assertion of that authority and its
corresponding duty or obligation will be highlighted.

LA
I. STATES ARE SOVEREIGN AND EQUAL

When the nation-State emerged in seventeenth-century Europe, it brought

IM
with it the doctrine that the international community would consist of
geographically organized and controlled entities that would have at least two
SH

characteristics. First, those entities would be sovereign, and second, they would be
equal, regardless of size or composition." These two characteristics of States
remain in force today and have significant impacts on cyberspace and cyber
operations.
LU

A. Sovereignty
PN

Sovereignty is inherent to statehood and, in fact, is often termed the "basic

constitutional doctrine of the law of nations."3 9 The meaning of the term
"sovereignty" has been a point of discussion for centuries4 0 and remains so today.4
H
'

However, it is manifested in certain rights and corresponding obligations. A basic

review of those rights and obligations will assist in discerning the impact of
sovereignty on cyber operations.

38. See BOBBITT, supra note 26, at 508 (noting that in the aftermath of the Thirty Years War, "[tihe
extension of the maxim cuius regio eius religio imposed common restrictions on states, adumbrating the
emergence of a new society of states characterized by their sovereign equality").
39. E.g., JAMES CRAWFORD, BROWNLIE'S PRINCIPLES OF PUBLIC INTERNATIONAL LAW 447 (8th
ed. 2012).
40. E.g., SAINT AUGUSTINE, THE CITY OF GOD 88 (Vernon J. Bourke ed., Gerald G. Walsh et al.
trans., 1958) (426); JOHN AUSTIN, THE PROVINCE OF JURISPRUDENCE DETERMINED 191-361 (Isaiah
Berlin et al. eds., 1954) (1861); THOMAS HOBBES, LEVIATHAN OR THE MATTER, FORME, AND POWER
OF A COMMON-WEALTH ECCLESIASTICAL AND CIVILL 121-29 (Richard Tuck ed., 1991) (1651); JOHN
LOCKE, Two TREATISES OF GOVERNMENT 105 (Thomas I. Cook ed., 1947) (1690).
41. E.g., John Alan Cohan, Sovereignty in a Postsovereign World, 18 FLA. J. INT'L L. 907, 908-09
(2006); Reisman, supra note 26, at 866.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.106

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 283

1. Rights

Sovereignty confers rights on two distinct planes or spheres: the domestic

sphere and the international sphere. In other words, sovereignty is understood to
be "the collection of rights held by a State, first in its capacity as the entity entitled
to exercise control over its territory and second in its capacity to act on the
international plane, representing that territory and its people."4 2
With respect to the domestic sphere, sovereignty provides exclusivity in power
and authority. This was confirmed in the Island of Palmas Arbitral Award of 1928.43
The arbitral decision provides that "[s]overeignty in the relations between States
signifies independence. Independence in regard to a portion of the globe is the
right to exercise therein, to the exclusion of any other State, the functions of a
State."" One of the most fundamental rights of sovereignty, then, is exclusivity of
power within the sovereign's own territory, particularly as opposed to the exercise
41
of rights in that territory by some other sovereign.
The ICJ in its Corfu Channel decision confirmed this understanding of

LA
sovereignty. "By sovereingty [sic], we understand the whole body of rights and
attributes which a State possesses in its territory, to the exclusion of all other States,
and also in its relations with other States."4 6
IM
Though a State's sovereign power is nearly absolute, it is limited by certain
international law principles,47 including actions of the U.N. Security Council," the
SH

law of armed conflict," and fundamental human rights." There are also areas
where, based on consensual agreement and custom, no State can assert sovereignty,
such as the high seas." This area has been treated as res communis, meaning that it
LU

42. CRAWFORD, supra note 39, at 448.

PN

43. Island of Palmas (Neth. v. U.S.), 2 R.I.A.A. 829, 838 (Perm. Ct. Arb. 1928).
44. Id.
45. Samantha Besson, Sovereignty, in MAX PLANCK ENCYCLOPEDIA OF PUBLIC INTERNATIONAL
LAW para. 119 (2011). Sovereignty is generally characterized as the "powers and privileges resting on
H

customary law which are independent of the particular consent of another state." CRAWFORD, supra
note 39, at 448.
46. Corfu Channel (U.K. v. Alb.), 1949 I.C.J. 4, 43 (Apr. 9) (individual opinion of Judge Alvarez).
47. Besson, supra note 45, para. 75.
48. For example, each member of the United Nations has agreed to "accept and carry out the
decisions of the Security Council in accordance with the present Charter." U.N. Charter art. 25.; see also
John R. Worth, Globalization and the Myth of Absolute National Sovereignty: Reconsidering the "Un-
signing" of the Rome Statute and the Legacy of Senator Bricker, 79 IND. L.J. 245, 260 (2004) (discussing
States' relinquishment of some powers in accepting the legitimacy and authority of the United Nations).
49. For example, during times of international armed conflicts, States have to treat prisoners of war
in accordance with the Geneva Conventions, rather than any potentially applicable domestic law. See
generally Geneva Convention on Prisoners of War, supra note 33.
50. See Rosa Ehrenreich Brooks, War Everywhere: Rights, National Security Law, and the Law of
Armed Conflict in the Age of Terror, 153 U. PA. L. REV. 675, 684-85 (2004) (outlining that "core
rights... cannot be eliminated"); Ashley S. Deeks, Consent to the Use of Force and InternationalLaw
Supremacy, 54 HARV. INT'L L.J. 1, 11 (2013) (noting that international human rights laws "trump
inconsistent domestic laws").
51. Allison Leigh Richmond, Scrutinizing the Shipwreck Salvage Standard: Should a Salvor Be
Rewarded for Locating Historic Treasure?,23 N.Y. INT'L L. REv. 109, 121 (2010).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.107

284 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

belongs to all States and can be appropriated by no State. 2 There are other areas
5

where actors have agreed to non-exclusive sovereignty such as Antarctica," the

seabed, and the moon.5 ' These are areas where no sovereign exercises power, but
54

where all sovereigns share power, based on agreement.

2. Obligations

As discussed above, international law tries to keep in balance rights and

obligations. This is reflected in the ICJ's statement, "Sovereignty confers rights
upon States and imposes obligations on them."56 Therefore, in correspondence with
the rights and authorities discussed above, the principle of sovereignty also imposes
obligations which deserve discussion here.
Obligations tied to sovereignty include the obligation to recognize the
sovereignty of other States,57 the obligation of non-intervention into the areas of
exclusive jurisdiction of another State,5 and the obligation to control the actions
that occur within the sovereign's geographic boundaries."

LA
The obligation to recognize the sovereignty of other States is simply the
obverse of the right of a State to exercise its own sovereignty. In claiming the rights
IM
that come with sovereignty, there is an implicit recognition of the right of others to
make similar claims and exercise similar rights.
Once another State has made such claims, and those claims are recognized,
SH

other sovereigns have a legal obligation to not interfere with the sovereign rights of
the other State. Though there are legitimate exceptions to this rule, the obligation
of non-intervention is well recognized in international law.'
LU

52. Jean Allain, Maritime Wrecks: Where the Lex Ferenda of Underwater CulturalHeritage Collides
PN

with the Lex Lata of the Law of the Sea Convention, 38 VA. J. INT'L L. 747, 758 (1998).
53. See The Antarctic Treaty art. 4, Dec. 1, 1959, 12 U.S.T. 794, 402 U.N.T.S. 71 (limiting claims to
sovereignty in Antarctica).
54. U.N. Convention on the Law of the Sea arts. 1, 137, opened for signature Dec. 10, 1982, 1833
H

U.N.T.S. 397.
55. Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer
Space, including the Moon and Other Celestial Bodies art 2, opened for signatureJan. 27, 1967, 18 U.S.T.
2410, 610 U.N.T.S. 205 [hereinafter Outer Space Treaty].
56. Corfu Channel (U.K. v. Alb.), 1949 I.C.J. 4,43 (Apr. 9) (individual opinion of Judge Alvarez).
57. IAN BROWNLIE, PRINCIPLES OF PUBLIC INTERNATIONAL LAW 289 (7th ed. 2008) ("The
sovereignty and equality of states represent the basic constitutional doctrine of the law of nations....");
Michael J. Kelly, Pulling at the Threads of Westphalia: "Involuntary Sovereignty Waiver"- Revolutionary
International Legal Theory or Return to Rule by the Great Powers?, 10 UCLA J. INT'L L. & FOREIGN
AFF. 361, 364 (2005) ("Under classic Westphalian theory, the base maxim upon which foreign relations
are built is the proposition that all states are equal and must reciprocally respect each other's
sovereignty.").
58. CRAWFORD, supra note 39, at 447 ("The corollaries of the sovereignty and equality of states
[include] .. . a duty of non-intervention in the area of exclusive jurisdiction of other states .... ).
59. Ilaycu v. Moldova, 2004-VII Eur. Ct. H.R. 1, para. 312 ("[J]urisdiction is presumed to be
exercised normally throughout the State's territory.").
60. For example, lawful countermeasures or actions taken in self-defense would allow a nation to
interfere with another State's sovereignty. See U.N. Charter art. 51 (allowing a right of individual or
collective self-defense in the event of an armed attack against a Member State of the United Nations).
61. E.g., Corfu Channel, 1949 I.C.J. at 35 ("Between independent States, respect for territorial
sovereignty is an essential foundation of international relations.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.108

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 285

Another obligation that grows out of sovereignty is the requirement to control

actions from within a State's sovereign control from having deleterious effects on
others. 2 This obligation is worth mentioning here but will be discussed further
6

below.

B. Equality

The principle of the sovereign equality of States laid out in Article 2.1 of the
U.N. Charter States: "The Organization is based on the principle of the sovereign
equality of all its Members." 3 This principle of equality is based on the historical
maxim "par in parem non habet imperium," or "an equal has no power over an
equal,"" which is considered by some to be the first, and perhaps most fundamental,
principle of sovereignty. 65 As such, certain rights and obligations accrue from this
accepted equality.

1. Rights

LA
As equals under international law, States have the right to deal with each other
on equal footing, with equal consideration under the law. "If states (and only
IM
states) are conceived of as sovereign, then in this respect at least they are equal, and
their sovereignty is in a major aspect a relation to other states (and to organizations
SH

of states) defined by law." 66 While skeptics argue that the practical reality of this is
far from being true, with large and powerful States clearly exerting unequal
pressures on smaller and weaker States to bow to their desires,67 equality is still
guaranteed under the law. Regardless of what some identify as the reality of
LU

international politics where "while all States are equal, some are more equal than
others,"" the legal regime is established with a clear preference to equality and
maintenance of the status quo. "The United Nations are [sic] based on the principle
PN

of sovereign equality of all its members and preserving state sovereignty is a top
69
priority for both international organizations and individual States."
H

62. See infra Part I.B.2.

63. U.N. Charter art. 2, para. 1.
64. CRAWFORD,supra note 39, at 448 & n.9.
65. U.N. Charter art. 2, para. 1.
66. CRAWFORD,supra note 39, at 447.
67. See, e.g., Philippines Seeks Quick UN Ruling on South China Sea Dispute, S. CHINA MORNING
POST, June 19, 2014, http://www.scmp.com/news/asia/article/1536058/philippines-seeks-quick-un-ruling-
south-china-sea-dispute ("China claims most of the South China Sea, including waters near the shores of
its neighbours, which has led to escalating territorial disputes."); Russell Hotten & Alix Kroeger,
Ukraine-Russia Gas Row: Red Bills and Red Rags, BBC (June 16, 2014), http://www.bbc.com/news/
world-europe-26987082 (stating that the gas conflict is a "power struggle between the interim Ukrainian
government, which leans towards the EU, and Russia, which wants to keep Ukraine firmly within its
sphere of influence").
68. CRAWFORD, supra note 39, at 449 (citing GEORGE ORWELL, ANIMAL FARM 90 (1945)).
69. Liaropoulos, supra note 9, at 137-38 (citation omitted).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.109

286 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

Some of the obvious rights that accrue from international equality include an
equal right to global commons,o the right to develop and utilize domestic resources
without non-consensual external constraints, 1 and the right to discourse on the
international scene as an equal. These rights are also tempered with corresponding
obligations.

2. Obligations

Several obligations flow from the principle of sovereign equality. First, States
must act with due regard for the rights of other sovereigns.7 2 There is some
discussion as to how far-reaching this obligation of due regard is, but it is at least
applicable by treaty to the global commons,7 3 natural resources,74 the environment,"
and during times of armed conflict."
The obligation of due regard, though not clearly defined in international law, is
generally thought of as an obligation to ensure that the exercise of one State's rights
does not cause undue harm to another State's exercise of its rights." It is

LA
70. See Todd B. Adams, Is There a Legal Futurefor Sustainable Development in Global Warming?
IM
Justice, Economics, and Protectingthe Environment, 16 GEO. INT'L ENVTL. L. REV. 77, 97 (2003) ("[The
world] is to be shared by all generations in accordance with the limited rights and necessary obligations
of a user of the natural resources or the trustee of the natural resources. ... '[Pilanetary rights' are
SH

group rights to equal access to the commons." citing EDITH BROWN WEISS, IN FAIRNESS TO FUTURE
GENERATIONS: INTERNATIONAL LAW, COMMON PATRIMONY, AND INTERGENERATIONAL EQUITY 96
(1989))).
71. See Inaamul Haque & Ruxandra Burdescu, Monterrey Consensus on Financing for
LU

Development: Response Sought from InternationalEconomic Law, 27 B.C. INT'L & COMP. L. REV. 219,
249-50 (2004) ("Under customary international law, principles of sovereignty support a state's clear right
to regulate commercial activities within its borders. This power is extensive and encompasses such issues
as capacity to engage in business, forms of business enterprises, conditions of continuance of a business,
PN

and regulations of capital markets as well as those of foreign capital inflows and outflows.").
72. E.g., George K. Walker, Defining Terms in the 1982 Law of the Sea Convention IV: The Last
Round of Definitions Proposedby the InternationalLaw Association (American Branch) Law of the Sea
H

Committee, 36 CAL. W. INT'L L.J. 133, 168-69 (2005) ("Article 87(2) declares that the high seas freedoms
listed in Article 87(1) . . . 'shall be exercised by all States with due regard of the interests of other States
in their exercise of the freedom of the high seas, and also with due regard for the rights under [the]
Convention with respect to activities in the Area."' (alteration in original) (quoting U.N. Convention on
the Law of the Sea, supra note 54, art. 87(2))).
73. E.g., Outer Space Treaty, supra note 55, art. 9; Geneva Convention on the High Seas art. 2, Apr.
29, 1958, 13 U.S.T. 2312,450 U.N.T.S. 82.
74. G.A. Res. 1803 (XVII), U.N. GAOR, 17th Sess., Supp. No. 17, U.N. Doc. A/5217, at 15 (Dec.
14, 1962); Charles N. Brower & John B. Tepe, Jr., The Charterof Economic Rights and Duties of States:
A Reflection or Rejection of InternationalLaw?, 9 INT'L LAW. 295,306-07 (1975).
75. See Meinhard Schroder, PrecautionaryApproach/Principle, in MAX PLANCK ENCYCLOPEDIA
OF PUBLIC INTERNATIONAL LAW, supra note 45, at 4 (describing the precautionary principle as a set of
rules guiding States towards environmentally stable development). See generally United Nations
Conference on Environment and Development, Rio de Janeiro, Braz., June 3-14, 1992, Report of the
United Nations Conference on Environment and Development, U.N. Doc. A/CONF.151/26/Rev.1 (Vol. I)
(Aug. 12, 1992).
76. DEP'T OF THE NAVY ET AL., THE COMMANDER'S HANDBOOK ON THE LAW OF NAVAL
OPERATIONS para 8.4 (2007); 1 JEAN-MARIE HENCKAERTS & LOUISE DOSWALD-BECK, CUSTOMARY
INTERNATIONAL HUMANITARIAN LAW 147-49 (2005); SAN REMO MANUAL ON INTERNATIONAL LAW
APPLICABLE TO ARMED CONFLICTS AT SEA § 35 (Louise Doswald-Beck ed., 1995); U.K. MINISTRY OF
DEFENCE, THE MANUAL OF THE LAW OF ARMED CONFLICT para 12.24 (2004).
77. See Chinthaka Mendis, Sovereignty vs. Trans-Boundary Environmental Harm: The Evolving

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.110

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 287

understood to have two components: 1) an "awareness and consideration of either

State interest(s) or other factor(s)," and 2) a balancing of those interests and factors
when making a decision."
Another obligation that has its foundation in sovereign equality is the
obligation to solve disputes peacefully. This obligation is clearly stated in the U.N.
Charter" and has been stated in General Assembly statements and resolutions,"
applied in decisions of the ICJ," and has been duplicated in bilateral and
82
multilateral treaties.
While there is no obligation to solve all disputes, States are obligated to
resolve disputes peacefully if they have the potential to endanger the maintenance
of international peace or security.83 Additionally, if States elect to resolve disputes
that do not endanger international peace and security, they must also resolve these
disputes peacefully, though there is no legal obligation to resolve these disputes at
all.8

C. Application to Cyberspace

LA
As stated above, the doctrine of sovereignty and the principles it espouses
IM
have direct application to cyberspace. As States exercise their sovereign rights, they
can do so in cyberspace but must also accept the corresponding obligations that
apply. The next two Subparts will consider the principles of sovereignty and
SH

equality and apply the rights and obligations discussed above to cyberspace, as well
as identify some lingering issues that will need further resolution.
LU

1. Sovereignty

As a matter of sovereignty, States have the right to develop their cyber

PN

capabilities according to their own desires and resources. A State may choose to
extensively develop its cyber capabilities and make them available broadly to its
citizens as Estonia has done, 5 or it can choose to close its cyber borders to outside
H

influences as North Korea has done.

International Law Obligations and the Sethusamuduram Ship Channel Project 54-55 (2006)
(unpublished U.N. fellowship manuscript), http://www.un.org/depts/los/nippon/unnff.programme-home/
fellows.pages/fellows-papers/mendis 0607_sri_1anka.pdf (illustrating the obligation of due regard with
discussion of Sri Lanka and India).
78. Walker, supra note 72, at 174.
79. U.N. Charter art. 2, paras. 3-4; Id. arts. 33-38.
80. G.A. Res. 40/9, U.N. Doc. A/RES/40/9 (Nov. 8, 1985); G.A. Res 2625 (XXV), U.N. GAOR,
25th Sess., U.N. Doc. A/8082, at 121 (Oct. 24, 1970).
81. Aerial Incident of 10 August 1999 (Pak. v. India), Judgment, 2000 I.C.J. 12, para. 53 (June 21).
82. See id. para. 22 (noting claims to resolve disputes peacefully in cited bilateral and multilateral
treaties).
83. U.N. Charter art. 33, para. 1.
84. G.A. Res. 2625 (XXV), supra note 80.
85. Cyber Security, E-ESTONIA.cOM, http://e-estonia.com/the-story/digital-society/cyber-security/
(last visited Feb. 7, 2015) ("CERT-EE (Computer Emergency Response Team Estonia) handles security

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.111

288 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

In conjunction with this right, States are obligated to recognize this right and
not interfere with the domestic cyber decisions of another State." For example,
except as provided by international law, one State cannot place limits on the ability
of another with respect to its cyber development and capabilities.' States can,
either bilaterally or multilaterally, agree to collaborate on cyber activities or place
limits or constraints on such development between or among themselves."9
Because of the place of a State on the international sphere, States may express
their intent and work toward the development of State practice, either alone or in
conjunction with others. In line with this, many States have actively participated in
international fora, such as the U.N.-sponsored Group of Government Experts,90 and
regional fora, such as the Shanghai Cooperation Organization 9' or the Council of
Europe. 92 As with any international agreement, States have the obligation to
negotiate in good faith93 and to comply with their international obligations, once
undertaken.
One of the recently developing pressures on the idea of cyber sovereignty is
the movement to recognize a human right to the Internet.9 4 If the time comes that

LA
incidents taking place in the .ee domain. The department helps in case Estonian websites or services
IM
should fall under cyber attack or if Estonian computers distribute malware. CERT-EE also has the
possibility to reverse engineer the malware .... [T]he real key to Estonian cyber security lies in the
inherent safety and security built-in to every single Estonian e-Government and IT infrastructure system.
SH

The secure 2048-bit encryption that powers Estonia's Electronic-ID, digital signatures and X-road-
enabled systems means that personal identity and data in Estonia is airtight.").
86. Dave Lee, North Korea: On the Net in World's Most Secretive Nation, BBC (Dec. 10, 2012),
http://www.bbc.com/news/technology-20445632.
87. See TALLINN MANUAL r. 1 (observing that sovereignty gives States the exclusive right to control
LU

cyber infrastructure and cyber activities within their boundaries).

88. See id. (delineating exclusive rights associated with State sovereignty in cyberspace).
89. See, e.g., U.S. DEP'T OF DEF., DEPARTMENT OF DEFENSE STRATEGY FOR OPERATING IN
PN

CYBERSPACE 9 (2011) [hereinafter DEPARTMENT OF DEFENSE STRATEGY FOR OPERATING IN

CYBERSPACE], available at http://www.defense.gov/home/features/2011/0411-cyberstrategy/docs[DOD
Strategy-forOperating-inCyberspace July_2011.pdf (describing the Department of Defense's plan to
develop "increasingly robust international relationships to reflect [its] core commitments and common
H

interests in cyberspace").
90. Int'l Sec. Grp., supra note 8, at 7-8.
91. Oona A. Hathaway et al., The Law of Cyber-Attack, 100 CALIF. L. REv. 817, 865-66 (2012).
92. Convention on Cybercrime pmbl., Nov. 23, 2001, T.I.A.S No. 13174, E.T.S. No. 185 (2001)
[hereinafter Convention on Cybercrime].
93. See, e.g., Aerial Incident of 10 August 1999 (Pak. v. India), Judgment, 2000 I.C.J. 12, para. 53
(June 21) ("The Court's lack of jurisdiction does not relieve States of their obligation to settle their
disputes by peaceful means. . . . They are [ ] under an obligation to seek [a peaceful settlement], and to
do so in good faith...."); G.A. Res. 2625 (XXV), supra note 80, at 123 (reaffirming U.N. Charter
principles related to peaceful resolution of conflicts); Draft Declaration on Rights and Duties of States,
G.A. Res. 375 (IV), annex art. 13, U.N. GAOR, 4th Sess., U.N. Doc. A/1251, at 67 (Dec. 6, 1949)
("Every State has the duty to carry out in good faith its obligations arising from treaties and other
sources of international law...."); Markus Kotzur, Good Faith (Bona Fide), in MAX PLANCK
ENCYCLOPEDIA OF PUBLIC INTERNATIONAL LAW, supra note 45, paras. 11-14 (discussing treaties that
require good-faith negotiation).
94. See Written Statement Submitted by the Association for Progressive Communications (APC), a
Non-Governmental Organization in General Consultative Status, U.N. Doc. A/HRC/17/NGO/38 (May
24, 2011) (associating "Internet rights" with human rights). See also Special Rapporteur on the
Promotion and Protection of the Right to Freedom of Opinion and Expression, Rep. of the Special
Rapporteuron the Promotion and Protection of the Right to Freedom of Opinion and Expression, para.
22, U.N. Doc. A/HRC/17/27 (May 16, 2011) ("The right to freedom of opinion and expression is as much

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.112

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 289

such a human right is recognized and accepted by States, that right will, of course,
impose obligations on the sovereign decisions of each State, constraining State
action that might affect the enjoyment of that human right by its population.
Additionally, a State's exercise of sovereignty over cyber resources can be
directed or limited by the U.N. Security Council through the power granted to it in
the U.N. Charter.5 States have a duty to comply with Security Council resolutions,
even if they limit the exercise of sovereignty over cyber issues. Additionally, States
must comply with human rights obligations, even if it limits their exercise of
sovereignty.9 6
For example, assume State A contracts for the use of cyber capabilities from
State C. Assume further that State A is using cyber means to incite human rights
abuses in State B through the cyber infrastructure provided by State C. If the
Security Council orders State C to stop allowing State A to use its cyber
infrastructure, State C must comply.

2. Equality

LA
Just as States are equals under the doctrine of sovereignty, each State exercises
IM
its sovereign cyber prerogatives on an equal plane with all others. Each State,
regardless of its cyber capabilities, has the same right to exercise sovereignty over
its territory as any other State. However, in doing so, conflicts often arise between
SH

States.9 7 Certain obligations attach to States in these disputes.

First, States have an obligation to resolve peacefully cyber disputes that may
endanger international peace and security." If States attempt to resolve cyber
LU

disputes that don't endanger international peace and security, they must do so
peacefully."
For example, if State A is using cyber means to harm State B, and that action is
PN

endangering international peace and security, both States have an obligation to

resolve the dispute peacefully. Alternatively, if State A is using cyber means to
steal information from State B, but that theft of information does not endanger
H

a fundamental right on its own accord as it is an 'enabler' of other rights .... "); Cassondra Mix, Internet
Communication Blackout: Attack Under Non-internationalArmed Conflict?, 3 J.L. & CYBER WARFARE
70, 99 (2014) (noting the suggestions that an Internet blackout imposed by Egyptian authorities to quell
protests in 2011 may have violated a right to the Internet).
95. U.N. Charter art. 25 ("The Members of the United Nations agree to accept and carry out the
decisions of the Security Council in accordance with the present Charter.").
96. See, e.g., International Covenant on Civil and Political Rights, opened for signature Dec. 16,
1966, 999 U.N.T.S. 171 (establishing the civil and political rights of all individuals as well as States'
obligations to protect those rights).
97. See, e.g., Lesley Wroughton & Michael Martina, Cyber Spying, Maritime Disputes Loom Large
in U.S.-China Talks, REUTERS (July 8, 2014), http://www.reuters.com/article/2014/07/08/china-usa-
idUSL4NOPJOMT20140708 (noting increased tensions between the United States and China regarding
the territorial scope of cyber activities).
98. See U.N. Charter art. 2, para. 3 ("All Members shall settle their international disputes by
peaceful means in such a manner that international peace and security, and justice, are not
endangered.").
99. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.113

290 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

international peace and security, a dispute may arise, but there is no obligation to
try to settle that dispute. However, if attempts to settle that dispute are made, those
methods must be peaceful.
Second, in its cyber activities, a State must exercise due regard for the rights of
other States.'" For example, assume a State wants to increase its cyber security. In
an effort to do so, it decides to aggressively monitor cyber threats across the World
Wide Web. That State has the right to do so, so long as its activities do not violate
the rights of other sovereign States.

D. The Way Ahead

This principle of sovereign equality raises some lingering issues that continue
to be the focus of the international community. Because States are sovereign and
equal, each State is able to develop its cyber capabilities based on its own best
interest. Further, each State has no obligation to get involved in other States'
domestic cyber issues unless it chooses to do so. However, there is a great deal of

LA
discussion about cyber collaboration, particularly as it relates to less developed
countries.
IM
The U.N. Group of Governmental Experts on Developments in the Field of
Information and Telecommunications in the Context of International Security
recently stated in its report that "[c]onfronting the challenges of the twenty-first
SH

century depends on successful cooperation among like-minded partners.

Collaboration among States, and between States, the private sector and civil society,
is important and measures to improve information security require broad
international cooperation to be effective."o' This collaboration would "be designed
LU

to share best practices, manage incidents, build confidence, reduce risk and enhance
transparency and stability."'0 2
PN

Information sharing and capacity building claims revolve mostly around calls
for "ensuring global [information and communications technology] security," 3 and
many States have responded favorably to some of these ideas.' In the Department
H

of Defense's Cyberspace Policy Report, the Department of Defense stated,

In collaboration with other U.S. Government agencies, Allies and
partners, [the Department of Defense] pursues bilateral and

100. See supra notes 72-78 and accompanying text (discussing the duty of due regard and its broad
applicability under international law).
101. Int'l Sec. Grp., supra note 8, para. 15.
102. Id. para. 14.
103. E.g., id. para. 17.
104. See, e.g., EU-Japan ICT Cooperation-JoiningForces for the Future Internet, EUR. COMM'N,
https:/ec.europa.euldigital-agendalen/eu-japan-ict-cooperation-%E2*%80%93-joining-forces-future-
internet (last visited Feb. 8, 2015) (stating that European countries began joint research projects with
Japan in 2012 to design efficient, global technology, including internet security technologies, "for the
future networked society"); Press Release, White House, FACT SHEET: U.S.-Russian Cooperation on
Information and Communications Technology Security (June 17, 2013), available at http://www.white
house.gov/the-press-office/2013/06/17/fact-sheet-us-russian-cooperation-information-and-communication
s-technol (indicating that the United States and Russian Federation took measures to increase
cooperation on information and communications technology security in order to reduce the possibility of
a cyber incident destabilizing their bilateral relationship).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.114

2015]1 CYBER SOVEREIGNTY: THE WAY AHEAD 291

multilateral engagements to develop further norms that increase

openness, interoperability, security, and reliability. International
cyberspace norms will increase stability and predictability of state
conduct in cyberspace, and these norms will enable international
action to take any required corrective measures.o
The balance that will have to be struck between the exercise of sovereign
prerogative with respect to cyber activities and the benefits of information and
security sharing for the health of the Internet will continue to be a vexing issue for
the foreseeable future. For now, there is no obligation to engage in information and
security sharing, but much pressure to do so.
Finally, the equality of States means that each State has an equal vote in the
discussion of how to resolve lingering cyber issues. For example, a group of States
headed by Russia recently proposed a "code of conduct" for cyber activities.'Oa
Other nations, such as the United States, did not support such an initiative.'07 States
may choose to band together in regional alliances with respect to cyber activities' 8
or may take unilateral action." No consensus is required in a system of sovereign

LA
equality. IM
II. STATES EXERCISE SOVEREIGNTY OVER TERRITORY,
PERSONS, AND ACTIVITIES
SH

Though sovereignty manifests itself in many different ways, it almost always

means that a sovereign has some kind of territory over which it exercises ultimate
control."o This territorial authority extends to the population and activities within
the territory."' As clearly stated in one of the seminal treatises on international law,
LU

"The corollaries of the sovereignty and equality of states [include] a jurisdiction,

prima facie exclusive, over a territory and the permanent population living
PN

there . ... 112

105. U.S. DEP'T OF DEF., DEPARTMENT OF DEFENSE CYBERSPACE POLICY REPORT 5-6 (2011)
H

[hereinafter DEPARTMENT OF DEFENSE CYBERSPACE POLICY REPORT] available at

http://www.defense.gov/home/features/2011/041 lcyberstrategy/docs/NDAA%20Section%20934%2ORe
portFor%20webpage.pdf.
106. Wu & Zhao, supra note 7.
107. Healey, Breakthroughor Just Broken?, supra note 7.
108. See JOHN LYONS, ESTABLISHING THE INTERNATIONAL CYBER SECURITY PROTECTION
ALLIANCE IN ASIA PACIFIC (ICSPA APAC) 1 (2014) (announcing the establishment of an alliance in the
Asia Pacific to enhance online safety and security and provide governments and law enforcement
agencies with resources and expertise to help them reduce harm from cyber crime).
109. Abraham D. Sofaer et al., Cyber Security and InternationalAgreements, in PROCEEDINGS OF A
WORKSHOP ON DETERRING CYBERATTACKS: INFORMING STRATEGIES AND DEVELOPING OPTIONS
FOR U.S. POLICY 179, 179 (The Nat'1 Acad. Press ed., 2010) ("[C]urrent U.S. efforts to deter
cyberattacks and exploitation-though formally advocating international cooperation-are based almost
exclusively on unilateral measures.").
110. See Besson, supra note 45, para. 1 (defining sovereignty as "supreme authority within a
territory).
111. Id. para. 70 (referring to sovereignty as encompassing "ultimate authority and competence over
all people and all things within [the sovereign's] territory").
112. CRAWFORD, supra note 39, at 447.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.115

292 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

The rest of Part II will discuss the sovereign rights and obligations with respect
to territory and persons, and then apply these rights and obligations to cyberspace,
including identifying particular issues that remain unsettled.

A. Territory

Sovereignty over a territory denotes certain rights and corresponding

obligations associated with that specific territory.

1. Rights

Perhaps the most important sovereign right over territory is the exclusivity of
authority. As von Heinegg has stated, "territorial sovereignty protects a State
against any form of interference by other States.""' Sovereigns alone exercise this
right and are only encroached upon through consensual divestiture of authority."'
Even the UN Charter grants States protection under Article 2(7) against

LA
intervention from the United Nations, and other States in certain matters,
concerning issues that fall within a State's domestic jurisdiction.""
IM
Sovereignty over territory necessarily implies sovereignty over things found on
or within territory. For example, "[O]bjects owned by a State or used by that State
for exclusively non-commercial government purposes are an integral part of the
SH

State's sovereignty and are subject to the exclusive jurisdiction of that State if
located outside the territory of another State." 1 This exclusivity of jurisdiction
would also apply to objects that have sovereign immunity, wherever located.'17
LU

Additionally, objects not owned by the State but located within the State's territory
are subject to the State's regulation."' This would include both real and personal
property." 9
PN

States also exercise authority to control their geographic borders.'20 This

implies that "the State is entitled to control access to and egress from its territory,"
which "seems to also apply to all forms of communication.",21
H

113. von Heinegg, supra note 7, at 124.

114. See Cohan, supra note 41, at 935 (explaining how States can willingly enter into agreements that
undermine their domestic sovereignty by recognizing external authority structures).
115. U.N. Charter art. 2, para. 7; Besson, supra note 45, para. 88 ("The UN Charter also protects
sovereign States' domaine r6serv6 and prohibits other States' intervention on sovereign States'
territory." (citations omitted)).
116. von Heinegg, supra note 7, at 130.
117. TALLINN MANUALr. 4.
118. von Heinegg, supra note 7, at 124.
119. HENRY WHEATON, ELEMENTS OF INTERNATIONAL LAW § 77 (George Grafton Wilson ed.,
1936) (1836).
120. Hare, supra note 9, at 92.
121. von Heinegg, supra note 7, at 124.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.116

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 293

2. Obligations

The principle of sovereign equality entails an obligation of all States to respect

the territorial sovereignty of other States. As the ICJ noted in the Nicaragua
judgment, "[b]etween independent States, respect for territorial sovereignty is an
essential foundation of international relations."1 22
Another extremely important obligation that each sovereign State has is to not
knowingly allow its territory to be used to harm another State.123 This obligation is
well founded in international law and stated clearly in the ICJ's Corfu Channel case
where the court says a State may not "allow knowingly its territory to be used for
acts contrary to the rights of other States." 24
Accordingly, States are required under international law to take appropriate
steps to protect the rights of other States.1 25 This obligation applies not only to
criminal acts harmful to other States, but also, for example, to activities that inflict
serious damage or have the potential to inflict such damage on persons and objects
protected by the territorial sovereignty of the target State.12 6

LA
These obligations, as applied to cyber operations, generate interesting
discussion, as will be covered in further detail below. While it is mostly clear how
they apply in the non-cyber world, cyber operations have caused many to rethink
IM
27
the practical application of these foundational sovereign obligations.
SH

B. Persons

The ability of a sovereign State to assert power over persons has been
LU

uncontroversial since the genesis of statehood.12 8 However, the bounds of that

PN

122. Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Judgment, 1986
I.C.J. 14, para. 202 (June 27) (quoting another source).
123. Corfu Channel (U.K. v Alb.), 1949 I.C.J. 4, 22 (Apr. 9).
124. Id.
H

125. See, e.g., United States Diplomatic and Consular Staff in Tehran (U.S. v. Iran), Judgment, 1980
I.C.J. 3, paras. 67-68 (May 24) (describing the general obligation under international law for States to
"ensure the most constant protection and security to each other's nationals in their respective
territories." (internal quotation marks omitted)).
126. In the Trail Smelter case, the arbitral tribunal, citing the Federal Court of Switzerland, noted:
"This right (sovereignty) excludes ... not only the usurpation and exercise of sovereign rights ... but also
an actual encroachment which might prejudice the natural use of the territory and the free movement of
its inhabitants." Trail Smelter (U.S. v. Can.), 3 R.I.A.A. 1905, 1963 (1941) (first omission and part of
second omission in original). 'According to the tribunal, "under the principles of international law ... no
State has the right to use or permit the use of its territory in such a manner as to cause injury by
fumes . .. in or to the territory of another or the properties or persons therein, when the case is of serious
consequence ..... Id. at 1965.
127. See, e.g., Eric Talbot Jensen, State Obligations in Cyber Operations, 14 BALTIC Y.B. INT'L L. 71
(2014) [hereinafter Jensen, State Obligations],available at http://papers.ssrn.com/sol3/papers.cfm?abstract
id=2419527 (describing how recent cyber incidents have drawn attention to State obligations to control
their cyber infrastructure to ensure it does not harm other States).
128. See, e.g., Cohan, supra note 41, at 944 ("[T]he concept of sovereignty... has previously been
characterized as the right of a State to exercise supreme power over its territory and citizens, free from
outside interference."); von Heinegg, supra note 7, at 132 ("Moreover, according to the principles of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.117

294 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

assertion have often been contested, including in a seminal case decided by the
Permanent Court of International Justice (PCIJ), the precursor to the ICJ. In S.S.
"Lotus", a dispute arose between France and Turkey over Turkey's assertion of
authority in the case of an accidental collision at sea.129 The Court in that case
determined that the public international law regime was fundamentally permissive
and that where there was no positive restriction, sovereigns were generally free to
assert their authority over individuals in the absence of a specific proscription from
doing so.'30
While that specific decision of the PCIJ has been limited under modern
international law,'"' a State's current ability to exercise sovereignty applies to all
legal persons within its territory and some outside its territory, such as its citizens
who are abroad.'3 2 This means that a State's sovereign rights and obligations extend
to both State and non-State actors who meet those qualifications.

1. Rights

LA
Sovereign States' ability to exercise prescriptive jurisdiction (territorial,'
nationality,134 protective," passive personality,' 6 and universal' 3 ) over both State
and non-State actors is guided by international law.'" These accepted limitations
IM
represent the modern constraints on the assertion of such jurisdiction.'3 9 Conflicting
SH

active and passive nationality, a State is entitled to exercise its jurisdiction over the conduct of individuals
that occurred outside its territory.")
LU

129. S.S. "Lotus" (Fr. v. Turk.), Judgment, 1927 P.C.I.J. (ser. A) No. 10, at 5 (Sept. 7).
130. Id. at 18 ("International law governs relations between independent States. The rules of law
binding upon States therefore emanate from their own free will as expressed in conventions or by usages
PN

generally accepted as expressing principles of law and established in order to regulate the relations
between these co-existing independent communities or with a view to the achievement of common aims.
Restrictions upon the independence of States cannot therefore be presumed.").
131. See U.N. Convention on the Law of the Sea, supra note 54, art. 97 ("In the event of a collision
H

or any other incident of navigation concerning a ship on the high seas, involving the penal or disciplinary
responsibility of the master or of any other person in the service of the ship, no penal or disciplinary
proceedings may be instituted against such person except before the judicial or administrative authorities
either of the flag State or of the State of which such person is a national.").
132. See Helen Stacy, Relational Sovereignty, 55 STAN. L. REv. 2029, 2050-51 (2003) ("Sovereignty
attaches itself to the people of the state, not merely the state itself . . .. Relational sovereignty places a
higher obligation on the sovereign state to care for and regulate the behavior of its citizens both inside
and outside state borders.").
133. RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW § 402(1) (1986).
134. Id. § 402(2).
135. Id. § 402(3) & cmt. f.
136. Id. § 402 & cmt. g.
137. Id. § 404.
138. See INT'L BAR ASS'N, REPORT OF THE TASK FORCE ON EXTRATERRITORIAL JURISDICTION 11
(2009) ("The starting point for jurisdiction is that all states have competence over events occurring and
persons (whether nationals, residents or otherwise) present in their territory... . In addition, states have
long recognised the right of a state to exercise jurisdiction over persons or events located outside its
territory in certain circumstances, based on the effects doctrine, the nationality or personality principle,
the protective principle or the universality principle.").
139. See id. at 11-16 (discussing the different bases for a State's exercise of extraterritorial
jurisdiction).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.118

 2015]1 CYBER SOVEREIGNTY: THE WAY AHEAD 295

assertions are normally resolved through the principles of comity.'" As the U.S.
Supreme Court recently described it, "[American] courts have long held that
application of [American] antitrust laws to foreign anticompetitive conduct is
nonetheless reasonable, and hence consistent with principles of prescriptive comity,
insofar as they reflect a legislative effort to redress domestic antitrust injury that
foreign anticompetitive conduct has caused.""'
States have also established international agreements that have created
methodologies for the exercise of jurisdiction over persons. These agreements
include both multilateral agreements such as the European Cybercrime
Convention 42 and bilateral agreements such as extradition treaties.' They provide
a mechanism for sovereign States to assert rights over individuals in situations of
conflicting claims.1
"

2. Obligations

The ability to exercise rights of legal persons also brings obligations to do so.

LA
Recall the maxim that States must prevent their territory from knowingly being
used to harm the territory of another. That harm is almost always generated by
some actor, taking some action. If States have the obligation to prevent known
IM
trans-boundary harm, they have to accept the corresponding obligation to exercise
control and authority over those within their power who are causing that trans-
SH

boundary harm. This obligation applies to both State and non-State actors.
The ICJ provided insight into the application of this obligation to non-State
actors in Armed Activities on the Territory of the Congo.14 The Court was unwilling
to assign responsibility to Zaire for not preventing the activities of certain armed
LU

groups because the government was not capable of doing so.14 6 However, the clear
implication of the Court's decision is that if the government had been capable, it
PN

would have had the obligation to do so.

H

140. Robert C. Reuland, Hartford Fire Insurance Co., Comity and the ExtraterritorialReach of
United States Antitrust Laws, 29 TEX. INT'L L.J. 159, 161 (1994) ("In adopting a position that comity
considerations may be relevant only in the case of a 'true conflict,' the Supreme Court effectively closes
the door to the consideration of comity issues under any circumstances short of an actual conflict
between U.S. and foreign law.").
141. F. Hoffmann-La Roche Ltd. v. Empagran S.A., 542 U.S. 155, 165 (2004) (emphasis omitted).
142. Convention on Cybercrime, supra note 92.
143. E.g., Extradition Treaty between the United States of America and the United Kingdom of
Great Britain and Northern Ireland, U.S.-U.K., Mar. 31, 2003, T.I.A.S. No. 07-426.
144. See, e.g., Cohan, supra note 41, at 939-40 ("Membership in the United Nations and in other
international organizations means that the participating state accepts the right of its fellow members to
intervene in its domestic affairs if it has failed in its most fundamental obligations to protect its own
citizens. . . ." (internal quotation marks omitted)); Worth, supra note 48, at 256 ("Article 12(2)(b) [of the
Rome Statute] states that the Court will have personal (ratione personae) jurisdiction over the citizens of
states that have become party to the [International Criminal Court].").
145. Armed Activities on the Territory of the Congo (Dem. Rep. Congo v. Uganda), Judgment, 2005
I.C.J. 168, paras. 299-301 (Dec. 19).
146. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.119

296 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

C Application to Cyberspace

One of the potential difficulties with applying sovereignty to cyberspace is the

claim that cyberspace is a virtual world and does not lie within any national
sovereignty.' In other words, skeptics claim that the activities that take place in
cyberspace do not always fall under a State's jurisdiction."" The next two Subparts
will analyze these arguments with respect to territory and persons.

1. Territory

Some have likened cyberspace to the commons, such as the high seas, and
proposed that a similar legal regime should apply.' The argument is that because
cyberspace does not fall within any State's territory, it is not subject to any State's
sovereignty.' The authors of the Tallinn Manual responded to this issue by arguing
that "although no State may claim sovereignty over cyberspace per se, States may
exercise sovereign prerogatives over any cyber infrastructure located on their

LA
territory, as well as activities associated with that cyber infrastructure."'-'
Cyber infrastructure is composed of servers, computers, cable, and other
physical components.'52 These components are not located in cyberspace, but on
IM
some State's territory. It seems clear that a State has jurisdiction and exercises
sovereign authority over these components that are located within its territorial
SH

boundaries. A State also exercises jurisdiction over cyber infrastructure outside its
geographic boundaries if it exercises exclusive control over that cyber
infrastructure, such as with cyber infrastructure on a State warship on the high
seas.'53 The scope of territorial sovereignty in cyberspace includes the cyber
LU

infrastructure "located on a State's land area, in its internal waters, territorial sea
and, where applicable, archipelagic waters, and in national airspace" but does not
extend to its exclusive economic zone or on the continental shelf where States only
PN

54
exercise "sovereign rights."
The law is at least settled enough with respect to cyber activities that the
authors of the Tallinn Manual listed as its first "black letter" rule, "A State may
H

exercise control over cyber infrastructure and activities within its sovereign

147. See David R. Johnson & David Post, Law and Borders-The Rise of Law in Cyberspace, 48
STAN. L. REV. 1367, 1371 (1996) ("The power to control activity in Cyberspace has only the most
tenuous connections to physical location.").
148. See, e.g., Id. at 1372 (arguing that "efforts to control the flow of electronic information across
physical borders ... are likely to prove futile").
149. See, e.g., Dan Hunter, Cyberspace as Place and the Tragedy of the Digital Anticommons, 91
CALIF. L. REV. 439, 517 (2003) ("[W]ith the intangible property of cyberspace, we can throw out our
normal assumptions about private ownership of the resources and recognize that a commons system
might be the most efficient use of the resource.").
150. See Johnson & Post, supra note 147, at 1370 ("The Net thus radically subverts the system of
rule-making based on borders between physical spaces, at least with respect to the claim that Cyberspace
should naturally be governed by territorially defined rules.").
151. TALLINN MANUAL r. 1 cmt. 1.
152. Id. gloss.
153. Id. r. 5.
154. von Heinegg, supra note 7, at 128 & n.17.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.120

 2015] CYBER SOVEREIGNTY: THE WAY AHEAD 297

territory.""' One of the Tallinn authors has also written that "State practice
provides sufficient evidence that components of cyberspace are not immune from
territorial sovereignty nor from the exercise of State jurisdiction." 56 Nor does
connecting that infrastructure to the World Wide Web connote some kind of waiver
5
of sovereignty."' In fact, the practice of States is just the opposite-the practice of
States has made it clear that they will continue to exercise territorial sovereignty
over their cyber infrastructure.' 58
This authority comes with corresponding duties and obligations. One of the
primary obligations is that a State has an obligation not to knowingly allow its cyber
infrastructure within its territory or under its exclusive control to cause trans-
boundary harm."'9 This obligation has been accepted to apply to radio
telecommunications'" and was recently recognized as a rule by the authors of the
Tallinn Manual.16
'

This obligation has also been stated in multiple official State comments. For
example, according to China, sovereign States "have the responsibilities and rights
to take necessary management measures to keep their domestic cyberspace and

LA
related infrastructure free from threats, disturbance, attack and sabotage."
Similarly, India has stated,
IM
By creating a networked society and being a part of [a] global networked
economy, it is necessary for nation states to realise that they not only
have a requirement to protect their own ICT infrastructure but at the
SH

same time have a responsibility to ensure that their ICT is not abused,
either covertly or overtly, by others to target or attack the ICT
infrastructure of another nation state.
LU

Likewise, Russia has stated that "States and other subjects of international law
should refrain of [sic] such actions against each other and should bear responsibility
at international level for such actions in information space, carried out directly,
PN

under their jurisdiction or in the framework of international organizations of their

membership."'" Finally, the U.S. government's 2011 International Strategy for
Cyberspace calls on States to "recognize the international implications of their
H

technical decisions, and act with respect for one another's networks and the broader
6
Internet.", 1

155. TALLINN MANUAL r. 1.

156. von Heinegg, supra note 7, at 126.
157. Id.
158. DEPARTMENT OF DEFENSE, STRATEGY FOR OPERATING IN CYBERSPACE, supra note 89, at 1.
159. Schmitt, The Law of Cyber Warfare, supra note 12, at 276.
160. Developments in the Field of Information and Telecommunications,supra note 8, at 3.
161. TALLINN MANUAL.
162. Kanuck, supra note 9, at 1591 (internal quotation marks omitted).
163. Id.
164. Id. at 1591 n.88.
165. OFFICE OF THE PRESIDENT, INTERNATIONAL STRATEGY FOR CYBERSPACE, supra note 37, at
10.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.121

298 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

These and similar statements, combined with limited State practice, have led
many commentators'" to argue,

States have an affirmative duty to prevent cyberattacks from their

territory against other states. This duty actually encompasses several
smaller duties, to include passing stringent criminal laws, conducting
vigorous investigations, prosecuting attackers, and, during the
investigation and prosecution, cooperating with the victim-states of
cyberattacks that originated from within their borders."'

The kinds of acts that equate to trans-boundary harm might include attacks on
networks, exploitation of networks, and other hostile acts in cyberspace that
threaten peace and stability, civil liberties and privacy.' 6 At this point, it is still
unclear under the law as to whether the mere transit of data through a particular
nation's infrastructure rises to the level of a prohibited activity, even if the data
eventually results in harm to another State.'"
Note that the obligation only triggers if the State from whose territory the

LA
harm originates has knowledge of the harm.' When States have knowledge of the
harmful acts, they have a duty to stop them."' Knowledge might be imputed to the
State if State agents or organs, such as intelligence or law enforcement agencies,
IM
know of the harm emanating from the State's cyber infrastructure, even if those
72
agents or organs choose to not inform other agencies in the government.'
SH

There may also be times when neither a State nor its organs or agents have
actual knowledge but should have had knowledge, given the circumstances. In the
ICJ's Corfu Channel case, the court held Albania liable for harm to England, even
LU

though there was no direct evidence that Albania knew of the harm. In that case,
the court concluded that given the circumstances, Albania must have known about
the emplacement of the mines that caused the harm."' The "must have known"
PN

standard is higher than a "should have known" standard but demonstrates that
proving actual knowledge is not required. As for States who "should have known,"
international law is still unclear as to the obligation of such a State."' However, von
Heinegg is willing to allow a rebuttable presumption of actual or constructive
H

knowledge if "a cyber attack has been launched from cyber infrastructure that is

166. E.g., David E. Graham, Cyber Threats and the Law of War, 4 J. NAT'L SEC. L. & POL'Y 87, 93-
94 (2010); Matthew J. Sklerov, Solving the Dilemma of State Responses to Cyberattacks: A Justification
for the Use of Active Defenses againstStates Who Neglect Their Duty to Prevent, 201 MIL. L. REV. 1, 62-
63 (2009).
167. Sklerov, supra note 166, at 62-63.
168. See OFFICE OF THE PRESIDENT, INTERNATIONAL STRATEGY FOR CYBERSPACE, supra note 37,
at 12-14 (recognizing that cyberspace activities can have effects beyond borders and detailing initiatives
that will be undertaken to protect the United States against threats posed by cyber criminals or States
and their proxies).
169. von Heinegg, supra note 7, at 137.
170. Id. at 136.
171. Id. at 135-36.
172. Id. at 136.
173. Corfu Channel (U.K. v. Alb.), Judgment, 1949 I.C.J. 4, 19-20 (Apr. 9).
174. See von Heinegg, supra note 7, at 151 (speculating hypothetically about whether constructive
knowledge is sufficient to establish a violation).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.122

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 299

under exclusive government control and that is used only for non-commercial
government purposes.""
There is currently an ongoing discussion as to whether a State's responsibility
to prevent knowing cyber harm creates a duty to monitor networks in order to
116
"know" when cyber harms exist. In other words, if such a responsibility exists, if
State A knows that its infrastructure is being used to cause trans-boundary harm to
State B, State A has an obligation to stop the harm.'" In order to effectively comply
with that obligation, there is an emerging norm that State A has an obligation to
monitor its cyber infrastructure and take proactive measures to prevent harm from
emanating from cyber infrastructure over which State A exercises sovereignty. 7 8
However, this emerging norm is still quite controversial, particularly when
considered in light of potential human rights obligations that might be compromised
in the process of monitoring."'
Until that norm becomes generally accepted, target States will have to find
ways to determine the level of knowledge of States from whose territory harmful
cyber effects originate before allocating responsibility. In the current view of the

LA
United States,

[Department of Defense (DoD)] adheres to well-established processes

IM
for determining whether a third country is aware of malicious cyber
activity originating from within its borders. In doing so, DoD works
closely with its interagency and international partners to determine: [(1)]
SH

The nature of the malicious cyber activity; [(2)] The role, if any, of the
third country; [(3)] The ability and willingness of the third country to
respond effectively to the malicious cyber activity; and [(4)] The
LU

appropriate course of action for the U.S. Government to address

potential issues of third-party sovereignty depending upon the particular
circumstances. 0
PN

In addition to the obligation to prevent trans-boundary harm, a State has an

obligation to cooperate with the victim State in the event of adverse or unlawful
cyber effects from cyber infrastructure located in its territory or under its exclusive
H

governmental control when it may affect international peace and security.'"' A

175. Id. at 137. Note that von Heinegg clearly states that the presumption does not allow for
attribution. Id.
176. See generally Jensen, State Obligations,supra note 127.
177. See id. at 13 (stating that in order to comply with the duty to control their cyber infrastructures,
States have an emerging duty to monitor cyber activities within their territories in order to prevent or
stop activities that are adversely or unlawfully affecting other States).
178. Id.
179. Cf EKATERINA A. DROZDOVA, CIVIL LIBERTIES AND SECURITY IN CYBERSPACE 13 (2000),
available at http://fsi.stanford.edulsites/default/files/drozdova.pdf ("While a system for advanced
monitoring, searching, tracking, and analyzing of communications may be very helpful against cyber
crime and terrorism, it would also provide participating governments, especially authoritarian
governments or agencies with little accountability, tools to violate civil liberties domestically and
abroad.").
180. DEPARTMENT OF DEFENSE, CYBERSPACE POLICY REPORT, supra note 105, at 8.
181. In addition to those circumstances mentioned above where the maintenance of international

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.123

300 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

State may also have a treaty obligation to establish criminal information sharing and
criminal processing arrangements as a matter of domestic law.1 8 2
This obligation to cooperate is based on the U.N. Charter18 and ICJ
opinions,' and is also confirmed in the U.N. General Assembly's Declaration on
Principles of International Law concerning Friendly Relations and Co-operation
among States in Accordance with the Charter of the United Nations.'8 The
obligation to cooperate with respect to cyber incidents is also enshrined in the
European Convention on Cybercrime, which has forty-two States parties and an
additional eleven signatory States.'"
This norm of cooperation only requires States to cooperate when the adverse
or unlawful cyber incident originates from infrastructure within the territory or
under its exclusive governmental control or when the unlawful cyber incident
transits the cyber infrastructure in the State's territory or under its exclusive
government control. Both conditions must be met for the duty to be applicable. No
specific standard for the level of cooperation is clearly agreed upon, but the general
consensus is that States must exercise good faith when fulfilling this duty.'

LA
As an example, if a cyber incident originates in State A and threatens State B's
critical infrastructure such that there is a threat to international peace and security,
IM
both State A and State B have a legal duty to cooperate to peacefully resolve that
incident.
As with the obligation concerning trans-boundary harm, the obligation to
SH

cooperate also has a number of unresolved issues. Most relevant to this Article is
the fact that historical State practice does not demonstrate that States accept the
obligation to cooperate in any meaningful way.'" Again, the 2007 situation between
LU
PN

peace and security is at risk, the duty to cooperate also applies to the solving of international problems of
economic, social, cultural, or humanitarian character. U.N. Charter art. 1, para. 3. States also have a
duty to cooperate in scientific investigation in Antarctica. The Antarctic Treaty, supra note 53, art. 2.
The duty to cooperate also applies to the scientific investigation of outer space. Outer Space Treaty,
H

supra note 55, art. 1. Finally, international cooperation applies to marine scientific research. U.N.
Convention on the Law of the Sea, supra note 54, art. 143.
182. See, e.g., Convention on Cybercrime, supra note 92, art. 26, para. 1 ("A Party may, within the
limits of its domestic law and without prior request, forward to another Party information obtained
within the framework of its own investigations when it considers that the disclosure of such information
might assist the receiving Party in initiating or carrying out investigations or proceedings concerning
criminal offences established in accordance with this Convention or might lead to a request for co-
operation by that Party under this chapter.").
183. U.N. Charter art. 1, paras. 1, 3; Id. art. 33, para. 1.
184. See, e.g., Pulp Mills on the River Uruguay (Arg. v. Uru.), Judgment, 2010 I.C.J. 14, para. 102
(Apr. 20) (finding it vital for parties to comply with their procedural obligations under the 1975 Statute
of the River Uruguay because cooperation is essential to the protection of the river).
185. G.A. Res. 2625 (XXV), supra note 80, at 123.
186. Article 23 requires that "[t]he Parties shall co-operate with each other" and provide mutual
assistance, particularly with respect to investigations of cyber incidents. Convention on Cybercrime,
supra note 92, art. 23.
187. See Kotzur, supra note 93, para. 16 ("One of the most basic principles governing the creation
and performance of legal obligations, whatever their source, is the principle of good faith.").
188. See Schmitt, The Law of Cyber Warfare, supra note 12, at 273 ("A state's national interests
undergird its consent or conduct .... States might seek, for example, to maximize power and influence
at the expense of other states . . . .").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.124

2015]1 CYBER SOVEREIGNTY: THE WAY AHEAD 301

Estonia and Russia is instructive. Estonia found Russia's response to its queries
and requests for assistance unhelpful and protective of Russian interests."

2. Persons

The U.S. Department of Justice's recent indictment of five members of the

Chinese Army for cyber hacking" represents a significant shift from the
methodology States have traditionally used in dealing with State-sponsored cyber
activities."' For the United States to move away from its normal diplomatic
approach 92 and invoke domestic criminal law as a means of deterring State-
sponsored cyber activities is a definite policy shift.' Certainly, it is improbable that
the indictment will result in any convictions as China and the United States do not
have an extradition treaty'94 and China has signaled no intention to honor such a
request anyway. However, the idea that States will use domestic criminal law as a
tool to deter other States who are engaged in harmful cyber activities is a
potentially interesting development. The use of criminal law for non-State actors,

LA
on the other hand, is the norm, however ineffective.
It seems clear that in addition to State actors, "terrorist groups and even
individuals, [sic] now have the capability to launch cyber-attacks, not only against
IM
military networks, but also against critical infrastructures that depend on computer
SH

189. See Ruus, supra note 2 ("[T]he Estonian State Prosecutor made a formal investigative
assistance request, which Moscow rejected, alleging that procedural problems prevented cooperation.").
LU

190. Michael S. Schmidt & David E. Sanger, 5 in China Army Face U.S. Charges of Cyberattacks,
N.Y. TIMES, May 19, 2014, http://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-
cyberspying.html. China is, of course, not the only State conducting cyber activities. Recent media
revelations concerning the United States' cyber activities have alleged widespread actions against both
PN

State and commercial entities. Simon Romero & Randal C. Archibold, Brazil Angered Over Report
N.S.A. Spied on President, N.Y. TIMES, Sept. 2, 2013, http://www.nytimes.com/2013/09/03/world/
americas/brazil-angered-over-report-nsa-spied-on-president.html; David E. Sanger & Nicole Perlroth,
N.S.A. Breached Chinese Servers Seen as Security Threat, N.Y. TIMES, Mar. 22, 2014, http://www.nytimes.
H

com/2014/03/23/world/asia/nsa-breached-chinese-servers-seen-as-spy-peril.html; Snowden NSA: Germany

to Investigate Merkel "Phone Tap", BBC (June 4, 2014), http://www.bbc.com/news/world-europe-
27695634; Jonathan Watts, NSA Accused of Spying on Brazilian Oil Company Petrobras, GUARDIAN,
Sept. 9, 2013, http://www.theguardian.com/world/2013/sep/09/nsa-spying-brazil-oil-petrobras.
191. See Schmidt & Sanger, supra note 190 ("[President Obama and Defense Secretary Chuck
Hagel] have attempted to engage the Chinese in a dialogue over norms for operating in cyberspace, a
careful diplomatic dance that has gone on for several years. But Monday's action by the Justice
Department marked an attempt to publically shame the Liberation Army . ... ").
192. See Ellen Nakashima, U.S. Publicly Calls on China to Stop Commercial Cyber-Espionage, Theft
of Trade Secrets, WASH. POST, Mar. 11, 2013, http://www.washingtonpost.com/world/national-security/us-
publicly-calls-on-china-to-stop-commercial-cyber-espionage-theft-of-trade-secrets/2013/03/11/28b21d12-
8a82-11e2-a051-6810d606108d-story.html (discussing the United States' diplomatic efforts to hold China
accountable for cyber-espionage).
193. See Schmidt & Sanger, supra note 190 (describing how the Justice Department indicted five
members of the Chinese People's Liberation Army and illustrating how this represents a U.S. policy shift
on dealing with Chinese cyber activities).
194. Dominic Rushe, Chinese Hackers Break into US Federal Government Employee Database,
GUARDIAN, July 10, 2014, http://www.theguardian.com/world/2014/jul/10/china-hackers-us-government-
employee-database.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.125

302 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

networks."'0 5 And the results of such actions can be catastrophic. "[M]alicious

actors, state and non-state, have the ability to compromise and control millions of
96
computers that belong to governments, private enterprises and ordinary citizens."'
The threat is such that

[t]he President's May 2011 International Strategy for Cyberspace states

that the United States will, along with other nations, encourage
responsible behavior and oppose those who would seek to disrupt
networks and systems, dissuading and deterring malicious actors, and
reserving the right to defend these national security and vital national
assets as necessary and appropriate.'97

The fact that cyber operations may be initiated by a vast array of persons
implicates the States from which those persons take those actions. Every time there
is a victim-State, there is a State from which the action was initiated and often a
State or States through which the activity passed. In each case, those States have

LA
not only the right to control their citizens and others who might be involved, but
also the obligation to do so.'" When persons take actions from within a State that
harm another State, the State from which the harm originated has an obligation to
try to stop those actions, once the State has knowledge.'99 If a State is monitoring its

IM
networks and knows in advance, it can act preemptively to stop that activity before
it emanates from within its sovereign territory. Additionally, as stated above with

S H
respect to controlling actions, a State can take proactive measures to discourage
non-State actors by "passing stringent criminal laws, conducting vigorous
investigations, prosecuting attackers, and, during the investigation and prosecution,

borders."200

L U
cooperating with the victim-States of cyberattacks that originated from within their

D. The Way Ahead

P N
Applying a State's sovereign rights and obligations to persons with respect to

H
cyber activities emphasizes the key role States must play in the way ahead for
cyberspace. As the community of States moves forward, States will have to
determine how the exercise of those sovereign rights and obligations can best be
managed to accomplish each State's purposes.
For example, there are a number of issues revolving around the obligation to
prevent trans-boundary harm. One of these issues stems from the fact that
international law allows for some de minimis imposition on the rights of other
States.2 ' It is unclear generally what the limit of acceptable de minimis harm is, but

195. Liaropoulos, supra note 9, at 136 (citation omitted).

196. Id. at 137.
197. DEPARTMENT OF DEFENSE, CYBERSPACE POLICY REPORT, supra note 105, at 2.
198. Jensen, Sovereignty and Neutrality, supra note 9, at 826-27.
199. Id.
200. Sklerov, supra note 166, at 62.
201. See Jutta Brunn6e, Sic utere tuo ut alienum non laedas, in MAX PLANCK ENCYCLOPEDIA OF
PUBLIC INTERNATIONAL LAW para. 7 (2010) ("[T]he mere causation of transboundary harm does not
transgress the sic utere tuo maxim.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.126

2015] CYBER SOVEREIGNTY: THE WAY AHEAD 303

this is particularly unclear in cyberspace, where it is accepted that most cyber

activities will not rise to the level of a use of force." As time progresses, State
practice will indicate what the acceptable amount of de minimis harm is and where
that line is generally crossed. Currently, that line is quite high because States are
unwilling to respond in forceful ways to cyber activities.20 3 The shift in U.S. policy to
apply domestic criminal remedies reflects that at least some States are not
comfortable with the current paradigm. States' willingness to accept State-
sponsored cyber activities, even those that are far below the use of force, seems to
be waning. The future will undoubtedly bring more proactive measures to deter
States from conducting cyber activities and reduce the acceptable level of de
minimis cyber harm.
Another current issue that will likely come to the fore in the near future
concerns the knowledge requirement for the trans-boundary harm obligation.
While the law is clear that some form of knowledge, whether actual or constructive,
is required for responsibility, the law is unclear as to the responsibility of a State
that chooses not to invest in cyber capabilities on purpose, in an effort to remain

LA
blind to its obligations.2 0 This issue of the level of knowledge, and responsibility to
seek knowledge, will need to be resolved by State practice over time. As the duty
to monitor and prevent continues to emerge, States will have to accept greater
IM
responsibility under a constructive knowledge standard and a State's ability to
practice willful blindness will disappear. The pressures of the increasing availability
of technology and the rising awareness of cyber activities will aid in this movement.
SH

Finally, though there is a clearly recognized rule of international law on the

acceptance of responsibility for trans-boundary harm, State practice in the cyber
area has been inconsistent at best, and directly non-compliant in many cases.2
LU

Particularly in the area of cyber operations that are generated from within a State's
borders, there is a mixed history on responsible States' willingness to accept
responsibility.2 0 Though this trend could actually go either way, it seems likely that
PN

the harms that are possible through cyber activities will eventually outweigh the
benefits that States accrue by having freedom of action. Thus, particularly in light
of the fact that non-State actors and even lone individuals can harness State-level
H

violence through the use of cyber tools, States will soon find it in their best interest

202. See TALLINN MANUAL r. 11 (defining the term "use of force" in the cyber context as an
operation the scale and effects of which are comparable to non-cyber operations that would qualify as a
use of force).
203. But see DEPARTMENT OF DEFENSE, CYBERSPACE POLICY REPORT, supra note 105, at 4
("Finally, the President reserves the right to respond using all necessary means to defend our Nation, our
Allies, our partners, and our interests from hostile acts in cyberspace. Hostile acts may include
significant cyber attacks directed against the U.S. economy, government or military. As directed by the
President, response options may include using cyber and/or kinetic capabilities provided by [the
Department of Defense].").
204. TALLINN MANUAL r. 93.
205. See, e.g., discussion supra Part II.C.1 on Russia's unwillingness to assist Estonia after the 2007
cyber attacks.
206. See, e.g., Sklerov, supra note 166, at 10 ("As may be expected, China and Russia reject these
accusations.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.127

304 TEXAS INTERNATIONAL LAW JOURNAL [VOL. 50:2

to regulate themselves in order to protect themselves not only from other States,
but from non-State actors as well.

CONCLUSION

An analysis of the international doctrine of State sovereignty demonstrates

that many of those norms are directly applicable to cyber operations and can easily
be applied with respect to States. In fact, the recently published Tallinn Manual
concludes that principles of sovereignty can be applied and does so apply them.2 07
However, there are still areas where State practice has presented difficulties,
such as the area of accepting responsibility for trans-boundary harm, the emerging
principles of a duty to monitor and prevent, and the duty to apply due regard to a
State's cyber activities.
It seems clear, though, that the future will provide greater clarity as incidents
of state cyber activities become more widespread and the information more
available to the public. At that point, the way ahead is likely to demonstrate that

LA
the doctrine of sovereignty continues to apply to cyber operations.
IM
SH
LU
PN
H

207. TALLINN MANUAL R. 1.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.128

Copyright 2013 by Northwestern University School of Law Printed in U.S.A.
Northwestern University Law Review Vol. 107, No. 4

Articles
REGULATING CYBER-SECURITY

NathanAlexander Sales

ABSTRACT-The conventional wisdom is that this country's privately

owned critical infrastructure-banks, telecommunications networks, the
power grid, and so on-is vulnerable to catastrophic cyber-attacks. The
existing academic literature does not adequately grapple with this problem,
however, because it conceives of cyber-security in unduly narrow terms:
most scholars understand cyber-attacks as a problem of either the criminal

LA
law or the law of armed conflict. Cyber-security scholarship need not run in
such established channels. This Article argues that, rather than thinking of
private companies merely as potential victims of cyber-crimes or as
IM
possible targets in cyber-conflicts, we should think of them in
administrative law terms. Many firms that operate critical infrastructure
tend to underinvest in cyber-defense because of problems associated with
SH

negative externalities, positive externalities, free riding, and public goods-

the same sorts of challenges the modern administrative state faces in fields
like environmental law, antitrust law, products liability law, and public
LU

health law. These disciplines do not just yield a richer analytical framework
for thinking about cyber-security; they also expand the range of possible
responses. Understanding the problem in regulatory terms allows us to
PN

adapt various regulatory solutions-such as monitoring and surveillance to

detect malicious code, hardening vulnerable targets, and building resilient
and recoverable systems-for the cyber-security context. In short, an
H

entirely new conceptual approach to cyber-security is needed.

AUTHOR-Assistant Professor of Law, George Mason University School

of Law. Thanks to Jonathan Adler, Stewart Baker, Derek Bambauer, Bobby
Chesney, Eric Claeys, Tim Clancy, Orin Kerr, Michael Krauss, Deirdre
Mulligan, Steve Prior, Jeremy Rabkin, Paul Rosenzweig, J.W. Verret, Ben
Wittes, and Todd Zywicki for their helpful comments. I'm also grateful to
participants in workshops at Syracuse University College of Law and the
Republic of Georgia's Ministry of Justice. Special thanks to the Center for
Infrastructure Protection and Homeland Security for generous financial
support.

1503

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.129

 NORTHWESTERN UNIVERSITY LAW REVIEW

INTROD UCTION ............................................................................... 1504

1. AN EFFICIENT LEVEL OF CYBER-SECURITY..........................................................1510
II. CYBER-SECURITY FRAMEWORKS, CONVENTIONAL AND UNCONVENTIONAL.........1519
A. The Conventional Approaches:Law Enforcement and Armed Conflict... 1521
B. Cyber-securityas an EnvironmentalLaw Problem ........ ........ 1525
C. .. as an Antitrust Problem ................................ 1528
D. as a ProductsLiabilityProblem 1533
..................................
E. as a PublicHealth Problem........... ......................... 1539
III. REGULATORY PROBLEMS, REGULATORY SOLUTIONS .......................................... 1544
A. Monitoring and Surveillance ................................... 1546
B. HardeningTargets ......................... .................. 1552
C. Survivability and Recovery ................................ 1561
D. Responding to Cyber-attacks .......................... ..... 1564

LA
CONCLUSION ................ ...............................
IM ........................................ 1567

Introduction
The Red Army had been gone for years, but it still had the power to
inspire controversy-and destruction.' In April 2007, the government of
SH

Estonia announced plans to relocate a contentious Soviet-era memorial in

its capital city of Tallinn. Known as the Bronze Soldier, the Soviets erected
the statue in 1947 to commemorate their sacrifices in the Great Patriotic
War and their "liberation" of their Baltic neighbors. The local population,
LU

which suffered under the Bolshevik boot for decades, understandably saw
the monument in a rather different light. Not long after the announcement,
the tiny nation was hit with a massive cyber-attack. Estonia, sometimes
PN

nicknamed "E-stonia," is one of the most networked countries in the

world-its citizens bank, vote, and pay taxes online 2-and it ground to a
halt for weeks. The country's largest bank was paralyzed. Credit card
H

companies took their systems down to keep them from being attacked. The
telephone network went dark. Newspapers and television stations were
knocked offline. Who was responsible for launching what has come to be
known as Web War I?' The smart money is on Russia, though no one can
say for sure.

The events in this paragraph are described in JOEL BRENNER, AMERICA THE VULNERABLE: INSIDE
THE NEW THREAT MATRIX OF DIGITAL ESPIONAGE, CRIME, AND WARFARE 127-30 (2011); RICHARD
A. CLARKE & ROBERT K. KNAKE, CYBER WAR: THE NEXT THREAT TO NATIONAL SECURITY AND
WHAT TO Do ABOUT IT 11-16 (2010); and Ian Traynor, Russia Accused of Unleashing Cyberwar to
DisableEstonia, GUARDIAN (London), May 17, 2007, at 1.
2 Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorismand Using
UniversalJurisdictionas a Deterrent,43 VAND. J. TRANSNAT'L L. 57, 61 & n.14 (2010).
War in the Fifth Domain, ECONOMIST, July 3-9, 2010, at 25, 28; see also CLARKE & KNAKE,
supra note 1, at 30; David W. Opderbeck, Cybersecurity and Executive Power, 89 WASH. U. L. REV.
795, 799 (2012).

1504

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.130

107:1503 (2013) Regulating Cyber-security

It could happen here. Government officials like Richard Clarke, the

former White House cyber-security czar, have been warning of "an
electronic Pearl Harbor" for years.' Others lament the "gaping
vulnerabilit[ies]"' in America's cyber-defenses and speculate that the
economic effect of a major assault could be "an order of magnitude"
greater than the September 11, 2001 terrorist attacks.' Academic
commentators generally agree. Some see the danger as "monumental"' and
the country's "most pervasive and pernicious threat."' Others predict that
America's failure to secure its cyber-assets "could take down the nation's
entire security and economic infrastructure"' and "bring this country to its
knees.""o It has even been suggested that "[t]he very future of the Republic"
depends on "protect[ing] ourselves from enemies armed with cyber
weapons."" There are some naysayers,12 but the consensus that we stand on
the brink of a cyber-calamity is both broad and deep.
A large-scale cyber-attack on this country, as in Estonia, likely would

LA
target privately held critical infrastructure-banks, telecommunications
carriers, power companies, and other firms whose compromise would cause
IM
4 Richard Clarke, Threats to US. National Security: Proposed PartnershipInitiatives Towards
SH

Preventing Cyber TerroristAttacks, 12 DEPAUL BUS. L.J. 33, 38 (1999-2000).

5 Joby Warrick & Walter Pincus, Senate Legislation Would Federalize Cybersecurity; Rules for
PrivateNetworks Also Proposed,WASH. POST, Apr. 1, 2009, at A4.
6 Max Fisher, Fmr. Intelligence Director: New Cyberattack May Be Worse than 9/11, ATLANTIC
LU

(Sept. 30, 2010, 2:28 PM), http://www.theatlantic.com/politics/archive/2010/09/fmr-intelligence-

director-new-ttack-may-be-worse-than-9-11/63849/ (quoting former Director of National Intelligence
Mike McConnell); see also EXEC. OFFICE OF THE PRESIDENT, CYBERSPACE POLICY REVIEW 1 (2009),
PN

available at http://www.whitehouse.gov/assets/documents/CyberspacePolicy Review final.pdf

("Threats to cyberspace pose one of the most serious economic and national security challenges of the
21st Century for the United States and our allies.").
William C. Banks & Elizabeth Rindskopf Parker, Introduction, 4 J. NAT'L SEC. L. & POL'Y 7, 11
H

(2010).
Walter Gary Sharp, Sr., The Past, Present, and Future of Cybersecurity, 4 J. NAT'L SEC. L. &
POL'Y 13, 13 (2010); see also CTR. FOR STRATEGIC & INT'L STUDIES, SECURING CYBERSPACE FOR THE
44TH PRESIDENCY 11 (2008), available at http://csis.org/files/media/csis/pubs/081208
securingcyberspace_44.pdf; Greg Rattray et al., American Security in the Cyber Commons, in
CONTESTED COMMONS: THE FUTURE OF AMERICAN POWER IN A MULTIPOLAR WORLD 137, 145
(Abraham M. Denmark & James Mulvenon eds., 2010).
9 Opderbeck, supra note 3, at 798.
1o Neal Kumar Katyal, Criminal Law in Cyberspace, 149 U. PA. L. REv. 1003, 1020 n.45 (2001)
(quoting Chris O'Malley, Information Warriors of the 609th, POPULAR SCI., July 1997, at 71, 72).
II Stephen Dycus, Congress'sRole in Cyber Warfare, 4 J. NAT'L SEC. L. & POL'Y 155, 156 (2010).
12 See, e.g., Derek E. Bambauer, Conundrum, 96 MINN. L. REV. 584, 604 (2011);
Charles J.
Dunlap, Jr., Meeting the Challenge of Cyberterrorism:Defining the Military Role in a Democracy,
76 INT'L L. STUD. 353, 361 (2002); Seymour M. Hersh, The Online Threat, NEW YORKER, Nov. 1,
2010, at 44, 48; Martin Libicki, Rethinking War: The Mouse's New Roar?, FOREIGN POL'Y, Winter
1999-2000, at 30, 38; Jerry Brito & Tate Watkins, Loving the Cyber Bomb? The Dangers of Threat
Inflation in Cybersecurity Policy 6-7 (Mercatus Ctr. at George Mason Univ., Working Paper No. 11-24,
2011), available at http://mercatus.org/sites/default/files/WP 124_Loving cyber-_bomb.pdf.

1505

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.131

 NORTHWESTERN UNIVERSITY LAW REVIEW

widespread harm." Indeed, America's critical infrastructure, approximately

85% of which is owned by private firms,14 already faces constant
intrusions." Yet the private sector's defenses are widely regarded as
inadequate. Companies are essentially on their own when it comes to
protecting their computer systems, with the government neither imposing
security requirements nor bearing a share of the resulting costs.'" According
to Bruce Smith, the United States follows a "bifurcated approach to
network security" that "relie[s] predominantly on private investment in
prevention and public investment in prosecution."" Christopher Coyne and
Peter Leeson likewise stress that our defensive strategy "is simply the sum
of dispersed decisions of individual users and businesses."" Regular firms
that operate in competitive markets (such as online retailers) may be
adequately protecting their systems against ordinary intruders (such as
recreational hackers). But strategically significant firms in uncompetitive
markets (such as power companies and other public utilities) seem less

LA
IM
13 See CLARKE & KNAKE, supra note 1, at xiii; Davis Brown, A Proposalfor an International
Convention to Regulate the Use of Information Systems in Armed Conflict, 47 HARV. INT'L L.J. 179,
SH

182 (2006). Federal law defines "critical infrastructure" as "systems and assets, whether physical or
virtual, so vital to the United States that the incapacity or destruction of such systems and assets would
have a debilitating impact on security, national economic security, national public health or safety, or
any combination of those matters." 42 U.S.C. § 5195c(e) (2006). Some types of critical infrastructure
are more important, and less likely to be adequately defended, than others.
LU

14 Todd A. Brown, Legal Propriety of Protecting Defense Industrial Base Information

Infrastructure,64 A.F. L. REV. 211, 220 (2009); Gus P. Coldebella & Brian M. White, Foundational
Questions Regarding the FederalRole in Cybersecurity,4 J. NAT'L SEC. L. & POL'Y 233, 240 (2010);
PN

Christopher J. Coyne & Peter T. Leeson, Who's to Protect Cyberspace?, I J.L. ECON. & POL'Y 473,
476 (2005); Gregory T. Nojeim, Cybersecurity and Freedom on the Internet, 4 J. NAT'L SEC. L. &
POL'Y 119, 135 (2010); Benjamin Powell, Is Cybersecurity a Public Good? Evidence from the
FinancialServices Industry, 1 J.L. ECON. & POL'Y 497, 497 (2005); Paul Rosenzweig, Cybersecurity
H

and Public Goods: The Public/Private "Partnership,"HOOVER INST. 2 (2011), http://media.hoover.org

/sites/default/files/documents/EmergingThreats Rosenzweig.pdf, reprinted in PAUL ROSENZWEIG,
CYBERWARFARE: How CONFLICTS IN CYBERSPACE ARE CHALLENGING AMERICA AND CHANGING THE
WORLD 156-75 (2012).
15 See MCAFEE & CTR. FOR STRATEGIC & INT'L STUDIES, IN THE DARK: CRUCIAL INDUSTRIES
CONFRONT CYBERATTACKS 6 (2011), available at http://www.mcafee.com/us/resources/reports/rp-
critical-infrastructure-protection.pdf; Eric Talbot Jensen, Cyber Warfare and PrecautionsAgainst the
Effects of Attacks, 88 TEx. L. REv. 1533, 1537 (2010); Neal Kumar Katyal, Digital Architecture as
Crime Control, 112 YALE L.J. 2261, 2263 (2003); Debra Wong Yang & Brian M. Hoffstadt,
Counteringthe Cyber-Crime Threat, 43 AM. CRIM. L. REV. 201, 201, 205 (2006).
16 See Yasuhide Yamada et al., A Comparative Study of the Information Security Policies of Japan
and the United States, 4 J. NAT'L SEC. L. & POL'Y 217,219-20 (2010).
17 Bruce P. Smith, Hacking, Poaching, and Counterattacking: Digital Counterstrikes and the
Contours ofSelf-Help, 1 J.L. ECON. & POL'Y 171, 173 (2005).
18 Coyne & Leeson, supra note 14, at 475-76; accord AM. BAR ASS'N, NATIONAL SECURITY
THREATS IN CYBERSPACE 8 (2009), available at http://nationalstrategy.com/Portals/0/National%
20Security/o20Threats%20in%20Cyberspace%20%20FINAL%2009-15-09.pdf; Banks & Parker, supra
note 7; Nojeim, supranote 14, at 121.

1506

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.132

107:1503 (2013) Regulating Cyber-security

likely to maintain defenses capable of protecting their systems against

skilled and determined adversaries (such as foreign intelligence services).
The poor state of America's cyber-defenses is partly due to the fact
that the analytical framework used to understand the problem is
incomplete. The law and policy of cyber-security are undertheorized.
Virtually all legal scholarship approaches cyber-security from the
standpoint of the criminal law or the law of armed conflict." Given these
analytical commitments, it is inevitable that academics and lawmakers will
tend to favor law enforcement and military solutions to cyber-security
problems. These are important perspectives, but cyber-security scholarship
need not run in such narrow channels. An entirely new approach is needed.
Rather than conceiving of private firms merely as possible victims of
cyber-crimes, or as potential targets in cyber-conflicts, we should think of
them in regulatory terms.20 Many companies that operate critical
infrastructure tend to underinvest in cyber-defense because of negative
externalities, positive externalities, free riding, and public goods

LA
problems-the same sorts of challenges the modern administrative state
encounters in a variety of other contexts.
IM
19Bambauer, Conundrum, supra note 12, at 588-89. For examples of the criminal
law approach,
SH

see Banks & Parker, supra note 7, at 9; Mary M. Calkins, Note, They Shoot Trojan Horses, Don't
They? An Economic Analysis of Anti-Hacking Regulatory Models, 89 GEO. L.J. 171, 190-97 (2000);
Sean M. Condron, Getting It Right: Protecting American Critical Infrastructure in Cyberspace,
20 HARV. J.L. & TECH. 403, 407-08 (2007); Katyal, CriminalLaw, supra note 10, at 1013-38; Katyal,
LU

Digital Architecture,supra note 15, at 2263-88; Michael Edmund O'Neill, Old Crimes in New Bottles:
Sanctioning Cybercrime,9 GEO. MASON L. REV. 237, 241-52 (2000); Opderbeck, supra note 3, at 822-
26; and Yang & Hoffstadt, supra note 15, at 201-07. For examples of the armed conflict approach, see
Brown, supra note 13, at 182-90; Condron, supra, at 408; David E. Graham, Cyber Threats and the
PN

Law of War, 4 J. NAT'L SEC. L. & POL'Y 87, 90-100 (2010); Eric Talbot Jensen, Computer Attacks on
CriticalNational Infrastructure:A Use of Force Invoking the Right of Self-Defense, 38 STAN. J. INT'L
L. 207, 214-29 (2002); Herbert S. Lin, Offensive Cyber Operationsand the Use of Force, 4 J. NAT'L
H

SEC. L. & POL'Y 63, 70-82 (2010); William J. Lynn III, Defending a New Domain: The Pentagon's
Cyberstrategy, 89 FOREIGN AFF. 97, 101-05 (2010); Michael N. Schmitt, Computer Network Attack
and the Use of Force in InternationalLaw: Thoughts on a Normative Framework, 37 COLUM. J.
TRANSNAT'L L. 885, 900-24 (1999); Matthew J. Sklerov, Solving the Dilemma of State Responses to
Cyberattacks: A Justificationfor the Use of Active Defenses Against States Who Neglect Their Duty to
Prevent, 201 MIL. L. REV. 1, 6-10 (2009); and Matthew C. Waxman, Cyber-Attacks and the Use of
Force: Back to the Future of Article 2(4), 36 YALE J. INT'L L. 421, 426-37 (2011). There are
exceptions. Some scholars understand cyber-security in public health terms. See IBM, MEETING THE
CYBERSECURITY CHALLENGE: EMPOWERING STAKEHOLDERS AND ENSURING COORDINATION 11-14
(2010), availableat http://www-304.ibm.com/easyaccess3/fileserve?contentid=192188; Jeffrey Hunker,
U.S. InternationalPolicy for Cybersecurity: Five Issues that Won't Go Away, 4 J. NAT'L SEC. L. &
POL'Y 197, 202-04 (2010); Deirdre K. Mulligan & Fred B. Schneider, Doctrine for Cybersecurity,
140 DAEDALUS 70, 77-88 (2011); Rattray et al., supra note 8, at 151-66. Others approach cyber-
security from an economic perspective. See THE LAW AND ECONOMICS OF CYBERSECURITY (Mark F.
Grady & Francesco Parisi eds., 2006); Coyne & Leeson, supra note 14, at 473-77; Powell, supra note
14, at 498-501; Rosenzweig, supranote 14, at 7-11.
20 Cf Samuel J. Rascoff, DomesticatingIntelligence, 83 S. CAL. L. REv. 575 (2010) (proposing an
administrative law framework for understanding domestic intelligence).

1507

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.133

 NORTHWESTERN UNIVERSITY LAW REVIEW

For instance, cyber-security resembles environmental law in that both

fields are primarily concerned with negative externalities. Just as firms tend
to underinvest in pollution controls because some costs of their emissions
are borne by those who are downwind, they also tend to underinvest in
cyber-defenses because some costs of intrusions are externalized onto
others. An attack on a power plant will not harm just the intended target; it
will also harm the company's customers and those with whom the company
has no relationship. Because firms do not bear the full costs of their
vulnerabilities, they have weaker incentives to secure their systems. Cyber-
security also resembles an antitrust problem. Antitrust law seeks to prevent
anticompetitive behavior, and it traditionally has been skeptical of
coordination among competitors. Some interfirm cooperation could
improve cyber-security-sharing information about vulnerabilities and
threats, for example, or developing industry-wide security standards. Yet
firms are reluctant to do so because they fear antitrust liability. Cyber-
security raises tort problems as well. Products liability law uses the threat

LA
of money damages to incentivize firms to take reasonable precautions when
designing their products, but this threat is almost entirely absent in the
IM
cyber-security context. Companies face little risk of liability to those who
are harmed by attacks on their systems or products, and they therefore have
weaker incentives to identify and patch vulnerabilities. Finally, cyber-
SH

security resembles public health. A key goal of public health law is

prevention-keeping those who have contracted a disease from spreading it
to the healthy, a form of negative externality. Public health law uses
vaccinations to promote immunity, biosurveillance to detect outbreaks, and
LU

quarantines to contain infectious diseases. Cyber-security has similar

goals--ensuring that critical systems are immune to malware, quickly
PN

detecting outbreaks of malicious code, and preventing contaminated

computers from infecting clean systems-and could use similar tools.
Approaching cyber-security from a regulatory vantage point does not
just yield a richer analytical framework. It also expands the range of
H

possible responses. If cyber-insecurity resembles problems that arise in

other regulatory contexts, then perhaps some of their solutions can be
adapted here; the more frameworks available, the longer the menu of policy
choices. Taken together, these disciplines suggest four groups of responses:
(1) monitoring and surveillance to detect malicious code, (2) hardening
vulnerable targets and enabling them to defeat intrusions, (3) building
resilient systems that can function during attacks and recover quickly, and
(4) responding in the aftermath of attacks.
First, public health law's distributed biosurveillance network might be
used as a model for detecting cyber-intrusions. Rather than empowering a
single regulator to monitor Internet traffic for outbreaks of malicious code,
private firms could be tasked with reporting information about the
vulnerabilities and threats they experience in the same way hospitals report
to public health authorities. To incentivize participation in this distributed

1508

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.134

107:1503 (2013) Regulating Cyber-security

surveillance network, firms might be offered various subsidies (on the

theory that cyber-security data is a public good that the market will tend to
underproduce) and liability protections (such as an exemption from the
antitrust laws). Second, we might harden targets by adopting industry-wide
security standards for companies that operate critical infrastructure. These
protocols should not be issued in the form of traditional regulatory
commands. Instead, as is sometimes the case in environmental law and
other fields, the private sector should actively participate in formulating the
standards. Tort law has a role to play as well: threats of liability and offers
of immunity might be used to incentivize firms to implement the protocols.
Third, because it is inevitable that some cyber-attacks will succeed, it is
important that critical systems are able to survive and recover. Public
health law offers several strategies for improving resilience. Systems that
are infected with malware might be temporarily isolated to prevent them
from spreading the contagion. Or firms might build excess capacity into
their systems that can be deployed in emergencies-the equivalent of

LA
stockpiling vaccines and medicines. Finally, although retaliation is
thoroughly addressed in the existing criminal law and armed conflict
literatures, there is one possible response that deserves brief mention here:
IM
"hackbacks," in which a victim counterattacks the attacker. Because the
counterattack might fall on a third party whose system has been conscripted
SH

by the intruder, hackbacks can incentivize those third parties to prevent

their systems from being so commandeered. Hackbacks also might weaken
attackers' incentives: if assailants know that counterattacks can render their
intrusions ineffective, they are less likely to commit them in the first place.
LU

This Article proceeds in three parts. Part I considers whether private

companies are investing socially optimal amounts in cyber-defenses. Part II
describes four regulatory frameworks-environmental law, antitrust law,
PN

products liability law, and public health law-and explains their relevance
to cyber-security. Part III surveys solutions used by these regulatory
disciplines and considers how to adapt them for the cyber-security context.
H

Several preliminary observations are needed. First, I use the terms

"cyber-attack" and "cyber-intrusion" interchangeably to denote any effort
by an unauthorized user to affect the data on, or to take control of, a
computer system. As used here, the terms include all of the following:
"viruses" (a piece of code that "infects a software program and then
ensures that the infected program reproduces the virus"2 1); "worms" ("a
stand-alone program that replicates itself"'22 ); "logic bombs" (malware that

21 O'Neill, supra note 19, at 246; accord Katyal, Criminal Law, supra note 10, at 1023; Sklerov,
supra note 19, at 14-15.
22 Katyal, CriminalLaw, supra note 10, at 1024; accord Sklerov, supra note 19, at 15. Viruses and
worms are similar. A principal difference is that viruses require human action to propagate-such as
clicking on a link or opening an attachment-but worms replicate on their own. CLARKE & KNAKE,
supranote 1, at 81; Katyal, CriminalLaw, supranote 10, at 1024; O'Neill, supra note 19, at 247.

1509

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.135

 NORTHWESTERN UNIVERSITY LAW REVIEW

"tells a computer to execute a set of instructions at a certain time or under

certain specified conditions"23 ); and distributed denial-of-service (DDOS)
attacks (in which a "master" computer conscripts "zombies" and orders
them to disable a victim by flooding it with traffic24 ). Second, this Article
emphatically is not a paean to traditional command-and-control regulation.
The conventional wisdom is to avoid cyber-security regulation,25 in part
because of doubts about the government's ability to manage such a
dynamic field. But, as I hope to show in the following pages, cyber-security
need not, and in many cases should not, be pursued with heavy-handed
regulatory tools. It is possible to promote better cyber-defenses with private
law, such as by modifying traditional tort law doctrines. As for public law,
regulation need not take the form of rigid legal commands backed by the
threat of sanction; regulatory objectives often can be attained by appealing
to private firms' self-interest-by offering positive incentives to improve
their defenses, not just by punishing them when they fall short. The private
sector's poor defenses may represent a market failure, as some have

LA
argued,26 but "[t]here's not much point in replacing a predictable market
failure with an equally predictable government failure."27
IM
I. AN EFFICIENT LEVEL OF CYBER-SECURITY
SH

Our national security depends on the security of our critical

infrastructure.28 A cyber-attack on these assets, most of which are held by
private firms, could be devastating: with a few keystrokes, adversaries
could hack into banks and corrupt customer data, take control of power
LU

plants and bring down the electricity grid, open the floodgates of dams, and
take telecommunications networks offline.29 Or worse. Despite the
magnitude of the threat, the conventional wisdom is that the private sector
PN

is not adequately protecting itself.30 This section surveys the available

evidence on the extent of private cyber-security expenditures. It then
H

23 Katyal, Criminal Law, supra note 10, at 1025; accord O'Neill, supra note 19, at 248.
24 STEWART A. BAKER, SKATING ON STILTS: WHY WE AREN'T STOPPING TOMORROW'S
TERRORISM 202-03 (2010); BRENNER, supra note 1, at 38-39; CLARKE & KNAKE, supra note 1, at 13-
14; Lin, supra note 19, at 70.
25 See CLARKE & KNAKE, supra note 1, at 108-09; see also Derek E. Bambauer, Ghost in the
Network, 164 U. PA. L. REv. (forthcoming 2014) (manuscript at 6), available at http://papers.ssm.com/
sol3/papers.cfm?abstract id=2232471 ("[C]ybersecurity is underregulated.").
26 See BAKER, supra note 24, at 237; CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 50;
Katyal, Digital Architecture, supra note 15, at 2285.
27 BAKER, supra note 24, at 237; accord Coyne & Leeson, supra note 14, at 490; Powell, supra
note 14, at 507.
28 See AM. BAR ASS'N, supra note 18, at 6-8; BRENNER, supra note 1, at 223.
29 See BRENNER, supra note 1, at 137-54; CLARKE & KNAKE, supra note 1, at 64-68; Stewart
Baker, Denial of Service, FOREIGN POL'Y (Sept. 30, 2011), http://www.foreignpolicy.com/articles/
2011/09/30/denial of service?print-yes&hidecomments=yes&page=fll.
30 See infra notes 34-41 and accompanying text.

1510

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.136

107:1503 (2013) Regulating Cyber-security

predicts that ordinary firms in competitive markets (like online retailers)

are more likely to be investing socially optimal amounts in cyber-defense,
while strategically significant firms in uncompetitive markets (like public
utilities) are more likely to be underinvesting.
The optimal level of cyber-intrusions is not zero, and the optimal level
of cyber-security expenditures is not infinity. From an economic
perspective, the goal is to achieve an efficient level of attacks, not to
prevent all attacks."' Suppose that the expected cost to society of a given
cyber-attack-its cost discounted by the probability that it will occur-is
$5 billion. It would be efficient for society to invest up to $5 billion in
countermeasures to prevent the attack. If the necessary countermeasures
cost more than $5 billion, the cost of preventing the attack would exceed
the resulting security gains.32 Relatedly, some intrusions are more
problematic than others. Cyber-security is a form of risk management,
where risk is a function of three variables: vulnerabilities, threats, and
consequences." A company with easily hacked systems, that faces a high

LA
probability of attacks from sophisticated foreign intelligence services, and
whose compromise would cause severe social harm raises very different
IM
problems than a company with relatively robust defenses, that is unlikely to
face skilled intruders, and whose compromise would have few
consequences for society.
SH

Are individual firms, and society as a whole, investing the right

amount in cyber-defense? Most observers believe that firms are
underinvesting-and are missing the mark by a wide margin. Richard
LU

Clarke proclaims the private sector response an "unmitigated failure,"34 and

scholars generally agree." Very little empirical data is available, but the
consensus view has at least some anecdotal support. Studies conducted in
PN

2009 and 2011 by McAfee, a computer security firm, revealed low levels
H

31 Coyne & Leeson, supra note 14, at 477-78.

32 Id. at 478.
3 See, e.g., Rosenzweig, supranote 14, at 7.
34 CLARKE & KNAKE, supra note 1, at 104.
See AM. BAR Ass'N, supra note 18, at 9; Banks & Parker, supra note 7, at 9; Katyal, Criminal
Law, supra note 10, at 1019; Bruce Schneier, Computer Security: It's the Economics, Stupid (May 16,
2002) (unpublished manuscript), available at http://www2.sims.berkeley.edu/resources/affiliates/
workshops/econsecurity/. But see Coldebella & White, supra note 14; Smith, supra note 17, at 173
n. 12. Some scholars argue that companies are providing a suboptimally high level of cyber-security.
Benjamin Powell reports that a 2000 study found that firms would invest in cyber-defenses if they were
expected to produce a 20% return on investment, which was considerably lower than the 30% return on
investment typically required for information technology investments. Powell, supra note 14, at 504.
What mechanism could account for a tendency to overinvest? A firm's IT department has incentives to
overstate the vulnerabilities the company faces, as cyber-security fears translate into a larger share of
the company's budget; for outside security vendors, such fears mean brisker business. Bambauer,
Conundrum, supra note 12, at 604-06; Calkins, supra note 19, at 198-99; Ross Anderson, Unsettling
Parallels Between Security and the Environment (May 16, 2002) (unpublished manuscript), available at
http://www2.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/.

1511

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.137

 NORTHWESTERN UNIVERSITY LAW REVIEW

of investment in cyber-defense. The studies found that many firms regard

cyber-security as little more than "a last box they have to check," 6 and that
they neglect network security because they find it too expensive." In
particular, McAfee found that companies often have weak authentication
requirements"-tools that can verify that the person who is accessing a
system is who he says he is, and is authorized to access the system. Even
fewer have systems that can monitor network activity and identify
anomalies.39 Other studies reveal that some companies' defenses are so
poor they don't even know when they've suffered an attack. Verizon
reported that "fully 75 percent of the intrusions they investigated were
discovered by people other than the victims and 66 percent of victims did
not even know an intrusion occurred on the system." Finally, a 2011 study
by the Ponemon Institute found "that 73 percent of companies surveyed
had been hacked, but 88 percent of them spent more money on coffee than
on securing their Web applications."'

LA
Are these levels of investment efficient? Whether a particular firm is
making socially optimal investments in cyber-security-and the related
issue of who should pay for that company's cyber-defenses-is a function
IM
of two intersecting questions. First, what is the defending firm? Is it a
regular company in a competitive market, an operator of critical
SH

infrastructure in an uncompetitive market, or something in between?

Second, who is the anticipated attacker? Is it a recreational hacker, a
foreign intelligence service, or someone in between?
LU
PN
H

3 McAFEE & CTR. FOR STRATEGIC & INT'L STUDIES, supra note 15, at 1.
37 McAFEE, IN THE CROSSFIRE: CRITICAL INFRASTRUCTURE IN THE AGE OF CYBER WAR 14
(2009), available at http://www.mcafee.com/us/resources/reports/rp-in-crossfire-critical-inf-astructure-
cyber-war.pdf.
See MCAFEE & CTR. FOR STRATEGIC & INT'L STUDIES, supranote 15, at 14.
Id. at 15. It would be a mistake to read too much into these findings. The study's methodology
was to survey business executives in about a dozen countries, MCAFEE, supra note 37, at 1, 41 n.1;
MCAFEE & CTR. FOR STRATEGIC & INT'L STUDIES, supranote 15, at 3, and it "was not designed to be a
statistically valid opinion poll with sampling and error margins." MCAFEE, supra note 37, at 1.
Moreover, a computer security company obviously stands to benefit from public perceptions that
security is lacking.
40 Rattray et al., supra note 8, at 155; accordJensen, Cyber Warfare, supra note 15, at 1536.
41 BRENNER, supranote 1, at
239.

1512

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.138

107:1503 (2013) Regulating Cyber-security

The range of possibilities can be depicted in a simple graph:

4-foreign governments

(1) (2)

yr sophistication 4-organized crime

:of attacker

retal ers %anks ISPs* Utilities

LA
aktivists
(4) (3)
IM
***Joe* *-recreational hackers
SH

(-)************...........................x: significance of target********* ***..............................(+)

The x-axis depicts the firms that might be subject to a cyber-attack.

LU

They are arranged from left to right in order of increasing strategic

significance. A strategically significant company is one whose compromise
PN

would result in substantial social harms. On the far left are relatively
insignificant firms in competitive markets-markets in which many
companies offer the same good or service, and where disappointed
consumers therefore may defect from one to another. An example would be
H

online retailers, such as Amazon.com. To the right are financial

institutions, which rate high on the strategic significance scale. Former
Director of National Intelligence Mike McConnell predicted that an attack
on a single bank "would have an order-of-magnitude greater impact on the
global economy" than 9/11.42 Banks operate in fairly competitive markets,
as consumers can easily move their accounts from one to another. Another
step to the right are Internet Service Providers (ISPs) and
telecommunications carriers. They, too, are strategically significant. When
Russia crippled Georgia's communications systems during their 2008 war,
citizens "could not connect to any outside news or information sources and

42 David E. Sanger et al., U.S. Plans Attack and Defense in Web Warfare, N.Y. TIMES, Apr.
28,
2009, at Al (quoting former Director of National Intelligence Mike McConnell); accord Sklerov, supra
note 19, at 19-20.

1513

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.139

 NORTHWESTERN UNIVERSITY LAW REVIEW

could not send e-mail out of the country."43 These markets are less
competitive; consumers typically have only a handful of Internet providers
or telephone companies to choose from. At the far right are power
companies and other public utilities. These firms rate high on the strategic
significance scale. A cyber-attack on the power grid would be truly
catastrophic. The industrial control, or SCADA," systems used by power
plants and other utilities are increasingly connected to the Internet.45
Hackers could exploit this connectivity to disrupt power generation and
leave tens of millions of people in the dark for months.46 They could even
destroy key system components like turbines.47 In 2009, the Stuxnet
worm-"the most sophisticated cyberweapon ever deployed" 4 -Caused
similar physical damage to Iran's nuclear program.4 9 Utility markets are
uncompetitive. Municipalities typically have only one power company or
natural gas supplier, and there is no meaningful prospect that disappointed
consumers will switch to a competitor.

LA
The y-axis depicts the assailants that might commit a cyber-attack.
They are arranged from bottom to top in order of increasing sophistication.
A sophisticated attacker is capable of compromising the most secure
IM
systems; unsophisticated attackers are only able to compromise relatively
unsecured systems. At the bottom are recreational hackers-intruders out
for "a digital joy ride."" One step above are "hacktivists." Hacktivists are
SH

relatively skilled hackers who use cyber-intrusions to advance a political

LU

43 CLARKE & KNAKE, supra note 1, at 19; see also BRENNER, supra note 1, at 39-40; Jensen, Cyber
Warfare,supra note 15, at 1540.
PN

The acronym stands for "supervisory control and data acquisition." CTR. FOR STRATEGIC &
INT'L STUDIES, supra note 8, at 54; CLARKE & KNAKE, supra note 1, at 98; Randal C. Picker,
Cybersecurity: Of Heterogeneityand Autarky, in THE LAW AND ECONOMICS OF CYBERSECURITY, supra
H

note 19, at 115, 126.

45 See BRENNER, supra note 1, at 97; CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 54;
Steven R. Chabinsky, Cybersecurity Strategy, 4 J. NAT'L SEC. L. & POL'Y 27, 27 n.l (2010); Condron,
supra note 19, at 407; Coyne & Leeson, supranote 14, at 474; Sklerov, supra note 19, at 18.
46 See BRENNER, supra note 1, at 105; CLARKE & KNAKE, supra note 1, at 99; Sean Watts,
Combatant Status and Computer Network Attack, 50 VA. J. INT'L L. 391, 404-05 (2010); Ellen
Nakashima & Steven Mufson, Hackers Have Attacked Foreign Utilities, CIA Analyst Says, WASH.
POST, Jan. 19, 2008, at A4.
47 See BRENNER, supra note 1, at I10; CLARKE & KNAKE, supra note 1, at 100; Gable, supra note
2, at 59-60; ECONOMIST, supranote 3, at 28.
48 William J. Broad et al., Israel Tests Called Crucial in Iran Nuclear Setback, N.Y. TIMES, Jan.
16, 2011, at Al; accord BRENNER, supra note 1, at 102; Ellen Nakashima, US. Systems Are Vulnerable
to Hackers, WASH. POST, Oct. 2, 2011, at A3; Kim Zetter, How Digital Detectives DecipheredStuxnet,
the Most Menacing Malware in History, WIRED (July 11, 2011, 7:00 AM), http://www.wired.com/
threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/all/.
49 BRENNER, supra note 1, at 103; Bambauer, Conundrum, supra note 12, at 585-86; John
Markoff, A Silent Attack, but Not a Subtle One, N.Y. TIMES, Sept. 27, 2010, at A6.
50 Dunlap, supra note 12, at
358.

1514

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.140

107: 1503 (2013) Regulating Cyber-security

agenda; they typically do not group themselves into formal organizations."

An example is "Anonymous," a loose association that in late 2010
launched DDOS attacks on financial institutions that refused to let
customers send money to WikiLeaks, an antisecrecy group that had
published a number of classified documents." Next are organized crime
syndicates, such as those operating out of Russia." They, too, are fairly
sophisticated. They engage in cyber-intrusions primarily for financial gain
and by definition they are structured organizations.54 International terrorists
might be placed here as well, though they have shown little enthusiasm or
aptitude for cyber-attacks thus far." However, al Qaeda reportedly
established "an academy of cyber-terrorism" in Afghanistan," and
computers taken from members contained information about SCADA
systems in the United States. At the top are foreign governments'
militaries and intelligence services. These are the most sophisticated
adversaries of all, and they are capable of breaking into even highly secure
systems. Internet giant Google recently saw its Gmail service penetrated by

LA
Chinese spies who wanted to eavesdrop on the Dalai Lama." Similarly,
RSA-a software firm that issues online security credentials for the
IM
Pentagon, defense contractors, and other sensitive enterprises-was
compromised so badly (probably by China) that it had to offer new
credentials to all its customers.59
SH

The curve roughly predicts the combinations of victims and attackers

that are likely to occur. Quadrant (4) involves high-frequency, low-severity
attacks. Retailers and other relatively insignificant firms will be targeted
LU

fairly often by comparatively unsophisticated recreational hackers and,

perhaps, by more sophisticated hacktivists who disapprove of their
corporate policies. (The Anonymous attacks on banks are a good example.)
PN

Quadrant (2) involves attacks that are low-frequency and high-severity.

More strategically significant firms like ISPs and public utilities will face
attacks from sophisticated militaries and intelligence services, and perhaps
H

51 See Byron Acohido, Hacktivists Will Be Busy This Year, Experts Warn, USA TODAY, Jan. 11,
2012, at IB.
52 Somini Sengupta, 16 People Arrested in Wave of Attacks on Web Sites, N.Y. TIMES, July 20,
2011, at B2.
Brian Krebs, Shadowy Russian Finn Seen as Conduit for Cybercrime, WASH. POST, Oct. 13,
2007, at Al5.
S4 See BRENNER, supranote 1, at 7-8, 25.
SCondron, supra note 19, at 405; Dunlap, supra note 12, at 359-60.
56 Joel P. Trachtman, Global Cyberterrorism,Jurisdiction,and InternationalOrganization,in THE
LAW AND EcoNoMics OF CYBERSECURITY, supra note 19, at 259, 259-60.
57 BRENNER, supranote 1, at 106.
See
S8 BAKER, supra note 24, at 208-13; BRENNER, supra note 1, at 46-47; Bambauer, Ghost,
supra note 25, at 2-3; Ellen Nakashima, Google to Enlist NSA to Ward Off Attacks, WASH. POST, Feb.
4, 2010, at Al; Rosenzweig, supranote 14, at 6.
59 Baker, supra note 29, at 2-3.

1515

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.141

 NORTHWESTERN UNIVERSITY LAW REVIEW

from organized crime syndicates seeking to extract blackmail payments.

These attacks will occur rarely, but they are likely to be devastating. In
quadrant (3), recreational hackers and hacktivists might launch attacks
against utilities and similarly significant enterprises, but these targets are
probably less attractive to them than they are to foreign militaries or
intelligence services."o In quadrant (1), foreign governments are unlikely to
target insignificant firms like retailers, because they gain little by
compromising them, though organized crime may do so (again, for
blackmail purposes).
We are now in a position to make predictions about various
companies' cyber-security expenditures. The closer we are on the curve to
the lower left corner, the higher the probability that the firm is investing a
socially optimal amount in cyber-defense. This is so in part because the
expected social cost of an attack on an ordinary company is fairly low.
Society will not grind to a halt if Amazon.com is knocked offline;

LA
bookworms might experience minor annoyance but they will still be able to
buy a copy of Gilead from Barnes & Noble. In addition, these companies
are unlikely to face attacks by skilled and determined foreign governments,
IM
so it is not necessary for them to spend huge sums of money on the very
best and most impregnable defenses. The efficient level of cyber-security
SH

investment for them thus is fairly low. Importantly, market forces may
provide these firms with meaningful incentives to protect their systems
against cyber-attacks. Retailers, banks, and similar companies operate in
competitive markets. The risk of customer exit provides them with strong
LU

incentives to cater to customer demand. If consumers want the companies

with which they do business to provide better security against cyber-
attacks-the jury is out on that question, incidentally"-they will have
PN

good reason do so.62

H

60 Zetter, supra note 48 ("[C]ontrol systems aren't a traditional hacker target, because
there's no
obvious financial gain in hacking them .... .").
61 Compare BRENNER, supra note 1, at 225-26 ("[S]oftware consumers buy on price, and they
haven't been willing to pay for more secure software."), and Paul M. Schwartz & Edward J. Janger,
Notification of DataSecurity Breaches, 105 MICH. L. REv. 913, 946-47 (2007) (noting that consumers
often lack direct relationships with the entities to which retailers outsource data processing and which
are often the targets of intrusions), with Dunlap, supra note 12 (arguing that the growth in online retail
will incentivize companies to invest in reliable computer security technology), and Doug Lichtman &
Eric P. Posner, Holding Internet Service Providers Accountable, in THE LAW AND ECONOMICS OF
CYBERSECURIfY, supra note 19, at 221, 256 ("[W]orms and viruses ... impose[] a cost on the average
user and thus reduce[] the incentive to subscribe.").
62 Note that current liability rules both diminish and augment these incentives. The Federal Wiretap
Act makes it a crime to intercept electronic communications, and some ISPs fear that this prohibition
prevents them from filtering botnet traffic or other malware; the threat of liability undermines their
incentives to improve the security of their systems. See infra notes 201-08 and accompanying text. By
contrast, the Gramm-Leach-Bliley Act requires banks, on pain of significant money damages, to
protect customer data against unauthorized access; the threat of liability amplifies their incentives to
improve the security of their systems. See infra notes 209-17 and accompanying text.

1516

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.142

107:1503 (2013) Regulating Cyber-security

The closer we are on the curve to the upper right corner-low-

frequency, high-severity cyber-attacks-the lower the probability that the
firm is adequately investing in cyber-security. First, the expected social
cost of such an intrusion is monumental. The consequences of an attack on,
say, the power grid would reverberate throughout the economy, causing
harm to the utility, its customers, and countless third parties. Because the
expected cost of an attack on these firms is so high, it is efficient to invest
greater sums in securing them against intruders. In addition, the modest,
low-cost defenses that are usually capable of thwarting recreational hackers
will do nothing to prevent intrusions by foreign governments; more
expensive countermeasures are needed to protect against these
exceptionally sophisticated adversaries. The socially optimal level of
cyber-security investment for these firms is thus fairly high.
Second, power companies and other utilities are not subject to market
forces that might incentivize them to improve their cyber-defenses. Utilities
face little if any competition; a given customer typically will be served by

LA
only one power company. Customer exit is essentially impossible, and the
utility therefore has weaker incentives to supply what its customers
IM
demand. This absence of beneficial market forces may help explain why
public utilities often fail to implement even relatively costless security
measures." Many electric companies use vendor default passwords to
SH

protect their SCADA systems," and a recent study found that they take an
average of 331 days to implement security patches for these systems. 5
Perhaps not coincidentally, hackers-most likely Chinese and Russian
spies-have been able to insert logic bombs into the power grid.66
LU

If this analysis is correct, then strategically significant firms in

uncompetitive markets are less likely to adequately invest in cyber-security
PN

than ordinary firms in competitive markets. The question then becomes

who should be responsible for securing these most sensitive companies
against the most dangerous adversaries. Economists often argue that risk
H

should be allocated to the low cost avoider.67 If the government can reduce
a vulnerability more efficiently than a firm, it should pay; if the firm can
reduce the vulnerability more efficiently, it should pay. But there is no
single low cost avoider in this context. Defending critical infrastructure

63 Availability bias is another reason why firms might tend to underinvest in cyber-defense. See
generally Timur Kuran & Cass R. Sunstein, Availability Cascades and Risk Regulation, 51 STAN. L.
REV. 683 (1999) (describing availability bias). The United States has not experienced a major cyber-
incident that has captured the public's imagination, so firms might irrationally discount the probability
that they will suffer a catastrophic attack. See MCAFEE, supra note 37; John Grant, Will There Be
Cybersecurity Legislation?, 4 J. NAT'L SEC. L. & POL'Y 103, 111 (2010).
6 McAFEE & CTR. FOR STRATEGIC & INT'L STUDIES, supra note 15, at 8.
65 BRENNER, supra note 1, at 98.
66 Siobhan Gorman, Electricity Grid in US. Penetrated by Spies, WALL ST. J., Apr. 8, 2009, at Al.
67 See LAWRENCE LESSIG, CODE VERSION 2.0, at 169-70 (2006); Katyal, Criminal Law, supra note
10, at 1095-96.

1517

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.143

 NORTHWESTERN UNIVERSITY LAW REVIEW

against sophisticated cyber-attackers is a task that features dueling

comparative advantages. Private firms typically know more than outsiders,
including the government, about the architecture of their systems, so they
often are in a better position to know about weaknesses that intruders might
exploit." The private sector thus has a comparative advantage at identifying
cyber-vulnerabilities. On the other hand, the government's highly skilled
intelligence agencies typically know more than the private sector about
malware used by foreign governments and how to defeat it.69 The
government thus has a comparative advantage at detecting sophisticated
attacks and developing countermeasures. This suggests that responsibility
for defending the most sensitive systems against the most sophisticated
adversaries should be shared.
What might such a partnership look like? All private firms might be
asked to provide a baseline level of cyber-security-modestly effective
(and modestly expensive) defenses that are capable of thwarting intrusions

LA
by adversaries of low to medium sophistication. The government would
then assume responsibility for defending public utilities and other sensitive
enterprises against catastrophic attacks by foreign militaries and other
IM
highly sophisticated adversaries.70 This division of labor-basic security
provided by firms, supplemental security provided by the government-is
SH

in a sense the opposite of what we see in realspace criminal law. In

realspace, the government offers all citizens a baseline level of protection
against criminals in the form of police officers, prosecutors, and courts.
Individuals may supplement these protections at their own expense, such as
LU

by installing alarm systems in their homes or hiring private security

guards." This arrangement also is consistent with our intuitions about the
respective roles of government and the private sector in times of conflict.72
PN

Consider another realspace analogy: in World War II, factories were not
expected to install anti-aircraft batteries to defend themselves against
Luftwaffe bombers." Nor should we expect power plants to defend
H

themselves against foreign governments' cyber-attacks. Protecting vital

national assets from destruction by foreign militaries is a quintessential,
perhaps the quintessential, government function.74
The division of labor I suggest also seems sound from an economic
standpoint. If a firm invested in extraordinarily expensive cyber-defenses

68 See infra notes 272-75 and accompanying text.

69 See infra notes 276-78 and accompanying text.
70 See Trachtman, supra note 56, at 272; Jeremy A. Rabkin & Ariel Rabkin, To Confront Cyber
Threats, We Must Rethink the Law ofArned Conflict, HOOVER INST. 4 (2012), http://media.hoover.org/
sites/default/files/documents/EmergingThreatsRabkin.pdf
71 See Rosenzweig, supra note 14, at 20.
72 See CLARKE & KNAKE, supra note 1, at
144.
7 Rosenzweig, supranote 14, at 25.
74 BRENNER, supra note 1, at 223; CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 15; see
Katyal, DigitalArchitecture,supra note 15, at 2282.

1518

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.144

107:1503 (2013) Regulating Cyber-security

capable of thwarting doomsday attacks by foreign intelligence services, it

would effectively be subsidizing the rest of the population. The company
would capture some benefits of increased security, but a large portion of
the benefits would be in the form of a positive externality conferred on
others." In other words, the firm would be providing a public good, a good
that is both nonrivalrous and nonexcludable." Economic theory predicts
that public goods will be underprovided on the market;" a standard
response is to subsidize their production." Here, the government might
provide a sensitive enterprise with a subsidy equal in value to its costs of
defending against the most sophisticated cyber-attackers.79 This subsidy
could take many forms. The government could either pay for the firm's
defenses directly or reimburse it for its cyber-security expenditures. Or the
company could be offered various tax credits, deductions, and other
benefits. Or it could be granted immunity from certain forms of legal
liability. (In that case, the subsidy would not run from society as a whole,
but from those who were injured by the firm's otherwise unlawful conduct

LA
and whose entitlement to redress had been extinguished. This sort of
subsidy is potentially regressive.) Or the government might provide the
IM
company with intelligence about the types of attacks it may face. This sort
of subsidy appears to be occurring already: the National Security Agency
(NSA) reportedly is providing malware signature files to Google and
SH

certain banks to help them detect sophisticated intrusions into their

systems.so
In short, private companies-especially firms that operate critical
infrastructure in uncompetitive markets-may not be adequately investing
LU

in defenses against the most devastating forms of cyber-attacks. The next

section explores several regulatory models that might be consulted when
PN

devising an appropriate response.

II. CYBER-SECURITY FRAMEWORKS, CONVENTIONAL AND

H

UNCONVENTIONAL
Cyberspace is beset by externalities." An externality is "an effect on
the market the source of which is external to the market";82 it occurs when

75 Supriya Samikar & D. Bruce Johnsen, Cyber Security in the National Market System,
6 RUTGERS Bus. L.J. 1, 16-17 (2009).
76 See infra notes 137-38 and accompanying
text.
See infra note 139 and accompanying text.
78 See, e.g., Nojeim, supra note 14, at 128.
Amitai Aviram, Network Responses to Network Threats, in THE LAW AND ECONOMICS OF
CYBERSECURITY, supra note 19, at 143, 149, 156; Bambauer, Conundrum, supra note 12, at 658;
Rosenzweig, supra note 14, at 25.
so See infra notes 277-78 and accompanying text.
81 See Picker, supra note 44, at 115.
82 Niva Elkin-Koren & Eli M. Salzberger, Law and Economics in Cyberspace, 19 INT'L REV. L. &
ECON. 553, 563 (1999).

1519

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.145

 NORTHWESTERN UNIVERSITY LAW REVIEW

an actor's conduct results in the imposition of a cost or benefit on a

nonconsenting third party. Externalities can be either positive or negative.
"Positive externalities occur whenever an activity generates benefits that
the actor is unable to internalize," such as through prices; "[n]egative
externalities occur when one's activity imposes costs on others" that
likewise are not transmitted through prices.83 Economic theory predicts that
the market will oversupply negative externalities relative to socially
optimal levels "because the producer will internalize all benefits of the
activity but not all of the costs."84 It also predicts that the market will
undersupply positive externalities because third parties will free ride."
Externalities thus represent a form of market failure." The standard
government response to a negative externality is to discourage the
responsible conduct (e.g., with taxation or regulation); the standard
response to a positive externality is to encourage the responsible conduct
(e.g., with a subsidy)."

LA
Cyber-security can be understood in these terms. If a company suffers
an intrusion, much of the harm will fall on third parties; the attack results in
a negative externality." It can be extraordinarily difficult to internalize
IM
these costs. The class of persons affected by the intrusion will often be so
large that it would be prohibitively expensive to use market exchanges to
internalize the resulting externalities; the transaction costs are simply too
SH

great. Nor can tort law internalize the costs, as firms generally do not face
liability for harms that result from cyber-attacks on their systems or
products." Because many companies do not bear these costs, they ignore
LU

them when deciding how much to spend on cyber-defense and therefore

tend to underinvest relative to socially optimal levels. (This is true both of
companies that produce computer products, such as software
PN

manufacturers, and companies that use them, such as ISPs and utility
companies.) Cyber-security also involves positive externalities.o A
company that secures itself against intruders makes it harder for assailants
H

to commandeer its systems to attack others. Investments in cyber-defense

thus effectively subsidize other firms. Because the investing company
doesn't capture the full benefit of its expenditures, it has weaker incentives
to secure its systems. And because other companies are able to free ride on
the investing firm's expenditures, they have weaker incentives to adopt
defenses of their own.

83 Id
84 Coyne & Leeson, supra note 14, at 479.
85 Id
Id; see also Timothy F. Malloy, Regulating by Incentives, 80 TEx. L. REV. 531, 534 n.13 (2002).
87 Coyne & Leeson, supra note 14, at 479; Rosenzweig, supra note 14, at 10.
88 See infra notes 126-32 and accompanying text.
89 See infra notes 190-94 and accompanying text.
90 See infra notes 134-44 and accompanying text.

1520

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.146

107:1503 (2013) Regulating Cyber-security

These externality and free-rider problems are largely overlooked in the

law review literature. The vast majority of commentary regards cyber-
security as a problem of the criminal law or the law of armed conflict." The
problem is not that these conventional approaches are mistaken. The
problem is that they are incomplete. Treating cyber-security as a matter for
cops or soldiers brings certain challenges into sharper focus. But it tends to
obscure other problems-problems that may be illuminated if we consult
alternative regulatory frameworks, such as environmental law, antitrust
law, products liability law, and public health law. In short, a wider
selection of analytical lenses allows us to fully comprehend cyber-security
challenges in all their complexity. The following sections will explore these
frameworks and their relevance for cyber-security.
A. The ConventionalApproaches: Law Enforcement andArmed Conflict
Scholars typically use a pair of analytical frameworks to understand

LA
cyber-attacks: criminal law and the law of armed conflict. Consider the
former first. Broadly speaking, the criminal law seeks to protect people
from unjustified acts of violence against their persons or property. The
IM
criminal law pursues this objective by imposing sanctions, such as
incarceration, on those adjudged to have violated the law. These penalties
SH

will punish those who have transgressed society's moral code (retribution),
dissuade the perpetrator or others from committing similar offenses in the
future (specific or general deterrence), isolate the dangerous perpetrator
from society (incapacitation), or teach the misguided perpetrator the error
LU

of his ways (rehabilitation). Cyber-attacks fit into this conceptual

framework fairly comfortably. A person who hacks into another's
computer may have thereby violated any number of laws, such as the
PN

federal Computer Fraud and Abuse Act.92 Society regards this sort of
conduct as sufficiently blameworthy that it proscribes it and subjects those
who engage in it to criminal penalties of varying severity.
H

Scholars who approach cyber-security from a law enforcement

perspective focus on the "whodunit" questions. Who was responsible for
launching this particular attack? Was it an individual hacker or a larger
criminal enterprise? This framework also emphasizes jurisdictional
questions." Which courts properly may exercise subject matter jurisdiction
over a given cyber-attack? 94 State courts, federal courts, or perhaps
international tribunals? Should jurisdiction be determined by the location of
the target? By the location of the attacker? By the location in which the
effects of the attack are felt? Should cyber-attacks be subject to universal

91 See sources cited supra note

19.
92 18 U.S.C.A.§ 1030 (West Supp. 2012).
See Gable, supra note 2, at 99-117.
94 See DAVID G. POST, IN SEARCH OF JEFFERSON'S MOOSE 163-71 (2009); Jack L. Goldsmith,
Against Cyberanarchy, 65 U. CHI. L. REV. 1199, 1200-01 (1998).

1521

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.147

 NORTHWESTERN UNIVERSITY LAW REVIEW

jurisdiction-the notion that a court may try certain crimes regardless of

where in the world they occurred?" How might courts gain personal
jurisdiction over those suspected of committing the attack, especially if
they are overseas? Do existing extradition treaties cover the range of
offenses that cyber-criminals might commit? Should the United States
negotiate new bilateral agreements with key international partners, such as
our European allies, or with countries in which cyber-attacks are likely to
originate, such as China and Russia? Or should there be a multilateral
global convention on cyber-crime, one that will facilitate extradition of
suspects from their home countries to the states in which they will stand
trial for their alleged crimes?
The law enforcement framework also emphasizes punishment and
deterrence." Certain economic theories of criminal law posit that a person's
willingness to commit crimes is a function of the expected penalty for that
activity-i.e., the sanction for the particular offense discounted by the

LA
probability that the person will get caught.97 The greater the sanction, and
the greater the likelihood of detection and punishment, the less likely a
person will choose to commit that crime. The question then becomes what
IM
should be done to increase the deterrent effect of laws that proscribe
various cyber-intrusions. Should the penalties for violating these statutes be
SH

increased? Should society invest more resources in detecting cyber-crime,

thereby increasing the probability that perpetrators will be caught and
punished?" Or should lawmakers pursue "cost deterrence," the objective of
which is to increase the costs one must incur to perpetrate cyber-crime?"
LU

The second conventional approach regards cyber-attacks from the

standpoint of the law of armed conflict (LOAC). The LOAC, also known
as international humanitarian law (IHL), is a body of international law that
PN

regulates a state's ability to use force in several ways. First, it sets forth the
circumstances in which a state lawfully may engage in armed conflict-the
jus ad bellum regulations. For instance, the United Nations Charter forbids
H

signatories "from the threat or use of force against the territorial integrity or
political independence of any state,"'" but also recognizes an inherent right

95 See generally Eugene Kontorovich, The Piracy Analogy: Modern Universal Jurisdiction's
Hollow Foundation,45 HARV. INT'L L.J. 183, 190-92 (2004) (describing universal jurisdiction).
96 See AM. BAR ASS'N, supra note 18, at 13; Gable, supra note 2, at 65; Katyal, Criminal Law,
supra note 10, at 1006, 1011, 1040; O'Neill, supra note 19, at 265-68; K.A. Taipale, Cyber-Deterrence
18 (Jan. 1, 2009) (unpublished manuscript), available at http://papers.ssm.com/sol3/papers.cfm?
abstract id=1336045.
9 See generally Gary S. Becker, Crime and Punishment:An Economic Approach, 76 J. POL. ECON.
169 (1968) (analyzing the economically optimal level of enforcement).
98 See id. at 169-95; George J. Stigler, The Optimum Enforcement ofLaws, 78 J. POL.
ECON. 526,
527 (1970).
Katyal, CriminalLaw, supra note 10, at 1006, 1012, 1039-40; see also O'Neill, supra note 19, at
265-88.
'" U.N. Charter art. 2, para. 4.

1522

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.148

107:1503 (2013) Regulating Cyber-security

to use force in self-defense against an "armed attack."o. Second, the LOAC

regulates what kinds of force may be used during an authorized armed
conflict-the jus in bello regulations. For instance, a state may not
deliberately kill civilians or destroy civilian infrastructure (the "distinction"
or "discrimination" principle), may not inadvertently inflict harm on
civilian populations and structures that is disproportionate to the
importance of the military objective ("proportionality"), and may not cause
more harm to legitimate targets than is needed to achieve the military
objective ("necessity"). 102
Scholars who see cyber-security as an armed conflict problem
typically focus on determining who was responsible for a particular
attack."' Was this attack launched by a state or an international terrorist
organization, in which case the LOAC may permit some form of military
retaliation? Or was it carried out by criminals, in which case the distinction
principle likely would rule out a military response? If the attacker was in
fact a state or terrorist group, which one? Was it China, or maybe Russia,

LA
or perhaps North Korea? Or was it al Qaeda, or al Qaeda in the Arabian
Peninsula, or Hezbollah? Until the identity of the assailant is known, it will
IM
be unclear against whom to retaliate-or whether retaliation is lawful at
all."
Another set of important questions concerns how to characterize a
SH

cyber-incident. Is a given intrusion espionage or an attack? It can be quite

difficult to answer that question because the steps an intruder would take to
steal information often are identical to the steps it would take to bring down
LU

a system. If the intrusion is properly understood as an attack, does it rise to

the level of an "armed attack" that triggers the right of self-defense?'
Should these questions be resolved with an "instrument-based" test, which
PN

counts a cyber-intrusion as an armed attack when it causes harms that

previously could have been caused only by a kinetic attack?0 6 Or a less
demanding "effects-" or "consequence-based" test, which counts a cyber-
H

intrusion as an armed attack when it has a sufficiently harmful effect on the

targeted state?o' Or an even less demanding "intent" test, which counts a

101U.N. Charter art. 51 ("Nothing in the present Charter shall impair the inherent right of
individual or collective self-defense if an armed attack occurs . . . .").
102 See generally ERIC A. POSNER & ADRIAN VERMEULE, TERROR IN THE BALANCE
261-66 (2007)
(describing LOAC principles); Eric A. Posner, A Theory of the Laws of War, 70 U. CHI. L. REV. 297,
298-99 (2003) (same).
103 Graham, supra note 19, at 92; Lin, supra note 19, at 77.
'" Condron, supranote 19, at
414.
105 Id. at 412-13; Graham, supra note 19, at 90-92; Jensen, Computer Attacks, supra
note 19, at
221; Lin, supra note 19, at 74. See generally Sklerov, supra note 19, at 50-59 (discussing various
analytical models under which a cyber-attack could be considered an "armed attack").
106 Graham, supra note 19, at 91; Sklerov, supra note
19, at 54.
107 See Graham,supra note 19, at 91; Schmitt, supra note 19, at 913-15; Sklerov, supra note 19, at
54-55.

1523

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.149

 NORTHWESTERN UNIVERSITY LAW REVIEW

cyber-intrusion as an armed attack whenever it evinces a hostile intent,

regardless of whether it causes actual damage?'o The LOAC approach also
addresses possible responses. When a nation suffers a cyber-attack, is it
limited to responding with a cyber-intrusion of its own?'0 9 Or may a victim
retaliate by launching a kinetic attack?..o How severe must the cyber-attack
be before a kinetic response would be justified?
Other problems for the LOAC arise from the fact that much of the
world's critical infrastructure is dual use-it serves a state's civilian
population but the state's political leadership and armed forces also rely
upon it."' In the United States, for instance, civilian networks carry up to
98% of the federal government's communications traffic," 2 including 95%
of defense-related traffic." 3 When, if ever, may a combatant direct a cyber-
attack at an adversary's dual-use infrastructure?" 4 Finally, the LOAC
focuses on deterrence. Given the differences between cyber-conflicts and
kinetic ones, how can a state dissuade its adversaries from committing

LA
cyber-attacks? Key differences include the difficulty in determining who
was responsible for a given intrusion, the possibility that a retaliatory
cyber-strike might end up harming innocent third parties more than the
IM
actual assailant, and the fact that different nations are more or less
dependent on cyber-infrastructure and therefore have more or less to lose
SH

from an exchange of cyber-weapons."'

A central problem for both the law enforcement and armed conflict
approaches to cyber-security is determining the identity of the assailant.
Attribution is extraordinarily difficult; the challenges are "staggering""'
LU

and "[n]o one has come close to solving" them."' The problem is inherent
PN

tos WALTER GARY SHARP, SR., CYBERSPACE AND THE USE OF FORCE
129-31 (1999). Some
scholars describe the intent test as a form of "strict liability." See, e.g., Graham, supra note 19, at 91;
H

Sklerov, supra note 19, at 55. This seems incorrect. A strict liability regime imposes liability solely on
the basis of the social harm produced by the actor's conduct, without reference to his mens rea. WAYNE
R. LAFAVE, CRIMINAL LAW § 5.5 (5th ed. 2010). It would be more accurate to say that the intent test
imposes liability solely on the basis of mens rea, without any requirement that the actor's conduct result
in social harm.
109 See Condron, supranote 19, at 415-16; Graham, supra note 19, at 90.
110 Jensen, ComputerAttacks, supranote 19, at 229-30.
I"I CLARKE & KNAKE, supra note 1, at 242; Brown, supranote 13, at 193-94.
112 Jensen, Cyber Warfare,supra note 15, at 1534.
13 Condron, supranote 19, at 407; Jensen, Computer Attacks, supra note 19, at 211.
114 See CLARKE & KNAKE, supra note 1, at 243; Brown, supra note 13, at 194; Jensen,
Cyber
Warfare,supra note 15, at 1543-46.
t15 CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 25-27; see also Lynn, supra note 19, at
99-100; James P. Terry, Responding to Attacks on Critical Computer Infrastructure,INT'L L. STUD.
421, 432-33 (2002).
1 Jensen, Computer Attacks, supranote 19, at 234.
117Lin, supra note 19, at 77; see also Dycus, supra note 11, at 163; Katyal, CriminalLaw, supra
note 10, at 1047-48; O'Neill, supra note 19, at 275.

1524

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.150

107:1503 (2013) Regulating Cyber-security

in the basic architecture of the Internet. The Internet's TCP/IP protocol"'

was designed to move packets of data as efficiently as possible; it is utterly
unconcerned with who sent them."' As such, it is fairly easy for attackers
to obscure their true identities by routing their intrusions through a series of
dispersed intermediary computers.120 These attribution difficulties can
severely frustrate the law enforcement and armed conflict approaches to
cyber-security.

B. Cyber-security as an EnvironmentalLaw Problem

Given the limits of the conventional cyber-security frameworks, it's
advisable to look for guidance in other legal disciplines-particularly the
regulatory disciplines that confront the same sorts of problems seen in the
cyber-security context. For instance, a principal goal of environmental law
is to regulate externalities. Various forms of environmental degradation
involve negative externalities-i.e., spillover costs that are imposed on

LA
third parties and that are not transmitted through prices. 2 ' Sometimes these
externalities are geographic: toxins emitted by a factory in Ohio might
affect residents of New York.' 22 Sometimes they are temporal: carbon
IM
emissions today might affect the planet's climate for future generations.'23
The critical point is that these costs are borne by people other than those
SH

who are responsible for the pollution, and market transactions cannot
readily be used to internalize the costs onto the polluter. Many scholars
therefore believe that regulatory controls are necessary.'24 These controls
often take the form of strict limits on regulated activity backed by the threat
LU

of civil damages or criminal sanctions,'25 though less coercive forms of

regulation exist.
Cyber-security can be understood in terms of negative externalities.'26
PN

A given firm-whether it is a company that produces or uses computer

118 TCP/IP is the primary way data is transmitted online. It stands for "Transmission
H

Control
Protocol/Intemet Protocol."
119 LESSIG, supra note 67, at 44; Bambauer, Conundrum, supra
note 12, at 595-96.
120 BRENNER, supra note 1, at 32; Gable, supranote 2, at 101; Graham, supra note 19,
at 92; Ruth
G. Wedgwood, Proportionality,Cyberwar,and the Law of War, 76 INT'L L. STUD. 219, 227 (2002).
121See supra notes 81-87 and accompanying text.
122 See, e.g., Massachusetts v. EPA, 549 U.S. 497, 521-25 (2007).
123 Richard J. Lazarus, A Different Kind of "RepublicanMoment" in EnvironmentalLaw, 87
MINN.
L. REv. 999, 1000, 1005 (2003).
124 See, e.g., id at 1005-06 (citing a "need for government regulation because of the spatial
and
temporal spillovers caused by unrestricted resource exploitation").
125 See, e.g., Clean Water Act, 33 U.S.C. § 1319(b)-(c) (2006) (providing civil and criminal
penalties); Clean Air Act, 42 U.S.C. §7413(b) (2006) (providing civil penalties).
126 Anderson, supra note 35. One potential difference between pollution and cyber-security
is that
pollution is a harmful byproduct of socially beneficial activity (such as manufacturing) whereas cyber-
attacks involve intentionally malicious conduct. See Rattray et al., supra note 8, at 171. Yet cyber-
intrusions likewise may be seen as a harmful byproduct of beneficial activity. A cyber-attack on a
computer is a byproduct of the computer being connected to the Internet. And connecting a computer to

1525

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.151

 NORTHWESTERN UNIVERSITY LAW REVIEW

products-will not bear the full costs of its cyber-insecurities. (By "cyber-
insecurity," I mean a firm's failure to implement defenses capable of
defeating a cyber-attack.) Instead, some of these costs are borne by third
parties; they are partially externalized.127 Imagine a cyber-attack that
disables a power plant. The intrusion would harm the utility as well as
consumers who buy electricity from itl 2 8-hospitals, manufacturers, and
others. The attack also would harm a number of third parties who have no
relationship with the power company-hospital patients, downstream
manufacturers in the supply chain, and so on. These "indirect effects of a
cyber attack are almost always more important to the attacker than the
direct effects."' 29 And it would be prohibitively expensive to internalize
them through market exchanges; the transaction costs would be staggering,
in part because it is extraordinarily difficult to identify the universe of third
parties affected by the intrusion.
The fact that many costs of cyber-attacks are externalized is

LA
enormously significant. Some commentators have argued that firms have
strong "financial incentives to protect [their systems] from cyber
attacks."' 30 Those incentives are weaker than might be supposed. A firm
IM
that is deciding how much to invest in securing its systems will not account
for the costs that an attack will impose on third parties."' Firms tend to
SH

oversupply pollution, since they capture all the benefits of the associated
productive activity but not all of the resulting costs. In a similar way, firms
tend to oversupply cyber-insecurity--or, to say the same thing, they tend to
undersupply cyber-defense-because they internalize all of the benefits but
LU

only some of the costs.'32 Firms thus may invest less in cyber-defense than
would be optimal from a societal standpoint.
The point can be illustrated with a simple hypothetical. Imagine a
PN

cyber-attack that will result in $1 million in expected costs for the target
firm and $10 million in expected costs for third parties. From a societal
standpoint, it would be worthwhile to invest up to $11 million to prevent
H

the attack. But from the company's standpoint, it would only be worthwhile
to invest up to $1 million. If the firm spent more than that, the cost of the

the Internet is socially beneficial because it produces network effects; by joining the network, the user
increases its value to all users. POST, supra note 94, at 47-49.
127 AM. BAR ASS'N, supra note 18; Schwartz & Janger, supra note 61, at 928; Anderson, supra
note 35; Jim Harper, Government-Run Cyber Security? No Thanks, CATO INST. (Mar. 13, 2009), http://
www.cato.org/publications/techknowledge/govemmentrun-cyber-security-no-thanks; Rosenzweig,
supra note 14, at 9-10.
128 Aviram, supra note 79, at 155; Lin, supra note 19, at 68.
129 Lin, supranote 19, at 68.
130 Nojeim, supra note 14, at 134; accordColdebella & White, supra note 14, at 236, 241; Dunlap,
supra note 12; Yang & Hoffstadt, supra note 15, at 203.
131See AM. BAR ASS'N, supra note 18; Coyne & Leeson, supranote 14, at 479; Rosenzweig, supra
note 14, at 9-10.
132 Coyne & Leeson, supra note 14, at 480.

1526

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.152

107: 1503 (2013) Regulating Cyber-security

precautions would exceed the benefit to the firm and the firm would be
conferring uncompensated benefits on third parties. Thus, there is a gap
between the welfare of the company and the welfare of society as a whole.
Levels of cyber-security investment that are efficient for particular firms
may turn out to be inefficient for society at large. 133
Cyber-security can also be understood as a positive externality. When
a firm expends resources to defend itself against intruders, that investment
can make other users' systems marginally more secure as well. This is so
because the defenses not only help prevent harm to the company's system,
they also help prevent the firm's system from being used to inflict harm on
others' systems.1 34 If Pepsi's network is well-defended, it is less likely to be
infected by a worm and thus less likely to transmit the malware through the
Internet to Coke. The effect is to decrease the overall incidence of
infection, but the investing firm does not capture the full benefit. A classic
positive externality. Cyber-defenses can differ from realspace defenses in
this respect. If I install an alarm in my home, that might prevent burglars

LA
from breaking into my house, but it will not necessarily decrease the
overall incidence of burglary. The alarm might simply displace the burglar
IM
who would have targeted me onto my neighbor"'-a form of negative
externality. By contrast, cyber-defenses can make my system more secure
at the same time they increase the overall security of the Internet."'
SH

Relatedly, some aspects of cyber-security resemble public goods."' A

public good is both nonrivalrous (one person's use of the good does not
reduce its availability for use by others) and nonexcludable (the owner of
LU

the good cannot prevent particular persons from using it)."' A classic
example of a public good is a large municipal park: the park is open to all
comers, and one person enjoying a crisp fall afternoon on a bench generally
PN

does not prevent anyone else from doing the same. Some scholars argue
that cyber-security information-information about the vulnerability of a
particular system, or the most effective way to counter a particular cyber-
H

133Sarnikar & Johnsen, supra note 75, at 15.

134 Katyal, Criminal Law, supra note 10, at 1081-82; O'Neill, supra note 19, at 278; Rosenzweig,
supranote 14, at 9.
135 O'Neill, supra note 19, at 278; see also Neal Katyal, Community Self-Help, 1 J.L. ECON. &
POL'Y 33, 46 (2005); Katyal, CriminalLaw, supra note 10, at 1081.
136 But see Bruce K. Kobayashi, Private Versus Social Incentives in Cybersecurity: Law and
Economics, in THE LAW AND ECONOMICS OF CYBERSECURITY, supra note 19, at 13, 16; Rosenzweig,
supranote 14, at 9.
137 See CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 50; Mulligan & Schneider, supra
note 19, at 71; Powell, supranote 14, at 498-99.
138Elkin-Koren & Salzberger, supra note 82, at 559; James Grimmelmann, The Internet Is a
Semicommons, 78 FORDHAM L. REv. 2799, 2806 (2010); Rosenzweig, supra note 14, at 8-9; see also
Harold Demsetz, The Private Production of Public Goods, 13 J.L. & ECON. 293, 295 (1970)
(distinguishing between nonrivalrous goods, which are properly characterized as public goods, and
nonexclusive goods, which are properly characterized as "collective goods").

1527

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.153

 NORTHWESTERN UNIVERSITY LAW REVIEW

threat-is a public good that the market will tend to underproduce.'" There
is also a sense in which defensive measures themselves are public goods.
Like a municipal park, cyber-defenses can be nonrivalrous.' 40 When Pepsi
expends resources to secure its computer network, that does not decrease
the amount of security available for Coke. Doing so can actually increase
security for third parties, as attackers will be unable to use Pepsi's secured
system as a platform to launch attacks on other companies. Cyber-defenses
also can be nonexcludable.14 ' When Pepsi secures its system against
conscription into a botnet-a network of "zombie" computers ordered by
the "master" to commence a DDOS attack' 42-it isn't possible to specify
which third parties will enjoy the benefit of Pepsi's immunity; for instance,
protecting Coke but not Snapple. All such users are thereby protected from
attacks launched from Pepsi's system.
Environmental law and the underlying economic principles it reflects
thus provide an important framework to understand the tendency of some

LA
firms to neglect cyber-defense. It's a free-rider problem.'43 Companies tend
to underinvest in cyber-defenses for the same reason they tend to
underinvest in pollution controls-because insecurities that result in
IM
successful attacks produce negative externalities that are borne by third
parties. Firms also tend to underinvest in cyber-defenses because such
SH

expenditures create positive externalities and provide opportunities for free

riding. "The individual undertaking the security precautions does not
internalize all the benefits, and will seek to free-ride off of the efforts taken
by others"; as a result, "theory predicts that security will be undersupplied
LU

on the market."'" Understood in these terms, the challenge for a cyber-

security regime is to internalize the externalities-to ensure that firms that
fail to secure their systems are made to bear the resulting costs.
PN

C. . .. as an Antitrust Problem
Antitrust law is another useful framework for understanding cyber-
H

security problems. The ultimate goal of antitrust, promoting consumer

welfare, is achieved by restraining businesses from engaging in
anticompetitive conduct. Antitrust law is especially concerned about the
possibility that firms will take coordinated action that undermines

139 Kobayashi, supra note 136, at 16; Rosenzweig, supra note 14, at 9. But see Amitai Aviram &
Avishalom Tor, Overcoming Impediments to Information Sharing, 55 ALA. L. REv. 231, 234-35, 240-
47 (2004) (arguing that information can be a rivalrous good, insofar as sharing it can cause a firm to
"los[e] a competitive edge over rivals that benefit from the information").
140 Kobayashi, supra note 136, at 20-21; Trachtman, supra note 56, at 270.
141 Trachtman, supra note 56, at 270.
142 See supra note 24.
143 Aviram & Tor, supra note 139, at 238; Elkin-Koren & Salzberger, supra note 82, at 559;
Trachtman, supra note 56, at 281; see also CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 50.
But see Powell, supra note 14, at 504-05.
'" Coyne & Leeson, supra note 14, at 480.

1528

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.154

107: 1503 (20 13) Regulating Cyber-security

competition-an agreement to divide a market, for instance. Antitrust also

is apprehensive about information sharing among competitors; such
exchanges, it is feared, "can facilitate anti-competitive collusion or
unilateral oligopolistic behavior."'45 Hence Section 1 of the Sherman Act
sweepingly prohibits "[e]very contract, combination in the form of trust or
otherwise, or conspiracy, in restraint of trade or commerce among the
several States." 46
Antitrust law often subjects coordinated conduct by multiple
competitor firms to stricter scrutiny than isolated conduct by a single
firm.1471The law condemns many such arrangements-namely, "naked"
restraints or coordinated actions that are "formed with the objectively
intended purpose or likely effect of increasing price or decreasing output in
the short run"l4 8-under a per se rule against cartelization. 49 With a per se
rule, there is no need to inquire whether a particular arrangement actually
has anticompetitive effects. Antitrust law takes a shortcut and simply
presumes that the conduct is harmful.5 0 This approach may lead to the

LA
occasional false positive--coordinated action that is actually beneficial to
consumers but that nevertheless is condemned as unlawful. But the
IM
conventional wisdom is that the costs of these false positives would be
dwarfed by the decision costs of distinguishing the small number of naked
restraints that are procompetitive from the much larger number that are
SH

anticompetitive.
Yet some interfirm cooperation is beneficial to consumers,"' and
antitrust law can struggle to determine whether a given instance of joint
LU

action is pro- or anticompetitive."' In the cyber-security context, various

forms of coordination and information sharing can help firms better defend
themselves against intrusions, and thus prevent consumers from incurring
PN

losses. Firms in a particular industry might agree to exchange threat

information."' An ISP that discovers it has been victimized by a particular
form of malware could alert others to be on the lookout for the same threat.
H

Or firms could share vulnerability information. 5 4 A power plant that learns

that its SCADA system can be compromised by a particular type of
intrusion could tell other companies about the vulnerability. Firms also

145 Aviram & Tor, supra note 139, at 236.

146 15 U.S.C. § 1 (2006).
147 HERBERT HOvENKAMP, FEDERAL ANTITRUST POLICY: THE LAW OF COMPETITION AND ITS
PRACTICE § 5.1, at 211 (4th ed. 2011); see also id. § 5.1b, at 214-16.
148 Id.§ 5.1a, at 212.
149 Id. § 5.1, at211.
150 Id. § 5.1, at 211-12.
151See id. § 5.1, at 211; Aviram & Tor, supra note 139, at 231.
152 See HOVENKAMP, supra note 147; Aviram & Tor, supra note 139, at 236.
153 See Emily Frye, The Tragedy of the Cybercommons, 58 Bus. LAW. 349, 368-69 (2002);
Lichtman & Posner, supra note 61, at 236.
154 Aviram & Tor, supra note 139, at 263.

1529

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.155

 NORTHWESTERN UNIVERSITY LAW REVIEW

might share countermeasure information. A company might discover an

especially effective way to defend against a DDOS attack, and the
company might notify other firms to use the same technique. Finally, an
industry might agree to establish a uniform set of cyber-security standards,
along with monitoring and enforcement mechanisms to ensure that all
members are implementing the agreed-upon measures. They might, in other
words, form something like a cartel.
Which brings us to the problem. Coordinating on cyber-defense could
give rise to antitrust liability, and firms therefore are reluctant to share
information or to adopt common security standards.' These liability fears
appear to be fairly widespread. A 2002 analysis found that, among the
private sector's "major concerns about fully communicating
cybervulnerabilities," one of the most important is "the potential for
antitrust action against cooperating companies."' 56 In a 2009 report, the
American Bar Association (ABA) likewise recounted the concerns of

LA
several firms that "antitrust laws created a barrier to some forms of
sharing" cyber-security information.' Government officials have reported
the same fears. The White House's 2009 Cyberspace Policy Review
IM
acknowledged that some interfirm coordination takes place, but went on to
report that "some in industry are concerned that the information sharing
and collective planning that occurs among members of the same sector
SH

under existing partnership models might be viewed as 'collusive' or

contrary to laws forbidding restraints on trade."' 58
These concerns seem well-founded. There are a number of scenarios in
LU

which cyber-security coordination could trigger liability under federal

antitrust statutes. For instance, suppose that firms in a particular industry
PN

155 Cf Jonathan H. Adler, Conservation Through Collusion: Antitrust as an Obstacle to Marine

H

Resource Conservation, 61 WASH. & LEE L. REv. 3 (2004) (arguing that antitrust regulation
discourages cooperative interfirm efforts to control effects of pollution on marine life).
156 Frye, supra note 153, at 374. The other two reported concerns are "an increased risk of liability"
and the "loss of proprietary information." Id.
157 AM. BAR ASS'N, supra note 18, at 10.
15 EXEC. OFFICE OF THE PRESIDENT, supra note 6, at 18-19. But see BRENNER, supra note
1, at
228 (dismissing the fear that cyber-security coordination might give rise to antitrust liability as
"overblown"); Rosenzweig, supra note 14, at 16 (same). Cyber-security experts sometimes exchange
information about threats and vulnerabilities notwithstanding the antitrust laws. For instance, an
informal collaboration between researchers at Symantec, the computer security company, and several
freelance computer experts in Europe revealed that Stuxnet, originally thought to be a "routine and
unambitious" piece of malware, was in fact a sophisticated cyber-weapon aimed at Iran's nuclear
program. Zetter, supra note 48. This episode is important for two reasons. First, it confirms that
information sharing can produce significant cyber-security gains. Second, it suggests that information
sharing is more likely to take place where there is little risk of antitrust liability. Symantec and
European researchers could freely exchange information because they did not offer competing goods or
services, so the arrangement was unlikely to be condemned as a contract, combination, or conspiracy in
restraint of trade.

1530

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.156

107:1503 (2013) Regulating Cyber-security

agree to implement a uniform set of cyber-security practices.'" It is

improbable that these new standards would be costless. Whether the
companies have agreed to purchase and install new firewall software, or to
transition from vulnerable commercial-off-the-shelf (COTS) systems to
more expensive proprietary systems, the measures are likely to affect their
bottom lines. Industry members might decide to absorb these increased
costs, depending on the elasticity of consumer demand for the goods or
services they offer. But they might further decide to pass on these costs to
consumers, either in the form of a general price hike or as a free standing
surcharge. Would the arrangement be lawful? This sort of venture may
amount to price fixing in violation of Section 1 of the Sherman Act.'60 Even
if the participating firms do not set a specific price for their products (e.g.,
everyone will now charge $50 for widgets instead of $45), they still
establish a premium that will be assessed for their products (e.g., everyone
will increase the price they charge for their widgets by $5). The economic
effect is the same. Indeed, the arrangement may even amount to a "naked"

LA
restraint that results in reflexive condemnation under the per se rule.'
As a second example, consider an arrangement that imposes no new
IM
costs on consumers-at least not directly. Suppose firms in a particular
industry agree to install intrusion-detection or -prevention capabilities to
scan for malware on their networks.'62 These systems rely on a technique
SH

known as "deep-packet inspection," in which all data traversing the

network is scanned and checked against signature files of known
malware." The effect is often to slow down the network's performance,
sometimes dramatically." Suppose further that the firms decide to absorb
LU

the costs of the monitoring or detection system rather than pass them on to
their consumers. Would that forbearance save the arrangement from
PN

159 Cf Nat'l Soc'y of Prof I Eng'rs v. United States, 435 U.S. 679 (1978) (invalidating an industry
group's safety standards that prohibited members from engaging in competitive bidding).
160 See 15 U.S.C. § 1 (2006).
H

161See HOVENKAMP, supra note 147, § 5.1a, at 212. The venture also might stand condemned as an
unlawful tying arrangement. Tying occurs when a firm requires a consumer to purchase one product as
a condition of purchasing another. Id. § 10.1, at 435. For instance, Canon refuses to sell you a camera
unless you also buy a flash. Like naked restraints, tying arrangements are often reviewed under a per se
rule, especially where the firm has market power. But see Jefferson Parish Hosp. Dist. No. 2 v. Hyde,
466 U.S. 2, 40 & n.10 (1984) (O'Connor, J., concurring in the judgment) (arguing that tying
arrangements should be reviewed under a rule of reason). Transferring the increased costs of cyber-
security to consumers might be seen as an effort to force them to buy a new security product in addition
to the firm's basic product. Imagine a bank that previously would have offered financial services, such
as the ability to use a credit card, for $45 a year. After the agreement, it now sells financial services plus
enhanced security for $50 a year. Firms might fear that regulators and private litigants will regard that
additional $5 as the price for a separate product, cyber-security, which consumers may or may not
independently wish to purchase. See sources cited supranote 61.
162 See POST, supra note 94, at 85.
163 See CLARKE & KNAKE, supra note 1, at 161-62; LESSIG, supra note 67, at 55-56; Lynn, supra
note 19, at 103.
164 See CLARKE & KNAKE, supra note 1, at 81; Smith, supra note 17, at 180.

1531

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.157

 NORTHWESTERN UNIVERSITY LAW REVIEW

antitrust liability? Not necessarily. The shared security standards still

plausibly could be described as an unlawful price-fixing agreement. While
the participating companies have not agreed to raise prices directly, they
have indirectly accomplished something similar; instead of requiring
consumers to pay a higher price for the same product, the firms have
agreed to require consumers to pay the same price for a lesser product
(where speed is an important component of the product's value).
Notice that clear and unambiguous prohibitions on interfirm
coordination may not be necessary to deter businesses from participating in
joint cyber-security ventures. Mere uncertainty about the applicability of
the antitrust laws-and the corresponding risk of liability-may be enough.
The deterrent effect is likely to be especially strong because of the severe
sanctions that may be imposed on antitrust defendants. Firms that are
alleged to have violated federal antitrust laws face criminal prosecutions as
well as federal civil actions,' state civil actions,' 6 and lawsuits by
aggrieved private parties.' Each type of civil litigation carries the prospect

LA
of treble damages payouts to the successful plaintiffs.' 8 Private firms
therefore will have good reasons to avoid coordinating their efforts to
IM
improve cyber-security.
To be sure, fear of antitrust liability is not the only reason firms are
reluctant to coordinate and share information. The difficulties of forming
SH

and maintaining cartels are well-known. Among other problems, individual

cartel members have strong incentives to cheat, such as by offering a
greater quantity of product or by charging a different price than allotted by
LU

the cartel.' 69 In the cyber-security context, businesses will have comparable

incentives to shirk their responsibilities to implement any agreed-upon (and
likely costly) security standards. In addition, firms may be especially
PN

reluctant to share information with their competitors.'70 If a firm discovers

an effective way to defend its systems against a particular form of cyber-
intrusion, that information gives it a comparative advantage over rivals that
H

may not be as adept at protecting their own networks. Sharing the

information with competitors enables them to free ride and thereby
eliminates the firm's comparative advantage. As such, even if fears of
antitrust liability were eliminated completely, it is doubtful that firms
would fully cooperate with one another. Nevertheless, liability concerns
appear to be a significant impediment to cyber-security coordination and

165 § 15a.
166 Id. § 15c.
167 Id. § 15.
168 Compare id.§ 15(a) (treble damages in private lawsuits), with id. § 15a (treble damages in
lawsuits by United States), with id. § 15c(a)(2) (treble damages in lawsuits by state attorneys general).
169 See HOVENKAMP, supra note 147, § 4.1a, at 161-68.
170 Aviram & Tor, supra note 139, at 252-54; accord Nathan Alexander Sales, Share
and Share
Alike, 78 GEO. WASH. L. REv. 279, 319-20 (2010).

1532

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.158

107:1503 (2013) Regulating Cyber-security

information sharing. Reducing these fears would not by itself ensure

cooperation, but might make it more likely at the margin.

D. . . . as a ProductsLiability Problem
Private investment in cyber-security also resembles a tort problem-
more precisely, a products liability problem. Broadly speaking, the law of
products liability has two complementary goals."' First, from an ex post
perspective, the law seeks to compensate consumers injured by products
that did not perform as expected. Second, from an ex ante perspective,
products liability law uses the risk of money damages to incentivize firms
to take reasonable precautions when designing and manufacturing products.
The branch of products liability law that is most relevant to cyber-
security is design defects. In a design defect case, the theory is that "the
intended design of the product line itself is inadequate and needlessly
dangerous."l72 (By contrast, a manufacturing defect occurs when a product

LA
suffers from "a random failing or imperfection,""' such as a crack in a
Coke bottle that causes it to explode,'74 and a marketing defect occurs when
an otherwise safe product "become[s] unreasonably dangerous and
IM
defective if no information explains [its] use or warns of [its] dangers.")"'
In its infancy, products liability law typically assigned blame on a theory of
SH

strict liability."' A plaintiff could recover damages by establishing that a

given product had a defective design and that he was injured by that defect;
it wasn't necessary to show that the manufacturer was negligent, or
otherwise blameworthy, in producing the defect."' The modem approach
LU

abandons strict liability in favor of a negligence standard."' How do courts

determine whether a manufacturer was at fault when it produced a product
with a design defect? One common approach is the risk-utility test."' The
PN

test, which has its roots in Learned Hand's negligence formula,'" compares
H

171 See, e.g., DAN B. DOBBS, THE LAW OF TORTS § 353, at 975-76 (2000); WILLIAM
M. LANDES &
RICHARD A. POSNER, THE ECONOMIC STRUCTURE OF TORT LAW 4-5 (1987).
172 DOBBS, supra note 171, § 355, at 980; accord MICHAEL . KRAUSS, PRINCIPLES
OF PRODUCTS
LIABILITY 81 (2011).
173 DOBBS, supra note 171, § 355, at 979.
174 See Lee v. Crookston Coca-Cola Bottling Co., 188 N.W.2d 426 (Minn. 1971).
175DOBBS, supra note 171, § 355, at 981.
176 See, e.g., Greenman v. Yuba Power Prods., Inc., 377 P.2d 897, 901 (Cal. 1963); RESTATEMENT
(SECOND) OF TORTS § 402A (1965).
1 DOBBS, supra note 171, § 353, at 974-75.
178 See RESTATEMENT (THIRD) OF TORTS: PRODUCTS LIABILITY § 1 cmt. a, at 7 (1998); see also
DOBBS, supra note 171, § 353, at 977; KRAUSS, supra note 172, at 40; LANDES & POSNER, supra note
171, at 292.
179 RESTATEMENT (THIRD) OF TORTS: PRODUCTS LIABILITY § 2 cmts. a & f, at 15-17; see also
DOBBS, supra note 171, § 357, at 985-87 (describing the risk-utility test); LANDES & POSNER, supra
note 171, at 291-92 (describing the test in terms of "cost-benefit").
180 See United States v. Carroll Towing Co., 159 F.2d 169, 173
(2d Cir. 1947).

1533

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.159

 NORTHWESTERN UNIVERSITY LAW REVIEW

"the risks of the product as designed against the costs of making the
product safer.""' If the risks can be reduced by a significant amount at a
relatively low cost, a manufacturer that declines to do so is negligent. If the
risks can be reduced only by a small amount at a relatively high cost, a
manufacturer that declines to do so is not negligent.
Tort liability creates important incentives for manufacturers to prevent
or eliminate design defects.'82 Imagine a company that makes residential
furnaces; it is trying to decide whether to remedy a design defect that
increases the probability that the furnaces will explode. The company will
do so if the expected benefits of reducing the risk of explosion exceed the
expected costs of making the fix. Without tort liability, the benefit of
making defect-free furnaces is lower than it otherwise would be. Furnaces
that occasionally explode would damage the firm's reputation, and some
consumers likely would buy competitors' products instead. The
manufacturer benefits to the extent it reduces these harms. But it does not

LA
face the prospect of paying money damages to homeowners whose houses
burned down. The cost-benefit calculus looks very different once a
products liability regime is in place. Tort liability increases a firm's
IM
expected benefit of remedying design defects-namely, the benefit of
foregone money damages, discounted by the probability that they would be
SH

awarded. It thus increases the number of circumstances in which firms will

find it welfare maximizing to improve the safety of their products. The
result is that, at the margin, products will be safer than they otherwise
would be.
LU

Internet-related goods and services sometimes suffer from design

defects that increase their vulnerability to cyber-attacks. 3 Perhaps the best
known example is Microsoft Windows. The operating system software,
PN

which accounts for more than 90% of the PC market,'84 is notoriously

riddled with vulnerabilities. These flaws stem in part from the software's
size. In 2006, Microsoft projected that Windows Vista would feature some
H

50 million lines of code, compared to 35 million for Windows XP (released

in 2001) and just 15 million for Windows 95 (released in 1995).185 It is
more or less inevitable that the programmers who write these millions of
lines will make mistakes, and it can be quite difficult to detect and repair
them.16 (Given that it probably would cost a great deal to eliminate all of
these vulnerabilities, the failure to do so may not be negligent under the

181 DOBBS,supranote 171, § 357, at 985.

182 See LANDES & POSNER, supranote 171, at 10-11 (discussing the deterrent effects of tort law).
183 See Lichtman & Posner, supra note 61, at 255.
1" Steve Lohr & John Markoff, Windows Is So Slow, but Why?, N.Y. TIMES, Mar. 27, 2006, at Cl.
185 Id.
186 See DOROTHY E. DENNING, INFORMATION WARFARE AND SECURITY 12
(1999); Bambauer,
Ghost, supra note 25, at 9-10; Katyal, DigitalArchitecture, supra note 15, at 2264-65; Mulligan &
Schneider, supra note 19, at 72.

1534

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.160

107:1503 (2013) Regulating Cyber-security

risk-utility test.)"' Other examples abound. Indeed, many of the

vulnerabilities described in Part I can be understood as the results of design
defects. Consider the decision by power companies to connect generators
and other elements of the electrical grid to the Internet. This might be
described as a form of defective system design, in that Internet connectivity
exposes the nation's power grid to potentially catastrophic cyber-attacks in
exchange for relatively modest benefits."' The same can be said of
companies that continue to protect their SCADA systems with vendor-
supplied default passwords'89-a defect, incidentally, that could be
remedied at a negligible cost.
The incentives to cure these design defects are fairly weak because
poor cyber-security generally does not trigger civil liability.1 90 One reason
for this is a venerable chestnut of tort law known as the economic loss
doctrine. The economic loss doctrine provides that, while a defendant who
causes physical injuries is also liable for any resulting economic harms, he
generally is not liable for freestanding economic harms.191 Many of the

LA
harms that would result from a cyber-attack on, say, the power grid or the
financial sector would be purely economic in nature. An automobile
IM
manufacturer might be unable to run its assembly line because the power is
out, or a consumer might default on a loan because he can't make a
payment online. Few of these harms would derive from a physical injury,
SH

and they therefore would not be actionable. For instance, in 2009, the
Supreme Judicial Court of Massachusetts dismissed a lawsuit brought by
credit unions against a retailer after hackers accessed the retailer's
computer systems and stole customer credit card data.19 2 The court agreed
LU

with the lower court's conclusion that, because "the plaintiffs suffered only
economic harm due to the theft of the credit card account information," the
PN

"economic loss doctrine barred recovery on their negligence claims." 93

187 But see Lichtman & Posner, supra note 61, at 255 (arguing that improving the security
H

of
Windows "is simply a matter of investing more resources in product design as well as testing").
188 See supra notes 44--49 and accompanying
text.
189 See supra notes 63-65 and accompanying
text.
190 See BRENNER, supra note 1, at 224; Schneier, supra note 35, at 2.
191See DOBBS, supra note 171, § 452, at 1282, 1285-87 (discussing the economic loss doctrine as
well as exceptions and modifications to the rule); LANDES & POSNER, supra note 171, at 251. The rule
has two familiar rationales: first, "financial harm tends to generate other financial harm endlessly and
often in many directions" and liability "would be onerous for defendants and burdensome for courts,"
and second, the notion that "contract law is adequate to deal with the problem and also usually more
appropriate." DOBBS, supra note 171, § 452, at 1283.
192 See Cumis Ins. Soc'y, Inc. v. BJ's Wholesale Club, Inc., 918 N.E.2d 36, 39, 49-51 (Mass.
2009).
193 Id. at 46-47; accord Pa. State Emps. Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317,
330 (M.D. Pa. 2005) ("A plaintiff must show physical damage to property, not its tangible nature, to
avoid the application of the economic loss doctrine."), af'd in part sub nom. Sovereign Bank v. BJ's
Wholesale Club, Inc., 533 F.3d 162, 176-78 (3d Cir. 2008). But see Lone Star Nat'1 Bank, N.A. v.
Heartland Payment Sys. Inc., 729 F.3d 421 (5th Cir. 2013) (concluding that New Jersey tort law did not

1535

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.161

 NORTHWESTERN UNIVERSITY LAW REVIEW

Cyber-attacks that cause physical injuries would remain actionable, as

would any resulting economic harms. So, for instance, if an attacker
exploited a design defect in a dam's control system and opened the
floodgates,1 94 the dam operator might be held liable for the deaths of the
downstream landowners and any corresponding economic losses.
The problem also can be understood in Coasean terms.' Consider the
famous example of a train that emits sparks that bum the wheat in
neighboring fields."' Regardless of whether the legal entitlement is initially
assigned to the railroad (a right to emit sparks) or the farmers (a right to be
free from incinerated crops), the parties will bargain to reallocate the
entitlement to its socially most efficient use, assuming that the transaction
costs are sufficiently small. In the cyber-security context, the absence of
tort liability essentially grants firms a legal right to refrain from taking
precautions that would protect third parties from attacks on their systems or
products. This may be an efficient allocation of the legal entitlement in

LA
some contexts, but not always. In these latter circumstances, companies and
third parties theoretically should negotiate and establish a new legal right to
be free from harm due to cyber-intrusions. But Coasean bargaining over
IM
cyber-security seems unlikely to occur because of the staggering
transaction costs. It would be prohibitively expensive, if not impossible, for
SH

companies to bargain with everyone who conceivably could be injured by

cyber-attacks on their systems or products.
Beyond tort, it is doubtful that other sources of law will threaten
cyber-security shirkers with liability. Contract law does not seem well
LU

suited to the task. Software manufacturers typically do not offer warranties

that their products are secure.' Indeed, some do not "sell" software at all.
They merely grant a license, and users cannot install the software unless
PN

they click a button to accept terms and conditions that usually include a
limit on the manufacturer's liability.' Likewise, federal law extends broad
immunity to ISPs. Section 230 of the Communications Decency Act
H

provides that an ISP will not "be treated as the publisher or speaker of any
information provided by another information content provider." 9 9 At least
one federal appellate court has interpreted this statute to foreclose a lawsuit
alleging that an ISP negligently failed to prevent malware from being sent

bar recovery for economic harms resulting from a cyber-intrusion); Patco Constr. Co. v. People's
United Bank, 684 F.3d 197 (1st Cir. 2012) (upholding liability under contract governed by Uniform
Commercial Code for economic harms resulting from a cyber-intrusion).
194 Frye, supra note 153, at 350; Sklerov, supra note 19, at 20.
195 See R.H. Coase, The Problem of Social Cost, 3 J.L. & ECON. 1 (1960).
196 See id. at 29-34.
' See Frye, supranote 153, at 367.
198 See BRENNER, supra note 1, at 224.
199 47 U.S.C. § 230(c)(1) (2006).

1536

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.162

107:1503 (2013) Regulating Cyber-security

over its network. 200 From the standpoint of a profit-maximizing firm, the
expected benefits of remedying a cyber-vulnerability often will be lower
than the expected costs. Without the prospect of tort liability, firms have
weaker incentives to invest in measures to secure their systems and
products against cyber-attacks.
Not only do liability fears fail to incentivize firms to take better
precautions against cyber-attacks, they can actually discourage them from
doing so. Companies sometimes are reluctant to better secure their systems
because of concerns that these steps could expose them to civil liability.
For instance, ISPs typically do not offer assistance if they discover that
their customers' PCs have been infected by malware. ISPs often are able to
tell, through routine traffic analysis, that a particular machine on the
network is part of a botnet or has been infected by a worm.20 ' "[B]ut they
don't dare inform the customer (much less cut off access) out of fear that
customers would ... try to sue them for violating their privacy."202 Doing

LA
so might even be a crime. The Federal Wiretap Act makes it unlawful to
"intentionally intercept[] . . . any wire, oral, or electronic
communication," 203 and some companies fear that filtering botnet traffic or
IM
other malware might fall within this prohibition.204 And while federal law
makes an exception for ISPs that intercept communications to protect their
own property,205 there is no parallel exception for intercepts intended to
SH

protect the property of subscribers. Likewise, some ISPs use deep packet
inspection to examine the data streams on their networks for malicious
code. This is probably lawful under the exception mentioned above, or a
LU

separate exception for "mechanical or service quality control checks."206

But even when they uncover malware, ISPs "have been reluctant to 'black
hole' (or kill) malicious traffic because of the risk that they might be sued
PN

by customers whose service is interrupted."207 Again, as in the antitrust

context, even if the applicable service contracts or state and federal laws do
not clearly forbid these measures, the mere risk of liability may be enough
H

to dissuade firms from undertaking them.208

While firms with poor cyber-defenses generally do not face the
prospect of civil lawsuits, there is one context in which a credible liability
threat exists. The Gramm-Leach-Bliley Act of 1999 (GLB Act) imposes

200 Green v. Am. Online (AOL), 318 F.3d 465, 470-72 (3d Cir. 2003). See
generally Lichtman &
Posner, supranote 61, at 251-52 (discussing Green case).
201 See BRENNER, supra note 1, at 229; CLARKE & KNAKE, supranote 1, at 164-65.
202 CLARKE & KNAKE, supra note 1, at 164-65; accordBRENNER, supra note 1, at 229; Coldebella
& White, supranote 14, at 236-37.
203 18 U.S.C. § 2511 (1)(a) (2006).
204 BRENNER, supra note 1, at 229-30.
205 § 2511(2)(a)(i).
206 Id.
207 CLARKE & KNAKE, supra note 1, at 163; see also MCAFEE, supra note 37, at 5.
208 See supra notes 165-68 and accompanying text.

1537

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.163

 NORTHWESTERN UNIVERSITY LAW REVIEW

liability for data breaches in the financial services sector. The Act directs a
group of federal agencies, such as the Federal Trade Commission (FTC)
and the Federal Deposit Insurance Corporation, to issue data security
regulations for financial institutions.2 09 In particular, the Act mandates the
adoption of "administrative, technical, and physical safeguards" that will,
among other things, "insure the security and confidentiality of customer
records and information" and "protect against unauthorized access to or use
of such records."210 The sanctions for violating these data security
requirements can be severe. Gramm-Leach-Bliley does not enumerate
specific penalties, but rather directs the enforcing agencies to apply the
Act's requirements according to their respective enabling statutes.2 1 ' Thus,
for example, a bank subject to FTC jurisdiction would face a civil penalty
of up to $16,000 for each violation.212 If the FTC treated every customer
affected by a cyber-intrusion as a separate violation, the penalties could
very quickly become staggering.

LA
Perhaps not coincidentally, financial institutions are widely believed to
do a better job of protecting customer data than members of other
industries.2 13 Unlike other firms, which typically spend only modest sums
IM
on cyber-security, most banks devote "between 6 and 7 percent of their
entire information technology budgets."214 Financial institutions also are
more likely to adopt specific security measures like intrusion-detection and
SH

-prevention systems, antivirus software, smart cards, and biometrics.215 The

unique risk of liability that banks face may be responsible, at least in part,
for that record. The GLB Act has the effect of increasing the expected
LU

benefit of cyber-security-namely, avoiding potentially crippling civil

penalties-and thus creates strong incentives for banks to invest in
defenses. (Another explanation is the risk of customer exit. Unlike, say, the
PN

customers of public utilities, it is relatively easy for a depositor who fears

cyber-intrusions to switch banks, so the bank has an incentive to maintain
data integrity.)2 16
H

Of course, the GLB Act's emphasis on protecting consumer data might

distort firms' cyber-security investments. Rather than expending resources
on defenses against the attacks they regard as the most dangerous, or the

209 See 15 U.S.C. §§ 6801(b), 6805 (2006). See generally, e.g., FTC
Standards for Safeguarding
Customer Information, 16 C.F.R. pt. 314 (2012).
210 § 6801(b); see Kenneth A. Bamberger, Regulation as Delegation, 56 DUKE
L.J. 377, 391
(2006); Schwartz & Janger, supra note 61, at 920.
211 See §6805(b).
212 16 C.F.R. § 1.98.
213 Frye, supra note 153, at 367-68; see also AM. BAR ASS'N, supra note 18, at 21; Powell, supra
note 14, at 501-05. But see Gable, supra note 2, at 84 (emphasizing that the international financial
system remains vulnerable to cyber-attack).
214 Powell, supra note 14, at 502.
215 See id. at 503.
216 See supra notes 42-49 and accompanying text.

1538

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.164

107:1503 (2013) Regulating Cyber-security

most likely to occur, financial institutions will tend to prioritize defenses

against the one form of intrusion singled out by their regulators-the
compromise of customer data. 217 The effect may be to ensure that firms are
well-defended against one threat at the expense of increased exposure to
many other threats.2 18 Even so, Gramm-Leach-Bliley remains an example
of how the risk of civil liability might be used to incentivize firms to
improve at least some of their cyber-defenses.

E. . . . as a PublicHealth Problem
As several scholars have noted, in more or less detail, cyber-security
can be thought of in terms of public health. 219 A critically important goal for
any cyber-security regime is to keep attacks from happening and to contain
their ill effects. 220 The same is true of public health, the ultimate goal of
which is prevention.22 ' Unlike medical practice, which typically has an ex
post orientation toward treating illnesses that have already occurred, public

LA
health is primarily oriented toward ex ante solutions-preventing people
from contracting infectious diseases, preventing pathogens from spreading,
and so on. Broadly summarized, public health law, including the subset
IM
known as public health emergency law, involves government efforts "to
persuade, create incentives, or even compel individuals and businesses to
conform to health and safety standards for the collective good." 2 2 Some
SH

scholars defend these interventions on controversial paternalistic grounds.

The notion is that the state may curtail individuals' freedoms to promote
their own physical health and safety. 223 The more common justification is
LU

the risk of harm to others: the state may coerce persons who have
contracted an infectious disease or are at risk of doing so to prevent them
from transmitting the disease to, and thereby harming, others.224 Seen in this
PN

light, a principal objective of public health law is to internalize negative

217 Similar distortions may arise at the state level, as a number of states have enacted laws requiring
H

designated companies to disclose breaches of customer data. Vincent R. Johnson, Cybersecurity,

Identity Theft, and the Limits of Tort Liability, 57 S.C. L. REv. 255, 283-87 (2005); see also Schwartz
& Janger, supra note 61, at 917.
218 Cf BAKER, supra note 24, at 238-39 (noting that state law causes companies to divert resources
to measures that would prevent having to disclose a breach, such as encrypting files, rather than
focusing on keeping hackers out of the system); MCAFEE, supra note 37, at 29 (noting that disclosure
laws "might be driving companies to make investment and policy decisions that will reduce the number
of reportable incidents, rather than strengthening the overall security of the enterprise").
219 IBM, supra note 19; Mulligan & Schneider, supra note 19; Rattray et al., supra note 8, at 151-
68; see also Coyne & Leeson, supra note 14, at 480; Hunker, supra note 19, at 202-03; Katyal,
CriminalLaw, supra note 10, at 1081; Rosenzweig, supra note 14, at 19 & 32 n.83.
220 See Katyal, Community, supra note 135, at 34; Katyal, CriminalLaw, supra note 10, at 1078-
79.
221 LAWRENCE 0. GosTIN, PUBLIC HEALTH LAW: POWER, DUTY, RESTRAINT 19 (2d ed. 2008).
222
223 Id. at 50-54.
224 Id at 49.

1539

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.165

 NORTHWESTERN UNIVERSITY LAW REVIEW

externalities-in particular, the costs associated with spreading infections

to others.
Public health law contemplates three specific measures that are
relevant here: mandatory inoculations to reduce susceptibility to infectious
diseases, biosurveillance to monitor for epidemics and other outbreaks, and
isolation and quarantine to treat those who have been infected and prevent
them from spreading the pathogen.22 5 We will consider each in turn along
with their potential relevance to cyber-security.
Inoculation, in which a healthy subject is exposed to a pathogen, helps
prevent disease both directly (a person who is inoculated against a disease
is thereby rendered immune) and indirectly (the person's immunity reduces
the risk that he will transmit the disease to others). Inoculation mandates
can take several forms. In the nineteenth and early twentieth centuries, state
and local governments sometimes opted for direct regulation-a firm legal
requirement that citizens must receive a particular vaccine, backed by the

LA
threat of sanctions.226 In the 1905 case of Jacobson v. Massachusetts, 22 7
the
Supreme Court upheld such a requirement against a lawsuit invoking the
Fourteenth Amendment's privileges or immunities, due process, and equal
IM
protection clauses. According to the Court, mandatory inoculation is a
permissible exercise of the states' police powers. 228 The modern approach
SH

usually involves a lighter touch. Now, state and local governments

typically create incentives for citizens to undergo inoculation by making it
a condition of eligibility for certain valuable benefits. The best known
example is to deny children access to public schools unless they have been
LU

vaccinated. 229 The Supreme Court upheld such a scheme in 1922 in Zucht v.
King.230
It isn't necessary to inoculate all members of a population to frustrate
PN

the transmission of a given disease. This is so because of "herd immunity."

When large numbers of a population are immune to a given contagious
disease, their immunity helps prevent the disease from spreading, even to
H

those who are not immune. 2 3' The critical number is typically around 85%
of the population, but it can be as low as 75% for some diseases, such as
mumps, and as high as 95% for others, such as pertussis.232 Herd immunity
is a form of positive externality-those who undergo vaccination provide

225 Id at 11, 39.

226 See id at 379 (describing laws that required certain vaccinations as a precondition to attending
public school).
227 197 U.S. 11 (1905).
228 Id. at 24-30,
38.
229 See GOSTIN, supra note 221, at 379-80, 382; Hunker, supra
note 19, at 203.
230 260 U.S. 174, 176-77 (1922).
231 Katyal, Criminal Law, supra note 10, at 1081; Mulligan & Schneider, supra note 19, at 76.
232 History and Epidemiology of Global Smallpox Eradication,CTRS. FOR DISEASE CONTROL
&
PREvENTION 17, http://www.bt.cdc.gov/agent/smallpox/trainingoverview/pdf/eradicationhistory.pdf
(last visited Sept. 5, 2013).

1540

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.166

107:1503 (2013) Regulating Cyber-security

an uncompensated benefit to those who do not-which creates a potential

free-rider problem.233 Many people would prefer to enjoy the benefits of
herd immunity without themselves undergoing vaccination, which is costly
in terms of money, discomfort, and risk of reaction. This free-rider problem
weakens each person's incentive to undergo vaccination, and overall
vaccinations may drop below the levels needed to support herd immunity.
State and local governments therefore sometimes use their coercive powers
to require inoculation. (Another approach would be to provide subsidies to
those who have been inoculated. Public school vaccination requirements
can be understood in these terms; the government is subsidizing the
education of children who are inoculated.)
Ensuring widespread immunity-not to disease, but to malicious
code-is also an important goal of cyber-security. The average Internet-
connected computer may be even more susceptible to infection by malware
than the average person is to infection by a pathogen, because malicious
code can propagate more efficiently than disease. Many pathogens are

LA
transmitted by person-to-person contact; you are unlikely to contract polio
unless you come into close proximity with someone who is already
IM
infected. But one can contract malware from virtually any networked
computer in the world. The Internet effectively brings dispersed systems
into direct contact with one another. Alternatively, the Internet is a disease
SH

vector that, like mosquitoes and malaria, can transmit a contagion between
dispersed systems. It is therefore essential for the elements at the edge of
the network, such as the SCADA system that runs the local power plant, to
LU

maintain effective defenses against cyber-intrusions, such as isolating the

power plant's controls from the public Internet. And there's the rub. As
with herd immunity, cyber-security raises free-rider problems.234 A user
PN

who takes steps to prevent his computer from being infected by a worm or
impressed into a botnet thereby makes other systems more secure; if the
user's machine is not infected, it cannot transmit the malware to others. But
H

the user receives no compensation from those who receive this benefit; he
does not internalize the positive externality. He therefore has weaker
incentives to secure his system, as he-like everyone else-would prefer to
free ride on others' investments. A critical challenge for any cyber-security
regime is to reverse these incentives.
The second key element of public health law is biosurveillance.
"Biosurveillance is the systematic monitoring of a wide range of health
data of potential value in detecting emerging health threats .. "2 Public
health officials collect and analyze data to determine a given disease's

233 See GosTIN, supra note 221, at 378-79; Coyne & Leeson, supra note 14, at 480. See generally
supra notes 143-44 and accompanying text (discussing the free-rider problem in the context of cyber-
defense investments).
234 See supra notes 143-44 and accompanying
text.
235 GOSTIN, supra note 221,
at 291.

1541

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.167

 NORTHWESTERN UNIVERSITY LAW REVIEW

incidence, or "the 'rate at which new cases occur in a population during a

specified period,"' as well as its prevalence, or "the 'proportion of a
population that are cases at a point in time."'236 Effective biosurveillance is
a vital first step in managing an epidemic or other outbreak.237
Biosurveillance takes place through a partnership among the U.S. Centers
for Disease Control and Prevention, the CDC's state level counterparts, and
front line health care providers, such as hospitals, clinics, and individual
medical practitioners. Many, if not all, states have enacted legislation
requiring specified health care professionals to notify state authorities if
their patients have contracted any number of infectious diseases,238 such as
smallpox or polio.239 These reports typically include the patient's name, the
type of disease, medical history, and other personal information.240 State
authorities then share the data with the CDC. These reports are not required
by law, but most states appear to be fairly conscientious about them.241
Public health law thus uses a system of distributed surveillance. No central

LA
regulator is responsible for collecting all the data needed to detect and
respond to infectious disease outbreaks. Instead, the system relies on
individual nodes within a far-flung network-from state agencies to
IM
hospitals to individual doctors-to gather the necessary information and
route it to the CDC's central storehouse. The CDC then analyzes the data
and issues alerts advising state agencies and medical practitioners about
SH

disease trends and offering recommendations about how to respond.242

The third public health intervention involves containing infectious
diseases once an outbreak has occurred, and preventing them from
LU

spreading further.243 Two key measures are isolation and quarantine. 2" The
goal of each is to segregate from the population those who have contracted
PN

236 Rattray et al., supra note 8, at 152 (quoting Dan Geer, Measuring Security, Address at the 16th
USENIX Security Symposium 132, 134 (Aug. 6, 2007), availableat http://geer.tinho.net/usenix/).
237 See IBM, supra note 19, at 11-12.
H

238 See GOSTIN, supra note 221, at 295-96.

239 Summary of Notifiable Diseases-UnitedStates, 2009, 58 MORBIDITY & MORTALITY WKLY.
REP. 1, 3 (2011), availableat http://www.cdc.gov/mmwr/pdf/wk/mm5853.pdf.
240 GOSTIN, supra note 221, at 297.
241 Id at 296; Hunker, supra note 19, at 202-03.
242 This reporting scheme is permissible under the Health Insurance Portability and Accountability
Act privacy rule, which generally limits the use and disclosure of protected health information, see
45 C.F.R. § 164.502(a) (2012), but which contains an exception for disclosures to public health
authorities, see id. § 164.512(b). The reporting is probably constitutional as well. The Supreme Court in
Whalen v. Roe, 429 U.S. 589 (1977), upheld, against a Fourteenth Amendment challenge, a similar New
York law requiring physicians to report information about drug prescriptions. Id. at 603-04, 606.
243 See Rattray et al., supra note 8, at 154-55.
244 Isolation and quarantine differ in subtle ways, though in colloquial usage the terms are
essentially synonymous. Isolation involves separating persons who are known to be infected with a
disease, for as long as the disease remains communicable. GOSTIN, supra note 221, at 429. Quarantine
involves separating persons who, though asymptomatic, may have been exposed to a disease, for the
period of communicability. Id.

1542

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.168

107:1503 (2013) Regulating Cyber-security

or been exposed to an infectious disease, and thus prevent them from

transmitting it to those who are well.245 Isolation and quarantine are often
coupled with mandatory treatment, which helps reduce the risk of further
contagion; a person who has been cured of an infectious disease cannot
transmit it to others. 246 The rationale for these interventions is the familiar
harm principle-the risk that a person who has contracted or been exposed
to a pathogen will infect others.247 Isolation and quarantine thus seek to
reduce negative externalities.
At the federal level, isolation and quarantine are accomplished under
the Public Health Service Act of 1944. The Secretary of Health and Human
Services has authority under the Act "to make and enforce such regulations
as in his judgment are necessary to prevent the introduction, transmission,
or spread of communicable diseases" into or within the United States.248
The law further provides for "the apprehension, detention, or conditional
release" of persons who may have been exposed to any one of several

LA
communicable diseases that the President has specified by executive
order.249 The list, which was updated most recently in 2005,250 includes
cholera, tuberculosis, plague, smallpox, SARS, and several other
IM
diseases. 251 Large-scale isolation and quarantine are rarely used; the most
recent example is from the 1918 Spanish flu pandemic, which was carried
out under different legal authorities. 25 2 However, isolation and quarantine
SH

are sometimes used for particular individuals. In May 2007, HHS issued an
isolation order for an American with multidrug-resistant tuberculosis who
flew from the Czech Republic to Canada and then crossed the land border
into the United States.253 Violations of the quarantine regulations carry
LU

criminal penalties, including a fine of up to $1000 and incarceration for up

to a year.254
PN

Both biosurveillance and isolation/quarantine carry important lessons

for cyber-security. Like the public health system, effective cyber-defenses
H

245 Id.
246 See id.at 411-12.
247 Id. at 414-15.
248 42 U.S.C. § 264(a) (2006).
249 Id. § 264(b).
250 Exec. Order No. 13,375, 70 Fed. Reg. 17,299 (Apr. 1, 2005).
251 Exec. Order No. 13,295, 68 Fed. Reg. 17,255 (Apr. 4, 2003).
252 See Legal Authorities for Isolation and Quarantine, CTRS. FOR DISEASE CONTROL
&
PREVENTION, http://www.cdc.gov/quarantine/aboutlawsregulationsquarantineisolation.html (last
updated Jan. 10, 2012).
253 Cracks in the System-An Examination of One Tuberculosis Patient's InternationalPublic
Health Threat: Hearing Before the Subcomm. on Labor, Health, & Human Serys., Educ. & Related
Agencies of the S. Comm. on Appropriations, 110th Cong. 14 (2007) (statement of Julie Gerberding,
Director, Centers for Disease Control and Prevention), available at http://www.gpo.gov/fdsys/pkg/
CHRG-1 10shrg41837/pdflCHRG-1 10shrg41837.pdf.
254 § 271(a).

1543

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.169

 NORTHWESTERN UNIVERSITY LAW REVIEW

depend on information about the incidence and prevalence of various kinds

of malware. Users need to know what new forms of malicious code are
circulating on the Internet in order to secure their systems against them.
And measures resembling isolation and quarantine can help ensure that
systems infected with malicious code do not spread the contagion to other,
healthy computers.
There is, of course, a significant difference between infectious diseases
and malicious computer code: diseases typically develop and spread on
their own, whereas malware is created by human beings and sometimes
requires human intervention to propagate. This is true as far as it goes, but
the differences between cyberspace and realspace pathogens can be
overstated. Infectious diseases can be engineered (e.g., biological
weapons), and sometimes malware is able to spread on its own (e.g., a
worm that is programmed to search for other computers on which to
replicate itself"). Another potential obstacle is the tension between antique

LA
public health legislation and contemporary constitutional law. These
statutes often restrict civil liberties and privacy to a degree rarely seen
today,256 and the judicial precedents upholding them against various
IM
constitutional challenges typically antedate the Supreme Court's modem
civil rights and liberties jurisprudence. It is not clear that today's Court
SH

would uphold, say, mandatory vaccination of adults as readily as it did in

1905.257 Yet even if public health law fits uneasily with modem
constitutional law, it can still be a useful framework for cyber-security
because, as explained below, the cyber versions of public health
LU

interventions can be friendlier to civil liberties and privacy than their

realspace counterparts.258
PN

III. REGULATORY PROBLEMS, REGULATORY SOLUTIONS

This concluding Part examines the responses of environmental,
antitrust, products liability, and public health law to various challenges, and
H

it considers how those solutions might be adapted for cyber-security. The

possible responses to cyber-insecurity are determined by our antecedent
choice of how to describe that problem. If we regard cyber-security from
the standpoint of law enforcement and armed conflict, we will tend to favor
the responses of law enforcement and armed conflict-stronger penalties
for cyber-intrusions, retaliating with kinetic attacks, and so on. Those are
plausible frameworks and equally plausible solutions. But they are not the
only ones. A wider angle lens is needed.

255 See supra note 22 and accompanying text.

256 See GOSTIN, supra note 221,
at 24.
257 Jacobson v. Massachusetts, 197 U.S. 11, 39 (1905). But see GOSTIN, supra note 221, at 130
(proposing that the Court "indisputably" would reach the same result if it decided Jacobson today).
258 See infra notes 285-86 and accompanying
text.

1544

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.170

107:1503 (2013) Regulating Cyber-security

Taken together, the regulatory frameworks described in Part II suggest

that an effective cyber-security regime should include four components:
(1) monitoring and surveillance to detect malicious code, (2) hardening
vulnerable targets and enabling them to defeat intrusions, (3) building
resilient systems that can function during an attack and recover quickly,
and (4) responding in the aftermath of an attack. 259 There are two
complementary objectives here: preventing intrusions from happening at
all, and enabling firms to withstand the intrusions that do take place.2 60
Stronger defenses would provide an obvious, first-order level of protection:
better defense means less damage. They also would provide an important
second-order level of protection: stronger defenses can help achieve
deterrence. By enabling victims to defeat, survive, and recover from cyber-
attacks, these measures increase the expected costs of an intrusion to an
attacker and also decrease its expected benefits.261 And that means weaker
incentives to attack in the first place; why try to take down the power grid

LA
if the effort is likely to fail?
Of course, it is inevitable that some attacks will succeed. Some
intrusions can be prevented or mitigated but others cannot, and any
IM
defensive scheme is necessarily imperfect.262 This is so because offense is
much less costly than defense in cyberspace. "Defending a modem
information system" is like "defending a large, thinly-populated territory
SH

like the nineteenth century Wild West: the men in black hats can strike
anywhere, while the men in white hats have to defend everywhere." 263 The
goal therefore is not to develop impregnable defenses. Doing so may be
LU

impossible from a technological standpoint and, even if such defenses were

feasible, they may be inefficiently costly. 26 4 Instead, the goal is to attain
efficient levels of investment in defenses that are better at protecting
PN

society's critical systems than current defenses are.265 Another important

point is that cyber-defense is not a one-size-fits-all proposition. Security
H

259 Cf Trachtman, supra note 56, at 265 (describing the various goals of an effective cyber-security
regime).
260 BRENNER, supra note 1, at 214; CLARKE & KNAKE, supra note 1, at 159; Bambauer,
Conundrum, supra note 12, at 673; Yochai Benkler, Peer Production of Survivable Critical
Infrastructures,in THE LAW AND ECONOMICS OF CYBERSECURITY, supra note 19, at 73, 76-77.
261 CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 26; Bambauer, Ghost, supra note 25, at
7; Lynn, supra note 19, at 99-100; Taipale, supra note 96, at 36.
262 CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 51; IBM, supra note
19, at 12;
Bambauer, Conundrum, supra note 12, at 673; Bambauer, Ghost, supra note 25, at 5; Gable, supra note
2, at 65; Lynn, supra note 19, at 99; Sklerov, supra note 19, at 8; Taipale, supranote 96, at 9.
263 Ross Anderson, Why Information Security Is Hard-An Economic Perspective, in 17TH
ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE: PROCEEDINGS 358 (2001), available at
http://www.acsac.org/2001/papers/110.pdf, accord BAKER, supra note 24, at 213; Bambauer, Ghost,
supra note 25, at 11; Jensen, Cyber Warfare, supra note 15, at 1536. But see Libicki, supra note 12, at
38.
264 See supra notes 31-32 and accompanying text.
265 DENNING, supranote 186.

1545

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.171

 NORTHWESTERN UNIVERSITY LAW REVIEW

measures should be tailored to the unique risks faced by specific firms or

industries-their combinations of vulnerabilities, threats, and
consequences.26 6 The strongest, and presumably most costly, defenses
should be reserved for the firms that are most vulnerable to cyber-attacks,
that face the most severe threats (e.g., from foreign intelligence services as
opposed to recreational hackers), and whose compromise would have the
most devastating consequences for society. Strategically unimportant firms
might get by with modest defenses, whereas robust defenses may be
needed for critical industries."6 Finally, what follows is by no means an
exhaustive list of possible responses to cyber-insecurity. It is merely a list
of responses suggested by conceiving of cyber-security in environmental,
antitrust, products liability, and public health terms. Other solutions,
suggested by other analytical frameworks, may be just as promising.

A. Monitoring and Surveillance

LA
Effective cyber-security depends on the generation and exchange of
information.268 An ideal system would create and distribute vulnerability
data (the holes intruders might exploit to gain access to computer systems),
IM
threat data (the types of malware circulating on the Internet and the types of
attacks firms have suffered), and countermeasure data (steps that can be
SH

taken to prevent or combat infection by a particular piece of malicious

code).269 Perhaps the best way to collect this information is through a
distributed surveillance network akin to the biosurveillance system at the
heart of public health law. Companies are unlikely to participate in this sort
LU

of arrangement due to fears of liability under antitrust and other laws.270 A

suite of measures is therefore needed to help foster favorable incentives,
including subsidies, threats of liability, and offers of immunity. These steps
PN

would not guarantee that firms will collect and share cyber-security data,
but they would make such arrangements more viable than they are at
present.
H

Public health law's system of distributed biosurveillance seems well

suited to the challenge of gathering and disseminating cyber-security data.
Like health care providers who diagnose and then report their patients'
infectious diseases, firms could be tasked with monitoring their systems for
vulnerabilities and intrusions, then reporting their findings and the
countermeasures they have implemented to designated recipients.27t Such a

266 AM. BAR Ass'N, supra note 18, at 21; Katyal, CriminalLaw, supra note 10, at 1080; Nojeim,
supra note 14, at 119.
267 See supranotes 61-66 and accompanying text.
268 But see CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 45 (information sharing should
not be "a primary goal").
269 See supranotes 153-54 and accompanying text.
270 See supranotes 155-68, 201-08 and accompanying text.
271 Mulligan & Schneider, supra note 19, at 81.

1546

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.172

107:1503 (2013) Regulating Cyber-security

system would take advantage of important information asymmetries.

Individual companies often know more than outsiders about the
vulnerabilities in their systems and the types of intrusions they have faced;
they have a comparative advantage in compiling this data. 272 The principal
alternative-surveillance by a single, central regulator-is unlikely to be as
effective. As F.A. Hayek emphasized, "the knowledge of the [economic]
circumstances of which we must make use never exists in concentrated or
integrated form, but solely as the dispersed bits of incomplete and
frequently contradictory knowledge which all the separate individuals
possess."273 The same is true of cyber-security data. A central regulator
lacks the capacity to examine each device that is connected to the Internet
to determine its vulnerabilities, and cannot inspect every data packet
transiting the Internet to determine whether it contains malicious code. And
even if the scope of the project was not prohibitively vast, the privacy costs
associated with a central monitor-especially a government monitor-
would likely be intolerable.274 Instead, the better course would be to rely on

LA
individual firms to gather the relevant information.275
While firms would be responsible for the lion's share of monitoring,
IM
the government still has an important role to play: providing especially
sensitive companies, such as power companies and ISPs, with information
about especially sophisticated forms of malware. Here, the comparative
SH

advantage is reversed; the government's highly resourceful intelligence

agencies are simply better than the private sector at detecting intrusions by
sophisticated adversaries like foreign militaries and developing
countermeasures.2 76 The government can provide these firms with the
LU

signatures of malware used in previous attacks, and firms can use the
signature files to detect future intrusions. In 2010 the National Security
PN

Agency began assisting Google in detecting intrusions into its systems. The
partnership was announced in the wake of reports that sophisticated
hackers, most likely affiliated with China's intelligence service, had broken
H

into Google's systems and collected data about users, including a number
of human rights activists.277 The NSA reportedly has entered a similar
partnership with a number of large banks.278

272 See CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 53; Bamberger, supra
note 210, at
391-92; Katyal, Criminal Law, supra note 10, at 1091. See generally Bamberger, supra note 210, at
399 (emphasizing "the information asymmetries between regulated firms and administrative agencies").
273 F.A. Hayek, The Use of Knowledge in Society, 35 AM. ECON. REv. 519, 519 (1945).
274 Mulligan & Schneider, supranote 19, at
81.
275 See CLARKE & KNAKE, supranote 1, at
162.
276 Coldebella & White, supranote 14; Condron, supranote 19, at 407. But see O'Neill, supra
note
19, at 265, 275; Taipale, supra note 96, at 9.
277 Nakashima, Google, supra
note 58.
278 Andrea Shalal-Esa & Jim Finkle, National Security Agency Helps Banks
Battle Hackers,
REUTERS (Oct. 26, 2011, 2:51 PM), http://www.reuters.com/article/2011/10/26/us-cybersecurity-banks-
idUSTRE79P5EO20111026.

1547

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.173

 NORTHWESTERN UNIVERSITY LAW REVIEW

At least two possibilities exist for how to structure the system used to
disseminate the information compiled by private firms. Some
commentators have called for a central repository of cyber-security data-a
"cyber-CDC,"27 9as it were. Under such a system, an individual firm would
notify the clearinghouse if it discovers a new vulnerability in its systems, or
a new type of malicious code, or a particular countermeasure that is
effective against a particular kind of threat. The repository would analyze
the information, looking for broader trends in vulnerabilities and threats,
then issue alerts and recommendations to other firms. This clearinghouse
might be a government entity, as in public health law, but it need not be.
An alternative architecture would be for firms to exchange cyber-security
information with one another directly, on a peer-to-peer basis, rather than
first routing it through a central storehouse. One advantage of the peer-to-
peer approach is that it may be more resilient. A CDC-type clearinghouse
would be an attractive target for cyber-adversaries, and the entire system

LA
would fail if it were compromised.
Distributed surveillance may be an even better fit for cyber-security
than for public health, for several reasons. First, malicious computer code
IM
can often be detected more quickly than biological pathogens,280 which
means that countermeasures can be developed and put in place rapidly.
Biosurveillance can be slow because the incubation period for certain
SH

diseases-the amount of time between when a disease is contracted and

when its symptoms first manifest-can be days or weeks. By contrast, it is
possible to detect known malware in real time, as the code is passing
LU

through a company's system. Of course, malware detection is imperfect.28'

Deep packet inspection and other forms of network monitoring typically
work by comparing streams of data against signatures of known malicious
PN

code.282 These systems are only as good as their underlying definitions files.
If there is no signature for a particular type of malware, chances are it will
not be detected. As a result, sophisticated "zero-day" attacks-so called
H

because they occur before the first day on which security personnel become
aware of them and begin to develop countermeasures-may well go
unnoticed.283 Former CIA director Jim Woolsey emphasizes that "[i]f you
can't deal with a zero-day attack coming from a thumb drive ... you have
nothing."284 Of course, these are the very sorts of attacks likely to be
launched by sophisticated adversaries like foreign intelligence services.
Public health law's biosurveillance framework thus is probably better at

279 IBM, supra note 19, at 13-14; see also Sharp, supra
note 8, at 25.
280 Rattray et al., supra note 8, at 152.
281 CLARKE & KNAKE, supra note 1,at 162; Sklerov, supra note 19, at 74.
282 See supra note 163 and accompanying text.
283 Rosenzweig, supra note 14, at 28 n.23; Zetter, supra note 48.
284 MCAFEE & CTR. FOR STRATEGIC & INT'L STUDIES, supra note 15, at 1.

1548

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.174

107:1503 (2013) Regulating Cyber-security

detecting intrusions of low to modest complexity than those undertaken by

foreign governments.
Second, cyber-threat monitoring has the potential to raise fewer
privacy concerns than biosurveillance.285 Health care providers often give
authorities sensitive information about individual patients, such as their
names, Social Security numbers, and other personally identifiable
information, as well as the diseases they have contracted.286 A properly
designed cyber-monitoring system need not compile and disseminate
information of the same sensitivity. Collection and sharing could be limited
to information about the incidence and prevalence of known malware. The
fact that the "ILoveYou" worm has infected a particular system exposes a
great deal less personal information, and thus raises weaker privacy
concerns, than the fact that a particular patient suffers from HIV or breast
cancer.
The challenge, then, is to provide firms with incentives to collect and
disseminate cyber-security information.2 At present companies have

LA
strong disincentives to do so, partly due to fears of legal liability,288 but also
because of concerns about compromising trade secrets, losing customer
IM
goodwill, and reputational harms.289 Public health law facilitates collection
and sharing through both direct regulation, such as state statutes requiring
health care providers to notify authorities about patients who have
SH

contracted various infectious diseases, and less coercive alternatives. 29 0 A

similar arrangement might be adopted for cyberspace. The government
could require firms to gather information about the vulnerabilities in their
LU

systems, the types of attacks they have suffered, and the countermeasures
they have used to combat malware, and then to disseminate the data to
designated recipients."' Imposing such an obligation would not eliminate
PN

companies' incentives to withhold cyber-security data. It would simply

make it more costly for them to do so, where costs include the sanctions for
hoarding discounted by the probability of punishment. Firms will be more
H

likely to collect and share cyber-security data, but some will still find it
advantageous to hoard.
There is also a less coercive, and probably more effective, alternative.
Cyber-security data is a sort of public good, and economic theory predicts

285 But see Nojeim, supra note 14, at 126.

286 See GoSTIN, supra note 221, at 297.
287 Nojeim, supra note 14, at
128.
288 See supra notes 155-68, 201-08 and accompanying text.
289 See, e.g., Aviram, supra note 79, at 154; Aviram & Tor, supra note 139, at 240; Bambauer,

Conundrum, supra note 12, at 611; Katyal, Digital Architecture, supra note 15, at 2278; Nojeim, supra
note 14; Powell, supra note 14, at 501; Rosenzweig, supra note 14, at 9. But see O'Neill, supra note 19,
at 281 (arguing that intercompany cooperation against cyber-attacks is not altogether uncommon).
290 See supra notes 235-42 and accompanying text.
291 Frye, supra note 153, at 370-71.

1549

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.175

 NORTHWESTERN UNIVERSITY LAW REVIEW

that it will be underproduced.2 92 Firms might be offered subsidies to

encourage them to compile and exchange the needed information.2 93 These
bounties could be direct payments from the government, tax credits, or
deductions. They could also take the form of enhanced intellectual property
protections for the cyber-security information firms generate. If the
subsidies are large enough, firms will have an incentive not just to report
the data they have already compiled, but to invest in discovering previously
unknown vulnerabilities, threats, and countermeasures.294
Antitrust law can also help recalibrate firms' incentives.295 Antitrust is
often skeptical of information sharing and other forms of cooperation
among competitors.2 96 But exchanges of cyber-security data can enhance
consumer welfare by preventing attacks from taking place or at least
mitigating their effects.297 One way to incentivize companies to cooperate is
to alleviate their apparently widespread fears of antitrust liability through
judicial, administrative, or legislative action. Federal courts could expressly

LA
discard the per se approach and substitute a rule of reason when reviewing
private sector agreements to share cyber-security data or to adopt common
security protocols. Instead, arrangements would be judged on a case-by-
IM
case basis, and would stand or fall based on the degree to which they
actually advance or hinder consumer welfare. This would reduce the risk of
false positives-the danger that the coarse-grained per se rule might
SH

invalidate a cyber-security initiative that is actually welfare-enhancing.

While this approach shows promise, it also carries some significant
drawbacks. A judicial response may not sufficiently remove legal
LU

uncertainty. Companies will not always be able to predict whether

reviewing courts will sustain or invalidate a proposed cyber-security
venture, and the risk of liability will dissuade firms from forming them.2 98
PN

In short, the uncertain prospects of ex post judicial approval may not

provide firms with enough assurance ex ante.
A more promising approach would be for administrative agencies to
H

sponsor cyber-security exchanges, as some in Congress have proposed.2 99

Agencies with special expertise in cyber-security (such as the NSA and the
Department of Homeland Security) could partner with the agencies that are

292 See supra notes 137-39 and accompanying text. But see Aviram & Tor, supra note 139, at 240-
47 (arguing that information can be a rivalrous good).
293 See Nojeim, supra note 14, at 128.
294 But see Malloy, supra note 86, at 572-73 (predicting that firms will tend to neglect "regulatory
investments"-i.e., expending scarce resources to obtain benefits offered to those who comply with
government regulations).
295 Cf Adler, supra note 155 (discussing antitrust law in the context of marine resources, another
public good).
296 See supra notes 235-42 and accompanying text.
297 See supra notes 153-54 and accompanying text.
298 See supra notes 165-68 and accompanying text.
299 See Cybersecurity Act of 2012, S. 2105, 112th Cong. § 301 (2012).

1550

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.176

107:1503 (2013) Regulating Cyber-security

responsible for enforcing federal antitrust laws (the Federal Trade

Commission and the Justice Department's antitrust division) to establish
fora in which companies could establish common security standards and
exchange information. The government's participation in these fora would
offer assurances that they are being used for legitimate purposes and not as
vehicles for anticompetitive conduct. From the standpoint of participating
firms, this approach is advantageous because it offers them de facto
antitrust immunity.30 0 It is unlikely that an agency such as the FTC or DOJ
that sponsored a cooperative cyber-security arrangement later would go to
court to have it invalidated. And while the blessing of these agencies does
not formally bind other potential plaintiffs, such as state attorneys general
or private parties, their determination that a proposed venture is permissible
under federal antitrust laws probably would receive a healthy dose of
judicial deference. Government sponsorship has another advantage: it can
help solve the coordination and free-rider problems associated with
collective action.30 ' A regulator can mitigate these tendencies by coercing

LA
firms into participating in the forum and complying with its requirements;
it also can withhold the forum's benefits from firms that shirk.
IM
A third alternative would be for Congress to enact a cyber-security
exception to the antitrust laws.302 The upside of a legislative carve-out is
that it would eliminate virtually all risk of liability and thus remove one
SH

powerful disincentive for companies to cooperate on cyber-security

initiatives. Ideally, such a measure would be narrowly tailored to the
precise sort of interfirm cooperation that is desired-the exchange of
vulnerability, threat, and countermeasure information and the development
LU

of common security protocols. In other words, the exemption would be

pegged to specific conduct, and would not immunize entire industries (as
used to be the case with major league baseball303 ). A broader exception
PN

would offer few additional cyber-security gains and could open the door to
anticompetitive conduct.
H

We also might consult products liability law for ideas on how to

incentivize companies to exchange cyber-security data. Firms do not have
strong incentives to search for vulnerabilities in their systems or products,
and ISPs are reluctant to monitor network traffic for malicious code."
Lawmakers might use a combination of carrots and sticks to recalibrate
these incentives. Offers of immunity would increase companies' expected

300 BRENNER, supra note 1, at 228.

301 See Kobayashi,supra note 136, at 23.
302 Katyal, Community, supra note 135, at 52.
303 See Flood v. Kuhn, 407 U.S. 258 (1972), superseded by statute, 15 U.S.C. § 26b (2006); Fed.
Baseball Club of Bait., Inc. v. Nat'l League of Prof'1 Baseball Clubs, 259 U.S. 200 (1922).
See supra notes 201-08 and accompanying text.

1551

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.177

 NORTHWESTERN UNIVERSITY LAW REVIEW

benefits of compiling and sharing cyber-security data; threats of liability

would increase their expected costs of failing to do so."'
Consider the carrots first. Firms could be offered immunity from
various laws that presently inhibit them from collecting and exchanging
certain information about cyber-vulnerabilities and threats. In particular,
Congress could expand the service-provider exception to the Federal
Wiretap Act's general ban on intercepting electronic communications.30
And the exception could be broadened to authorize ISPs to monitor
network traffic for malicious code that threatens their subscribers' systems,
not just their own. Congress could also authorize ISPs to notify customers
whose systems are found to be infected by malware.3 0 It further could
expressly preempt any state laws to the contrary. This would foreclose any
claims that monitoring for malware violates state privacy law or breaches
the terms of service between an ISP and its subscribers. In all cases,
eligibility for these forms of immunity could be conditioned on information

LA
sharing: a company would not be able to take advantage of the safe harbor
unless it shared the information it discovered with other firms. The result
would be to foster strong incentives to exchange data about threats and
IM
vulnerabilities.
As for the sticks, below I propose modifying tort law's traditional
economic loss doctrine in the cyber-security context.3 0 Firms that
SH

implement approved security standards would enjoy immunity from

lawsuits seeking redress for injuries sustained from an intrusion; companies
that disregard the protocols would be subject to lawsuits for any resulting
LU

damages. Under such a scheme, a company that implemented the standards

might have its immunity stripped if it failed to share information about
known weaknesses in its systems or products. As for firms that fail to adopt
PN

the security standards, the lack of information sharing could be treated as

an aggravating factor; extra damages could be imposed on firms that are
aware of vulnerabilities or threats but fail to share that information with
H

other companies. This series of tiered penalties would produce marginal

deterrence; firms would have good reason not only to implement the
approved security standards, but also to exchange the threat and
vulnerability information on which those protocols depend.

B. Hardening Targets
A second objective for a cyber-security regime is to harden critical
systems against attack by developing effective security protocols.30' The

305 Malloy, supra note 86, at 531-32. But see id. at 572-73 (predicting
that firms will tend to
neglect "regulatory investments"-i.e., complying with regulations to receive the benefits they offer).
306 See 18 U.S.C. § 2511(2)(a)(i) (2006).
307 BRENNER, supra note 1, at 229-31; CLARKE & KNAKE,
supra note 1, at 164-65.
308 See infra notes 339-44 and accompanying text.
3 CLARKE & KNAKE, supra note 1,at 159.

1552

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.178

107:1503 (2013) Regulating Cyber-security

goal of such measures is to prevent cyber-intruders from harming these

systems at all, as opposed to limiting the amount of damage intrusions can
do; the objective is to increase impregnability as opposed to their
survivability."o Of course, some cyber-attacks inevitably will succeed, so
enhancing survivability, as discussed below,"' is an essential goal as well.
The regulatory disciplines surveyed above suggest various techniques for
encouraging companies to adequately secure their networks. Environmental
law suggests the need for industry-wide security standards; these rules
should be developed through collaborative partnerships between regulatory
agencies and private firms, rather than imposed via direct regulation.
Products liability law suggests that pairing threats of liability with offers of
immunity can incentivize firms to implement the security standards. And
public health law's use of mandatory vaccinations might be adapted by
incentivizing firms to take certain minimum steps to secure their systems.
Again, different firms and industries face different vulnerabilities, threats,
and consequences, so the resulting security standards should be calibrated

LA
to the particular conditions in individual industries.
Regulators could improve critical systems' defenses by establishing
IM
and enforcing new cyber-security protocols akin to the environmental
regulations that restrict, say, the amount of sulfur dioxide a given source
may emit into the atmosphere.312 Regulatory standards can help manage the
SH

negative externalities that result when a company suffers a cyber-intrusion.

It should be emphasized at the outset that the specific content of any cyber-
security standards is well beyond the scope of this Article.3 13 My focus here
LU

310 See supra note 260 and accompanying text.

PN

311 See infra Part III.C.

312 It is also possible to develop new cyber-security standards through litigation. See Harper, supra

note 127; Johnson, supra note 217, at 275-76; Rosenzweig, supra note 14, at 23. A court might hold,
for instance, that a given firm's failure to adopt a particular security measure breaches a general duty of
H

care. This option seems less promising than the regulatory approach for several reasons. First, courts
may not have the technical expertise to fashion detailed security protocols for complicated systems and
products. Second, there is the problem of legal uncertainty. A regulation is likely to be more
determinate than a series of incremental judicial opinions, especially in the context of a highly complex
subject matter like cyber-security; relying on litigation thus runs the risk that firms will not know what
is expected of them. There is, of course, an important role for litigation-the prospect of civil liability
creates incentives for firms to comply with the regulatory standards. See infra notes 339-51 and
accompanying text. But litigation should be limited to enforcing the standards, not formulating them in
the first place.
313 Just within the legal literature-to say nothing of computer science, economics, and other
fields-authors have debated relatively modest regulations, such as mandating that firms use
encryption, firewalls, and intrusion-detection systems, Condron, supra note 19, at 410; Gable, supra
note 2, at 94-95, requiring companies that operate certain sensitive systems to authenticate users before
granting them access, Nojeim, supra note 14, at 131-33; Sklerov, supra note 19, at 22-24, and
disconnecting vulnerable SCADA systems from the Internet, see CLARKE & KNAKE, supra note 1, at
167-69; MCAFEE, supra note 37, at 34. Others have debated even more dramatic proposals, such as
requiring ISPs to monitor the traffic that flows over their networks for malicious code, Katyal, Criminal
Law, supra note 10, at 1007, 1095-101; Lichtman & Posner, supra note 61, at 222; Taipale, supra note

1553

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.179

 NORTHWESTERN UNIVERSITY LAW REVIEW

is not on the technical feasibility or policy advantages of any particular

defensive measure. Instead, the focus of this Article is establishing
regulatory mechanisms by which new cyber-security standards-whatever
their content-may be adopted.
Turning to that question, one obvious option would be for
administrative agencies to use traditional "command and control"
regulation-to issue a set of mandatory standards and incentivize firms to
comply with them by threatening civil or criminal penalties.314 This is a
fairly common approach in environmental law,' and some scholars have
urged the government to adopt it here. Neal Katyal argues that "direct
government regulation" of cyber-security "is the best solution," and calls
for regulatory agencies to issue "the equivalent of building codes to require
proper design and performance standards for software.""' Likewise, a
prominent think tank argues that "the federal government bears primary
responsibility" for cyber-security and that "it is completely inadequate" to

LA
leave the matter "to the private sector and the market."m' Some have even
called for the federal government to take over certain sectors of the
economy in the name of cyber-security. According to an ABA task force,
IM
"government may also need to 'semi-nationalize' some sectors (like the
electricity grid) where isolation is not an option and the adverse
SH

consequences of certain low probability events are likely to be very

high.""'" It isn't steel mills, but Harry Truman would have admired the
proposal.319
Traditional command-and-control regulation seems ill suited to the
LU

task of securing the nation's cyber-infrastructure. The better course would

be to involve the firms that operate these assets in establishing and
implementing new security protocols. Private sector participation-an
PN

approach sometimes seen in environmental law-is desirable for several

familiar reasons. First, information asymmetries: companies often know
more than regulators about the vulnerabilities in their systems, the types of
H

96, at 34, or moving to an entirely new Internet architecture (such as IPv6) in which anonymity is
reduced and user activity is capable of being traced. BAKER, supra note 24, at 231-32; LESSIG, supra
note 67, at 45, 54; POST, supra note 94, at 84; Bambauer, Conundrum, supra note 12, at 590, 601; Frye,
supra note 153, at 354; Katyal, DigitalArchitecture, supra note 15, at 2269-70; Taipale, supra note 96,
at 31.
314 Malloy, supra note 86, at 531.
315 See, e.g., Clean Water Act, 33 U.S.C. § 1319(b)-(c) (2006) (providing civil and criminal
penalties); Clean Air Act, 42 U.S.C. § 7413(b) (2006) (providing civil penalties).
316 Katyal, DigitalArchitecture, supranote 15, at 2284, 2286. But see Katyal, CriminalLaw, supra
note 10, at 1091 ("[Cyber-security regulation] places law enforcement in uncharted territory. It cannot
know what the best, or cheapest, form of protection is. . . .").
317 CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 15 (deeming cyber-security a matter of
national security); see also Frye, supra note 153, at 376.
318 AM. BAR ASs'N, supranote 18, at 27.
319 See generally Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579 (1952).

1554

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.180

107:1503 (2013) Regulating Cyber-security

intrusions they have faced, and the most effective countermeasures for
dealing with those threats.320 Second, a related concern is that regulators
probably lack the knowledge necessary to determine the socially optimal
level of cyber-breaches and set the security standards accordingly.3 2 1 The
market, through the price system, is capable of aggregating and processing
this information in a way that central planners cannot. Third, rapid
technological change makes it difficult for regulators to formulate durable
security rules.322 Vulnerabilities, threats, and countermeasures are in a
constant state of flux, and regulatory standards cannot keep pace with these
developments. Notice-and-comment rulemaking rarely takes less than two
years, sometimes much longer,3 23 and the rules likely would be obsolete
before the ink in the Federal Register was dry. Fourth, there is a risk that
government protocols will stifle innovation.3 24 If regulatory agencies
promulgate a set of mandatory standards, regulated firms will have less
reason to search for newer and more efficient countermeasures; they will
simply implement the government's directives.

LA
What specific role should private firms have in developing and
implementing cyber-security standards? At least two possibilities come to
IM
mind. First, regulators could practice a form of "delegated regulation"3 25 in
which they mandate broad security goals and establish the penalties for
falling short, then leave it up to companies to achieve those goals in
SH

whatever manner they deem most effective.326 Regulation by delegation is

said to be appropriate where administrative agencies have the capacity to
"identify specific outcomes but cannot easily codify in generally-applicable
rules the means for achieving them."327 Environmental law sometimes
LU

follows this approach, as do other fields such as food safety328 and

PN

320 See supra notes 272-75 and accompanying

text.
321 Coyne & Leeson, supra note 14, at 488-89; Powell, supra note
14, at 502, 505.
322 See BAKER, supra note 24, at 235, 237; CTR. FOR STRATEGIC & INT'L STUDIES,
H

supra note 8, at
51; Rosenzweig, supra note 14, at 10.
323 See William F. West, Formal Procedures, Informal Processes, Accountability, and
Responsiveness in BureaucraticPolicy Making: An InstitutionalPolicy Analysis, 64 PUB. ADMIN. REV.
66, 66, 69 (2004) (finding after studying the development of forty-two regulatory rules that the average
time period between initiation of research and promulgation of a proposed rule was 4.3 years and the
average length of comment taking was 5.3 years). In calculating the average length of comment taking,
West excluded seven rules that either had open-ended notice-and-comment periods or were routine
rules issued annually gr under a statutory deadline. The average length of comment taking for these
rules was still 2.2 years. Id.
324 CTR. FOR STRATEGIC & INT'L STUDIES, supranote 8, at 51; Kobayashi, supra note 136, at 26.
325 Schwartz & Janger, supra note 61, at 919; accord Bamberger, supra note 210, at 386; Jody
Freeman, The PrivateRole in Public Governance, 75 N.Y.U. L. REv. 543, 551 (2000).
326 Bamberger, supranote 210, at 380-81; accord AM. BAR Ass'N, supra note 18, at 9;
CLARKE &
KNAKE, supranote 1, at 134; Jensen, Cyber Warfare, supra note 15, at 1565.
327 Bamberger, supra note 210, at 389.
328 Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private
Management to Achieve Public Goals, 37 LAW & Soc'Y REv. 691, 696-98 (2003).

1555

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.181

 NORTHWESTERN UNIVERSITY LAW REVIEW

securities regulation.32 9 For instance, the EPA's acid rain program affords
companies a measure of discretion in deciding how to comply with their
obligation under the Clean Air Act to reduce various emissions. And the
EPA's "bubble" approach to the Clean Air Act allowed polluters to offset
increased emissions from one source with decreased emissions from other
sources, providing them with an incentive to experiment with new
technologies that could reduce emissions at lower cost.330 (Note that both
programs involve discretion in implementing numerical values rather than,
as would be true in the cyber context, substantive standards.) Delegated
regulation seems a good fit for cyber-security, though not a perfect one.
Giving companies discretion to implement the government's security
standards achieves three of the four benefits of private action mentioned
above: it avoids some problems with information asymmetries, allows for
flexibility in reacting to fast-changing technologies, and promotes rather
than stifles private sector innovation. However, difficulties would remain

LA
with formulating the standards. Regulators probably lack the knowledge
needed to determine the socially optimal level of cyber-breaches and set the
security standards accordingly.
IM
An alternative would be a form of "enforced self-regulation""' in
which private companies develop new cyber-security protocols in tandem
SH

with the government.332 These requirements would not be handed down by

administrative agencies, but rather would be developed through a
collaborative partnership in which both regulators and regulated would play
a role. In particular, firms might prepare sets of industry-wide security
LU

standards. The National Industrial Recovery Act, famously invalidated by

the Supreme Court in 1935 on nondelegation grounds, contained such a
mechanism,333 and today the energy sector develops reliability standards in
PN

the same way.334 Or agencies could sponsor something like a negotiated

rulemaking in which regulators, firms, and other stakeholders forge a
consensus on new security protocols.3 In either case, agencies would then
H

ensure compliance through standard administrative techniques like audits,

investigations, and enforcement actions. 336 This approach would achieve all
four of the benefits of private action mentioned above: it avoids some

329 Bamberger, supra note 210, at 390-91.

330 Chevron U.S.A. Inc. v. Natural Res. Def. Council, Inc., 467 U.S. 837, 839-40 (1984); see also
Malloy, supra note 86, at 536, 541, 547-49 (discussing conflicting accounts of whether the bubble
approach actually promoted innovation).
33 Bamberger, supra note 210, at 461 (citing IAN AYRES & JOHN BRAITHWAITE, RESPONSIVE
REGULATION: TRANSCENDING THE DEREGULATION DEBATE 101-32 (1995)).
332 AM. BAR ASS'N, supra note 18, at 9; Coldebella & White, supra note 14, at 241-42; Katyal,
CriminalLaw, supra note 10, at 1099.
A.L.A. Schechter Poultry Corp. v. United States, 295 U.S. 495, 542 (1935).
334 See CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 52-53.
See 5 U.S.C. §§ 561-70 (2006).
336 CTR. FOR STRATEGIC & INT'L STUDIES, supra note 8, at 52.

1556

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.182

107:1503 (2013) Regulating Cyber-security

problems with information asymmetries, takes advantage of distributed

private sector knowledge about vulnerabilities and threats, accommodates
rapid technological change, and promotes innovation. On the other hand,
allowing firms to help set the standards that will be enforced against them
may increase the risk of regulatory capture-the danger that agencies will
come to promote the interests of the companies they regulate instead of the
public's interests."' The risk of capture is always present in regulatory
action, but it is probably even more acute when regulated entities are
expressly invited to the decisionmaking table."'
Products liability law likewise offers several strategies for hardening
critical infrastructure against cyber-attacks. The prospect that a company
might be required to pay money damages to those who have been injured
by an attack on their systems or products would internalize costs that are
now externalized onto others. Liability thus would incentivize firms to
offer goods (such as computer software) and services (such as online
banking) that are more secure.3 Thanks to the economic loss doctrine,

LA
companies presently face little risk of liability for the injuries that result
from their failure to prevent cyber-intrusions.34 0 Modifying this default rule
IM
of de facto immunity could help foster incentives for firms to improve their
cyber-defenses.
What could a recalibrated liability regime for cyber-security look like?
SH

Again, a combination of carrots and sticks could be used. Congress might

abolish the economic loss doctrine for injuries that result from a given
company's wrongful failure to prevent a cyber-attack. In its place,
LU

lawmakers could substitute a regime that imposes liability or offers

immunity based on what steps a company has taken to secure its products
or systems. As for the carrots, firms that implement the security standards
PN

that are developed in tandem with regulators, but nevertheless suffer cyber-
H

m See generally George J. Stigler, The Theory ofEconomic Regulation, 2 BELL J. ECON. & MGMT.
SCI. 3 (1971) (arguing that industries seek out regulation in a manner that is designed and operated to
primarily benefit the industry). A related problem is that, because of information asymmetries, agencies
often depend on the companies they regulate to provide the data they need to formulate rules. Yet firms
will have an incentive to underestimate vulnerabilities and threats to persuade regulators to approve
lenient and less costly security protocols. Coyne & Leeson, supra note 14, at 489. Of course, that
concern is also present in traditional regulation. There are also doctrinal difficulties. Depending on how
the public-private partnership is structured, it conceivably could violate what remains of the
nondelegation doctrine. See, e.g., Carter v. Carter Coal Co., 298 U.S. 238, 310-12 (1936) (striking
down a statute that authorized coal producers to establish minimum prices in certain geographic regions
on the ground that it was an unconstitutional delegation of legislative power to private companies).
338 USA Grp. Loan Servs., Inc. v. Riley, 82 F.3d 708, 714 (7th Cir. 1996) (Posner, C.J.) (describing
negotiated rulemaking as "an abdication of regulatory authority to the regulated, the full burgeoning of
the interest-group state, and the final confirmation ofthe 'capture' theory of administrative regulation").
3 See Coyne & Leeson, supranote 14, at 492; Hunker, supranote 19, at 211; Johnson, supra note
217, at 260; Lichtman & Posner, supra note 61, at 232-39; Yang & Hoffstadt, supra note 15, at 207-
10; Rosenzweig, supranote 14, at 23; Schneier, supra note 35.
340 See supra notes 190-93 and accompanying text.

1557

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.183

 NORTHWESTERN UNIVERSITY LAW REVIEW

attacks, could be offered immunity from lawsuits seeking redress for the
resulting damages.34 ' This cyber "safe harbor" could extend not just to
purely economic injuries (for which firms currently enjoy de facto
immunity) but also to physical injuries and the associated economic harms
(for which firms presently may be held liable). The scope of immunity thus
would be broader than under current law, but it would only be available to
companies that take the desired steps to improve their cyber-defenses.
Lawmakers might use the Safety Act as a model.342 The Support Anti-
Terrorism by Fostering Effective Technologies Act of 2002 grants
immunity to firms that sell certain antiterrorism goods and services, so long
as they comply with various standards, including a requirement that they
carry liability insurance.343
As for the sticks, firms that fail to implement the agreed security
measures and then suffer cyber-attacks could be held liable for the full
range of injuries that result from the intrusions. The severity of the

LA
damages could be pegged to the severity of their misconduct, thereby
achieving marginal deterrence. A company that fails to adopt the approved
security standards might be made to pay compensatory damages or even a
IM
smaller fixed sum set by statute, but a company whose conduct is more
egregious-one that fails to share information about known vulnerabilities
SH

or threats, for instance-might be eligible for exemplary damages. For

inspiration, lawmakers might look to the Gramm-Leach-Bliley Act, which
imposes liability on banks that fail to protect consumer data,3" contributing
to the financial services sector's relatively robust defenses against cyber-
LU

intrusions.345 Such a liability regime would increase both a firm's expected

benefits of implementing the security protocols, as well as the expected
costs of defying them.
PN

Civil liability would also help promote a more robust market for
cyber-security insurance. Insurers can have a profound effect on the steps
firms take to secure their systems and products against cyber-intrusions,
H

because they can insist that companies implement various security

measures as a condition of coverage or charge higher premiums to those
that do not.346 Insurance companies provide a sort of second-order
regulation, enforcing cyber-security standards by refusing to bear the losses
of firms with poor records or engaging in price discrimination against
them. The result is to provide the insured with financial incentives to
implement the defenses their insurers are calling for. These incentives have

341 See Coldebella & White, supra note 14, at 235.

342 BAKER, supranote 24, at 234-35.
343 6 U.S.C. §§ 441-44 (2006).
344 15 U.S.C. § 6801(b) (2006); see supra notes 209-10 and accompanying text.
345 See supra notes 213-17 and accompanying text.
346 See BRENNER, supra note 1, at 225; Bamberger, supra note 210, at 456; Coyne & Leeson, supra
note 14, at 491-92; Rosenzweig, supra note 14, at 23-24.

1558

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.184

107:1503 (2013) Regulating Cyber-security

already borne fruit. According to Bruce Schneier, "[flirewalls are

ubiquitous because auditors started demanding firewalls. This changed the
cost equation for businesses. The cost of adding a firewall was expense and
user annoyance, but the cost of not having a firewall was failing an
audit."347 Enforcement by insurers also can decrease the government's
enforcement costs; there is less need for regulators to verify that firms are
complying with the agreed security standards if insurers, pursuing their
own financial interests, are already doing so.
At present, the market for cyber-security insurance is fairly
underdeveloped (though some insurance companies have begun to offer
coverage348), in part because firms currently face very little risk of liability
for injuries resulting from cyber-attacks on their systems or products; why
insure when one is effectively immune?349 The prospect of civil liability is a
critical first step in creating a viable market for cyber-security insurance."o
Lawmakers might further stimulate the market by offering various kinds of
subsidies. For instance, the government might provide insurers with more

LA
information (including, perhaps, classified information) about the
incidence, prevalence, and consequences of various sorts of malicious
IM
code. Insurers could use this data to more accurately assess the probability
of cyber-intrusions and their potential costs, which would help in setting
premiums.35 ' Or the government might offer tax benefits to insurers that
SH

offer cyber-security policies. Or it might require certain companies, such as

strategically important firms like public utilities or companies that supply
goods or services to the government, to carry cyber-security insurance.
LU

Public health law suggests a final approach to hardening critical

infrastructure. Most states have enacted laws requiring schoolchildren to be
vaccinated against various diseases,352 and lawmakers might adopt similar
PN

measures for cyberspace. In both contexts, compulsory inoculation helps

reduce negative externalities and foster positive ones. Just as an
unvaccinated child might infect classmates with a pathogen, a computer
H

system that lacks effective cyber-defenses might be commandeered into a

botnet. In addition, a child who has been vaccinated contributes to herd
immunity and thereby decreases the probability that other, unvaccinated
students will contract the disease. In the same way, companies that adopt

347 Schneier, supranote 35, at 1.

348 Coyne & Leeson, supra note 14, at 491; Yang & Hoffstadt, supra note 15,
at 208-09.
349 AM. BAR ASS'N, supra note 18; BRENNER, supra note 1, at 225. Another challenge is that it is
difficult for insurers to write policies when-as is often the case with cyber-attacks---the probability
and consequences of an incident are uncertain. See, e.g., Michelle Boardman, Known Unknowns: The
Illusion of Terrorism Insurance, 93 GEO. L.J. 783, 784 (2005) (arguing that insurance coverage for
international terrorism is not possible without adequate actuarial data to calculate risk levels).
350 Rosenzweig, supra note 14, at 23.
351 Coyne & Leeson, supra note 14, at 491-92; Frye, supra note
153, at 366-67.
352 See supra note 229 and accompanying text.

1559

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.185

 NORTHWESTERN UNIVERSITY LAW REVIEW

effective cyber-defenses make it less likely that their systems will be used
to transmit malware to other users.
What would mandatory vaccination look like in cyberspace? Several
variants exist. The most coercive approaches involve direct regulation, akin
to a requirement that all citizens receive a particular vaccine. One option
would be for lawmakers to mandate that every computer user (or, less
dramatically, firms in particularly sensitive industries such as the
telecommunications sector) install certain security products on their
systems, such as antivirus software or firewalls. Think of it as a digital
equivalent of the Patient Protection and Affordable Care Act's "individual
mandate" to purchase health insurance.' An alternative would be for the
government to require ISPs to provide their customers with a specified
security software package.354 ISPs presumably would pass on the costs of
the software to their subscribers, so the effect would be the same as the
individual mandate approach-users would be made to pay a premium for

LA
a security product they previously declined to purchase. Or, the
government could compensate the ISPs for the costs of making the security
package available to their subscribers. In that event, the scheme would
IM
represent a (likely regressive) wealth transfer from taxpayers who do not
use computers to those who do.
SH

Another less coercive set of options would withhold or offer certain

benefits to incentivize security improvements; they are the equivalent of
making vaccination a condition of eligibility to attend public schools. The
ability to access the Internet, as opposed to local or proprietary networks, is
LU

a valuable benefit of the service one receives from an ISP-for many

subscribers it is the most valuable benefit ISPs offer-and it might be
conditioned on a subscriber taking steps to improve cyber-security. In
PN

particular, regulators could direct ISPs to refuse to route users' traffic to the
public Internet unless they are able to verify that the users have installed
specified security software on their systems." Alternatively, government
H

web sites could refuse any traffic sent from a system that has not adopted
specified security measures. Users thus would be unable to, for example,
post comments in an online rulemaking docket or check the status of a tax
refund unless they adopted the security measures. This sort of measure
depends on the ability to authenticate the identity of the sender, as well as
the presence of various cyber-defenses on its system. That capability does
not presently exist, because the TCP/IP routing protocol is unconcerned
with the sender's identity,' though some scholars believe an authenticated
Internet is inevitable." Finally, the government could offer tax credits or

26 U.S.C.A. § 5000A(a) (West 2010).

354 See CLARKE & KNAKE, supra note 1, at 165; Sharp, supra note 8, at 25.
3ss See Rattray et al., supra note 8, at 160.
356 See supranotes 118-20 and accompanying text.
See BAKER, supra note 24, at 231-32; LESSIG, supranote 67, at 45.

1560

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.186

107:1503 (2013) Regulating Cyber-security

deductions to firms or individual users that install the specified security

software on their systems-another (likely regressive) wealth transfer.

C. Survivability andRecovery
The third thing an ideal cyber-security regime would do is promote
resilience, thus limiting the amount of damage attackers can do to critical
infrastructure. Here, the goals are survivability and recovery, not
impregnability."' As Derek Bambauer emphasizes, "[m]itigation, not
prevention, is the key."" The need to build resilience into the nation's
cyber-defenses is a concession to reality; no matter how good one's
defenses are, some attackers will be able to breach them. As a result, it is
not enough to try to prevent attacks altogether. It is also necessary to
minimize the amount of harm that the inevitably successful intrusions can
do, and to restore victims to the status quo ante as quickly as possible.
Public health law offers several strategies for improving resilience. In

LA
realspace, quarantine and isolation aim at minimizing the harm a pathogen
can do; once an outbreak is underway, we want to contain the disease and
limit the number of people to whom it can spread. Quarantine and isolation
IM
might be adapted for cyberspace-where the goal is to prevent malicious
code from infecting more machines-in any number of ways. The most
SH

straightforward approach would be for authorities, in the event of a cyber-

attack, to order systems that are known or suspected to be infected with
malware to temporarily disconnect from the Internet. While in quarantine,
the systems could be inspected to see if they are in fact carrying malicious
LU

code. If not, they could be reconnected; if so, they could be repaired. The
analogy to public health law is fairly exact: separation of the infected,
whether physical or virtual, prevents them from spreading the contagion to
PN

others and presents an opportunity for treatment. While potentially

effective, this approach has a significant drawback-legitimate users will
be unable to access the infected system while it is offline. Putting a bank
H

into cyber-quarantine does not just keep hackers from stealing money, it
also keeps a customer from logging on to pay a credit card bill. A less
drastic way of preventing the spread of malware would be to isolate traffic
rather than systems. Infected systems would remain connected to the
Internet, but authorities could use or require firms to use deep packet
inspection to determine if the data the systems are sending and receiving
contain malware. If a given packet is found to be carrying malicious code,
it could be blocked; if not, it would be allowed to continue on its way. The
public health analogy is allowing a man infected with SARS to leave an
isolation facility and go about his business while wearing a surgical mask
that intercepts the respiratory droplets through which the virus is spread.
The virtue of this finer-grained variant is that it allows legitimate users to

358 See supra note 260 and accompanying text.

359 Bambauer, Ghost, supra note 25, at 5.

1561

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.187

 NORTHWESTERN UNIVERSITY LAW REVIEW

continue to access an infected system even as attackers are prevented from

using it for their malign purposes; the hackers are thwarted, but customers
can still access their accounts, although perhaps a bit more slowly than
usual. On the other hand, traffic quarantines will only be as effective as the
packet sniffers and malware signature files on which they rely, and
sophisticated adversaries might be able to defeat both.
Another more controversial set of options involves preventive
quarantine-separating systems that have not been infected but that are
vulnerable. This approach would turn public health law on its head: rather
than isolating the sick, authorities would isolate the healthy. The most
aggressive variant would require a select group of strategically significant
firms, such as the power grid, financial institutions, and
telecommunications carriers, to temporarily disconnect from the Internet if
a cyber-attack takes place.3 60 Senator Nelson Rockefeller introduced
legislation along these lines in 2009,6' but critics denounced it as an

LA
"Internet Kill Switch."36 2 Preventive quarantine would be a fairly effective
way of preventing malware from spreading to critical infrastructure
because a system that isn't on the Internet can't contract a virus that
IM
spreads online. But it wouldn't be infallible. Even "air gapped" systems-
those that are physically separated from the Internet 363-are vulnerable to
SH

infection via USB devices and other removable media."* A disconnection

requirement could also prove quite costly: the affected systems would be
unavailable to legitimate users for as long as the order remained in effect.
There is also a risk that regulators might pull the disconnection trigger too
LU

readily. As an alternative to a strict disconnection requirement, regulators

might direct strategically significant firms to implement security
countermeasures of their own devising in the event of a cyber-attack.
PN

Senator Joseph Lieberman introduced legislation along these lines in

2010,6' and it likewise was denounced as a kill switch.366 Whatever the
content of these security protocols-encrypting data to prevent its theft, for
H

360 Cf BRENNER, supra note 1, at 234 (recommending efforts to "restrain the connection of the
electricity grid to public networks"); CLARKE & KNAKE, supra note 1, at 167 (proposing that federal
regulators "focus[] on disconnecting the control network for the power generation and distribution
companies from the Internet"); Picker, supra note 44, at 126-27 (arguing that critical infrastructure
should be isolated from public networks as a means to lessen the impact of cyber-terrorism).
361 Cybersecurity Act of 2009, S. 773, 111th Cong. (2009).
362 See, e.g., Mark Gibbs, The Internet Kill Switch, NETWORK WORLD, Apr. 13, 2009, at 34.
363 BRENNER, supra note 1, at 84; Ellen Nakashima, A Cyberspy Is Halted, but Not a Debate,
WASH. POsT, Dec. 9, 2011, at Al, available at http://articles.washingtonpost.com/2011-12-08/national/
35287794 1 malware-computer-network-military-operations.
3 See BAKER, supra note 24, at 216; BRENNER, supra note 1, at 61; CLARKE & KNAKE, supra
note 1, at 127; Baker, supra note 29; Nakashima, Cyberspy, supranote 363.
365 Protecting Cyberspace as a National Asset Act of 2010, S. 3480, 111 th Cong. (2010).
366 See e.g., Adam Cohen, What's Missing in the Internet Kill-Switch Debate, TIME (Aug. 11,
2010), http://www.time.com/time/nation/article/0,8599,2009758,00.html.

1562

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.188

107:1503 (2013) Regulating Cyber-security

instance, or requiring users to authenticate themselves before gaining

access to the system-they could be established through the collaborative
regulatory partnership described above."' An even more modest version of
preventive quarantine would be, as above, to segregate traffic rather than
entire systems. In the event of a cyber-attack, packet sniffers might be used
to inspect all traffic that is sent to and from designated systems. This would
allow the systems to continue to operate more or less as usual, though
perhaps at a cost of less security.
Another important goal is to ensure that critical systems are able to
continue functioning during a cyber-attack and recover quickly thereafter.
One way to achieve this is to build systems with excess capacity-to
include more capabilities than a firm needs for its day-to-day operations,
which can be held in reserve and called into service if an attack takes
place.368 In particular, regulators might require certain companies to build
their systems with excess bandwidth. A "strategic reserve of bandwidth" is
an especially useful countermeasure for defending against denial-of-service

LA
attacks;369 if a company's servers are being overwhelmed, the reserve
bandwidth can be brought into service to process the requests. Regulators
IM
also might require certain companies to maintain redundant data storage
capabilities. These firms might routinely back up their data to servers that
are dispersed both geographically and in network terms. If a cyber-attack
SH

corrupted their systems, it would be relatively easy to wipe them clean and
restore the data from an uncorrupted backup.o An attacker thus might
succeed in taking down one site "only to find that the same content
LU

continues to appear through other servers. This is like playing electronic

Whac-A-Mole on a global scale . . .. ""' These sorts of measures are akin to
the public health practice of stockpiling medicines and vaccines for use in a
PN

crisis. The CDC may not need 300 million doses of smallpox vaccine in its
everyday operations, but they would prove critical in the event of an
outbreak.
H

Excess capacity can be expensive; requiring firms to keep reserves of

largely unused bandwidth costs money, and "[h]aving information located
in multiple places makes it more costly to maintain."372 One way to pay for
these measures would be for companies to pass their costs of complying
with resilience mandates to their customers in the form of price increases,
service decreases, or both. A difficulty with this approach is that improving
a given company's ability to withstand an attack does not just confer
benefits on its customers. It also confers benefits on third parties; if

367 See supra Part IlI.B.

368 See Benkler, supra note 260, at 75.
369 Taipale, supra note 96, at 37.
370 See Bambauer, Conundrum, supra note 12, at 637; Taipale, supra note 96, at 38.
371 BRENNER, supra note 1, at 179.
372 Bambauer, Conundrum, supra note 12, at 637.

1563

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.189

 NORTHWESTERN UNIVERSITY LAW REVIEW

Citibank can continue to operate notwithstanding a DDOS, its customers

will still be able to pay their bills, and third-party vendors will still be able
to receive payments. Excess capacity thus creates positive externalities, and
the customers who pay higher prices for excess capacity are effectively
subsidizing others. Another option would be for the government to offer
various subsidies to firms that are subject to survivability mandates. This
approach is based on a recognition that excess capacity is, in a sense, a
public good that the market will tend to undersupply.373 In part because
excess capacity requirements can be costly, regulators would only apply
them to selected firms of special strategic significance.

D. Responding to Cyber-attacks
The fourth and final component of an effective cyber-security regime
is responding to individuals, groups, and states that have committed cyber-
attacks. This topic naturally lends itself to analysis under the law

LA
enforcement and armed conflict frameworks, and it is exhaustively covered
in the existing literature.374 For instance, scholars have proposed better
international cooperation on cyber-crime investigations, increasing the
IM
penalties for certain computer-related offenses, increasing the costs that
perpetrators must bear to commit cyber-crimes, treating intrusions as
SH

"armed attacks" that trigger the right to self-defense under the United
Nations Charter, treating cyber-attacks as acts of aggression that justify
retaliating with conventional military force, and so on."'7 This Article does
not seek to add to this already voluminous literature. There is, however,
LU

one type of response that deserves brief mention: active self-defense, or

"hackbacks."
A hackback is an in-kind response to a cyber-attack. The victim
PN

essentially mounts a counterattack against the assailant, "shutting down the

attack before it can do further harm and/or damaging the perpetrator's
system to stop it from launching future attacks.""' This might be
H

accomplished in several ways. If a victim detects that it is experiencing a

cyber-attack, it might direct a flood of traffic to the servers through which
the attack is being routed, temporarily overwhelming them and preventing
them from continuing the intrusion."' Or it might hack into the responsible
servers, taking control of them or damaging them." Some scholars believe

See supra notes 137-44 and accompanying text.

374 See sources cited supranote 19.
37 See supra Part II.A.
376 Sklerov, supra note 19, at 25; see also Condron, supra note 19, at 410-11; O'Neill, supra note
19, at 280.
377 Condron, supra note 19, at 410-11.
378 Smith, supra note 17, at 177-78.

1564

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.190

107:1503 (2013) Regulating Cyber-security

that hackbacks are the most effective defense against cyber-attacks,"' in

part because active self-defense can avoid the attribution problem; a victim
firm that is experiencing an intrusion could retaliate against any computer
that is attacking it without knowing who is behind the incident or his
purposes.3"o Needless to say, active self-defense is only possible if the
victim is aware that it is under attack. It will not be an option if, as is
sometimes the case, the intrusion goes undetected.
Active self-defense fits into the law enforcement framework fairly
comfortably. Although hackbacks are probably illegal under the Computer
Fraud and Abuse Act"'-the victims are, after all, perpetrating cyber-
intrusions of their own-fundamental principles of criminal law can
explain why they might be acceptable if we were writing on a blank slate.
The basic idea is justification. Conduct that ordinarily is condemned can
become permissible, or even desirable, in certain circumstances.382
Homicide is typically illegal, but we are allowed to use deadly force against

LA
those who pose a threat to our lives or the lives of others. The same might
be said of hackbacks. Society ordinarily condemns those who break into
others' computers, but one might be justified in hacking a machine to
IM
frustrate its attack on one's own system."'
Active self-defense is controversial, but it offers one potential benefit
that has been largely overlooked in the literature. Like the other regulatory
SH

solutions discussed in this Article, hackbacks can incentivize firms to

improve the security of their systems. Cyber-perpetrators typically do not
launch attacks directly; to obscure their responsibility, they usually route an
LU

attack through a chain of unsecured intermediary systems before reaching

the ultimate target.3 84 If a victim responds to an intrusion with active self-
PN

3 O'Neill, supra note 19, at 240, 280; Sklerov, supra note 19, at 25 & n.160; cf Richard A.
H

Epstein, The Theory and Practice of Self-Help, I J.L. ECON. & POL'Y 1, 30 (2005) (emphasizing the
need for "self-help remedies").
380 Condron, supra note 19, at 415-16; Jensen, Computer Attacks, supra note 19, at 232. See
generally supra notes 116-20 and accompanying text (discussing attribution difficulties).
381 See AM. BAR ASS'N, supra note 18, at 18; BAKER, supra note 24, at 212; CLARKE & KNAKE,
supra note 1, at 214; Smith, supra note 17, at 180, 182.
382 See generally Joshua Dressler, Foreword: Justifications and Excuses: A Brief Review of
the
Concepts and the Literature, 33 WAYNE L. REv. 1155 (1987) (exploring the defense of justification in
criminal law).
383 See Katyal, Community, supra note 135, at 61; O'Neill, supra note 19, at 280; Smith, supranote
17, at 190-91. But see Susan W. Brenner, "At Light Speed": Attribution and Response to
Cybercrime/Terrorism/Warfare,97 J. CRIM. L. & CRIMINOLOGY 379, 448 (2007) (condemning active
self-defense as "vigilantism"); Orin S. Kerr, Virtual Crime, Virtual Deterrence: A Skeptical View of
Self-Help, Architecture, and Civil Liability, 1 J.L. ECON. & POL'Y 197, 204-05 (2005) (same).
Hackbacks also can be described in armed conflict terms. Ari and Jeremy Rabkin argue that private
citizens who conduct cyber-intrusions with a state's blessing are the equivalent of privateers who
operate under state-issued letters of marque. Rabkin & Rabkin, supra note 70, at 12-13.
384 See supra note 120 and accompanying text.

1565

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.191

 NORTHWESTERN UNIVERSITY LAW REVIEW

defense, it is likely that these third-party systems will be harmed.' The

realspace analog is a driver who leaves his car unlocked with the keys in
the ignition; the car is then stolen by bank robbers and destroyed when the
thieves open fire and the bank's security guards shoot back. Many scholars
regard this third-party problem as a sufficient reason to forbid hackbacks. 86
Yet the prospect of damage to third parties may have beneficial effects. The
threat of harm would incentivize third parties to prevent their systems from
being used as conduits for attacks on others. Suppose Citibank knows that,
if attackers gain control of its computers and use them to conduct DDOS
attacks, the victims will be allowed to retaliate against Citibank's
machines. Citibank will have a fairly strong incentive to ensure that its
computers are not commandeered into botnets. Damage from hackbacks
thus would internalize some of the costs that third parties impose on others
by maintaining insecure systems." (Likewise in realspace. If drivers know
that security guards are allowed to damage getaway cars even if they are

LA
stolen, they will lock their doors.) Active self-defense also might weaken
attackers' incentives to commit cyber-attacks. If assailants know that
victims will be able to use hackbacks to render their attacks ineffective, or
IM
less effective, they will have less reason to undertake them in the first
place. By increasing the futility of intrusions, hackbacks can help achieve
SH

deterrence."' Active self-defense thus can simultaneously foster favorable

incentives to improve security and weaken unfavorable incentives to
commit attacks.
At the same time, active self-defense has a number of glaring
LU

downsides. It seems inequitable to force third parties whose systems have

been compromised to bear the costs of the ensuing hackbacks-especially
if they are individual users rather than sophisticated firms capable of
PN

devoting meaningful sums to cyber-defense.* Moreover, as Orin Kerr

points out, active self-defense "would create an obvious incentive for
attackers to be extra careful to disguise their location or use someone else's
H

computer to launch the attack."390 Permitting hackbacks also would

385 See Epstein, supra note 379, at 31; Katyal, Community, supra note 135, at 62-63; Kerr, supra

note 383, at 205; Smith, supranote 17, at 180.

386 Katyal, Community, supra note 135, at 60-66; Kerr, supra note 383, at 205-06.
Cf Picker, supra note 44, at 116, 136 (discussing externalities that arise from poorly secured
computers being used as zombies for DDOS attacks).
388 See O'Neill, supra note 19, at 280; Sklerov, supra note 19, at 10. See generally supra note 261
and accompanying text (explaining how lowering the benefits of cyber-attacks can contribute to
deterrence).
389 These injuries might be partially cured by granting third parties a right against the initial
intruder to compensation for all resulting harms, including those caused by a hackback. Of course, this
sort of compensation mechanism depends on the ability to identify the initial intruder, and that is often
an impossible task. See supra notes 116-20 and accompanying text. The possibility of compensation
would also weaken third parties' incentives to secure their systems.
390 Kerr, supra note 383, at 205.

1566

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.192

107:1503 (2013) Regulating Cyber-security

"encourage foul play designed to harness the new privileges"; one example
is the "bankshot attack," in which an assailant who wants a computer to be
attacked "can route attacks through that one computer towards a series of
victims, and then wait for the victims to attack back at that computer.""' It
cannot be predicted a priori whether the harmful conduct produced by these
negative incentives would be greater or lesser than the beneficial conduct
produced by the positive incentives. A good deal more study is needed
before an active self-defense regime could be put into place.
Conclusion
Cyber-threats aren't going away. As society increasingly comes to rely
on networked critical infrastructure such as banks and the power grid,
adversaries will find that they have ever more to gain by attacking these
digital assets. And we will find that we have ever more to lose.
It therefore becomes essential to think about cyber-security using an
analytical framework that is rich enough to account for the problem in all

LA
its complexity. Cyber-security is too important, and too intricate, to leave
to the criminal law and the law of armed conflict. Instead, as this Article
has proposed, an entirely new conceptual approach is needed-an approach
IM
that can account for the systematic tendency of many private firms to
underinvest in cyber-defense. Companies sometimes fail to secure their
systems against attackers because they do not bear the full costs of the
SH

resulting intrusions; the harms are partially externalized onto third parties.
Firms also tend to neglect cyber-security because by improving their own
defenses they contribute to the security of others' systems; the benefits are
LU

partially externalized, which creates opportunities for free riding. If these

problems sound familiar, that's because they are. These challenges of
negative externalities, positive externalities, and free riding are similar to
PN

challenges that the modern administrative state encounters in a number of

other settings, such as environmental law, antitrust law, products liability
law, and public health law. Scholars and lawmakers might look to these
H

other fields for suggestions on how to incentivize private firms to improve

their defenses; conceiving of cyber-security in regulatory terms opens the
door to regulatory solutions.
Of course, "regulatory solutions" need not mean "command-and-
control solutions." Often it will be possible to promote better cyber-security
by appealing to firms' self-interest-encouraging them to improve their
defenses by immunizing them from liability or offering other subsidies-
instead of sanctioning them when they fail to do so. For instance, rather
than empowering a central regulator to monitor the Internet for outbreaks
of malicious code, companies should use something like public health
law's distributed biosurveillance network to collect and share information
about cyber-threats. Similarly, the private sector should play an active role
in establishing industry-wide cyber-security standards, as it frequently does

391 Id; accord Katyal, Community, supra note 135, at 62-63.

1567

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.193

 NORTHWESTERN UNIVERSITY LAW REVIEW

in environmental law and other regulatory contexts. Offers of immunity

and threats of liability then would be used to encourage companies to adopt
the agreed-upon standards. And as for improving the ability of critical
systems to survive intrusions, infected computers could be temporarily
disconnected from the Internet to keep them from spreading the malware,
and companies should be encouraged to build their systems with excess
capacity (such as reserve bandwidth and remote backups) that can be called
into service during cyber-attacks.
Virtually no one is happy with the state of America's cyber-defenses,
and scholars have felled entire forests exploring how to prosecute cyber-
criminals more effectively or retaliate against countries that launch cyber-
attacks. Maybe we've been asking the wrong questions. Maybe what we
need to secure cyberspace isn't cops, spies, or soldiers. Maybe what we
need is administrative law.

LA
IM
SH
LU
PN
H

1568

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.194

 HOTMAIL CORPORATION,

v.

VAN$ MONEY PIE INC

United States District Court, N.D. California. April 16, 1998.

ORDER GRANTING PRELIMINARY INJUNCTION

WARE, J.

LA
1 THIS MATTER was submitted on the papers by the Court on the Motion of plaintiff Hotmail
Corporation ("Hotmail") for Preliminary Injunction to enjoin defendants ALS Enterprises, Inc.

IM
("ALS"); LCGM, Inc. ("LCGM"); Christopher Moss d/b/a Genesis Network ("Moss"); Palmer &
Associates ("Palmer"); Financial Research Group ("Financial") and Darlene Snow d/b/a
SH
Visionary Web Creations and/or d/b/a Maximum Impact Marketing ("Snow") from infringing
Hotmail's HOTMAIL trade name and service mark, diluting this mark, engaging in acts of unfair
LU

competition, violating the Computer Fraud and Abuse Act, breaching a contract, and violating
California law. 15 U.S.C. §§ 1125(a) & (c); 18 U.S.C. § 1030; Cal. Bus. & Prof.Code §§ 14330,
17200; Cal. Civ.Code §§ 1709-10; and 3420-22. Having reviewed the entire court record
PN

pertaining to this Motion, and having considered the evidence and argument of counsel in
support of Hotmail's Motion, the Court enters the following Findings of Fact and Conclusions of
H

Law:

FINDINGS OF FACT

1. Plaintiff Hotmail is a Silicon Valley company that provides free electronic mail ("e-mail") on
the World Wide Web. Hotmail's online services allow its over ten million registered subscribers
to exchange e-mail messages over the Internet with any other e-mail user who has an Internet e-
mail address throughout the world. Every e-mail sent by a Hotmail subscriber automatically
displays a header depicting Hotmail's domain name "hotmail.com" and a footer depicting
Hotmail's "signature" at the bottom of the e-mail which reads "Get Your Private, Free Email at

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.195

http://www.hotmail.com." Every e-mail received by a Hotmail subscriber also automatically
displays a header depicting Hotmail's domain name. Thus, plaintiff's HOTMAIL mark--
contained within its domain name and signature--appears on millions of e-mails transmitted
worldwide daily.

2. In or about 1996, Hotmail developed the mark HOTMAIL and obtained the Internet domain
name "hotmail.com" which incorporates its mark. Hotmail is the sole and exclusive holder of
that domain name.

3. In or about 1996, Hotmail began using its HOTMAIL mark in various forms and styles,
continuously in commerce in association with its online services as a means of identifying and

LA
distinguishing Hotmail's online services from those of others. Thus Hotmail's mark has appeared
in the headers and footers of e-mail sent from and received by Hotmail subscribers, on Hotmail's

IM
homepage and on nearly every page of its Website, on letterhead and envelopes, on business
cards, in promotional materials and in press releases.
SH
4. Hotmail has spent approximately $10 million marketing, promoting, and distributing its
services in association with its HOTMAIL mark. Hotmail does not authorize any other e-mail
service provider to use its HOTMAIL mark, or Hotmail's domain name or signature.
LU

5. "Spam" is unsolicited commercial bulk e-mail akin to "junk mail" sent through the postal mail.
PN

The transmission of spam is a practice widely condemned in the Internet Community and is of
significant concern to Hotmail.
H

6. Hotmail has invested substantial time and money in efforts to disassociate itself from spam
and to protect e-mail users worldwide from receiving spam associated in any way with Hotmail.

7. To become a Hotmail subscriber, one must agree to abide by a Service Agreement ("Terms of
Service") which specifically prohibits subscribers from using Hotmail's services to send
unsolicited commercial bulk e-mail or "spam," or to send obscene or pornographic messages.
Hotmail can terminate the account of any Hotmail subscriber who violates the Terms of Service.

8. In or about the Fall of 1997, Hotmail learned that defendants were sending "spam" e-mails to
thousands of Internet e-mail users, which were intentionally falsified in that they contained
return addresses bearing Hotmail account return addresses including Hotmail's domain name and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.196

thus its mark, when in fact such messages did not originate from Hotmail or a Hotmail account.
Such spam messages advertised pornography, bulk e-mailing software, and "get-rich- quick"
schemes, among other things.

9. In addition, Hotmail learned that defendants had created a number of Hotmail accounts for the
specific purpose of facilitating their spamming operations. Such accounts were used to collect
responses to defendants' e-mails and "bounced back" messages in what amounted to a "drop box"
whose contents were never opened, read or responded to. It was these Hotmail accounts that
were used as return addresses by defendants in lieu of defendants' actual return addresses when
defendants sent their spam e-mail.

LA
10. As a result of the falsified return addresses described above, Hotmail was inundated with
hundreds of thousands of misdirected responses to defendants' spam, including complaints from

IM
Hotmail subscribers regarding the spam and "bounced back" e-mails which had been sent by
defendants to nonexistent or incorrect e-mail addresses. This overwhelming number of e-mails
SH
took up a substantial amount of Hotmail's finite computer space, threatened to delay and
otherwise adversely affect Hotmail's subscribers in sending and receiving e- mail, resulted in
significant costs to Hotmail in terms of increased personnel necessary to sort and respond to the
LU

misdirected complaints, and damaged Hotmail's reputation and goodwill.

11. In particular, Hotmail discovered a spam e-mail message advertising pornographic material
PN

that was sent by ALS. While this spam originated from ALS and was transmitted through an E-
mail Provider other than Hotmail, ALS falsely designated a real Hotmail e-mail address as the
H

point of origin. The e-mail address chosen for this purpose was "geri748@hotmail.com."

12. Hotmail also discovered a number of spam e-mail messages advertising pornographic
material that were sent by LCGM. While these spam e-mails originated from LCGM and were
transmitted through an E-mail Provider other than Hotmail, LCGM falsely designated a number
of real Hotmail e-mail address as the points of origin. The e-mail addresses chosen for this
purpose were "becky167 @hotmail.com;" "deena54@hotmail.com;" "marisa104@hotmail.com;"
"shelly345 @hotmail.com;" "sonnie67@hotmail.com;" "ashley_113@hotmail.com;" "grace44
@hotmail.com;" "jess_59@hotmail.com;" "kristina17@hotmail.com;" "nellie24 @hotmail.com;"
and, tyrona56@hotmail.com.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.197

13. Hotmail also discovered a spam e-mail message advertising pornographic material that was
sent by Moss. While this spam originated from Moss and was transmitted through an E-mail
Provider other than Hotmail, Moss falsely designated a real Hotmail e-mail address as the point
of origin. The e- mail address chosen for this purpose was "rebecca_h19@hotmail.com."

14. Hotmail also discovered a spam e-mail message advertising a cable descrambler kit that was
sent by Palmer. While this spam originated from Palmer and was transmitted through an E-mail
Provider other than Hotmail, Palmer falsely designated two real Hotmail e-mail addresses as the
points of origin. The e-mail addresses chosen for this purpose were "kelCA@hotmail.com" and
"angiCA@hotmail.com."

LA
15. Hotmail also discovered a spam e-mail message advertising a service that matches people
seeking cash grants that was sent by Financial. While this spam originated from Financial and

IM
was transmitted through an E-mail Provider other than Hotmail, Financial falsely designated a
real Hotmail e-mail address as the point of origin. The e-mail address chosen for this purpose
SH
was "order_desk66 @hotmail.com."

16. Hotmail also discovered a number of spam e-mail messages advertising pornography that
were sent by Snow. While this spam originated from Snow and was transmitted through an E-
LU

mail Provider other than Hotmail, Snow falsely designated several real Hotmail e-mail address as
the point of origin. The e- mail addresses chosen for this purpose were
PN

"bettyharris123@hotmail.com;" "annharris123@hotmail.com;" "cindyharris123@hotmail.com;"

"wilmasimpson @hotmail.com;" "rw3570@hotmail.com;" "rw3560@hotmail.com;" and,
H

"jw2244 @hotmail.com."

CONCLUSIONS OF LAW

Jurisdiction and Venue

17. This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. § 1331. This
Court has supplemental jurisdiction over the state law claims under 28 U.S.C. § 1367. This Court
has personal jurisdiction over the defendants ALS, LCGM, Moss, Palmer, Financial, and Snow,
who have engaged in business activities in or directed in California.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.198

18. Venue is proper in this district pursuant to 28 U.S.C. § 1391 because a substantial portion of
the events giving rise to the claims pled herein occurred in this judicial district and defendants do
business in this judicial district.

Standard For Granting Preliminary Injunction

19. The standard for preliminary injunction relief in trademark infringement cases and related
actions is well-settled. Hotmail must show either: (a) a likelihood of success on the merits and
the possibility of irreparable injury; or (b) the existence of serious questions going to the merits
and the balance of hardships tips in Hotmail's favor. Apple Computer. Inc. v. Formula Int'l, Inc.,
725 F.2d 521, 523 (9th Cir.1984).

LA
Plaintiff's Legal Claims

IM
20. Hotmail seeks preliminary injunctive relief in this Motion for false designations of origin,
federal and state dilution, violation of the Computer Fraud and Abuse Act, state and common
SH
law unfair competition, breach of contract, fraud and misrepresentation, and trespass to chattel,
pursuant to 15 U.S.C. §§ 1116, 1125(a) & (c); 18 U.S.C. § 1030; Cal. Bus. & Prof.Code §§
14330, 17203; and Cal Civ.Code §§ 1709-10.
LU

21. The core element of a cause of action for false designation of origin under 15 U.S.C. §
1125(a) as well as other unfair competition is "likelihood of confusion, i.e., whether the
PN

similarity of the marks is likely to confuse customers about the source of the products." E. & J.
Gallo Winery v. Gallo Cattle Co., 967 F.2d 1280, 1290 (9th Cir.1992); Academy of Motion
H

Picture Arts & Sciences v. Creative House Promotions, Inc., 944 F.2d 1446, 1454 (9th Cir.1991).

22. Courts will consider the following factors, among others, as relevant to a determination of the
likelihood of confusion for claims under 15 U.S.C. § 1125(a) and related other unfair
competition claims: (a) strength or weakness of plaintiff's mark; (b) the degree of similarity with
defendant's mark; (c) class of goods; (d) marketing channels used; (e) evidence of actual
confusion; and (f) intent of the defendant. Americana Trading Inc. v. Russ Berrie & Co., 966
F.2d 1284, 1287 (9th Cir.1992). However, there is not a mandated test for likelihood of
confusion applied by the courts in this Circuit, and the appropriate time for full consideration of
all relevant factors is when the merits of the case are tried. Apple Computer, 725 F.2d at 526.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.199

23. The majority of these factors supports a finding that Hotmail is likely to succeed on the
merits of its claims that defendants' use of the HOTMAIL mark is likely to cause consumer
confusion or mistake as to the origin, sponsorship, or approval of defendants' spam e-mails and
spam e-mail business, and that there are at least serious questions going to the merits of
plaintiff's claims.

24. Plaintiff's mark is strong. The "strength" of a mark depends in part on whether it is arbitrary
or fanciful, suggestive, merely descriptive, or generic. Chronicle Pub. Co. v. Chronicle
Publications, Inc., 733 F.Supp. 1371, 1375 (N.D.Cal.1989). In addition, a company's "extensive
advertising, length of time in business, public recognition, and uniqueness" all strengthen its
trademarks. Century 21 Real Estate Corp. v. Sandlin, 846 F.2d 1175, 1179 (9th Cir.1988). While

LA
the second part of the mark--"mail"--may be suggestive by conveying some aspect of the e-mail
process, the mark as a whole is arbitrary and fanciful because it neither describes nor suggests

IM
that Hotmail is a provider of electronic mail as a Web-based service on the Internet. Moreover,
plaintiff has spent substantial sums of money to advertise and market its services in association
SH
with the mark and has extensively featured the mark in its promotions.

25. Defendants' "mark" is not only confusingly similar to plaintiff's mark, it is identical to it. A
LU

comparison of defendants' and plaintiff's uses shows such striking similarity that a jury could not
help but find that defendants' use is confusing. Indeed, there has been actual confusion among
PN

consumers regarding the marks. This factor alone may be determinative. See E. Remy Martin &
Co., S.A. v. Shaw-Ross International Imports, Inc., 756 F.2d 1525, 1529, 1530 (11th Cir.1985)
(it is "well-settled" that "evidence of actual confusion is not necessary to a finding of likelihood
H

of confusion, although it is the best such evidence;" indeed, "a sufficiently strong showing of
likelihood of confusion may be itself constitute a showing of substantial likelihood of prevailing
on the merits and/or a substantial threat of irreparable harm"); World Carpets, Inc. v. Dick
Littrell's New World Carpets, 438 F.2d 482, 489 (5th Cir.1971) ( "[t]here can be no more
positive or substantial proof of likelihood of confusion than proof of actual confusion").

26. The class of goods and services distributed by defendants--e-mails-- which bear a mark
identical to plaintiff's, are the same as the class of goods and services distributed by plaintiff--e-
mails.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.200

27. The marketing channels through which the parties sell their goods and services are the same--
via e-mail over the Internet. Their consumer audience is likewise the same. Moreover, because e-
mail is specifically designed for the rapid exchange of information, consumers are unlikely to
exercise a great deal of care in distinguishing between marks on e-mails they receive.

28. Defendants' intent further supports possible confusion. Levi Strauss & Co. v. Blue Bell, 632
F.2d 817, 822 (9th Cir.1981); Pacific Telesis Group v. International Telesis Communications,
994 F.2d 1364, 1369 (9th Cir.1993). Here, the evidence supports an inference that defendants
intended to emulate plaintiff's trademark, given their knowing falsification of e-mail return

LA
addresses, their fraudulent creation of Hotmail mailboxes, as well as their attempts to circumvent
plaintiff's efforts to prevent its subscribers from receiving spam.

IM
29. The core elements of a cause of action under the federal dilution statute are plaintiff's
ownership of a famous mark and dilution of the distinctive quality of plaintiff's mark, regardless
SH
of whether consumers are confused about the parties' goods. 15 U.S.C. § 1125(c)(1). Under the
California dilution statute as well, actual injury or likelihood of confusion need not be shown;
plaintiff need only show its business reputation is likely to be injured or the distinctive value of
LU

its mark is likely to be diluted. Cal. Bus. & Prof.Code § 14330; Academy, 944 F.2d at 1457.
PN

30. In determining whether a mark is distinctive and famous so as to support a claim for federal
dilution, the Court has considered the following factors; (a) the degree of inherent or acquired
distinctiveness of the mark; (b) the duration and extent of use of the mark in connection with the
H

goods or services with which the mark is used; (c) the duration and extent of advertising and
publicity of the mark; (d) the geographical extent of the trading area in which the mark is used;
(e) the channels of trade for the goods or services with which the mark is used; (f) the degree of
recognition of the mark in the trading areas and channels of trade used by the mark's owner and
the person against whom the injunction is sought; and (g) the nature and extent of use of the
same or similar marks by third parties. 15 U.S.C. § 1125(c)(1).

31. Under California's anti-dilution statute, the plaintiff need only show the "[l]ikelhihood of
injury to business reputation or of dilution of the distinctive quality of a mark." Cal. Bus. &
Prof.Code § 14330.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.201

32. Here, the evidence supports a finding that plaintiff will likely prevail on its federal and state
dilution claims and that there are at least serious questions going to the merits of these claims.
First, there is sufficient evidence to lead to a finding that plaintiff's trademark is "famous" within
the meaning of 15 U.S.C. § 1125(c)(1) and also that it is entitled to state dilution protection.
Plaintiff's mark is distinctive, has been advertised and used extensively both nationally and
internationally in connection with plaintiff's services, and has established considerable consumer
recognition. Moreover, the use of identical marks by defendants who aresending e-mails to
thousands of e-mail users across the country and the world through identical trade channels
threatens to dilute the distinctiveness of plaintiff's trademark and threatens to harm plaintiff's
business reputation.

LA
Violation Of Computer Fraud And Abuse Act

IM
33. The Computer Fraud and Abuse Act prohibits any person from knowingly causing the
transmission of information which intentionally causes damage, without authorization, to a
SH
protected computer. 18 U.S.C. § 1030.

34. The evidence supports a finding that plaintiff will likely prevail on its Computer Fraud and
Abuse Act claim and that there are at least serious questions going to the merits of this claim in
LU

that plaintiff has presented evidence of the following: that defendants knowingly falsified return
e-mail addresses so that they included, in place of the actual sender's return address, a number of
PN

Hotmail addresses; that such addresses were tied to Hotmail accounts set up by defendants with
the intention of collecting never- to-be-read consumer complaints and "bounced back" e-mails;
H

that defendants knowingly caused this false information to be transmitted to thousands of e- mail
recipients; that defendants took this action knowing such recipients would use the "reply to"
feature to transmit numerous responses to the fraudulently created Hotmail accounts, knowing
thousands of messages would be "bounced back" to Hotmail instead of to defendants, and
knowing that numerous recipients of defendants' spam would e-mail complaints to Hotmail; that
defendants took such actions knowing the risks caused thereby to Hotmail's computer system and
online services, which include risks that Hotmail would be forced to withhold or delay the use of
computer services to its legitimate subscribers; that defendants' actions caused damage to
Hotmail; and that such actions were done by defendants without Hotmail's authorization

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.202

Breach Of Contract

35. The evidence supports a finding that plaintiff will likely prevail on its breach of contract
claim and that there are at least serious questions going to the merits of this claim in that plaintiff
has presented evidence of the following: that defendants obtained a number of Hotmail
mailboxes and access to Hotmail's services; that in so doing defendants agreed to abide by
Hotmail's Terms of Service which prohibit using a Hotmail account for purposes of sending
spam and/or pornography; that defendants breached their contract with Hotmail by using
Hotmail's services to facilitate sending spam and/or pornography; that Hotmail complied with
the conditions of the contract except those from which its performance was excused; and that if
defendants are not enjoined they will continue to create such accounts in violation of the Terms

LA
of Service.

IM
Fraud And Misrepresentation

36. The cause of action for fraud includes willfully deceiving another with intent to induce him
SH
to alter his position to his injury or risk by asserting, as a fact, that which is not true, by one who
has no reasonable ground for believing it to be true; or by suppressing a fact, by one who is
bound to disclose it, or who gives information of other facts which are likely to mislead for want
LU

of communication of that fact; or by making a promise without any intention of performing it.
Civ.Code §§ 1709-10.
PN

37. The evidence supports a finding that plaintiff will likely prevail on its fraud and
misrepresentation claim and that there are at least serious questions going to the merits of this
H

claim in that plaintiff has presented evidence of the following: that defendants fraudulently
obtaineda number of Hotmail accounts, promising to abide by the Terms of Service without any
intention of doing so and suppressing the fact that such accounts were created for the purpose of
facilitating a spamming operation, and that defendants' fraud and misrepresentation caused
Hotmail to allow defendants to create and use Hotmail's accounts to Hotmail's injury. In
addition, the evidence supports a finding that defendants' falsification of e-mails to make it
appear that such messages and the responses thereto were authorized to be transmitted via
Hotmail's computers and stored on Hotmail's computer system--when defendants knew that
sending such spam was unauthorized by Hotmail--constitutes fraud and misrepresentation, and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.203

that Hotmail relied on such misrepresentations to allow the e-mails to be transmitted over
Hotmail's services and to take up storage space on Hotmail's computers, to Hotmail's injury.

Trespass To Chattel

38. "Trespass to chattel ... lies where an intentional interference with the possession of personal
property has proximately caused injury." Thrify-Tel, Inc. v. Bezenek, 46 Cal.App.4th 1559,
1566, 54 Cal.Rptr.2d 468 (1996).

39. The evidence supports a finding that plaintiff will likely prevail on its trespass to chattel
claim and that there are serious questions going to the merits of this claim in that plaintiff has
presented evidence of the following: that the computers, computer networks and computer

LA
services that comprise Hotmail's e-mail system are the personal property of Hotmail; that
defendants obtained consent to create Hotmail accounts within the limitations set forth in the

IM
Terms of Service: no spamming and no pornography; that defendants intentionally trespassed on
Hotmail's property by knowingly and without authorization creating Hotmail accounts that were
SH
used for purposes exceeding the limits of the Terms of Service; that defendants trespassed on
Hotmail's computer space by causing tens of thousands of misdirected e-mail messages to be
transmitted to Hotmail without Hotmail's authorization, thereby filling up Hotmail's computer
LU

storage space and threatening to damage Hotmail's ability to service its legitimate customers; and
that defendants' acts of trespass have damaged Hotmail in terms of added costs for personnel to
PN

sort through and respond to the misdirected e-mails, and in terms of harm to Hotmail's business
reputation and goodwill.
H

Irreparable Harm To Plaintiff

40. In cases where trademark infringement is shown, irreparable harm is presumed. Apple
Computer, 725 F.2d at 525; Charles Schwab & Co. v. Hibernia Bank, 665 F.Supp. 800, 812
(N.D.Cal.1987).

41. Plaintiff has suffered and, if defendants are not enjoined, will continue to suffer irreparable
harm from the distribution, promotion and use of e-mails bearing plaintiff's mark--particularly
spam e-mails, some of which advertise pornography--because of the loss of goodwill and
reputation arising from customer confusion about the source of defendants' spam e-mails and/or

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.204

plaintiff's affiliation or sponsorship of them. This kind of harm is not easily quantified and not
adequately compensated with money damages. Plaintiff thus has no adequate remedy at law.

Balance Of Hardships

42. The Court finds that the irreparable harm to plaintiff should injunctive relief not be granted
outweighs any injury to defendants resulting from a temporary injunction. Plaintiff has
introduced evidence that it has been involved in extensive distribution and promotion of its
online services in association with its mark for years andhas expended vast amounts of time and
money developing and promoting its mark. Plaintiff also is a service mark owner entitled to
avoid having its reputation and goodwill placed in jeopardy. In contrast, if enjoined, defendants

LA
would not suffer harm in that they would be free to continue advertising by means of e-mail so
long as they did not use Hotmail's mark or services to facilitate such advertising. Thus, the

IM
balance of hardships strongly tips in favor of plaintiff.

43. The Court therefore concludes that plaintiff is entitled to a preliminary injunction on the
SH
grounds that plaintiff is likely to succeed on the merits, that there is a possibility of irreparable
injury, that there are serious questions going to the merits, and that the balance of hardships tips
sharply in plaintiff's favor. It is therefore,
LU

ORDERED AND ADJUDGED:

PN

That defendants ALS, LCGM, Moss, Palmer, Financial, and Snow, their officers, agents, co-
conspirators, servants, affiliates, employees, parent and subsidiary corporations, attorneys and
H

representatives, and all those in privity or acting in concert with defendants are temporarily and
preliminarily enjoined and restrained during the pendency of this action from directly or
indirectly:

1. Using any images, designs, logos or marks which copy, imitate or simulate Hotmail's
HOTMAIL mark, and/or Hotmail's "hotmail.com" domain name for any purpose, including but
not limited to any advertisement, promotion, sale or use of any products or services;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.205

2. Performing any action or using any images, designs, logos or marks that are likely to cause
confusion, to cause mistake, to deceive, or to otherwise mislead the trade or public into believing
that Hotmail and defendants, or any of them, are in any way connected, or that Hotmail sponsors
defendants; or that defendants, or any of them, are in any manner affiliated or associated with or
under the supervision or control of Hotmail, or that defendants and Hotmail or Hotmail's services
are associated in any way.

3. Using any images, designs, logos or marks or engaging in any other conduct that creates a
likelihood of injury to the business reputation of Hotmail or a likelihood of misappropriation
and/or dilution of Hotmail's distinctive mark and the goodwill associated therewith;

LA
4. Using any trade practices whatsoever, including those complained of herein, which tend to
unfairly compete with or injure Hotmail, its business and/or the goodwill appertaining thereto;

IM
5. Sending or transmitting, or directing, aiding, or conspiring with others to send or transmit,
electronic mail or messages bearing any false, fraudulent, anonymous, inactive, deceptive, or
SH
invalid return information, or containing the domain "hotmail.com," or otherwise using any other
artifice, scheme or method of transmission that would prevent the automatic return of
undeliverable electronic mail to its original and true point of origin or that would cause the e-
LU

mail return address to be that of anyone other than the actual sender;
PN

6. Using, or directing, aiding, or conspiring with others to use, Hotmail's computers or computer
networks in any manner in connection with the transmission or transfer of any form of electronic
information across the Internet, including, but not limited to, creating any Hotmail e-mail
H

account, or becoming a Hotmail subscriber, for purposes other than those permitted by Hotmail's
Terms of Services, including but not limited to, for purposes of participating in any way in
sending spam e-mail or operating a spamming business, or sending or advertising or promoting
pornography and/or sending e- mails for any commercial purpose.

7. Opening, creating, obtaining and/or using, or directing, aiding, or conspiring with others to
open, create, obtain and/or use, any Hotmail account or mailbox;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.206

8. Acquiring or compiling Hotmail member addresses for use in the transmission of unsolicited
promotional messages to those Hotmail members; and,

9. Sending or transmitting, or directing, aiding, or conspiring with others to send or transmit, any
unsolicited electronic mail message, or any electronic communication of any kind, to or through
Hotmail or its members without prior written authorization.

IT IS FURTHER ORDERED AND ADJUDGED:

That plaintiff shall provide a bond in the amount of only $100.

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.207

 Hill v Gateway 105 F. 3d. 1147

JUDGMENT

EASTERBROOK, Circuit Judge.

[1] A customer picks up the phone, orders a computer, and gives a credit card number. Presently
a box arrives, containing the computer and a list of terms, said to govern unless the customer
returns the computer within 30 days. Are these terms effective as the parties' contract, or is the
contract term-free because the order-taker did not read any terms over the phone and elicit the

LA
customer's assent?

[2] One of the terms in the box containing a Gateway 2000 system was an arbitration clause.

IM
Rich and Enza Hill, the customers, kept the computer more than 30 days before complaining
about its components and performance. They filed suit in federal court arguing, among other
SH
things, that the product's shortcomings make Gateway a racketeer (mail and wire fraud are said
to be the predicate offenses), leading to treble damages under RICO for the Hills and a class of
all other purchasers. Gateway asked the district court to enforce the arbitration clause; the judge
LU

refused, writing that "[t]he present record is insufficient to support a finding of a valid arbitration
agreement between the parties or that the plaintiffs were given adequate notice of the arbitration
PN

clause." Gateway took an immediate appeal, as is its right. 9 U.S.C. sec. 16(a)(1)(A).

[3] The Hills say that the arbitration clause did not stand out: they concede noticing the statement
H

of terms but deny reading it closely enough to discover the agreement to arbitrate, and they ask
us to conclude that they therefore may go to court. Yet an agreement to arbitrate must be
enforced "save upon such grounds as exist at law or in equity for the revocation of any contract."
9 U.S.C. § 2. Doctor's Associates, Inc. v. Casarotto, 116 S. Ct. 1652 (1996), holds that this
provision of the Federal Arbitration Act is inconsistent with any requirement that an arbitration
clause be prominent. A contract need not be read to be effective; people who accept take the risk
that the unread terms may in retrospect prove unwelcome. Carr v. CIGNA Securities, Inc.,
MANU/FEVT/0815/1996 : 95 F.3d 544, 547 (7th Cir. 1996); Chicago Pacific Corp. v. Canada
Life Assurance Co., MANU/FEVT/0355/1988 : 850 F.2d 334 (7th Cir. 1988). Terms inside

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.208

Gateway's box stand or fall together. If they constitute the parties' contract because the Hills had
an opportunity to return the computer after reading them, then all must be enforced.

[4] ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996), holds that terms inside a box of
software bind consumers who use the software after an opportunity to read the terms and to
reject them by returning the product. Likewise, Carnival Cruise Lines, Inc. v. Shute,
MANU/USSC/0159/1991 : 499 U.S. 585 (1991), enforces a forum-selection clause that was
included among three pages of terms attached to a cruise ship ticket. ProCD and Carnival Cruise
Lines exemplify the many commercial transactions in which people pay for products with terms
to follow; ProCD discusses others. 86 F.3d at 1451-52. The district court concluded in ProCD
that the contract is formed when the consumer pays for the software; as a result, the court held,

LA
only terms known to the consumer at that moment are part of the contract, and provisos inside
the box do not count. Although this is one way a contract could be formed, it is not the only way:

IM
"A vendor, as master of the offer, may invite acceptance by conduct, and may propose
limitations on the kind of conduct that constitutes acceptance. A buyer may accept by performing
SH
the acts the vendor proposes to treat as acceptance." Id. at 1452. Gateway shipped computers
with the same sort of accept-or-return offer ProCD made to users of its software. ProCD relied
on the Uniform Commercial Code rather than any peculiarities of Wisconsin law; both Illinois
LU

and South Dakota, the two states whose law might govern relations between Gateway and the
Hills, have adopted the UCC; neither side has pointed us to any atypical doctrines in those states
PN

that might be pertinent; ProCD therefore applies to this dispute.

[5] Plaintiffs ask us to limit ProCD to software, but where's the sense in that? ProCD is about the
H

law of contract, not the law of software. Payment preceding the revelation of full terms is
common for air transportation, insurance, and many other endeavors. Practical considerations
support allowing vendors to enclose the full legal terms with their products. Cashiers cannot be
expected to read legal documents to customers before ringing up sales. If the staff at the other
end of the phone for direct-sales operations such as Gateway's had to read the four-page
statement of terms before taking the buyer's credit card number, the droning voice would
anesthetize rather than enlighten many potential buyers. Others would hang up in a rage over the
waste of their time. And oral recitation would not avoid customers' assertions (whether true or
feigned) that the clerk did not read term X to them, or that they did not remember or understand

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.209

it. Writing provides benefits for both sides of commercial transactions. Customers as a group are
better off when vendors skip costly and ineffectual steps such as telephonic recitation, and use
instead a simple approve-or-return device. Competent adults are bound by such documents, read
or unread. For what little it is worth, we add that the box from Gateway was crammed with
software. The computer came with an operating system, without which it was useful only as a
boat anchor. See Digital Equipment Corp. v. Uniq Digital Technologies, Inc.,
MANU/FEVT/0332/1996 : 73 F.3d 756, 761 (7th Cir. 1996). Gateway also included many
application programs. So the Hills' effort to limit ProCD to software would not avail them
factually, even if it were sound legally - which it is not.

[6] For their second sally, the Hills contend that ProCD should be limited to executory contracts

LA
(to licenses in particular), and therefore does not apply because both parties' performance of this
contract was complete when the box arrived at their home. This is legally and factually wrong:

IM
legally because the question at hand concerns the formation of the contract rather than its
performance, and factually because both contracts were incompletely performed. ProCD did not
SH
depend on the fact that the seller characterized the transaction as a license rather than as a
contract; we treated it as a contract for the sale of goods and reserved the question whether for
other purposes a "license" characterization might be preferable. 86 F.3d at 1450. All debates
LU

about characterization to one side, the transaction in ProCD was no more executory than the one
here: Zeidenberg paid for the software and walked out of the store with a box under his arm, so if
PN

arrival of the box with the product ends the time for revelation of contractual terms, then the time
ended in ProCD before Zeidenberg opened the box. But of course ProCD had not completed
H

performance with delivery of the box, and neither had Gateway. One element of the transaction
was the warranty, which obliges sellers to fix defects in their products. The Hills have invoked
Gateway's warranty and are not satisfied with its response, so they are not well positioned to say
that Gateway's obligations were fulfilled when the motor carrier unloaded the box. What is more,
both ProCD and Gateway promised to help customers to use their products. Long-term service
and information obligations are common in the computer business, on both hardware and
software sides. Gateway offers "lifetime service" and has a round-the-clock telephone hotline to
fulfil this promise. Some vendors spend more money helping customers use their products than
on developing and manufacturing them. The document in Gateway's box includes promises of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.210

future performance that some consumers value highly; these promises bind Gateway just as the
arbitration clause binds the Hills.

[7] Next the Hills insist that ProCD is irrelevant because Zeidenberg was a "merchant" and they
are not. Section 2-207(2) of the UCC, the infamous battle-of-the-forms section, states that
"additional terms [following acceptance of an offer] are to be construed as proposals for addition
to a contract. Between merchants such terms become part of the contract unless. . .". Plaintiffs
tell us that ProCD came out as it did only because Zeidenberg was a "merchant" and the terms
inside ProCD's box were not excluded by the "unless" clause. This argument pays scant attention
to the opinion in ProCD, which concluded that, when there is only one form, "sec. 2-207 is
irrelevant." 86 F.3d at 1452. The question in ProCD was not whether terms were added to a

LA
contract after its formation, but how and when the contract was formed - in particular, whether a
vendor may propose that a contract of sale be formed, not in the store (or over the phone) with

IM
the payment of money or a general "send me the product," but after the customer has had a
chance to inspect both the item and the terms. ProCD answers "yes," for merchants and
SH
consumers alike. Yet again, for what little it is worth we observe that the Hills misunderstand the
setting of ProCD. A "merchant" under the UCC "means a person who deals in goods of the kind
or otherwise by his occupation holds himself out as having knowledge or skill peculiar to the
LU

practices or goods involved in the transaction", sec. 2-104(1). Zeidenberg bought the product at a
retail store, an uncommon place for merchants to acquire inventory. His corporation put ProCD's
PN

database on the Internet for anyone to browse, which led to the litigation but did not make
Zeidenberg a software merchant.
H

[8] At oral argument the Hills propounded still another distinction: the box containing ProCD's
software displayed a notice that additional terms were within, while the box containing
Gateway's computer did not. The difference is functional, not legal. Consumers browsing the
aisles of a store can look at the box, and if they are unwilling to deal with the prospect of
additional terms can leave the box alone, avoiding the transactions costs of returning the package
after reviewing its contents. Gateway's box, by contrast, is just a shipping carton; it is not on
display anywhere. Its function is to protect the product during transit, and the information on its
sides is for the use of handlers ("Fragile!" "This Side Up!") rather than would-be purchasers.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.211

[9] Perhaps the Hills would have had a better argument if they were first alerted to the bundling
of hardware and legal-ware after opening the box and wanted to return the computer in order to
avoid disagreeable terms, but were dissuaded by the expense of shipping. What the remedy
would be in such a case - could it exceed the shipping charges? - is an interesting question, but
one that need not detain us because the Hills knew before they ordered the computer that the
carton would include some important terms, and they did not seek to discover these in advance.
Gateway's ads state that their products come with limited warranties and lifetime support. How
limited was the warranty - 30 days, with service contingent on shipping the computer back, or
five years, with free onsite service? What sort of support was offered? Shoppers have three
principal ways to discover these things. First, they can ask the vendor to send a copy before

LA
deciding whether to buy. The Magnuson-Moss Warranty Act requires firms to distribute their
warranty terms on request, 15 U.S.C. § 2302(b)(1)(A); the Hills do not contend that Gateway

IM
would have refused to enclose the remaining terms too. Concealment would be bad for business,
scaring some customers away and leading to excess returns from others. Second, shoppers can
SH
consult public sources (computer magazines, the Web sites of vendors) that may contain this
information. Third, they may inspect the documents after the product's delivery. Like
Zeidenberg, the Hills took the third option. By keeping the computer beyond 30 days, the Hills
LU

accepted Gateway's offer, including the arbitration clause.

[10] The Hills' remaining arguments, including a contention that the arbitration clause is
PN

unenforceable as part of a scheme to defraud, do not require more than a citation to Prima Paint
Corp. v. Flood & Conklin Mfg. Co., MANU/USSC/0154/1967 : 388 U.S. 395 (1967). Whatever
H

may be said pro and con about the cost and efficacy of arbitration (which the Hills disparage) is
for Congress and the contracting parties to consider. Claims based on RICO are no less arbitrable
than those founded on the contract or the law of torts. Shearson/American Express, Inc. v.
McMahon, MANU/USSC/0123/1987 : 482 U.S. 220, 238-42 (1987). The decision of the district
court is vacated, and this case is remanded with instructions to compel the Hills to submit their
dispute to arbitration.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.212

 Pro CD, Incorporated,

Matthew Zeidenberg And Silken Mountain Web Services, Inc.,

86 F.3d.1447

JUDGMENT

[1] Must buyers of computer software obey the terms of shrinkwrap licenses? The district court

LA
held not, for two reasons: first, they are not contracts because the licenses are inside the box
rather than printed on the outside; second, federal law forbids enforcement even if the licenses

IM
are contracts. 908 F. Supp. 640 (W.D. Wis. 1996). The parties and numerous amici curiae have
briefed many other issues, but these are the only two that matter - and we disagree with the
SH
district judge's conclusion on each. Shrinkwrap licenses are enforceable unless their terms are
objectionable on grounds applicable to contracts in general (for example, if they violate a rule of
positive law, or if they are unconscionable). Because no one argues that the terms of the license
LU

at issue here are troublesome, we remand with instructions to enter judgment for the plaintiff.

[2] ProCD, the plaintiff, has compiled information from more than 3,000 telephone directories
PN

into a computer database. We may assume that this database cannot be copyrighted, although it
is more complex, contains more information (nine-digit zip codes and census industrial codes), is
H

organized differently, and therefore is more original than the single alphabetical directory at
issue in Feist Publications, Inc. v. Rural Telephone Service Co., MANU/USSC/0089/1991 : 499
U.S. 340 (1991). See Paul J. Heald, The Vices of Originality, 1991 Sup. Ct. Rev. 143, 160-68.
ProCD sells a version of the database, called SelectPhone (trademark), on CD-ROM discs. (CD-
ROM means "compact disc - read only memory." The "shrinkwrap license" gets its name from
the fact that retail software packages are covered in plastic or cellophane "shrinkwrap," and some
vendors, though not ProCD, have written licenses that become effective as soon as the customer
tears the wrapping from the package. Vendors prefer "end user license," but we use the more
common term.) A proprietary method of compressing the data serves as effective encryption too.
Customers decrypt and use the data with the aid of an application program that ProCD has

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.213

written. This program, which is copyrighted, searches the database in response to users' criteria
(such as "find all people named Tatum in Tennessee, plus all firms with `Door Systems' in the
corporate name"). The resulting lists (or, as ProCD prefers, "listings") can be read and
manipulated by other software, such as word processing programs.

[3] The database in SelectPhone (trademark) cost more than $10 million to compile and is
expensive to keep current. It is much more valuable to some users than to others. The
combination of names, addresses, and sic codes enables manufacturers to compile lists of
potential customers. Manufacturers and retailers pay high prices to specialized information
intermediaries for such mailing lists; ProCD offers a potentially cheaper alternative. People with
nothing to sell could use the database as a substitute for calling long distance information, or as a

LA
way to look up old friends who have moved to unknown towns, or just as a electronic substitute
for the local phone book. ProCD decided to engage in price discrimination, selling its database to

IM
the general public for personal use at a low price (approximately $150 for the set of five discs)
while selling information to the trade for a higher price. It has adopted some intermediate
SH
strategies too: access to the SelectPhone (trademark) database is available via the America On-
line service for the price America Online charges to its clients (approximately $3 per hour), but
this service has been tailored to be useful only to the general public.
LU

[4] If ProCD had to recover all of its costs and make a profit by charging a single price - that is,
PN

if it could not charge more to commercial users than to the general public - it would have to raise
the price substantially over $150. The ensuing reduction in sales would harm consumers who
value the information at, say, $200. They get consumer surplus of $50 under the current
H

arrangement but would cease to buy if the price rose substantially. If because of high elasticity of
demand in the consumer segment of the market the only way to make a profit turned out to be a
price attractive to commercial users alone, then all consumers would lose out - and so would the
commercial clients, who would have to pay more for the listings because ProCD could not obtain
any contribution toward costs from the consumer market.

[5] To make price discrimination work, however, the seller must be able to control arbitrage. An
air carrier sells tickets for less to vacationers than to business travelers, using advance purchase
and Saturday-night-stay requirements to distinguish the categories. A producer of movies
segments the market by time, releasing first to theaters, then to pay-per-view services, next to the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.214

videotape and laserdisc market, and finally to cable and commercial tv. Vendors of computer
software have a harder task. Anyone can walk into a retail store and buy a box. Customers do not
wear tags saying "commercial user" or "consumer user." Anyway, even a commercial-user-
detector at the door would not work, because a consumer could buy the software and resell to a
commercial user. That arbitrage would break down the price discrimination and drive up the
minimum price at which ProCD would sell to anyone.

[6] Instead of tinkering with the product and letting users sort themselves - for example,
furnishing current data at a high price that would be attractive only to commercial customers, and
two-year-old data at a low price - ProCD turned to the institution of contract. Every box
containing its consumer product declares that the software comes with restrictions stated in an

LA
enclosed license. This license, which is encoded on the CD-ROM disks as well as printed in the
manual, and which appears on a user's screen every time the software runs, limits use of the

IM
application program and listings to non-commercial purposes.
SH
[7] Matthew Zeidenberg bought a consumer package of SelectPhone (trademark) in 1994 from a
retail outlet in Madison, Wisconsin, but decided to ignore the license. He formed Silken
Mountain Web Services, Inc., to resell the information in the SelectPhone (trademark) database.
LU

The corporation makes the database available on the Internet to anyone willing to pay its price -
which, needless to say, is less than ProCD charges its commercial customers. Zeidenberg has
PN

purchased two additional SelectPhone (trademark) packages, each with an updated version of the
database, and made the latest information available over the World Wide Web, for a price,
through his corporation. ProCD filed this suit seeking an injunction against further dissemination
H

that exceeds the rights specified in the licenses (identical in each of the three packages
Zeidenberg purchased). The district court held the licenses ineffectual because their terms do not
appear on the outside of the packages. The court added that the second and third licenses stand
no different from the first, even though they are identical, because they might have been
different, and a purchaser does not agree to - and cannot be bound by - terms that were secret at
the time of purchase. 908 F. Supp. at 654.

[8] Following the district court, we treat the licenses as ordinary contracts accompanying the sale
of products, and therefore as governed by the common law of contracts and the Uniform
Commercial Code. Whether there are legal differences between "contracts" and "licenses"

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.215

(which may matter under the copyright doctrine of first sale) is a subject for another day. See
Microsoft Corp. v. Harmony Computers & Electronics, Inc., 846 F. Supp. 208 (E.D. N.Y. 1994).
Zeidenberg does not argue that Silken Mountain Web Services is free of any restrictions that
apply to Zeidenberg himself, because any effort to treat the two parties as distinct would put
Silken Mountain behind the eight ball on ProCD's argument that copying the application
program onto its hard disk violates the copyright laws. Zeidenberg does argue, and the district
court held, that placing the package of software on the shelf is an "offer," which the customer
"accepts" by paying the asking price and leaving the store with the goods. Peeters v. State, 154
Wis. 111, 142 N.W. 181 (1913). In Wisconsin, as elsewhere, a contract includes only the terms
on which the parties have agreed. One cannot agree to hidden terms, the judge concluded. So far,

LA
so good - but one of the terms to which Zeidenberg agreed by purchasing the software is that the
transaction was subject to a license. Zeidenberg's position therefore must be that the printed

IM
terms on the outside of a box are the parties' contract - except for printed terms that refer to or
incorporate other terms. But why would Wisconsin fetter the parties' choice in this way? Vendors
SH
can put the entire terms of a contract on the outside of a box only by using microscopic type,
removing other information that buyers might find more useful (such as what the software does,
and on which computers it works), or both. The "Read Me" file included with most software,
LU

describing system requirements and potential incompatibilities, may be equivalent to ten pages
of type; warranties and license restrictions take still more space. Notice on the outside, terms on
PN

the inside, and a right to return the software for a refund if the terms are unacceptable (a right
that the license expressly extends), may be a means of doing business valuable to buyers and
sellers alike. See E. Allan Farnsworth, 1 Farnsworth on Contracts sec. 4.26 (1990); Restatement
H

(2d) of Contracts sec. 211 comment a (1981) ("Standardization of agreements serves many of the
same functions as standardization of goods and services; both are essential to a system of mass
production and distribution. Scarce and costly time and skill can be devoted to a class of
transactions rather than the details of individual transactions."). Doubtless a state could forbid the
use of standard contracts in the software business, but we do not think that Wisconsin has done
so.

[9] Transactions in which the exchange of money precedes the communication of detailed terms
are common. Consider the purchase of insurance. The buyer goes to an agent, who explains the
essentials (amount of coverage, number of years) and remits the premium to the home office,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.216

which sends back a policy. On the district judge's understanding, the terms of the policy are
irrelevant because the insured paid before receiving them. Yet the device of payment, often with
a "binder" (so that the insurance takes effect immediately even though the home office reserves
the right to withdraw coverage later), in advance of the policy, serves buyers' interests by
accelerating effectiveness and reducing transactions costs. Or consider the purchase of an airline
ticket. The traveler calls the carrier or an agent, is quoted a price, reserves a seat, pays, and gets a
ticket, in that order. The ticket contains elaborate terms, which the traveler can reject by
cancelling the reservation. To use the ticket is to accept the terms, even terms that in retrospect
are disadvantageous. See Carnival Cruise Lines, Inc. v. Shute, MANU/USSC/0159/1991 : 499
U.S. 585 (1991); see also Vimar Seguros y Reaseguros, S.A. v. M/V Sky Reefer, 115 S.Ct. 2322

LA
(1995) (bills of lading). Just so with a ticket to a concert. The back of the ticket states that the
patron promises not to record the concert; to attend is to agree. A theater that detects a violation

IM
will confiscate the tape and escort the violator to the exit. One could arrange things so that every
concertgoer signs this promise before forking over the money, but that cumbersome way of
SH
doing things not only would lengthen queues and raise prices but also would scotch the sale of
tickets by phone or electronic data service.

[10] Consumer goods work the same way. Someone who wants to buy a radio set visits a store,
LU

pays, and walks out with a box. Inside the box is a leaflet containing some terms, the most
important of which usually is the warranty, read for the first time in the comfort of home. By
PN

Zeidenberg's lights, the warranty in the box is irrelevant; every consumer gets the standard
warranty implied by the UCC in the event the contract is silent; yet so far as we are aware no
H

state disregards warranties furnished with consumer products. Drugs come with a list of
ingredients on the outside and an elaborate package insert on the inside. The package insert
describes drug interactions, contraindications, and other vital information - but, if Zeidenberg is
right, the purchaser need not read the package insert, because it is not part of the contract.

[11] Next consider the software industry itself. Only a minority of sales take place over the
counter, where there are boxes to peruse. A customer pay place an order by phone in response to
a line item in a catalog or a review in a magazine. Much software is ordered over the Internet by
purchasers who have never seen a box. Increasingly software arrives by wire. There is no box;
there is only a stream of electrons, a collection of information that includes data, an application

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.217

program, instructions, many limitations ("MegaPixel 3.14159 cannot be used with Byte-Pusher
2.718"), and the terms of sale. The user purchases a serial number, which activates the software's
features. On Zeidenberg's arguments, these unboxed sales are unfettered by terms - so the seller
has made a broad warranty and must pay consequential damages for any shortfalls in
performance, two "promises" that if taken seriously would drive prices through the ceiling or
return transactions to the horse-and-buggy age.

[12] According to the district court, the UCC does not countenance the sequence of money now,
terms later. (Wisconsin's version of the UCC does not differ from the Official Version in any
material respect, so we use the regular numbering system. Wis. Stat. sec. 402.201 corresponds to
UCC sec. 2-201, and other citations are easy to derive.) One of the court's reasons - that by

LA
proposing as part of the draft Article 2B a new UCC sec. 2-2203 that would explicitly validate
standard-form user licenses, the American Law Institute and the National Conference of

IM
Commissioners on Uniform Laws have conceded the invalidity of shrinkwrap licenses under
current law, see 908 F. Supp. at 655-66 - depends on a faulty inference. To propose a change in a
SH
law's text is not necessarily to propose a change in the law's effect. New words may be designed
to fortify the current rule with a more precise text that curtails uncertainty. To judge by the flux
of law review articles discussing shrinkwrap licenses, uncertainty is much in need of reduction -
LU

although businesses seem to feel less uncertainty than do scholars, for only three cases (other
than ours) touch on the subject, and none directly addresses it. See Step-Saver Data Systems, Inc.
PN

v. Wyse Technology, MANU/FETC/0122/1991 : 939 F.2d 91 (3d Cir. 1991); Vault Corp. v.
Quaid Software Ltd., MANU/FEFT/0432/1988 : 847 F.2d 255, 268-70 (5th Cir. 1988); Arizona
H

Retail Systems, Inc. v. Software Link, Inc., 831 F. Supp. 759 (D. Ariz. 1993). As their titles
suggest, these are not consumer transactions. Step-Saver is a battle-of-the-forms case, in which
the parties exchange incompatible forms and a court must decide which prevails. See Northrop
Corp. v. Litronic Industries, MANU/FEVT/0399/1994 : 29 F.3d 1173 (7th Cir. 1994) (Illinois
law); Douglas G. Baird & Robert Weisberg, Rules, Standards, and the Battle of the Forms: A
Reassessment of sec. 2-207, 68 Va. L. Rev. 1217, 1227-31 (1982). Our case has only one form;
UCC sec. 2-207 is irrelevant. Vault holds that Louisiana's special shrinkwrap-license statute is
preempted by federal law, a question to which we return. And Arizona Retail Systems did not
reach the question, because the court found that the buyer knew the terms of the license before
purchasing the software.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.218

[13] What then does the current version of the UCC have to say? We think that the place to start
is sec. 2-204(1): "A contract for sale of goods may be made in any manner sufficient to show
agreement, including conduct by both parties which recognizes the existence of such a contract."
A vendor, as master of the offer, may invite acceptance by conduct, and may propose limitations
on the kind of conduct that constitutes acceptance. A buyer may accept by performing the acts
the vendor proposes to treat as acceptance. And that is what happened. ProCD proposed a
contract that a buyer would accept by using the software after having an opportunity to read the
license at leisure. This Zeidenberg did. He had no choice, because the software splashed the
license on the screen and would not let him proceed without indicating acceptance. So although
the district judge was right to say that a contract can be, and often is, formed simply by paying

LA
the price and walking out of the store, the UCC permits contracts to be formed in other ways.
ProCD proposed such a different way, and without protest Zeidenberg agreed. Ours is not a case

IM
in which a consumer opens a package to find an insert saying "you owe us an extra $10,000" and
the seller files suit to collect. Any buyer finding such a demand can prevent formation of the
SH
contract by returning the package, as can any consumer who concludes that the terms of the
license make the software worth less than the purchase price. Nothing in the UCC requires a
seller to maximize the buyer's net gains.
LU

[14] Section 2-606, which defines "acceptance of goods", reinforces this understanding. A buyer
accepts goods under sec. 2-606(1)(b) when, after an opportunity to inspect, he fails to make an
PN

effective rejection under sec. 2-602(1). ProCD extended an opportunity to reject if a buyer
should find the license terms unsatisfactory; Zeidenberg inspected the package, tried out the
H

software, learned of the license, and did not reject the goods. We refer to sec. 2-606 only to show
that the opportunity to return goods can be important; acceptance of an offer differs from
acceptance of goods after delivery, see Gillen v. Atalanta Systems, Inc.,
MANU/FEVT/0126/1993 : 997 F.2d 280, 284 n. 1 (7th Cir. 1993); but the UCC consistently
permits the parties to structure their relations so that the buyer has a chance to make a final
decision after a detailed review.

[15] Some portions of the UCC impose additional requirements on the way parties agree on
terms. A disclaimer of the implied warranty of merchantability must be "conspicuous." UCC sec.
2-316(2), incorporating UCC sec. 1-201(10). Promises to make firm offers, or to negate oral

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.219

modifications, must be "separately signed." UCC secs. 2-205, 2-209(2). These special provisos
reinforce the impression that, so far as the UCC is concerned, other terms may be as
inconspicuous as the forum-selection clause on the back of the cruise ship ticket in Carnival
Lines. Zeidenberg has not located any Wisconsin case - for that matter, any case in any state -
holding that under the UCC the ordinary terms found in shrinkwrap licenses require any special
prominence, or otherwise are to be undercut rather than enforced. In the end, the terms of the
license are conceptually identical to the contents of the package. Just as no court would dream of
saying that SelectPhone (trademark) must contain 3,100 phone books rather than 3,000, or must
have data no more than 30 days old, or must sell for $100 rather than $150 - although any of
these changes would be welcomed by the customer, if all other things were held constant - so, we

LA
believe, Wisconsin would not let the buyer pick and choose among terms. Terms of use are no
less a part of "the product" than are the size of the database and the speed with which the

IM
software compiles listings. Competition among vendors, not judicial revision of a package's
contents, is how consumers are protected in a market economy. Digital Equipment Corp. v. Uniq
SH
Digital Technologies, Inc., MANU/FEVT/0332/1996 : 73 F.3d 756 (7th Cir. 1996). ProCD has
rivals, which may elect to compete by offering superior software, monthly updates, improved
terms of use, lower price, or a better compromise among these elements. As we stressed above,
LU

adjusting terms in buyers' favor might help Matthew Zeidenberg today (he already has the
software) but would lead to a response, such as a higher price, that might make consumers as a
PN

whole worse off.

[16] The district court held that, even if Wisconsin treats shrinkwrap licenses as contracts, sec.
H

301(a) of the Copyright Act, 17 U.S.C. § 301(a), prevents their enforcement. 908 F. Supp. at
656-59. The relevant part of sec. 301(a) preempts any "legal or equitable rights [under state law]
that are equivalent to any of the exclusive rights within the general scope of copyright as
specified by section 106 in works of authorship that are fixed in a tangible medium of expression
and come within the subject matter of copyright as specified by sections 102 and 103". ProCD's
software and data are "fixed in a tangible medium of expression", and the district judge held that
they are "within the subject matter of copyright". The latter conclusion is plainly right for the
copyrighted application program, and the judge thought that the data likewise are "within the
subject matter of copyright" even if, after Feist, they are not sufficiently original to be
copyrighted. 908 F. Supp. at 656-57. Baltimore Orioles, Inc. v. Major League Baseball Players

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.220

Ass'n, MANU/FEVT/0534/1986 : 805 F.2d 663, 676 (7th Cir. 1986), supports that conclusion,
with which commentators agree. E.g., Paul Goldstein, III Copyright sec. 15.2.3 (2d ed. 1996);
Melville B. Nimmer & David Nimmer, Nimmer on Copyright sec. 101[B] (1995); William F.
Patry, II Copyright Law and Practice 1108-09 (1994). One function of sec. 301(a) is to prevent
states from giving special protection to works of authorship that Congress has decided should be
in the public domain, which it can accomplish only if "subject matter of copyright" includes all
works of a type covered by sections 102 and 103, even if federal law does not afford protection
to them. Cf. Bonito Boats, Inc. v. Thunder Craft Boats, Inc., MANU/USSC/0060/1989 : 489 U.S.
141 (1989) (same principle under patent laws).

[17] But are rights created by contract "equivalent to any of the exclusive rights within the

LA
general scope of copyright"? Three courts of appeals have answered "no." National Car Rental
Systems, Inc. v. Computer Associates International, Inc., MANU/FEET/0076/1993 : 991 F.2d

IM
426, 433 (8th Cir. 1993); Taquino v. Teledyne Monarch Rubber, MANU/FEFT/0301/1990 : 893
F.2d 1488, 1501 (5th Cir. 1990); Acorn Structures, Inc. v. Swantz, MANU/FEFO/0205/1988 :
SH
846 F.2d 923, 926 (4th Cir. 1988). The district court disagreed with these decisions, 908 F. Supp.
at 658, but we think them sound. Rights "equivalent to any of the exclusive rights within the
general scope of copyright" are rights established by law - rights that restrict the options of
LU

persons who are strangers to the author. Copyright law forbids duplication, public performance,
and so on, unless the person wishing to copy or perform the work gets permission; silence means
PN

a ban on copying. A copyright is a right against the world. Contracts, by contrast, generally
affect only their parties; strangers may do as they please, so contracts do not create "exclusive
H

rights." Someone who found a copy of SelectPhone (trademark) on the street would not be
affected by the shrinkwrap license - though the federal copyright laws of their own force would
limit the finder's ability to copy or transmit the application program.

[18] Think for a moment about trade secrets. One common trade secret is a customer list. After
Feist, a simple alphabetical list of a firm's customers, with address and telephone numbers, could
not be protected by copyright. Yet Kewanee Oil Co. v. Bicron Corp., MANU/USSC/0183/1974 :
416 U.S. 470 (1974), holds that contracts about trade secrets may be enforced - precisely because
they do not affect strangers' ability to discover and use the information independently. If the
amendment of sec. 301(a) in 1976 overruled Kewanee and abolished consensual protection of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.221

those trade secrets that cannot be copyrighted, no one has noticed - though abolition is a logical
consequence of the district court's approach. Think, too, about everyday transactions in
intellectual property. A customer visits a video store and rents a copy of Night of the Lepus. The
customer's contract with the store limits use of the tape to home viewing and requires its return in
two days. May the customer keep the tape, on the ground that sec. 301(a) makes the promise
unenforceable?

[19] A law student uses the LEXIS database, containing public-domain documents, under a
contract limiting the results to educational endeavors; may the student resell his access to this
database to a law firm from which LEXIS seeks to collect a much higher hourly rate? Suppose
ProCD hires a firm to scour the nation for telephone directories, promising to pay $100 for each

LA
that ProCD does not already have. The firm locates 100 new directories, which it sends to ProCD
with an invoice for $10,000. ProCD incorporates the directories into its database; does it have to

IM
pay the bill? Surely yes; Aronson v. Quick Point Pencil Co., MANU/USSC/0028/1979 : 440
U.S. 257 (1979), holds that promises to pay for intellectual property may be enforced even
SH
though federal law (in Aronson, the patent law) offers no protection against third-party uses of
that property. See also Kennedy v. Wright, MANU/FEVT/0330/1988 : 851 F.2d 963 (7th Cir.
1988). But these illustrations are what our case is about. ProCD offers software and data for two
LU

prices: one for personal use, a higher price for commercial use. Zeidenberg wants to use the data
without paying the seller's price; if the law student and Quick Point Pencil Co. could not do that,
PN

neither can Zeidenberg.

H

[20] Although Congress possesses power to preempt even the enforcement of contracts about
intellectual property - or railroads, on which see Norfolk & Western Ry. v. Train Dispatchers,
MANU/USSC/0158/1991 : 499 U.S. 117 (1991) - courts usually read preemption clauses to
leave private contracts unaffected. American Airlines, Inc. v. Wolens, 115 S.Ct. 817 (1995),
provides a nice illustration. A federal statute preempts any state "law, rule, regulation, standard,
or other provision . . . relating to rates, routes, or services of any air carrier." 49 U.S.C. App. sec.
1305(a)(1). Does such a law preempt the law of contracts - so that, for example, an air carrier
need not honor a quoted price (or a contract to reduce the price by the value of frequent flyer
miles)? The Court allowed that it is possible to read the statute that broadly but thought such an

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.222

interpretation would make little sense. Terms and conditions offered by contract reflect private
ordering, essential to the efficient functioning of markets. 115 S.Ct. at 824-25. Although some
principles that carry the name of contract law are designed to defeat rather than implement
consensual transactions, id. at 826 n. 8, the rules that respect private choice are not preempted by
a clause such as sec. 1305(a)(1). Section 301(a) plays a role similar to sec. 1301(a)(1): it prevents
states from substituting their own regulatory systems for those of the national government. Just
as sec. 301(a) does not itself interfere with private transactions in intellectual property, so it does
not prevent states from respecting those transactions. Like the Supreme Court in Wolens, we
think it prudent to refrain from adopting a rule that anything with the label "contract" is
necessarily outside the preemption clause: the variations and possibilities are too numerous to

LA
foresee. National Car Rental likewise recognizes the possibility that some applications of the law
of contract could interfere with the attainment of national objectives and therefore come within

IM
the domain of sec. 301(a). But general enforcement of shrinkwrap licenses of the kind before us
does not create such interference.
SH
[21] Aronson emphasized that enforcement of the contract between Aronson and Quick Point
Pencil Company would not withdraw any information from the public domain. That is equally
true of the contract between ProCD and Zeidenberg. Everyone remains free to copy and
LU

disseminate all 3,000 telephone books that have been incorporated into ProCD's database.
Anyone can add sic codes and zip codes. ProCD's rivals have done so. Enforcement of the
PN

shrinkwrap license may even make information more readily available, by reducing the price
ProCD charges to consumer buyers. To the extent licenses facilitate distribution of object code
H

while concealing the source code (the point of a clause forbidding disassembly), they serve the
same procompetitive functions as does the law of trade secrets. Rockwell Graphic Systems, Inc.
v. DEV Industries, Inc., MANU/FEVT/0244/1991 : 925 F.2d 174, 180 (7th Cir. 1991). Licenses
may have other benefits for consumers: many licenses permit users to make extra copies, to use
the software on multiple computers, even to incorporate the software into the user's products. But
whether a particular license is generous or restrictive, a simple two-party contract is not
"equivalent to any of the exclusive rights within the general scope of copyright" and therefore
may be enforced.

[22] REVERSED AND REMANDED

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.223

******************************************************************************

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.224

 Appellants: P.R. Transport Agency

Vs.

Respondent: Union of India (UOI) and Ors.

JUDGMENT

Sushil Harkauli and Umeshwar Pandey, JJ.

1. We have heard Sri Manish Goyal for the Petitioner and Sri Madhur Prakash representing
Respondents No. 2 and 3 at length.

LA
2. During the course of hearing Sri Madhur Prakash raised a preliminary objection regarding
want of territorial jurisdiction on part of this Court to entertain and hear this writ petition. The

IM
objection of Sri Madhur Prakash can be divided into three parts:

(1) No part of cause of action has arisen within the territory of U.P.
SH
(2) No facts have been pleaded in the writ petition on the basis of which it can be said that any
part of cause of action has arisen within the territory of U.P.
LU

(3) The jurisdiction of this Court under Article 226 of the Constitution of India stands ousted in
favour of the Jharkhand High Court under Clause 10.5 of the Tender Agreement, the relevant
PN

part of which reads that (any) dispute arising out of this scheme shall be subject to the
jurisdiction of the Jharkhand High Court'.
H

3. On this objection, both the sides were granted time to examine the matter. From the
Petitioner's side, a (second) supplementary-affidavit has been filed stating that district Chandauli
(in U. P.) is the principal place of business of the Petitioner. This averment in para 2 of the
second supplementary'-affidavit of Rakesh Kumar Srivastava is sought to be corroborated by the
copy of the registered partnership deed of the Petitioner which has been enclosed as 1st
Annexure to that affidavit. The said deed is dated 7.7.2000, and in it the principal place of
business is at Chandauli and the only other place where the Petitioner carries on business is
Varanasi, which is also in the State of U. P.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.225

4. Sri Madhur Prakash raised an objection that this second supplementary-affidavit, from the side
of the Petitioner, should not be entertained or accepted by this Court because all the facts
mentioned in this affidavit were within the knowledge of the Petitioner at the time when the writ
petition was filed and there is no explanation from the Petitioner's side why these facts were not
mentioned in the writ petition as originally filed.

5. Having considered the matter, we are unable to sustain this objection. This kind of objection is
available either in cases of review under Order XLVII, Rule 1 (a) or in cases of additional
evidence in appeal under Order XLI, Rule 27 (1) (aa) of the Code of Civil Procedure or in suits
for specific performance of contracts where the pleadings of 'readiness and willingness' required
under Section 16(1)(c) of the Specific Relief Act has not been made originally in the plaint and is

LA
sought to be added by amendment of the plaint. Apart from the above three cases, we are not
aware of any other principle of law which permits exception to be taken to narration of additional

IM
facts by way of amendment application or by way of supplementary-affidavit in a writ petition.
SH
6. The contention of the Petitioner with regard to territorial jurisdiction is that because the
communication of the acceptance of the tender was received by the Petitioner by e-mail at
Chandauli (U. P.), therefore, the contract from which this dispute arises was completed at
LU

Chandauli and in a case seeking performance of the contract or alleging breach of the contract by
the Respondents, the completion of the contract is a part of the 'cause of action'. There the place
PN

where the contract was completed by receipt of communication of acceptance is a place where
'part of cause of action' arises.
H

7. According to Halsbury's laws of England 4th Edition Reissue Vol. 9 (1) Paragraph 683 Pages
434, 435 it has been said in reference to contracts made orally as by telephone, or in writing as
by telex or fax, that the contract is complete when and where the acceptance is received.
However, those principles can apply only where the transmitting terminal and the receiving
terminal are at fixed points. In case of e-mail, the data (in this case acceptance) can be
transmitted from any where by the e-mail account holder, it goes to the memory of a 'server'
which may be located anywhere and can be retrieved by the addressee account holder from
anywhere in the world and, therefore, there is no fixed point either of transmission or of receipt.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.226

8. Anticipating the difficulties likely to arise from this, the Information Technology Act, 2000 in
Section 13(3) provides as follows:

(3) Save as otherwise agreed to between the originator and the addressee, an electronic record is
deemed to be dispatched at the place where the originator has his place of business, and is
deemed to be received at the place where the addressee has his place of business.

9. Thus, the acceptance of the tender, communicated by the Respondents to the Petitioner by e-
mail, will be deemed to be received by the Petitioner at Varanasi/Chandauli, which are the only
two places where the Petitioner has his place of business.

10. In view of the facts mentioned in the supplementary-affidavit, read with Information

LA
Technology Act, the acceptance having been received by the Petitioner at Chandauli/Varanasi,
the contract became complete by receipt of such acceptance at Varanasi/Chandauli, both of

IM
which places are within the territorial jurisdiction of this Court. Therefore, a part of the cause of
action having arisen in U. P., this Court has territorial jurisdiction to entertain the writ petition.
SH
However, it has to be examined whether the 'ouster' Clause (No. 10.5) of the tender agreement
has the effect of excluding the writ jurisdiction of this Court.
LU

11. Jurisdiction of civil courts is created by statute and cannot be created or conferred by the
consent of the parties upon a Court which has not been granted territorial or pecuniary or other
PN

(subject matter related) jurisdiction by statute.

12. Under Section 28 of the Indian Contract Act, 1872, the parties by their agreement are not
H

permitted to totally exclude the jurisdiction of civil courts which has been created by statute.
However, where several civil courts have territorial jurisdiction in respect of a suit, parties may
by agreement confine themselves to any one or more of such civil courts and such an agreement
would not be violative of Section 28 of the Contract Act.

The above principles apply to civil suits and civil courts.

13. Generally, the Courts are reluctant to accept ouster of the jurisdiction of the civil courts and,
therefore, ouster clauses in agreement are construed strictly and jurisdiction is held to be
excluded only when it is inevitable result of the agreement. In this light the Supreme Court in the
case of A. B. C. Laminart Pvt. Ltd. and Anr. v. A. P. Agencies, MANU/SC/0001/1989 : AIR

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.227

1989 SC 1239, laid down that either the agreement ousting jurisdiction of some courts and
confining the jurisdiction to one or more courts should use the words like 'alone', 'only',
'exclusive' etc. in the ouster clause with regard to the courts to which jurisdiction has been
confined ; or in the alternative where such isolating words have not been used, the maxim
'expressio unius est exclusio alterius' meaning 'expression of one is the exclusion of another' may
be applied in appropriate cases where the facts so demand.

14. After considering the facts of the said case as well as the alleged ouster clause which said
"any dispute arising out of this sale shall be subject to Kaira jurisdiction", the Supreme Court
held that it would not oust the jurisdiction of other courts which had territorial jurisdiction under
Section 20(c) of the Code of Civil Procedure.

LA
15. But, a more fundamental question needs to be examined, viz. whether the ouster clauses can

IM
exclude the jurisdiction of civil courts only or whether such clause can exclude the jurisdiction
under Article 226 of the Constitution of India also.
SH
16. Section 20, Code of Civil Procedure for the civil court and Article 226 of the Constitution of
India for the High Courts permit the exercise of territorial jurisdiction where the cause of action
wholly or in part arises within their territories. To that extent, the words used in the two
LU

provisions are similar.

PN

17. But, there is one vital difference, namely, that while the jurisdiction to pass a decree accrues
to the civil court only upon institution of suit by filing of a plaint and the civil court cannot act
suo motu, but under Article 226 of the Constitution of India the power to issue writs, orders or
H

directions is not necessarily dependant upon filing of a writ petition. The High Court has the
power to act suo motu if an appropriate matter comes to its knowledge calling for intervention by
it. Such knowledge may be received by the High Court by means of a writ petition or otherwise.

18. When the parties enter into an agreement confining themselves to the jurisdiction of one of
the several civil courts having territorial jurisdiction in respect of a suit, basically the parties are
placing a restraint upon themselves from approaching the other civil courts whose jurisdiction
has been excluded by the agreement. In this manner the jurisdiction of the other civil courts gets
ousted, subject only to one restriction which is provided in Section 28 of the Contract Act.
However, the power of judicial review given to the High Courts by Article 226 of the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.228

Constitution of India, and being a basic feature of the Constitution cannot be curtailed even by
statute, as held by the Supreme Court in the case of L. Chandra Kumar v. Union of India and
Ors. MANU/SC/0261/1997: (1997) 3 SCC 261. Therefore, it is not possible to accept the
contention that the said constitutional power of the High Court to issue a writ suo motu can be
curtailed by an agreement between litigants.

19. We, therefore, hold that the ouster clauses can oust a territorial jurisdiction only of civil
courts and not of the High Court in respect of the power under Article 226 of the Constitution of
India, provided such power exists in the High Court on account of part of cause of action having
arisen within its territorial jurisdiction.

LA
20. Coming to the merits of the matter, the case of the Petitioner is that Respondents No. 2 and 3
held an e-auction for certain coal in different lots. The Petitioner submitted its tender or bid in

IM
the said auction and the Petitioner's bid was accepted for 4000 metric tons of coal

from Dobari Colliery at the price of Rs. 1,625 per metric tons. The acceptance letter was issued
SH
on 19.7.2005 by e-mail at the Petitioner's e-mail address. Acting upon the said acceptance, the
Petitioner deposited the full amount of Rs. 81,12,000 through cheque in favour of Respondent
No. 3 on 28.7.2005. The cheque was accepted and encashed by Respondent No. 3.
LU

21. Subsequently, instead of delivering the coal to the Petitioner, Respondent No. 4 sent an e-
PN

mail dated 10.8.2005 to the Petitioner saying that the sale as well as the e-auction in favour of the
Petitioner stands cancelled "due to some technical and unavoidable reasons". This
communication has been challenged in this writ petition and a copy of the same has been
H

enclosed as Annexure-1 to this writ petition.

22. On 13.9.2005, the following interim order was passed in this case:

In the meantime, if 4000 metric ton of coal, for which the Petitioner had submitted his bid at the
e-auction, has not been given to any body else, it will not be transferred to any other person so
that if the writ petition succeeds that coal may be directed to be delivered to the Petitioner.

23. Sri Madhur Prakash, who had received copy of this writ petition on 29.8.2005 (i.e., almost a
month ago) on behalf of Respondents No. 2 and 3, has stated on instructions, that the only reason
for this cancellation is that there was some other person whose bid for the same coal was slightly

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.229

higher than the Petitioner, but due to some flaw in the computer or its programme or feeding of
data the said bid could not be considered.

24. We have considered this defence. That third party is not before us and there is no averment
from the side of the Petitioner or the Respondents that the said third party has so far challenged
the acceptance of the bid of the Petitioner. In absence of such challenge, Respondents No. 2, 3
and 4 are firstly bound by their concluded contract and thereafter they are further bound by the
principle of promissory estoppel, inasmuch as the Petitioner has altered its legal position to its
disadvantage, acting upon the communication of acceptance sent to it by these Respondents, by
depositing large amount of money, viz. Rs. 81,12,000 by cheque which has also been encashed
by the Respondents.

LA
25. There can be no doubt that the Respondents are 'State' within the meaning of Article 12 of the

IM
Constitution of India and the cancellation of the auction and the contract of sale in favour of the
Petitioner at such a highly belated stage, without giving any opportunity of hearing to the
SH
Petitioner, is violative of the principles of natural justice and on that ground also it cannot be
sustained.

26. In view of what has been stated above, we allow the writ petition; set aside the
LU

communication dated 10.8.2005 (Annexure-1 to the writ petition) as well as the decision
contained in that communication, and direct Respondents No. 2 and 3 to handover the coal,
PN

covered by the Petitioner's accepted bid, to the Petitioner without further delay.

27. As requested, certified copies of this order may be issued to the parties, on payment of
H

requisite charges, within a week.

******************************************************************************

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.230

 LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.231

 Playboy Enterprises, Inc., Plaintiff,

v.

Calvin Designer Label, Calvin Fuller, and Calvin Merit, Defendants.

985 F. Supp. 1218 (1997)

TEMPORARY RESTRAINING ORDER AND ORDER TO SHOW CAUSE FOR

PRELIMINARY INJUNCTION

LEGGE, District Judge.

LA
This cause has been presented to the Court, upon the motion of Plaintiff Playboy Enterprises,
Inc. ("PEI"), seeking a Temporary Restraining Order, and an Order To Show Cause why this

IM
Court should not preliminarily enjoin Defendants during the pendency of this action from
infringing PEI's trademarks on Defendants' Internet World Wide Web site.
SH
PEI's motion is supported by a Complaint; a Memorandum of Points and Authorities; the
Declaration of Michelle A. Kaiser, Staff Attorney of PEI; and the Declaration of Maryann
Hayes, outside intellectual property counsel to PEI.
LU

This Court having given full consideration to all of PEI's papers and the relevant authorities, and
in accordance with Federal Rule of Civil Procedure 65(b),
PN

IT IS HEREBY ORDERED AND ADJUDGED as follows:

H

1. This Court has subject matter jurisdiction under 28 U.S.C. §§ 1331 and 1332.

2. This Court has personal jurisdiction over Defendants by virtue of their California citizenship
and tortious acts within this Judicial District.

3. PEI owns Federal Trademark Reg. No. 721,987 for the mark PLAYMATE, several Federal
Trademark Reg. Nos. ______ for the mark PLAYBOY, and other registrations for the marks
PLAYMATE and PLAYBOY.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.232

4. Defendants have used the mark PLAYMATE as part of their domain name on the Internet and
used the marks PLAYMATE and PLAYBOY within the Internet Web pages offered at the site
www.playmatelive.com, all without PEI's authority.

5. Plaintiff PEI has demonstrated a sufficient (i) likelihood of success on the merits of its
trademark infringement, unfair competition and dilution claims, (ii) irreparable harm if it is not
granted a temporary restraining order pending hearing on its motion for a preliminary injunction
(iii) the balance of hardships tipping in its favor, (iv) and the absence of any public interest
factors militating against the interim relief sought in its application, to merit and constitute good
cause for the issuance of a Temporary Restraining Order as more particularly described herein.

LA
6. The Court finds that Plaintiff PEI is likely to succeed on the merits in proving inter alia
trademark infringement, unfair competition, including a false designation of origin and false

IM
representation, in defendants' use of the domain name "playmatelive.com", the use of the name
Playmate Live Magazine which include plaintiff's PLAYMATE registered trademark, and the
SH
use of the PLAYBOY trademark in machine readable code in defendants' Internet Web page, so
that the PLAYBOY trademark is accessible to individuals or Internet search engines which,
attempt to access plaintiff under plaintiff's PLAYBOY registered trademark. IT IS THEREFORE
LU

FURTHER ORDERED that:

1. Defendants, their officers, agents, servants, employees, attorneys, parents, subsidiaries and
PN

related companies having notice of this Order by personal service, electronic mail, or otherwise,
and all persons acting for, with, by, through or under them, and each of them, shall be
H

immediately temporarily enjoined and restrained from:

a. using in any manner the PLAYMATE or PLAYBOY trademarks and any other term or terms
likely to cause confusion therewith, including PLAYMATELIVE or "playmatelive.com", as
Defendants' domain name, directory name, or other such computer address, as the name of
Defendants' Web site service, in buried code or metatags on their home page or Web pages, or in
connection with the advertising or promotion of their goods, services or web sites;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.233

b. using in any manner the PLAYMATE or PLAYBOY trademarks in connection with the
Defendants' goods or services in such a manner that is likely to create the erroneous belief that
said goods or services are authorized by, sponsored by, licensed by or are in some way
associated with PEI;

c. disseminating, using or distributing any Web site pages, advertising or Internet code words or
titles, or any other promotional materials whose appearance so resembles the Web site pages or
trademarks used by PEI, so as to create a likelihood of confusion, mistake or deception;

d. otherwise engaging in any other acts or conduct which would cause consumers to erroneously
believe that Defendants' goods or services are somehow sponsored by, authorized by, licensed

LA
by, or in any other way associated with PEI; and

2. Defendants shall preserve and retain in hard copies or digital copies, all evidence and

IM
documentation relating in any way to their use of the domain name "playmatelive.com" and the
trademarks PLAYMATE and PLAYBOY in any form, including all records relating to such Web
SH
site or any other Web sites or subscription magazines or services where such names or marks
have been used, all records relating to the names, addresses (e-mail or otherwise) of any parties
with whom Defendants have communicated, and all financial records relating to such Web sites,
LU

services, magazines, or any products or services, advertising, on or offered on or through such

Internet Web sites.
PN

3. Defendants shall immediately cease using and claiming ownership of the marks "playmate" or
"playmatelive" on the Internet.
H

4. Personal service of a copy of the Summons and Complaint in this action, together with a copy
of this Order and the paper upon which it is based, shall be effected by personal delivery upon
Defendants or service at their homes or business address at 345 California Drive # 38,
Burlingame, California 94010, by 5:00 p.m. on 8/29, 1997, or such other date as may be *1220
extended by the Court; and such service shall constitute good and sufficient service hereof.

5. Answering papers, if any, shall be filed and personally served upon plaintiff's counsel, Neil A.
Smith, Limbach & Limbach L.L.P., 2001 Ferry Building, San Francisco, California 94111,
Telephone: (415) 433-4150, on or before 5:00 p.m. on September 5, 1997, and such service shall

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.234

constitute good and sufficient service hereof. Any reply by plaintiff shall be filed and personally
served upon Defendants or their counsel on or before 12:00 Noon on September 8, 1997.

6. This Court shall conduct and Defendants shall appear at a hearing on PEI's motion for a
preliminary injunction at 2:00 p.m. on September 8, 1997, at the United States Courthouse for
the Northern District of California, 450 Golden Gate Avenue, San Francisco, California, in the
courtroom of The Honorable Charles A. Legge at which hearing Defendants shall show cause
why a Preliminary Injunction should not be entered by this Court in the form and nature of the
above Order.

7. It is further ordered that plaintiff shall post a bond in the amount of $1000.00 within two (2)

LA
business days from the date of this Order in cash or surety for this Temporary Restraining Order.

***************************************************************************

IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.235

 Brookfield Communications, Inc.,

West Coast Entertainment Corporation

174 F.3d. 1036(1062-64)(9th Cir.1999)

[2] We must venture into cyberspace to determine whether federal trademark and unfair
competition laws prohibit a video rental store chain from using an entertainment-industry
information provider's trademark in the domain name of its web site and in its web site's
metatags.

LA
[3] Brookfield Communications, Inc. ("Brookfield") appeals the district court's denial of its
motion for a preliminary injunction prohibiting West Coast Entertainment Corporation ("West

IM
Coast") from using in commerce terms confusingly similar to Brookfield's trademark,
"MovieBuff." Brookfield gathers and sells information about the entertainment industry.
SH
Founded in 1987 for the purpose of creating and marketing software and services for
professionals in the entertainment industry, Brookfield initially offered software applications
featuring information such as recent film submissions, industry credits, professional contacts,
LU

and future projects. These offerings targeted major Hollywood film studios, independent
production companies, agents, actors, directors, and producers.
PN

[4] Brookfield expanded into the broader consumer market with computer software featuring a
searchable database containing entertainment-industry related information marketed under the
H

"MovieBuff" mark around December 1993.[fn1] Brookfield's "MovieBuff" software now targets
smaller companies and individual consumers who are not interested in purchasing Brookfield's
professional level alternative, The Studio System, and includes comprehensive, searchable,
entertainment-industry databases and related software applications containing information such
as movie credits, box office receipts, films in development, film release schedules, entertainment
news, and listings of executives, agents, actors, and directors. This "MovieBuff" software comes
in three versions - (1) the MovieBuff Pro Bundle, (2) the MovieBuff Pro, and (3) MovieBuff -
and is sold through various retail stores, such as Borders, Virgin Megastores, Nobody Beats the
Wiz, The Writer's Computer Store, Book City, and Samuel French Bookstores.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.236

[5] Sometime in 1996, Brookfield attempted to register the World Wide Web ("the Web")
domain name "moviebuff.com" with Network Solutions, Inc. ("Network Solutions"),[fn2] but
was informed that the requested domain name had already been registered by West Coast.
Brookfield subsequently registered "brookfieldcomm.com" in May 1996 and
"moviebuffonline.com" in September 1996.[fn3] Sometime in 1996 or 1997, Brookfield began
using its web sites to sell its "MovieBuff" computer software and to offer an Internet-based
searchable database marketed under the "MovieBuff" mark. Brookfield sells its "MovieBuff"
computer software through its "brookfieldcomm.com" and "moviebuffonline.com" web sites and
offers subscribers online access to the MovieBuff database itself at its "inhollywood.com" web
site.

LA
[6] On August 19, 1997, Brookfield applied to the Patent and Trademark Office (PTO) for
federal registration of "MovieBuff" as a mark to designate both goods and services. Its trademark

IM
application describes its product as "computer software providing data and information in the
field of the motion picture and television industries." Its service mark application describes its
SH
service as "providing multiple-user access to an on-line network database offering data and
information in the field of the motion picture and television industries." Both federal trademark
registrations issued on September 29, 1998. Brookfield had previously obtained a California state
LU

trademark registration for the mark "MovieBuff" covering "computer software" in 1994.
PN

[7] In October 1998, Brookfield learned that West Coast - one of the nation's largest video rental
store chains with over 500 stores - intended to launch a web site at "moviebuff.com" containing,
inter alia, a searchable entertainment database similar to "MovieBuff." West Coast had registered
H

"moviebuff.com" with Network Solutions on February 6, 1996 and claims that it chose the
domain name because the term "Movie Buff" is part of its service mark, "The Movie Buff's
Movie Store," on which a federal registration issued in 1991 covering "retail store services
featuring video cassettes and video game cartridges" and "rental of video cassettes and video
game cartridges." West Coast notes further that, since at least 1988, it has also used various
phrases including the term "Movie Buff" to promote goods and services available at its video
stores in Massachusetts, including "The Movie Buff's Gift Guide"; "The Movie Buff's Gift
Store"; "Calling All Movie Buffs!";"Good News Movie Buffs!"; "Movie Buffs, Show Your
Stuff!";"the Perfect Stocking Stuffer for the Movie Buff!"; "A Movie Buff's Top Ten"; "The

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.237

Movie Buff Discovery Program";"Movie Buff Picks"; "Movie Buff Series"; "Movie Buff
Selection Program"; and "Movie Buff Film Series."

[8] On November 10, Brookfield delivered to West Coast a cease-and-desist letter alleging that
West Coast's planned use of the "moviebuff.com" would violate Brookfield's trademark rights; as
a "courtesy" Brookfield attached a copy of a complaint that it threatened to file if West Coast did
not desist.

[9] The next day, West Coast issued a press release announcing the imminent launch of its web
site full of "movie reviews, Hollywood news and gossip, provocative commentary, and coverage

LA
of the independent film scene and films in production." The press release declared that the site
would feature "an extensive database, which aids consumers in making educated decisions about

IM
the rental and purchase of" movies and would also allow customers to purchase movies,
accessories, and other entertainment-related merchandise on the web site.
SH
[10] Brookfield fired back immediately with a visit to the United States District Court for the
Central District of California, and this lawsuit was born. In its first amended complaint filed on
LU

November 18, 1998, Brookfield alleged principally that West Coast's proposed offering of online
services at "moviebuff.com" would constitute trademark infringement and unfair competition in
PN

violation of sections 32 and 43(a) of the Lanham Act, 15 U.S.C. § 1114, 1125(a).[fn4] Soon
thereafter, Brookfield applied ex parte for a temporary restraining order ("TRO") enjoining West
Coast "[f]rom using . . . in any manner . . . the mark MOVIEBUFF, or any other term or terms
H

likely to cause confusion therewith, including moviebuff.com, as West Coast's domain name, . . .
as the name of West Coast's website service, in buried code or metatags on their home page or
web pages, or in connection with the retrieval of data or information on other goods or services."

[11] On November 27, West Coast filed an opposition brief in which it argued first that
Brookfield could not prevent West Coast from using "moviebuff.com" in commerce because
West Coast was the senior user. West Coast claimed that it was the first user of "MovieBuff"
because it had used its federally registered trademark, "The Movie Buff's Movie Store,"[fn5]
since 1986 in advertisements, promotions, and letterhead in connection with retail services
featuring videocassettes and video game cartridges. Alternatively, West Coast claimed seniority

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.238

on the basis that it had garnered common-law rights in the domain name by using
"moviebuff.com" before Brookfield began offering its "MovieBuff" Internet-based searchable
database on the Web. In addition to asserting seniority, West Coast contended that its planned
use of "moviebuff.com" would not cause a likelihood of confusion with Brookfield's trademark
"MovieBuff" and thus would not violate the Lanham Act.

[12] The district court heard arguments on the TRO motion on November 30. Later that day, the
district court issued an order construing Brookfield's TRO motion as a motion for a preliminary
injunction and denying it. The district court concluded that West Coast was the senior user of the
mark "MovieBuff" for both of the reasons asserted by West Coast. The court also determined
that Brookfield had not established a likelihood of confusion

LA
[13] Brookfield responded by filing a notice of appeal from the denial of preliminary injunction

IM
followed by a motion in the district court for injunction pending appeal, which motion the district
court denied. On January 16, 1999, West Coast launched its web site at "moviebuff.com."
SH
Fearing that West Coast's fully operational web site would cause it irreparable injury, Brookfield
filed an emergency motion for injunction pending appeal with this court a few days later. On
February 24, we granted Brookfield's motion and entered an order enjoining West Coast "from
LU

using, or facilitating the use of, in any manner, including advertising and promotion, the mark
MOVIEBUFF, or any other term or terms likely to cause confusion therewith, including
PN

@moviebuff.com or moviebuff.com, as the name of West Coast's web site service, in buried
code or metatags on its home page or web pages, or in connection with the retrieval of data or
information on other goods or services." The injunction was to take effect upon the posting of a
H

$25,000 bond in the district court by Brookfield. We scheduled oral argument on an expedited
basis for March 10.

[14] West Coast thereupon filed a motion for reconsideration and modification - seeking a stay
of the injunction pending appeal and an increase in the bond requirement to $400,000 - which we
denied. After oral argument on March 10, we ordered that our previously issued injunction
remain in effect pending the issuance of this opinion.

[15] To resolve the legal issues before us, we must first understand the basics of the Internet and
the World Wide Web. Because we will be delving into technical corners of the Internet - dealing

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.239

with features such as domain names and metatags - we explain in some detail what all these
things are and provide a general overview of the relevant technology.

[16] The Internet is a global network of interconnected computers which allows individuals and
organizations around the world to communicate and to share information with one another. The
Web, a collection of information resources contained in documents located on individual
computers around the world, is the most widely used and fastest-growing part of the Internet
except perhaps for electronic mail ("e-mail"). See United States v. Microsoft,
MANU/UDCC/0152/1998 : 147 F.3d 935, 939 (D.C. Cir. 1998). With the Web becoming an
important mechanism for commerce, see Reno v. ACLU, 117 S.Ct. 2329, 2334 (1997) (citing an
estimate that over 200 million people will use the Internet in 1999), companies are racing to

LA
stake out their place in cyberspace. Prevalent on the Web are multimedia "web pages" -
computer data files written in Hypertext Markup Language ("HTML") - which contain

IM
information such as text, pictures, sounds, audio and video recordings, and links to other web
pages. See id. at 2335; Panavision Int'l, L.P. v. Toeppen, MANU/FENT/0024/1998 : 141 F.3d
SH
1316, 1318 (9th Cir. 1998).
LU

[17] Each web page has a corresponding domain address, which is an identifier somewhat
analogous to a telephone number or street address. Domain names consist of a second-level
PN

domain - simply a term or series of terms (e.g., westcoastvideo) - followed by a top-level

domain, many of which describe the nature of the enterprise. Top-level domains include ".com"
H

(commercial), ".edu" (educational), ".org" (non-profit and miscellaneous organizations), ".gov"

(government), ".net" (networking provider), and ".mil" (military). See Panavision, 141 F.3d at
1318. Commercial entities generally use the ".com" top-level domain, which also serves as a
catchall top-level domain. See id. To obtain a domain name, an individual or entity files an
application with Network Solutions listing the domain name the applicant wants. Because each
web page must have an unique domain name, Network Solution checks to see whether the
requested domain name has already been assigned to someone else. If so, the applicant must
choose a different domain name. Other than requiring an applicant to make certain
representations, Network Solutions does not make an independent determination about a
registrant's right to use a particular domain name.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.240

[18] Using a Web browser, such as Netscape's Navigator or Microsoft's Internet Explorer, a
cyber "surfer" may navigate the Web - searching for, communicating with, and retrieving
information from various web sites. See id.; Microsoft, 147 F.3d at 939-40, 950. A specific web
site is most easily located by using its domain name. See Panavision, 141 F.3d at 1327. Upon
entering a domain name into the web browser, the corresponding web site will quickly appear on
the computer screen. Sometimes, however, a Web surfer will not know the domain name of the
site he is looking for, whereupon he has two principal options: trying to guess the domain name
or seeking the assistance of an Internet "search engine.

[19] Oftentimes, an Internet user will begin by hazarding a guess at the domain name, especially
if there is an obvious domain name to try. Web users often assume, as a rule of thumb, that the

LA
domain name of a particular company will be the company name followed by ".com." See id.;
Playboy Enters. v. Universal Tel-a-Talk, Inc., No. 96-6961, 1998 WL 767440, at *2 (E.D. Pa.

IM
Nov. 3, 1998); Cardservice Int'l, Inc. v. McGee, 950 F. Supp. 737, 741 (E.D. Va. 1997), aff'd by,
129 F.3d 1258 (4th Cir. 1997). For example, one looking for Kraft Foods, Inc. might try
SH
"kraftfoods.com," and indeed this web site contains information on Kraft's many food products.
Sometimes, a trademark is better known than the company itself, in which case a Web surfer
may assume that the domain address will be " `trademark'.com." See Panavision, 141 F.3d at
LU

1327; Beverly v. Network Solutions, Inc., No. 98-0337, 1998 WL 320829, at *1 (N.D. Cal. June
12, 1998) ("Companies attempt to make the search for their web site as easy as possible. They do
PN

so by using a corporate name, trademark or service mark as their web site address."). One
interested in today's news would do well visiting "usatoday.com," which features, as one would
H

expect, breaking stories from Gannett's USA Today. Guessing domain names, however, is not a
risk-free activity. The Web surfer who assumes that " `X'.com" will always correspond to the
web site of company X or trademark X will, however, sometimes be misled

[20] One looking for the latest information on Panavision, International, L.P., would sensibly try
"panavision.com." Until recently, that Web surfer would have instead found a web site owned by
Dennis Toeppen featuring photographs of the City of Pana, Illinois. See Panavision, 141 F.3d at
1319. Having registered several domain names that logically would have corresponded to the
web sites of major companies such as Panavision, Delta Airlines, Neiman Marcus, Lufthansa,
Toeppen sought to sell "panavision.com" to Panavision, which gives one a taste of some of the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.241

trademark issues that have arisen in cyberspace. See id.; see also, e.g., Cardservice, 950 F. Supp.
at 740-42

[21] A Web surfer's second option when he does not know the domain name is to utilize an
Internet search engine, such as Yahoo, Altavista, or Lycos. See ACLU v. Reno, 31 F. Supp.2d
473, 484 (E.D. Pa. 1999); Washington Speakers Bureau, Inc. v. Leading Authorities, Inc., No.
98-634, 1999 WL 51869, at *9 (E.D. Va. Feb. 2, 1999). When a keyword is entered, the search
engine processes it through a self-created index of web sites to generate a (sometimes long) list
relating to the entered keyword. Each search engine uses its own algorithm to arrange indexed
materials in sequence, so the list of web sites that any particular set of keywords will bring up
may differ depending on the search engine used. See Niton Corp. v. Radiation Monitoring

LA
Devices, Inc., 27 F. Supp.2d 102, 104 (D. Mass. 1998); Intermatic Inc. v. Toeppen, 947 F. Supp.
1227, 1231-32 (N.D. Ill. 1996); Shea v. Reno, 930 F. Supp. 916, 929 (S.D.N.Y. 1996), aff'd, 117

IM
S.Ct. 2501 (1997). Search engines look for keywords in places such as domain names, actual text
on the web page, and metatags. Metatags are HTML code intended to describe the contents of
SH
the web site. There are different types of metatags, but those of principal concern to us are the
"description" and "keyword" metatags. The description metatags are intended to describe the
web site; the keyword metatags, at least in theory, contain keywords relating to the contents of
LU

the web site. The more often a term appears in the metatags and in the text of the web page, the
more likely it is that the web page will be "hit" in a search for that keyword and the higher on the
PN

list of "hits" the web page will appear. See Niton, 27 F. Supp.2d at 104

[22] With this basic understanding of the Internet and the Web, we may now analyze the legal
H

issues before us

[23] We review the district court's denial of preliminary injunctive relief for an abuse of
discretion. See, e.g., Foti v. City of Menlo Park, MANU/FENT/0270/1998 : 146 F.3d 629, 634-
35 (9th Cir. 1998). Under this standard, reversal is appropriate only if the district court based its
decision on clearly erroneous findings of fact or erroneous legal principles. See FDIC v. Garner,
MANU/FENT/0795/1997 : 125 F.3d 1272, 1276 (9th Cir. 1997), cert. denied, 118 S.Ct. 1229
(1998). "A district court would necessarily abuse its discretion if it based its ruling on an
erroneous view of the law," Cooter & Gell v. Hartmarx Corp., MANU/USSC/0086/1990 : 496
U.S. 384, 405 (1990), so we review the underlying legal issues injunction de novo, see, e.g.,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.242

Barahona-Gomez v. Reno, No. 97-15952, 1999 WL 61709, at *4 (9th Cir. Feb. 11, 1999);
S.O.C., Inc. v. County of Clark, MANU/FENT/0116/1998 : 152 F.3d 1136, 1142 (9th Cir. 1998),
amended by, 160 F.3d 541 (9th Cir. 1998); Foti, 146 F.3d at 635; Garner, 125 F.3d at 1276; San
Antonio Community Hosp. v. Southern Cal. Dist. Council of Carpenters,
MANU/FENT/0814/1997 : 125 F.3d 1230, 1234 (9th Cir. 1997)

[24] "A plaintiff is entitled to a preliminary injunction in a trademark case when he demonstrates
either (1) a combination of probable success on the merits and the possibility of irreparable
injury or (2) the existence of serious questions going to the merits and that the balance of
hardships tips sharply in his favor." Sardi's Restaurant Corp. v. Sardie, MANU/FENT/0550/1985
: 755 F.2d 719, 723 (9th Cir. 1985). To establish a trademark infringement claim under section

LA
32 of the Lanham Act or an unfair competition claim under section 43(a) of the Lanham Act,
Brookfield must establish that West Coast is using a mark confusingly similar to a valid,

IM
protectable trademark of Brookfield's.[fn6] See AMF Inc. v. Sleekcraft Boats,
MANU/FENT/0335/1979 : 599 F.2d 341, 348 (9th Cir. 1979). The district court denied
SH
Brookfield's motion for preliminary injunctive relief because it concluded that Brookfield had
failed to establish that it was the senior user of the "MovieBuff" mark or that West Coast's use of
the "moviebuff.com" domain name created a likelihood of confusion
LU

[25] We review each of the district court's conclusions in turn.

PN

[26] [1] To resolve whether West Coast's use of "moviebuff.com" constitutes trademark
infringement or unfair competition,[fn8] we must first determine whether Brookfield has a valid,
H

protectable trademark interest in the "MovieBuff" mark. Brookfield's registration of the mark on
the Principal Register in the Patent and Trademark Office constitutes prima facie evidence of the
validity of the registered mark and of Brookfield's exclusive right to use the mark on the goods
and services specified in the registration. See 15 U.S.C. § 1057(b); 1115(a). Nevertheless, West
Coast can rebut this presumption by showing that it used the mark in commerce first, since a
fundamental tenet of trademark law is that ownership of an inherently distinctive mark such as
"MovieBuff"[fn9] is governed by priority of use. See Sengoku Words Ltd. v. RMC Int'l, Ltd.,
MANU/FENT/0812/1996 : 96 F.3d 1217, 1219 (9th Cir. 1996) ("It is axiomatic in trademark law
that the standard test of ownership is priority of use. To acquire ownership of a trademark it is
not enough to have invented the mark first or even to have registered it first; the party claiming

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.243

ownership must have been the first to actually use the mark in the sale of goods or services."),
cert. denied, 521 U.S. 1103 (1997). The first to use a mark is deemed the "senior" user and has
the right to enjoin "junior" users from using confusingly similar marks in the same industry and
market or within the senior user's natural zone of expansion. See Union Nat'l Bank of Tex.,
Laredo, Tex. v. Union Nat'l Bank of Tex., Austin, Tex., MANU/FEFT/0115/1990 : 909 F.2d
839, 842-43 (5th Cir. 1990); Tally-Ho, Inc. v. Coast Community College Dist.,
MANU/FEEE/0587/1989 : 889 F.2d 1018, 1023 (11th Cir. 1990); New West Corp. v. NYM Co.
of Cal., MANU/FENT/0528/1979 : 595 F.2d 1194, 1200-01 (9th Cir. 1979)

[27] It is uncontested that Brookfield began selling "MovieBuff" software in 1993 and that West
Coast did not use "moviebuff.com" until 1996. According to West Coast, however, the fact that

LA
it has used "The Movie Buff's Movie Store" as a trademark since 1986 makes it the first user for
purposes of trademark priority. In the alternative, West Coast claims priority on the basis that it

IM
used "moviebuff.com" in commerce before Brookfield began offering its "MovieBuff"
searchable database on the Internet. We analyze these contentions in turn.
SH
[28] [2] Conceding that the first time that it actually used "moviebuff.com" was in 1996, West
Coast argues that its earlier use of "The Movie Buff's Movie Store" constitutes use of
LU

"moviebuff.com."[fn10] West Coast has not provided any Ninth Circuit precedent approving of
this constructive use theory, but neither has Brookfield pointed us to any case law rejecting it.
PN

We are not without guidance, however, as our sister circuits have explicitly recognized the
ability of a trademark owner to claim priority in a mark based on the first use date of a similar,
but technically distinct, mark - but only in the exceptionally narrow instance where "the
H

previously used mark is `the legal equivalent of the mark in question or indistinguishable
therefrom' such that consumers `consider both as the same mark.'" Data Concepts, Inc. v. Digital
Consulting, Inc., MANU/FEST/0065/1998 : 150 F.3d 620, 623 (6th Cir. 1998) (quoting Van
Dyne-Crotty, Inc. v. Wear-Guard Corp., MANU/USFD/0050/1991 : 926 F.2d 1156, 1159 (Fed.
Cir. 1991)); accord Van Dyne-Crotty, 926 F.2d at 1159. This constructive use theory is known as
"tacking," as the trademark holder essentially seeks to "tack" his first use date in the earlier mark
onto the subsequent mark. See generally 2 J. Thomas McCarthy, McCarthy on Trademarks &
Unfair Competition § 17:25-27 (4th ed. 1998) [hereafter "McCarthy"].

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.244

[29] [3] We agree that tacking should be allowed if two marks are so similar that consumers
generally would regard them as essentially the same. Where such is the case, the new mark
serves the same identificatory function as the old mark. Giving the trademark owner the same
rights in the new mark as he has in the old helps to protect source-identifying trademarks from
appropriation by competitors and thus furthers the trademark law's objective of reducing the
costs that customers incur in shopping and making purchasing decisions. See Qualitex Co. v
Jacobson Prods. Co., MANU/USSC/0028/1995 : 514 U.S. 159, 163-64 (1995); Falcon Rice Mill,
Inc. v. Community Rice Mill, Inc., MANU/FEFT/0234/1984 : 725 F.2d 336, 348 (5th Cir. 1984).

[30] Without tacking, a trademark owner's priority in his mark would be reduced each time he
made the slightest alteration to the mark, which would discourage him from altering the mark in

LA
response to changing consumer preferences, evolving aesthetic developments, or new advertising
and marketing styles. In Hess's of Allentown, Inc. v. National Bellas Hess, Inc., for example, a

IM
department store ("Allentown") with trademark rights in the terms "Hess Brothers" and "Hess"
dating from 1899 began promoting itself in 1952 instead as "Hess's," largely because customers
SH
and employees commonly referred to the store as "Hess's" rather than "Hess Brothers" or "Hess."
See 169 U.S.P.Q. 673, 674-75 (T.T.A.B. 1971). Another department store ("Bellas") first used
"Hess" in its mark around 1932. In light of the fact that Allentown first used "Hess's" after Bellas
LU

commenced using "Hess," Bellas would have priority on the basis of the actual first use dates of
those two marks. Even though Allentown had acquired over a half-century's worth of goodwill in
PN

the essentially identical marks "Hess" and "Hess Brothers," Allentown no longer had trademark
rights in those terms because it had ceased using those marks when it adopted "Hess's."
H

Nevertheless, the Trademark Board allowed the owner of "Hess's" to tack his first use date of
"Hess Brothers" and "Hess" onto "Hess's" since those terms were viewed as identical by the
public.

[31] [4] The standard for "tacking," however, is exceedingly strict: "The marks must create the
same, continuing commercial impression, and the later mark should not materially differ from or
alter the character of the mark attempted to be tacked." Van Dyne-Crotty, 926 F.2d at 1159
(emphasis added) (citations and quotation marks omitted). In other words, "the previously used
mark must be the legal equivalent of the mark in question or indistinguishable therefrom, and the
consumer should consider both as the same mark." Id. (emphasis added); see also Data Concepts,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.245

150 F.3d at 623 (adopting the Van Dyne-Crotty test). This standard is considerably higher than
the standard for "likelihood of confusion,"

[32] The Federal Circuit, for example, concluded that priority in "CLOTHES THAT WORK.
FOR THE WORK YOU DO" could not be tacked onto "CLOTHES THAT WORK." See Van
Dyne-Crotty, 926 F.2d at 1160 (holding that the shorter phrase was not the legal equivalent of
the longer mark). The Sixth Circuit held that "DCI" and "dci" were too dissimilar to support
tacking. See Data Concepts, 150 F.3d at 623-24. And the Trademark Board has rejected tacking
in a case involving "American Mobilphone" with a star and stripe design and "American
Mobilphone Paging" with the identical design, see American Paging, Inc. v. American
Mobilphone, Inc., 13 U.S.P.Q.2d 2036 (T.T.A.B. 1989), aff'd, 17 U.S.P.Q.2d 1726 (Fed. Cir.

LA
1990), as well as in a case involving "PRO-CUTS" and "PRO-KUT," see Pro-Cuts v. Schilz-
Price Enters., 27 U.S.P.Q.2d 1224, 1227 (T.T.A.B. 1993)

IM
[33] [5] In contrast to cases such as Van Dyne-Crotty and American Paging, which were close
SH
questions, the present case is clear cut: "The Movie Buff's Movie Store" and "moviebuff.com"
are very different, in that the latter contains three fewer words, drops the possessive, omits a
space, and adds ".com" to the end. Because West Coast failed to make the slightest showing that
LU

consumers view these terms as identical, we must conclude that West Coast cannot tack its
priority in "The Movie Buff's Movie Store" onto "moviebuff.com." As the Federal Circuit
PN

explained, "it would be clearly contrary to well-established principles of trademark law to

sanction the tacking of a mark with a narrow commercial impression onto one with a broader
commercial impression." Van Dyne-Crotty, 926 F.2d at 1160 (noting that prior use of "SHAPE
H

UP" could not be tacked onto "EGO," that prior use of "ALTER EGO" could not be tacked onto
"EGO," and that prior use of "Marco Polo could not be tacked onto "Polo").

[34] [6] Since tacking does not apply, we must therefore conclude that Brookfield is the senior
user because it marketed "MovieBuff" products well before West Coast began using
"moviebuff.com" in commerce: West Coast's use of "The Movie Buff's Movie Store" is simply
irrelevant. Our priority determination is consistent with the decisions of our sister circuits in
Lone Star Steakhouse & Saloon, Inc. v. Longhorn Steaks, Inc., MANU/FEEE/0130/1997 : 106
F.3d 355, 362-63 (11th Cir. 1997), modified by, MANU/FEEE/0421/1997 : 122 F.3d 1379 (11th
Cir. 1997) (per curiam), and J. Wiss & Sons Co. v. W. E. Bassett Co., MANU/USFD/0282/1972

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.246

: 462 F.2d 567, 568-69 (C.C.P.A. 1972). Like the present case, J. Wiss & Sons is a three-
competing-trademark situation in which one company owned a single mark with a first use date
in between the first use dates of the two marks owned by the other company. In that case, the
intervening mark ("Trim") was found to be confusingly similar with the later mark ("Trim-
Line"), but not with the earlier mark ("Quick-Trim"); similarly here, the intervening mark
("MovieBuff") is purported to be confusingly similar with the later mark "moviebuff.com," see
infra Part V, but is not confusingly similar with the earlier used mark "The Movie Buff's Movie
Store," see infra pp. 3739. The Court of Customs and Patent Appeals (now the Court of Appeals
for the Federal Circuit) concluded that priority depended upon which of the two confusingly
similar marks was used first - disregarding the first use date of the earlier used mark since it was

LA
not confusingly similar with the others. It thus awarded priority to the holder of the intervening
mark, as we do similarly here.

IM
[35] Longhorn Steaks, involving the same basic three-competing-trademark situation, is
particularly instructive. The defendant owned the mark "Lone Star Steaks" with a first use date
SH
between the plaintiff's earlier used mark "Lone Star Cafe" and its later used mark "Lone Star
Steakhouse & Saloon." In its initial opinion, the Eleventh Circuit awarded priority to the holder
of "Lone Star Steaks" on the basis that "Lone Star Steaks" was used before "Lone Star
LU

Steakhouse & Saloon." See Longhorn Steaks, 106 F.3d at 362-63. The Eleventh Circuit,
however, later modified its opinion, stating that the conclusion reached in its initial opinion
PN

would be correct only if defendant's "Lone Star Steaks" was not confusingly similar to plaintiff's
earlier used mark, "Lone Star Cafe." See Longhorn Steaks, MANU/FEEE/0421/1997 : 122 F.3d
H

1379 (11th Cir. 1997).

[36] [7] West Coast makes a half-hearted claim that "MovieBuff" is confusingly similar to its
earlier used mark "The Movie Buff's Movie Store." If this were so, West Coast would
undoubtedly be the senior user. See id. "Of course, if the symbol or device is already in general
use, employed in such a manner that its adoption as an index of source or origin would only
produce confusion and mislead the public, it is not susceptible of adoption as a trademark."
Hanover Star Milling Co. v. Metcalf, MANU/USSC/0289/1916 : 240 U.S. 403, 415 (1916). West
Coast, however, essentially conceded that "MovieBuff" and "The Movie Buff's Movie Store" are
not confusingly similar when it stated in its pre-argument papers that it does not allege actual

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.247

confusion between "MovieBuff" and West Coast's federally registered mark. We cannot think of
more persuasive evidence that there is no likelihood of confusion between these two marks than
the fact that they have been simultaneously used for five years without causing any consumers to
be confused as to who makes what. See Libman Co. v. Vining Indus., Inc.,
MANU/FEVT/0626/1995 : 69 F.3d 1360, 1361 (7th Cir. 1995) ("Vining sold several hundred
thousand of the allegedly infringing brooms, yet there is no evidence that any consumer ever
made such an error; if confusion were likely, one would expect at least one person out of this
vast multitude to be confused. . . ."). The failure to prove instances of actual confusion is not
dispositive against a trademark plaintiff, because actual confusion is hard to prove; difficulties in
gathering evidence of actual confusion make its absence generally unnoteworthy. See Eclipse

LA
Assocs. Ltd. v. Data Gen. Corp., MANU/FENT/0344/1990 : 894 F.2d 1114, 1118-19 (9th Cir.
1990); Sleekcraft, 599 F.2d at 353. West Coast, however, did not state that it could not prove

IM
actual confusion; rather, it conceded that there has been none. This is a crucial difference.
Although there may be the rare case in which a likelihood of future confusion is possible even
SH
where it is conceded that two marks have been used simultaneously for years with no resulting
confusion, West Coast has not shown this to be such a case

[37] Our conclusion comports with the position of the PTO, which effectively announced its
LU

finding of no likelihood of confusion between "The Movie Buff's Movie Store" and "MovieBuff"
when it placed the latter on the principal register despite West Coast's prior registration of "The
PN

Movie Buff's Movie Store." Priority is accordingly to be determined on the basis of whether
Brookfield used "MovieBuff" or West Coast used "moviebuff.com" first.
H

[38] West Coast argues that we are mixing apples and oranges when we compare its first use
date of "moviebuff.com" with the first sale date of "MovieBuff" software. West Coast reminds
us that Brookfield uses the "MovieBuff" mark with both computer software and the provision of
an Internet database; according to West Coast, its use of "moviebuff.com" can cause confusion
only with respect to the latter. West Coast asserts that we should accordingly determine seniority
by comparing West Coast's first use date of "moviebuff.com" not with when Brookfield first sold
software, but with when it first offered its database online.

39] As an initial matter, we note that West Coast's argument is premised on the assumption that
its use of "moviebuff.com" does not cause confusion between its web site and Brookfield's

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.248

"MovieBuff" software products. Even though Brookfield's computer software and West Coast's
offerings on its web site are not identical products, likelihood of confusion can still result where,
for example, there is a likelihood of expansion in product lines. See Official Airline Guides, Inc.
v. Goss, MANU/FENT/0766/1993 : 6 F.3d 1385, 1394 (9th Cir. 1993). As the leading trademark
commentator explains: "When a senior user of a mark on product line A expands later into
product line B and finds an intervening user, priority in product line B is determined by whether
the expansion is `natural' in that customers would have been confused as to source or affiliation
at the time of the intervening user's appearance." 2 McCarthy § 16:5. We need not, however,
decide whether the Web was within Brookfield's natural zone of expansion, because we conclude
that Brookfield's use of "MovieBuff" as a service mark preceded West Coast's use.

LA
[40] [8] Brookfield first used "MovieBuff" on its Internet-based products and services in August
1997,[fn13] so West Coast can prevail only if it establishes first use earlier than that. In the

IM
literal sense of the word, West Coast "used" the term "moviebuff.com" when it registered that
domain address in February 1996. Registration with Network Solutions, however, does not in
SH
itself constitute "use" for purposes of acquiring trademark priority. See Panavision, 141 F.3d at
1324-25. The Lanham Act grants trademark protection only to marks that are used to identify
and to distinguish goods or services in commerce - which typically occurs when a mark is used
LU

in conjunction with the actual sale of goods or services. The purpose of a trademark is to help
consumers identify the source, but a mark cannot serve a source-identifying function if the public
PN

has never seen the mark and thus is not meritorious of trademark protection until it is used in
public in a manner that creates an association among consumers between the mark and the
H

mark's owner.

[41] Such use requirement is firmly established in the case law, see, e.g., Armstrong Paint &
Varnish Works v. Nu-Enamel Corp., MANU/USSC/0174/1938 : 305 U.S. 315, 334 (1938); New
West, 595 F.2d at 1198-99, and, moreover, is embodied in the Lanham Act itself. See 15 U.S.C.
§ 1127 ("The term `trademark' includes any word, name, symbol, or device, or any combination
thereof . . . used by a person . . . to identify and distinguish his or her goods.") (emphasis added);
id. ("The term `service mark' means any word, name, symbol, or device, or any combination
thereof . . . used by a person . . . to identify and distinguish the services of one person) (emphasis
added). In fact, Congress amended the Lanham Act in 1988 to strengthen this "use in commerce"

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.249

requirement, making clear that trademark rights can be conveyed only through "the bona fide use
of a mark in the ordinary course of trade, and not[use] made merely to reserve a mark." 15
U.S.C. § 1127. Congress provided more specifically:

For purposes of this chapter, a mark shall be deemed to be in use in commerce -

(1) on goods when -

(A) it is placed in any manner on the goods or their containers or the displays associated
therewith or on the tags or labels affixed thereto, or if the nature of the goods makes such
placement impracticable, then on documents associated with the goods or their sale, and

LA
(B) the goods are sold or transported in commerce, and

(2) on services when it is used or displayed in the sale or advertising of services and the services

IM
are rendered in commerce, or the services are rendered in more than one State or in the United
States and a foreign country and the person rendering the services is engaged in commerce in
SH
connection with the services.

[43] The district court, while recognizing that mere registration of a domain name was not
LU

sufficient to constitute commercial use for purposes of the Lanham Act, nevertheless held that
registration of a domain name with the intent to use it commercially was sufficient to convey
PN

trademark rights. This analysis, however, contradicts both the express statutory language and the
case law which firmly establishes that trademark rights are not conveyed through mere intent to
use a mark commercially, see, e.g., Allard Enters. v. Advanced Programming Resources, Inc.,
H

MANU/FEST/0233/1998 : 146 F.3d 350, 356 (6th Cir. 1998); Zazu Designs v. L'Oreal, S.A.,
MANU/FEVT/0171/1992 : 979 F.2d 499, 504 (7th Cir. 1992) ("[A]n intent to use a mark creates
no rights a competitor is bound to respect."), nor through mere preparation to use a term as a
trademark, see, e.g., Hydro-Dynamics, Inc. v. George Putnam & Co., MANU/USFD/0074/1987 :
811 F.2d 1470, 1473-74 (Fed. Cir. 1987); Computer Food Stores, Inc. v. Corner Store
Franchises, 176 U.S.P.Q. 535, 538 (T.T.A.B. 1973).

[44] [9] West Coast no longer disputes that its use - for purposes of the Lanham Act - of
"moviebuff.com" did not commence until after February 1996. It instead relies on the alternate
argument that its rights vested when it began using "moviebuff.com" in e-mail correspondence

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.250

with lawyers and customers sometime in mid-1996. West Coast's argument is not without
support in our case law - we have indeed held that trademark rights can vest even before any
goods or services are actually sold if "the totality of [one's] prior actions, taken together, [can]
establish a right to use the trademark." New West, 595 F.2d at 1200. Under New West, however,
West Coast must establish that its e-mail correspondence constituted " `[u]se in a way
sufficiently public to identify or distinguish the marked goods in an appropriate segment of the
public mind as those of the adopter of the mark.'" Id. (quoting New England Duplicating Co. v.
Mendes, MANU/FEFC/0020/1951 : 190 F.2d 415, 418 (1st Cir. 1951)); see also Marvel Comics
Ltd. v. Defiant, 837 F. Supp. 546, 550 (S.D.N.Y. 1993) ("[T]he talismanic test is whether or not
the use was sufficiently public to identify or distinguish the marked goods in an appropriate

LA
segment of the public mind as those of the adopter of the mark.") (quotation marks and citation
omitted).

IM
SH
[45] [10] West Coast fails to meet this standard. Its purported "use" is akin to putting one's mark
"on a business office door sign, letterheads, architectural drawings, etc." or on a prototype
displayed to a potential buyer, both of which have been held to be insufficient to establish
LU

trademark rights. See Steer Inn Sys., Inc. v. Laughner's Drive-In, Inc., MANU/USFD/0073/1969
: 405 F.2d 1401, 1402 (C.C.P.A. 1969); Walt Disney Prods. v. Kusan, Inc., 204 U.S.P.Q. 284,
PN

288 (C.D. Cal. 1979). Although widespread publicity of a company's mark, such as Marvel
Comics's announcement to 13 million comic book readers that "Plasma" would be the title of a
new comic book, see Marvel Comics, 837 F. Supp. at 550, or the mailing of 430,000 solicitation
H

letters with one's mark to potential subscribers of a magazine, see New West, 595 F.2d at 1200,
may be sufficient to create an association among the public between the mark and West Coast,
mere use in limited e-mail correspondence with lawyers and a few customers is not.

[46] [11] West Coast first announced its web site at "moviebuff.com" in a public and widespread
manner in a press release of November 11, 1998, and thus it is not until at least that date that it
first used the "moviebuff.com" mark for purposes of the Lanham Act.[fn14] Accordingly, West
Coast's argument that it has seniority because it used "moviebuff.com" before Brookfield used
"MovieBuff" as a service mark fails on its own terms. West Coast's first use date was neither
February 1996 when it registered its domain name with Network Solutions as the district court

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.251

had concluded, nor April 1996 when it first used "moviebuff.com" in e-mail communications,
but rather November 1998 when it first made a widespread and public announcement about the
imminent launch of its web site. Thus, West Coast's first use of "moviebuff.com" was preceded
by Brookfield's first use of "MovieBuff" in conjunction with its online database, making
Brookfield the senior user.

[47] For the foregoing reasons, we conclude that the district court erred in concluding that
Brookfield failed to establish a likelihood of success on its claim of being the senior user.

[48] [12] Establishing seniority, however, is only half the battle. Brookfield must also show that
the public is likely to be somehow confused about the source or sponsorship of West Coast's

LA
"moviebuff.com" web site - and somehow to associate that site with Brookfield. See 15 U.S.C. §
1114(1); 1125(a).[fn15] The Supreme Court has described "the basic objectives of trademark

IM
law" as follows: "trademark law, by preventing others from copying a source-identifying mark,
`reduce[s] the customer's costs of shopping and making purchasing decisions,' for it quickly and
SH
easily assures a potential customer that this item - the item with this mark - is made by the same
producer as other similarly marked items that he or she liked (or disliked) in the past. At the
same time, the law helps assure a producer that it (and not an imitating competitor) will reap the
LU

financial, reputation-related rewards associated with a desirable product." Qualitex, 514 U.S. at
163-64 (internal citations omitted). Where two companies each use a different mark and the
PN

simultaneous use of those marks does not cause the consuming public to be confused as to who
makes what, granting one company exclusive rights over both marks does nothing to further the
objectives of the trademark laws; in fact, prohibiting the use of a mark that the public has come
H

to associate with a company would actually contravene the intended purposes of the trademark
law by making it more difficult to identify and to distinguish between different brands of goods.

[49] [13] "The core element of trademark infringement is the likelihood of confusion, i.e.,
whether the similarity of the marks is likely to confuse customers about the source of the
products." Official Airline Guides, 6 F.3d at 1391 (quoting E. & J. Gallo Winery v. Gallo Cattle
Co., MANU/FENT/0449/1992 : 967 F.2d 1280, 1290 (9th Cir. 1992)) (quotation marks omitted);
accord International Jensen, Inc. v. Metrosound U.S.A., Inc., 4 F.3d 819, 825 (9th Cir. 1993);
Metro Publ'g, Ltd. v. San Jose Mercury News, MANU/FENT/0548/1993 : 987 F.2d 637, 640
(9th Cir. 1993). We look to the following factors for guidance in determining the likelihood of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.252

confusion: similarity of the conflicting designations; relatedness or proximity of the two
companies' products or services; strength of Brookfield's mark; marketing channels used; degree
of care likely to be exercised by purchasers in selecting goods; West Coast's intent in selecting
its mark; evidence of actual confusion; and likelihood of expansion in product lines. See Dr.
Seuss Enters. v. Penguin Books USA, Inc., MANU/FENT/0513/1997 : 109 F.3d 1394, 1404 (9th
Cir. 1997), petition for cert. dismissed by, 118 S.Ct. 27 (1997); Sleekcraft, 599 F.2d at 348-49;
see also Restatement (Third) of Unfair Competition §§ 20-23 (1995). These eight factors are
often referred to as the Sleekcraft factors.

[50] A word of caution: this eight-factor test for likelihood of confusion is pliant. Some factors
are much more important than others, and the relative importance of each individual factor will

LA
be case-specific. Although some factors - such as the similarity of the marks and whether the two
companies are direct competitors - will always be important, it is often possible to reach a

IM
conclusion with respect to likelihood of confusion after considering only a subset of the factors.
See Dreamwerks Prod. Group v. SKG Studio, MANU/FENT/0837/1997 : 142 F.3d 1127, 1130-
SH
32 (9th Cir. 1998). Moreover, the foregoing list does not purport to be exhaustive, and non-listed
variables may often be quite important. We must be acutely aware of excessive rigidity when
applying the law in the Internet context; emerging technologies require a flexible approach.
LU

[51] We begin by comparing the allegedly infringing mark to the federally registered
PN

mark.[fn16] The similarity of the marks will always be an important factor. Where the two marks
are entirely dissimilar, there is no likelihood of confusion. "Pepsi" does not infringe Coca-Cola's
"Coke." Nothing further need be said. Even where there is precise identity of a complainant's and
H

an alleged infringer's mark, there may be no consumer confusion - and thus no trademark
infringement - if the alleged infringer is in a different geographic area or in a wholly different
industry. See Weiner King, Inc. v. Wiener King Corp., MANU/USFD/0011/1980 : 615 F.2d 512,
515-16, 521-22 (C.C.P.A. 1980) (permitting concurrent use of "Weiner King" as a mark for
restaurants featuring hot dogs in New Jersey and "Wiener King" as a mark for restaurants in
North Carolina); Pinocchio's Pizza Inc. v. Sandra Inc., 11 U.S.P.Q.2d 1227, 1228 (T.T.A.B.
1989) (permitting concurrent use of "PINOCCHIO'S" as a service mark for restaurants in
Maryland and "PINOCCHIOS" as a service mark for restaurants elsewhere in the country).
Nevertheless, the more similar the marks in terms of appearance, sound, and meaning, the greater

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.253

the likelihood of confusion. See, e.g., Dreamwerks, 142 F.3d at 1131; Goss, 6 F.3d at 1392 ("The
court assesses the similarity of the marks in terms of their sight, sound, and meaning."). In
analyzing this factor, "[t]he marks must be considered in their entirety and as they appear in the
marketplace," Goss, 6 F.3d at 1392 (citing Nutri/System, Inc. v. Con-Stan Indus., Inc.,
MANU/FENT/0288/1987 : 809 F.2d 601, 605-06 (9th Cir. 1987)), with similarities weighed
more heavily than differences, see id. (citing Rodeo Collection Ltd. v. West Seventh,
MANU/FENT/0550/1987 : 812 F.2d 1215, 1219 (9th Cir. 1987)).

[52] [14] In the present case, the district court found West Coast's domain name
"moviebuff.com" to be quite different than Brookfield's domain name "moviebuffonline.com."
Comparison of domain names, however, is irrelevant as a matter of law, since the Lanham Act

LA
requires that the allegedly infringing mark be compared with the claimant's trademark, see 15
U.S.C. § 1114(1), 1125(a), which here is "MovieBuff," not "moviebuffonline.com." Properly

IM
framed, it is readily apparent that West Coast's allegedly infringing mark is essentially identical
to Brookfield's mark "MovieBuff." In terms of appearance, there are differences in capitalization
SH
and the addition of ".com" in West Coast's complete domain name, but these differences are
inconsequential in light of the fact that Web addresses are not capssensitive and that the ".com"
top-level domain signifies the site's commercial nature.
LU

[53] [15] Looks aren't everything, so we consider the similarity of sound and meaning. The two
PN

marks are pronounced the same way, except that one would say "dot com" at the end of West
Coast's mark. Because many companies use domain names comprised of ".com" as the top-level
domain with their corporate name or trademark as the second-level domain, see Beverly, 1998
H

WL 320829, at *1, the addition of ".com" is of diminished importance in distinguishing the

mark. The irrelevance of the ".com" becomes further apparent once we consider similarity in
meaning. The domain name is more than a mere address: like trademarks, second-level domain
names communicate information as to source. As we explained in Part II, many Web users are
likely to associate "moviebuff.com" with the trademark "MovieBuff," thinking that it is operated
by the company that makes "MovieBuff" products and services.[fn17] Courts, in fact, have
routinely concluded that marks were essentially identical in similar contexts. See, e.g., Public
Serv. Co. v. Nexus Energy Software, Inc., No. 98-12589, 1999 WL 98973, at *3 (D. Mass. Feb.
24, 1999) (finding "energyplace.com" and "Energy Place" to be virtually identical); Minnesota

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.254

Mining & Mfg. Co. v. Taylor, 21 F. Supp.2d 1003, 1005 (D. Minn. 1998) (finding "postit.com"
and "Post-It" to be the same); Interstellar Starship Servs. Ltd. v. Epix, Inc., 983 F. Supp. 1331,
1335 (D. Or. 1997) ("In the context of Internet use, [ `epix.com'] is the same mark as [
`EPIX']."); Planned Parenthood Federation of America, Inc. v. Bucci, No. 97-0629, 1997 WL
133313, at *8 (S.D.N.Y. Mar. 24, 1997) (concluding that "plannedparenthood.com" and
"Planned Parenthood" were essentially identical), aff'd by, 152 F.3d 920 (2d Cir. 1998), cert.
denied, 119 S.Ct. 90 (1998). As "MovieBuff" and "moviebuff.com" are, for all intents and
purposes, identical in terms of sight, sound, and meaning, we conclude that the similarity factor
weighs heavily in favor of Brookfield.

[54] [16] The similarity of marks alone, as we have explained, does not necessarily lead to

LA
consumer confusion. Accordingly, we must proceed to consider the relatedness of the products
and services offered. Related goods are generally more likely than unrelated goods to confuse the

IM
public as to the producers of the goods. See Official Airline Guides, 6 F.3d at 1392 (citing
Sleekcraft, 599 F.2d at 350). In light of the virtual identity of marks, if they were used with
SH
identical products or services likelihood of confusion would follow as a matter of course. See
Lindy Pen Co. v. Bic Pen Corp., MANU/FENT/0391/1986 : 796 F.2d 254, 256-57 (9th Cir.
1986) (reversing a district court's finding of no likelihood of confusion even though the six other
LU

likelihood of confusion factors all weighed against a finding of likelihood of confusion);

Interpace Corp. v. Lapp, Inc., MANU/FETC/0195/1983 : 721 F.2d 460, 462 (3d Cir. 1983). If,
PN

on the other hand, Brookfield and West Coast did not compete to any extent whatsoever, the
likelihood of confusion would probably be remote. A Web surfer who accessed "moviebuff.com"
H

and reached a web site advertising the services of Schlumberger Ltd. (a large oil drilling
company) would be unlikely to think that Brookfield had entered the oil drilling business or was
sponsoring the oil driller. See, e.g., Toys "R" Us, Inc. v. Feinberg, 26 F. Supp.2d 639, 643
(S.D.N.Y. 1998) (no likelihood of confusion between "gunsrus.com" firearms web site and
"Toys `R' Us" trademark); Interstellar Starship, 983 F. Supp. at 1336 (finding no likelihood of
confusion between use of "epix.com" to advertise the Rocky Horror Picture Show and "Epix"
trademark registered for use with computer circuit boards). At the least, Brookfield would bear
the heavy burden of demonstrating (through other relevant factors) that consumers were likely to
be confused as to source or affiliation in such a circumstance.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.255

[55] [17] The district court classified West Coast and Brookfield as non-competitors largely on
the basis that Brookfield is primarily an information provider while West Coast primarily rents
and sells videotapes. It noted that West Coast's web site is used more by the somewhat curious
video consumer who wants general movie information, while entertainment industry
professionals, aspiring entertainment executives and professionals, and highly focused
moviegoers are more likely to need or to want the more detailed information provided by
"MovieBuff." This analysis, however, overemphasizes differences in principal lines of business,
as we have previously instructed that "the relatedness of each company's prime directive isn't
relevant." Dreamwerks, 142 F.3d at 1131. Instead, the focus is on whether the consuming public
is likely somehow to associate West Coast's products with Brookfield. See id. Here, both

LA
companies offer products and services relating to the entertainment industry generally, and their
principal lines of business both relate to movies specifically and are not as different as guns and

IM
toys, see Toys "R" Us, 26 F. Supp.2d at 643, or computer circuit boards and the Rocky Horror
Picture Show, see Interstellar Starship, 983 F. Supp. at 1336. Thus, Brookfield and West Coast
SH
are not properly characterized as non-competitors. See American Int'l Group, Inc. v. American
Int'l Bank, MANU/FENT/0345/1991 : 926 F.2d 829, 832 (9th Cir. 1991) (concluding that
although the parties were not direct competitors, they both provided financial services and that
LU

customer confusion could result in light of the similarities between the companies' services).

[56] [18] Not only are they not non-competitors, the competitive proximity of their products is
PN

actually quite high. Just as Brookfield's "MovieBuff" is a searchable database with detailed
information on films, West Coast's web site features a similar searchable database, which
H

Brookfield points out is licensed from a direct competitor of Brookfield. Undeniably then, the
products are used for similar purposes." [T]he rights of the owner of a registered trademark . . .
extend to any goods related in the minds of consumers," E. Remy Martin & Co. v. Shaw-Ross
Int'l Imports, Inc., MANU/FEEE/0486/1985 : 756 F.2d 1525, 1530 (11th Cir. 1985), and
Brookfield's and West Coast's products are certainly so related to some extent. The relatedness is
further evidenced by the fact that the two companies compete for the patronage of an
overlapping audience. The use of similar marks to offer similar products accordingly weighs
heavily in favor of likelihood of confusion. See Sleekcraft, 599 F.2d at 348 (concluding that
high-speed waterskiing racing boats are sufficiently related to family-oriented recreational boats
that the public is likely to be confused as to the source of the boats); Fleischmann Distilling

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.256

Corp. v. Maier Brewing Co., MANU/FENT/0248/1963 : 314 F.2d 149, 153-55 (9th Cir. 1963)
(concluding that beer and whiskey are sufficiently similar to create a likelihood of confusion
regarding the source of origin when sold under the same trade name); see also Champions Golf
Club, Inc. v. Champions Golf Club, Inc., MANU/FEST/0257/1996 : 78 F.3d 1111, 1118 (6th
Cir. 1996).

[57] [19] In addition to the relatedness of products, West Coast and Brookfield both utilize the
Web as a marketing and advertising facility, a factor that courts have consistently recognized as
exacerbating the likelihood of confusion. See, e.g., Public Serv. Co., 1999 WL 98973, at *3;
Washington Speakers Bureau, Inc. v. Leading Auths., Inc., No. 98-634, 1999 WL 51869, at *9
(E.D. Va. Feb. 2, 1999); Jews for Jesus v. Brodsky, 993 F. Supp. 282, 304-05 (D.N.J. 1998),

LA
aff'd, 159 F.3d 1351 (3d Cir. 1998); Interstellar Starship Servs., 983 F. Supp. at 1336; Planned
Parenthood Fed'n of America, 1997 WL 133313, at *8. Both companies, apparently recognizing

IM
the rapidly growing importance of Web commerce, are maneuvering to attract customers via the
Web. Not only do they compete for the patronage of an overlapping audience on the Web, both
SH
"MovieBuff" and "moviebuff.com" are utilized in conjunction with Web-based products.

[58] [20] Given the virtual identity of "moviebuff.com" and "MovieBuff," the relatedness of the
LU

products and services accompanied by those marks, and the companies' simultaneous use of the
Web as a marketing and advertising tool, many forms of consumer confusion are likely to result.
PN

People surfing the Web for information on "MovieBuff" may confuse "MovieBuff" with the
searchable entertainment database at "moviebuff.com" and simply assume that they have reached
Brookfield's web site. See, e.g., Cardservice Int'l, 950 F. Supp. at 741. In the Internet context, in
H

particular, entering a web site takes little effort - usually one click from a linked site or a search
engine's list; thus, Web surfers are more likely to be confused as to the ownership of a web site
than traditional patrons of a brick-and-mortar store would be of a store's ownership.
Alternatively, they may incorrectly believe that West Coast licensed "MovieBuff" from
Brookfield, see, e.g., Indianapolis Colts, Inc. v. Metropolitan Baltimore Football Club Ltd.,
MANU/FEVT/0131/1994 : 34 F.3d 410, 415-16 (7th Cir. 1994), or that Brookfield otherwise
sponsored West Coast's database, see E. Remy Martin, 756 F.2d at 1530; Fuji Photo Film Co. v.
Shinohara Shoji Kabushiki Kaisha, MANU/FEFT/0027/1985 : 754 F.2d 591, 596 (5th Cir.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.257

1985). Other consumers may simply believe that West Coast bought out Brookfield or that they
are related companies.

[59] Yet other forms of confusion are likely to ensue. Consumers may wrongly assume that the
"MovieBuff" database they were searching for is no longer offered, having been replaced by
West Coast's entertainment database, and thus simply use the services at West Coast's web site.
See, e.g., Cardservice Int'l, 950 F. Supp. at 741. And even where people realize, immediately
upon accessing "moviebuff.com," that they have reached a site operated by West Coast and
wholly unrelated to Brookfield, West Coast will still have gained a customer by appropriating
the goodwill that Brookfield has developed in its "MovieBuff" mark. A consumer who was
originally looking for Brookfield's products or services may be perfectly content with West

LA
Coast's database (especially as it is offered free of charge); but he reached West Coast's site
because of its use of Brookfield's mark as its second-level domain name, which is a

IM
misappropriation of Brookfield's goodwill by West Coast. See infra Part V.B.
SH
[60] The district court apparently assumed that likelihood of confusion exists only when
consumers are confused as to the source of a product they actually purchase. It is, however, well
established that the Lanham Act protects against the many other forms of confusion that we have
LU

outlined. See Pebble Beach, 155 F.3d at 544; Indianapolis Colts, 34 F.3d at 415-16; Fuji Photo
Film, 754 F.2d at 596; HMH Publ'g Co. v. Brincat, 504 F.2d 713, 716-17 & n. 7 (9th Cir. 1974);
PN

Fleischmann Distilling, 314 F.2d at 155.

[61] The factors that we have considered so far - the similarity of marks, the relatedness of
H

product offerings, and the overlap in marketing and advertising channels - lead us to the tentative
conclusion that Brookfield has made a strong showing of likelihood of confusion. Because it is
possible that the remaining factors will tip the scale back the other way if they weigh strongly
enough in West Coast's favor, we consider the remaining likelihood of confusion factors,
beginning with the strength of Brookfield's mark. The stronger a mark - meaning the more likely
it is to be remembered and associated in the public mind with the mark's owner - the greater the
protection it is accorded by the trademark laws. See Kenner Parker Toys Inc. v. Rose Art Indus.,
Inc., MANU/USFD/0009/1992 : 963 F.2d 350, 353 (Fed. Cir. 1992); Nutri/System, 809 F.2d at
605. Marks can be conceptually classified along a spectrum of generally increasing inherent
distinctiveness as generic, descriptive, suggestive, arbitrary, or fanciful.[fn19] See Two Pesos,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.258

505 U.S. at 768. West Coast asserts that Brookfield's mark is "not terribly distinctive," by which
it apparently means suggestive, but only weakly so. Although Brookfield does not seriously
dispute that its mark is only suggestive, it does defend its (mark's) muscularity.

[62] [21] We have recognized that, unlike arbitrary or fanciful marks which are typically strong,
suggestive marks are presumptively weak. See, e.g., Nutri/Systems, 809 F.2d at 605. As the
district court recognized, placement within the conceptual distinctiveness spectrum is not the
only determinant of a mark's strength, as advertising expenditures can transform a suggestive
mark into a strong mark, see id., where, for example, that mark has achieved actual marketplace
recognition, see Streetwise Maps, Inc. v. Vandam, Inc., MANU/FESC/0318/1998 : 159 F.3d
739, 743-44 (2d Cir. 1998). Brookfield, however, has not come forth with substantial evidence

LA
establishing the widespread recognition of its mark; although it argues that its strength is
established from its use of "MovieBuff" for over five years, its federal and California state

IM
registrations, and its expenditure of $100,000 in advertising its mark, the district court did not
clearly err in classifying "MovieBuff" as weak. Some weak marks are weaker than others, and
SH
although "MovieBuff" falls within the weak side of the strength spectrum, the mark is not so
flabby as to compel a finding of no likelihood of confusion in light of the other factors that we
have considered. Importantly, Brookfield's trademark is not descriptive because it does not
LU

describe either the software product or its purpose. Instead, it is suggestive - and thus strong
enough to warrant trademark protection - because it requires a mental leap from the mark to the
PN

product. See Self-Realization Fellowship Church v. Anada Church of Self-Realization,

MANU/FENT/0414/1995 : 59 F.3d 902, 910-11 (9th Cir. 1995). Because the products involved
H

are closely related and West Coast's domain name is nearly identical to Brookfield's trademark,
the strength of the mark is of diminished importance in the likelihood of confusion analysis. See
McCarthy P 11:76 ("Whether a mark is weak or not is of little importance where the conflicting
mark is identical and the goods are closely related.").

[63] We thus turn to intent. "The law has long been established that if an infringer `adopts his
designation with the intent of deriving benefit from the reputation of the trade-mark or trade
name, its intent may be sufficient to justify the inference that there are confusing similarities.'"
Pacific Telesis v. International Telesis Comms., MANU/FENT/0590/1993 : 994 F.2d 1364, 1369
(9th Cir. 1993) (quoting Restatement of Torts, § 729, Comment on Clause (b)f (1938)). An

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.259

inference of confusion has similarly been deemed appropriate where a mark is adopted with the
intent to deceive the public. See Gallo, 967 F.2d at 1293 (citing Sleekcraft, 599 F.2d at 354). The
district court found that the intent factor favored West Coast because it did not adopt the
"moviebuff.com" mark with the specific purpose of infringing Brookfield's trademark. The intent
prong, however, is not so narrowly confined.

[64] [22] This factor favors the plaintiff where the alleged infringer adopted his mark with
knowledge, actual or constructive, that it was another's trademark. See Official Airline Guides, 6
F.3d at 1394 ("When an alleged infringer knowingly adopts a mark similar to another's, courts
will presume an intent to deceive the public."); Fleischmann Distilling,
MANU/FENT/0248/1963 : 314 F.2d 149 at 157. In the Internet context, in particular, courts have

LA
appropriately recognized that the intentional registration of a domain name knowing that the
second-level domain is another company's valuable trademark weighs in favor of likelihood of

IM
confusion. See, e.g., Washington Speakers, 1999 WL 51869, at *10. There is, however, no
evidence in the record that West Coast registered "moviebuff.com" with the principal intent of
SH
confusing consumers.[fn20] Brookfield correctly points out that, by the time West Coast
launched its web site, it did know of Brookfield's claim to rights in the trademark "MovieBuff."
But when it registered the domain name with Network Solutions, West Coast did not know of
LU

Brookfield's rights in "MovieBuff" (at least Brookfield has not established that it did). Although
Brookfield asserts that West Coast could easily have launched its web site at its alternate domain
PN

address, "westcoastvideo.com," thereby avoiding the infringement problem, West Coast claims
that it had already invested considerable sums in developing its "moviebuff.com" web site by the
H

time that Brookfield informed it of its rights in the trademark. Considered as a whole, this factor
appears indeterminate.

[65] [23] Importantly, an intent to confuse consumers is not required for a finding of trademark
infringement. See Dreamwerks, 142 F.3d at 1132 n. 12 ("Absence of malice is no defense to
trademark infringement"); Daddy's Junky Music Stores, 109 F.3d at 287 ("As noted, the presence
of intent can constitute strong evidence of confusion. The converse of this proposition, however,
is not true: the lack of intent by a defendant is largely irrelevant in determining if consumers
likely will be confused as to source.") (internal quotation marks and citations omitted);
Fleischmann Distilling, 314 F.2d at 157. Instead, this factor is only relevant to the extent that it

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.260

bears upon the likelihood that consumers will be confused by the alleged infringer's mark (or to
the extent that a court wishes to consider it as an equitable consideration). See Sleekcraft Boats,
599 F.2d at 348 n. 10. Here, West Coast's intent does not appear to bear upon the likelihood of
confusion because it did not act with such an intent from which it is appropriate to infer
consumer confusion.

[66] [24] The final three Sleekcraft factors - evidence of actual confusion, likelihood of
expansion in product lines, and purchaser care - do not affect our ultimate conclusion regarding
the likelihood of confusion. The first two factors do not merit extensive comment. Actual

LA
confusion is not relevant because Brookfield filed suit before West Coast began actively using
the "moviebuff.com" mark and thus never had the opportunity to collect information on actual

IM
confusion. The likelihood of expansion in product lines factor is relatively unimportant where
two companies already compete to a significant extent. See Official Airline Guides, 6 F.3d at
SH
1394. In any case, it is neither exceedingly likely nor unlikely that West Coast will enter more
directly into Brookfield's principal market, or vice versa.

[67] Although the district court did not discuss the degree of care likely to be exercised by
LU

purchasers of the products in question, we think that this issue deserves some consideration.
Likelihood of confusion is determined on the basis of a "reasonably prudent consumer."
PN

Dreamwerks, 142 F.3d at 1129; Sleekcraft, 599 F.2d at 353. What is expected of this reasonably
prudent consumer depends on the circumstances. We expect him to be more discerning - and less
H

easily confused - when he is purchasing expensive items, see, e.g., Official Airline Guides, 6
F.3d at 1393 (noting that confusion was unlikely among advertisers when the products in
question cost from $2,400 to $16,000), and when the products being sold are marketed primarily
to expert buyers, see, e.g., Accuride Int'l, Inc. v. Accuride Corp., MANU/FENT/0038/1989 : 871
F.2d 1531, 1537 (9th Cir. 1989). We recognize, however, that confusion may often be likely
even in the case of expensive goods sold to discerning customers. See Sleekcraft, 599 F.3d at
353; see also, e.g., Daddy's Junky Music Stores, 109 F.3d at 286; Banff, Ltd. v. Federated Dep't
Stores, Inc., 841 F.2d 486, 492 (2d Cir. 1988). On the other hand, when dealing with inexpensive
products, customers are likely to exercise less care, thus making confusion more likely. See, e.g.,
Gallo, 967 F.2d at 1293 (wine and cheese).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.261

[68] [25] The complexity in this case arises because we must consider both entertainment
professionals, who probably will take the time and effort to find the specific product they want,
and movie devotees, who will be more easily confused as to the source of the database offered at
West Coast's web site. In addition, West Coast's site is likely to be visited by many casual movie
watchers. The entertainment professional, movie devotee, and casual watcher are likely to
exercise high, little, and very little care, respectively. Who is the reasonably prudent consumer?
Although we have not addressed the issue of purchaser care in mixed buyer classes, another
circuit has held that "the standard of care to be exercised by the reasonably prudent purchaser
will be equal to that of the least sophisticated consumer." Ford Motor Co. v. Summit Motor
Prods., Inc., MANU/FETC/0212/1991 : 930 F.2d 277, 283 (3d Cir. 1991); see also Omega

LA
Importing Corp. v. Petri-Kine Camera Co., 451 F.2d 1190, 1200 (2d Cir. 1971) (instructing that,
where a product is targeted both to discriminating and casual buyers, a court must consider the

IM
likelihood of confusion on the part of the relatively unknowledgeable buyers as well as of the
former group); 3 McCarthy § 23:100 (advocating this approach). This is not the only approach
SH
available to us, as we could alternatively use a weighted average of the different levels of
purchaser care in determining how the reasonably prudent consumer would act. We need not,
however, decide this question now because the purchaser confusion factor, even considered in
LU

the light most favorable to West Coast, is not sufficient to overcome the likelihood of confusion
strongly established by the other factors we have analyzed.
PN

[69] [26] West Coast makes one last ditch argument - that, even if there is a likelihood of
confusion, Brookfield should be estopped from asserting its trademark rights because it waited
H

too long to file suit. Although we have applied laches to bar trademark infringement claims, we
have done so only where the trademark holder knowingly allowed the infringing mark to be used
without objection for a lengthy period of time. See E-Systems, Inc. v. Monitek, Inc.,
MANU/FENT/0210/1983 : 720 F.2d 604, 607 (9th Cir. 1983). In E-Systems, for example, we
estopped a claimant who did not file suit until after the allegedly infringing mark had been used
for eight years where the claimant had known of the infringing use for at least six years. See id.;
see also Carter-Wallace, Inc. v. Procter & Gamble Co., MANU/FENT/0657/1970 : 434 F.2d 794,
803 (9th Cir. 1970). We specifically cautioned, however, that "had defendant's encroachment
been minimal, or its growth slow and steady, there would be no laches." ESystems, 720 F.2d at
607; accord Carter-Wallace, 434 F.2d at 803 n. 4. Here, although Brookfield waited over two

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.262

years before notifying West Coast that its intended use of "moviebuff.com" would infringe on
Brookfield's trademark, West Coast did not do anything with its domain address during that time,
and Brookfield filed suit the very day that West Coast publicly announced its intention to launch
a web site at "moviebuff.com." Accordingly, we conclude that Brookfield's delay was not such
that it should be estopped from pursuing an otherwise meritorious claim. See generally American
Int'l Group, 926 F.2d at 831 (outlining six-factor test for determining whether laches operates to
bar a claim of trademark infringement).[fn21]

[70] [27] In light of the foregoing analysis, we conclude that Brookfield has demonstrated a
likelihood of success on its claim that West Coast's use of "moviebuff.com" violates the Lanham
Act. We are fully aware that although the question of "[w]hether confusion is likely is a factual

LA
determination woven into the law," we nevertheless must review only for clear error the district
court's conclusion that the evidence of likelihood of confusion in this case was slim. See Levi

IM
Strauss & Co. v. Blue Bell, Inc., MANU/FENT/0217/1985 : 778 F.2d 1352, 1356 (9th Cir. 1985)
(en banc). Here, however, we are "left with the definite and firm conviction that a mistake has
SH
been made." Pacific Telesis Group v. International Telesis Comms., MANU/FENT/0590/1993 :
994 F.2d 1364, 1367 (9th Cir. 1993).
LU

[71] So far we have considered only West Coast's use of the domain name "moviebuff.com."
Because Brookfield requested that we also preliminarily enjoin West Coast from using marks
PN

confusingly similar to "MovieBuff" in metatags and buried code, we must also decide whether
West Coast can, consistently with the trademark and unfair competition laws, use "MovieBuff"
or "moviebuff.com" in its HTML code.
H

[72] [28] At first glance, our resolution of the infringement issues in the domain name context
would appear to dictate a similar conclusion of likelihood of confusion with respect to West
Coast's use of "moviebuff.com" in its metatags. Indeed, all eight likelihood of confusion factors
outlined in Part V-A - with the possible exception of purchaser care, which we discuss below -
apply here as they did in our analysis of domain names; we are, after all, dealing with the same
marks, the same products and services, the same consumers, etc. Disposing of the issue so
readily, however, would ignore the fact that the likelihood of confusion in the domain name
context resulted largely from the associational confusion between West Coast's domain name
"moviebuff.com" and Brookfield's trademark "MovieBuff." The question in the metatags context

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.263

is quite different. Here, we must determine whether West Coast can use "MovieBuff" or
"moviebuff.com" in the metatags of its web site at "westcoastvideo.com" or at any other domain
address other than "moviebuff.com" (which we have determined that West Coast may not use).

[73] Although entering "MovieBuff" into a search engine is likely to bring up a list including
"westcoastvideo.com" if West Coast has included that term in its metatags, the resulting
confusion is not as great as where West Coast uses the "moviebuff.com" domain name. First,
when the user inputs "MovieBuff" into an Internet search engine, the list produced by the search
engine is likely to include both West Coast's and Brookfield's web sites. Thus, in scanning such
list, the Web user will often be able to find the particular web site he is seeking. Moreover, even
if the Web user chooses the web site belonging to West Coast, he will see that the domain name

LA
of the web site he selected is "westcoastvideo.com." Since there is no confusion resulting from
the domain address, and since West Coast's initial web page prominently displays its own name,

IM
it is difficult to say that a consumer is likely to be confused about whose site he has reached or to
think that Brookfield somehow sponsors West Coast's web site.
SH
[74] [29] Nevertheless, West Coast's use of "moviebuff.com" in metatags will still result in what
is known as initial interest confusion. Web surfers looking for Brookfield's "MovieBuff"
LU

products who are taken by a search engine to "westcoastvideo.com" will find a database similar
enough to "MovieBuff" such that a sizeable number of consumers who were originally looking
PN

for Brookfield's product will simply decide to utilize West Coast's offerings instead. Although
there is no source confusion in the sense that consumers know they are patronizing West Coast
rather than Brookfield, there is nevertheless initial interest confusion in the sense that, by using
H

"moviebuff.com" or "MovieBuff" to divert people looking for "MovieBuff" to its web site, West
Coast improperly benefits from the goodwill that Brookfield developed in its mark. Recently in
Dr. Seuss, we explicitly recognized that the use of another's trademark in a manner calculated "to
capture initial consumer attention, even though no actual sale is finally completed as a result of
the confusion, may be still an infringement." Dr. Seuss, 109 F.3d at 1405 (citing Mobil Oil Corp.
v. Pegasus Petroleum Corp., 818 F.2d 254, 257-58 (2d Cir. 1987)).[fn24]

[75] The Dr. Seuss court, in recognizing that the diversion of consumers' initial interest is a form
of confusion against which the Lanham Act protects, relied upon Mobil Oil. In that case, Mobil
Oil Corporation ("Mobil") asserted a federal trademark infringement claim against Pegasus

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.264

Petroleum, alleging that Pegasus Petroleum's use of "Pegasus" was likely to cause confusion with
Mobil's trademark, a flying horse symbol in the form of the Greek mythological Pegasus. Mobil
established that "potential purchasers would be misled into an initial interest in Pegasus
Petroleum" because they thought that Pegasus Petroleum was associated with Mobil. Id. at 260.
But these potential customers would generally learn that Pegasus Petroleum was unrelated to
Mobil well before any actual sale was consummated. See id. Nevertheless, the Second Circuit
held that "[s]uch initial confusion works a sufficient trademark injury." Id.

[76] Mobil Oil relied upon its earlier opinion in Grotrian, Helfferich, Schulz, Th. Steinweg
Nachf. v. Steinway & Sons, 523 F.2d 1331, 1341-42 (2d Cir. 1975). Analyzing the plaintiff's
claim that the defendant, through its use of the "Grotrian-Steinweg" mark, attracted people really

LA
interested in plaintiff's "Steinway" pianos, the Second Circuit explained:

IM
We decline to hold, however, that actual or potential confusion at the time of purchase
necessarily must be demonstrated to establish trademark infringement under the circumstances of
SH
this case.

The issue here is not the possibility that a purchaser would buy a Grotrian-Steinweg thinking it
was actually a Steinway or that Grotrian had some connection with Steinway and Sons. The
LU

harm to Steinway, rather, is the likelihood that a consumer, hearing the "Grotrian-Steinweg"
name and thinking it had some connection with "Steinway," would consider it on that basis. The
PN

"Grotrian-Steinweg" name therefore would attract potential customers based on the reputation
built up by Steinway in this country for many years.
H

[78] Both Dr. Seuss and the Second Circuit hold that initial interest confusion is actionable
under the Lanham Act, which holdings are bolstered by the decisions of many other courts which
have similarly recognized that the federal trademark and unfair competition laws do protect
against this form of consumer confusion. See Green Prods., 992 F. Supp. 1070, 1076 (N.D. Iowa
1997) ("In essence, ICBP is capitalizing on the strong similarity between Green Products'
trademark and ICBP's domain name to lure customers onto its web page."); Securacomm
Consulting, Inc. v. Securacomm Inc., 984 F. Supp. 286, 298 (D.N.J. 1997) (" `Infringement can
be based upon confusion that creates initial customer interest, even though no actual sale is
finally completed as a result of the confusion.' ") (citing 3 McCarthy § 23:6), rev'd on other

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.265

grounds, MANU/FETC/0098/1999 : 166 F.3d 182, 186 (3d Cir. 1999) ("In this appeal,
[appellant] does not challenge the district court's finding of infringement or order of injunctive
relief."); Kompan A.S. v. Park Structures, Inc., 890 F. Supp. 1167, 1180 (N.D.N.Y. 1995)
("Kompan argues correctly that it can prevail by showing that confusion between the Kompan
and Karavan lines and names will mistakenly lead the consumer to believe there is some
connection between the two and therefore develop an interest in the Karavan line that it would
not otherwise have had."); Blockbuster Entertainment Group v. Laylco, Inc., 869 F. Supp. 505,
513 (E.D. Mich. 1994) ("Because the names are so similar and the products sold are identical,
some unwitting customers might enter a Video Busters store thinking it is somehow connected to
Blockbuster. Those customers probably will realize shortly that Video Busters is not related to

LA
Blockbuster, but under [Ferraria S.P.A. Esercizio v. Roberts, MANU/FEST/0444/1991 : 944
F.2d 1235 (6th Cir. 1991)] and Grotrian that is irrelevant."); Jordache Enters., Inc. v. Levi

IM
Strauss & Co., 841 F. Supp. 506, 514-15 (S.D.N.Y. 1993) ("Types of confusion that constitute
trademark infringement include where . . . potential consumers initially are attracted to the junior
SH
user's mark by virtue of its similarity to the senior user's mark, even though these consumers are
not actually confused at the time of purchase."); Sara Lee Corp. v. Kayser-Roth Corp., No. 92-
00460, 1992 WL 436279, at (W.D.N.C. Dec. 1, 1992) ("That situation offers an opportunity for
LU

sale not otherwise available by enabling defendant to interest prospective customers by

confusion with the plaintiff's product."); Television Enter. Network, Inc. v. Entertainment
PN

Network, Inc., 630 F. Supp. 244, 247 (D.N.J. 1986) ("Even if the confusion is cured at some
intermediate point before the deal is completed, the initial confusion may be damaging and
wrongful."); Koppers Co. v. Krupp-Koppers GmbH, 517 F. Supp. 836, 844 (W.D. Pa. 1981)
H

("[S]ecuring the initial business contact by the defendant because of an assumed association
between the parties is wrongful even though the mistake is later rectified."). See also Forum
Corp. of North America v. Forum, Ltd., MANU/FEVT/0526/1990 : 903 F.2d 434, 442 n. 2 (7th
Cir. 1990) ("We point out that the fact that confusion as to the source of a product or service is
eventually dispelled does not eliminate the trademark infringement which has already
occurred."). But see Astra Pharm. Prods., Inc. v. Beckman Instruments, Inc.,
MANU/FEFC/0058/1983 : 718 F.2d 1201, 1206-08 (1st Cir. 1983) (suggesting that only
confusion that affects "the ultimate decision of a purchaser whether to buy a particular product"
is actionable); Teletech Customer Care Mgmt. (Cal.), Inc. v. Tele-Tech Co., 977 F. Supp. 1407,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.266

1410, 1414 (C.D. Cal. 1997) (finding likelihood of initial interest confusion but concluding that
such "brief confusion is not cognizable under the trademark laws").

[79] Using another's trademark in one's metatags is much like posting a sign with another's
trademark in front of one's store. Suppose West Coast's competitor (let's call it "Blockbuster")
puts up a billboard on a highway reading - "West Coast Video: 2 miles ahead at Exit 7" - where
West Coast is really located at Exit 8 but Blockbuster is located at Exit 7. Customers looking for
West Coast's store will pull off at Exit 7 and drive around looking for it. Unable to locate West
Coast, but seeing the Blockbuster store right by the highway entrance, they may simply rent
there. Even consumers who prefer West Coast may find it not worth the trouble to continue
searching for West Coast since there is a Blockbuster right there. Customers are not confused in

LA
the narrow sense: they are fully aware that they are purchasing from Blockbuster and they have
no reason to believe that Blockbuster is related to, or in any way sponsored by, West Coast.

IM
Nevertheless, the fact that there is only initial consumer confusion does not alter the fact that
Blockbuster would be misappropriating West Coast's acquired goodwill. See Blockbuster, 869 F.
SH
Supp. at 513 (finding trademark infringement where the defendant, a video rental store, attracted
customers' initial interest by using a sign confusingly to its competitor's even though confusion
would end long before the point of sale or rental); see also Dr. Seuss, 109 F.3d at 1405; Mobil
LU

Oil, 818 F.2d at 260; Green Prods., 992 F. Supp. at 1076.

PN

[80] The few courts to consider whether the use of another's trademark in one's metatags
constitutes trademark infringement have ruled in the affirmative. For example, in a case in which
Playboy Enterprises, Inc. ("Playboy") sued AsiaFocus International, Inc. ("AsiaFocus") for
H

trademark infringement resulting from AsiaFocus's use of the federally registered trademarks
"Playboy" and "Playmate" in its HTML code, a district court granted judgment in Playboy's
favor, reasoning that AsiaFocus intentionally misled viewers into believing that its Web site was
connected with, or sponsored by, Playboy. See Playboy Enters. v. AsiaFocus Int'l, Inc., No. 97-
734, 1998 WL 724000,

[81] In a similar case also involving Playboy, a district court in California concluded that
Playboy had established a likelihood of success on the merits of its claim that defendants'
repeated use of "Playboy" within "machine readable code in Defendants' Internet Web pages, so
that the PLAYBOY trademark [was] accessible to individuals or Internet search engines which

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.267

attempt[ed] to access Plaintiff under Plaintiff's PLAYBOY registered trademark" constituted
trademark infringement. See Playboy Enters. v. Calvin Designer Label, 985 F. Supp. 1220, 1221
(N.D. Cal. 1997). The court accordingly enjoined the defendants from using Playboy's marks in
buried code or metatags.

[82] In a metatags case with an interesting twist, a district court in Massachusetts also enjoined
the use of metatags in a manner that resulted in initial interest confusion. See Niton, 27 F.
Supp.2d at 102-05. In that case, the defendant Radiation Monitoring Devices ("RMD") did not
simply use Niton Corporation's ("Niton") trademark in its metatags. Instead, RMD's web site
directly copied Niton's web site's metatags and HTML code. As a result, whenever a search
performed on an Internet search engine listed Niton's web site, it also listed RMD's site.

LA
Although the opinion did not speak in terms of initial consumer confusion, the court made clear
that its issuance of preliminary injunctive relief was based on the fact that RMD was

IM
purposefully diverting people looking for Niton to its web site.
SH
[83] [30] Consistently with Dr. Seuss, the Second Circuit, and the cases which have addressed
trademark infringement through metatags use, we conclude that the Lanham Act bars West Coast
from including in its metatags any term confusingly similar with Brookfield's mark. West Coast
LU

argues that our holding conflicts with Holiday Inns, in which the Sixth Circuit held that there
was no trademark infringement where an alleged infringer merely took advantage of a situation
PN

in which confusion was likely to exist and did not affirmatively act to create consumer
confusion. See Holiday Inns, 86 F.3d at 622 (holding that the use of "1-800-405-4329" - which is
equivalent to "1-800-H[zero]LIDAY" - did not infringe Holiday Inn's trademark, "1-800-
H

HOLIDAY"). Unlike the defendant in Holiday Inns, however, West Coast was not a passive
figure; instead, it acted affirmatively in placing Brookfield's trademark in the metatags of its web
site, thereby creating the initial interest confusion. Accordingly, our conclusion comports with
Holiday Inns.

[84] [31] Contrary to West Coast's contentions, we are not in any way restricting West Coast's
right to use terms in a manner which would constitute fair use under the Lanham Act. See New
Kids on the Block v. News Amer. Publ'g, Inc., MANU/FENT/0347/1992 : 971 F.2d 302, 306-09

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.268

(9th Cir. 1992); see also August Storck K.G. v. Nabisco, Inc., MANU/FEVT/0456/1995 : 59
F.3d 616, 617-18 (7th Cir. 1995). It is well established that the Lanham Act does not prevent one
from using a competitor's mark truthfully to identify the competitor's goods, see, e.g., Smith v.
Chanel, Inc., MANU/FENT/0367/1968 : 402 F.2d 562, 563 (9th Cir. 1968) (stating that a copyist
may use the originator's mark to identify the product that it has copied), or in comparative
advertisements, see New Kids on the Block, 971 F.2d at 306-09. This fair use doctrine applies in
cyberspace as it does in the real world. See Radio Channel Networks, Inc. v. Broadcast.Com,
Inc., No. 98-4799, 1999 WL 124455, at *5-*6 (S.D.N.Y. Mar. 8, 1999); Bally Total Fitness
Holding Corp. v. Faber, 29 F. Supp.2d 1161 (C.D. Cal. 1998); Welles, 7 F. Supp.2d at 1103-04;
Patmont Motor Werks, Inc. v. Gateway Marine, Inc., No. 96-2703, 1997 WL 811770,

LA
[85] In Welles, the case most on point, Playboy sought to enjoin former Playmate of the Year
Terri Welles ("Welles") from using "Playmate" or "Playboy" on her web site featuring

IM
photographs of herself. See 7 F. Supp.2d at 1100. Welles's web site advertised the fact that she
was a former Playmate of the Year, but minimized the use of Playboy's marks; it also contained
SH
numerous disclaimers stating that her site was neither endorsed by nor affiliated with Playboy.
The district court found that Welles was using "Playboy" and "Playmate" not as trademarks, but
rather as descriptive terms fairly and accurately describing her web page, and that her use of
LU

"Playboy" and "Playmate" in her web site's metatags was a permissible, good faith attempt to
index the content of her web site. It accordingly concluded that her use was permissible under
PN

the trademark laws.

[86] [32] We agree that West Coast can legitimately use an appropriate descriptive term in its
H

metatags. But "MovieBuff" is not such a descriptive term. Even though it differs from "Movie
Buff" by only a single space, that difference is pivotal. The term "Movie Buff" is a descriptive
term, which is routinely used in the English language to describe a movie devotee. "MovieBuff"
is not. The term "MovieBuff" is not in the dictionary. See Merriam-Webster's Collegiate
Dictionary 762 (10th ed. 1998); American Heritage College Dictionary 893 (3d ed. 1997);
Webster's New World College Dictionary 889 (3d ed. 1997); Webster's Third New Int'l
Dictionary 1480 (unabridged 1993). Nor has that term been used in any published federal or state
court opinion. In light of the fact that it is not a word in the English language, when the term
"MovieBuff" is employed, it is used to refer to Brookfield's products and services, rather than to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.269

mean "motion picture enthusiast." The proper term for the "motion picture enthusiast" is "Movie
Buff," which West Coast certainly can use. It cannot, however, omit the space

[87] Moreover, West Coast is not absolutely barred from using the term "MovieBuff." As we
explained above, that term can be legitimately used to describe Brookfield's product. For
example, its web page might well include an advertisement banner such as "Why pay for
MovieBuff when you can get the same thing here for FREE?" which clearly employs
"MovieBuff" to refer to Brookfield's products. West Coast, however, presently uses Brookfield's
trademark not to reference Brookfield's products, but instead to describe its own product (in the
case of the domain name) and to attract people to its web site in the case of the metatags). That is
not fair use

LA
VI

IM
[88] [33] Having concluded that Brookfield has established a likelihood of success on the merits
of its trademark infringement claim, we analyze the other requirement for preliminary injunctive
SH
relief inquiry, irreparable injury. Although the district court did not address this issue, irreparable
injury may be presumed from a showing of likelihood of success on the merits of a trademark
infringement claim. See Metro Publ'g, Ltd. v. San Jose Mercury News,
LU

MANU/FENT/0548/1993 : 987 F.2d 637, 640 (9th Cir. 1993) ("Once the plaintiff has
demonstrated a likelihood of confusion, it is ordinarily presumed that the plaintiff will suffer
PN

irreparable harm if injunctive relief is not granted."). Preliminary injunctive relief is appropriate
here to prevent irreparable injury to Brookfield's interests in its trademark "MovieBuff" and to
H

promote the public interest in protecting trademarks generally as well

VII

[89] As we have seen, registration of a domain name for a Web site does not trump long-
established principles of trademark law. When a firm uses a competitor's trademark in the
domain name of its web site, users are likely to be confused as to its source or sponsorship.
Similarly, using a competitor's trademark in the metatags of such web site is likely to cause what
we have described as initial interest confusion. These forms of confusion are exactly what the
trademark laws are designed to prevent.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.270

[90] Accordingly, we reverse and remand this case to the district court with instructions to enter
a preliminary injunction in favor of Brookfield in accordance with this opinion.

[91] REVERSED and REMANDED.

------------------------------

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.271

 NALSAR Hyderabad - Indian Journal of Intellectual Property Law

2012

Article

DIGITAL RIGHTS MANAGEMENT: A PANDORA'S BOX TRYING TO WIPE OFF

THE RIGHTS OF CONSUMERS

Arnab Naskar & Shubhangi Gupta

I. Introduction

"Imagine young Chris Disk sitting at home, one afternoon, listening to the radio when he hears
that his favorite band, The Screaming Monkey Bandits, released a new CD. Upon hearing this,

LA
he runs up to his mom and asks her for money to go and buy the new CD. She proceeds to
explain to Chris the importance of money and that he needs to work for the money. Chris then
spends the next two weeks working hard...Finally, Chris has made enough money to buy the CD

IM
and he rushes off and buys the new Screaming Monkey Bandits CD. He races home, pops the
CD into his computer setup with speakers, hits play, and then KABLAM! The computer makes a
loud noise, starts smoking and won't work. Chris begins to cry. After saving up more money to
SH
pay a computer repairman to extricate the CD from the computer drive and repair his computer,
Chris returns to the store to get his money back. At this point the retailer explains that this CD
has a new copyright protection "format" that cannot be played in a computer. Unfortunately the
LU

new Screaming Monkey Bandits CD was not marked to warn Chris that he could not play it in
his computer..."

In the above scenario, Chris was left with nothing other than a damaged computer. This story is
PN

more than just a hypothetical incident; it led to class action lawsuit in California against five
major record labels for distributing defective and unstable audio-discs containing no-copy
technology.
H

Before proceeding further, it is pertinent to highlight the changing digital status quo. In the pre-
digital era, people's ability to do various things to or with content was limited. However, the
networked digital age allows doing anything to digital content, instantaneously, and at virtually
no cost. While this is indeed a great opportunity for new content business models, but it threatens
the livelihood of content creators by making rampant piracy possible. Thus, there was felt a need
for a technology that will enable to secure content, management, distribution and promotion of
Digital Content on the cyberspace.

Such progressive technology has been termed as Digital Rights Management ('DRM') and
Technological Protection Measure ('TPM'). DRM is a broad term that refers to any technologies
and tools which have been specifically developed for managing digital rights or information. In
this Article, 'Digital Content' means any text, graphics, images, audio, video, software, etc.,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.272

necessarily in digital format. DRM aims to protect ownership / copyright of Digital Content by
allowing only an authorized recipient to do certain permitted act with the content.

For better explanation, some of the instances of DRM are- a movie production company embeds
software on its Digital Versatile Disc('DVD') that limits the number of copies a user can make
form that DVD; an e-book server restricts access to, copying of and printing of material based on
constraints set by the copyright holder of the Digital Content, etc.

Digital Content Owners ('Content Owner') consider DRM as a tool to secure their interest in the
digital world. Other important reasons to choose DRM are as follows: First and much reported in
the media, DRM aims at making illegal copying harder and more costly. In simple words, DRM
aims to increase the cost of piracy. Second, often overlooked, but of equal importance, DRM
intends to reduce costs of obtaining Digital Content legally. Thus, DRM encourages the Digital
Content Users / Consumers ('User') to obtain the Digital Content legally.

LA
Though on the face of it DRM appears to create a win-win situation for both the side, but in
reality it largely helps the Content Owners. Different approaches may be adopted by the User to

IM
address this issue. Recourse can be taken to the law(s) dealing with the Copyright; and/ or the
law(s) dealing with the Competition; and/ or the law(s) dealing with the Consumer Protection.
This article primarily aims on the first recourse available in India and in light of that seeks to
SH
address the concern of Indian User so as to provide them with the benefit of technological
innovations without abusive restrictions.

This Article exposes the extent to which Content Owners aims to restrict the User's rights by
LU

enforcing DRM / TPM. To balance this inequity, the analytical research investigates the
application of Copyright law of various jurisdictions, which somewhere promotes, and
somewhere restricts the curtailment of User's rights though DRM / TPM. Furthermore, this
PN

article also highlights the recent Amendment to the Copyright Act, 1957, with special reference
to the introduction of anti- circumvention provision in India.
H

The first part of the Article, after a brief definition of the term DRM and TPM, deals with the
functioning of this system. The second part discusses the reasons by virtue of which DRM / TPM
has stormed up controversies around the Globe. This part also throws light on various practical
cases like Apple i-Tunes case, Sony BMG Rootkit case, etc, which have stretched far in exposing
the pessimism of DRM / TPM. The third part deals with the direct nexus of DRM / TPM
technology with the User's interests. In addendum, it also raises the obligation on the part of the
Content Owner's to disclose information while selling DRM / TPM encrypted material to protect
the right to privacy of consumers. Prior concluding, the fourth part takes into consideration the
endeavours put in by the Indian Legislature by incorporating Section 65(A) and 65(B) in the
Copyright Amendment (Amendment) Act, 2012. The last part recommends certain changes to
improve the position of the Indian User at par with the Content Owner and concludes.

II. DRM, TPM: Definition and Functioning

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.273

Introduction of DRM took place in 1994 as a panacea for control of accessing and handling the
digital content. Since then, DRM have been a very controversial topic and the story of
implementing DRM has been full of turns and twists. However, with the passage of time DRM
started restricting the User to view, access and use the Digital Content.

The Article uses the term TPM and DRM, therefore, it will be unjustified to keep the concept of
TPM untouched. The term DRM and TPM is often considered a synonym. But fundamentally the
difference lies between their respective mode of application: TPM's are generally designed to
impede access or copying, whereas DRM systems do not impede access or copying per se, but
rather create an environment in which various types of use, including copying, are only
practically possible in compliance with the terms set by the right holders.

DRM usually embeds with the Digital Content and aim to limit the ways in which Digital
Content can be used, reducing the User's choice and generating interoperability problems.

LA
Through DRM, Content Owner's also access Users' personal information, posing a powerful
threat to Right to Privacy. Such situation creates conflict with the interests of legitimate User, i.e.
the Consumers rights and privilege. DRM used to control distribution of an e-book, enforcing a

IM
'read but don't lend' permission, restricting the ability of the individual to read the e-book on
more than one computer. Other conditions which are being enforced by the DRM includes: 'read
SH
once', 'erase in two weeks', 'do not copy text', 'do not print' or 'do not copy'. DRM sometimes also
restricts enjoyment of creative works by allowing its access though some specified type of
device(s), such as an iPod, iPhone, and other Apple products.
LU

Due to the above-enumerated reasons, DRM generated huge controversy. The proponents of
DRM / TPM, specifically the Content Owner, contend that DRM / TPM is imperative for
protecting consumers against viruses and preserving the interest of Copyright Owner in the
PN

digital environment. Whereas, the opponents raise the contention that DRM has gone too far, by
placing excessive control in the hands of copyright holders, which upsets the balance in
Copyright law. However though the first claim raised by the proponents lacks any evidentiary
H

support, second claim is indeed true.

The second claim of the Content Owners, on the face of it appears only a humble claim. But for
the below mentioned instances it can be stated that in reality such interest of the Content Owners
actually aimed to limit the legitimate interests of the User. A Celine Dion album released in 2002
by EPIC and Sony records is capable of crashing a User's computer upon insertion of the same in
a CD-ROM drive. In the same year, Microsoft implemented Palladium system that combines
software and hardware controls to create a 'trusted' computing platform. Palladium system
embeds DRM into software and hardware. There are large numbers of such restrictions imposed
by the Content Owners, which aims to cornerstone the User's rights and privileges.

III. Controversy Surrounding DRM and TPM

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.274

DRM is a great relief for copyright holders. DRM, though initially created to protect Digital
Content, turned out to be an oppressive weapon against the User. A simple technical discussion
will help to establish the implications of DRM crystal clear.

DRM is specific computer code that works as a protective layer over the Digital Content,
allowing Content Owners to limit a consumer's use of that product. To secure content, DRM
users (Content Owner) usually takes two approaches: The first is 'containment' (or the wrapper),
an approach where the content is encrypted in a shell so that it can only be accessed by
authorized users. The second is 'marking' (or using an encrypted header), such as the practice of
placing a watermark, flag, XML or XrML tag on content as a signal to a device that the media is
copy protected."

DRM's unpopularity is because of the reason that it offers nothing to the User, other than a one-
sided requirement, imposed by the Content Owner. The metaphor of User's right from the real

LA
world can be easily carried on to the cyber world. Hence the Statutes/ Rules enacted to protect
User from deceptive marketing practices, negligent misrepresentation, unfair terms, or unfair
business practices apply with full force in the digital world as well.

IM
Till date legal battle against the Content Owners for imposing DRM or TPM has not been
observed in India. Hence, following are the few instances of Conflicts, observed in the Western
SH
countries, between the Content Owners and the Users:

3.1. THE APPLE - iTUNES CASE[Pamela Samuelson & Jason Schultz, Regulating Digital
Rights Management Technologies: Should Copyright Owners Have to Give Notice About
LU

DRM Restrictions?,March 2012, available at

http://people.ischool.berkeley.edu/~pam/papers/notice%20of%20DRM-701.pdf.]
PN

On April 2, 2007, Apple Inc. and EMI Music held a joint press conference in London, considered
H

being the harbinger of significant changes in the digital music arena. The conference relieved
the User's by assuring them that their Apple Inc. will not disappoint them further by continuing
the enforcement of DRM. However, the situation was not the same before 2007.

The iTunes Music Store, a service of Apple Inc., enforces its standard contract terms by means
of a DRM system called 'FairPlay' and according to the terms of service, the provider reserves
the right, at its sole discretion, to modify, replace or revise the terms of use of the downloaded
files. In the European Communities ('EC') market, this behaviour is prohibited by law and
considered unfair, particularly when applied in a standard form contract not subject to
negotiation.

On January 25, 2006, based on the EC laws, the Norwegian Consumer Council presented a
complaint with the Consumer Ombudsman (Mr. Bjorn Erik Thon) against iTunes Music Store

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.275

for breach of fundamental consumer rights. Although Norway is just an European Economic
Area member, its copyright and consumer protection law fully complies with the EC Copyright
and Consumer acquis. On January 2007, Norway declared Apple's DRM illegal and ordered
them to remove the restrictions of Fair Play within October 2007.

In the meantime, France and Germany also raised their voices against the unfair activities of the
iPod giant. The tussle came however ended in 2009 when after the Apple Inc. withdrew its unfair
'FairPlay' restrictions.

3.2. SONY-BMG ROOTKIT

In 2005 Sony BMG Music distributed thousands of musical Compact Disks ('CD') that contained
TPM software designed to embed itself in the Windows Operating System where it could
monitor and restrict use of the musical files from the CD. Because of the statement given by

LA
Thomas Hessee, Ex-President of Sony BMG's Global Digital Business that, "Most people don't
even know what a rootkit is, so why should they care about it", it is pertinent explain the concept
of 'Rootkit'.

IM
Sony BMG secretly included Extended Copy Protection (XCP) and MediaMax CD-3 software
on millions of music CD, of various artists like Celine Dion, Neal Diamond and Santana in the
SH
mid-2000. The software designed to keep Users at bay from making too many copies of the
CD's. It was in form of a Rootkit, undetectable by anti-virus and anti- spyware programs that
opened the door for other malware to infiltrate computers. Even if Sony BMG disclosed the
existence of this software in the End User's License Agreement ('EULA'). The agreement did not
LU

disclose the real nature of the software being installed, the security and privacy risks it created,
the practical impossibility of uninstalling and many other potential problems for the User's
computer.
PN

When users and consumer organizations were informed of this matter, they filed more than
twenty lawsuits against Sony BMG in Canada, United States and Europe. The main motive was
H

to restrict the content on the copy-protected CD's so that the data can only be transferred to
certain media players and portable devices (i.e., those using Sony or Micro-soft products) and
could not be transferred to an iPod device or iTunes media player. Though the iPod is the
dominant portable device and that iTunes is one of the most popular media players, many
purchasers of Sony's copy-protected CDs were denied the right to "space-shift" their music.

Following the discovery of the use of this surreptitious copy protection technology, in November
2005, the Attorney General of Texas filed a class action lawsuit against Sony BMG under Texas'
Consumer Protection Against Computer Spyware Act of 2005 followed by a number of class
action law-suit. Those cases were the first cases in the US, based on consumer law as an
instrument of defence against DRM technologies.

3.3. REGION CODES

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.276

All hail to the Content Owner, DVD region coding system recently prevented the British Prime
Minister from viewing a set of 25 "American classics", which were gifted by President Barack
Obama, considered to the most powerful person on Earth.

So what is this 'Region Code'? DVD Region Coding is an early form of TPM. DVD's are often
encoded with a numerical identifier that corresponds to a specific geographic region in which
that DVD is authorized to play. For example, if one purchases a DVD with a European Region
Code while on vacation in France that DVD may not play on most U.S. or India manufactured
DVD players, thanks to the Region Code. Users who then travel or move from one region to
another risk an unfair surprise in finding that the Digital Content, which they legally purchased,
does not work with equipment(s) at their home. Though pervasive, most DVD manufacturers
neither disclose this to the User either at the point of sale, nor through any agreement (like
EULA), entered therein. Thus, the consumer is kept unaware of such TPM restriction imposed
on them by the Content Owners in conjunction with the DVD Copy Control Association.

LA
Such problems have also extended beyond the Digital Content. Like, Hewlett-Packard has started
'region coding' its printers to match only certain printer cartridges bought in the same region of

IM
the world as the printer . If the wrong cartridge is inserted, the printer refuses to print, even
though it is functionally identical to the approved cartridges.
SH
3.4. EMI FRANCE[Urs Gasser and John Palfrey, Case study on DRM - protected music
Interoperability and Elnnovation, Berkman Publication Series, University of St. Gallen,
2007.]
LU

A French court, to take another example, fined EMI Music France for selling CDs with DRM
protection schemes that would not play on car radios and computers. EMI was held guilty for
violating the consumer protection law because it did not appropriately inform consumers of
PN

these restrictions. The Court ordered EMI to label its CD's with the text:

"Attention: cannot be listened on all players or car radios" to aware the User of such restriction.
H

Even the EMI Music was made liable to pay 3000 € as damages.

IV. DRM / TPM and its Direct Nexus with Consumerism

Copyright Act primarily deals with the rights of the Content Owners. Hence to ascertain the
rights of the Users it will be useful to have a brief analysis of the Common law rights that the
Consumers enjoys, which DRM / TPM contradicts. DRM / TPM tend to contradict mainly three
distinct rights of the Users. Firstly, the right to know, i.e. the Content Owners have a disclosure
obligation. Secondly, right to privacy. Thirdly, right to private copy, usually this right emanates
from the Copyright Act.

4.1. DISCLOSURE OBLIGATIONS WHEN SELLING DRM / TPM ENCRYPTED

MATERIALS

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.277

There is little doubt that disclosure and transparency are effective means of protecting the User's
rights and interests, especially in cases of information asymmetry. Users have a right to know
about the permissible extent to which they are entitled to access a Digital Content. This right is
considered as the grand norm of Consumer jurisprudence. It is an express obligation for the
Content Owner to disclose any material limitations of access rights (including, but not limited to,
technological limitations such as an inability to use the media on another platform) clearly and
conspicuously before selling those to the Consumer.

Repeatedly the Content Owner's failed to provide full disclosure of DRM / TPM software(s),
embedded in their Digital Content which in turn deprived User's of their basic rights. For
instance, Sony did not inform Consumers that the Rootkit would collect information from Users'
computers and use it to serve advertisements; which will ultimately compromise the security of
the Consumers system. It is undisputable that the Users have right to play their CDs on their
electronic systems, capable of processing Digital Contents, without being monitored and targeted

LA
for marketing. The Commission in US has challenged this type of conduct by adware purveyors.

Indian Consumer Protection Act, 1886 does not specifically talk about the protection of

IM
Consumers from DRM. However, under Section 6(b) of the Indian Consumer Protection Act,
1986, Consumers have the rights to receive information about the quality, quantity, potency,
SH
purity, standard and price of goods or services. Hence, interpreting the statute, Content Owners
selling DRM / TPM encrypted material in India may be obliged to disclose the same to the User.

4.2. OBLIGATIONS TO PROTECT PRIVACY

LU

Right to privacy is a fundamental right guaranteed by all major international human rights
Covenants. Users are not much aware of violation of this right through DRM / TPM. This
violation takes place in such a way that it is not possible for a Consumer to identify it. A factual
PN

example will make it clear how this violation takes place.

Microsoft's Windows Media Player ('WMP') for Windows XP violated the privacy right of
H

User's. WMP allowed Microsoft to track DVD movies been watched by users on their Windows
PC. This problem was introduced in version 8 of WMP that were preinstalled on all Windows
XP systems. Microsoft violated the Privacy Rights though the following process:

"Each time a new DVD movie is played on a computer, the WMP software contacts Microsoft
Web server to get title and chapter information for the DVD. When this contact is made, the
Microsoft Web server is given an electronic fingerprint, which identifies the DVD movie being
watched, and a cookie, which uniquely identifies a particular WMP player. With these two-
pieces of information, Microsoft can track what DVD movies are being watched on a particular
computer. The WMP software also builds a small database on the computer hard drive of all
DVD movies that have been watched on the computer. As of Feb. 14, 2002, the Microsoft
privacy policy for WMP version 8 does not disclose that the fact that WMP 'phones home' to get
DVD title information, what kind of tracking Microsoft does of which movies consumers are

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.278

watching, and how cookies are used by the WMP software and the Microsoft servers. There does
not appear to be any option in WMP to stop it from phoning home when a DVD movie is
viewed. In addition, there does not appear any easy method of clearing out the DVD movie
database on the local hard drive."

This is not a single instance of privacy violation but there are many more instances hidden in the
sacks that are appearing in forefront with the passage of time. In India also this DRM / TPM is
violating the Privacy Right, may be in a much more aggressive manner. But mainly due to two
reasons such violations are not being addressed. Firstly, India lacks any statutory enactment
which expressly guarantees a general Right of Privacy to individuals; therefore, it is becoming
increasingly difficult to protect the Privacy rights of Indian Users / Consumers. Secondly, there
is a lack of awareness about privacy right in India.

However, elements of privacy right, traditionally embedded in the common law and criminal

LA
law, have been recognized by Indian courts . But lack of any specific recognition of this right in
the Digital World threatens the privacy rights of Indian Users / Consumers. However, recently
the Indian Government issued Information Technology (Reasonable Security Practices and

IM
Procedures and Sensitive Personal Data or Information) Rules, 2011 ('IT Rules'), as a delegated
legislation deriving its power from Section 43A of the Information Technology Act, 2000.
SH
As the Indian Content Owners falls under the definition of Body Corporate , hence they will be
bound to protect privacy of Sensible Personal Data of the Users. IT Rule covers only Body
Corporate(s) located in India, hence Content Owners located outside India will not be bound to
LU

abide by this delegated legislation. Further the consent, in writing, of the User also need to be
taken, pursuant to the IT Rules to access the Sensible Personal Data.

4.3. OBLIGATION TO PROTECT 'RIGHT TO PRIVATE COPY‟

PN

A User who buys a Digital Content from the Content Owner has the right to reproduce that
article for his own purpose; academically this right has been referred to as 'right to private use'.
H

This right is guaranteed under various international covenants dealing with the Intellectual
Property rights.

In India, 'Right to Private copy' is enshrined under the doctrine of Fair Dealing. Fair Dealing is
statutorily laid down under Section 52 of the Indian Copyright Act, 1957, which stipulates, that a
Fair Dealing with a literary work for the purpose of criticism or review, whether of that work or
of any other work shall not constitute infringement of copyright. In the case of Wiley Eastern
Ltd. and Ors.v. Indian Institute of Management ; the Delhi High Court traced the purpose of the
enforcing Fair Dealing with reference to the Constitution of India:

"The basic purpose of Section 52 of the Indian Copyright Act, 1957 is to protect the freedom of
expression under Article 19(1) of the Constitution of India...Section 52 is not intended by
Parliament to negatively prescribe what infringement is." *61

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.279

Thus, the Content Owners have a duty to respect the 'right to private copy' and, therefore, the
same may not be curtailed by imposing DRM / TPM.

V. Role Of Copyright Law In Protecting The Interest Of The Content Owners

In India, the only effective protection against DRM can be obtained though the Copyright Act,
1957 due to the 2012 Amendment. The recent amendment to the Indian Copyright Act
drastically changed the Copyright regime of India. The anti-circumvention law introduced in
India is quite different compared to that of the United States of America ('USA'). This part deals
firstly, with the anti-circumvention law prevalent in USA and secondly with the recent
amendment of the Indian Copyright Law, 1957 and the features of the newly inserted Indian anti-
circumvention law.

5.1. USA: DIGITAL MILLENNIUM COPYRIGHT ACT, 1998

LA
With the rising concern of Content Owners regarding their intellectual rights and adoption of the
World Intellectual Property Organization ('WIPO') Treaty ; in 1998 Congress of the United

IM
States of America ('US'), enacted the Digital Millennium Copyright Act ('DMCA'). The DMCA
and its anti-circumvention provisions for copy protection technology goes beyond the Audio
Home Recording Act,1992 ; DMCA not only prevents coping but also prevents unauthorized
SH
access. With the enactment of DMCA, scholars raised fear that the anti- circumvention
legislation went too far to protect Copyright Owners and would directly contradict the US
Constitution.
LU

By virtue of DMCA, the Copyright Owners deploy DRM mechanisms that do not allow Fair Use
of the Digital Content, resulting in a curtailment of Users' ability to engage in lawful Fair Uses
of digital copyrighted works.
PN

5.2. INDIA: COPYRIGHT (AMENDMENT) ACT, 2012

Recently the Indian Parliament passed the Copyright (Amendment) Act, 2012 ('Amendment
H

Act') which amended the Copyright Act, 1957 with certain changes for clarity, and aimed to
remove operational difficulties by addressing certain new issues that have emerged in the context
of digital technologies and the Internet. The Amendment Act aimed to bring the Copyright Act,
1957, in conformity with the two WIPO Internet Treaties, viz., the WIPO Copyright Treaty
(WCT), 1996 and the WIPO Performances and Phonograms Treaty (WPPT), 1996 to the extent
considered necessary and desirable This Amendment imposed 'TRIPS plus' standards on India
for which there was no legal obligation.

The Amendment Act allowed User's to break DRM / TPM on legally purchased Digital Content,
as long as do not violate copyright terms. The Amendment Act inserted two new provisions,
section 65A and section 65B to the Copyright Act, 1957, relating to protection of technological
measures and protection of rights management information.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.280

Section 65A has been drafted to provide certain rights to the Users. However, many pressure
groups like Indian Music Industry, RPG Enterprises-Saregama, Indian Performing Right Society
Limited and many more tried to influence the Standing Committee of Parliament to enforce
stringent law in line of USAs' Digital Millennium Copyright Act, 1998, but the Committee
refused to recommend so.

Section 65A(1) of the Amendment Act, imposes punishment to the User of the Digital Content in
the event of circumventing any DRM / TPM technology imposed by the Copyright Owner.
However, Users are exempted from such punishment provided :

a. the act of circumvention is not expressly prohibited by the

Copyright Act;

b. does anything necessary to conduct encryption research using a lawfully obtained encrypted

LA
copy: or

c. conducts any lawful investigation; or

IM
d. does anything necessary for the purpose of testing the security of a computer system or a
computer network with the authorization of its owner; or
SH
e. operator; or

f. does anything necessary to circumvent technological measures intended for identification or

LU

surveillance of a user; or

g. any measure is taken necessary in the interest of national security

PN

Thus, the ambit of section 65A of the Amendment Act does not exclude the right of Fair
Dealing, guaranteed under section 52 of the Copyright Act, 1957 unlike that of the DMCA.
Section 65B prevents removal of the information regarding the management of rights included in
H

the digital copies of the work. This newly inserted section provides protection to the Content
Owner against any removal of DRM / TPM, without authority. Section 65B mandates
punishment to the User, who knowingly:

a. removes or alters any rights management information (DRM / TPM) without authority; or

b. distributes, imports for distribution, broadcasts or communicates to the public, without

authority, copies of any work, or performance knowing that any rights management information
(DRM / TPM) has been removed or altered without authority.

This provision also allows the Content Owner to obtain civil remedy, in addition to the criminal
punishment as per the Copyright Act, 1957.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.281

However one serious concern cab be raised here. TRIPS only require criminal procedures for
copyright infringement in case of "piracy on a commercial scale" . DRM / TPM measures may
be circumvented both in commercial and private non commercial level. Section 65A and 65B
denies recognition of the difference between the two and thereby provides for criminal
punishment to both.

Criminality is being judged depending upon the harm to the society as a whole. This general
requirement of harm to society is not satisfied by instances of private non-commercial level
circumvention. Hence, there is no justification to treat both commercial and non-commercial
private circumvention equally.

VI. Conclusion

Personal computers entered the Indian market much later compared to the Western countries.

LA
Indian legislature though trying to bring the enactments dealing with Digital world at par with
the Western counterparts, but the process is very slow. Positive attitude of the India legislature to
address the international issues can be witnessed in recent years, post enactment of the

IM
Information Technology Act, 2000.

The Western Countries address the implications of DRM / TPM invoking their respective
SH
municipal laws. India, prior to the 2012 amendment of the Copyright Act, 1957, was unable to
acknowledge, the presence of DRM / TPM, statutorily. With the 2012 amendment of the
Copyright Act, 1957, India not only recognised the existence of DRM / TPM but also provided
relief to the User's by allowing them to circumvent such technological measures in certain
LU

prescribed situations.

However, the Indian legislature failed to justify the treatment both commercial and non-
PN

commercial private circumvention equally. As it is already mentioned that TRIPS only require
criminal proceedings against copyright infringement done on commercial scale, hence treating
the both under equal footing may be unreasonable for the Indian Democratic setup.
H

Amendment Act though provides rights to the Content Owner's, failed to provide with a limit of
such technological measures that aims to curtail the freedom of the User / Consumer. Taking
non-digital world as a baseline for User's right, digital world does not allow the same level of
freedom to them. Instead the rights of the User in the digital world are much narrower. Hence the
burden lies upon the legislature to equalize the rights of the Users in both the world. Every right
has a corresponding duty; hence the Content Owner though entitled to protect their Digital
Content must also be bound to fulfil their obligations like: protect privacy rights of the Users;
provide right to private copy; disclose the existence and implications of DRM / TPM software in
a Digital Content.

However, this paper only attempt to deal with the Copyright Act and its role in controlling DRM
/ TPM but it is indisputable that Copyright law primarily aims to protect the interests of the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.282

copyright owner. Therefore, to protect the interests of the Consumers, laws relating to the
Consumers right must also provide protection against encroachment of their rights by the
Content Owners. With regard to the international perspective, it is pertinent to note the efforts of
amending the UN Consumer Protection Guidelines for the safeguarding of consumers against the
embargo created by DRM technologies. Indian Consumer Protection Act, 1986, till date, does
not provide for any such special safeguards in the digital world against the Content Owner.

It is worth mentioning at end that the Indian legislature took a reasoned approach while
protecting the DRM / TPM technology of the Content Owners through the Amendment Act. The
Amendment Act did not provide any 'blanket prohibitions' against circumvention like that are
present in the DMCA. In near future Privacy Act can also be expected in India which will
protect the privacy of Users. Until then the Amendment Act will be the guiding star in dealing
with DRM / TPM issues in India.

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.283

 NLSIU Bangalore - Indian Journal of Law and Technology

2013

Article

GIVE ME MY SPACE AND TAKE DOWN HIS

Ananth Padmanabhan

TRANSIENT 'AND' INCIDENTAL: OR SHOULD IT BE AN 'OR'?

In 2010, the controversial Copyright (Amendment) Bill came up for deliberation before the
Parliamentary Standing Committee on Human Resource Development, headed by Mr. Oscar
Fernandes. While a major part of the discussion revolved around the altered royalty structure and

LA
rights allocation between music composers and lyricists on one hand, and film producers on the
other, it can be safely stated that this is the most significant amendment to the Copyright Act,
1957 beyond this reason alone. The amendment seeks to reform the Copyright Board, bring in a

IM
scheme of statutory licenses, expand the scope of performers' rights and introduce anti-
circumvention measures to check copyright piracy. As part of its ambitious objective, the
amendment also attempts to create a new fair use model to protect intermediaries and file-sharing
SH
websites.

The Copyright (Amendment) Act, 2012, which gives expression to this fair use model through
Sections 52(1)(b) and (c), reads thus:
LU

52. Certain acts not to be infringement of copyright. - (1) The following acts shall not constitute
an infringement of copyright, namely:
PN

(a) to (ad) - *****

(b) the transient or incidental storage of a work or performance purely in the technical process of
H

electronic transmission or communication to the public;

(c) transient or incidental storage of a work or performance for the purpose of providing
electronic links, access or integration, where such links, access or integration has not been
expressly prohibited by the right holder, unless the person responsible is aware or has reasonable
grounds for believing that such storage is of an infringing copy:

Provided that if the person responsible for the storage of the copy has received a written
complaint from the owner of copyright in the work, complaining that such transient or incidental
storage is an infringement, such person responsible for the storage shall refrain from facilitating
such access for a period of twenty-one days or till he receives an order from the competent court
refraining from facilitating access and in case no such order is received before the expiry of such
period of twenty-one days, he may continue to provide the facility of such access.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.284

From a plain reading, it is clear that two important exceptions are carved out: first, in respect of
the technical process of electronic transmission, and second, in respect of providing electronic
links, access or integration. The discussion on this provision by the Parliamentary Standing
Committee, and the representations made before this Committee by various stakeholders have
been recorded in the Standing Committee Report and merit attention. The Human Resources
Department, in its submission, made it clear that the purpose behind clause (b) was only to
exempt liability arising out of 'caching', in tandem with international practice. Therefore, any
deliberate storing of the works would still amount to infringement. Similarly, the Department
contended that clause (c) only sought to carve out a safe harbour exemption for internet service
providers.

Content providers such as Saregama RPG Enterprises, the Indian Motion Picture Producers
Association, the Indian Music Industry and the South India Music Companies Association cried
wolf and placed on record their concern that such a fair use model would certainly end up being

LA
abused. The specific worries were that even illegal downloaders and suppliers of copyrighted
content would rely upon this provision to plead that their storage was incidentally made, in the

IM
process of transmission, and that these provisions cast an additional burden on content providers
to specifically request the take down of each infringing file - a task virtually impossible in the
case of online piracy. The Business Software Alliance also lent their support to these
SH
stakeholders by submitting that the initially prescribed period of fourteen days, given to the
content providers to obtain a judicial order to ensure the continued restriction on access to the
infringing content, was too short a period.
LU

On the other hand, intermediaries and online service providers were critical of the proposed
provisions which, in their opinion, did precious little to safeguard their interests. Ebay India
proposed that the words "transient and incidental", as found in the Bill, should be substituted
PN

with "transient or incidental". Yahoo India incisively analysed the wording of the Bill and
submitted that the loose language employed therein could result in problems while carrying out
various operations such as search, hosting, information retrieval and caching. A specific request
H

was placed to amend the Act to provide clearly that an internet service provider would be liable
only if it: (i) had knowledge of the infringing activity, and despite such knowledge, failed to
remove the infringing content, or (ii) induced, caused or materially contributed to the infringing
conduct of another. The Standing Committee accepted some of the above suggestions and
recommended that the fourteen day period may be reviewed in order to achieve a more
harmonious balance between the rights of content owners and that of a service provider to do
business. This later translated into the twenty-one day window, as currently seen in Section
52(1)(c). The Standing Committee also accepted Ebay India's proposal to substitute the
expression "transient and incidental" with the expression "transient or incidental". However, no
heed was paid to the submissions made by Yahoo India pertaining to the inherent ambiguity in
the language employed in Section 52(1)(c), and this is precisely where the amendments could
actually falter in achieving their stated objective.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.285

Infringement: Of Primary and Secondary

The conceptual issue that lies at the heart of the debate on fair use exemption for intermediaries
is one of liability. Liability for copyright infringement can either be primary or secondary in
nature. Primary liability, such as the case of a file-sharer deliberately storing or facilitating the
transmission of infringing works to the public, is in any case not covered within the purview of
the fair use exceptions introduced. It is only secondary liability, where the primary infringer is
provided with a space that can be used as a conduit pipe, channel or network to transmit illegal
copies created by him, that forms the subject matter of the newly introduced fair use model.
Hence, it is imperative to understand the difficulty faced, even by Courts, while adjudicating on
the permissible limits of activity that facilitates, or could potentially facilitate, copyright
infringement.

The classic divide on this issue is reflected in two judicial pronouncements - separated by a gap

LA
of more than two decades - delivered by the U.S. Supreme Court. In Sony Corporation v.
Universal City Studios Inc., popularly known as the Betamax case, the U.S. Supreme Court held
that the manufacturers of home video recording devices, known in the market as Betamax, would

IM
not be liable to copyright owners for secondary infringement since the technology was capable of
substantially non-infringing and legitimate purposes. The U.S. Supreme Court even observed
SH
that such time-shifting devices would actually enhance television viewership and therefore find
favour with a majority of copyright holders as well. The majority did concede however, that in
an appropriate situation, liability for secondary infringement of copyright could well arise. In the
words of the Court, "vicarious liability is imposed in virtually all areas of the law, and the
LU

concept of contributory infringement is merely a species of the broader problem of identifying

the circumstances in which it is just to hold one individual accountable for the actions of
another." However, if vicarious liability had to be imposed on the manufactures of the time-
PN

shifting devices, it had to rest on the fact that they sold equipment with constructive knowledge
of the fact that their customers may use that equipment to make unauthorised copies of
copyrighted material. In the view of the Court, there was no precedent in the law of copyright for
H

the imposition of vicarious liability merely on the showing of such fact.

Notes of dissent were struck by Justice Blackmun, who wrote an opinion on behalf of himself
and three other judges. The learned judge noted that there was no private use exemption in
favour of making of copies of a copyrighted work and hence, unauthorised time-shifting would
amount to copyright infringement. He also concluded that there was no fair use in such activity
that could exempt it from the purview of infringement. The dissent held the manufacturer liable
as a contributory infringer and reasoned that the test for contributory infringement would only be
whether the contributory infringer had reason to know or believe that infringement would take
place, and not whether he actually knew of the same. Off-the-air recording was not only a
foreseeable use for the Betamax, but also its intended use, for which Sony would be liable for
copyright infringement. This dissent has considerably influenced the seemingly contrarian
position taken by the majority in the subsequent decision, Metro-Goldwyn-Mayer Studios Inc. v.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.286

Grokster, Ltd. This case called into question the liability of websites that facilitated peer-to-peer
(P2P) file-sharing. Re-formulating the test for copyright infringement, the U.S. Supreme Court
held that "one who distributes a device with the object of promoting its use to infringe copyright,
as shown by clear expression or other affirmative steps taken to foster infringement, is liable for
the resulting acts of infringement by third parties." In re-drawing the boundaries of contributory
infringement, the Court observed that contributory infringement is committed by any person who
intentionally induces or encourages direct infringement, and vicarious infringement is committed
by those who profit from direct infringement while declining to exercise their right to limit or
stop it. When an article of commerce was good for nothing else but infringement, there was no
legitimate public interest in its unlicensed availability and there would be no injustice in
presuming or imputing intent to infringe in such cases. This doctrine would at the same time
absolve the equivocal conduct of selling an item with substantial lawful as well as unlawful uses,
and would limit the liability to instances of more acute fault than the mere understanding that

LA
some of the products shall be misused, thus ensuring that innovation and commerce are not
unreasonably hindered.

IM
The Court distinguished the case at hand from the Betamax case, and noted that there was
evidence here of active steps taken by the respondents to encourage direct copyright
infringement, such as advertising an infringing use or instructing how to engage in an infringing
SH
use. This evidence revealed an affirmative intent that the product be used to infringe, and an
encouragement of infringement. Without reversing the decision in Betamax, but holding that it
was misinterpreted by the lower court, the Court observed that Betamax was not an authority for
the proposition that whenever a product was capable of substantial lawful use, the producer
LU

could never be held liable as a contributor for the use of such product for infringing activity by
third parties. In the view of the Court, Betamax did not displace other theories of secondary
PN

liability. This other theory of secondary liability applicable to the case at hand was held to be the
inducement rule, as per which any person who distributed a device with the object of promoting
its use to infringe copyright, as evidenced by clear expression or other affirmative steps taken to
foster infringement, would be liable for the resulting acts of infringement by third parties.
H

However, the Court clarified that mere knowledge of infringing potential or of actual infringing
uses would not be enough under this rule to subject a distributor to liability. Similarly, ordinary
acts incident to product distribution, such as offering customers technical support or product
updates, support liability, etc. would not by themselves attract the operation of this rule. The
inducement rule, instead, premised liability on purposeful, culpable expression and conduct, and
thus did nothing to compromise legitimate commerce or discourage innovation having a lawful
promise.

These seemingly divergent views on secondary infringement expressed by the U.S. Supreme
Court are of significant relevance for India, due to the peculiar language used in the Indian
Copyright Act, 1957 (hereinafter, "the Act"). As I will seek to show, this language has been
retained even in the amendments of 2012, thus casting doubts on the efficacy of the fair use

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.287

model that they legitimise. The starting point for this enquiry is Section 51 of the Act, which
defines infringement. This provision bifurcates the two types of infringement, i.e., primary and
secondary infringement, without indicating so in as many words. While Section 51(a)(i) speaks
to primary infringement, 51(a)(ii) and 51(b) renders certain conduct to be secondary
infringement. Even here, there is an important distinction between Sections 51(a)(ii) and 51(b).
The former exempts the alleged infringer from liability if he can establish that he was not aware
and had no reasonable ground for believing that the communication to the public, facilitated
through the use of his "place", would amount to copyright infringement. The latter, on the other
hand, permits no such exception. Thus, any person, who makes for sale or hire, or by way of
trade, displays or offers for sale or hire, or distributes for the purpose of trade, or publicly
exhibits by way of trade, or imports into India, any infringing copies of a work, shall be liable for
infringement, without any specific mens rea required to attract such liability. It is in the context
of the former provision, i.e., Section 51(a)(ii) that the liability of certain file-sharing websites for

LA
copyright infringement has arisen.

The Myspace Litigation and Secondary Infringement

IM
In Super Cassettes Industries Ltd. v. Myspace Inc., the defendant was running a website that
facilitated the sharing of media content by users/subscribers. The plaintiff, a leading sound
SH
recording and video label, alleged that the defendant, by providing a search and indexing
function that allowed users to search for video/sound recordings and play such content on a
computer, promoted copyright infringement. The plaintiff alleged both primary and secondary
infringement on the part of the defendant. The plaintiff's case for primary infringement was that
LU

the defendant authorised the communication of the copyrighted works of the plaintiff to
members of the public without the plaintiff's consent. To support the plea of secondary
infringement, the plaintiff relied on Section 51(a)(ii) of the Act.
PN

Rejecting the primary infringement plea raised by the plaintiff, the Delhi High Court held that
although authorising an act which was part of the owner's exclusive right under Section 14 would
H

no doubt amount to primary infringement under Section 51(a) (i), such authorisation required
something more than merely providing the means to communicate the work to the public or
providing the place for such communication. Explaining the level of involvement required for
being a primary infringer on the ground of authorisation of infringement, the High Court held
that active participation, inducement, or approval was a necessary ingredient to establish
authorisation. The High Court clarified that knowledge of the fact that certain acts were
infringing in character was different from active participation in, or any inducement of, such
acts. The Court concluded that merely providing the means for infringement would not establish
control, and therefore, any person providing such means could not be said to have approved or
countenanced such act.

However, on the secondary infringement plea, the High Court, with all due respect, adopted a
fairly dangerous yardstick to define the expression "was not aware and had no reasonable ground

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.288

for believing" found in Section 51(a) (ii). The first error committed by the Court was in equating
physical space and the virtual world, and assuming that the word "place" in this provision would
automatically apply to the internet. To justify the view, the Court relied upon certain prior
precedents on statutory interpretation to the effect that the language used in a statute must be
given dynamic meaning to accommodate technological changes. These judgments were
extremely fact-sensitive and most often involved situations where the regulation in question
could realistically be extended to the new technology. The internet and physical space can
perhaps be equated while drawing parallels between domain name infringement and passing off
due to the common nature of the property involved, i.e., the identity of the person or business
source identifier. However, the regulatory laws applicable to the control of physical property
cannot be extended to the virtual world in similar fashion. Section 51(a)(ii) is, in effect, a
provision that regulates control of physical property, by casting the onus upon the owner or
possessor of the property to ensure that his place is not used for copyright infringement. The

LA
natural presumption is that this actor is indeed in a position to control the use to which his
property can be put. This presumption does not hold good at all in the case of the internet. The
architecture of the internet is such that an individual has much less control over what can be

IM
termed as his " space", whether it be an e-mail account, a page in a social networking website,
or a website "managed" by him. Hence, it was erroneous in the first *26 place, to have applied a
SH
provision such as Section 51(a)(ii), worded with the specific purpose of fixing liability on a
person having control over a physical space, to a similar actor in the online world, because the
level of control in the hands of the latter is much lesser.

The second error was in interpreting the safe harbour provision contained in this section in a
LU

manner highly inconsistent with the spirit of other internet regulations, such as the Information
Technology Act, 2000 (hereinafter, "the IT Act"). This again stemmed from the previous error,
PN

i.e., assuming that a person has reasonable ground of belief in respect of activities that go on in
his backyard, except in certain limited situations. This assumption is valid in the case of physical
spaces, and the actor who owns or possesses the same would indeed be in the best position to
ascertain what really goes on. In the virtual world, this assumption breaks down and it is self-
H

evident to any internet user that the level of control over any information that passes through our
Twitter handles, Facebook status updates and so on, is quite low. Axiomatically, the situations
for which we are exempt from liability for failing to regulate should be much higher in the latter
scenario. The Delhi High Court completely ignored this perspective. While furnishing cause for
its conclusion that the defendant was in a position of such reasonable belief as to the infringing
activity, the Court relied on facts such as the revenue model of the defendant, which depended
largely on advertisements displayed on the web pages, and automatically generated
advertisements that would come up for a few seconds before the infringing video clips started
playing. Shockingly, the Court even considered relevant the fact that the defendant provided
safeguards such as hash block filters, take-down-stay-down functionality and rights management
tools operational through fingerprinting technology, to prevent or curb infringing activities on its
website. This, in the view of the Court, made it evident that the defendant had a reasonable

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.289

apprehension or belief that the activities on the website could infringe someone else's copyright,
including that of the plaintiff.

Once the Court had committed an error of such alarming proportions, having misunderstood the
internet's architecture and the role and responsibilities of various actors therein, it was but natural
for its interpretation of the safe harbour provisions in the Information Technology Act, 2000 to
be coloured by such error. The defendant had, as an argument of last resort, contended that it
was an intermediary under Section 2(w) of the IT Act, and thus stood protected under Section
79 of the same. Rejecting this contention, the Court reasoned that while the fulfilment of either
one of the conditions under Section 79(2)(a) or 79(2)(b) would suffice, the immunity under
Section 79(1) would not be available unless the due diligence requirement under Section 79(2)(c)
was mandatorily satisfied along with the condition in Section 79 (2) (a) or 79(2) (b). Coming to
each sub-clause, the Court held that Section 79(2) (a) was not attracted as the function of the
defendant was not confined to only providing access to the communication system where the

LA
third party information was stored, transmitted or hosted. Section 79(2) (b), to be attracted,
required all three conditions mentioned therein to be satisfied. Since the defendant was already

IM
found to be modifying the content uploaded on its website, the Court held that the condition of
non-modification of the information contained in the transmission was unfulfilled. Section
79(2) (c) was also held to be inapplicable, as the Court explained that such due diligence was
SH
required while the intermediary was discharging its duties. Thus, if the defendant was put to
notice about the rights of the plaintiff in certain works, the defendant had to conduct a
preliminary check in all the cinematographic works relating to Indian titles before
communicating the works to the public, rather than falling back on post-infringement measures.
LU

The defendant's act of permitting the user to upload content on its server, and then modifying the
same, was held to be contrary to the due diligence requirement. In the view of the Court, this
PN

conduct signified that the defendant had the chance to keep a check on the works, which the
defendant avoided making use of for reasons best known to it. With all due respect, this view is
erroneous as the modification of content was only auto- generated and done as part of the
business model of the service provider, and happened regardless of the infringing or non-
H

infringing character of the content uploaded onto its server. The view taken by the Court could
potentially cripple a novel business model by rendering the service provider a pirate in the eyes
of the law.

Website Blocking Orders and Intermediary Liability

The development in the My space case has to be considered along with the issuance of widely
worded orders blocking access to websites, which courts in India have been granting of late. The
strategy employed by counsel representing the copyright owner in such cases is to seek
injunctive relief against various John Does, i.e., unknown infringers, as well as to implead
different internet service providers ('ISPs') as defendants along with such John Does. The
permissibility of this strategy was called into question before the Madras High Court in R.K.
Productions Pvt. Ltd. v. B.S.N.L.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.290

This case arose out of John Doe orders, or their Indian variant, Ashok Kumar orders, sought in
respect of the Tamil film "3", which enjoyed considerable pre-release buzz due to its song
"Kolaveri Di". The producers of the film wanted an omnibus order against all websites that
hosted torrents or links facilitating access to or download of the film, apprehending that such
electronic access would be made available immediately after the film's release due to the pre-
release popularity. The Madras High Court initially granted an ex parte order. A plain reading
of this order made it clear that the known defendants, i.e., the ISPs, and the unknown Ashok
Kumars, were restrained only from infringing the copyright in the specific cinematographic
film/motion picture "3" through different means. However, the operationalisation of this order
for a period of around two months after it was pronounced resulted in the blocking of access to
various torrent and file- sharing websites. The other problem with this order was the possibility
of hauling up ISPs for contempt, upon failure to effectively implement this order. This prompted
the ISPs to file applications under Order VII, Rule 11 of the Civil Procedure Code, 1908, seeking

LA
rejection of the plaint on the ground that the suit against them was barred by law.

In the R.K. Productions case, the Madras High Court has dismissed these applications for

IM
rejection of the plaint, after accepting the contention that the ISPs are necessary parties to the suit
as the act of piracy occurs through the channel or network provided by them. The High Court has
in fact relied on the decision in the My space case as well as given independent reasoning to
SH
conclude that the ISPs are liable for infringement. This is evident from the view taken by the
Court on the safe harbour provision in Section 79 of the IT Act. Relying on the proviso to
Section 81, the Court held that the exemption from intermediary liability carved out in Section
79 would not apply to cases of copyright infringement under Section 51(a)(ii) of the Copyright
LU

Act, 1957. This is totally incorrect as the proviso to Section 81 only mandates that "nothing
contained in this Act shall restrict any person from exercising any right conferred under the
PN

Copyright Act". This then would bring us back to the language contained in Section 51(a)(ii),
wherein the copyright owner would enjoy the right to maintain an action of infringement only if
the alleged infringer was either aware or had reasonable ground to believe that the
communication to the public was infringing in character. By holding that the proviso to Section
H

81 would override the exemption from liability in Section 79, the Madras High Court is in effect
saying that an ISP, whose activity is restricted to facilitating the technical transmission of
information, can be imputed with reasonable grounds of belief that various communications that
happen through the use of its network amount to copyright infringement. This is indeed
shocking, and goes way beyond the decision in the Myspace case as well.

The other infirmity with this order is that it is per in curiam. The counsel appearing for both
sides, i.e., the content owner and the ISPs, do not seem to have brought the factum of notification
of the Copyright (Amendment) Act, 2012 about a month prior to the actual date of hearing in this
case, to the Court's attention. A bare perusal of the newly introduced Sections 52(1)(b) and
52(1)(c), reproduced above, alone makes it abundantly clear that their content posed significant
relevance to the issue at hand in the R.K. Productions case. Unfortunately, the Court missed out

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.291

on the opportunity to be the first in the country to take a hard look at the correct interpretation of
Sections 52(1)(b) and 52(1)(c), a task left now for us to undertake in the coming years. The
author hence avails this opportunity to develop some of the interpretive possibilities.

Interpreting Section 52(1) (b) - The "Mere Conduit" Exception in U.K.

A plain reading of Section 52(1)(b) of the Copyright Act makes it clear that an entity, which
carries on the sole activity of facilitating the technical process of electronic transmission or
communication of infringing works to the public, or is in other words a "mere conduit", can in no
situation be held liable for copyright infringement. There is no room for fixing any kind of
liability on such entities, including contributory or vicarious liability. As a necessary corollary,
the decision in the R.K. Productions case is incorrect as no suit for infringement would be
maintainable against ISPs, who are solely facilitating such electronic transmission in a technical
manner. However, it is still debatable whether ISPs can be impleaded as parties to a copyright

LA
infringement action on the basis that the current legal regime casts a duty on ISPs to remove, or
disable access to, infringing content once they are put to notice of such infringement. This
dichotomy between liability for infringement on the one hand and a general duty to assist in the

IM
prevention of infringement on the other is explained clearly by the Chancery Division in
Twentieth Century Fox Film Corporation v. British Telecommunications Plc.
SH
Thus, it is seen that in the United Kingdom, though a "mere conduit" activity is not
considered infringement, the concerned ISP can be directed by the Court to block access to a
LU

website that hosts infringing content on the basis of the above legislative scheme. The enquiry
should therefore be directed towards whether India has a similar scheme for copyright
enforcement.
PN

The IT Act - An Inapplicable Scheme for Website Blocking

H

The IT Act, read with the recently framed Information Technology (Intermediary Guidelines),
2011 which came into effect on April 4, 2011, provides for a duty that could be thrust upon even
"mere conduit" ISPs to disable access to copyrighted works. This is due to the presence of
Section 79(2)(c) of the Act, which makes it clear that an intermediary shall be exempt from
liability only where the intermediary observes due diligence and complies with other guidelines
framed by the Central Government in this behalf. Moreover, Section 79(3) provides that the
intermediary shall not be entitled to the benefit of the exemption in Section 79(1) in a situation
where the intermediary, upon receiving actual knowledge that any information, data, or
communication link residing in or connected to a computer resource controlled by the
intermediary, is being used to commit an unlawful act, fails to expeditiously remove or disable
access to that material on that resource without vitiating the evidence in any manner. Rule 4,
when read along with Rule 2(d) of these Guidelines, casts an obligation on an intermediary on
whose computer system copyright infringing content has been stored, hosted or published, to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.292

disable such information within thirty six hours of it being brought to its actual knowledge by
any affected person.

One way of understanding and harmoniously interpreting the provisions of the IT Act and the
Guidelines therein along with the recent amendments to the Copyright Act, is to contend that the
issue of copyright infringement by "mere conduit" ISPs is governed by Section 52(1)(b), which
completely absolves them of any liability, while that of enforcement of copyright through the
medium of such ISPs is governed by the IT Act. This bifurcation suffers from the difficulty that
Section 79 of the IT Act is not an enforcement provision. It is a provision meant to exempt
intermediaries from certain kinds of liability, in the same way as Section 52 of the Copyright
Act. This provision, read with Section 81, makes it clear that the IT Act does not speak to
liability for copyright infringement. From this, it has to necessarily follow that all issues
pertaining to liability for such infringement have to be decided by the provisions of the
Copyright Act. Therefore, the scheme in the IT Act read with the Intermediaries Guidelines

LA
cannot confer additional liability for copyright infringement on ISPs, where the Copyright Act
exempts them from liability. More to the point, the intermediary cannot be liable for copyright

IM
infringement in the event of non- compliance with Section 79(3) or Rule 4 of the Intermediaries
Guidelines read with Section 79(1)(c) of the IT Act. Rule 4 of the Intermediaries Guidelines,
2011 to the extent that it renders intermediaries outside the protective ambit of Section 79(1),
SH
upon failure to disable access to copyrighted content, is of no relevance as "mere conduits" have
already been exempted from liability under Section 52(1)(b). Moreover, since these provisions in
the IT Act do not deal with enforcement measures such as injunction orders from the Court to
disable access to infringing content in particular or infringing websites in general, it would be
LU

wrong to contend that the scheme in India is similar to the one in the United Kingdom, where the
issue of infringement has been divorced from that of enforcement.
PN

To conclude, Section 52(1) (b) is a blanket "mere conduit" exemption from liability for copyright
infringement that stands uninfluenced by the presence of Section 79 of the IT Act or the
Intermediaries Guidelines. In the absence of a legislative scheme for enforcement in India akin to
H

Section 97A of the U.K. Copyright, Designs and Patents Act, 1988, Indian Courts cannot grant
an injunction directing such "mere conduit" ISPs to block access to websites in general or
infringing content in particular, and any such action is not even maintainable in law post the
insertion of Section 52(1) (b). The decision to the contrary in the R.K. Productions case is
incorrect.

Interpreting Section 52(1) (c) – My space and Interpretive Concerns

The liability for copyright infringement of file-sharing websites and other service providers who
perform roles beyond that of a "mere conduit" shall again be governed solely by the Copyright
Act and not the IT Act, for the same reasons advanced above in the context of Section 52(1)(b).
However, in the case of such file-sharing networks, the important issue is whether a safe harbour
has really been created. One striking distinction between clauses (b) and (c) is the presence of the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.293

phrase "unless the person responsible is aware or has reasonable grounds for believing" in the
latter provision. As a result, if a file-sharer has such reasonable grounds of belief, the exemption
from liability would not be attracted.

The actual concern for file-sharing websites is the similarity in language employed in Sections
51(a)(ii) and 52(1)(b) of the Copyright Act. As already seen above, the My space case interprets
this expression in a wide manner, to include even conduct such as the inclusion of system
generated advertisements, the introduction of specific measures to curb the possibility of
infringing content being made available, and the receipt of a general list from the content owner
that contains the names of all their copyrighted works without identifying specific acts of
infringement in respect of these works. It is reiterated that this standard is incorrect as it confuses
the possibility of regulation over physical space with that over the internet, paying no heed to
specificities of the latter medium and its architecture.

LA
Assuming that the interpretation in the Myspace case will be discarded while giving meaning to
the fair use exception in Section 52(1)(c), this provision is again attracted only where the storage
of the infringing file is transient or incidental to the act of providing links or access to the work.

IM
A possible rationale for the usage of the expression "transient or incidental" could be to
distinguish legitimate file-sharing websites that operate in content neutral fashion from those
SH
where the file- sharing website actively promotes the perpetration of piracy and the storage of the
file is no longer incidental. In the latter kind of situation, the file-sharing website would also be
liable under the doctrine of contributory liability for communication of the copyrighted work to
the public, using the standard laid down in Grokster.
LU

Finally, Section 52(1)(c), as opposed to Section 52(1)(b), is not a blanket exemption and permits
the issuance of notice to the file-sharing website to remove infringing content. This is indeed a
PN

healthy practice and can result in a culture of self-regulation, which in the author's view, is the
only effective kind of regulation when it comes to the internet.
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.294

 LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.295

 Madras Law Journal

COPYRIGHT AND P2P FILE SHARING - THE LAW ACROSS JURISDICTION

Mohammed Fayaz Ali, Advocate

"Earlier generations of technology . . . have presented challenges to existing copyright law, but
none have posed the same threat as the digital age."

Infringement of copyright on cyberspace is rampant as many internet users are unaware that
certain acts committed by them constitute infringement of copyright; others choose to ignore the
fact that when they download photos, duplicate software etc., and more importantly, when they

LA
download or share songs/videos using Peer to Peer (P2P) file sharing software, they are
committing an illegal act.2 The greatest threat posed to the protection of copyright is the digital
technology through which information and data are transmitted globally with or without the

IM
knowledge that such transfer of materials might result in copyright infringement.

A user who has downloaded a P2P file sharing software (Limewire, Ares, e-mule etc.) may
SH
request any file using the software (e.g. an audio album, movie), a search is then made among all
the users using the same software and a list is provided to the requestor from which he can
choose to download his preferred file. If the user chooses to download a copyrighted file, he
commits an infringement under the Copyright Laws.
LU

Though P2P file sharing software ("P2P software") has many legal uses, it is widely used to
share copyrighted songs. Many users are unaware that the songs which are available online
PN

through P2P software for free are actually copyright-ed material and sharing/downloading of the
same without the authorization of the owner is an offence under the Indian Copyright Act, 1957
(the Act) and thereby make themselves vulnerable to civil and criminal proceedings. According
H

to Section 2(xx), Sound Recording is "a recording of sounds from which such sounds may be
produced regardless of the medium on which such recording is made or the method by which the
sounds are produced" and the same is protected under Section 13(1)(c) of the Act. A person
commits infringement when he "without the licence of the copyright owner does or authorises
another to do, any of the acts restricted by the copyright"

P2P file sharing software which enables sharing of music online gravely endangers the economy
and threatens the mu-sic industry to a great extent. The file sharing software had caused a 25%
decline in the global income of music industry during the period 1999-2004. Therefore, music
industry and the governments worldwide have initiated proceedings against the developers of
P2P software for copyright infringement.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.296

The earliest case concerning the illegal distribution of songs through peer-to-peer software was
decided in A & M Rec-ords v. Napster (Napster's case). "Napster maintained a central database
of music files available for download through which End Users could access, search and copy
music files" Napster was able to monitor copyright infringement by its users as it relied on
central 'server' thereby having knowledge about the infringing act which is a sufficient
prerequisite to constitute indirect copyright infringement. Napster was held liable for copyright
infringement by the United States Court of Appeal.

After a period of years the "File-sharing systems have evolved from a centralised model
(Napster, etc.) to second-generation hybrid decentralised systems (Direct Connect Servers,
eDonkey, etc.), and third-generation wholly decentralised systems (Kazaa, Bit-Torrent, Videora,
etc.) where the files are stored, shared and downloaded by and among the users themselves with
there being no central server. The Napster decision will not have any impact on the decentralized
P2P file sharing cases since the decentralized system inter-connects the users of the software as a

LA
result of which they can exchange files among themselves without the knowledge, authorization
and control of the software provider. There is also considerable difficulty in prosecuting the

IM
persons who provide such decentralised software as can be seen from below.

In an American case Metro-Goldwyn-Mayer Studios Inc v. Grokster Ltd (Grokster's case), the
SH
respondents were sued for distributing decentralized file sharing software which enabled users to
download copyrighted material. The re-spondents relied on Sony Corp of America v. Universal
City Studios, Inc 10(Sony's case) and put forth the following arguments:-
LU

1. They could not be held liable for contributory infringement for distributing software
which had substan-tial fair uses, unless they had knowledge of infringing activities and failed to
PN

act over it.

2. There could be no liability as the respondents had no knowledge of the infringing

H

activities due to the decentralized nature of software (unlike the case of Napster which was a
centralized system).

These arguments found favour with the United States Court of Appeal, which accordingly ruled
that '.....the respondents did not materially contribute to their users' infringement because the
users themselves searched for, retrieved, and stored the infringing files, with no involvement by
the respondents beyond providing the software in the first place'. The Court also held that the
respondents could not be held vicariously liable because they had no power to control or manage
the activities of the user and had no knowledge of what type of files were being downloaded
using its software.

On appeal, the Supreme Court of the United States reversed the decision of the Appellate Court
and held the respondent liable on the following grounds:-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.297

1. The respondents were catering to the needs of the former Napster consumers by 'inserting
digital codes into its website so that computer users using web search engines to look for
"Napster" or "free file sharing" would be directed to the Grokster website, where they could
download the Grokster software'.

2. The respondents did not attempt to prevent copyright infringement by developing

filtering software so that the users may not access copyrighted material.

3. The respondents utilized their software to host advertisements and generate revenue from
their website.

It has been commented that 'The respondents have been held liable for secondary infringement
under the inducement theory; however this decision may be subject to an appeal'.

LA
After the judgment delivered in Grokster's case, a similar case came up before the Australian
Federal Court namely Universal Music Australia Pty Ltd v. Sharman Networks (Sharman's

IM
case). Though the facts of both the cases were identical, the copyright laws of Australia were
different and even more stringent than that of United States' laws and therefore the respondents
SH
were without much difficulty held liable on a different ground '.....for the authorisation of
copyright infringement on the basis of its encouragement by advertising and its lack of sufficient
measures to prevent or thwart the use of the Kazaa system for direct copyright infringement'.
LU

The Federal Court of Australia refused to apply Section 112-E16 of the Australian Copyright
Act, 1968; instead the Court approached the case in a wider sense by relying on Section 101(1A)
which states:-
PN

'(1A) In determining, for the purposes of sub-section (1), whether or not a person has authorized
the doing in Australia of any act comprised in a copyright subsisting by virtue of this Part
without the licence of the owner of the copyright, the matters that must be taken into account
H

include the following:

(a) the extent (if any) of the person's power to prevent the doing of the act concerned;

(b) the nature of any relationship existing between the person and the person who did the act
concerned;

(c) whether the person took any other reasonable steps to prevent or avoid the doing of the
act, including whether the person complied with any relevant industry codes of practice'.

In the instant case, the respondents had authorized the download of copyrighted songs and had in
fact encouraged the same - this was the main reason they were held liable. 'WILCOX J. followed

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.298

the decision in UNSW v. Moorhouse, and said the test for establishing whether a person had
authorised the infringing act remained whether that person had sanc-tioned, approved or
countenanced the infringement'. The Judge further observed that the respondents had the means
to prevent illegal downloads by making use of filters and had the knowledge of infringing
activities but did not take necessary steps to curb it and moreover were being financially
benefited by the activities of the users.

Turning to another jurisdiction i.e. England, it has to be stated that English Courts haven't yet
had an occasion to deal with cases of alleged infringement through decentralized P2P software.
The closest they have come is CBS Songs Ltd and Others v. Amstrad Consumer Electronics Plc
and Another (Amstrad's case) - the issue even in this case was how-ever quite remote from that
of infringement arising out of sharing of recorded songs over P2P software. Here, the plain-tiffs
alleged that the defendants, by manufacturing and offering for sale hi-fi systems capable of
recording at high speeds contents of pre-recorded cassettes onto blank tapes, were authorizing

LA
and inciting users to commit copyright infringement. The Plaintiffs relied on Section 1(1) and (2)
of the Copyright Act, 1956, and also argued that the defend-ants were liable as joint tort feasors;

IM
they also alleged that defendants had committed a breach of the duty of care that the respondent
owed towards the plaintiff. However, LORD TEMPLEMAN in his judgment rejected the above
contentions of the Plaintiff and held as follows: '.....Amstrad do not commit infringement by
SH
offering for sale a machine which may be used for lawful or unlawful copying and they do not
commit infringement by advertising the attractions of their machine to any purchaser who may
decide to copy unlawfully.' It was further held that the Defendant had no control over the
purchaser after the product had been purchased and hence could not supervise whether the user
LU

was using the product for legal or illegal purposes; lastly it was also held that the Defendant did
not owe a duty to prevent, discourage or warn its customers against infringement.
PN

While it may be that the issue of copyright infringement by P2P software providers has not yet
been raised before any judicial fora in England, it has to be noted that the provisions pertaining
to copyright infringement under the Copyright Designs and Patents Act, 1988 (CDPA) are quite
H

stringent with respect to decentralized P2P file sharing software pro-viders, whereas the Indian
Copyright Act, 1957 does not contain any such strong provision to penalize or punish the
decentralized P2P file sharing software provider for infringement of copyright.

The software provider can be liable for copyright infringement in UK under the following
grounds:-

1. Primary Infringement:-

Every Description of copyright work is restricted from being copied and it also includes storing
the copyrighted material in any medium by electronic means.20 Further, issuing and making

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.299

available copyrighted copies to the public through electronic means also constitutes
infringement,

2. Secondary Infringement:-

The P2P software provider can be held liable for the secondary infringement under Section 24 of
the CDPA for provid-ing means for making infringing copies.

'Copyright in a work is infringed by a person who, without the licence of the copyright owner-

(a) makes, an article specifically designed or adapted for making copies of that work,

LA
knowing or having reason to believe that it is to be used to make infringing copies'.

'Copyright in a work is infringed by a person who without the licence of the copyright owner
transmits the work by means of a telecommunications system (otherwise than by communication

IM
to the public), knowing or having reason to believe that infringing copies of the work will be
made by means of the reception of the transmission in the United Kingdom or elsewhere'.
SH
Moreover, Section 26 of CDPA could also be invoked considering that it provides that a person
who had supplied an apparatus and had a reason to believe that the apparatus would be used to
infringe copyright could be held liable. The P2P software may be construed as an apparatus used
LU

to infringe copyright and the provider may be held liable under this section.
PN

3. Criminal Liability

Section 107 (2) enumerates that a person commits an offence when he makes an article in course
H

of his business which is specifically designed or adapted to make copies of a copyright work and
has the knowledge that the article could be made use of for making copies of a copyrighted work.

Thus, the CDPA contains various provisions which could be invoked against a P2P software
provider for copyright in-fringement.

Turning to India, the question is if a decentralized P2P software provider were to be proceeded
against are there provi-sions in the Indian Copyright Act, 1957 which enable the Courts here to
deal with such a case effectively.

The provision which comes closest is Section 58 of the Copyright Act, 1957 which deals with
the recovery of possession of the plates24 by the copyright holder utilized for the purpose of
producing infringing copies of copyright material and the person in possession of the plate is
punishable under Section 65. Section 58 deals with the repossession and as the infringement is

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.300

committed on cyberspace, the P2P software cannot be physically handed over to the copyright
holder.

There is no provision under the Indian Copyright Act, 1957 which deals severely with the person
providing means (P2P software) for reproducing infringing copies of copyright material unlike
the CDPA, 1988 or the Australian Copyright Act 1968. It is therefore in the interest of all
concerned that stringent provisions against P2P software providers are in-troduced in the
Copyright Act in India to curb the menace of music and video piracy.

*************

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.301

 Madras Law Journal

CYBERSQUATTING: INTERNET DOMAIN NAME DISPUTE - A COMPARATIVE

ANALYSIS OF INDIA WITH U.S.

J.Starli, M.L. (Business Law), Advocate, Madras High Court, Chennai

Introduction

The internet has brought a revolution which can be equaled with the industrial revolution of the
19th century. In an era when technology dominates, the Internet has becomes an indispensable
and expedient source for a wealth of infor-mation. From purchasing clothes and cars, to dating
and corresponding with people across the globe, the Internet is the modern day choice for

LA
instantaneous communications. It has comprehensively extended the reach of technology and
acquisition of data. It has provided opportunities to millions and also brought liabilities to many
especially in the field of intellectual property, data privacy etc. Many businesses, relying heavily

IM
on customer website usage, distinguish products through their trademarks, which indicate quality
and help develop brand names. Thus, using trademarks as domain names helps business to create
SH
a strong presence on the Internet. Yet, domain name registration, once a convenient identification
method for consumers, has become a profitable venture for clever entrepreneurs such as
cybersquatters. The challenge the law has faced in recent years is, how to foster the development
of intellectual property on the Internet while preventing its unauthorized use.
LU

This article tries to briefly outline the present structure of the Domain Name System, the problem
relating to Cyber-squatting in the cyberspace and the Domain Name Dispute Resolution Policy
PN

and mechanism reflecting of ICANN and the Indian scenario.

H

Domain Names

The domain names are nothing but simple forms of addresses on the internet. These addresses
enable users to locate websites on the net in an easy manner. Domain names correspond to
various IP (Internet Protocol) numbers which con-nect various computers and enable direct
network routing system to direct data requests to the correct addressee1. In other words, a
domain name is a "uniform source locator". Domain names are big business nowadays, for the
past sev-eral years, domain names, the "real estate of the Internet," have generated substantial
returns for savvy investors, who often refer to themselves as "domineers." Today, a domain name
holder can display pay-per-click advertising on a website, and sit-back and let the money roll in
while Internet users click on those ads. A single domain name can bring in hundreds of dollars a
day, and many domain name holders have thousands or even millions of domain names

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.302

Domain Name System

The Domain Name System (DNS) serves the central function of facilitating users' ability to
navigate the Internet.2 It does so with the aid of two components: the domain name and its
corresponding Internet Protocol (IP) number. A do-main name is the human-friendly address of a
computer that is usually in a form that is easy to remember or to identify, such as www.wipo.int.
An IP number is the unique underlying numeric address, such as 192.91.247.53. Distributed
databases contain the list of domain names and their corresponding address and perform the
function of mapping the domain names to their IP numeric addresses for the purpose of directing
requests to connect computers on the Internet3. The DNS is structured in a hierarchical manner
which allows for the decentralized administration of name-to-address mapping.

LA
In the case of American Civil Liberties Union v. Reno , Judge MOKENNA has explained the
Internet address system, as follows; each host computer providing Internet services (site) has a
unique Internet address. Users seeking to exchange digital information with a particular internet

IM
host require the host's address in order to establish a connection.

Internet Domain names are similar to telephone number mnemonics, but they are of greater
SH
importance, since there is no satisfactory Internet equivalent to a telephone company white pages
or directory assistance, and Domain names may be a valuable corporate asset, as it facilitates
communication with a customer. Domain name today serves as an on-line trademark, source
identifier, indicates quality and repositories of goodwill.
LU

Domain names must not be confused with property rights in names, such as trademarks. A
domain name is acquired through simple contract with a registry, and any rights which the holder
PN

has in respect of the name derive from the con-tract. Fundamentally, a 'domain name registration'
refers to a process by which a new SLD6 is created under an estab-lished TLD7 (such
as.com.org). By this process, a person or a firm (the Registrant) contacts a Domain Name
H

Registrar and requests the use of a particular name as a domain name in the DNS. Generally, no
examination is done regards the presence of any right of the Registrant in the proposed domain
name. The registrar then contacts the registry for that top-level domain and asks whether the
desired name is still available. If no one has a previously registered it, then the registrar may
process the request and register the desired name to the registrant. However, successful
registration of a domain name with an accredited domain name registrar does not confer any
legal rights to use that domain name be-yond those created by the registration agreement itself.

The DNS has been administered by IANN (Internet Assigned Names and Numbers), pursuant to
principles that were described in Request for Comments (RFC) 1591 of March 1994. The DNS
operates on the basis of a hierarchy of names. At the top, are the top-level domains, which are
usually divided into two categories: the generic top-level do-mains (gTLDs) and the country
code top-level domains (ccTLDs).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.303

There were, at the onset seven gTLDs which were established by ICANN8. Three of these are
open, as there is no re-striction on the persons or entities that may register names in them. These
three gTLDs are.com,.net and.org. The other four restrictive gTLDs are.int, which can only be
registered to use by international organization,.edu, which is restricted to use by four-year,
degreegranting colleges and universities.gov, which is restricted to use by agencies of the federal
government of Unites States of America and.mil which is restricted to use by the military of the
Unites States of Amer-ica. In addition to gTLDs and ccTLDs, there is one special TLD,.arpa,
which is used for technical infrastructure pur-poses.9

In 2001, ICANN introduced seven new domain name extensions, which

include,.aero,.museum,.coop,.biz,.info,.pro" and.name. Among the seven new domain name
extensions, the only unrestrictive extension is.info. However, in order to combat cyber squatting
in.info a system of Sunrise Period was created. Thus, for the first month (sunrise period), only
trademark holders were permitted to register domain names under this extension and it is only

LA
after this one month that the extension was opened to general public.10

Further, .biz, meant for the business community, came with a unique system that enabled the

IM
filing of an intellectual property claim. At the initial stages of.biz registrations, any trademark
owner could file an IP claim for his/her trade-mark, listing the various registration particulars
SH
such as the registration number, registration date, date of first use of the trademark, description
of goods, in respect of which the mark is registered, the international class under which the
goods fall etc.
LU

Definition of Cyber squatting

PN

According to Wikipedia 'Squatting' means occupying an abandoned or unoccupied space or

building, usually residential, that the squatter does not own, rent or otherwise have permission to
use. 'Cyber-squatting' refers to the bad faith registration of a domain name containing another
H

person's brand or trademark in a domain name. It can be defined as registering, trafficking in, or
using a domain name with bad-faith i.e. mala fide intent to make profit from the goodwill of a
trademark belonging to someone else. The 'cyber squatter' then offers to sell the domain to the
person or company who owns a trademark contained within the name at an inflated price.

Cyber squatting is the most crucial type of domain dispute prevalent around the world. It is a
practice where individuals buy domain names reflecting the names of existing companies, with
an intention to sell the names back to businesses to attain profit when they want to set up their
own websites.

The definition of Cyber squatting can be best summarized in Manish Vij v. Indra Chugh, the
Court held that "an act of obtaining fraudulent registration with an intent to sell the domain name
to the lawful owner of the name at a premium". Many multinational companies like Tata,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.304

Bennett & Coleman, Mc Donald's etc were among the first victims of cyber squatting. Many
cases are also decided by the WIPO13 and ICANN.

History of Cyber Squatting:

The business world was resisting the need for the Internet as a tool for success till 1999. They
didn't see the need to reg-ister their trademarks as domain names14. The first cyber squatters was
'Dennis Toeppen' in the early 1994's who regis-tered some very famous marks and then
demanded a ransom of 13,000 for each domain name. This type of cyber squatting causes firms
to lose money not only by paying cyber squatters to get their domain names, but as a loss of
profit for what they could be making with an effective website. Cyber squatting causes monetary
losses and damaged reputations. Businesses were not happy when these issues become apparent

LA
to them. They have learned of the important benefits of owning their trademark domain
names15. US Congress decided to take action in 1999 to help out businesses and stop cyber
squatting. The Anti Cyber Squatting Consumer Protection Act enacted in 29.11.1999. This new

IM
domain name dispute law is intended to give trademark and service mark owner's legal remedies
against defendants who obtain domain names "in bad faith" that are identical or confusingly
similar to a trademark or service mark.
SH
Comparative analysis of Cyber squatting with U.S. and India:
LU

Cyber squatting in the United States:

PN

The United States, has the U.S. Anti-cyber squatting Consumer Protection Act (ACPA) of 1999.
This expansion of the Lanham (Trademark) Act (15 U.S.C.) is intended to provide protection
H

against cyber squatting for individuals as well as owners of distinctive trademarked names.16

A victim of cyber squatting in the United States has two options:

a) sue under the provisions of the Anti cyber squatting Consumer Protection Act (ACPA),
or

b) use an international arbitration system created by the Internet Corporation of Assigned

Names and Numbers (ICANN).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.305

In Court system, jurisdiction is often a problem, as different Courts have ruled that the proper
location for a trial is that of the plaintiff, the defendant, or the location of the server through
which the name is registered.

The two important cases which can be considered pivotal in the development of cyber squatting
case law decisions in the US are

i) Intermatic v. Toeppen

In this case, the Court observed that the respondent, Mr Toeppen's conduct caused trademark
dilution since the registration of the domain name intermatic.com lessened the capacity of
Intermatic to identify and distinguish its goods and services on the internet. Another reason given
by the Court was that the use of Intermatic name on the respondent's web page diluted the value

LA
of the mark.

ii) Panavision v Toeppen,

IM
SH
In this case, the Court ruled in favour of the plaintiff. In this case, it was Panavision which had
filed a case against Toeppen. The respondent Toeppen had registered domain names with names
panavision.com and panaflex.com.
LU

These two cases also give an insight as to how vulnerable Domain names are and how trademark
holders need to be careful from these modern day cyber extortionists (cyber squatters). These
two judgments have played an important role in the drafting of the Anti cyber squatting
PN

Consumer Protection Act. It was enacted to specifically target trademark infringements in

cyberspace. In the year 2000 another well known cyber squatter John Zuccarini lost two suits
under the newly enacted Anti Cyber Squatting Consumer Protection Act (ACPA). The two
H

federal Courts ordered him to pay huge amount of statutory damages amounting to US $500,000
plus attorney's fees.

Maruti.com et al. v. Maruti Udyog Ltd.

In this case, Maruti Udyog, India's largest automaker had filed a case in 2006 against Rao Tella
who was deemed a cybersquatter three times by WIPO. In this case, the defendant had registered
a domain name www.maruti.com. The US Court held that since Maruti does not manufacture or
sell cars in the United States, therefore the ACPA would not be applicable. Though the WIPO
arbitration panel had given an order in favour of Maruti Udyog, it was not binding on the US
district Court.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.306

Cyber squatting has been a serious issue in the United States over the years. The US has the
highest number of cyber-squatting suits so far and every year the numbers are rising. Only time
will tell as to when this monster on the internet would be routed out completely.

Cyber squatting and WIPO:

In view of the problems raised by clash between domain name system and trademarks, the World
Intellectual Property Organization (WIPO) Arbitration and Mediation Centre has developed an
online Internet based system for administer-ing commercial disputes involving intellectual
property. This Dispute Resolution Mechanism is unique in that it is de-signed to be used online
both for document exchange and for filling of evidence. However, the original documentary
evidence will still be needed to be filled in a physical form. The dispute resolution is simply

LA
signed and thus, providing an inexpensive and efficient service and does not in any way seek to
take the place of national jurisdiction. A successful complainant's remedy is limited to requiring
the cancellation of the registrant's domain name or the transfer of domain name registration to

IM
the complainant.

The procedure will be handled in large part online and is designed to take less than 45 days with
SH
a provision for the par-ties to go to Courts to resolve their disputes or contest the outcome of the
procedure.

Internationally, since 1999, the United Nations copyright agency WIPO (World Intellectual
LU

Property Organization) has, provided an arbitration system wherein a trademark holder can
attempt to claim a squatted site. In 2006, there were 1823 complaints filed with WIPO, which
was a 25% increase over the 2005 rate. In 2007, it was stated that 84% of claims made since
PN

1999 were decided in the complaining party's favor21. WIPO is the UN's specialized agency for
de-veloping a balanced and accessible international system in the field of intellectual property
rights.
H

Cyber squatting in India

In India, victims of cyber squatting have several options to combat cyber squatting. These
options include: sending cease-and-desist letters to the cyber squatter, bringing an arbitration
proceeding under ICANN's rules, or bringing a lawsuit in state or federal Court. Whatever
strategy a victim of cyber squatting elects to use, that person should not dismiss the serious
effects that cyber squatting can have if left unchecked. A case could be filed with the.in registry
handled by National Internet Exchange of India(NiXI) who brings the matter to fast track dispute
resolution process whereby decisions are transferred within 30 days of filling a complaint. Like
always our legal system is silent on this matter too, there is no provision in the current or

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.307

proposed Information Technology Act in India to punish cyber-squatters, at best, the domain can
be taken back. Though there is no legal compensation under the IT Act,.in registry has taken
proactive steps to grant compensation to victim companies to deter squatters from further
stealing domains. Most squatters however operate under guise of obscure names.

Under NIXI, the IN Registry functions as an autonomous body with primary responsibility for
maintaining the.IN ccTLD and ensuring its operational stability, reliability, and security. It will
implement the various elements of the new policy set out by the Government of India and its
Ministry of Communications and Information Technology, De-partment of Information
Technology.

Cyber Squatting cases:-

LA
Companies in India have also faced the brunt of cyber squatting in the recent past. Besides, the
Courts in India have been extremely vigilant in protecting the trademark interest of the domain

IM
owners who have suffered from cyber squat-ters.
SH
i) Yahoo Inc. v. Aakash Arora and Another

It is the first reported Cyber squatting case. In this case, the plaintiff is the registered owner of
the domain name [#65533]yahoo.com[#65533]. The defendant launched a website nearly
LU

identical to the plaintiff's renowned website and also provided similar services, viz.,
"YahooIndia.com". The Court observed, "it was an effort to trade on the fame of yahoo's
trademark. A domain name registrant does not obtain any legal right to use that particular
PN

domain name simply because he has registered the domain name, he could still be liable for
trademark infringement."
H

ii) Rediff Communication v. Cyberbooth and Another

In this case, the Bombay High Court observed that the value and importance of a domain name is
like a corporate asset of a company. In this case, the defendant had registered a domain name
radiff.com which was similar to rediff.com. The Court gave a decision in favour of the plaintiff.

iii) M/s. Mahindra & Mahindra v. Neoplanet

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.308

In this case, the respondent registered domain name 'mahindra.com' with the Network Solution
Inc (NSI). The panel concluded that the respondent is a cyber pirates and he does not have any
rights or interest in the disputed domain name which he was registered and used in bad faith.

iv) Tata Sons Ltd v. Monu Kasuri and Others

In this case ,the defendant registered a number of domain names bearing the name Tata. It was
held by the Court that domain names are not only addresses but trademarks of companies and
that they are equally important.

v) Tata Sons Ltd v. Ramadasoft

LA
Tata Sons, the holding company of India's biggest industrial conglomerate, the Tata Group, won
a case to evict a cyber-squatter from contested internet domain names. Tata Sons had filed a

IM
complaint at the World Intellectual Property Organization. The Respondent was proceeded ex-
parte. The Panel concluded that the Respondent owns the domain names. These domain names
are confusingly similar to the Complainant's trademark TATA, and the Respond-ent has no
SH
rights or legitimate interests in respect of the domain names, and he has registered and used the
domain names in bad faith. These facts entitle the Complainant to an order transferring the
domain names from the respondent
LU

vi) Bennett Coleman & Co Ltd. v. Steven S Lalwani and Bennett Coleman & Co Ltd. v. Long
PN

Distance Telephone Company

In this case, Since 1996, the complainant has held the domain names, www.economictimes.com,
using them for the electronic publication of their respective newspapers. The complainant had
H

registered in India this mark for literary purposes. However, in 1998, Steven S. Lalwani, USA
registered the same domain name. The respondent had registered domain names
www.theeconomictimes.com and the www.timesofindia.com with network solutions of the
United States. These two names are similar to the names of the Plaintiff's websites
www.economictimes.com and www.timesoftimes.com. Another important fact was that the
respondent's websites using the domain names in conten-tion redirect the users to a different
website www.indiaheadlines.com which provided India related news.

The WIPO judgment made it clear that the complainant have a very substantial reputation in
their newspaper titles arising from their daily use in hard copy and electronic publication. It was
also categorically held that the registration and use of the domain names by the respondents is in

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.309

bad faith in the sense that their use amounted to an attempt intentionally to attract, for
commercial gain, Internet users to their web sites by creating a likelihood of confusion with the
complainant's marks as to the source, sponsorships, affiliation or endorsement of those web sites
and the services on them.

vii) Satyam Infoway Ltd. v Sifynet Solutions31

In this case, the respondent had registered domain names www.siffynet.com and
www.siffynet.net which were similar to the Plaintiff's domain name www.sifynet.com. Satyam
(Plaintiff) had an image in the market and had registered the name Sifynet and various other
names with ICANN and WIPO. The word Sify was first coined by the plaintiff using elements
from its corporate name Satyam Infoway and had a very wide reputation and goodwill in the

LA
market. The Supreme Court held that "domain names are business identifiers, serving to identify
and distinguish the business itself or its goods and services and to specify its corresponding
online location." The Court also observed that domain name has all the characteristics of a

IM
trademark and an action of Passing off can be found where domain names are involved. The
decision was in favour of the plaintiff.
SH
viii) Sbicards.com v. Domain Active Property Ltd.32
LU

Sbicards.com was ordered by the World Intellectual Property Organization to be transferred to

the Indian Company from an Australian entity, which hijacked the domain name hoping to later
sell it for a hefty sum to the State Bank of India subsidiary. The panel accepted SBI Card
PN

counsel's argument that "the Australian company was in the business of buying and selling
domain name through its website.

Cyber-squatting is a major concern especially for the domains which involve financial
H

transactions, because usually these squatters may sometimes fool people and misuse take their
credit card details. So many corporate and banks have their special dedicated IT teams which
keep a check on all these domains. In India cyber squatting cases are decided through the
principle of Passing off. India does not have a law for prohibition of cyber squatting. Therefore,
Courts interpret the principle of Passing off with regard to domain names.

Conclusion

Looking at the current situation prevailing in the world, it is certain that cyber squatting is a
menace. It is a menace which has no boundaries. In my opinion, it is similar to terrorism. The
only difference is that in the latter human life is affected. Cyber squatters have robbed businesses

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.310

of their fortune. Looking from the Indian perspective, cyber squatting has been prevalent since
internet came to the subcontinent. The Courts in India have decided many cases related to cyber
squatting. It is the imperative for the parliament to enact a law which would deal with this
menace. As of now there is no such law which prohibits cyber squatting like that of the United
States.

Cyber squatting has opened the eyes of governments across the world and has prompted them to
look into this phe-nomenon in a serious manner. The United States by enacting the ACPA33, has
taken a monumental step in protecting domain names in its cyberspace. It is high time India and
other countries come out with legislations to protect this virus from spreading. There is a urgent
need for the strict laws in this field, so that these squatters could be punished and the-se crimes
could be avoided in future. The new domain name dispute law should be intended to give
trademark and service mark owners legal remedies against defendants who obtain domain names
"in bad faith" that are identical or confusingly similar to a trademark. And the plaintiff may elect

LA
statutory damages and has discretion to award in damages for bad faith registration. It should act
as an important weapon for trademark holders in protecting their intellectual property in the

IM
online world.
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.311

Journal of Intellectual Property Rights
Vol 13, March 2008 pp 118-128

Trademark Issues in Digital Era

Mayuri Patel† and Subhasis Saha
Hidayatullah National Law University, HNLU Bhavan, Civil Lines, Near Raj Bhavan, Raipur, Chattishgarh 492 001

Received 26 November 2007, revised 14 February 2008

The prime objective of this endeavour is to understand and analyse various issues with respect to trademarks, which
have emerged as a result of the Internet or digital era. The scope of the paper is limited to various trademark issues only. The
paper highlights various issues relating to trademark infringement with respect to different use on the Internet, starting from

LA
the issues related to domain name disputes, jurisdiction, linking, framing, meta-tagging or invisible use, banner advertising,
spamming and phishing. The approach of various courts over such trademark issues in the digital era is also analysed in the
paper.

Keywords: Digital era, Internet, trademark issues, infringement, dilution, domain name, cybersquatting, jurisdiction,

IM
linking, meta-tagging, initial interest confusion, banner advertising, framing, spamming, phishing.

The convergence of computer networks and name assignment and dispute resolution as well as
SH
telecommunications facilitated by the digital litigations is the one that has caused great controversy
technologies has started a new ‘Digital Era’. There is and cries for reform from time to time.
hardly any activity which has remained untouched by Use of marks on the Internet has also lead to
this digital era through Internet. Internet is various other issues, especially with regard to the
increasingly being used for communication, practice of using another party’s mark on one’s
LU

commerce, advertising, banking, education, research website as a link to another site. Courts have
and entertainment. This cyber manthan has bestowed struggled with the issue whether merely operating a
many gifts to humanity but they come with passive website should expose a party to jurisdiction
unexpected pitfalls. It has become a place to do all in all states where the website can be accessed. As use
PN

sorts of activities which are prohibited by law. The of the Internet continues to increase in ways not yet
emergence of the Internet as a tool for imagined, intellectual property rights are likely to
e-communication and e-commerce has resulted in continue to be affected, requiring courts to be
H

complex intellectual property issues. Each sunrise imaginative, and flexible in dealing with emerging
now seems to bring with it yet another change in the technologies.
legal landscape of this unchartered multi-dimensional
world evolving beyond the monitor screen. Domain Name Disputes
The system of allocating rights under trademark In order to understand the legal complexities, one
laws, works reasonably well in the physical world, would first have to understand and appreciate the
which can be partitioned both geographically and by concept of domain names and their use on the
categorizing the goods or services on offer;1 there is Internet. To communicate on the Internet, the
far less partitioning in the Internet. Companies that authorities assign alphanumeric addresses called
have invested significant amount of time and money ‘domain names’ to businesses and individuals. On the
in their marks have been surprised when they have Internet, domain names serve as the primary
attempted to use their marks as part of their domain identifiers of the Internet user.2 For instance, in
names, only to find that the names have been taken by ‘acer.com’, the top-level domain name is ‘com’ which
cyber-squatters or electronic pirates who register indicates that the domain name is owned by a
famous domain names in the hope of ransoming them commercial enterprise, while ‘acer’ is the second
back to their rightful owners. The issue of domain level domain name which identifies source of goods.
It is due to the fact that consumers, who do not know
_____________
†
Email: Corresponding author: mayuri.hnlu@gmail.com a company’s domain name, often merely type in the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.312

 PATEL & SAHA: TRADEMARK ISSUES IN DIGITAL ERA 119

company name, such as ‘acer.com’ in the hope of principle of likelihood of confusion or passing off. The
locating the company’s site. The domain name second claim is based on the dilution doctrine i.e. the
becomes more than a mere Internet address as it also assertion that a domain name dilutes the value of a
functions as a designation of origin and a symbol of trademark. The third claim is to prevent cybersquatting.
goodwill i.e. a trademark and therefore, it is entitled
to protection.3 In Umbro Int’l Inc v 3263851 Canada Trademark Infringement Cases
Inc,4 it was held that domain names are property and In order to establish trademark infringement in the
can thus be garnished and sold. cases where a trademark has been used by another in the
In order to ensure the uniqueness of Internet domain name, the traditional approach of finding
addresses, registration of domain name is necessary. likelihood of confusion has been adopted by courts, and
further various principles have been laid down by courts:
Pre-1999, the registration services were ensured by
the Internet Network Information Center (InterNIC),
• Mere registration of well-known trademark as
which was a collaborative project established by the
domain name could give rise to liability for
National Science Foundation, Network Solutions Inc

LA
passing off. In appropriate circumstances,
(NSI).5
registration of a domain name can itself constitute
The assignment of domain names by this sole an instrument of deception or fraud, leading to the
private for-profit enterprise raised international liability for passing off.12

IM
concern that the United States is dominating Internet
• If the domain name owner uses its site to promote
and assignment of domain names. This resulted in the
or offer goods or services confusingly similar to
formation of a not-for-profit benefit corporation, the
those offered by a trademark owner with prior
SH
Internet Corporation for Assigned Names and
rights and the domain name and mark are
Numbers (ICANN) in 1999. ICANN is more
confusingly similar, the trademark owner can
internationally based organization than NSI.6
bring an action for infringement just as it would
To date, registration of domain names has been for any act of infringement.13
conducted by various registrar organizations on a •
LU

The use of another’s trademark in the domain

first-come, first-served basis. In order to get a domain name is allowed where the domain name itself
name registered, person has to make an application does not give rise to confusion.14
and pay certain amount of fees.7 Dispute arises as • Due to the peculiar nature of the domain name
PN

soon as one party, who is having a registered system identical names cannot exist. In such type
trademark, discovers that it cannot obtain its mark as of cases both the parties have historical
domain name on the ground that such name has connection to a mark and find themselves
already been registered by the authorities to a prior confronted with a domain name conflict. Subject
H

applicant. This often results in disputes between to any dilution claims that a senior user may have,
trademark owners and domain name registrants when it has been the tendency of courts in such cases to
the domain name uses another entity’s mark.8 find no likelihood of confusion where both the
ICANN adopted a policy on 24th October 1999, parties have historical connection to mark and
Uniform Domain Name Dispute Resolution Policy they operate in different industries.15
(UDRP), which offers an expedited administrative
proceeding for trademark holders to contest ‘abusive However, initial interest confusion should not be
registrations of domain names’, and this may result in ignored, otherwise the defendant will be capitalizing
cancellation, suspension or transfer of a domain name on the strong similarity between the plaintiff’s
by the registrar.9 Under the UDRP, a complainant is trademark and the defendant’s domain name to lure
required to file a complaint with a ‘Dispute customers onto its webpage. This view seems to be
Resolution Service Provider’ approved by ICANN.10 economically justified also because many sites tie
Each of these providers in turn have their own set of their advertising rates to their ability to attract page
supplemented rules which have to be adhered to by a views. Thus, a defendant may profit simply by
complainant who opts for that particular provider.11 misdirecting some of the markholders’s customers to
Domain name litigations are encircled on basically the defendant’s site through the use of a confusingly
three claims. The first cause of action is the traditional similar domain name, even if the customer will no
trademark infringement which is based on the longer be confused once he or she views the website.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.313

120 J INTELLEC PROP RIGHTS, MARCH 2008

Trademark Dilution Cases Misspellings or Typographical Errors are Covered under the
Dilution Doctrine
The trademark owner cannot bring an action for
infringement in as much as the owner cannot show Because domain name can be registered until it is
likelihood of confusion. Such type of difficult identical with other domain name, some people
issues arise when domain names have simply been misuse this kind of lacuna and get registered the
registered and are used merely for an e-mail domain name which is nothing but a misspelling of a
address with no website associated with them or are registered trademark. The perceived goal of these
used in connection with goods or services that are registrations is to get ‘hits’ from consumers who
unrelated to those offered by the trademark inadvertently misspell or mistype the name of the
owner.16 Hence, the trademark dilution doctrine has famous sites they actually want to visit. For instance,
been adopted by courts in order to prohibit the some porn operators have reserved a misspelling of a
misuse of famous and well-known marks as domain name, such as, ‘newswek.com’ as porn sites.
names on the Internet.17 For instance, the use of Generally, such sites are shut down by courts relying
domain name ‘rolex.com’ for shoes would on the dilution doctrine.22 Although the use of

LA
necessarily dilute the registered and famous typographical errors in this fashion has been
trademark ‘Rolex’ used for watches. So, viewing prohibited under this doctrine, the practice of
the relevant customer group en masse, for the group registering such sites continues because such sites can
sometimes remain unnoticed.

IM
of customers who may be confused as to source or
connection between the marks, the legal claim is However, J Thomas McCarthy criticizes use of the
the traditional one of a likelihood of confusion; dilution doctrine in such cases as there has been
while for the group of customers who recognize the expansion in the ‘likelihood of confusion’ concept.
SH
independence of the source, the legal claim is one Now, the likelihood of confusion is not limited to
of the dilution.18 confusion over origin but it also encompasses the
confusion that there is an association of domain name
In 2003, Advocate General, Jacobs, defined owner with the famous mark by sponsorship,
dilution as ‘detriment to the distinctive character of affiliation or connection.23 Further, the dilution
LU

a trademark’ and divided it into two classic doctrine had not been intended to prohibit or threaten
categories of ‘blurring’ and ‘tarnishment’.19 In US, non-commercial expression, such as, parody, satire,
under the Lanham Act, the term ‘dilution’ has been editorial, and other forms of expression that are not a
PN

defined to mean lessening of the capacity of the part of commercial transaction.24

famous mark to identify and distinguish goods or
services, regardless of the presence or absence of Cybersquatting Cases
competition between the owner of famous mark and Cybersquatting is when the defendant goes out and
H

other parties or likelihood of confusion, mistake or registers domain name(s) that are similar or identical
deception.20 In Intermatic v Toeppen,21 the plaintiff to the plaintiff’s registered trademark(s) and then
was owner of the well-known trademark, attempts to sell the domain name to the rightful owner
‘Intermatic’, which was used on variety of and figuratively holds the domain names captive until
electronic products. Although, the defendant the trademark owners pay ransom amount.25 The
registered the domain name ‘intermatic.com’, he Court in Panavision International LP v Toeppan,26
did not offer any goods or services on his site. The relying upon Intermatic v Toeppan27 held that the
plaintiff sued the defendant alleging dilution of its defendant’s acts of registering more than two hundred
trademark. The district court held that the and forty trademarks as domain name and then later
defendant’s act has diluted the plaintiff’s mark by offered to sell to their rightful owners for sums
decreasing the owner’s ability to identify and ranging between $ 10,000 and $15,000, acted as
distinguish its goods on the Internet. The domain ‘spoiler’ preventing the plaintiff and others from
name registration system does not permit two doing business on the Internet under their
entities to use the same domain name unlike trademarked names unless they pay his fees and
marketplace conditions in which similar or identical hence, diluted the plaintiff’s registered trademark.
marks may coexist; and by decreasing the The 1999 Anti-Cybersquatting Consumer
plaintiff’s ability to control the association that the Protection Act (ACPA) defines the out lawed conduct
public would make with its mark. of cybersquatting as reserving a domain name that is

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.314

 PATEL & SAHA: TRADEMARK ISSUES IN DIGITAL ERA 121

confusingly similar to a trademark or dilutive of a which features prominent use of the mark. Moreover,
famous mark with the bad faith intent to profit.28 So, one or both companies offer goods or services for sale
passage in ACPA made dilution by cybersquatting on their respective websites. Obviously both websites
largely obsolete.29 Another issue related to the can be accessed by an Internet user from anywhere in
cybersquatting is that the cost-benefit analysis leads the world, raising the possibility that someone in UK
some mark-owners to pay rather than litigate, which who is familiar with the UK company will encounter
further encourages the continued proliferation of the website of the US company, and vice-versa. Here,
cyber-squatters and the resulting systemwide costs. the trademark issue arises as to whether the use of
trademark by the US company on its US website
Trademark in Post-Domain Name ‘Url’ Path constitute infringement of the UK registered
Another trademark issue in the domain name trademark, and vice-versa?
litigation arises under the situation when someone
uses a registered trademark, not in the main domain In this type of situation, claimants have argued that
name but in the post-domain ‘path’ of URL so as to

LA
increase the number of visits to its webpage by such • Use of the trade mark on a website constitutes use
customers also who are aware about or searching the of the trademark throughout the world because
plaintiff’s mark.30 In Patmont Motor Works Inc v the website can be accessed throughout the world;
Gateway Marine Inc,31 the Court held that because a

IM
and
path only shows how a particular website’s data is
• Placing a trademark on a website was a potential
organized within the host computer’s files, as opposed
trademark infringement all over the world as this
to a domain name which identifies the site to the
SH
was tantamount to use in an ‘omnipresent
world, use of a particular path does not indicate or
cyberspace’ and was ‘putting a tentacle’ into the
imply sponsorship, or endorsement of goods to the
computer of each and every user accessing the
public and thus, held that use of a trademark in the
site.
path of a URL might never constitute an infringement.
However, where a trademark is simply put in the post-
LU

Rejecting these arguments, the courts have laid

domain path gratuitously to facilitate more page views down following principles and guidelines for
and not to use it fairly the aforesaid reasoning is not determining the jurisdiction in cases of trademark
adopted.32 infringement on the websites:
PN

With the development in the Internet technology

and digital era, new issues for the courts have often Mere Website Access: No Jurisdiction
been guided by the equitable principles in deciding If a party is merely posting information or
cases. Thus, if it appears that a party is only using a advertising its products and services on a passive
H

domain name to take advantage of another’s rights, website, jurisdiction cannot be exercised over a non-
courts are highly likely to fine against them even if resident defendant. Mere website access is not
issues of confusion or dilution may not otherwise be generally sufficient to confer jurisdiction on a court.33
clear. This is because of the danger of accepting the
proposition that placing a sign on the Internet in an
Jurisdiction advertisement for goods or services is to use it in
With the shrinking of global marketplace and every jurisdiction, has very serious consequences in
advancements in communication technologies, the view of many traders having small businesses with
biggest issue that has arisen is to determine accurately restricted physical catchment areas. This kind of
the appropriate jurisdiction in a particular transaction. problem became subject matter in Euromarket
The insensitive nature of Internet to local constraints Designs Inc v Peters and Crate & Barrel.34 In this
is the basis of all the jurisdictional problems. This case, the plaintiff had registered trademark ‘Crate &
issue can be illustrated with the help of an example: Barrel’ in UK while the defendant had a shop in
Take a situation where the same trademark is owned Dublin, named ‘Crate & Barrel’, and the defendant
and used by independent companies in the US and the placed an advertisement on its website. The Court
UK. Each company has a website (‘philips.com’ and rejected the argument that the advertisement was
‘philips.co.uk’ respectively) which provides directed at anyone in the UK. Any person carrying out
information about the company and its product, and a search will often pick up lots of irrelevant ‘hits’,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.315

122 J INTELLEC PROP RIGHTS, MARCH 2008

many of which will be foreign. Anyone accessing that intended markets not otherwise. However, the extent
website from another country would realize that it of the defendant’s trade with customers in the UK will
was not directed to him. be an important factor in the inquiry whether there is
However, where the courts have seen clear use in the course of trade in the UK. If a significant
dishonest adoption of well-known trademarks, they number of customers in the UK have purchased goods
have exercised jurisdiction even on mere website bearing a mark through a foreign website, then use in
access.35 This is also evident from the recent case of the course of trade in the UK will have been
Casio India Co Ltd v Ashita Tele Systems Pvt Ltd,36 established. So, if the defendant is actively conducting
where the Court said that due to ubiquity, universality business, entering into contracts, or transmitting files
and utility of the features of the Internet and the world over the Internet, jurisdiction can likely be exercised.
wide web, any matter associated therewith, possesses
global jurisdiction. The jurisdiction in such matters The Theory of ‘Sliding Scale of Jurisdiction’
may not be confined to the territorial limits of the In order to tackle this issue, the court has laid down
residence of the defendant. the theory of ‘sliding scale of jurisdiction’ in relation

LA
to cases pertaining to websites whereby the various
Minimum Contacts or Active Conduct of Business by the levels are as follows.39
Defendant
In general, a state can only subject a party to 1 A passive website with mere access, will

IM
personal jurisdiction if the party has had some generally offer no ground for the exercise of
minimum contacts with the state such that subjecting personal jurisdiction. However, where courts
him or her to jurisdiction does not offend traditional have seen clear dishonest adoption of well-
SH
notions of justice.37 Further, in order to confer known trademarks, they have exercised
jurisdiction, it is necessary that the defendant had jurisdiction even on mere website access.
‘used’ the sign in the course of trade in relation to 2 An interactive website that provides something
goods or services in that country where the same had more than mere access, i.e. a user may exchange
been registered as trademark. So, for example, in information with the host computer, where the
LU

order to exercise jurisdiction by the UK courts, the exercise of jurisdiction will be determined by
use (of the trademark which is registered in UK) on examining the level of interactivity and
the US or any foreign website must constitute use in commercial nature of the exchange of
PN

the course of trade in the UK before it can amount to information that occurs on the website; and
infringement of a UK registered trademark. This is, 3 An integral website that provides activities
however, question of fact to be decided in all the directed at a particular jurisdiction such that
circumstances. there is maximum contact through receiving
H

This ‘use’ within a particular jurisdiction requires online orders and pushing messages directly to
evidence of actual trade or an intention to trade within specific customers, the analysis support personal
that jurisdiction. This can be best explained with the jurisdiction.
help of the observation of Buxton L J in 1-800-
FLOWERS Inc v Phonenames Ltd.38 “…there is In sum, the exercise of personal jurisdiction
something inherently unrealistic in saying that A depends upon the level of interactivity between the
‘uses’ his mark in the UK when all he does is to place consumer and the web operator.
the mark on the Internet, from a location outside the Ways to Avoid This Issue
UK, and simply wait in the hope that someone from As far as traders using websites to advertise their
the UK will download it and thereby use on part of A. wares is concerned, they ought to consider about
The very idea of ‘use’ within a certain area would including statements, making the geographic
seem to require some active step in that area on the boundary of their prospective target audience quite
part of the user that goes beyond providing facilities clear. And if they do intend to sell anywhere, they
that enable others to bring the mark into the area”. must ensure that there are no conflicting trademarks
The appearance of a mark on a foreign website will anywhere else. There are ways to do so:
constitute use of the mark in the course of trade in UK
only if the website is aimed at or intended for 1 A prominent disclaimer may be shown on the
consumers in the UK, even if UK is only one of the home page; or

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.316

 PATEL & SAHA: TRADEMARK ISSUES IN DIGITAL ERA 123

2 The terms and conditions of sale may will not lead a web user to conclude that the owner of
stipulate that products are not for sale to the site he is visiting is associated with the owner of
foreign countries; or the linked site’.42 Further, the decision of the Court in
3 The payment methods may themselves Playboy Enterprises Inc v Universal Tel-a-Talk Inc 43
prevent sales to foreign countries; or demonstrated that links can be actionable if they
4 The screen on which the user enters the create confusion. The defendants used the word
shipping address may not accept a foreign ‘playboy’ and ‘bunny’ liberally both on its site and
address. URL. They established a link between their own and
the plaintiff’s website. The Court held that since both
In most of the cases, these types of indications the parties marketed their services via Internet only,
should be determinative while deciding upon the consumers were likely to be confused as to Playboy’s
issue of trademark infringement and jurisdiction connection with Tel-a-Talk.
issue.
Deep Linking

LA
Linking It allows a user at one site to proceed directly to
Generally, web page owners provide symbols, certain information at another site, bypassing the
called hyperlinks, which designate other web pages homepage at the second site. Hence, it deprives the
second site owners of advertisement revenue.

IM
that may be of interest to a user. With the help of
these hyperlinks, users may easily navigate the Although technology exists to prohibit and prevent
Internet without typing the websites addresses again deep linking, not every site operator uses it, or is
and again. Linking allows users to ‘click’ onto the even aware that it exists. The ruling in ACLU case,
SH
symbol and be transported to a different location, however, with respect to deep linking may become
either to a different page within the same web site or unfair for the second site owner. In Ticketmaster
to an entirely different website on the Internet. Thus, a Corpn v Microsoft Corpn 44, the plaintiff sued the
trademark owner’s mark may be displayed on defendant based on a link from defendant’s ‘Seattle
Sidewalk’ webpage to deep within the plaintiff’s
LU

thousands of different web sites. This linking process

has raised few legal issues with respect to trademarks. site, bypassing the plaintiff’s homepage and
On one hand, linking may be considered as advertising pages. The plaintiff alleged that the
footnote which merely shows that additional defendant’s website illegally used plaintiff’s name
PN

information can be sought elsewhere; on the other and trademark by providing deep-links to plaintiff’s
hand, it may be regarded as intellectual property site despite their refusal to enter into a license
misappropriation. This is because most website agreement with the defendant. Through settlement
owners do not seek permission from others to link agreement, the plaintiff prohibited Microsoft from
H

their site. Linking might suggest a non-existent deep-linking into plaintiff’s site. Further, the Court
affiliation between businesses. However, most in Ticketmaster Corp v tickets.com Inc,45 held that
companies also do not object to linking, rightfully deep linking per se is not an act of unfair
believing that linking allows more individuals to visit competition. Deep linking could become unfair
their site and thus increases commercial use. only if the person providing the deep link falsely
suggested or implied an association or connection
General Linking with the target web site.
The use of another’s name or trademark for At this time, the trademark law regarding linking is
informational purposes, known as either collateral use not settled. Linking in general seems acceptable, but
of a trademark or fair use, is a well-worn, long if it implies an affiliation or deep-link, then trademark
established doctrine of trademark law and hence, the infringement issues get involved. Permission of the
Court in ACLU v Miller,40 held the First Amendment original website owner, hence, should be sought in
which protects the linking function as free speech. So, order to deep-link or bypass a homepage, which can
if the symbol or word, used for linking, is someone be done through ‘linking agreements’. Challenge with
else’s trademark but the context of use precludes the the trademark law is to demarcate a line as to when
likelihood of confusion, then it is not an infringing linking function have gone beyond the protected
use.41 As Judge Buchwald observed: ‘The mere sphere of free speech and entered uncovered area of
appearance on a website of a hyperlink to another site infringement.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.317

124 J INTELLEC PROP RIGHTS, MARCH 2008

Meta-tagging/Clandestine Trademark Misuse and ‘Initial Interest Confusion’: Infringing or Not?

Banner Advertising In US, the use of another’s trademark in meta-tags
Clandestine trademark misuse is another growing to capture initial consumer attention has also been
concern in the digital era. It is done through ‘meta- regarded as a potential infringement of a trademark.
tags’, which are special computer codes whose This is clear from the illustration given by the Court
function is to emphasize key words, making it easier in Brookfield Communications Inc v West Coast
for search engines to locate the web site. Meta-tags Entertainment Corp.50 Court said, ‘Using another’s
are embedded in HTML code and remain invisible to trademark in one’s meta-tags is much like posting a
the Internet user. When a webpage creator creates the sign with another’s trademark in front of one’s store.
site, he lists meta keywords in the computer code that Suppose West Coast’s competitor (say ‘Blockbuster’)
makes up the webpage. When someone searching for puts up a billboard on a highway reading ‘West Coast
the information on the Internet types in one or more Video: 2 miles ahead at Exit 7’ where West Coast is
keywords that relate to the information sought in the really located at Exit 8 but Blockbuster is located at
‘search-field’ of a search engine, those websites Exit 7. Customers looking for West Coast’s store will

LA
having meta-tags that match the keywords come up as pull off at Exit 7 and drive around looking for it.
‘hits’. Being open to abuse, this system has raised Unable to locate West Coast, but seeing the
very important issue in this digital era as to whether Blockbuster store right by the highway entrance, they
may simply rent there. Even consumers who prefer

IM
the use in a meta-tag of a word or phrase that is
similar to another’s/competitor’s registered trademark West Coast may find it not worth the trouble to
or famous/well-known trademark infringes that continue searching for West Coast since there is a
Blockbuster right there. Customers are not confused
SH
trademark? The approach adopted in France,
Germany and Italy has been that use of a third party in the narrow sense: they are fully aware that they are
mark as an Internet advertising keyword or a meta-tag purchasing from Blockbuster and they have no reason
can be restrained as trademark infringement.46 to believe that Blockbuster is related to, or in any way
Through various judgments, the following points have sponsored by West Coast. Nevertheless, the fact that
LU

come up with regard to the use of meta-tags: there is only initial consumer confusion does not alter
the fact that Blockbuster would be misappropriating
• As long as one uses keywords in good faith in West Coast’s acquired goodwill’.
one’s meta-tags that actually describe the site or However, in UK this concept of ‘initial interest
PN

relate to the contents of the site, is within the confusion’ does not hold well in cases of infringement
domain of ‘fair use’, no trademark infringement which requires ‘confusion’ as its element. This is
issue comes up.47 because the level of confusion needed in order to
prove infringement of trademark is to be ‘confusion
• Where the registered trademark, being a non-
H

as to origin’.51 In the case of initial interest confusion,

stylised word or phrase, is used without
persons picking up the wrong website, because of its
modifications and the goods or services
embedded meta-tags, will quickly realize that it is not
offered are identical, infringement is made
the website they were seeking.
out, per se.48
• When a site owner uses its competitor’s Recent Doubt: Reed Executive Plc v Reed Business Information
keywords, trademarks or trade names in its Limited 52
meta-tags in such a way as to take unfair The approach of courts in resolving the trademark
advantage of or detriment to the repute of issue with respect to meta-tagging became debatable
competitor’s trademark, it constitutes trademark after the views expressed by Jacob L J in the recent
infringement.49 Reed case. The case raised the very fundamental
• The use of trademarks in meta-tags may question of whether meta-tag use or other invisible
escape if the word used in the meta-tag is not use of a trademark constitutes use of a trademark for
identical to the trademark. However, this the purposes of infringement. However, Jacob L J did
situation would be different if the trademark not express a final opinion, but made it clear that he
and the word used in the meta-tag had no doubted whether such use constitutes use for the
ordinary meaning or the trademark is fanciful purposes of trademark infringement under the Trade
or invented mark. Marks Act, 1994. In this case, the defendant used the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.318

 PATEL & SAHA: TRADEMARK ISSUES IN DIGITAL ERA 125

word ‘Reed’ within the sign ‘Reed Business charged for trademark infringement. The trademark
Information’ as a meta-tag for his website and as a infringement claims, normally, alleges that computer
keyword for the generation of Internet advertising. So, users were confused and deceived into thinking that
the plaintiff sued alleging trademark infringement the linking ads were authorized or approved by the
under Sections 10(1) and 10(2) of the 1994 Act. Jacob company whose trademark they typed into the search
L J held that there was no identity between the sign engine.54 The courts have emphasized that where the
used by the defendant and the mark registered. As a source of the banner ads is clearly marked as distinct
result, the infringement claim under Section 10(1) from the owner of the trademark used as a keyword,
failed. The allegation of infringement under there is no actionable harm and no initial interest
Section10(2) was rejected on the grounds that in all confusion.55 Generally, the issues related to the
circumstances , the defendant’s use did not constitute banner advertising have also been concluded in the
a misrepresentation leading to deception and would same manner by courts as in the case of meta-tagging.
not be likely to give rise to confusion, respectively.
The findings on deception and likelihood of confusion Framing

LA
were dependant on the evidences before the Court. Another unresolved issue which arose in digital era
The Court doubted about the trademark infringement is related to ‘framing’. Framing allows a web site to:
issue by meta-tagging on the following grounds: (1) pull in the contents of an external site into the
local site; (2) ‘chop’ up the contents of the external

IM
• The use of a mark as a meta-tag does not affect site into different ‘frames’ or parts; and (3) display
the functions of a trademark. only the frames that are beneficial to the framing
site.56 It enables operators to create a new page that
• In many circumstances, it is the consumer who
SH
may eliminate content, advertising and even the site
has typed in the mark in issue, and the only
identifier from the framed page, which in-turn raises
visible use in the search results may be the
legal issues. Apart from the potential copyright issues,
words remaining in the search window on the
the use of framing does raise significant trademark
consumer’s screen, alongside the advertisements
and dilution issues because the linked content pages,
LU

and search results complained of.

with their advertising and trademarks and service-
• Invisible or meta-tag use could not be the use in
marks visible, are displayed as part of the frame’s
order to create or preserve an outlet for goods
content, and often in a distorted manner. Here then is
and services.53
PN

a potential for confusion as to source or affiliation,

This issue is of considerable importance and until a since it is quite conceivable that a user is likely to
definitive answer has been provided, a degree of believe that endorsement of some kind has been
uncertainty will cast over the issue of trademark required to actually display another’s content through
H

infringement by ‘use’. Ultimately, technology may the host frame. In Washington Post Co v Total News
eliminate the meta-tagging issue as the search Inc57 the defendant’s site incorporated links to the
industry moves away from meta-tags in favour of plaintiff’s website that were framed by Total News’
indexing actual content on a page. logo and paid advertisements. Moreover, the
defendant replaced the advertisements on the
Banner Advertising plaintiff’s original site with his own advertisements.
Banner advertising is a method of selling Hence, the plaintiffs alleged misappropriation,
advertising. Many of the large search engines sell copyright and trademark infringement and false
advertisers the right to an advertisement with a advertising. Through settlement the defendant agreed
particular keyword in order to target the not to frame plaintiffs’ content or use non text-based
advertisement to an audience interested in that general links.
area. For example, a mobile phone company can buy The principle that has emerged is that cutting out
the right to have its advertisement pop-up on the advertisements from other sites is unaccepted, and
search result screen along with the search results atleast in commercial context framing is generally not
whenever a user types in the search term such as permitted.58 Framing also presents a potential for
‘mobile phone’. In such cases, the search engines take trade dress infringement if the web site of the
commercial advantage of drawing power and framed party can be considered so distinctive as to
goodwill of the famous marks and hence being constitute protectable trade dress.59 If so,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.319

126 J INTELLEC PROP RIGHTS, MARCH 2008

incorporating all or parts of the distinctive external of sending Internet communications, such as e-mails,
site via framing may be likely to create confusion which counterfeit and reproduce the trademarks and
or mistake.60 As this issue has not been settled by logos of well-known companies, especially financial
Courts yet, the law relating to framing is uncertain. institutions.64 It falsely and fraudulently requests the
However, it is always better to provide general recipient to supply some sensitive information, such
links than to frame. as, social security number, passwords or credit card
details. Because it uses deception and the fraudulent
Spamming and Phishing imitation of another’s trademarks as lure to deceive
Though traditionally disfavoured and increasingly recipients into divulging confidential financial data, it
statutorily regulated, ‘spamming’ is currently a legal would constitute a form of both trademark
Internet practice. Spamming is sending unsolicited infringement and false advertising.65
mass e-mail especially for advertising purposes. Civil In 2006, Microsoft launched a global anti-phishing
liability has been imposed on the spammer under the initiative, filing cases in nations around the world. In
law of tort of trespass to personal property, negligence US, Senator Patrick Leahy introduced Section 472,

LA
per se, invasion of privacy, unlawful trade practice the federal Anti-Phishing Act of 2005, on 1 March
and computer fraud. However, the trademark issues 2005. This federal anti-phishing bill proposed that
arise when a spammer uses another party’s trademark those who create fake web sites and spam bogus

IM
or domain name without permission in order to emails in order to defraud consumers could receive a
identify his own goods. In America Online Inc v fine up to $250,000 and receive jail terms of up to
LCGM Inc 61 defendants had sent approximately 92 five years. In 2005, both California and Washington
million unsolicited bulk e-mail messages to AOL enacted an anti-phishing statute.
SH
members offering access to pornographic websites for
a fee. In the ‘from’ line of the e-mail, defendants had Conclusion
put ‘aol.com’ instead of its own name, thus While the global advertising and sales activity that
suggesting that the message originated from the the new communication technologies have brought
within reach constitutes a considerable potential for
LU

plaintiff and thus induced members to open that e-

mail. The Court granted summary judgement on its business expansion, it also involves considerable legal
claims of false designation of origin and trademark risks. So far, the most frequent cause of disputes on
dilution. the Internet has been infringement of another’s
PN

trademark rights. Since the Internet is accessible from

In order to address this issue, several US states so many countries around the world, and since it
have enacted anti-spam legislation, namely, would be virtually impossible and commercially non-
Nevada, Washington, California, Virginia, Texas viable to search each country for similar registered
H

and Maryland. However, in view of ‘the dormant trademarks, the utilization of a trademark on the
commerce clause’ and its interpretation on its Internet is still a complex issue, the consequences of
applicability to the Internet in few cases, it is which are far from easy to predict.
doubtful that these state statutes regulating spam The assignment of domain names, or Internet
will survive constitutional scrutiny. The Dormant addresses, has resulted in disputes between the
Commerce clause may be invoked to limit state owners of domain names and the owners of
attempts to regulate the Internet because it trademarks. Courts have protected the rights of
generally prevents states from enforcing state laws trademark owners as against ‘cyber-squatters’, those
or regulations, even those purportedly for health, who register domain names for the purpose of selling
safety and welfare, which are inimical to interstate them to their rightful owners rather than for some
commerce.62 In American Library Assn v Pataki,63 bonafide use or purpose. Moreover, with a growing
the New York law, which made it illegal to use a number of complaints resorting to the UDRP, the
computer to disseminate obscene material to number of instances of cyber-squatting has been
minors, held to violate the Dormant Commerce decreasing almost proportionately. It has been
Clause. observed that extensive protection of trademarks
‘Phishing’ is a word coined to denote financial sometimes, immediately creates a conflict with the
fraudsters who ‘fish’ the Internet to obtain fundamental principle of freedom of speech.66 Since
confidential financial information. It usually consists the Internet does not recognize traditional territorial

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.320

 PATEL & SAHA: TRADEMARK ISSUES IN DIGITAL ERA 127

and jurisdictional boundaries, the approach to 11 Currently, the World Intellectual Property Organisation
trademark infringement on the Internet will (WIPO), eResolution Consortium, the National Arbitration
Forum (NAF), the CPR Institute for Dispute Resolution and
necessarily have to be different. At present, courts the Asian Domain Name Dispute Resolution Centre
have held that merely providing links to another (ADNDRC) are the only authorized providers.
party’s website is permissible. Deep linking, 12 British Telecommunications plc v One in a Million Ltd,
however, is subject to dispute. The practice of [1999] 1 WLR 903: [1999] FSR 1 CA.
13 Brookfield Communications Inc v West Coast Entertainment
embedding another party’s trademarks on a website
Corp, 174 F 3d 1036 (9th Cir, 1999)-The US Court of
may also constitute trademark infringement. In Appeals, Ninth Circuit confirmed that a comparison between
addition, merely having a passive presence or the alleged infringing domain name and the registered
website on the Internet will likely not subject a party trademark is relevant. The Court emphasized on the eight
to personal jurisdiction; however, if goods are factor test used for determining whether confusion exists:
(i)The similarity of the marks;
offered for sale or contracts are entered into through (ii)The relatedness or proximity of the products or services;
a website, a court may subject the website owner to (iii)The marketing channels used;
personal jurisdiction. Finally, use of another’s mark (iv)The strength of the claimant’s mark;

LA
on a non-commercial website for the purposes of (v)The defendants’ intention in selecting its mark;
satire, parody, or consumer commentary is likely (vi)Evidence of actual confusion;
permissible as long as there is no likelihood of (vii)Likelihood of expansion into other product lines;
(viii)The degree of care likely to be exercised by the

IM
confusion. customers.
It seems the conflict between various issues 14 Bally Total Fitness Holding Corp v Faber, 29 F Supp 2d
regarding trademark infringement and legal protection 1161 (CD Calif 1998) - In this case, the defendant was
allowed to use the plaintiff’s registered trademark ‘Bally
SH
of trademarks will not be resolved by legislation. Total Fitness Health Club’ in post-domain path of his site
Instead, legal focus in the coming years will be on ‘www.compupix.com/ballysucks’, which was dedicated to
methods of resolving that conflict. complaints about the plaintiff’s health club.
15 Howitt Deborah, War.com: Why the battles over domain
References names will never cease? Hastings Communications and
LU

1 A trademark is a sign, or combination of signs, which is used Entertainment Law Journal, 19 (719) (1997) 728-738.
to distinguish the goods or services of one undertaking from 16 Interstellar Starship Services Ltd v Epix Inc, 983 F Supp
those of another undertaking. The basis of trademarks is that 1331: 45 USPQ 2d 1304 (D Ore, 1997) - Court seems to
they distinguish goods and services from those of other reason that once the user visits the defendant’s website and
views its content, any confusion will be dispelled. Courts
PN

undertakings, and there is clearly no danger of confusion if

the same mark is used by different undertakings for quite finding of no infringement in this type of case typically focus
different goods and services. on the content of the defendant’s website and its non-
2 Dupre Jennifer R, A solution to the problem? Trademark confusing nature, rather than on initial confusion over the
infringment and dilution by domain names: Bringing the domain. See also Green Products Co v Independence Corn
By-Products (ICBP), 992 F Supp 1070 (ND Ia 1997) where
H

cyberworld in line with the ‘Real’ world, Trademark

Reporter, 87 (1997) 613, 614-616. the Court explained the damage created by such initial
3 Info Edge (India) Pvt Ltd v Sailesh Gupta, 2002 (24) PTC interest confusion.
355 (Del), per Dr Mukundakam Sharma J. 17 In US, this doctrine has been concretised under the Federal
4 Civ No 174388 1999 WL 117760 (Va Cir 12 March 1999). Trademark Dilution Act, known as the Lanham Act, 1996.
5 The Intersection of Trademarks and Domain Names - Inta 18 McCarthy J Thomas, McCarthy on Trademarks and Unfair
‘White-Paper’, Internet Subcommittee of the Issues and Competition (4th edition, 2003 revised), §24:70.
Policy Committee, International Trademark Association, 19 Adidas-Salomon AG v Fitnessworld Trading Ltd [2004]
Trademark Reporter, 87 (1997) 668, 676-681. 1 CMLR 14, at paras. 37-40.
6 Franklyn David J, Owning words in cyberspace: The 20 Lanham Act Section 45, 15 USC 1127; Kera David J &
accidental trademark regime, Wisconsin Law Review, 4 Davis Theodore H Jr, United States: The fifty-fifth year of
(2001) 1251, 1263-1266. administration of the Lanham Trademark Act of 1946,
7 Solomon Barbara A, Domain name disputes: New developments Trademark Reporter, 93 (2003) 197.
and open issues, Trademark Reporter, 91 (2001) 833. 21 947 F Supp 1227 (ND Ill 1996); Hasbro Inc v Internet
8 Cendali Dale M, Forssander Charlotte E, & Turiello Ronald J Entertainment Group Ltd, 40 USPQ 2d 1479
Jr, An overview of intellectual property issues relating to the (WD Wash 1996); Teletech Customer Care Management
Internet, Trademark Reporter, 89 (1999) 485. (California) Inc v Tele-Tech Co Inc, 49 USPQ 2d 1893.
9 Final report of the WIPO Internet Domain Name Process, 22 Citicorp v Internet Entertainment Group, No. 99 CV 02737
Management of Internet Names and Addresses: Intellectual (SDNY, 4th April 1999).
Property Issues (30 April 1999), http://wipo2.wipo.int. 23 McCarthy J Thomas, Dilution of a trademark: European and
10 Buchan Ian A, Internet issues in the United Kingdom, United States law compared in Intellectual Property in the
Trademark Reporter, 87 (1997) 660. New Millennium, 165-166.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.321

128 J INTELLEC PROP RIGHTS, MARCH 2008

24 Bally Total Fitness Holding Corp v Faber, 29 F Supp 2d 51 Dogan S L & Lemley M A, Trademarks and consumer
1161 (CD Calif 1998). search costs on the Internet, Houston Law Review,
25 Mashantucket Pequot Tribe v Redican, 403 F Supp 2d 184, 41 (777) (2004) 822 (The courts erred by finding initial
196 (D Conn 2005). interest confusion merely because the ads in question
26 141 F 3d 1316 (9th Cir 1998). ‘might divert potential customers from plaintiff’ on the
27 947 F Supp 1227 (ND Ill, 1996). basis of proximity in space and the subject matter of the
28 McCarthy J Thomas, McCarthy on Trademarks and Unfair advertisements, absent any proof of actual confusion. In
Competition, 4th edition, 2003 revised, §25:78. short, they were not prohibiting ‘initial interest
29 Ford Motor Co v Greatdomains.Com Inc, 177 F Supp 2d confusion’, but the mere fact of ‘initial interest’ itself).
635, 653-656, (2001). 52 [2004] RPC 40.
30 The post-domain path of a URL appears after the domain 53 As required by Ansul v Ajax, [2003] ECR I-2439 (C40/01).
name in the URL as a user delves further into the pages of a 54 Google Inc v American Blind & Wallpaper Factory Inc,
website. It shows how the website’s data is organised within 74 USPQ 2d 1385, 2005 WL 832398 (ND Cal 2005);
the host computer’s files. For example, in Government Employees Ins Co v Google Inc, 77 USPQ 2d
‘www.abc.com/path=xyz/’, ‘path=xyz’ is the post-domain 1841, 2005 WL 1903128 (ED Va 2005); Saunders K M,
name path. Confusion is the key: A trademark law analysis of keyword
31 No C 96-2703 THE, 1997 US Dist Lexis 20877 at 11 fn 6 banner advertising, Fordham Law Review, 71 (101) (2002)

LA
(ND Calif, 17th December 1997). 543, 576-577 (Keyword banner advertising does not confuse
32 Playboy Enterprises Inc v Universal Tel-a-Talk Inc, No Civ consumers and does not abate or denigrate famous marks;
A 96-CV-6961, 1998 US Dist Lexis 17282 (ED Penn rather it offers them more choices based on keywords used
2nd November 1998). and this ultimately encourages competition in the electronic

IM
33 1-800-FLOWERS Inc v Phonenames Ltd, [2002] FSR 12 CA, marketplace).
[2000] FSR 697 at first instance. 55 Playboy Enterprises Inc v Netscape Communications Corp,
34 [2001] FSR 20. 354 F 3d 1020, 1025, 69 USPQ 2d 1417 (9th Cir 2004);
35 Tatasons v Ghassan Yacoub & Ors, Suit No 1672/1999 Glzaer D C & Dhamja D R, Revisiting initial interest
SH
(Del). confusion on the Internet, Trademark Reporter, 95 (2005)
36 (2003) (27) PTC 501 (Del); Dow Jones & Co Inc v Gutnic, 952, 972.
(2002) HCA 56. 56 Chan Raymond, Internet framing - Complement or hijack?
37 Cybersell Inc v Cybersell Inc, 130 F 3d 414 (1997, 9th Cir). The ‘what if’ scenario to the TotalNews case, Trademark
38 [2002] FSR 12 CA 136-139. Reporter, 89 (1999) 577, 579-580.
39 Zippo Manufacturing Company v Zippo.com Inc (1997) 42 57 No 97 Civ 1190 SDNY filed 20 February 1997.
LU

USPQ 2d 1062 (DC). 58 Futuredontics Inc v Applied Anagramic Inc, 45 USPQ 2005
40 43 USPQ 2d 1356 (ND Ga 1997). (CD Calif, 24th November 1997), affirmed by the Court of
41 Weinberg Steven M, Cyberjinks: Trademark hijinks in Appeal 52 F3d 925 (CA 9 1998).
cyberspace through hyperlinking and meta-tags, Trademark 59 Berne J R, All dressed up and no place to go: The need for
PN

Reporter, 87 (1997) 576, 580- 83. trade dress protection of Internet sites, AIPLA Quarterly
42 Knight-McConnell v Cummins, 2004 WL 1713824 (SD NY Journal, 27 (1999) 265; Nguyen X N, Should it be a free for
2004). all? The challenge of extending trade dress protection to the
43 No Civ A 96-CV-6961, 1998 US Dist Lexis 17282 (ED Penn look and feel of web sites in the evolving Internet, American
2nd November 1998). University Law Review, 49 (2000) 1233.
H

44 No 97-3055 (DDP) (CD Calif filed 28 April 1997). 60 However, it is probable that few web sites have an
45 54 USPQ 2d 1344, 2000 WL 525390 (CD Cal 2000). appearance that is so unusual or distinctive that it can
46 Viaticum v Google France, [2004] ETMR 63; VNU Business constitute protectable ‘web dress’ or ‘site dress’.
Publications BV v Monster Board BV [2002] ETMR 111, 61 No Civ A 98-102-A, 1998 WL 940347 (ED Va 10 November
Hague District Court; Estee Lauder v Fragrance Counter 1998).
Inc, [2000] ETMR 843, Hamburg District Court; Trieste e 62 Southern Pacific Co v. Arizona, 325 US 761 (1945).
Venezia Assicurazioni Genertel SPA v Crowe Italia [2001] 63 969 F Supp 160 (SDNY 1997).
ETMR 66, Tribunal of Rome. 64 McCarthy J Thomas, McCarthy on Trademarks and Unfair
47 Playboy Enterprises Inc v Welles, 47 USPQ 2d 1186 (SD Competition, (4th edition, 2003 revised), §25:68.50.
Calif 1998), affd 162 F 3d 1169 (CA 9 1998). 65 America Online Inc v IMS, 24 F Supp 2d 548, 48 USPQ 2d
48 Providing the use is deemed to be in relation to goods or 1857, 107 ALR 5th 781 (ED Va 1998).
services in the same country, Pfizer Ltd v Eurofood Link Ltd, 66 Indeed, this conflict has already come before the US courts
[2001] FSR 17; Playboy Enterprises Inc v Calvin Designer when the Georgia Computer Systems Protection Act, 1996
Labels, 985 F Supp 1220 (ND Cal, 1997). (OCGA §16-9-93.1) criminalized unauthorized trademark
49 This includes cases when it misleads consumers as to the use on the Internet. The Act was heavily criticized and
site’s affiliation, or an association between the claimant’s finally in June 1997 it was held void and unconstitutional in
and defendant’s trade, or where the material available on the ACLU of Georgia v Miller, 977 F Supp 1228 (ND Ga,
defendant’s website tarnishes the claimant’s trademark; See 1997);, Landau Michael B, Problems arising out of the use of
Instituform Technologies Inc v National Envirotech Group, ‘www.trademark.com’: The application of principles of
No 97-2064 (ED La 27 August 1997). trademark law to Internet domain name disputes, Georgia
50 174 F 3d 1036 (9th Cir 1999). State University Law Review, 13 (1997) 455-520.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.322

 REGULATING SEARCH ENGINES:
TAKING STOCK AND LOOKING AHEAD

“To exist is to be indexed by a search engine”

(Introna & Nissenbaum)

URS GASSER*

LA
TABLE OF CONTENTS

IM
I. INTRODUCTION .......................................................................................202
II. A BRIEF (AND CASUAL) HISTORY OF SEARCH ENGINES .....................203
SH
III. SEARCH ENGINE REGULATION: PAST AND PRESENT ........................208
A. OVERVIEW OF SEARCH ENGINE-RELATED CASES ............................208
B. LEGISLATION AND REGULATION ......................................................216
C. SUMMARY ..........................................................................................219
LU

III. POSSIBLE FUTURE: HETEROGENEOUS POLICY DEBATES AND THE

NEED FOR A NORMATIVE FRAMEWORK .........................................220
A. THEMES OF FUTURE POLICY DEBATES .............................................220
B. CHALLENGES AHEAD ........................................................................224
PN

C. NORMATIVE FOUNDATIONS ..............................................................227

IV. CONCLUSION .......................................................................................234
H

*
Associate Professor of Law, S.J.D. (St. Gallen), J.D. (St. Gallen ), LL.M. (Harvard),
Attorney at Law, Director, Research Center for Information Law, Univ. of St. Gallen,
Faculty Fellow, Berkman Center for Internet & Society, Harvard Law School. I owe
special thanks to my colleague James Thurman and the research team at the Research
Center for Information Law at the Univ. of St. Gallen. Particular thanks also to the
organizers and participants of the Information Society Project’s “Regulating Search?”
conference at Yale Law School. Further thanks are due to Herbert Burkert, John Palfrey,
and Sacha Wunsch-Vincent.

201
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.323
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

I. INTRODUCTION

Since the creation of the first pre-Web Internet search engines in the
early 1990s, search engines have become almost as important as email as a
primary online activity. Arguably, search engines are among the most
important gatekeepers in today’s digitally networked environment. Thus, it
does not come as a surprise that the evolution of search technology and the
diffusion of search engines have been accompanied by a series of conflicts
among stakeholders such as search operators, content creators,
consumers/users, activists, and governments. While few tussles existed in
the initial phase of innovation where Internet search engines were mainly
used by ‘techies’ and academics, substantial conflicts emerged once the
technology got out of the universities and entered the commercial space.

LA
When search technology advanced and search services gained commercial
significance, these conflicts became more severe and made their way into
the legal arena. At the core of most of these disputes were controversies

IM
over intellectual property, particularly trademark and copyright issues.
Recently, the growing market power of a few search engine
providers and their increased role in controlling access to information and
SH
agenda setting has triggered a new series of concerns and conflicts,
permeating consumer protection, competition law, and free speech issues.
Some of these issues have been subject to litigation; others have been dealt
with in the context of industry self-regulation. However, certain issues are
LU

or will be considered by regulators and legislators. In contrast to the initial

responses by the legal system to the new phenomena—responses that have
been rather perfunctory and based on traditional doctrines—the emerging
legal and regulatory issues are likely to concern the role and functionality of
PN

search engines in broader terms. At this inflection point, it becomes

important to avoid premature legislative or other forms of governmental
intervention. Rather, a thorough assessment of alternative regulatory
H

approaches and strategies that might be applied in the future is required.

Such an assessment, however, requires an open discussion and shared
understanding of what fundamental policy objectives should underlie
today’s information society in the first place.
In this light, the paper has two objectives. First, it seeks to take stock
and provide a brief summary of the current state of an emerging law of
search engines, mainly from a U.S. perspective. Second, it aims to
contribute to the development of an analytical framework that may provide
guidance in assessing proposals aimed at regulating search engines in
particular and search more generally. The paper is organized in three Parts.
In Part I, I provide a brief history of search engines to set the stage for Part
II, which will briefly discuss the initial responses by the legal system to the
phenomenon “search engines,” hereby focusing on the past and the present
and looking at case law on the one hand and regulatory as well as legislative

202
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.324
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

interventions on the other hand. This discussion is not intended to be a

detailed exposition, but rather will simply map out overall trends. Part III, in
broader terms, identifies key policy themes of an evolving debate about the
regulation of search engines that seems more comprehensive than previous
discussions. Against this backdrop, I will briefly illustrate the need for a
systematic evaluation of alternative (or competing) approaches to search
regulation. The paper finally discusses core values of a democratic
information ecosystem from which one might derive normative criteria for
the assessment of search engine governance proposals.

II. A BRIEF (AND CASUAL) HISTORY OF SEARCH ENGINES

The history of Internet search tools starts in 1990,1 when a group of

LA
McGill University of Montreal students created Archie, a script-based data
gathering program that downloaded the directory listings of all the files
located on FTP sites and created a searchable database of filenames.2 Archie

IM
was a response to the primary method of storing and retrieving files in the
pre-Web days, where files where scattered on public anonymous FTP
servers and could only be located if someone announced the availability of
SH
the file via email to a message list, a discussion forum, or the like. A year
later, a distributed document search and retrieval network protocol called
Gopher was released by a group of researchers at the University of
Minnesota,3 followed by the appearance of the searching programs
LU

Veronica and Jughead, which searched the files sorted in the Gopher index
systems and provided a keyword search of menu titles and listings on
thousands of Gopher servers.4
Access to the Internet rapidly expanded outside its previous domain
PN

of academia and industrial research organizations once the World Wide

Web (WWW), publicly available since August 1991,5 gained critical mass
in 1993 through the appearance of the web browser “Mosaic,” the first
program providing a graphical user interface.6 Parallel to Mosaic’s release,
H

the first Web search engine emerged. Wandex was an index of captured

1
See, e.g., Search Engine, in WIKIPEDIA, http://en.wikipedia.org/wiki/Search_engine (last
visited April 24, 2006) (providing a timeline of search engine development).
2
See Archie Search Engine, in WIKIPEDIA,
http://en.wikipedia.org/wiki/Archie_search_engine (last visited April 24, 2006).
3
See Gopher Protocol, in WIKIPEDIA, http://en.wikipedia.org/wiki/Gopher_protocol (last
visited April 24, 2006).
4
See Veronica (Computer), in WIKIPEDIA,
http://en.wikipedia.org/wiki/Veronica_%28computer%29 (last visited April 24, 2006);
Jughead (Computer), in WIKIPEDIA,
http://en.wikipedia.org/wiki/Jughead_%28computer%29 (last visited April 24, 2006).
5
See World Wide Web, in WIKIPEDIA, in http://en.wikipedia.org/wiki/World_wide_web
(last visited April 24, 2006).
6
See Mosaic Web Browser, in WIKIPEDIA,
http://en.wikipedia.org/wiki/Mosaic_web_browser (last visited April 24, 2006).

203
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.325
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

URLs and based on the first web crawler called World Wide Web
Wanderer, originally designed at MIT to track the web’s growth. At the
same time, other search engines appeared, including Aliweb, where
webmasters of participating sites posted their own index information for the
pages they wanted to list, and which avoided the early web crawler’s
problem causing performance degradation. The first full-text crawler-based
search engine, however, appeared in 1994. The search engine WebCrawler
with its simple browser-based interface let users search for any word in any
web page and became very popular within months.7 Also in 1994, the
search engine Lycos was created, born from a research project at
Pittsburgh's Carnegie Mellon University. It was the first search engine to
use (outbound) links to a web site to determine context and relevance,
respectively.8 Additionally, Lycos displayed not only the title and ranking

LA
of a page as its predecessor, but provided “snippets” of web pages,9 and
added features such as prefix matching and word proximity. Arguably,
however, Lycos’ main difference was the size of its catalog, which had

IM
reached 1.5 million documents by January 1995 and 60 million documents
by November 1996, more than any other search engine back in the early
days of the WWW.10
SH
By 1995, several other search tools—providing different degrees of
innovation—had emerged, including Infoseek, AltaVista, and Excite.
Infoseek was based on existing technology; it introduced a complex system
of search modifiers11 and became popular due to a strategic partnership with
web browser Mosaic Netscape.12 AltaVista, developed and marketed by
LU

Digital Equipment Corporation (DEC), went online in late 1995 and soon
became the “king of search.”13 It is considered to be the first high-speed
search engine that enabled natural language search. AltaVista was also the
PN

first multi-lingual search engine, and included features such as advanced

searching techniques (e.g. searching for phrases using quotes),14 and the
ability to search for sites that link to a particular URL.15 Excite, created by
H

a group of Stanford students, also launched in 1995 with a web directory

7
See Webcrawler, inWIKIPEDIA, http://en.wikipedia.org/wiki/WebCrawler (last visited
April 24, 2006).
8
JOHN BATTELLE, THE SEARCH: HOW GOOGLE AND ITS RIVALS REWROTE THE RULES OF
BUSINESS AND TRANSFORMED OUR CULTURE 53 (2005).
9
Id. at 54.
10
See Michael Maudlin, Lycos: Design Choices in an Internet Search Service, IEEE
EXPERT, Jan.-Feb., 1997, at 8, available at http://www.lazytd.com/lti/pub/ieee97.html.
11
See Infoseek, in WIKIPEDIA, http://en.wikipedia.org/wiki/Infoseek (last visited April 24,
2006).
12
Wes Sonnenreich, A History of Search Engines (1997),
http://www.wiley.com/legacy/compbooks/sonnenreich/history.
13
BATTELLE, supra note 8, 51.
14
Alta Vista, in WIKIPEDIA, http://en.wikipedia.org/wiki/Alta_Vista (last visited April 24,
2006).
15
See Sonnenreich, supra note 12.

204
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.326
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

and a search engine. Reportedly, it was the first search engine “to transcend
classic keyword-based searching with technology that grouped Web pages
by their underlying concepts” to fine-tune search results to its users.16 These
full-text indexing search engines were in strong competition with Yahoo!,
which made its debut in late 1994 and followed a different search paradigm
by providing hierarchical, subject-classified directories of web content.17
Since competing search engines used different techniques, they
produced different search results—a phenomenon that led in the mid 1990s
to the development of meta-search engines such as MetaCrawler or Savvy
Search. This generation of search engines forwarded search queries to all of
the major web engines at once and compiled search results, although they
were not able to synchronize the search syntaxes offered by the various
search engines.18 Another innovation was the introduction of personalized

LA
search, where search results were custom tailored to personal profiles or the
like. HotBot, for instance, a search engine released in 1996 with a capacity
to index over 10 million pages per day, made use of cookies to store

IM
personal search preferences. In a later version of the program, however, the
functionality disappeared. In 2000, finally, major search engine providers
including AltaVista introduced customized search.19
SH
Several other search engines were released between 1995 and 2000,
while others were acquired, integrated, or otherwise disappeared from the
market.20 By 2001, Google (launched in 1998 by Larry Page and Sergey
Brin) had become one of the most prominent search engines.21 Arguably, its
LU

success was based on its simple user-interface on the one hand, and the
concept of link popularity and PageRank, “a method for rating Web pages
objectively and mechanically, effectively measuring the human interest and
attention devoted to them,” on the other hand.22 Since 2000, several other
PN

search engines have appeared, among them Yahoo! Search, MSN Search,
and (Google-based) A9, to name just a few. The underlying technologies of
H

16
BATTELLE, supra note 8, 55.
17
See, e.g., The History of Yahoo – How it all Started (2005),
http://docs.yahoo.com/info/misc/history.html.
18
Sonnenreich, supra note 12.
19
See, e.g., Greg Notess, Customization Options for Web Searching, ONLINE, Jan. 2001,
available at http://www.onlinemag.net/OL2001/net1_01.html.
20
For an overview, see Search Engine, in WIKIPEDIA,
http://en.wikipedia.org/wiki/Search_engine#History (last visited April 24, 2006).
21
See, e.g., Corporate Information, http://www.google.com/corporate/history.html (last
visited April 4, 2006).
22
Lawrence Page, Sergey Brin, Rajeev Motwani, Terry Winograd, The PageRank Citation
Ranking: Bringing Order to the Web (Jan. 28, 1998),
http://dbpubs.stanford.edu:8090/pub/showDoc.Fulltext?lang=en&doc=1999-
66&format=pdf&compression=&name=1999-66.pdf. For a detailed account of the Google
success story, see BATTELLE, supra note 8. For an overview, see, e.g., Google (Search
Engine), in WIKIPEDIA, http://en.wikipedia.org/wiki/Google_%28search_engine%29 (last
visited April 24, 2006).

205
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.327
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

search engines—web crawling, indexing, and searching—have become

even more advanced and efficient. Recently, search engines are using new
protocols such as XML or RSS that are increasingly provided automatically
by websites such as weblogs and news sites and that allow for more
efficient data indexing without requiring extensive crawling. Another recent
innovation in search engine technology is the inclusion of geocoding, a
process that matches search results to geographic locations such as street
address, neighborhood, and the like.23 Other trends in search are, among
others, vertical search (e.g. image or product search), local, personal, and
contextual search.24
The technological advancement has been accompanied by an
enormous increase in the index size of search engines. Despite difficulties
in measuring and comparing index sizes over time, the following numbers

LA
might illustrate the scale of growth in the size of search engines. By the end
of 1999, for instance, major search engines indexed up to 200 million
documents. In June 2000, Google set a new benchmark of 500 million

IM
indexed pages. In 2002, the largest search engines reportedly indexed
already 3 billion pages, by the end of 2003 4 billion indexed pages (and
other file formats.) By 2004, MSN indexed 5 billion documents, and in
SH
November 2004 Google increased its database index to a record of 8 billion
documents.25 By mid 2005, the Yahoo! Search index provided access to 20
billion items, including 19.2 billion web documents, 1.6 billion images, and
over 50 million audio and video files.26 It is expected that the trend will
LU

continue as new content is indexed, both in the form of existing online

content (such as home videos)27 and in offline materials (such as books)28
that are digitized for the purpose of online search and accessibility.
PN

23
See, Search Engine, in WIKIPEDIA,
http://en.wikipedia.org/wiki/Search_engine#Geospatially_enabled_search_engines (last
visited April 24, 2006).
H

24
"Vertical" search refers to specialized search engines. For instance, Indeed.com,
LinkedIn.com, and SimplyHired.com are all vertical search engines designed for searching
for jobs. Examples of "local" search are local.google.com, local.yahoo.com, and
local.ask.com/local. Yahoo provides a "contextual" search tool which allows users to
conduct searches relating to the content of a webpage while viewing that very webpage.
See, Margaret Kane, Yahoo Launches 'Contextual' Search, NEWS.COM, Feb. 3, 2005,
http://news.com.com/Yahoo+launches+contextual+search/2100-1038_3-5561712.html.
25
These numbers have been taken from Danny Sullivan, Search Engine Sizes, SEARCH
ENGINE WATCH, Jan. 28, 2005, http://searchenginewatch.com/reports/article.php/2156481.
26
See Tim Mayer, Our Blog is Growing Up – And So Has Our Index (Aug. 8, 2005),
http://www.ysearchblog.com/archives/000172.html. Google, however, questioned the
accuracy of this number. See, e.g., Elinor Mills, Google to Yahoo: Ours Is Bigger,
NEWS.COM, Sept. 26, 2005,
http://news.com.com/Google+touts+size+of+its+search+index/2100-1038_3-
5883345.html.
27
Google has begun a project in which they permit users to upload their personal videos to
Google's servers. See Juan Carlos Perez, Google Lets You Upload Your Own Videos,

206
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.328
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

Since the early days of web search, search engine providers are not
only in the search business, but to varying degree also in the advertising
business.29 In fact, advertisement is the main revenue source of many search
engines—including players such as Google, Yahoo!, AskJeeves, and
LookSmart.30 Advertising in the search engine context can take different
forms. On the one hand, traditional types of advertisements such as display
ads, sponsorships, and listings or classified ads have been replicated by
search engine providers.31 On the other hand, search-specific advertising
products have emerged.32 The two most prominent types of search-specific
advertisements are paid placement, where an advertisement is linked to a
search term, and paid inclusion, where the advertiser pays a fee to the
search engine provider in order to get a site included in the search index.33
As will be discussed below, paid inclusion in particular has caused much

LA
controversy among users and even intervention on the part of regulators.34
Current trends in advertising, as far as search engines are concerned,
include portal advertising, such as that found on yahoo.com, "query-based

IM
paid placement," where favorable link positioning is sold or advertising is
tied to particular search terms, and "content-targeted advertising," where a
search service sends advertising to a web page upon determining relevant
SH
topics covered in the web page.35 Google's AdSense program is the prime
example of this last form of advertising. The revenue derived from
advertising can be substantial. Google, which derives the majority of its
LU

PCWORLD.COM, April 14, 2005,

http://www.pcworld.com/news/article/0,aid,120434,00.asp.
28
Google's library project involves the scanning of books in the collections of the Harvard,
PN

Stanford, Oxford and University of Michigan libraries as well as that of the New York
Public Library. See e.g., Jefferson Graham, Google's Library Plan 'a Huge Help', USA
TODAY.COM, Dec. 15, 2004, http://www.usatoday.com/money/industries/technology/2004-
12-14-google-usat_x.htm.
29
See, e.g., Elizabeth Van Couvering, New Media? The Political Economy of Internet
H

Search Engines, Sept. 2, 2004, at 6, available at

http://personal.lse.ac.uk/vancouve/IAMCR-
CTP_SearchEnginePoliticalEconomy_EVC_2004-07-14.pdf.
30
According to Van Couvering’s study, 95% of Google’s, 82% of Yahoo!’s , 96% of
AskJeeves, and 90% of LookSmart’s total revenues in 2003 came from advertisement. Id.
at 7. Some commentators, however, have questioned the wisdom of Google's (continued)
dependence on advertising as well as the viability of advertising in web applications as
opposed to web content. See, e.g., the discussion on ZDNet from December, 2005,
http://blogs.zdnet.com/SAAS/?cat=24 (last visited April 24, 2006).
31
See Van Couvering, supra note 29, at 11-13.
32
Id. at 13-17.
33
See, e.g., Rita Vine, The Business of Search Engines, at 26, available at
http://www.workingfaster.com/2004_business_of_search_engines_final.pdf (last visited
April 24, 2006).
34
Infra Part B.
35
See, e.g., Michael Rappa, Business Models on the Web,
http://digitalenterprise.org/models/models.html (last visited April 24, 2006).

207
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.329
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

revenue from advertising, posted income of $6,065,003,000 in 2005.36 In

the third quarter of 2005, Yahoo reported revenue of $442 million from
search advertisements, compared with Google's $1.6 billion in that
quarter.37

III. SEARCH ENGINE REGULATION: PAST AND PRESENT

A. OVERVIEW OF SEARCH ENGINE-RELATED CASES

1. Period before 2000

In the years before 2000, the number of cases concerning search

engines and/or web search had been limited, although the importance of

LA
search engines was widely recognized only a few years after the web started
off and the first full-text crawler-based search engine emerged. Courts, too,
acknowledged the role of search engines in cyberspace. In mid 1996, the

IM
District Court for the Eastern District of Pennsylvania, for instance,
described the situation based on a stipulation filed by the parties as follows:
SH
“… A variety of systems have developed that allow users of the Web to
search particular information among all of the public sites that are part of
the Web. Services such as Yahoo, Magellan, Altavista, Webcrawler, and
Lycos are all services known as "search engines" which allow users to
search for Web sites that contain certain categories of information, or to
LU

search for key words. For example, a Web user looking for the text of
Supreme Court opinions would type the words "Supreme Court" into a
search engine, and then be presented with a list of World Wide Web sites
that contain Supreme Court information. This list would actually be a
PN

series of links to those sites. Having searched out a number of sites that
might contain the desired information, the user would then follow
individual links, browsing through the information on each site, until the
desired material is found. For many content providers on the Web, the
ability to be found by these search engines is very important.”38
H

ACLU v. Janet Reno was among the first rulings where the
functionality and importance of web search engines were explicitly
discussed. The role of search engines was also mentioned in Lockheed

36
Google Income Statement, http://investor.google.com/fin_data.html (last visited April
24, 2006).
37
Saul Hansell, Yahoo Reports Revenue Gains Bolstered by Online Ads, NYTIMES.COM
(Oct. 19, 2005),
http://www.nytimes.com/2005/10/19/technology/19yahoo.html?ex=1287374400&en=bdaf
d1ae5ed986ac&ei=5090&partner=rssuserland&emc=rss and Google Income Statement,
http://investor.google.com/fin_data.html. The New York Times' figure of $1.16 million for
Yahoo's total advertising revenue for the third quarter of 2005 must certainly be a
typographical error.
38
ACLU v. Reno, 929 F. Supp. 824, 837 (E.D. Pa. 1996).

208
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.330
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

Martin Corp. v. Network Solutions, Inc., a trademark case brought by a

company against the domain name registrar.39 The ruling highlighted the
importance of corporate names, trademarks or servicemarks as domain
names, arguing that keyword searches on the web (as opposed to cases in
which users know the exact address) “often yield thousands of possible
Web sites,” and that “[s]uch a cumbersome process is rarely satisfactory to
businesses seeking to use the Web as a marketing tool.”40
At the same time, the first search engine-specific cases were brought
before courts. One might roughly distinguish between two categories of
cases. First, there were disputes between web site providers (beneficiaries
of search engines) who sought to use certain features of search engines in
order to get more attention. Second, there emerged a few conflicts between
web site providers on the one hand and search engine operators on the other

LA
hand.

 The first category, of course, refers to the use of meta tags by web

IM
page providers. Meta tags are HTML elements used to provide
metadata about a web page. In the early days of web search, search
engines had used meta tag data to classify a given web page and,
SH
based on this system, to generate and display a list of search results
matching a given query.41 However, webmasters quickly learned
the commercial significance of having the ‘right’ meta tag, as it
frequently led to a high ranking in the search engines and,
LU

consequently, to more ‘hits.’ One practice that soon became subject

to litigation was “pagejacking,” where the traffic to a web page was
increased by “falsifying the information in metatags to emulate the
appearance of another Web site in search engine results.”42 Among
PN

the first cases concerning meta tagging,43 starting in mid 1997, were
Oppedahl & Larson v. Advanced Concepts (no opinion issued),44
Insituform Technologies, Inc v. National Envirotech Group, LLC,45
Playboy Enterprises, Inc. v. Calvin Designer Label,46 Patmont
H

Motor Werks, Inc. v. Gateway Marine, Inc.,47 Playboy Enterprises,

39
985 F. Supp. 949 (D. Cal. 1997).
40
Id. at 952.
41
Since early 2000, search engines have not relied on meta tags due to the inappropriate
use of meta keywords or other practices aimed at increasing a web page’s search engine
ranking. Some search engines still take meta tags into consideration. In addition,
techniques are applied to down-rank web sites that “game the system.” See, e.g., Metatags,
WIKIPEDIA, http://en.wikipedia.org/wiki/Metatags (last visited April 24, 2006).
42
DAVID W. QUINTO, LAW OF INTERNET DISPUTES, §10.01[A], 10-5 (2001 & Supp. 2003).
43
See, e.g., QUINTO, supra note 42, at § 10.01; Danny Sullivan, Search Engine Lawsuits
O'Plenty, Dec. 16, 1999, http://searchenginewatch.com/sereport/article.php/2167671.
44
No. 97-1592 (D. Colo. 1998).
45
No. 97-2064 (E.D. La. 1997).
46
985 F. Supp. 1220 (N.D. Cal. 1997).
47
1997 WL 811770 (N.D. Cal. 1997).

209
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.331
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

Inc. v. AsiaFocus International, Inc.,48 Playboy Enterprises, Inc. v.

Welles,49 Niton Corp. v. Radiation Monitoring Devices, Inc.,50 and
Brookfield Communications, Inc. v. West Coast Entertainment
Corp.51

 The second group of early cases is more interesting from the

perspective of search engine regulation, because here the lawsuits
were directly targeted against search engine operators. Prior to
2000, at least three cases deserve particular attention. In Ken
Roberts Co. v. GoTo.com,52 the Ken Roberts Company brought suit
for the unauthorized use of Roberts' name (in both web content and
meta tags) and likeness on the part of several financial trading
related websites. Although GoTo.com was dismissed from the suit

LA
on February 9, 2000, Hi-Tech Futures Trading, Inc. and Softrade,
Inc. were found liable of Lanham Act trademark-related violations
as well as violations of state-based laws, such as unfair business

IM
acts.53 The suit in Playboy Enterprises, Inc. v. Netscape
Communications Corp.54 concerned the search engine’s business
practice of “keying” search terms (plaintiff's marks) to advertising
SH
banners for adult products. The plaintiff claimed, in essence, “'that
Excite [and Netscape] has hijacked and usurped PEI’s good will
and reputation by exploiting a search based on a PEI mark as an
opportunity to run banner advertisements and display directories
specifically keyed to the PEI marks'”55 and therefore sought a
LU

preliminary injunction against Netscape's and Excite's further use of

the marks. The District Court held that Playboy had failed to show
that Netscape had used Playboy's marks in interstate commerce—as
PN

opposed to generic terms of the English language, failed to show

that there was likelihood for consumer confusion, failed to show
sufficient evidence of trademark dilution, and additionally held that
H

Netscape's use of search terms was protected by the First

Amendment and constituted fair use as well.56 The third case, Kelly
v. Arriba Soft Corp.,57 is neither linked to meta tagging nor keying.
Rather, it involved copyright issues triggered by a technological

48
1998 WL 724000 (E.D. Va. 1998).
49
7 F. Supp. 2d 1098 (S.D. Cal. 1998).
50
27 F. Supp. 2d 102 (D. Mass. 1998).
51
174 F.3d 1036 (9th Cir. 1999).
52
2000 WL 33680439 (N.D. Cal. 2000).
53
Id.
54
55 F. Supp. 2d 1070 (C.D. Cal. 1999).
55
Id. at 1081.
56
See generally, Playboy Enterprises, Inc., 55 F. Supp. 2d 1070 (C.D. Cal. 1999). Part
II.A.2 of this paper discusses later decisions involving this case.
57
77 F. Supp. 2d 1116 (C.D. Cal. 1999).

210
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.332
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

innovation. The defendant operated a visual search engine on the

Internet, which allowed users to search the web for pictures and
produced a list of reduced, “thumbnail” pictures related to the
user’s query. The plaintiff, a photographer, claimed that some of his
online images were indexed by the search engine’s crawler and put
in the defendant’s image database, thus becoming available in
thumbnail form to the search engine’s users. He argued, among
other things, that his copyrights in the images were infringed by the
defendant’s actions and claimed a violation of the DMCA. The
court, on first impression, held the use of copyrighted images by the
visual search engine as a prima facie copyright violation, but one
that was justified under the fair use doctrine. It further held that the
DMCA was not violated.

LA
In sum, a rough overview of the case law prior to 2000 suggests that
the growing importance of search engines was widely acknowledged and

IM
undisputed as early as 1996. Further, this brief analysis has made clear that
initial conflicts surrounding search engine and search practices that made
their way into courtrooms dominantly concerned intellectual property
SH
rights—a set of claims and issues that can be seen as typical for the
transition from the phase of innovation to the phase of commercial
exploitation. Interestingly, though, the majority of the early rulings
concerned beneficiaries of search engines, i.e., web site providers who used
LU

legitimate and illegitimate practices to increase their visibility in

cyberspace. Only in a few cases (that made it to the courts) claims were
brought against search engine operators directly. In this context, it might be
interesting to note that our survey has not proven the possible hypothesis
PN

that the subject of litigation would be closely related (although time-

delayed) to the steps of evolution in search technology or the underlying
business models as they have been outlined in Part I of this paper. Rather,
H

the claims prior to 2000 involved rather basic and stable features of
contemporary search engines. Only Kelly v. Arriba Soft Corp. concerning
image search could be interpreted as a reaction to a more specific
innovation in search technology.

2. Period after 2000

According to an extensive Westlaw search, the year 2000 marks the

crossroad in search engine-specific case law, primarily from a quantitative,
but to some extent also qualitative perspective. First, some of the cases
decided by the courts of first instance got appealed and were decided in the
new millennium by appellate courts. Among them were the above-
mentioned Playboy Enterprises, Inc. v. Netscape Communications Corp.58
58
354 F.3d 1020 (9th Cir. 2004).

211
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.333
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

and Kelly v. Arriba Soft Corp.59 In the former case, the Ninth Circuit
reversed the lower court’s grant of summary judgment in favor of Netscape
and Excite, holding that there was a genuine issue of fact as to whether the
keying practices constituted trademark infringement and dilution. The
Playboy court heavily relied on the initial interest confusion analysis as set
forth in an earlier case,60 ruling that a banner ad that clearly identified its
source with the sponsor’s name might eliminate the existing likelihood of
initial interest confusion. A week after the appeals court ruling, the
companies reached a settlement under undisclosed terms.61 Kelly was also
appealed. The Ninth Circuit remanded the case in part, ruling that the use of
the images as thumbnails was fair use, but declined to extend that holding to
the use of full size images.62
Second, many more lawsuits against search engines concerning the

LA
sales of third party trademarks for use in sponsored links and banner ads
were filed after 2000, since keyword advertising had become the key driver
of the search engine business.63 Some of them were settled or dismissed

IM
before judgment, others decided by courts. Among the cases that gained a
lot of attention was Geico v. Google.64 The plaintiff claimed, inter alia, that
Google and Overture’s sale of the marks GEICO and GEICO DIRECT as
SH
keywords constituted trademark infringement, contributory infringement,
vicarious trademark infringement, unfair competition, and trademark
dilution under the Lanham Act. A district court denied the defendants’
motion to dismiss and held that the plaintiff had alleged facts sufficient to
LU

support its liability claims. While Geico and Overture reached a settlement,
the trial court later held that Geico had not presented sufficient evidence
that Google’s sale of trademarks to others as keywords constituted
trademark infringement since the ads themselves did not include the
PN

trademarks and there was no evidence that the relevant activity standing
alone caused confusion. Other cases concerning similar trademark issues
include Google v. American Blind and Wallpaper Factory, Inc.,65 Novak v.
H

59
280 F.3d 934 (9th Cir. 2002).
60
Brookfield Communications Inc. v. West Coast Entertainment Corp., 174 F.3d 1036 (9th
Cir. 1999).
61
Update 14, LINKS AND LAW, Feb. 14, 2004, http://www.linksandlaw.com/news-
update14.htm.
62
336 F.3d 811, 2003 (9th Cir. 2003).
63
For a comprehensive overview, see, e.g., Heidi S. Padawer, Google This: Search Engine
Results Weave a Web for Trademark Infringement Actions on the Internet, 81 WASH. U.
L.Q. 1099 (Winter 2003); Lauren Troxclair, Search Engines and Internet Advertisers: Just
one Click Away from Trademark Infringement?, 62 WASH. & LEE L.REV. 1365 (Summer
2005); Perry Viscounty & Jordan Kushner, Order to Confusion: Trademark Infringement
Liability for Search Engine Keying Ads, 1 HASTINGS BUS. L.J. 151 (May 2005); see also
Eric Goldman, Deregulating Relevancy in Internet Trademark Law, 54 EMORY L.J. 507
(2005).
64
Government Employees Ins. Co. v. Google, Inc., 330 F. Supp. 2d 700 (D. Va. 2004).
65
74 U.S.P.Q.2d 1385, 2005 WL 832398, No. 03-05340 (N.D. Cal. 2005).

212
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.334
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

Overture Services Inc.,66 and 800-JR-Cigar v. Overture,67 and (more

recently) Newborn v. Yahoo!, Inc.68
Similarly, the number of copyright-related claims against search
engine operators has increased, especially recently. The plaintiff in Perfect
10 v. Google, Inc. claimed, among other things, that Google directly
infringed Perfect 10's copyrights in images by making those images
available as thumbnails and was vicariously and contributorily liable for
linking to third party sites which featured unauthorized full-size images
belonging to Perfect 10.69 In ruling on Perfect 10's motion for a preliminary
injunction, the District Court for the Central District of California held with
regard to Google that Perfect 10 was likely to succeed on its claim for direct
infringement but not on the claims for vicarious and contributory
infringement.70 Another series of recent cases deals with the cache function

LA
as provided, for instance, by Google. In Field v. Google, Inc.,71 the plaintiff
claimed that Google directly infringed copyright when Google users clicked
on a cached link to the web pages containing copyrighted materials and

IM
downloaded a copy of these works. The court, in contrast, held that it was
the search engine user rather than the search engine operator that created
and distributed copies of the copyrighted work in this process. Since Google
SH
remained passive in this process and only responded automatically to users’
requests, Google’s conduct did not constitute a direct copyright
infringement. Further, the court held, inter alia, that Google held an implied
license since the plaintiff took several steps to get his works included in the
LU

engine’s search results, where he knew they would be archived. Further, the
plaintiff deliberately ignored options that would have instructed Google not
to present cached links. The court also ruled that the relevant use of the
copyrighted materials constituted a fair use. A similar claim underlay
PN

Parker v. Google,72 where the plaintiff alleged direct infringement from

Google’s automatic archiving of a USENET site that contained a posting of
the plaintiff’s ebook. The court found no direct infringement because of the
H

automated and non-volitional nature of archiving.

Third, other types of conflicts emerged post-2000 and were brought
to courts. A series of cases was triggered by the increased use of so-called
“spiders” for the purpose of content aggregation. EBay, Inc. v. Bidder’s
Edge, Inc.73 is among the landmark cases in this context.74 EBay, as the

66
309 F. Supp. 2d 446 (E.D. N.Y. 2004).
67
No. 2:00-03179 (D. N.J. 2000).
68
391 F. Supp. 2d 181 (D.D.C. 2005).
69
Perfect 10 v. Google, Inc., 78 U.S.P.Q.2d 1072 (C.D. Cal. 2006).
70
Id.
71
F. Supp. 2d, 77 U.S.P.Q.2d 1738 (D. Nev. 2006).
72
Parker v. Google, Inc., No. 04-CV-3918, 2006 WL 680916 (E.D. Pa. 2006).
73
100 F.Supp.2d 1058 (N.D. Cal. 2000).

213
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.335
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

provider of the famous Internet auction site, sued its competitor, Bidder’s
Edge, which, by using spiders, compiled listings for specific items from
several online auction sites, including eBay and displayed them in
aggregated form on its own website. After technological measures aimed at
blocking the entry of the competitor’s spiders failed, eBay filed suit and
claimed that the defendant was committing a trespass to chattels. The
district court granted preliminary injunction in favor of eBay. The court
held that the use of spiders was likely to qualify as “trespassing” in eBay’s
servers, thereby consuming at least a portion of eBay’s bandwidth and
server capacity and therefore depriving eBay of the ability to use that
portion of its personal property for its own purposes.75
Another problem involved the alleged manipulation of PageRanks
by Google. SearchKing, a company selling ad space on sites ranked highly

LA
by the PageRank system, claimed that the search engine purposefully and
maliciously manually decreased the PageRank of SearchKing and certain
other web sites once it learned that SearchKing profited from the search

IM
engine’s system. The plaintiff alleged that the down-ranking caused
immensurable harm to its goodwill and business relations. Google, by
contrast, considered PageRank to be a protected opinion under the First
SH
Amendment. The court in Search King, Inc. v. Google Technology, Inc.76
agreed and held that Google’s actions were privileged, although it could be
argued that the search engine had acted maliciously and wrongfully as to
SearchKing. The court ruled that the defendant (absent any business
LU

relationship with the plaintiff) had no duty to rank, or refrain from ranking,
the plaintiff’s or any other website. The court concluded that the plaintiff
took the risk to build a business model that largely depended on a factor
over which it had no control, and concluded that a unilateral change of the
PN

factor under such circumstances cannot give rise to a claim for tortious
interference with contractual relations. The controversy over downgrading
PageRanks, however, is not yet over. A more recent class action lawsuit has
been filed in the Northern District of California.77 Time will tell if the
H

California District Court will reach a similar conclusion regarding the

manipulation of rankings on the part of search engine providers.
Other issues up for discussion that recently emerged in the search
engine context are privacy and defamation, respectively. In Parker v.
Google, the plaintiff alleged that Google is liable, inter alia, for the tort of
defamation, because the defendant archived defamatory messages posted by

74
But see Ticketmaster Corp. v. Tickets.com, Inc., No. CV 99-7654 HCH (BQRx) (C.D.
Cal. 2000); eBay, Inc. v. ReverseAuction.com, Inc., No. C-00 20023 RMW (N.D. Cal.
2000); Register.com, Inc. v. Verio, Inc., 126 F. Supp. 2d 238 (S.D.N.Y. 2000).
75
Bidder's Edge, Inc., 100 F.Supp.2d at 1070-71.
76
SearchKing, Inc. v. Google Technology, Inc., No. CIV-02-1457-M, 2003 WL 21464568
(W.D. Okla. 2003).
77
Kinderstart.com, LLC v. Google, Inc., No. C-06 2057 (N.D. Cal. 2006), available at
http://blog.searchenginewatch.com/blog/googlesuit_031806.pdf.

214
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.336
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

USENET users and because of defamatory statements that were located on

a website that was in Google’s cache. Further, the plaintiff claimed liability
for invasion of privacy because “the act of Google users putting in a search
query of his name led Google to produce a list of websites in which his
name appeared, thus creating what he called ‘an unauthorized biography of
Plaintiff that is an invasion of his right to privacy.’”78 The court held that
the defendant is immune from such state tort claims under the
Communication Decency Act.79

3. Conclusion

A high-level overview of cases against search engine operators since

the mid 1990s leads to three tentative conclusions. First, the overview

LA
suggests that different types of concerns, tussles, and conflicts have evolved
over time and made their way into the legal system. In the early days of
web search and roughly up to 2000, meta tagging was apparently the most

IM
frequent subject of litigation involving search engine operators. The second
generation of lawsuits against search engine operators, however, has
become more diverse, although intellectual property issues—probably with
SH
a shift from trademark issues towards copyright issues—continue to play an
important if not predominant role. An increased number of claims based on
trespass to chattels, defamation, privacy, and other grounds might indeed
signal that the conflicts surrounding search engines are broadening.
LU

Connecting the evolution of case law with the history of search

engines as outlined in Part I, it is interesting to observe that the different
waves of litigation are in fact related to particular technological
advancements (e.g. keyword search) and the evolution of business models
PN

(e.g. paid placement), but are less tightly connected to them as one might
expect. On the one hand, important and potentially controversial
innovations such as the introduction of web page summaries (“snippets”) in
H

search results, for instance, does not seem to have triggered waves of
(copyright) litigation. On the other hand, conflicts that are clearly connected
with an innovation in search technology—conflicts surrounding spiders, for
example—found entry into the legal system only several years after mass-
adaptation by users. Similarly, the timing of the legal system’s response to
certain business practices (like keying) is likely to depend on various factors
besides the first appearance of the respective conduct, making both causal
explanations and predictions difficult.
Third, the case law overview demonstrates that search engines, and
search more generally, have been regulated to one degree or another since
the early days of web search. Evidently, the emerging case law has a direct
impact on the behavior of the involved parties. In Bidder's Edge,

78
Parker v. Google, Inc., 2006 WL 680916, at *6.
79
47 U.S.C. § 230 (2000).

215
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.337
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

Register.com, and Perfect 10, for example, the plaintiffs succeeded in

obtaining preliminary injunctions with respect to at least part of their
claims. In some instances, the regulatory effects of litigation have been even
broader. One example in this context is the strategic response of search
engines to intense litigation regarding keyword advertisement. Vis-à-vis
remaining uncertainty as to the applicable legal standards, some players
have crafted and/or revised their respective keyword policies. Google, for
instance, revised its keyword policy in 2004 in the light of recent case law,
allowing U.S. advertisers to bid on trademarked keywords, but prohibiting
the use of third party trademarks in the text of an advertisement.80
Microsoft’s current U.S. policy for its MSN keywords program allows
informal uses of third party trademarks, but enforces its well-balanced
policy by filters and other technologies, complaint procedures, and the

LA
like.81 Yahoo! Search Marketing went a step further and recently announced
that U.S. advertisers will no longer be allowed to bid on keywords
trademarked by competitors.82

B. LEGISLATION AND REGULATION

IM
SH
Not only courts have been dealing with legal issues accompanying
the emergence and further development of search engine technology and
business. Legislators and regulators have addressed aspects related to online
LU

search in general and search engines in particular. As is not uncommon in

other contexts as well, legislative proposals concerning the online
environment have sometimes emerged in reaction to controversial cases.
Based on the result analysis of an extensive search with terms such as
PN

“search engine,” “internet directory” and “internet resources guide” on

Westlaw and on THOMAS, one might discern areas of legislation where
Congress clearly had implications for search engines in mind. On the other
H

hand, amendments to Title 47 of the U.S. Code introduced new legislative

terminology in response to the emerging digital revolution. Although terms
such as "interactive computer service," "access software provider" and
"information location tool" have become fairly common parlance in bill
drafting, these terms do not always refer to the definitions contained within
Title 47, nor are they always defined in the same manner. In some
instances, the use of a particular term clearly implicates search engines

80
Pamela Parker, Google Shifts Trademark Policy, CLICKZNEWS, April 13, 2004,
http://www.clickz.com/news/article.php/3339581.
81
See, e.g., Jon M. Zieger, Search Engine Liability for Trademark Infringement: Seeking a
Balanced Policy Amidst Legal Uncertainty, Position Paper presented at the “Regulating
Search” conference at Yale Law School, December 3, 2005, available at
http://islandia.law.yale.edu/isp/search_papers/zieger.doc.
82
Kevin Newcomb, Yahoo Modifies Trademark Keyword Policy, CLICKZNEWS, Feb. 24,
2006, http://www.clickz.com/news/article.php/3587316.

216
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.338
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

while in some instances, search engines are clearly not implicated, and in
yet other instances, the implications are not clear.83 Irrespective of these
problem areas, overall, one may roughly distinguish among three areas of
law and regulation in which search engines have specifically gained policy-
makers’ and regulators’ attention.84
The first area relates to content regulation and its limitations. Given
the ubiquitous availability of online content and the absence of customary
consumer controls that exist in brick-and-mortar stores of adult products, a
number of these legislative proposals have concerned the protection of
minors. The 1998 Senate Report on Commercial Distribution of Material
Harmful to Minors on World Wide Web,85 for instance, emphasized the role
of search engines in cyberspace,86 and described the problem of spoofing,
where pornographers trick search engines by including innocent search

LA
terms on their web sites.87 Similarly, the 1998 House Report on the Child
Online Protection Act discussed the problem where children enter
seemingly unrelated terms such as “toy” or “dollhouse” into a search engine

IM
and would be led to material harmful to minors.88 On the other hand,
search-related techniques such as meta tagging were considered as possible
means of identifying harmful content and restricting its availability.89 These
SH
issues had also been repeated, for instance, in the 1999 Senate Report on the
Children’s Internet Protection Act.90 There, the Committee on Commerce,
Science, and Transportation discussed the ease with which minors could
come upon adult-oriented materials through the use of search engines, since
search services contained no artificial intelligence to omit the content.91
LU

83
The term "information location tool," for instance, appears to always include search
PN

engines within the ambit of its meaning, whereas "access software provider," as defined in
§ 230 of the Communications Decency Act, clearly includes search engines, but as defined
in the Internet Election Information Act of 1997 (H.R. 653.IH) would not likely include
search engines.
84
More obscure regulatory issues would include, for example, the SEC’s statement issued
H

March 27, 1998, in which the application of U.S. securities regulation to websites that
promulgate “offering and solicitation materials” for offshore sales of investment services
and securities was discussed. In a footnote, the SEC addressed the issue of meta-tagging
and targeted communications, stating that it will generally not view the use of tags relating
to securities or investments as transforming web sites into a targeted communication that
would require additional measures to assure against sales to U.S. persons. See 63 Fed. Reg.
14806, 14807 (Mar. 27, 1998).
85
S. REP. No. 105-225 (1998). The Report states that the bill was "in response to the
Supreme Court ruling on the 'indecency' and 'patently offensive' provisions of the
Communications Decency Act, and addresses the concerns of the Court in the case, Reno
v. ACLU, 117 S. Ct. 2329 (1997)." Id. at 2.
86
Id. at 2.
87
Id. at 4.
88
H.R. REP. No. 105-775, at 10 (1998).
89
Id. at 17.
90
S. REP. No. 106-141, at 3 (1999).
91
Id.

217
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.339
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

Also with regard to the promotion of freedom of expression, the role of

engines has recently been considered in the Global Online Freedom Act of
2006.92 If the bill becomes law, it would prohibit search engines from
locating any hardware associated with their services within a country
designated by the act as Internet restricting,93 and would prohibit operators
from altering their search services within such a country.94 Further, it would
oblige search engine operators to provide a special committee with a list of
terms intended for the filtering policy of an Internet restricting country.95
Thus, there has been a desire on the part of Congress to limit access by
certain classes to content on the one hand, and preserve the free expression
of content on the other.
The second area where search engines attracted legislators' attention
relates to liability of search operators. Search engines have been explicitly

LA
mentioned in the context of limitations on liability for copyright
infringement. A bill aimed at providing limitations on copyright liability
relating to material online (Digital Copyright Clarification and Technology

IM
Education Act of 1997), for instance, provided in section 102 (a proposed
additional section 512 to chapter 5 of title 17 of the United States Code) a
safe harbor from copyright infringement liability for search engines.96
SH
Similarly, the Senate Report on the Digital Millennium Copyright Act of
1998 mentioned search engines in discussion of the limitation on the
liability for copyright infringement included in the bill.97 The corresponding
House Report, too, mentioned search engines in the context of the safe
harbor provisions.98 Opposition to the imposition of criminal liability on
LU

search engines, among other ISPs, for content supplied or controlled by a

third party was expressed in a 2001 House of Representatives Resolution.99
More generally, but without explicit reference to search engines, section
PN

230 of the Communications Decency Act shields access software providers

from liability derived from the “publication” of content. The term “access
software provider” means a provider of software or enabling tools that, inter
alia, cache, search, or organize content.100 The Child Online Protection Act
H

also contained a provision exempting persons in the business of providing

an "Internet information location tool" as well as anyone engaged in the
92
H.R. 4780, 109th Cong. (2006).
93
Id. § 201.
94
Id. § 202.
95
Id. § 203.
96
S. 1146, 105th Cong. § 102 (1997).
97
S. REP. No. 105-190, at 48 (1998).
98
H.R. REP. No. 105-551, at 56 (1998)
99
H.R. Res. 12, 107th Cong., (2001).
100
Pub. L. No. 104-104, tit. V, § 230(f)(4)(C), 110 Stat. 113, invalidated by Reno v.
ACLU, 117 S. Ct. 2329 (1997). For a discussion of the Safe Harbor provisions under the
DMCA and Communications Decency Act, see generally Jonathan Band & Matthew
Schruers, Safe Harbors Against the Liability Hurricane: The Communications Decency Act
and the Digital Millennium Copyright Act, 20 CARDOZO ARTS & ENT. L.J. 295 (2002).

218
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.340
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

"storage, retrieval, hosting, formatting, or translation" of internet

communications.101 Similarly, several other bills contemplated liability
exemptions for information location tools or exempted them from the bill's
purview altogether.102
The third area of intervention has been (general) consumer
protection. The most prominent example belonging to this category are
actions taken by the Federal Trade Commission, which issued a letter with
recommendations to search engine operators in response to a complaint
filed by Commercial Alert requesting the agency to investigate whether
certain search engines were violating Section 5 of the Federal Trade
Commission Act by failing to disclose that advertisements are inserted into
search engine results lists.103 In response, the FTC drafted a letter to search
operators recommending that they review their web sites to ensure that (1)

LA
any paid ranking search results are distinguished from non-paid results with
clear and conspicuous disclosures; (2) the use of paid inclusion is clearly
and conspicuously explained and disclosed; and (3) no affirmative

IM
statement is made that might mislead consumers as to the basis on which a
search result is generated.104 Additionally, the Anti-Phishing Act of 2004105
and the Internet False Identification Prevention Act of 2000106 were both
SH
proposed as measures to combat online fraud. The Anti-Phishing Act would
create criminal liability for search engines wherever they point to a
fraudulent site with knowledge or intent to commit fraud or identity theft.107
The False Identification Prevention Act, on the other hand, exempts search
LU

engines as "access software providers" or "interactive computer services"

from liabilty that would be imposed by the bill with certain exceptions.108

C. SUMMARY
PN

101
H.R. REP. No. 105-775, at 30 (1998). Also consider the provisions of the Online
Parental Control Act of 1996, H.R. 3089.IH relating to "access software providers."
102
See, e.g., Internet False Identification Prevention Act of 2000, Pub. L. No. 106-578, 114
H

Stat. 3075 (2000); Prisoner Web Site Disclosure Act of 1999, H.R. 1930, 106th Cong.
(1999); Securely Protect Yourself Against Cyber Trespass Act , H.R. 29, 109th Cong.
(2005); Ryan Haight Internet Pharmacy Consumer Protection Act of 2005, H.R. 840, 109th
Cong. (2005); Medicare Drugs for Seniors (MED) Act of 2006, H.R. 4697, 109th Cong.
(2006).
103
Letter from Commercial Alert to Federal Trade Commission (July 16, 2001),
http://www.commercialalert.org/PDFs/SearchEngines.pdf.
104
Draft Letter from the Federal Trade Commission (June 27, 2002),
http://www.ftc.gov/os/closings/staff/commercialalertattatch.htm.
105
S. 2636, 108th Cong. (2004).
106
S. 2924, 106th Cong. (2000).
107
S. 2636, 108th Cong. § 3 (2004).
108
S. 2924, 106th Cong. § 3(6) (Engrossed as Agreed to or Passed by Senate, October 31,
2000). The exceptions include, inter alia, where the service has knowingly permitted its
service to be used to perpetrate an act prohibited under the bill's provisions and an officer,
director, partner, or controlling shareholder has the specific intent that the service be used
to that purpose. Id.

219
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.341
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

Part II of this paper has provided an overview of what one might call
the emerging law of search engines. The previous sections have illustrated
that certain search practices in general and certain forms of behavior of
search engine operators in particular have been the subject of legal
regulation—using the term regulation in its broad sense—since the early
days when web search became a mass-phenomenon. The responses by the
legal system have either been triggered by technological innovation in
search or new business models, or by a combination of these factors.
In a first phase, trademark disputes were predominant issues to be
resolved in courts. In a second phase, additional issues have entered the
legal arena, including privacy concerns and free speech issues—although
IPR disputes (including trademark and copyright) still play a very important

LA
role. At the legislative and regulatory level, content regulation and its limits,
immunity from liability for copyright infringement as well as liability
derived from publication of content, and consumer protection have been the

IM
key topics where the specific role of search engines has been taken into
account.
The high-level analysis has shown that interventions by courts,
SH
legislators, and regulators alike have generally been issue-specific, ranging
from specialties such as keying, meta tagging, spiders, to caching and paid
inclusion. At the same time, however, more and more issues have become
relevant from the legal and regulatory perspective, thus broadening over
LU

time the scope and reach of the law governing search and search engines. A
brief overview of emerging legal and regulatory issues up for discussion in
various fora, finally, has confirmed this trend.
PN

III. POSSIBLE FUTURE: HETEROGENEOUS POLICY DEBATES AND THE

NEED FOR A NORMATIVE FRAMEWORK
H

A. THEMES OF FUTURE POLICY DEBATES

The current state of search engine regulation as sketched in Part II

has suggested that the emerging body of law is characterized by thematic
diversity. In that regard, it mirrors the state of cyberlaw more generally.109
Based on the analysis of past and present discourses in courts, parliaments,
agencies, academic fora, etc., the following threads of discussion

109
See Herbert Burkert, Von künftigen Aufgaben des Informationsrechts, in RECHT UND
INTERNATIONALISIERUNG, 157-158 (Christian J. Meier-Schatz and Rainer J. Schweizer
eds., 2000).

220
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.342
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

concerning the law and policy of search engines are likely to be the key
topics of intensified regulatory debates in the future:110

– The infrastructure debate concerns the ordering of the physical and

logical infrastructure necessary to provide search functionalities on the
web. Issues such as the informational equivalent of common carrier
rules for search engines, the obligation of providing even-handed
listings, or the disclosure of a search engines’ algorithm are topics
belonging to this thread of discussion.111 In some jurisdictions
(particularly in Europe), this debate also includes the question of the
state’s role in information processes (service public) vis-à-vis privately
owned and controlled search infrastructure. This debate intensifies in
the current digital environment where the search engine market is rather

LA
concentrated and centralized.112

– The content debate covers at least three related, but analytically distinct

IM
issues. First, the discussion of search engines’ role in promoting
freedom of expression in general and political speech in particular.113
Second, the controversies concerning the limitations on free speech and
SH
the search engines’ responsibility in enforcing these limits, for example
with regard to materials harmful to minors (should search engines
remove objectionable content?). Third, the debate about the cultural
bias of search engines and cultural diversity, respectively.114
LU

– The ownership debate is directed at the future of intellectual property

rights and similar claims in light of existing and evolving search
technology and corresponding business models. At least three issues
PN

relate to this category. First, the discussion about the adequate scope of
IP rights for search engine operators that enable them to protect their
H

110
Inspired by Burkert’s discussion of legal issues in cyberlaw, supra note 109, at 157. See
also Urs Gasser, What is Information Law – and what could it be?, in INFORMATION LAW
IN EENVIRONMENTS 11-12 (Urs Gasser ed., 2002).
111
See, e.g., Lucas D. Introna & Helen Nissenbaum, Shaping the Web: Why the Politics of
Search Engines Matters, available at
http://www.nyu.edu/projects/nissenbaum/papers/searchengines.pdf (last visited Apr. 24,
2006).
112
A recent global user survey, for instance, suggests that Google’s global usage share has
reached 57.2%. Google User Share Rising (Feb. 7, 2005),
http://www.webrankinfo.com/english/seo-news/topic-503.htm. In addition, not all search
engines use their own technology. Instead, they rely on other search providers for their
listings. E.g. Van Couvering, supra note 29, at 9.
113
See, e.g., the discussions surrounding the Global Online Freedom Act of 2006, supra
note 92.
114
See the rationale for building the above-mentioned Franco-German Search Engine
“Quaero”. German Partners for European Search Engine ‘Quaero’, HEISE ONLINE, Mar.
11, 2006, http://www.heise.de/english/newsticker/news/70717.

221
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.343
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

algorithms and databases. Second, IPR issues that arise between

competitors; such claims often involve patent disputes,115 but might also
include other copyright or trademark issues. Third, the obligations of
search engine operators vis-à-vis the copyright and trademark claims of
the providers of content that is indexed, categorized, linked, cached,
etc.116 Recent controversies regarding digitization projects suggest that
these conflicts will even intensify in the months and years to come.117

– The security debate takes as central themes, among others, the security
of the search infrastructure as well as security in search-related
transactions. Recent disputes about click fraud attacks against search
engines’ advertising programs are illustrations of infrastructure security-
related issues.118

LA
– The identity and privacy debate comprises a broad spectrum of
questions about identity management in search engine-mediated

IM
information processes, and issues about data protection and
informational self-determination vis-à-vis large databases controlled by
search engine operators.119 Examples include the recent controversy
SH
surrounding the disclosure of a search engine’s data requested by the
Department of Justice for the purpose of monitoring sexually explicit
materials on the Web,120 the use of search history for marketing and
LU

115
For examples of suits brought by Digital Envoy, NetJumper, and Overture against
Google for patent infringement, see Danny Sullivan, Search Engines and Legal Issues,
Search Engine Watch,
http://searchenginewatch.com/resources/article.php/2156541#Patents (last visited Apr. 24,
PN

2006).
116
See supra Part II.A. for illustrations of such conflicts.
117
See, e.g., the Google Print controversy: Author’s Guild v. Google, Inc., No. 05CV8136
(S.D.N.Y. Sept. 20, 2005), and McGraw-Hill Co. v. Google, Inc., No. 05Civ8881
(S.D.N.Y. Oct. 19, 2005). See also the tussle over Google’s News Services: Agence France
H

Press v. Google, Inc., No. 05-00546 (D.D.C. filed Mar. 3, 2005). See Daniel Farey-Jones,
News Producers Single Out Google News in Battle Over Free Content, BRAND REPUBLIC,
Feb. 1, 2006, available at
http://www.brandrepublic.com/bulletins/media/article/538934/news-producers-single-
google-news-battle-free-content/ (last visited April 24, 2006).
118
See, e.g., Brian Quinton, Will $90 Million Make Google Click Fraud Go Away?,
MULTICHANNEL MERCHANT, Mar. 21, 2006,
http://multichannelmerchant.com/searchline/3-15-06-Google-settlement/, (discussing
Lane's Gifts & Collectibles LLC v. Yahoo! Inc., No. CV-2005-52-1 (Ark. Cir. Ct. filed
Feb. 17, 2005) and Advanced Internet Techs. v. Google, 2006 WL 889477 (N.D. Cal. Apr.
5, 2006)).
119
See, e.g., Herman T. Tavani, Search Engines, Personal Information and the Problem of
Privacy in Public, 3 IRIE 39 (2005), available at http://www.i-r-i-
e.net/inhalt/003/003_tavani.pdf.
120
See, e.g., Gonzales v. Google, Inc., 2006 WL 778720 (N.D.Cal. 2006); Judge: Google
Must Give Info to Feds, CBS NEWS, Mar. 14, 2006,
http://www.cbsnews.com/stories/2006/03/14/tech/main1401585.shtml.

222
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.344
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

other purposes, or practices such as “Google hacking,” where search

engines are used to gather sensitive information on the Internet.121

– The debate about participation focuses on the role of search engines in

political and cultural processes and spaces. In the age of power-law
distribution, what are the implications of technologies and techniques of
search such as PageRank for information participation, individual
dissent, and personal liberty?122 The debate also includes questions
concerning a potential “right to access search technology,” and the
possible need for a “right to get indexed.”123

– The ethics debate concerns the reevaluation of basic concepts of right

and wrong behavior in a dynamic and globalized information

LA
environment. The question is not only about the moral values shared in
a given society, but also about the relationship between ethics and the
law. The latter topic has gained relevance in the context of global

IM
business activities carried out by search engines, leading to conflicts
between local laws and ethical commitments of U.S.-based Internet
intermediaries.124 Currently, non-legal rules for search engine providers
SH
such as code of ethics or best practices models, and the like are under
consideration.125

In sum, this rough overview suggests that the law and policy
discourse on search engines is still fairly fragmented. 126 However, given the
LU

search engines’ important role in the digital society and the

interdependencies between the policy areas outlined above, this discourse is
likely to result in a broader governance discussion where the interactions
PN

among legal and regulatory measures, search engines, and other

constituencies of the digitally networked environment need to be explored
H

121
See, e.g., Tom Sanders, Worms turn on Google to hunt for victims, VNUnet UK, Feb 15,
2006, http://www.vnunet.com/vnunet/news/2150292/worms-google-hunt-victims
122
See, e.g., Symposium, “Regulating Search?” Panel 4, held by the Yale Law School,
available at http://islandia.law.yale.edu/isp/regulatingsearch.html#paneldescriptions (last
visited April 24, 2006).
123
Conversely, and linked to the privacy debate, is the issue of withholding or intentionally
"down-ranking" undesirable materials with regard to search results. See, e.g., Frank A.
Pasquale, Rankings, Reductionism, and Responsibility, Seton Hall Public Law Research
Paper No. 888327, Feb. 25, 2006, available at http://ssrn.com/abstract=888327.
124
See, e.g., Andrew McLaughlin, Congressional Human Rights Caucus Members’
Briefing “Human Rights and the Internet – The People’s Republic of China,” Feb. 1, 2006,
http://googleblog.blogspot.com/2006/02/human-rights-caucus-briefing.html.
125
See, e.g., John G. Palfrey, Jr., Testimony to the U.S. House of Representatives
Committee on International Relations, Feb. 15, 2006, available at
http://blogs.law.harvard.edu/palfrey/stories/storyReader$1063.
126
Among the most comprehensive studies is that of Rolf H. Weber & Dirk Spacek,
RECHTSFRAGEN RUND UM SUCHMASCHINEN (2003).

223
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.345
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

carefully. Taking the recent Internet governance debate as a background and

looking ahead, the following section seeks to sketch some of the emerging
cross-sectional challenges for future policy-making concerning search
engines.

B. CHALLENGES AHEAD

Policy-makers face a series of challenges when crafting governance

frameworks aimed at regulating search engines in particular and online
search in general. Some of the challenges are problems generally associated
with law and policy-making, both in offline environments and cyberspace,
and others are more search engine-specific. With regard to search engine
regulation, one might identify, inter alia, the following key challenges:

LA
 Justification: At least in Western societies, the burden of proof
regarding the need for regulation is on the regulator. In the case of

IM
search engines, especially the existence of information
asymmetries—e.g. regarding search algorithms127—and market
power128 may be considered justifications for future regulation.129
SH
However, cyberspace creates a “quicksilver technological
environment”130 that might make yesterday’s regulation superfluous
tomorrow. In fact, the brief history of search engines sketched in
Part I of this paper not only illustrated how fast-paced innovation in
LU

search technology has been, but also demonstrated the power of

new technologies to reallocate the market power of search engine
operators.131
 Prioritization: Legislation and regulation, respectively, are costly
PN

processes, requiring that the many items on the broad policy

agenda132 are prioritized. As discussed in Part II, IPR issues have
traditionally gained a significant amount of attention both by courts
H

and legislators, while debates about content regulation, consumer

protection, and privacy have intensified more recently. Vis-à-vis the
complex interactions among powerful interest groups involved in
127
See, e.g., NIVA ELKIN-KOREN & ELI M. SALZBERGER, LAW, ECONOMICS AND
CYBERSPACE: THE EFFECTS OF CYBERSPACE ON THE ECONOMIC ANALYSIS OF LAW 73
(2004).
128
Id. at 77.
129
For a general discussion, see, for example, STEPHEN BREYER: REGULATION AND ITS
REFORM 15-35 (1982), and ROBERT BALDWIN & MARTIN CAVE, UNDERSTANDING
REGULATION: THEORY, STRATEGY, AND PRACTICE 9-17 (1999).
130
See MGM Studios, Inc. v. Grokster Ltd., 380 F.3d 1154, 1167 (9th Cir. 2004) (citing
AT&T Corp. v. City of Portland, 216 F.3d 871, 876 (9th Cir.1999)).
131
Supra Part I. See also Neil Gandal, The Dynamics of Competition in the Internet Search
Engine Market, Univ. of Cal., Berkeley Competition Policy Ctr., Working Paper No.
CPC01-17 (Jan. 2001), available at http://repositories.cdlib.org/iber/cpc/CPC01-017/.
132
See supra Part III.A.

224
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.346
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

legislative processes, however, it remains an open question which

policy area will be in the focus of a next wave of regulation.
 Reconciliation: Arguably, proposals of legal and/or regulatory
interventions aimed at governing search engines in the policy areas
outlined above pursue a wide range of policy goals, some of which
will not be perfectly aligned. Such regulatory trade-offs—or at least
tensions—may exist, for instance, between open access to search
infrastructure and infrastructure security, or between privacy and
content control.133 The challenge to reconcile different policy
objectives might thereby increase in the case of staggered
legislation and regulation due to effects such as path-dependency or
the like.
 Timing and Change: The history of technology-regulation is rich

LA
with examples of outdated laws.134 As noted above, search
technology has been evolving rapidly, too. Thus, policy-makers
face the challenge of synchronizing technological innovation with

IM
legal evolution if they choose to regulate search engines.135
Techniques such as “sunset-clauses” and fixed periods of evaluation
will become particularly important in the search governance
SH
context.
 Design: In the case of search engine regulation, as in others, policy-
makers have to make a series of design choices,136 including
decisions about the appropriate regulatory strategy (e.g., command
LU

and control regulation, incentive-based regimes, liability laws), and

choices about institutions and structures. Most recently, the
promises and limits of self-regulation of search engine operators
PN
H

133
The latter tension is illustrated by the law enforcement agencies' interest in search data.
See, e.g., Fred von Lohmann, Could Future Subpoenas Tie You to ‘Britney Spears Nude’?,
Special to Law.com, Feb. 6, 2006, http://www.eff.org/deeplinks/archives/004385.php.
134
See, for example, the Audio Home Recording Act of 1992, 17 U.S.C. § 10 (2000). The
Act was primarily aimed at DAT technology and sought to establish a system of royalty
levies. But DATs were quickly supplanted by compact discs before DAT technology had a
chance to take hold in the U.S. market, due probably in large part to threatened legal action.
By the time recordable CD media became available which may have fallen within the Act's
provisions, other digital recording technology—the MP3—had emerged and was held by
the Ninth Circuit Court to escape the purview of the Act. See WILLIAM W. FISHER III,
PROMISES TO KEEP: TECHNOLOGY, LAW, AND THE FUTURE OF ENTERTAINMENT 83-87
(2004).
135
On the myth of technological neutrality in information regulation, see Herbert Burkert,
Four Myths About Regulating the Information Society – A Comment, in STARTING POINTS
FOR ICT REGULATION. DECONSTRUCTING PREVALENT POLICY ONE-LINERS 240-42 (Bert-
Jaap Koops, Miriam Lips, Corien Prins et al. eds., 2006).
136
See, e.g., BALDWIN & CAVE, supra note 129, at 34-75.

225
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.347
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

have come up for discussion, especially in the context of speech

regulation.137
 Internationalization and transcultural issues: Online search engines
are operating in a globalized and networked environment. It is well
established that this particular environment is characterized by a
tension between the global scope of business activities and local
laws that seek to regulate such activities,138 a situation that poses
manifold challenges for policy-making, both at the legislative139
and judicial140 level. Search engine operators themselves, in turn,
are currently particularly concerned about the significant
differences among national laws, regulations, and ethics that govern
content and informational privacy, as a recent congressional hearing
illustrated.141

LA
137
The German example of the Subcode of Conduct for Search Engine Providers of the

IM
Association of Voluntary Self-Regulating Multimedia Service Providers, available at
http://www.fsm.de/en/SubCoC_Search_Engines (last visited April 10, 2006), aimed at
improving consumer protection as well as protection of children and young persons with
their use of search engines in Germany, illustrates in this context how blended governance
SH
models of state-based regulation and self-regulation can emerge.
138
For a general overview of the cyber-internationalist discourse, see Viktor Mayer-
Schönberger, The Shape of Governance: Analyzing the World of Internet Regulation, 43
VA. J. INT’L L. 605, 626-30 (2003).
139
See, e.g., Global Online Freedom Act of 2006, H. R. RES. 4780, 109th Cong. (2006). For
LU

another interesting example, see also H.R. RES. 12, 107th Cong., at 3 (2001), opposing the
imposition of criminal liability on Internet service providers based on the actions of their
users (“Whereas a number of European and Asian countries have held Internet service
providers in the United States liable for content that is illegal under the laws of those
PN

countries, but protected by the first amendment to our Constitution . . . . ”).

140
Consider, for example, the long-running dispute between Yahoo!, U.S. courts, and
French courts. See Ordonnance de référé rendue le 20 novembre 2000, available at
http://www.juriscom.net/txt/jurisfr/cti/tgiparis20001120.pdf; Yahoo!, Inc. v. La Ligue
Contre Le Racisme et L’Antisémitisme, 169 F. Supp. 2d 1181 (N.D.Cal. 2001); Yahoo!,
H

Inc. v. La Ligue Contre Le Racisme et L’Antisémitisme, 379 F.3d 1120 (9th Cir. 2004)
(holding that the French associations were not subject to personal jurisdiction in ISPs
action.); Yahoo! Inc. v. La Ligue Contre Le Racisme, 433 F.3d 1199 (9th Cir. 2006)
(where, before a panel of 11 judges, a majority of the bench concluded that the suit should
be dismissed, but no majority agreed on the grounds for dismissal). For a legal analysis,
see, for example, Joel R.Reidenberg, The Yahoo Case and the International
Democratization of the Internet, Fordham Law & Economics Research Paper No. 11 (Apr.
2001), available at http://ssrn.com/abstract=267148. From a business ethics perspective,
see Mark Hunter, Marc Le Menestrel, & Henri-Claude de Bettignies, Ethical Crisis on the
Internet: The Case of Licra vs. Yahoo!, in BUSINESS ETHICS AND THE ELECTRONIC
ECONOMY 177-208 (Peter Koslowski, Christoph Hubig & Peter Fischer eds., 2004).
141
The Internet in China: A Tool for Freedom or Suppression?: Joint Hearing of the
House Subcommittee on Africa, Global Human Rights and International Operations and
the Subcommittee on Asia and the Pacific, 109th Cong. (2006),
http://wwwc.house.gov/international_relations/109/af021506.htm; witness testimony
available at http://wwwc.house.gov/international_relations/afhear.htm (last visited Apr. 24,
2006).

226
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.348
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

In sum, policy-makers—both at the national and international

level—have to make a complex set of choices about sometimes
complementary, sometimes competing policy goals, regulatory strategies
and techniques, institutional designs, and timing, to name just a few, if they
seek to establish a governance framework for search engines. In the
discursive processes of policy-making, these choices—as the history of
cyberlaw teaches us142–require an open discussion and shared
understanding of what fundamental values should underlie today’s
information society in the first place. The next section seeks to contribute to
this discourse.

C. NORMATIVE FOUNDATIONS

LA
1. Democratic values

IM
The heated global Internet Governance debate over the past few
years has illustrated the extent to which information-related values, like
others, are mostly culture-specific. However, despite all differences,
SH
overlapping consensus exists with regard to certain ethical convictions on
the one hand and certain universal values—i.e., human rights—on the other
hand.143 It remains the challenge of future discourses in various fora to
identify such clusters of basic norms, values, and rules. In the context of
LU

this paper, I would like to suggest three core values of a democratic

ecosystem that are hopefully widely acceptable at least in the Western part
of the world.144 These core values are: (a) informational autonomy; (b)
diversity; and (c) information quality.
PN

The first value suggested here is informational autonomy. Viewed

from an information law perspective,145 autonomy in this sense includes at
least three elements. First, an individual must have the freedom to make
H

choices among alternative sets of information, ideas, and opinions. This

142
See Burkert, supra note 109, at 171.
143
See, e.g., Thomas Hausmanninger, Controlling the Net: Pragmatic Actions or Ethics
Needed? IJIE Vo. 1 (June, 2004), available at http://www.i-r-i-
e.net/inhalt/001/ijie_001_04_hausmanninger.pdf.
144
Note that some of the values mentioned below, in fact, are fundamental rights, including
human rights. I use the term value in this context as a generic term for various categories
of policy goals. The following sections are based upon Urs Gasser, The Good, The Bad,
and The Ugly: Information Quality on the Internet (unpublished manuscript, on file with
author.)
145
The relation between autonomy and information has been analyzed in great detail by
Yochai Benkler, Siren Songs and Amish Children: Autonomy, Information, and Law, 76
N.Y.U. L. REV. 23 (2001) (discussing the potential effects of law on autonomy by
structuring the information environment), and most recently in YOCHAI BENKLER, THE
WEALTH OF NETWORKS: HOW SOCIAL PRODUCTION TRANSFORMS MARKETS AND
FREEDOM, ch. 5 (133 et seq.) (2006).

227
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.349
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

includes the freedom to decide what information someone wants to receive

and process.146 Second, informational autonomy as an aspect of individual
liberty necessitates that everyone has the right to express her own beliefs
and opinions.147 Third, informational autonomy in the digitally networked
environment arguably requires that every user can participate in the creation
of information, knowledge, and entertainment.148 It is the shift from passive
receivers of information to active users149 that fosters individual
participation and enables new forms of creative expression, thereby
expanding the possibilities for the realization of a semiotic democracy.150
The development of an individual’s own personality and self-fulfillment151
intersects with a second core value of a democratic information society: its
diversity.
Diversity in the sense of a wide distribution of information from a

LA
great variety of competing sources as a societal value has traditionally been
emphasized in First Amendment jurisprudence and scholarship, where it has
long been considered to be essential to public welfare.152 Diversity, in

146

IM
In the U.S., this right is an inherent corollary of the rights of free speech and free press.
Thomas v. Collins, 323 U.S. 516, 534 (1944). “The dissemination of ideas can accomplish
SH
nothing if otherwise willing addressees are not free to receive and consider them.” Jamie
Kennedy, Comment, The Right to Receive Information: The Current State of the Doctrine
and the Best Application for the Future, 35 SETON HALL L. REV. 789, 792 (2005) (quoting
Lamont v. Postmaster General, 381 U.S. 301, 308 (1965) (Brennan, J., concurring)).
147
The freedom to speak has long been recognized as an aspect of individual liberty and,
LU

consequently, as an end in itself. See Bose Corp. v. Consumers Union of United States,
Inc., 466 U.S. 485 (1984). See, e.g., Edwin Baker, First Amendment Limits on Copyright,
55 VAND.L. REV. 891 (2002) (conceptualizing “expressive liberty” as part of a person’s
autonomy that must be respected by the state).
PN

148
See Jack Balkin, Digital Speech and Democratic Culture: A Theory of Freedom of
Expression for the Information Society, 79 N.Y.U. L. REV. 1 (2004) (arguing that digital
technologies have altered the social conditions of speech and, thus, that free speech theory
should focus on protecting and promoting a democratic culture; Balkin frames democratic
culture both in terms of individual liberty as well as collective self-governance).
H

149
See, e.g., Yochai Benkler, Viacom-CBS Merger: From Consumers to Users: Shifting the
Deeper Structures of Regulation Towards Sustainable Commons and User Access, 52 FED.
COMM. L.J. 561, 562 (2000).
150
See, e.g., William W. Fisher III, PROMISES TO KEEP: TECHNOLOGY, LAW, AND THE
FUTURE OF ENTERTAINMENT, 28-31 (Stanford University Press , 2004). See also Rosemary
J. Coombe, Author/izing Celebrity: Publicity Rights, Postmodern Politics, and
Unauthorized Genders, 10 CARDOZO ARTS & ENTERTAINMENT L.J. 365 (1992); Michael
Madow, Private Ownership of Public Image: Popular Culture and Publicity Rights, 81
CAL. L. REV. 125 (1993); Sudakshina Sen, Fluency of the Flesh: Perils of an Expanding
Right of Publicity, 59 ALBANY L. REV 739, 752-3 (1995). The phrase “semiotic
democracy” goes back to cultural theorist John Fiske. JOHN FISKE, TELEVISION CULTURE
236-39 (1987).
151
See, e.g., Melville Nimmer, The Right to Speak from Times to Time: First Amendment
Theory Applied to Libel and Misapplied to Privacy, 56 CAL. L. REV. 935 (1968).
152
See Associated Press v. U.S., 326 U.S. 1, 20 (1945) (“[The First] Amendment rests on
the assumption that the widest possible dissemination of information from diverse and
antagonistic sources is essential to the welfare of the public…”).

228
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.350
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

essence, can either be seen as a valuable mechanism to attain truth,153 or as

a crucial instrument for protecting democratic process and democratic
deliberation.154 However, a diverse information environment in its current
incarnation not only improves deliberation and decision-making processes.
Rather, the diversity of information, knowledge, and entertainment is an
important aspect of the broader concept of cultural diversity which has been
recognized as a fundamental value of our societies.155 A diverse
informational and cultural environment, in turn, has important feedback
effects on individuals. The greater the variety in information, knowledge,
and entertainment opportunities available to the members of a society, the
more they are asked to decide for themselves what to think and how to act.
In this process, users further develop their own informational skills and
routines and, in turn, contribute to a richer and more diverse information

LA
environment.156
As individuals, groups, and societies, we heavily depend in our
decision-making processes on information, which is increasingly acquired

IM
over the Internet. According to an April 2006 survey by the Pew Research
Center, for instance, 45% of Internet users indicated that the Internet helped
them make big decisions or negotiate their way through major episodes in
SH
LU

153
The theory that free speech is an instrument of the search for truth on a “marketplace of
ideas” underlies Holmes’ famous dissent in Abrams v. United States: “the best test for truth
is the power of the thought to get itself accepted in the competition of the market.” 250
U.S. 616, 630 (1919). The truth and social utility approach to the legitimation of free
PN

speech has been contested. See, e.g., Derek Bambauer, Shopping Badly: Cognitive Biases,
Communications, and the Fallacy of the Marketplace of Ideas, 77 UNIV. OF COLO. L. REV.
(forthcoming, spring 2006).
154
One school of thought sees freedom of speech as a mean to assure the effectiveness of
democratic processes. See, e.g., ALEXANDER MEIKLEJOHN, FREE SPEECH AND ITS
H

RELATION TO SELF-GOVERNMENT (1948), reprinted in POLITICAL FREEDOM: THE

CONSTITUTIONAL POWERS OF THE PEOPLE (1979). The consideration of as many facts and
arguments as possible which can be put forth in support of or against a proposition, so the
argument goes, is the best way to make sound and rational judgments. See, e.g., Thomas I.
Emerson, Toward a General Theory of the First Amendment, 72 YALE L.J. 877 (1963).
Another approach focuses on democratic participation in the sense of collective self-
determination. See, e.g., OWEN M. FISS, THE IRONY OF FREE SPEECH (1996).
155
Cultural diversity has been recognized in the international arena. See UNESCO,
Universal Declaration on Cultural Diversity (November 2, 2001), available at
http://unesdoc.unesco.org/images/0012/001271/127160m.pdf; Convention on the
Protection and Promotion of the Diversity of Cultural Expressions (October 20, 2005),
available at http://unesdoc.unesco.org/images/0014/001429/142919e.pdf; see, e.g., Ivan
Bernier, A UNESCO International Convention on Cultural Diversity, in FREE TRADE
VERSUS CULTURAL DIVERSITY: WTO NEGOTIATIONS IN THE FIELD OF AUDIOVISUAL
SERVICES 65-76 (Christoph Beat Graber, Michael Girsberger, Mira Nenova eds., 2004).
156
See also FISHER, supra note 134, at 26-28 (discussing the social benefits of cultural
diversity).

229
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.351
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

their lives in the previous two years.157 Another earlier Pew study suggests
that 67% of Americans expect that they can find reliable information about
health or medical conditions online,158 while 63% expect that businesses
have a web site that provides information about a product they are
considering to buy, and 65% of all Americans expect the Web to have
information from a government agency.159 A recent Pew Report suggests
that online news takes center stage as a news source for 40% of broadband
users,160 while an earlier study indicates that 85% of American Internet
users expect to be able to find reliable, up-to-date news online.161 In order
to make sound decisions in the above-mentioned and other areas of life, we
depend on high-quality information. However, functional and cognitive
aspects are only two dimensions of the information quality concept.162 It
also includes aesthetic and ethical requirements of different stakeholders

LA
such as users, creators, experts, and administrators. In order to increase an
individual’s opportunity to live her life according to her own informational
preferences, legal and regulatory regimes should contribute to the creation

IM
and further development of a high-quality information ecosystem.
It is important to note that these core values are not necessarily
always aligned. Unleashed diversity in the digitally networked environment,
SH
for instance, might have negative feedback effects on user autonomy
because it increases an individual’s risk to be exposed to undesired
information. A regulatory approach aimed at ensuring high-quality
information, by contrast, might be in tension with informational autonomy,
LU

because it may impose a quality requirement leading to a level of quality

157
John Horrigan & Lee Rainie, The Internet’s Growing Role in Life’s Major Moments,
PN

Pew Internet & American Life Project (April 19, 2006),

http://www.pewinternet.org/pdfs/PIP_Major%20Moments_2006.pdf.
158
A recent study suggests that 79%of American Internet users have searched for health
information online. See Susanna Fox, Reports: Health Information Online, Pew Internet &
American Life Project (May, 2005),
H

http://www.pewinternet.org/pdfs/PIP_Healthtopics_May05.pdf.
159
John Horrigan & Lee Rainie, Counting on the Internet, Pew Internet & American Life
Project (December 29, 2002), http://www.pewinternet.org/pdfs/PIP_Expectations.pdf.
Compare with more recent studies conducted by UCLA and the USC Annenberg School,
Center for the Digital Future, which find that user perception of the reliability and accuracy
of information on the internet has been falling; 48.8% of users in 2005 indicated that they
believed most or all information on the internet was reliable and accurate, whereas 81.3%
of users indicated that they believed most or all information on sites they visit regularly
was reliable and accurate. Center for the Digital Future, USC Annenberg School, Fifth
Study of the Internet by the Digital Future Project Finds Major New Trends in Online Use
for Political Campaigns (Dec. 7, 2005), at 4-5, http://www.digitalcenter.org/pdf/Center-
for-the-Digital-Future-2005-Highlights.pdf.
160
John Horrigan, Online News: For many home broadband users, the internet is a
primary news source, Pew Internet & American Life Project (March 22, 2006),
http://www.pewinternet.org/pdfs/PIP_News.and.Broadband.pdf.
161
Horrigan, Counting on the Internet, supra note 159.
162
See, e.g., MARTIN EPPLER, MANAGING INFORMATION QUALITY (2003), 58 et seq.

230
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.352
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

that does not meet an individual’s informational needs.163 Thus, policy-

makers seeking to regulate the digitally networked environment face the
challenge of dynamically balancing among autonomy, diversity, and
quality.

2. Quest for policy principles

However, the three fundamental information-related values outlined

in the preceding paragraph set the stage for crafting guiding principles for
policy-making. With regard to search engine regulation, specifically, one
might derive, inter alia, the following policy principles, which may provide
guidance for policy-makers in the public and private sector, respectively:

LA
1. Access: Search engine governance frameworks should aim to maximize
access to search engines both for users and content providers on non-
discriminatory terms. The role of search engines as the new gatekeepers

IM
has been discussed elsewhere and does not have to be repeated here.164
In any event, “access” has at least two important meanings from a
normative perspective. Access in the sense of access to search
SH
infrastructure is crucial for users,165 because it is the prerequisite for the

163
In the case of search engine regulation, this problem is accentuated by the fact that
LU

search engines simultaneously affect all three aspects. For example, since search engine
users often do not know in advance what specific piece of information they are looking for,
the quality of the information that users get depends to a great extent on search engines.
Consequently, the quality of information is intertwined with the quality of the search
PN

engine that defines which information becomes available based on any given query.
Similarly, search engines have effects on autonomy and diversity in the digitally networked
environment.
164
This role has been particularly emphasized by German scholars. E.g. Marcel Machill,
Wegweiser im Netz: Qualität und Nutzung von Suchmaschinen, in WEGWEISER IM NETZ
H

(Marcel Machill and Welp Carsten. eds, 2003); WOLFGANG SCHULZ, THORSTEN HELD,
AND ARNE LAUDIEN, SUCHMASCHINEN ALS GATEKEEPER IN DER ÖFFENTLICHEN
KOMMUNIKATION (2005). See generally Introna & Nissenbaum, supra note 111; Nico van
Eijk, Search Engines: Seek and Ye Shall Find? The Position of Search Engines in Law,
IRIS PLUS 2006-02 (Jan. 2006), available at
http://www.obs.coe.int/oea_publ/iris/iris_plus/iplus2_2006.pdf.en; Eszter Hargittai, Online
Gatekeepers: Myth or Reality, http://tprc.org/papers/2002/82/hargittai-tprc2002paper.pdf
(last visited Apr. 24, 2006); Niva Elkin-Koren, Let the Crawlers Crawl: On Virtual
Gatekeepers and the Right To Exclude Indexing, 26 DAYTON L. REV. 179 (2001); Karine
Barzilai-Nahon & Seev Neumann, Gatekeeping in Networks: A Metatheoretical
Framework for Exploring Information Control (Nov. 2005),
http://www.ischool.washington.edu/karineb/html/pub/GatekeepingMetatheory.pdf
(providing a more theoretical discussion of gatekeepers in networked environments).
165
Competing search engines, too, can have an interest in accessing the search
infrastructure—or parts of it such as the index—of their competitors. For a German view
on the competition law issues involved, see Wolfgang Schulz, Thorsten Held and Arne
Laudien, Search Engines as Gatekeepers of Public Communication: Analysis of the

231
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.353
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

above-mentioned freedom to efficiently and effectively make choices

among alternative sets of ideas, information, and opinions in the digital
age. Consequently, policies that pursue the goal of fostering
informational autonomy in the digitally networked environment would
aim to create an ecosystem that tends to increase access to search
infrastructures.166 However, in an environment where consumers are no
longer passive receivers of information, but increasingly active
contributors to the information ecosystem, access also concerns the
(controversial) debate about the entitlement of users (as creators) to be
integrated into search indexes and ranking lists, or at least the possible
remedies against discrimination in the indexing or ranking processes.
Viewed from the autonomy and diversity perspective and as a matter of
policy,167 technologies and politics that are aimed at inclusion are

LA
therefore prima vista favorable over alternative approaches that would
result in significant decrease in content inclusion.
2. Informational self-determination: A second principle that derives from

IM
the values outlined above and is closely related to informational
autonomy is the users’ right to make choices about the collection and
use of personal search data collected by search engine operators. Thus,
SH
the respective policy principle asks for the creation of governance
regimes where the collection and storage of personal search data—
taking the different interests into account—is optimized or, preferably,
minimized.168 The problems associated with information collection
LU

practices by search engines have been illustrated both in the domestic

and international contexts.169
3. Transparency: Another policy principle that might be derived from the
values discussed above is transparency of search engines. Transparency
PN

requirements in the context of search engines are often considered as the

H

German framework applicable to internet search engines including media law and
antitrust law, 5 GERMAN L.J. No. 10 – 1, 1424-27 (October 2005).
166
The means to achieve this goal, of course, do not need to follow a command-and-control
approach. Rather, the regulatory strategy might be a completely incentive-based, market-
driven approach. However, interventionist proposals such as the above-mentioned idea of
the creation of a service public search engine might be evaluated in the light of their impact
on equal and universal access to search.
167
For the current state of and developments in U.S. case law, see Part II. Access rights of
this sort, in contrast, are considered in some European jurisdictions. See, e.g., SCHULZ ET
AL., supra note 164, at 1424 (differentiating between “normal” inclusion and “paid
inclusion”, id. 1425).
168
A potential “right to search anonymously” was also on the agenda at the Regulating
Search? Conference at Yale Law School in December 2005.
169
See, e.g., A Code of Conduct for Internet Companies in Authoritarian Regimes (Feb. 15,
2006), http://www.eff.org/deeplinks/archives/004410.php (“With the stakes so high in
countries like China, no Internet company should gather more information than they
absolutely need about their costumers …”); von Lohmann, supra note 133.

232
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.354
 REGULATING SEARCH ENGINES: TAKING STOCK AND LOOKING AHEAD

potential response to a problem of asymmetric information,170 i.e., the

fact that the algorithms of search engines are generally trade secrets171
and might therefore result in undetected, inherent biases172 that
ultimately shape the construction of meaning in cyberspace.173 A policy
principle—applicable at the corporate level—might suggest that
operators inform the users about the way in which the search engine
works and explain the basic criteria of ranking.174 Additionally,
transparency as a policy principle can also relate to yet another
controversial subject: the separation of advertisement from the list of
unpaid results and the question of appropriate labeling of commercial
communications. As a model for a policy principle one might consider
§ 2 of the German Subcode of Conduct for Search Engine Providers.175
In a third interpretation, transparency as a mechanism can be applied to

LA
alleviate the impact of content filtering requirements imposed on search
engines by legislation or regulations. Google, for instance, uses this
mechanism in several jurisdictions if search results are removed for

IM
legal reasons. In response to a search on Google.de for the keyword
“stormfront,” for example, Google informs at the bottom of the result
page how many results had to be removed due to legal requirements.176
SH
This notice links to the ChillingEffects.org project, where the user can

170
See, e.g., Introna & Nissenbaum, supra note 111, at 32; SCHULZ ET AL., supra note 164,
at 1431.
LU

171
See, e.g., SearchKing, Inc. v. Google Technology, Inc., No. CIV-02-1457-M, 2003 WL
21464568, at *3 n.2 (W.D. Okla. May 27, 2003).
172
For a detailed discussion, see Eric Goldman, Search Engine Bias and the Demise of
Search Engine Utopianism in this volume.
PN

173
On search engines’ role in construction meaning, see, e.g., ELKIN-KOREN &
SALZBERGER, supra note 127.
174
See Subcode of Conduct for Search Engine Providers of the Association of Voluntary
Self-Regulating Multimedia Service Provider, supra note 141, at § 2 Rules of Conduct,
clause 1 ("The Code signatories agree to clarify to the user the functioning method of the
H

search engine. In the same way, the signatories shall describe the circumstances that will
cause an exclusion from the search results. This information should be easily accessible to
the user."). See also Carsten Welp and Marcel Machill, Code of Conduct. Transparency in
the Net: Search Engines, 3 IRIE (June 2005), available at http://www.i-r-i-
e.net/inhalt/003/003_code.pdf. For a critical view on regulatory interventions, see
Goldman, supra note 179.
175
Subcode of Conduct for Search Engine Providers of the Association of Voluntary Self-
Regulating Multimedia Service Provider, supra note 137, at § 2 Rules of Conduct, clause 2
(“Within the framework of its possibilities, the Code signatories agree to transparently
structure its search results pages. Search engine results which owe their position on the
search results page to a commercial agreement with the respective search engine provider
shall be reasonably designated. This can occur, in particular, by use of the terms
‘Advertisement’, ‘Sponsor Link’, ‘Sponsored Link’ or ‘Sponsored Web Site’.”).
176
“Aus Rechtsgründen hat Google 3 Ergebnis(se) von dieser Seite entfernt. Weitere
Informationen über diese Rechtsgründe finden Sie unter ChillingEffects.org.” Stormfront –
Google-Suche, http://www.google.de/search?hl=de&q=stormfront&btnG=Google-Suche
(last visited Apr. 24, 2006).

233
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.355
 YALE JOURNAL OF LAW & TECHNOLOGY SPRING 2006

learn more about the reasons that led to the filtering of the results, and
can compare search results across national domains.177 This practice is
well suited to contribute to all of the three values outlined above and
should be considered as a minimum transparency principle for search
engines in particular and Internet intermediaries more generally.178

The rough sketch of three basic principles might illustrate how

concrete guidance for policy-makers both in the public and private sector
can be derived from core values that underlie today’s information society.
The proposed policy principles may also serve as an initial basis for a
systematic comparison and thorough normative evaluation of future
governance regimes aimed at regulating search engines in particular and
searches in general.

LA
IV. CONCLUSION

IM
Building upon a brief history of the technological innovations that
underlie web search and corresponding business models, this paper has
traced the emerging law of search engines in broad strokes. This analysis
SH
illustrates how and in what respect the legal system has responded to search
engine-related legal issues. Past and present issues considered by courts,
regulators, and legislators reveal seven core themes of future policy debates:
infrastructure, content, ownership, security, identity and privacy,
LU

participation, and the ethics debate. For these policy areas, policy-makers
have to deal with the manifold challenges touched upon in this paper,
including the task of prioritizing items on the regulatory agenda, reconciling
competing policy goals, ensuring the legal system’s ability to learn in
PN

response to technological change, and managing transcultural issues, among

others. Three basic values—informational autonomy, diversity, and,
information quality—intersect the policy debates surrounding the role and
H

function of search engines within the digital environment. Taken together,

these considerations may chart out a more comprehensive governance
framework which effectively addresses total policy concerns, yet retains the
flexibility to respond to technological change and innovation.

177
Chilling Effects Google Search Comparator,
http://www.chillingeffects.org/images/search-comparator/ (last visited Apr. 24, 2006).
178
A best practice-oriented approach could go further by obliging search engine operators,
if not prohibited by law, to report data on search terms and web sites that are considered to
be sensitive under the applicable law and by the respective authorities, respectively.

234
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.356
Note

Transnational Cyber Offenses:

Overcoming Jurisdictional Challenges
Alexandra Perloff-Gilest

INTRODUCTION..........................................................................191

I. INTERNET ARCHITECTURE AND THE MECHANICS OF CYBER ATTACKS.......................................193

A. Historical Overview of Internet Design ................................. 193
B. Transnational Cyber Attacks Defined ................................... 195
C. Common Types of Transnational Cyber Attacks ....................................197

LA
II. BEYOND DOMESTIC CRIMINAL LAW AND INTERNATIONAL HUMANITARIAN LAW:
TRANSNATIONAL CYBER OFFENSES AND THE PROBLEM OF JURISDICTION ................................. 200
IM
A. The International Humanitarian Law Framework and Its Limitations............................201
B. The Domestic Criminal Law Framework and Its Limitations ........... ....... 204
SH

III. ACCOUNTABILITY FOR TRANSNATIONAL CYBER OFFENSES: INTERNATIONAL DISPUTE

R ESOLUTION ......................................................... 209
A. International Arbitration and Civil Liability... ............................... ........... 211
B. Transnational Criminal Law ............................. ............. ............ 215
C. International Criminal Law .......................................... 220
LU

1. Universal Jurisdiction. ............................... ..... ......... 223

2. Complementarity .................. ............................ ....................... 225
PN

CONCLUSION........... ................................................................ 226

INTRODUCTION
H

In his 1996 Declaration of the Independence of Cyber Space, cyber

activist (and former Grateful Dead lyricist) John Perry Barlow vividly
described the Internet as a place beyond national borders:
Governments of the Industrial World, you weary giants of flesh and steel, ... I
declare the global social space we are building to be naturally independent of the
tyrannies you seek to impose on us. You have no moral right to rule us nor do you
possess any methods of enforcement we have true reason to fear. ... Cyberspace

t Law clerk to the Hon. Marsha S. Berzon, Ninth Circuit Court of Appeals; Yale Law
School, J.D. 2017; Harvard College, A.B. 2011. I am very grateful to Professors Joan Feigenbaum,
Oona Hathaway, and especially Scott Shapiro, for providing the impetus for this Note and helpful
suggestions throughout the writing process. I would also like to thank Peter Tzeng and my classmates in
the Law and Technology of Cyber Conflict course, as well as Erin Biel, Valerie Comenencia Ortiz,
Shikha Garg, Beatrice Walton, Mattie Wheeler, and the other editors of the Yale Journal of
InternationalLaw, for their valuable feedback and careful editing.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.357

192 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

does not lie within your borders.'

As Barlow's declaration makes clear, cyberspace lacks geographic boundaries
and does not map neatly onto the traditional system of territorial jurisdiction.
2
While this jurisdictional dilemma has long been recognized, few have
examined its precise contours. Partly because of this failure to map the precise
nature of the jurisdictional problem, regulation of the Intemet is commonly
seen as either empirically unfeasible or normatively illegitimate. Meanwhile,
cyber threats have proliferated, accentuating the need to regulate cyber activity
and to impose sanctions for cyber offenses.
This Note examines one category of cyber threat for which the problems
of territorial jurisdiction are particularly acute: transnational cyber offenses.
Transnational cyber offenses ripple across borders, exploiting the global,
interconnected architecture of Internet communications. They affect multiple
countries, their reach often difficult to cabin or predict. They may be carried
out by individuals or non-State groups, affiliated or not with a government;
they may target individuals, corporations, foreign media, State entities, or all of

LA
the above. By distinguishing transnational cyber offenses such as malware
from other cyber threats such as cyberwarfare or ordinary computer crime, this
Note invites regulators to develop and implement more creative, tailored
IM
solutions to address this increasingly common and disruptive form of attack.
Part I provides the technical background to illuminate why transnational
SH

cyber offenses represent a distinctive legal challenge. I describe the

architectural design choices that shaped the modem cyber landscape; define
transnational cyber offenses; and explain the technical features of common
transnational cyber offenses. Part II shows why transnational cyber offenses in
LU

particular cannot be adequately regulated under the standard legal frameworks

of domestic crime or war. Reassessing the much-debated issue of whether
existing law applies to the cyber context, I contend that the proper question is
PN

not whether those frameworks apply but when they apply or what kinds of
cyber. hostilities existing frameworks can properly regulate. I show that, while
both domestic criminal law and the international law of armed conflict may be
H

appropriate legal frameworks for some cyber activity, neither properly applies
to transnational cyber offenses. 3
Finally, Part III offers possible legal solutions for holding perpetrators of
transnational cyber offenses accountable. Without accountability measures,
cyberspace risks becoming a Hobbesian state of nature in which victims engage
in self-help and cyber-vigilantism. Recognizing the need for creative
alternatives to either domestic criminal law or international humanitarian law, I
look to both historical and contemporary models of international dispute

1. John Perry Barlow, A Declaration of the Independence of Cyberspace, ELECTRONIC

FRONTIER FOUND. (Feb. 8, 1996), http://www.eff.org/cyberspace-independence.
2. See generally David R. Johnson & David Post, Law and Borders-The Rise of Law in
-Cyberspace,48 STAN. L. REV. 1367 (1996).
3. Long before the invention of the Internet, Philip Jessup coined the term "transnational
law" to refer to law that "regulates actions or events that transcend national frontiers." PHILIP JESSUP,
TRANSNATIONAL LAW 2 (1956). Cyber activities are quintessential transnational events.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.358

 2018] TransnationalCyber Offenses 193

resolution to offer novel solutions based on international civil arbitration,

transnational criminal law, and international criminal law. As the number of
transnational cyber offenses continues to escalate, and the nascent Internet of
Things-a rapidly growing network of "smart" or Internet-connected devices-
promises to raise the stakes of these threats, the stability and security of
cyberspace depend upon the elaboration of an effective global accountability
regime.

I. INTERNET ARCHITECTURE AND THE MECHANICS OF CYBER ATTACKS

A. HistoricalOverview ofInternet Design

The same features of the Internet that were crafted to ensure its
survivability in the Cold War era create security vulnerabilities today. Rather
than taking an uninterrupted journey from one point to another, digital
information makes many short trips as it navigates computer networks. This
node network system opens up many more points of attack and allows attacks

LA
to spread widely across geographic boundaries. Put briefly, "[t]he origin of the
threat posed by cyberspace is found in the architecture of the Internet itself." 4
In the early 1960s, as the United States and the Soviet Union were
IM
building up their nuclear ballistic missile systems and became ensnared in the
Cuban Missile Crisis, a nuclear attack seemed imminent. The central node of
SH

telephony systems, through which all communications passed, came to be

regarded as "a single, very attractive target."5 Consequently, U.S. officials and
researchers sought alternatives to command and control communications
systems that could withstand nuclear devastation.
LU

Taking up that challenge, engineer Paul Baran developed a new

communications network built upon the principles of redundancy and
decentralization. In contrast to telephony systems, Baran's system relies on a
PN

distributed network, whereby each node is connected to multiple other nodes in

a web. Information is routed from one node to another until it reaches its final
destination in a process Baran referred to as "hot-potato routing." 6 Without a
H

centralized switching facility, links can survive attacks on some of the

switching nodes: if there is a problem or congestion at one node, information
can simply route around it. In Baran's words, "[t]here is no central control;
only a simple local routing policy is performed at each node, yet the over-all
system adapts."7 Compared to hierarchical systems, Baran's distributed

4. William M. Stahl, The Uncharted Waters of Cyberspace: Applying the Principles of

InternationalMaritime Law to the Problem of Cybersecurity, 40 GA. J. INT'L & COMP. L. 247, 252
(2011).
5. JANET ABBATE, INVENTING THE INTERNET 16 (1999) (quoting PAUL BARAN, 5 ON
DISTRIBUTED COMMUNICATIONS: HISTORY, ALTERNATIVE APPROACHES, AND COMPARISONS 8 (1964)).
6. PAUL BARAN & SHARLA P. BOEHM, 2 ON DISTRIBUTED COMMUNICATIONS: DIGITAL
SIMULATION OF HOT-POTATO ROUTING IN A BROADBAND DISTRIBUTED COMMUNICATIONS NETWORK
(1964), http://www.rand.org/pubs/researchmemoranda/RM3 103.html.
7. Paul Baran, On Distributed Communications Networks, 12 IEEE TRANSACTIONS ON
COMMUNICATIONS SYSTEMS 1, 8 (1964). The distributed network, made up of many short links
connected by nodes, was made possible by the emergence of digital technology. Analog signals

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.359

194 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

network has the advantage, as he described it, of "survivability in the cases of

enemy attack directed against nodes, links or combinations of nodes and
links." 8
Additionally, Baran's system divides information into packets, or what he
termed "message blocks." 9 On older, circuit-switched networks like the analog
telephone network, an act of communication takes up the entire circuit between
two endpoints for the duration of the communication. Packet-switched
networks like the modem Internet, by contrast, break communications into
packets of data that get routed along potentially different paths before
ultimately being reassembled at their final destination. In the Cold War context,
the division of a single message into packets had the advantage of making it
10
more difficult for spies to eavesdrop.
Baran's research laid the groundwork for modem computer networking.
After an initial phase in which the U.S. Department of Defense, and later the
U.S. National Science Foundation, funded and managed the development of the
Internet, public commercial use of the Internet began in 1989, and by 1995, the

LA
U.S. government relinquished control. The World Wide Web, an information-
sharing medium built on top of the Internet's system of interconnected
computer networks, helped bring the technology of the Internet to life.
IM
Embracing an ethos of openness, Timothy Bemers-Lee and the other founders
of the Web aspired to a model of "radically democratic" social organization in
SH

place of governmental or corporate control."

Since then, Internet technology has grown organically and transformed
nearly every aspect of contemporary life. Today, the topology of the Internet
12
routing system consists of over 59,000 individual networks, situated within
LU

dozens of large networks that control routing and that extend across geographic
borders.13 Whereas the Internet was once accessible only through desktop
computers whose locations were fixed and traceable, wireless devices now
PN

abound. Fiber optic cables crisscross the Atlantic Ocean, transmitting ever
more data at ever higher speeds. And the advent of cloud computing, whereby
data is stored on a privately-owned or a public third-party cloud, rather than on
H

local computers, further accentuates the tension between national sovereignty

and the borderless nature of online activity.
The Internet as we know it thus reflects a deliberate repudiation of
centralized, top-down authority. Its technological infrastructure was built to

degenerated when they moved between links and became increasingly distorted, whereas digital signals
could be regenerated at each node, preventing distortion. See ABBATE, supra note 5, at 16.
8. Baran, supra note 7, at 1.
9. Id. at 6.
10. ABBATE, supra note 5, at 19.
11. See Jemima Kiss, An Online Magna Carta: Berners-Lee Callsfor Bill of Rightsfor Web,
GUARDIAN (Mar. 12, 2014), http://www.theguardian.com/technology/2014/mar/12/online-magna-carta-
berners-lee-web.
12. See CIDR REPORT, http://www.cidr-report.org/as2.0/ (last visited Nov. 12, 2017)
(providing an up-to-date count of autonomous systems or ASes-collections of Internet Protocol routing
prefixes operating under a single administrative authority-in the inter-domain routing system).
13. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.360

2018] TransnationalCyber Offenses 195

prioritize survivability and flexibility over security; as it has evolved, that

infrastructure has become ever more global and more reliant upon shared
resources. How, then, can cyberspace be regulated in the twenty-first century?
How do we balance the freedom and openness of the Internet with rules-and
authorities empowered to enforce those rules? In short, how can we maintain
order in a virtual space that, by design, is not subject to the control of any
single jurisdiction?

B. TransnationalCyber Attacks Defined

As the previous Section showed, the designers of the Internet considered

the possibility of harm to the physical infrastructure of the Internet and built
systems that would continue to operate if one node were destroyed. They
failed, however, to consider the possibility of damage caused by the very data
being communicated. 14 Transnational cyber offenses work from within: they
use the language of code to infiltrate systems, disrupt service, and compromise
data.

LA
Transnational cyber offenses share three defining features. First, they are
deliberate offenses: they require some willful act from which it is reasonably
IM
foreseeable that harm will result. (There may be circumstances in which
negligent failure to take reasonable cyber security measures could give rise to
liability,15 but a computer technician who inadvertently disrupts his company's
SH

network temporarily has not committed a transnational cyber offense.)

Second, transnational cyber offenses are quintessentially cyber offenses:
they take advantage of the design characteristics of the Internet described
LU

above. Offenses by a single perpetrator against a single victim that merely

employ digital tools-for example, an identity thief hacking into a person's
computer to steal credit card information, a corporation engaging in industrial
PN

cyber espionage against a competitor, or one country penetrating another

country's nuclear controllers to disable weapons development-are not
transnational cyber offenses. Rather, those offenses can all exist in the kinetic
H

world-a thief stealing the credit card of an unsuspecting victim, a corporate

spy sneaking in to obtain trade secrets, a country bombing or otherwise
disabling another country's nuclear weapons facility. Similarly, crimes such as
money laundering and child pornography may use the Internet, but they can
also exist without the Internet; nothing about them depends upon a networked
architecture. Transnational cyber offenses, by contrast, are particular to
cyberspace: indirect and easily transmitted, they exploit the decentralized,
networked nature of the web to cause harms that have no kinetic-world
equivalent.
Third, transnational cyber offenses are transnational. Like other

14. See, e.g., Stahl, supra note 4, at 254 ("The routing system's structure was intended to
ensure the Internet's continuing functionality in the event of an external attack, but it was not designed
to prevent damage caused by the very data that it transfers.").
15. See, eg, Michael L. Rustad & Thomas H. Koenig, The Tort of Negligent Enablement of
Cybercrime,20 BERKELEY TECH. L.J. 1553 (2005).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.361

 196 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

transnational offenses such as environmental crime or illicit traffic in drugs and

arms, transnational cyber offenses involve more than one country in their
"inception, perpetration and/or direct or indirect effects."' 6 They are, in other
words, what Kofi Annan called "problems without a passport."" They may be
carried out by a government or by non-State actors and may affect individuals,
government entities, corporations, non-governmental organizations, or other
groups. Crucially, however, they present challenges that transcend borders and
that, for a variety of reasons, cannot be addressed by any one nation alone.
Attacks may be launched from any location with Internet access; attackers can
18
hide their location with anonymizing services; and the Internet reduces the
transaction costs of cross-border cooperation in planning and executing
attacks.' 9 Further, Internet traffic, designed to travel through the fastest route,
may not always take the most geographically direct route: a single piece of
20
malicious code may be routed through multiple countries. Moreover, because
of the packet system, whereby different packets can take different routes, the
2
potential for information to traverse different jurisdictions is multiplied.
'

LA
Network architecture makes it difficult for Internet users to predict the
22
territorial jurisdictions of which they are potentially availing themselves : "the
ease, speed, and unpredictability with which data flows across borders make its
IM
23
location an unstable and often arbitrary determinant of the rules that apply."
Finally, transnational cyber offenses often have a wide reach, such that the
SH

impact of an attack can be felt far from either the initial launch point or the
target first hit. 2 4 In short, the configuration of cyberspace allows offensive acts

16. Ninth U.N. Congress on the Prevention of Crime & the Treatment of Offenders, Interim
LU

Report by the Secretariat,19, U.N. Doc. A/CONF.169/15/Add.l (Apr. 4 1995).

17. Press Release, Secretary General, Environmental Threats Are Quintessential "Problems
Without Passports," Secretary General Tells European Environment Ministers, U.N. Press Release
PN

SG/SM/6609 (June 23, 1998).

18. Jennifer Daskal, The Un-TerritorialityofData, 125 YALEL.J. 326, 331 (2015).
19. Kamala D. Harris, California Attorney General, Gangs Beyond Borders: California and
the Fight Against Transnational Organized Crime, OFF. CAL. ATr'Y GEN. 59 (March 2014),
http://oag.ca.gov/sites/all/files/agweb/pdfs/toc/report-2014.pdf ("[W]hile in the past criminal cross-
H

border cooperation was cumbersome, expensive, and vulnerable to law enforcement, the Internet and
other advances in high-speed international communication have dramatically reduced these 'transaction
costs.' Now, far-flung criminal network operatives can exploit new criminal opportunities from their
desktops without even having to leave their homes-let alone their home countries.").
20. See Jonathan A. Ophardt, Cyber Warfare and the Crime of Aggression: The Need for
IndividualAccountability on Tomorrow's Battlefield, 9 DUKE L. & TECH. REV. ¶60 (2010).
21. Id. ¶ 25.
22. Patricia L. Bellia, Chasing Bits Across Borders, 2001 U. CHI. LEGAL F. 35, 56 ("The
physical location of electronic evidence . . . often depends upon the fortuity of network architecture: an
American subsidiary of a French corporation may house all of its data on a server that is physically
located in France; two Japanese citizens might subscribe to America Online and have their electronic
mail stored on AOL's Virginia servers.").
23. Daskal, supra note 18, at 329; see also id. at 367 ("[D]ata can move from Point A to Point
B in circuitous and arbitrary ways, all at breakneck speed.").
24. Kristin M. Finklea, The Interplay of Borders, Turf Cyberspace, andJurisdiction: Issues
Confronting U.S. Law Enforcement, CONG. RES. SERV., R41927, at 5 (Jan. 17, 2013) ("Due to the global
nature of the Internet and other rapid communication systems, crimes committed via or with the aid of
the Internet can quickly impact victims in multiple state and national jurisdictions."); PAUL SCHIFF
BERMAN, GLOBAL LEGAL PLURALISM: A JURISPRUDENCE OF LAW BEYOND BORDERS 92 (2012) ("[I]n
an electronically connected world the effects of any given action may immediately be felt elsewhere
with no relationship to physical geography at all.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.362

 2018] TransnationalCyber Offenses 197

to originate, move through cyber space, and affect their targets in ways that are
distinctly transnational.

C. Common Types of TransnationalCyber Attacks

Infectious malware and denial-of-service are two common examples of

transnational cyber offenses. The first, malware, is code designed to inflict
harm on data, hosts, or networks. Malware typically infects a computer system
when a user accesses a corrupt website or downloads an email attachment. The
two most familiar forms of malware-viruses and worms-spread easily from
one computer to another. Viruses insert themselves into an executable file or
program, lying dormant until a user runs the infected program; they then get
passed on when the program is transferred to another computer via e-mail, CD-
ROM, USB key, or some other file-sharing system. Worms, by contrast, are
standalone software; they can replicate independently within a host computer
and can travel unaided to other computer systems connected by a network or
the Internet. Both forms of malware thus capitalize on features of the cyber

LA
landscape, whether interoperability or Internet connectivity, to disseminate
threats to potentially unknown victims.
IM
An increasingly common variant of malware is ransomware-computer
malware that spreads covertly and holds victims' computer data hostage by
locking their screens ("locker ransomware") or by encrypting their files
SH

("crypto ransomware"). Once inside the system, crypto ransomware creates

encrypted copies of files that can be opened only with a decryption key, deletes
the original files, and leaves instructions demanding a ransom payment to
access the key. According to one estimate, as many as forty percent of
LU

companies worldwide have been targeted by ransomware attacks.25

A second common transnational cyber offense is a denial-of-service
PN

(DoS) attack. In a DoS attack, a perpetrator launches a barrage of fake requests

from a single source, overwhelming the target computer system, server, or
network. Unlike malware, which changes the functionality of the target system,
H

DoS attacks temporarily block access to the target system. Malware and denial-
of-service can be combined to create a distributed denial-of-service (DDoS)
attack. Perpetrators of DDoS attacks use malware to hijack and enslave
numerous computers called "zombies" that flood target networks with traffic.
Fake requests issued by the network of zombie computers or devices-known
as a "botnet"-can disable target systems for several hours, or even days.26 The

25. Victoria Woollaston, WannaCry Ransomware: What It Is and How To Protect Yourself
WIRED (May 22, 2017), http://www.wired.co.uk/article/wannacry-ransomware-virus-patch.
Governments are also increasingly susceptible to such attacks: state and local government networks are
reportedly nearly twice as likely to be infected with malware or ransomware as small or medium-sized
businesses. Malware, Ransomware Twice As Likely To Hit State, Local Networks, GCN (Dec. 1, 2015),
http://gcn.com/articles/2015/12/01/sled-ransomware.aspx.
26. DDoS attacks can take place either at the application layer (Layer 7), or at the network or
transport layer (Layer 3 or 4). Application layer attacks flood a server with requests such as HTTP
floods or DNS query floods that drain all computing resources and prevent the server from answering
legitimate requests. Network or transport layer attacks send malicious requests over different network
protocols, consuming all available bandwidth and shutting down most network infrastructures. See Nat'l

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.363

198 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43:191

use of zombie armies or "tiered" botnets enables hackers to execute attacks

"across many different, geographically dispersed computer servers" rather than
from "a single point of command."27 In many cases, the attacker can remotely
control zombie devices without the device owner even knowing his or her
device was hijacked: Vint Cerf, one of the fathers of the Internet, once
estimated that up to one-fourth of all networked computers may be part of
botnets.28
Recent history is rife with examples of transnational cyber offenses that
caused significant global impact yet were carried out with impunity. Perhaps
the most notorious is the so-called "Love Bug" attack. As a student at the
Amable Mendoza Aguiluz (AMA) Computer University in the Philippines,
Onel de Guzman wrote a program designed to steal Internet passwords. In May
2000, the "1LOVEYOU" virus-so-named for the phrase displayed in the
subject line of each contaminated e-mail-began attacking millions of
Microsoft Windows computers, scanning computers for log-in names and
passwords, destroying image and sound files, and spreading via e-mail

LA
attachment to everyone in the targeted user's address book. The virus, which
29
caused an estimated ten billion dollars in damage, reportedly penetrated the
computer systems of at least fourteen federal agencies in the United States,
IM
foreign governments such as the British Parliament, the Belgian banking
system, U.S. state governments, international organizations like the
International Monetary Fund, media outlets like the Washington Post and ABC
SH

News, credit unions, and large corporations like AT&T and Ford Motor
Company. 3 0
Internet Service Providers traced the virus to de Guzman." Philippine law
LU

enforcement initially pressed charges, but the Philippine Department of Justice

was ultimately forced to drop the case because Philippine law at the time did
not prohibit computer hacking.32 Meanwhile, the U.S. Department of Justice
PN

charged de Guzman in absentia but could not extradite him, as extradition

treaties require dual criminality and de Guzman's actions were not illegal under
H

Cybersecurity & Commc'ns Integration Center, DDoS Quick Guide, U.S. DEP'T OF HOMELAND SEC.
(Jan. 29, 2014), http://www.us-cert.gov/sites/default/files/publications/DDoS%/20Quick/20Guide.pdf
27. SUSAN W. BRENNER, CYBERTHREATS 2 (2009).
28. See Tim Weber, Criminals "May Overwhelm the Web," BBC NEWS (Jan. 25, 2007),
http://news.bbc.co.uk/2/hi/business/6298641.stm.
29. Kevin Poulsen, May 4, 2000: Tainted "Love" Infects Computers, WIRED (May 3, 2010),
http://www.wired.con2010/05/0504i-love-you-virus.
30. The Love Bug Virus: ProtectingLovesick Computers from Malicious Attack: Hearing
Before the Subcomm. on Tech. of the H. Comm. on Sci., 106th Cong. 12 (2000) (statement of Keith A.
Rhodes, Director, Office of Computer and Information Technology Assessment).
31. Shannon C. Sprinkel, Note, Global Internet Regulation: The Residual Effects of the
"ILOVEYOU" Computer Virus and the Draft Convention on Cyber-Crime, 25 SuFFOLK TRANSNAT'L L.
REv. 491, 492 (2002).
32. The Philippines quickly tried to correct its mistake. On June 14, 2000, Philippine President
Joseph Estrada signed the Electronic Commerce Act, outlawing computer crimes. However, because the
Act did not apply retroactively, it could not cover de Guzman. See Mark Landler, A FilipinoLinked to
'Love Bug' Talks About His License To Hack, N.Y. TIMES (Oct. 21, 2000),
http://www.nytimes.com/2000/10/21/business/a-filipino-linked-to-love-bug-talks-about-his-license-to-
hack.html.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.364

 2018] TransnationalCyber Offenses 199

the law of the Philippines. 3 3 Thus, de Guzman escaped punishment.

Since then, there have been countless other denial-of-service and malware
attacks with similarly devastating consequences. The 2007 attacks on Estonian
websites disrupted emergency services for over an hour and implicated zombie
computers in as many as 178 countries.3 4 The October 2016 Dyn attack on
U.S.-based data centers disrupted access to news sites and major commercial
websites and caused ripple effects not only across the United States, but also in
Europe.35 Most recently, in May 2017, the WannaCry ransomware attack
infected an estimated 230,000 computers in more than 150 countries.36
Impacting Russia especially severely, the WannaCry ransomware infected
telecommunications and utility companies, banks, universities, government
offices, electronic payment machines at gas stations and rail companies, and
more.37 In England, the ransomware severely disrupted the National Health
Service, preventing doctors from accessing patient files and forcing hospitals to
turn people away at the emergency room. 38
At the dawn of the Internet of Things, DDoS attacks are poised to become

LA
an even bigger threat. More and more everyday objects and devices, from
thermostats and coffee pots to clothing, heart monitors, cars, and even roads,
are becoming or could soon be embedded with sensors and connected to the
IM
Internet. 3 9 As the number of Internet-connected devices grows, not only are
there more potential targets for attackers but the potential size and force of
zombie botnets also increases. 40
SH

33. Under the double or dual criminality principle of extradition law, a person may be
extradited "only if the acts charged are criminal by the laws of both countries." Collins v. Loisel, 259
LU

U.S. 309, 311 (1922); see also SATYA D. BEDI, EXTRADITION IN INTERNATIONAL LAW AND PRACTICE
69-84 (1966) (characterizing the dual criminality principle as a rule of customary international law). The
United States' extradition treaty with the Philippines, like virtually all extradition treaties, contains a
dual criminality clause. Extradition Treaty Between the Government of the United States of America
PN

and the Government of the Republic of the Philippines, Phil.-U.S., art. 2(1), Nov. 13, 1994, S. TREATY
Doc. No. 104-16 (1995).
34. See MARCEL H. VAN HERPEN, PUTIN'S WARS: THE RISE OF RuSSIA's NEW IMPERIALISM
140 n.25 (2d ed. 2015); Jeffrey T.G. Kelsey, Hacking into International HumanitarianLaw: The
H

Principles of Distinction and Neutrality in the Age of Cyber Warfare, 106 MICH. L. REV. 1427, 1429
(2008).
35. Three waves of DDoS attacks flooded Dyn, a key Domain Name System provider, with
DNS look-up requests, blocking access to major online commerce, social media, and news websites. See
Tess Owen, What You Need To Know About Friday's Massive Cyber Attack, VICE NEWS (Oct. 23,
2016), http://news.vice.com/story/what-you-need-to-know-about-fridays-massive-cyber-attack.
36. Peter Dockrill, Experts Warn the Global "WannaCry" Ransomware Hack Is Far From
Over, SCIENCEALERT (May 1, 2017), http://www.sciencealert.com/experts-are-warning-the-global-
wannacry-ransomware-hack-isn-t-over; David E. Sanger, Sewell Chan & Mark Scott, Ransomware's
Aftershocks Feared as U.S. Warns of Complexity, N.Y. TIMES (May 14, 2017), http://
www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html.
37. See, e.g., Ransomware Cyber-Attack: Who Has Been Hardest Hit?, BBC (May 15, 2017),
http://www.bbc.com/news/world-39919249; Bill Chappell, WannaCry Ransomware: What We Know
Monday, NPR (May 15, 2017), http://www.npr.org/sections/thetwo-way/2017/05/15/528451534/
wannacry-ransomware-what-we-know-monday.
38. See, e.g., Global Cyberattack Strikes Dozens of Countries, Cripples UK. Hospitals, CBS
NEWS (May 12, 2017), http://www.cbsnews.com/news/hospitals-across-britain-hit-by-ransomware-
cyberattack.
39. See MICHAEL MILLER, THE INTERNET OF THINGS: How SMART TVs, SMART CARS,
SMART HOMES, AND SMART CITIES ARE CHANGING THE WORLD (2015).
40. JoT Devices Being Increasingly Used for DDoS Attacks, SYMANTEC (Sept. 22, 2016),

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.365

200 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43:191

In short, the architectural interconnectivity of the Internet and the ability

41
of threats to propagate in cyberspace create "collective vulnerability." With
malware worms rapidly infecting computers an ocean away, denial-of-service
attacks blocking access to websites for users anywhere in the world, and DDoS
attacks hijacking swarms of slave computers, questions of who has the
authority to respond and how perpetrators can be held accountable are urgent.
By recognizing transnational cyber offenses as a distinct category, we can
begin to formulate legal solutions that fit the technological realities, rather than
trying to fit quintessentially digital problems into standard regulatory
frameworks.

II. BEYOND DOMESTIC CRIMINAL LAW AND INTERNATIONAL HUMANITARIAN

LAW: TRANSNATIONAL CYBER OFFENSES AND THE PROBLEM OF
JURISDICTION

In the physical world, "we divide threats into internal ('crime') and
external ('war') and assign responsibility for each to a separate institution (law

LA
enforcement and the military)." 42 In the cyber context, we have largely
replicated that division: in the United States, computer crime is prosecuted by
the Federal Bureau of Investigation (FBI), while cyberwarfare is under the
IM
purview of the Defense Department. But that division between internal and
external threats maps awkwardly onto the cyber context where, as Susan
SH

Brenner notes, "what we define as 'internal' threats can now come from
3
external, civilian actors."A
The bulk of the scholarly literature on cyber threats has hewed to this
traditional division. Computer crime is written about by criminal law scholars
LU

and criminologists, while cyberwarfare is seen as the purview of international

lawyers and national security experts. Some scholars, recognizing that the law
PN

of war is a blunt instrument, have concluded that we need a new

4
"comprehensive . . . solution to the emerging threat of cyber-attacks."4 This
Note advocates for a more nuanced approach. I argue that, rather than
attempting to apply any one existing legal framework to all cyber threats, we
H

ought to be more attentive to the particular characteristics of each cyber threat.

Just as there is no single body of law for all wrongful acts in the physical
world, so, too, there is no single body of law for all wrongful acts in
cyberspace. The question is not simply what body of law applies but when.
For ordinary cybercrimes with kinetic world analogues, such as child
pornography or financial fraud, domestic criminal law is generally appropriate.
When the perpetrator of such crimes is located in the same jurisdiction as the
victim, prosecution is relatively straightforward. For other, rare kinds of cyber

http://www.symantec.com/connect/blogs/iot-devices-being-increasingly-used-ddos-attacks.
41. ENEKEN TIKK, KADRI KASKA & LiIS VIHUL, INTERNATIONAL CYBER INCIDENTS: LEGAL
CONSIDERATIONS 95-96 (2010).
42. Susan W. Brenner, The Council of Europe's Convention on Cybercrime, in CYBERCRIME:
DIGITAL COPS IN A NETWORKED ENVIRONMENT 207, 210 (Jack M. Balkin et al. eds., 2007).
43. Id.
44. Oona A. Hathaway et al., The Law of Cyber-Atack, 100 CAL. L. REV. 817, 822 (2012).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.366

2018] TransnationalCyber Offenses 201

hostilities-namely, highly destructive attacks by one government against

another government-the law of armed conflict offers an appropriate legal
framework.
Transnational cyber offenses, however, do not fit comfortably within
either category. Cyber criminals' ability to collaborate internationally, to
launch cyber operations remotely, and to execute attacks with global effects
complicates the application of domestic law. At the same time, borderless,
transnational attacks on computers and on the civilian information
infrastructure do not look like traditional warfare between States. Transnational
cyber offenses are typically undertaken by private individuals or non-State
groups, not States, 4 5 and to the extent they are attributable to national
governments, few such incidents meet the threshold for an armed conflict. 46
Transnational cyber offenses thus fall into a legal lacuna, neither adequately
covered by domestic criminal law, nor subject to international humanitarian
law. In this Part, I discuss the limitations of these two traditional legal
frameworks when it comes to the regulation of transnational cyber offenses.

LA
A. The InternationalHumanitarianLaw Frameworkand Its Limitations
IM
International law offers potentially useful guidance for addressing cyber
offenses carried out by one State against another State. Some human rights
treaties may speak to elements of cybercrimes. For example, the right to
SH

privacy recognized in international human rights documents like the Universal

Declaration of Human RightS 47 or the International Covenant on Civil and
Political Rights 48 could be understood to prevent unlawful access to other
people's private data, while the right to freedom of expression and freedom of
LU

information in those documents arguably prohibits interfering with access to

media websites.49
PN

More often, international law approaches to cyber offenses have focused

on jus ad bellum andjus in bello. Jus ad bellum determines when a State may
lawfully use.force against another State. Under Article 51 of the U.N. Charter,
H

an "armed attack" allows States to engage in self-defense-that is, to respond

with a "use of force," notwithstanding Article 2(4)'s general prohibition on the
"use of force against the territorial integrity or political independence of any
[S]tate." 50 Regardless of the legality of the use of force, international

45. Mary Ellen O'Connell, Cyber Security Without Cyber War, 17 J. CONFLICT & SECURITY
L. 187, 206 (2012).
46. See infra note 51 and accompanying text.
47. Universal Declaration of Human Rights, G.A. Res. 217 (III) A, U.N. Doc. A/810, art. 12
(Dec. 10, 1948) [hereinafter UDHR].
48. International Covenant on Civil and Political Rights art. 17, adopted Dec. 19, 1966, S.
EXEC. DOC. E, 95-2 (1978), 999 U.N.T.S. 171 [hereinafter ICCPR].
49. See UDHR, supra note 47, art. 19; ICCPR, supra note 48, art. 19.
50. U.N. Charter art. 2, 1 4; id. art. 51; see also Michael N. Schmitt, "Attack" as a Term ofArt
in InternationalLaw: The Cyber Operations Context, in 4TH INTERNATIONAL CONFERENCE ON CYBER
CONFLICT 283, 286 (C. Czosseck et al. eds., 2012) ("[A~n 'armed attack' is an action that gives States
the right to a response rising to the level of a 'use of force,' as that term is understood in the jus ad
helium.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.367

202 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

humanitarian law (orjus in bello) applies whenever an armed conflict arises.

According to the now-classic formulation of the International Criminal
Tribunal for the former Yugoslavia in the celebrated Tadi6 case, an
international "armed conflict exists whenever there is a resort to armed force
between States."51 Codified notably in the post-World War II Geneva
Conventions and their Additional Protocols, the law of armed conflict was
designed to regulate traditional horizontal warfare between States. In the
archetypal case, international armed conflict arises "when parts of the armed
forces of two [or more] States clash with each other." 52 In such a case, "[a]s
soon as the armed forces of one State find themselves with wounded or
surrendering members of the armed forces or civilians of another State on their
hands, as soon as they detain prisoners or have actual control over a part of the
territory of the enemy State, then they must comply with the [Geneva
Conventions]."
In the context of cyber conflict, however, the question arises whether
cyber operations can constitute an "armed attack" under Article 51, permitting

LA
a State to respond in self-defense, or a "resort to armed force," triggering the
existence of an international armed conflict. 5 4 As to the former, Marco Roscini
points out that "both the scale and the effects of the use of force ... determine
IM
the occurrence of an armed attack." 55 Thus, an intentional power grid outage, a
deadly crash engineered by hacking into aircraft computers, or a shutdown of
computers controlling waterworks and dams, thereby causing flooding in
SH

populated areas, could all rise to the level of an armed attack, while a DDoS
attack temporarily disrupting non-critical infrastructure would not.56 As to the
existence of an international armed conflict, Michael Schmitt, director of the
LU

Tallinn Manual Project, maintains when a cyber attack is carried out by a State
and is "either intended to cause injury, death, damage or destruction (and
analogous effects), or such consequences are foreseeable," international
PN

"humanitarian law principles apply ... even though classic armed force is not
being employed."" The International Committee of the Red Cross (ICRC) goes
H

51. Prosecutor v. Tadid, Case No. IT-94-1-A, Decision on the Defence Motion for
Interlocutory Appeal on Jurisdiction, ¶ 70 (Int'l Crim. Trib. for the Former Yugoslavia Oct. 2, 1995).
52. Dietrich Schindler, The Diferent Types of Armed Conflicts According to the Geneva
Conventions and Protocols, 163 RCADI 117, 131 (1979).
53. Hans-Peter Gasser, InternationalHumanitarianLaw: An Introduction, in HUMANITY FOR
ALL: THE INTERNATIONAL RED CROSS AND RED CRESCENT MOVEMENT 491, 510-11 (Hans Haug ed.,
1993).
54. There is disagreement as to whether a "resort to armed force"-i.e., the threshold for
determining the existence of an international armed conflict under the law of armed conflict-is
tantamount to a "use of force" under Article 2(4) of the U.N. Charter, see MARCO ROSCINI, CYBER
OPERATIONS AND THE USE OF FORCE IN INTERNATIONAL LAW 128-32 (2014), and as to whether a "use
of force" under Article 2(4) is tantamount to an "armed attack" under Article 51, see Michael N.
Schmitt, InternationalLaw in Cyberspace: The Koh Speech and Tallinn Manual Juxtaposed, 54 HARV.
INT'L L.J. ONLINE 13, 21-22 (2012).
55. RoscINi, supra note 54, at 73.
56. See id; Yoram Dinstein, Computer Network Attacks and Self-Defense, in COMPUTER
NETWORK ATTACK AND INTERNATIONAL LAW 105 (Michael N. Schmitt & Brian T. O'Donnell eds.,
2002).
57. Michael N. Schmitt, Wired Warfare: Computer Network Attack and Jus in Bello, 84 IRRC
.365, 374 (June 2002) (emphasis omitted).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.368

2018] TransnationalCyber Offenses 203

further, taking the position that physical damage or destruction is not required;
cyber operations need only disable an object to qualify as a use of armed force
subject to international humanitarian law rules.ss Still, there must be some
intensity threshold for disabling or disruption, such that the effects are
analogous to those of destruction by traditional armed force. 59 Thus, even cyber
operations targeting government facilities or critical infrastructure such as
hospitals or power grids may or may not qualify as a "resort to armed force,"
depending on their impact. In short, very few, if any, cyber events to date
would meet the threshold for an international armed conflict or qualify as
"armed attacks" permitting States. to respond with either cyber or kinetic force
in self-defense.
The second major challenge in applying international humanitarian law
principles to cyber hostilities is the application of the State responsibility
doctrine. Historically, if an attack was carried out by a foreign power, there was
little doubt regarding State responsibility; soldiers were uniformed, and only
nations had the resources to carry out attacks in another country. Cyber attacks,

LA
however, can be carried out at low cost by States, by hacker groups with ties to
foreign governments, or simply by individuals whose identities and geographic
locations are frequently hidden. 0 Holding a nation responsible for an attack is
IM
significantly more difficult in the cyber world than in the physical world.
Notwithstanding these challenges, for a narrow set of cyber operations,
SH

international humanitarian law offers the most appropriate legal framework.

The Stuxnet attack on the Natanz nuclear enrichment facilities-perhaps the
most prominent cyber attack to date-is one such example. Stuxnet was a
targeted direct attack on a nuclear facility operated by the Iranian
LU

government.61 It is widely thought to have been carried out by the United States
and Israel. (Although neither State has officially assumed responsibility,
experts point out that no non-State actor has, and few States have, the capacity
PN

to build and deploy Stuxnet. 6 2 ) Moreover, Natanz operated on a closed

computer system. Because the target was not connected to the public Internet,
the attack did not cause the kinds of ripple effects that characterize
H

transnational cyber offenses. 6 3 Indeed, buried inside the code was a "do-not-

58. InternationalHumanitarian Law and the Challenges of Contemporary Armed Conflicts,

Report 31IC/11/5.1.2, INT'L COMMITTEE OF THE RED CROSS 37 (Oct. 2011), http://e-brief.icrc.org/wp-
content/uploads/2016/08/4-intemational-humanitarian-law-and-the-challenges-of-contemporary-armed-
conflicts.pdf.
59. RosCINI, supra note 54, at 135.
60. See Michael Schmitt, Classication of Cyber Conflict, 17 J. CONFLICT & SECURITY L.
245, 246 (2012).
61. See, e.g., John Richardson, Stuxnet as Cyberwarfare: Applying the Law of War to the
VirtualBattlefield, 29 J. MARSHALL J. COMPUTER & INFO. L. 1, 3-4, 21 (2011).
62. Thomas Rid & Ben Buchanan, Attributing Cyber Attacks, 38 J. STRATEGIC STUD. 4, 22
(2015).
63. Overseen by Iranian engineers, the Natanz computer network involved a supervisory
control and data acquisition-or SCADA-control system whereby process commands are issued and
activity monitored by a supervisory computer system. In a SCADA system, centralized computers
monitor and regulate industrial-control systems that in turn monitor machinery operations such as
uranium enrichment "by adjusting, switching, manufacturing, and controlling key processes based on
digitized feedback of data gathered by sensors." David Maimon & Alexander Testa, On the Relevance

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.369

204 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

infect" indicator; when the virus encountered a computer that did not fit the
target profile, the virus destroyed itself, minimizing incidental or "knock-on"
effects.64 The Stuxnet attack therefore fits within familiar paradigms of States
carrying out carefully targeted, politically motivated strikes against other
States-and, according to some scholars at least, Stuxnet rose to the level of an
Article 51 armed attack.65 So, while determinations of intensity and attribution
can be challenging, jus ad bellum andjus in bello provide the right framework
for analyzing-and potentially responding to-incidents like Stuxnet. For most
transnational cyber offenses, however, the perpetrators and the victims are not
(or not exclusively) States, the offense does not constitute an Article 51 "armed
attack" or a "resort to armed force," and the international humanitarian law
framework is unavailing.

B. The Domestic CriminalLaw Framework and Its Limitations

In addition to the law of armed conflict, the other legal framework often
applied to cyber operations is domestic criminal law. Domestic criminal law is

LA
66
a tool for the "protection of public mores within a specific locality" : it
functions effectively when a crime takes place in a particular jurisdiction,
which is able to regulate the activity, investigate the crime, and punish the
IM
perpetrator. Conventional crimes that are committed by a resident of the
country where the crime takes place and that happen to make use of
SH

computers-for example, identity theft, fraud, copyright violations, child

pornography, cyber stalking, and online bullying-may be effectively regulated
by domestic criminal law.
Domestic criminal law is ill-adapted, however, to transnational cyber
LU

67
offenses, which have effects beyond the reach of a State's police power. Law
enforcement agencies are candid about the difficulties of policing crimes that
PN

implicate multiple jurisdictions. Testifying before Congress, then-FBI Assistant

Director Thomas Kubic evoked the challenges of the Westphalian nation-state
model of jurisdiction as applied to transnational cyber threats:
H

In the past, a nation's border acted as a barrier to the development of many

criminal enterprises, organizations and conspiracies. . . . [T]he advent of the
Internet . . . has erased these borders. . . . Subjects located in other countries are

of Cyber Criminological Research in the Design of Policies and Sophisticated Security Solutions
Against Cyberterrorism Events, in THE HANDBOOK OF THE CRIMINOLOGY OF TERRORISM 553, 555
(Gary LaFree & Joshua D. Freilich eds., 2016).
64. Gregg Keizer, Stuxnet Code Hints at Possible Israeli Origin, Researchers Say,
COMPUTERWORLD (Sept. 30, 2010), http://www.computerworld.com/s/article/
9188982/Stuxnet-code hints at-possibleIsraeliorigin researchers say.
65. See TALLINN MANUAL ON THE INTERNATIONAL LAw APPLICABLE TO CYBER WARFARE
342, 384 (Michael N. Schmitt ed., 2013) (noting disagreement among the Tallinn Manual drafters on
whether Stuxnet represented an armed attack).
66. Cameron S.D. Brown, Investigating and Prosecuting Cyber Crime: Forensic
Dependenciesand Barriersto Justice, 9 INT'L J. CYBER CRIMINOLOGY 55, 62 (2015).
67. See Bertrand de La Chapelle & Paul Fehlinger, Jurisdictionon the Internet: From Legal
Arms Race to Transnational Cooperation, INTERNET & JURISDICTION 7 (Apr. 2016),
http://www.intemetjurisdiction.net/uploads/pdfs/Papers/IJ-Paper-Jurisdiction-on-the-Internet.pdf
("[O]verlapping and often conflicting territorial criteria make both the application of laws in cyberspace
and the resolution of Internet-related disputes difficult and inefficient.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.370

2018] TransnationalCyber Offenses 205

increasingly targeting victims in the U.S. utilizing the Internet. Evidence can be
stored remotely in locations not in physical proximity to either their owner or the
location of criminal activity. In addition, losses suffered by victims in individual
jurisdictions may not meet prosecutive thresholds even though total losses through
the same scheme may be substantial. In order to subpoena records, utilize
electronic surveillance, execute search warrants, seize evidence and examine it in
foreign countries, the FBI must rely upon local authorities for assistance. In some
cases, local police forces do not understand or cannot cope with technology. In
other cases, these nations simply do not have adequate laws regarding cyber crime
and are therefore limited in their ability to provide assistance.68
As Kubic observes, cross-border activity was historically rare: territoriality
established "the bedrock principles for the development of modem
international law." 69 But in the Internet era, cross-border activity is ubiquitous,
and the transnational nature of many cyber offenses is at odds with those
bedrock territoriality principles. Territorial jurisdiction is generally understood
to have three dimensions: legislative or prescriptive jurisdiction (the
jurisdiction to prescribe legal rules); judicial or adjudicative jurisdiction (the
jurisdiction to resolve disputes); and executive or enforcement jurisdiction (the

LA
jurisdiction to enforce judgments). 7 0 Transnational cyber offenses are
problematic along all three dimensions.
IM
When it comes to legislative jurisdiction, different countries have
different laws governing cybercrime. If the territoriality principle of
international law permits any State to exercise regulatory control over
SH

transnational events "sufficiently closely linked or connected" to that State,71

any State that experiences the effects of online activity could exercise
jurisdiction. In this way, a single act could potentially subject the perpetrator to
LU

the substantive laws of several, perhaps even dozens of, jurisdictions. But, as
James Brierly remarked long before the emergence of the Internet, "the
suggestion that every individual is or may be subject to the laws of every State
PN

at all times and in all places is intolerable." 7 2 Internet users have not
meaningfully consented to be governed by other countries' norms, particularly
given the unpredictability of Internet data routing. As Jennifer Daskal explains,
H

"[i]t is widely understood that when one travels to . . . a foreign jurisdiction,

68. Fighting Cyber Crime: Hearing Before the Subcomm. on Crime of the H. Comm. on the
Judiciary, 107th Cong. 51-53 (2001) (prepared statement of Thomas T. Kubic, Principal Deputy
Assistant Director, Criminal Investigative Division, FBI).
69. See KAL RAUSTIALA, DOES THE CONSTITUTION FOLLOW THE FLAG? THE EVOLUTION OF
TERRITORIALITY IN AMERICAN LAW 11 (2009).
70. See, e.g., RESTATEMENT (THIRD) OF THE FOREIGN RELATIONS LAW OF THE UNITED
STATES § 401 (AM. LAW INST. 1987) (describing categories of jurisdiction).
71. Uta Kohl, Jurisdictionin Cyberspace, in RESEARCH HANDBOOK ON INTERNATIONAL LAW
AND CYBERSPACE 30, 33 (Nichlas Tsagourias & Russell Buchan eds., 2015) (emphasis omitted).
72. James L. Brierly, The "Lotus" Case, 44 L.Q. REv. 154, 162 (1928); see also, e.g., AARON
SCHWABACH, INTERNET AND THE LAW: TECHNOLOGY, SOCIETY, AND COMPROMISES 161 (2d ed. 2014)
("Internet content is thus potentially subject to the law of every jurisdiction on the planet."); id at 163
("[T]he advent of the Internet makes multiple-jurisdiction transactions the norm rather than the
exception... .If disputes arise from the transaction, any or all of the states and countries involved might
conceivably have jurisdiction over the matter."); Adria Allen, Internet Jurisdiction Today, 22 Nw. J.
INT'L L. & BUS. 69, 75 (2001) ("Cyberlaw jurisdictional theorists are faced with the reality that a simple
homespun web page could be subject to jurisdiction by all of the nearly three-hundred sovereigns
around the world.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.371

206 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

one is subject to that sovereign nation's laws," but if an individual sends data
over the Internet, which happens to transit through another nation, "that
individual is not consciously choosing to bind himself to any particular foreign
government's laws."7 3
Subjecting every online actor to the law of every State, under a theory
that activity on the Internet can be experienced anywhere, cannot be the
solution to the problem of transnational cyber offenses. But what country's law
should apply? Should any country in which malware is downloaded have
jurisdiction? Only countries hosting servers that the malware passes through?
Only the country where the perpetrator was physically located when the attack
was launched? Choice of law rules do not offer ready answers-some rules
provide for jurisdiction over acts that affect that territory, while others provide
for jurisdiction over conduct set in motion in that territory-and countries are
unlikely to forego jurisdiction over incidents affecting their own citizens.74
Even as legislative jurisdiction may be over-inclusive in the context of
cyber activity, it may also be under-inclusive. Laws must apply

LA
extraterritorially for a State to bring charges for criminal acts initiated outside
its territorial limits. When cybercrime legislation does not apply
extraterritorially, attackers can forum shop for favorable jurisdictions where
IM
their activities are not proscribed. As Claude Lombois put it vividly, "the reach
of the police officer is only as long as his arm .... [H]e is a constable only at
SH

home."7
Most domestic cybercrime laws, including in the United States, do not
apply extraterritorially;7 6 extraterritorial exercises of authority are typically
seen to infringe upon the sovereignty of other countries.77 In recent years, the
LU

United States has somewhat expanded its legislative and adjudicative

jurisdiction, extending the reach of U.S. laws and empowering U.S. courts to
hear some cases involving foreign parties. In 2001, Russians Vasiliy Gorshkov
PN

and Alexey Ivanov were found responsible for stealing data and extorting
money from U.S. businesses. 7 8 In order to prosecute them, the U.S. government
created a fake computer security firm, "Invita," and invited Gorshkov and
H

Ivanov to come to Seattle to interview with the firm.7 9 The FBI promptly
81
arrested both of them.80 Gorshkov was tried and sentenced in Washington,

73. Daskal, supra note 18, at 367-68.

74. See, e.g., Andre R. Jaglom, Liability On-Line: Choice of Law and Jurisdiction on the
Internet, or Who's In Charge Here?, TANNENBAUM HELPERN SYRACUSE & HIRSCHTRITr LLP 10,
http://www.thsh.com/documents/liabilityon-line.pdf
75. CLAUDE LOMBois, DRoIT PENAL INTERNATIONAL 536 (2d ed. 1979), translatedin Pierre
Trudel, JurisdictionOver the Internet: A CanadianPerspective,32 INT'L LAWYER 1027, 1047 (1998).
76. See Hathaway et al., supra note 44, at 874 ("The majority of the existing criminal laws
bearing on cyber-attack do not apply extraterritorially-that is, they do not reach criminal activity
occurring outside the United States.").
77. Anthony J. Colangelo, What Is ExtraterritorialJurisdiction?,99 CORNELL L. REv. 1303,
1311-12 (2014).
78. United States v. Ivanov, 175 F. Supp. 2d 367, 373 (D. Conn. 2001); United States v.
Gorshkov, 2001 WL 1024026 (W.D. Wash. May 23, 2001).
79. Robert Lemos, FBI "Hack" Raises Global Security Concerns, CNET (Mar. 28, 2002),
http://www.cnet.com/news/fbi-hack-raises-global-security-concems.
80. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.372

2018] TransnationalCyber Offenses 207

while Ivanov's case was transferred to Connecticut, 82 where the district court
determined that the relevant statutes did apply extraterritorially and that,
"because the intended and actual detrimental effects of Ivanov's actions in
Russia occurred within the United States," Ivanov could be tried and sentenced
in the United States for crimes committed outside the country. Still, the
successful prosecutions of Gorshkov and Ivanov under U.S. law are the
exception, not the norm. Put simply, a territorial approach to jurisdiction over
transnational cyber offenses leads, in theory, to too many countries exercising
legislative and adjudicative jurisdiction-and, in practice, to too few.
The third dimension of territorial jurisdiction-enforcement
jurisdiction-is also problematic for transnational cyber offenses, as other
countries may be unable to provide the necessary digital evidence or unwilling
to cooperate with investigations and extradition. First, enforcing cybercrime
statutes requires expertise and resources that not all States have. Developing
nations may lack the capacity to adequately investigate and prosecute
cybercrimes or even to assist in cross-border investigations, even if they have

LA
the legal authority to do so and are willing to comply. Meanwhile, even
technologically sophisticated nations may fail to provide effective assistance.
Mutual Legal Assistance Treaties (MLATs)-agreements between two or more
IM
countries to provide assistance on criminal legal matters-are key tools for
dealing with cross-border evidence requests. But MLATs are of limited
efficacy in the cyber context": they typically require dual criminality (that is,
SH

the act must be criminalized in both the requesting and receiving countries),85
and are only useful when countries have explicitly entered bilateral
arrangements-a requirement at odds with the global nature of the Internet.
LU

MLAT requests are also slow to process. The United States, for instance, takes
an average of ten months-and sometimes much longer-to comply with valid
electronic evidence records requests from other countries pursuant to
PN

MLATs.86 Such waiting times represent "an eternity in Internet time" 87 and can
not only delay investigations and prosecutions but also lead to the potential loss
of fragile digital evidence. 88
H

Second, countries may deliberately thwart enforcement of another

country's criminal law. Without the cooperation of foreign governments in

81. See Gorshkov, 2001 WL 1024026, at *4.

82. One of the companies whose computers he had hacked was located in Vernon,
Connecticut. Ivanov, 175 F. Supp. 2d at 368.
83. Id. at 370-75.
84. Susan Brenner has described MLATs as "so unsuitable as to be almost futile with regard
to cybercrime and cybercriminals." Brenner, supra note 42, at 209.
85. See R.E. Bell, The Prosecution of Computer Crime, 9 J. FIN. CRIME 308, 317 (2002); see
also supranote 33.
86. Liberty and Security in a Changing World, PRESIDENT'S REVIEW GROUP ON
INTELLIGENCE & COMM. TECH. 227 (Dec. 12, 2013),
http://obamawhitehouse.archives.gov/sites/default/files/docs/2013-12-12rgfinal-report.pdf
87. See Curtis E.A. Karnow, Counterstrike, in CYBERCRIME: DIGITAL COPS IN A NETWORKED
ENVIRONMENT 135, 138 (Jack M. Balkin et al. eds., 2007).
88. See Brenner, supra note 42, at 213 ("Digital evidence is fragile and can easily be
destroyed or altered."); MOHAMED CHAWKI ET AL., CYBERCRIME, DIGITAL FORENSICS AND
JURISDICTION 20 (2015) ("[Nletwork traffic is transient and must be captured while it is in transit.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.373

 208 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

gathering and processing digital forensic evidence located abroad and in

executing warrants and subpoenas, a country can struggle to give effect to its
domestic laws. More problematic still is the extradition of foreign citizens. The
refusal by countries like Russia and China to extradite their citizens has
repeatedly proven an obstacle to prosecution, 89 as it did initially with Gorshkov
and Ivanov, before the U.S. government concocted its clever scheme. 90 Often,
the United States issues arrest warrants or indicts cybercriminals in absentia,
without the perpetrators ever facing jail time. For example, in 2014, the United
States indicted five Chinese military hackers on charges of economic espionage
in its first ever indictment of State actors for cyber theft;91 an FBI cybercrime
investigator later admitted that "[t]he chance of us ever getting those Chinese
guys is about zero." 92 Enforcement of monetary penalties is similarly difficult:
the country that issues a judgment may be unable to enforce the judgment if the
perpetrator is not physically located there and does not hold assets there. As
Jack Goldsmith explains:
[A] nation can only enforce its laws against: (i) persons with a presence or assets in

LA
the nation's territory; (ii) persons over whom the nation can obtain personal
jurisdiction and enforce a default judgment against abroad; or (iii) persons whom
the nation can successfully extradite. . . . The large majority of persons who
IM
transact in cyberspace have no presence or assets in the jurisdictions that wish to
regulate their information flows in cyberspace. ..
.

In short, even if legislative and adjudicative jurisdiction can be established and

SH

a judgment is entered against the perpetrator, there is little real threat of

LU

89. See, e.g., Mansur Mirovalev & Colin Freeman, Russian Hacker Wanted by US Hailed as
Hero at Home, TELEGRAPH (June 7, 2014), http://www.telegraph.co.uk/news/worldnews/
europe/russia10883333/Russian-hacker-wanted-by-US-hailed-as-hero-at-home.html (explaining that
there is little likelihood of prosecuting a Russian national who reportedly distributed malware causing
PN

over $100 million in economic losses); US. Charges Russian FSB Officers and Their Criminal
Conspiratorsfor Hacking Yahoo and Millions of Email Accounts, U.S. DEP'T OF JUSTICE (Mar. 15,
2017), http://wwwjustice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-
hacking-yahoo-and-millions (noting that one of the FBI's Cyber Most Wanted criminals escaped to
H

Russia to avoid extradition); Message from the President of the United States Transmitting the
Agreement Between the Government of the United States of America and the Government of Hong
Kong for the Surrender of Fugitive Offenders, S. TREATY DOC. No. 105-3, at iii (1997) (noting "the
absence of an extradition treaty with the People's Republic of China").
90. Ariana Eunjung Cha, A Tempting Offer for Russian Pair, WASH. POST (May 19, 2003),
http://www.washingtonpost.com/archive/politics/2003/05/19/a-tempting-offer-for-russian-pair/2c6a5407
-8378-4939-8491-038efab2c5fb ("Not having an extradition treaty with Russia made the hackers case
more difficult to prosecute, says Stephen Schroeder, who worked on the case as a U.S. attorney.").
91. US. Charges Five Chinese Military Hackers for Cyber Espionage Against U.S.
Corporationsand a Labor Organizationfor CommercialAdvantage, U.S. DEP'T OF JUSTICE (May 19,
2014), http://www.justice.gov/opa/pr/us-charges-five-chinese-military-hackers-cyber-espionage-against-
us-corporations-and-labor (quoting Eric Holder stating that the case "represents the first ever charges
against a state actor for this type of hacking").
92. Adam Goldman & Matt Apuzzo, U.S. Faces Tall Hurdles in Detaining or Deterring
Russian Hackers, N.Y. TIMES (Dec. 15, 2016), http://www.nytimes.com/2016/12/15/us/politics/russian-
hackers-election.html.
93. Jack Goldsmith, Against Cyberanarchy, 65 U. CI. L. REv. 1199, 1216-17 (1998). For
Goldsmith, the limits of enforcement jurisdiction-i.e., the fact that in practice there is often no real
threat of extraterritorial legal liability-obviates the problem of overly broad legislative jurisdiction.
But, to the extent one believes in law as a constraining force, reliance upon the fact that foreign laws
may reveal themselves ex post to apply but cannot be enforced is unsatisfying. See David G. Post,
GoverningCyberspace: Law, 24 SANTA CLARA COMPUTER & HIGH TECH. L.J. 883, 893 (2008).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.374

 2018] TransnationalCyber Offenses 209

extraterritorial legal liability.

Domestic criminal law is thus often an ineffectual tool when it comes to
bringing foreign cyber criminals to justice. Domestic criminal law works when
a perpetrator commits a crime in one jurisdiction, which is empowered to
investigate the crime and arrest the perpetrator. Transnational cyber offenses
cross borders, giving rise to jurisdictional overlap and conflict. For such
offenses, "[t]he actions of individual states are insufficient" 94: solutions lie
beyond domestic criminal law.

III. ACCOUNTABILITY FOR TRANSNATIONAL CYBER OFFENSES:

INTERNATIONAL DISPUTE RESOLUTION

As the previous Parts have shown, neither international humanitarian law

nor domestic criminal law effectively regulates or deters transnational cyber
offenses. In the face of this challenge, some scholars have thrown up their
hands, concluding that cyberspace is "a largely ungovernable space," 9 5 While
computer scientists have prioritized preventive security measures.96 While

LA
prevention is, of course, essential, it must be coupled with some form of
accountability if we wish to avoid a Hobbesian reality in which victims of
cyber attacks take it upon themselves to hack back. 97 Put bluntly, if there is not
IM
a forum where businesses can bring complaints and receive some relief, victims
of cyber attacks will increasingly resort to cyber-vigilantism. 98
SH

It is difficult to know how frequently victims engage in self-help given

the uncertain legality of hacking back. 99 For well over a decade, companies
have complained that passive defense measures are insufficient to combat
cyber threats and have attempted self-defense measures.100 According to a 1999
LU
PN

94. Abraham D. Sofaer & Seymour E. Goodman, Cyber Crime and Security: The
TransnationalDimension, in THE TRANSNATIONAL DIMENSION OF CYBER CRIME AND TERRORISM 1, 30
(Abraham D. Sofaer & Seymour E. Goodman eds., 2001).
95. MARINELLA MARMO & NERIDA CHAZAL, TRANSNATIONAL CRIME AND CRIMINAL
H

JUSTICE 66 (2016).
96. See Joan Feigenbaum et al., Systematizing "Accountability" in Computer Science 1 (Yale
Dep't of Comput. Sci. Tech. Report No. 1452, 2012), http://dedis.cs.yale.edu/dissent/papers/trl452.pdf
("Traditionally, computer-science researchers have taken a preventive approach to security and privacy
in online activity." (emphasis omitted)); Joan Feigenbaum et al., Accountability and Deterrence in
Online Life (Extended Abstract), in PROCEEDINGS OF THE 3RD INTERNATIONAL WEB SCIENCE
CONFERENCE (2011), https://dl.acm.org/citation.cfm?id=2527031 ("The standard technical approach to
privacy and security in online life is preventive." (emphasis omitted)).
97. See THOMAS HOBBES, THE LEVIATHAN (1651) (describing the state of nature as a war of
all against all).
98. A decade ago, Curtis Kamow described a growing interest in hacking back, based on the
premise that "only a computer can react fast enough to ... disable the attacking machine." Karnow,
supra note 87, at 140. Conversations at the Spring 2017 Yale Cyber Leadership Forum made clear that
the interest in self-help has only increased. Yale Cyber Leadership Forum, Yale University (Mar. 30-
Apr. 1, 2017) (notes on file with Author).
99. See, e.g., COMM. ON OFFENSIVE INFO. WARFARE, NAT'L RES. COUNCIL OF THE NAT'L
ACADS., TECHNOLOGY, POLICY, LAW, AND ETHICS REGARDING U.S. ACQUISITION AND USE OF
CYBERATTACK CAPABILITIES 207 (William A. Owens et al. eds., 2009).
100. See, e.g., Paul A. Strassman, New Weapons of Information Warfare, COMPUTERWORLD
(Dec. 1, 2003), http://www.strassmann.com/pubs/computerworld/new-weapons.shtml ("Current
methods of blocking intruders aren't likely to be adequate to secure Internet commerce . . . .The cost of
launching attacks will decrease and the expense for defenses will escalate until it becomes prohibitive

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.375

 210 0THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

survey of Fortune 500 companies, approximately thirty percent of companies

had installed software that could launch counterattacks, and many of the
companies surveyed said they would rather rely on such counterstrikes than
involve law enforcement, 0 1 which some companies feared could affect their
reputation and stock price. 10 2 Moreover, "[h]ighly skilled private groups-
untethered from the many constraints and rules that bind governments-often
03
can be more nimble in pursuing bad actors in cyberspace."1 Hack-back tools
04
to fight fire with fire have now become commercially available;1 there is even
an underground market where banks and other large corporations can hire
contractors to shut down their attackers. 05
But, as Major General Brett Williams, former director of operations for
Cyber Command, noted, "[t]he fact that it's very easy for a civilian to take
actions that are normally reserved for law enforcement or military doesn't
make it right."1 06 Cyber-vigilantism is problematic for the same reason
07
vigilantism in the kinetic world is problematic : vigilantes can botch the
attack and alert offenders; vigilantes are not privy to government strategy and

LA
may interfere with legitimate law enforcement; vigilantism lacks the procedural
08
safeguards that ensure accuracy in identifying the offender; punishments
inflicted by vigilantes may not be proportionate to the initial offense; and, most
IM
importantly, vigilantes lack the accountability that lies at the heart of
democratic society. Put simply, "[i]t would be dangerous and short-sighted to
SH

delegate the roles of police, judge, jury, and punisher to private parties that
exist outside of the democratic system."1 0 9

for companies to pursue the current policy of adhering to static defensive measures."); Jay P. Kesan
LU
&

Ruperto P. Majuca, Hacking Back: Optimal Use of Self-Defense in Cyberspace 3 (Ill. Pub. Law and
Legal Theory Research Papers Series, Working Paper No. 08-20, 2009),
http://papers.ssm.com/sol3/papers.cfn?abstractid=1363932 ("[Miany firms feel that simply protecting
one's computer network with a defensive boundary is not adequate given today's hostile Internet
PN

environment ... [and] feel that hacking back is necessary in order to prevent further degradation to the
firm's systems and to deter or reform the hacker.").
101. Barbara Gengler, Strikeback, 1 COMPUTER FRAUD & SECURITY 8, 8-9 (1999).
102. Kesan & Majuca, supra note 100, at 2.
H

103. Jeff Kosseff, The Hazards of Cyber- Vigilantism, 32 COMPUTER L. & SECURITY REV. 642,
643 (2016).
104. In 2004, network infrastructure security company Symbiot Security Inc. launched a
program that offered several levels of graduated response to attacks. See Raksha Shetty, Associated
Press, Networks Lash Back at Cyber Hacks, CBS NEWS (June 18, 2004),
http://www.cbsnews.com/news/networks-lash-back-at-cyber-hacks/. That same year, Lycos Europe
briefly released a screensaver that, when used, launched DDoS attacks on span websites. See Lilian
Edwards, Dawn of the Death of DistributedDenial of Service: How to Kill Zombies, 24 CARDOZO ARTS
& ENT. L.J. 23, 33 (2006).
105. Wyatt Hoffman & Ariel (Eli) Levite, Private Sector Cyber Defense: Can Active Measures
Help Stabilize Cyberspace?, CARNEGIE ENDOWMENT FOR INT'L PEACE (June 14, 2017),
http://camegieendowment.org/2017/06/14/private-sector-cyber-defense-can-active-measures-help-
stabilize-cyberspace-pub-71236.
106. Major Gen. Brett Williams, Why Cyber-Vigilantism Cannot Be Tolerated, MSNBC (Jan.
13, 2015), http://www.msnbc.com/the-last-word/watch/why-cyber-vigilantism-cannot-be-tolerated-
383995459547.
107. Cf United States v. Fraser, 647 F.3d 1242, 1246 (10th Cir. 2011) ("Ours is not the rule of
vigilante justice but the rule of law.").
108. See, e.g., United States v. Morris, 549 F.3d 548, 551 (7th Cir. 2008) (noting that vigilantes
"might botch their investigation, alerting the offender in time for him to elude justice").
109. Kosseff, supra note 103, at 643.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.376

 2018] TransnationalCyber Offenses 211

This Part sketches possible solutions to the problem of regulating

transnational cyber offenses. Drawing upon existing models of international
dispute resolution and imagining new roles for international institutions, I offer
proposals for both civil and criminal liability. Crucially, these proposals are not
mutually exclusive: a robust accountability regime could combine an
international arbitration scheme to make victims whole with criminal
prosecution to deter cyber criminals. The same attentiveness to the
particularities of a given attack that counsels against reflexive reliance on either
domestic criminal law or international humanitarian law also motivates the
elaboration of a multi-pronged set of solutions. Transnational cyber offenses
can vary in intensity and geographic reach, can be conducted by individuals or
non-State actors, and can hit individuals, corporations, state entities, and
international organizations, among other victims. The appropriate legal tool
may be different from one case to the next; the aim of this Part is not to
prescribe but to propose new tools for the toolbox.

A. InternationalArbitrationand Civil Liability

LA
International arbitration offers one little-considered mechanism for
holding perpetrators of cyber attacks accountable. Even before the modem
IM
international arbitration regime emerged, countries used civil arbitration to
regulate transnational activity and resolve disputes. International arbitration is
SH

not only for disputes between nations, however. International civil arbitration
can also be used to hold private actors accountable, without impermissibly
undermining State sovereignty. 110
Today, international commercial arbitration operates under the United
LU

Nations Convention on the Recognition and Enforcement of Foreign Arbitral

Awards of 1958, more commonly known as the New York Convention.'" As
PN

of November 2017, 157 nations had ratified the Convention. 112 Aimed at
promoting international uniformity in the recognition and enforcement of
arbitral awards, the New York Convention imposes two sets of rules on the
H

national courts of member States. First, under Article 11(3), national courts in
member States must recognize arbitration agreements made between the
parties. When confronted with a dispute governed by an arbitration agreement,

110. For example, under treaties Britain entered into with other nations in the nineteenth
century, slave trade vessels could be seized by British vessels, and a so-called "mixed court" with
arbitrators from each country would decide whether the seizure was lawful. See Eugene Kontorovich,
The Constitutionality of InternationalCourts: The Forgotten Precedent of Slave-Trade Tribunals, 158
U. PA. L. REv. 39 (2009). If the seizure was unlawful, the "Seizor" was liable for payments. See, e.g,
An Act for Carrying Into Effect a Treaty Between Her Majesty and the Republic of Bolivia for the
Abolition of the Slave Trade 1843, 6 & 7 Vict. c. 14, arts. XVII-XIX.
111. United Nations Convention on the Recognition and Enforcement of Foreign Arbitral
Awards, June 10, 1958, 21 U.S.T. 2517, 330 U.N.T.S. 38 [hereinafter New York Convention]. One
commentator has described the Convention as "the most effective instance of international legislation in
the entire history of commercial law." Michael John Mustill, Arbitration: History and Background, 6 J.
INT'L ARB. 43, 49 (1989).
112. List of ContractingStates, N.Y. ARB. CONVENTION, http://www.newyorkconvention.org/
list+of+contracting+states (last visited Nov. 21, 2017).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.377

212 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

113
courts must refer the parties to arbitration if either party so requests. Second,
under Article III, the Convention requires States parties to recognize and
1 14
enforce arbitral awards issued in the territory of another State. The
Convention thus enables prevailing parties to collect on the assets of the losing
party, even when the latter resides in another jurisdiction.
The New York Convention's widely adopted system of civil
accountability for transnational wrongs could be harnessed to promote
accountability for transnational cyber offenses. In the commercial context,
businesses often agree to arbitration under the New York Convention, not only
because arbitral awards are enforceable worldwide, but also because arbitration
offers an efficient and confidential process with judges experienced in the
subject area and no possibility for appeal. In turn, making this dispute-
resolution channel available to businesses is an important reason why so many
States have chosen to ratify the Convention, despite having to sacrifice a
degree of sovereignty in the enforcement of foreign arbitral awards. In the
cyber context, software companies and Internet Service Providers could

LA
require, as part of their terms of service, that disputes relating to cyber attacks
be subject to arbitration. And because virtually every country in the world-
including countries like Russia that are seen as cybercrime havens-has been
IM
hit by malware and DDoS attacks, countries may be incentivized by their own
citizens and corporations to recognize the jurisdiction of an international
SH

arbitral body.
Significantly, there is precedent for tying a specialized arbitral scheme to
the New York Convention. The Court of Arbitration for Sport (CAS), founded
in 1984, harnesses the machinery of the New York Convention to resolve
LU

international sports-related disputes and to punish violators of international

1 15
norms quickly, impartially, and cost-effectively. The CAS is widely regarded
as the final decision-maker for international sports-related disputes, "to the
PN

exclusion of national courts." 1 6 Once the CAS renders a judgment, sports

organizations can enforce the judgment directly-for example, through bans on
registering or playing--or parties can apply to national courts, typically the
H

Swiss Federal Supreme Court, for enforcement under the New York
Convention.117
We might imagine a specialized arbitral tribunal for cyber-related

113. New York Convention, supra note 111, art. 11(3).

114. Id art. III.
115. See Matthieu Reeb, The Role and Functionsof the Court ofArbitrationfor Sport (CAS), in
TiE COURT OF ARBITRATION FOR SPORT 1984-2004, at 31, 31-39 (Ian S. Blackshaw et al. eds., 1st ed.
2006). Athletes before the CAS may also be subject to criminal proceedings in national courts. Louise
Reilly, An Introduction to the Court of Arbitrationfor Sport (CAS) & the Role of National Courts in
InternationalSports Disputes, 2012 J. DIsP. RESOL. 63, 63, 77.
116. Reilly, supra note 115, at 67; see also Tribunal fddral [TF] [Federal Supreme Court] May
27, 2003, III Arrdts du Tribunal Fdd6ral Suisse [ATF] 129 445 (Switz.), translated in 3 DIGEST OF CAS
AWARDS 2001-2003, at 674 (Matthieu Reeb ed., 2004). As with any arbitral proceeding, the parties
must consent to have their dispute heard by the CAS. Generally, consent arises out of an arbitration
clause inserted into a contract, into the statutes or regulations of sports-related associations, or into the
entry forms that athletes often sign to participate in sports events. See Reilly, supra note 115, at 66-67.
117. Reilly, supra note 115, at 76 & n.66.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.378

2018] TransnationalCyber Offenses 213

disputes, analogous to the CAS. A cyber arbitration body could issue civil
penalties for cyber infractions, with enforcement tied to the New York
Convention such that a cyber attacker's assets could be seized wherever they
may be located. Just as CAS arbitrators generally have recognized expertise in
sports and sports law, so too an arbitral tribunal for cyber issues could benefit
from arbitrators with technology expertise.
A cyber arbitration scheme could also be tailored to the unique features of
transnational cyber offenses. Individuals, corporations, or States could all sue
perpetrators. Class actions could also be permitted, allowing parties affected by
a malware or ransomware attack to aggregate their claims to meet harm
thresholds and, conceivably, to financially wipe out cyber villains. We could
even envision liability for parties that negligently fail to secure critical
infrastructure or fail to comply with cyber hygiene requirements, thereby
permitting their devices to become part of botnets.
There is already one international body within which a cyber arbitration
forum could reside. Under the aegis of the United Nations, the International

LA
Telecommunication Union (ITU) is a specialized agency that promotes
international cooperation relating to telecommunications infrastructure and
global technical standards. With a membership of 193 countries and nearly
IM
eight hundred private entities, the ITU has used its technical expertise to
support less technically sophisticated countries and to engage in Internet-
SH

related research and development.' 18 For example, the ITU in 2014 announced
the creation of a Global Cybersecurity Index to evaluate and compare
cybersecurity strategies worldwide.11 9 Additional ITU activities include
building capacity and helping countries establish national Computer Incident
LU

Response Teams.1 2 0 As a result of initiatives like these, there has been talk in
recent years of the ITU taking on a bigger role in Internet regulation.1 2 1
Proposals for the ITU to regulate the Internet have prompted outcries
PN

from those concerned that such regulation would destroy the open,
decentralized governance system envisioned by Paul Baran and other pioneers
of the early Internet.1 2 2 At worldwide telecommunications conferences in 2012
H

and 2014, a number of countries, including Russia and Saudi Arabia, rejected
proposals to expand the ITU's role in Internet governance, supposedly "to

118. About International Telecommunication Union, INT'L TELECOMM. UNION,

http://www.itu.int/en/about (last visited Nov. 19, 2017); ITUs 150 Years of Innovation, ITU NEWS,
May-June 2015, at 27-29, http://www.itu.int/en/itunews/Documents/2015_ITUNewsO3-en.pdf.
119. Global Cybersecurity Index (GCI) 2017, INT'L TELECOMM. UNION iii, 3 (July 19, 2017),
http://www.itu.int/dmsjpub/itu-d/opb/str/D-STR-GCI.01-2017-R1-PDF-E.pdf
120. CIRT Programme, INT'L TELECOMM. UNION, http://www.itu.int/en/ITU-D/
Cybersecurity/Pages/Organizational-Structures.aspx (last visited Nov. 29, 2017).
121. See, e.g., Johannes Thimm & Christian Schaller, Internet Governance and the ITU:
Maintaining the Multistakeholder Approach-The German Perspective, COUNCIL ON FOREIGN REL.
(Oct. 22, 2014), http://www.cfr.org/report/internet-governance-and-itu-maintaining-multistakeholder-
approach; Jyoti Panday, An Over-The-Top Approach to Internet Regulation in Developing Countries,
ELECTRONIC FRONTIER FOUND. (Oct. 23, 2017), http://www.eff.org/deeplinks/2017/10/over-top-
approach-internet-regulation-developing-countries.
122. Rebecca Mackinnon, The United Nations and the Internet: It's Complicated, FOREIGN
POL'Y (Aug. 8, 2012), http://foreignpolicy.com/2012/08/08/the-united-nations-and-the-internet-its-
complicated.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.379

214 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

correct historical imbalances resulting from the perceived dominance of the

[United States] over the internet."123 If international resistance could be
overcome, however, the ITU would seem to be a natural entity to call upon to
develop cyber regulations and to arbitrate disputes. A 2016 meeting of the ITU
Telecommunication Standardization Sector saw some significant compromises
on Internet governance, including agreements that governments should take on
a "broader policy role"; 12 4 that global, interoperable processes for sharing
information about cybersecurity incidents should be promoted; 1 25 and that the
ITU should assist member States in establishing a framework for "rapid
response to major incidents." 1 26
Two non-profit entities responsible for ensuring the reliable operation of
the Internet could also take on a bigger role in cyber security and cyber dispute
resolution. The Internet Engineering Task Force, an international open
standards organization, develops voluntary standards for the Internet to
promote interoperability and usability. The Internet Corporation for Assigned
Names and Numbers (ICANN) coordinates the global Domain Name System

LA
(DNS), performs technical maintenance on DNS root zone registries, and
manages IP address space. ICANN currently administers the Uniform Domain-
Name Dispute-Resolution Policy (UDRP), a system for resolving disputes
IM
related to trademarks and Internet domain name registration. The UDRP
administrative adjudication process could serve as a model for arbitrating
SH

disputes involving transnational cyber offenses. As of October 1, 2016, ICANN

is no longer subject to U.S. government oversight, 12 7 potentially making it
more likely that other countries would accept a greater regulatory role for
ICANN.
LU

Whether tied to an existing entity like the ITU or ICANN or entirely

independent, an international civil arbitration system that allows victims of
transnational cyber offenses to seek redress for losses could obviate the
PN

temptation to hack back. Further, the potential for individual victims to

aggregate claims and obtain significant damages awards could meaningfully
deter would-be cyber attackers. Of course, erecting an international arbitration
H

system for cyber actions would present its own set of challenges that would
have to be overcome-including developing an arbitration agreement
analogous to the CAS and requiring or incentivizing Internet users to agree to
submit to arbitration. Still, international civil arbitration tied to the New York

123. Sheetal Kumar, Cybersecurity: What's the ITU Got To Do With It? (July 9, 2015),
http://www.gp-digital.org/cybersecurity-whats-the-itu-got-to-do-with-it (internal quotation marks
omitted).
124. ITU WTSA 2016 Outcomes: An Internet Society Perspective, INTERNET SOC'Y 1 (Nov. 22,
2016), http://www.internetsociety.org/wp-content/uploads/2017/08/ISOC-WTSAl6-Outcomes-201611
22.pdf (internal quotation marks omitted).
125. World Telecomm. Standardization Assembly, Resolution 50 - Cybersecurity, TELECOMM.
STANDARDIZATION SECTOR OF ITU 4 (2016), http://www.itu.int/dms_pub/itu-t/opb/res/T-RES-T.50-
2016-PDF-E.pdf
126. Id at 5.
127. Press Release, ICANN, Stewardship of IANA Functions Transitions to Global Internet
Community as Contract with U.S. Government Ends (Oct. 1, 2016), http://www.icann.org/
news/announcement-2016-10-01-en.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.380

2018] TransnationalCyber Offenses 215

Convention offers one possible new weapon in the legal arsenal for combating
transnational cyber offenses.

B. TransnationalCriminalLaw

In addition to civil remedies for victims, a robust liability scheme for

transnational cyber offenses ought also to include criminal penalties. As
Section II.B demonstrates, relying on individual States to apply their penal law
is inadequate. Countries without strong legal sanctions for cyber criminals
can-either advertently or inadvertently, by design or by neglect-become
havens for cybercrime. 128 One solution is therefore to harmonize laws across
countries and to promote international cooperation on law enforcement,
developing a transnational criminal law regime. While purely domestic crimes
are criminalized only at the election of the State, and international law crimes
create individual penal responsibility under international law, transnational
criminal law indirectly creates criminal liability by imposing obligations on
States to enact certain domestic penal laws. 12 9

LA
Legal harmonization is an important part of developing a transnational
criminal law for transnational cyber offenses. At a minimum, every country
IM
ought to enact laws prohibiting core cybercrimes, such as the deliberate release
of malware. But international cooperation at the level of enforcement is also
important. Countries should commit to assist one another with real-time
SH

collection of traffic data, and technologically sophisticated countries should

provide training to less technologically advanced countries. Additionally,
provided there is reasonable cause for suspicion, countries in which evidence is
found should be required to turn over evidence, such as computer hard drives,
LU

for investigation in other countries that may wish to attempt to decrypt files. A
global agency, similar to Interpol, could also be charged with developing
PN

digital forensics techniques and conducting investigations to support national

prosecutions. These proposals for developing international law norms of
information-sharing and for assimilating those norms into domestic law suggest
H

how transnational criminal law could promote accountability: countries would

have to sacrifice a degree of State sovereignty as a precondition for more
effective prosecutions of transnational cyber offenses.
Proposals for increasing criminal enforcement of cyber offenses are often
met with concerns about attribution. 13 0 In fact, the problem of attribution may
be overstated. To be sure, the architecture of the Internet is built to ensure
anonymity, complicating technical attribution. But legal attribution, even in the
kinetic world, often relies upon the accumulation of multiple incomplete pieces

128. Brenner, supra note 42, at 209.

129. See generally NEIL BOISTER, AN INTRODUCTION TO TRANSNATIONAL CRIMINAL LAW
(2012) (providing an overview of the features of developing transnational criminal law); Neil Boister,
TransnationalCriminalLaw?, 14 EuR. J. INT'L L. 953 (2003) (coining the term "transnational criminal
law").
130. See, e.g., P.W. SINGER & ALLAN FRIEDMAN, CYBERSECURITY AND CYBERWAR: WHAT
EVERYONE NEEDS TO KNOW 73 (2014) ("Perhaps the most difficult [cybersecurity] problem is that of
attribution.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.381

216 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

of evidence, forensic tools with less-than-perfect accuracy, inferences, analysis

of motive, and judgment.13 ' Those same strategies can be applied in the cyber
context to find individuals criminally liable "beyond a reasonable doubt." 3 2 To
the extent a prosecution in one country depends upon evidence obtained in
another country that reveals sensitive information about the latter country's
information-gathering capacities, States could commit to requiring that courts
review sensitive evidence in camera and to sealing the court records.' 33 W ie
evidentiary issues in the cyber context are no doubt complex, attribution is a
nuanced process that could benefit from the skills and resources-both
technical and non-technical-of States acting together.
Some efforts to foster international cooperation along these lines are
already underway. In 1997, the G-8 countries established the "24/7 Network of
Contact Points" ("24/7 Network") for data preservation. Presently consisting of
approximately seventy member countries, the G-8 24/7 Network allows
countries to solicit the urgent assistance of other countries in cybercrime
matters in order to preserve data for subsequent transfer through mutual legal

LA
assistance agreements.' 34 The 24/7 Network is just a first step; the United
Nations General Assembly has repeatedly called for a global framework to
protect cyber infrastructure and combat cybercrime.1 35 Several countries have
IM
also formed interjurisdictional task forces to address transnational
cybercrime,' 3 6 and the ITU has drafted model cybercrime legislation and
SH

compiled resources to assist countries in drafting their own cybercrime laws

and procedural rules.1 37
The most important step toward a transnational criminal law for cyber
offenses to date is the Budapest Convention on Cybercrime.1 38 Drafted by the
LU

131. See Thomas Rid & Ben Buchanan, Attributing Cyber Attacks, 38 J. STRATEGIC STUD. 4, 6
PN

(2014) (explaining that attribution is an art as well as a science).

132. The standard of proof for a civil liability scheme such as that discussed in Section IIIA,
supra, would presumably be lower; as I suggest, strict liability may even be appropriate for failure to
secure critical infrastructure or to comply with cyber hygiene rules. See supra p. 213.
H

133. Examples ofjudicial procedures for ensuring the confidentiality of information include the
Foreign Intelligence Surveillance Act (FISA) courts in the United States, closed material procedures
(CMPs) pursuant to the Justice and Secrecy Act in the United Kingdom, and special magistrate
procedures pursuant to the Act on Shielded Witnesses in the Netherlands.
134. Leslie R. Caldwell, Assistant Attorney General, Remarks at the CCIPS-CSIS Cybercrime
Symposium 2016: Cooperation and Electronic Evidence Gathering Across Borders, U.S. DEP'T OF
JUSTICE (June 6, 2016), http://www.justice.gov/opalspeech/assistant-attomey-general-leslie-r-caldwell-
speaks-ccips-csis-cybercrime-symposium-2016. The Office of International Affairs within the
Department of Justice's Criminal Division saw a 1,000 percent increase in formal requests for computer
records stored in the United States between 2000 and 2016. Id.
135. See, e.g., Creation of a Global Culture of Cybersecurity and the Protection of Critical
Information Infrastructures, G.A. Res. 58/199 (Jan. 30, 2004); Creation of a Global Culture of
Cybersecurity, G.A. Res. 57/239 (Jan. 31, 2003); Combating the Criminal Misuse of Information
Technologies, G.A. Res. 56/12 (Jan. 23, 2002); Combating the Criminal Misuse of Information
Technologies, G.A. Res. 55/63 (Jan. 22, 2001).
136. Deb Shinder, What Makes Cybercrime Laws So Difficult To Enforce, TECHREPUBLIC (Jan.
26, 2011, 4:05 AM PST), http://www.techrepublic.com/blog/it-security/what-makes-cybercrime-laws-
so-difficult-to-enforce.
137. See Int'l Telecomm. Union, ITU Toolkit for Cybercrime Legislation (2010),
http://www.cyberdialogue.ca/wp-content/uploads/2011/03/ITU-Toolkit-for-Cybercrime-Legislation.pdf.
138. Council of Europe Convention on Cybercrime, opened for signatureNov. 23, 2001, S.
TREATY Doc. No. 108-11 (2006), E.T.S. No. 185 (entered into force July 1, 2004) [hereinafter

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.382

2018] TransnationalCyber Offenses 217

Council of Europe and adopted in 2001, the Budapest Convention has so far
been ratified or acceded to by fifty-six States, largely European nations but also
the United States, Canada, Australia, Israel, and Japan.1 3 9 It represents, in
former Secretary of State John Kerry's words, "[t]he best . .. legal framework
for working across borders to define what cyber crime is and how breaches of
the law should be prevented and prosecuted."140
The Budapest Convention assumes that criminal prosecutions will
continue to take place at the level of the State but aims to harmonize national
laws and promote international cooperation on evidence-gathering. Member
States have jurisdiction over any offense that occurs in their territory,
regardless of where the attacker is located. Additionally, States have
jurisdiction over offenses committed by their nationals, provided that the
offense was punishable under the criminal law of the State where it was
committed or was committed outside the territorial jurisdiction of any State.141
Further, the Convention facilitates mutual assistance and extradition by
allowing for the Convention itself to be used as an extradition or legal

LA
assistance treaty in the absence of any preexisting MLAT between the relevant
States.1 42
While the Budapest Convention is an important step, so far it remains
IM
largely symbolic. Many important States, including Brazil, Russia, India, and
China, have refused to join the Budapest Convention. Russia-the only
SH

Council of Europe nation not to have signed-insists that granting foreign

countries access to stored data could undermine national security and
sovereignty and has put forward its own alternative proposal.1 43 Until the
Budapest Convention is universally adopted, countries like Russia and China
LU

can continue to shelter cyber criminals from prosecution.1 44 Additionally, many

States that have formally ratified the Budapest Convention have yet to pass
new domestic legislation to implement its provisions, while other countries
PN

have opted out of various provisions by making reservations. 14 5 Finally, the

Convention provides only vague definitions of several key terms and does not
elaborate the elements required for various offenses, leaving such details to
H

Budapest Convention].
139. Chart of Signatures and Ratifications of Treaty 185-Convention on Cybercrime,
COUNCIL OF EuR. (Apr. 20, 2017), http://www.coe.int/en/web/conventions/full-list/-
/conventions/treaty/1 85/signatures. The membership count is current as of November 27, 2017.
140. John Kerry, Secretary of State, Remarks at Korea University in Seoul, South Korea, An
Open and Secure Internet: We Must Have Both (May 18, 2015), http://www.voanews.com/a/text-of-
john-kerrys-remarks-in-seoul-on-open-and-secure-internet/2776139.htnl.
141. Budapest Convention, supra note 140, art. 22(1).
142. Id arts. 24(3), 27(1).
143. See Russia Prepares New UN Anti-Cybercrime Convention-Report, RT (Apr. 14, 2017),
http://www.rt.com/politics/384728-russia-has-prepared-new-international. The Russian Foreign
Ministry prepared its own draft convention, which it presented to U.N. experts in April 2017. The
Russian draft convention proposes certain forms of international cooperation but contains a special
paragraph on the protection of national sovereignty, which critics see as part of Russia's attempt to
tighten State control over the Internet. See id.
144. See SUSAN W. BRENNER, CYBERCRIME: CRIMINAL THREATS FROM CYBERSPACE 210
(2010).
145. Nancy E. Marion, The Council ofEurope's Cyber Crime Treaty: An Exercise in Symbolic
Legislation, 4 INT'L J. CYBER CRIMINOLOGY 699, 703, 705 (2010).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.383

218 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

State discretion. 1 46 As a result, notwithstanding the promise of legal

harmonization, inconsistencies in cybercrime legislation and enforcement
remain.
Several features of the Convention have also proven controversial. First,
there is no dual criminality provision, meaning that activity does not have to be
illegal in both the State requesting foreign cooperation and the State whose
assistance is requested. A State could therefore be required to investigate acts it
considers legal. 14 7 Second, the Convention requires signatory States to have
broad surveillance powers. Article 21 provides that States should collect or
record-or compel an Internet Service Provider to collect or record-real-time
traffic data associated with online communications,148 while Article 32 allows
law enforcement in one member State to conduct an extraterritorial
investigation in another State without notifying that State's authorities.14 9 A
few commentators have argued that the Convention does not go far enough in
authorizing data collection and sharing among States. For example, the
Convention does not authorize unilateral cross-border searches, even in

LA
emergency situations, instead requiring that nations consult with local officials
before seizing data.so Many other commentators and civil liberties groups,
however, have raised privacy concerns, objecting to the fact that the
IM
Convention incorporates the United States' lesser privacy protections rather
than Europe's higher standards of data protection."'
SH

Concerns about individual privacy may represent the biggest obstacle to

the development of a true transnational criminal law of cyber and to the deep
international law enforcement cooperation on which national prosecutions
often depend. When it comes to the Budapest Convention, though, concerns
LU

about privacy may be overblown. Article 15 of the Budapest Convention

explicitly provides that each Party shall ensure that the implementation of the
Convention is subject to the safeguards provided under its domestic law and
PN

respects human rights and liberties. 152 The Convention also does not prevent
member States from submitting to stricter privacy standards, like those found in
the Council of Europe's Data Protection Convention. 1 53
H

Moreover, from a U.S. perspective at least, international cooperation

146. See, e.g., Shannon L. Hopkins, Cybercrime Convention: A Positive Beginning to a Long
RoadAhead, 2 J. HIGH TECH. L. 101, 113 (2003).
147. Marion, supra note 145, at 704.
148. Budapest Convention, supra note 138, art. 21(1).
149. Id. art. 32(b) ("A Party may, without the authorisation of another Party ... access or
receive, through a computer system in its territory, stored computer data located in another Party, if the
Party obtains the lawful and voluntary consent of the person who has the lawful authority to disclose the
data to the Party through that computer system.").
150. JACK GOLDSMITH & TIM Wu, WHO CONTROLS THE INTERNET?: ILLUSIONS OF A
BORDERLESS WORLD 166-67 (2006).
151. See, e.g., Marion, supra note 145, at 705; Brenner, supra note 42, at 215; Jonathan
Clough, A World of Difference: The Budapest Convention on Cybercrime and the Challenges of
Harmonization,40 MONASH U. L. REv. 698, 711 (2014).
152. Budapest Convention, supra note 138, art. 15.
153. Convention for the Protection of Individuals with Regard to Automatic Processing of
Personal Data, Council of Europe, ETS No. 108 (Jan 28, 1981), http://www.coe.int/en/web/
conventions/full-list/-/conventions/rms/0900001680078b37.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.384

2018] TransnationalCyber Offenses 219

could potentially promote rather than undermine respect for individual privacy.
Perpetrators of transnational cyber offenses do not have a reasonable
expectation of privacy in malware; code and other information knowingly
exposed to the public or shared widely with third parties are not protected
under the Fourth Amendment, 15 4 nor are communications that have been
received by the intended recipient.155 Physical hard drives and server data,
though, may be protected by the Fourth Amendment. Currently, under the
exigent circumstances exception to the warrant requirement, law enforcement
can lawfully search electronic evidence that is in imminent danger of
destruction. Given concerns about data being perishable-for example, if it is
overwritten or if a device is set to delete information after a certain amount of
time-law enforcement may be more likely to rely on the exigent
circumstances exception to avoid the warrant requirement.156 But if police can
rely on other countries to effectuate cross-border preservation requests in
accordance with the Budapest Convention, they may be less likely to resort to
the exigent circumstances exception.

LA
Conversely, if the U.S. government cannot rely on obtaining information
relevant to an ongoing investigation from other countries, it may be more likely
to try to obtain more data across the board and to retain that data for indefinite
IM
periods. 157 Thus, rather than enabling law enforcement to evade Fourth
Amendment privacy protections for U.S. residents by relying on other
SH

countries, international cooperation on cyber investigations could in fact

empower law enforcement to seek appropriate permissions before searching
private electronic devices or data. Furthermore, when assessing the privacy
risks associated with international cooperation, countries should also factor in
LU

the privacy risks associated with the threat of more frequent cyber attacks. If
cyber attackers can hack into computers and access files with impunity,
allowing law enforcement to collect, review, and share data subject to strict
PN

procedural rules may be preferable.

In sum, the Budapest Convention and other efforts to promote
international cooperation on cybercrime legislation, investigation, and
H

prosecution are promising, insofar as they recognize that cyber threats often
cannot be solved by individual countries acting alone. Ultimately, the
Convention's proposals, such as requiring countries to assist with national

154. See Katz v. United States, 389 U.S. 347, 351 (1967) ("What a person knowingly exposes
to the public, even in his own home or office, is not a subject of Fourth Amendment protection."
(citations omitted)).
155. See, e.g., United States v. King, 55 F.3d 1193, 1196 (6th Cir. 1995) (holding that a
sender's expectation of privacy in a letter "terminates upon delivery").
156. Law enforcement can also obtain consent to electronic searches from infrastructure
providers that own computer equipment relevant to an investigation. See United States v. Matlock, 415
U.S. 164, 171 (1974) (holding that any third party that has joint access or control over premises or
effects can consent to a search even if an absent co-user objects).
157. Recently, the Second Circuit suggested that such overseizure and retention of digital files
may be permissible under the Fourth Amendment. See United States v. Johnson, 824 F.3d 199, 211-15
(2d Cir. 2016) (en banc) (distinguishing digital files from files in a filing cabinet and observing that the
"interspersion [of digital files] throughout a digital storage medium . . may affect the degree to which it
is feasible, in a case involving search pursuant to a warrant, to fully extract and segregate responsive
data from non-responsive data").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.385

220 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

investigations and prosecutions, are largely traditional. By preserving the

"localized, decentralized system of law enforcement we have had for
centuries," the Budapest Convention may not be able to meet the challenge of
punishing and reining in transnational cyber offenses." 8 However, if more
countries continue to ratify the Budapest Convention, if concerns about privacy
can be overcome, and if transnational norm entrepreneurs support States in
implementing and complying with the Convention's provisions, the first major
international cybercrime treaty may yet prove to be an important instrument for
fighting cybercrime. Further, as technology evolves, new protocols can be
added to the Convention to strengthen its effectiveness: for example, the Cloud
Evidence Group is currently preparing an additional protocol on access for
criminal justice purposes to evidence stored on file servers in the cloud. 1 59
Given the traction that the Budapest Convention has already gained, engaging
in diplomatic efforts to bring in new stakeholders and entertaining
compromises on certain human rights provisions may be the best way to
harmonize the international regulatory environment and to promote

LA
accountability through transnational criminal law.

C. InternationalCriminalLaw
IM
While legal harmonization and international cooperation could facilitate
criminal enforcement at the national level, international criminal law offers
SH

another possible accountability mechanism. Prosecution of cybercrimes as

international offenses could take place before the International Criminal Court
(ICC), or before a sui generis international criminal tribunal for cyber offenses.
LU

Presently, the 1IC probably does not have subject-matter jurisdiction

over cyber crimes. The Rome Statute establishes the jurisdiction of the ICC
over four crimes-the crime of genocide, crimes against humanity, war crimes,
PN

and crimes of aggression. 160 Cyber offenses are not specifically recognized
anywhere in the Rome Statute and likely do not fit any of the categories of
crimes the ICC can hear.
H

Some commentators have suggested that cyber attacks could constitute

crimes of aggression. 1 61 As originally drafted, the Rome Statute listed the crime
of aggression in Article 5 as one of the four crimes over which the ICC had
jurisdiction but did not provide a definition of the crime that would enable
prosecutions. 16 2 After the Rome Statute entered into force in 2002, the States

158. THE HISTORY OF INFORMATION SECURITY: A HANDBOOK 717 (Karl de Leeuw & Jan
Bergstra eds., 2007).
159. Cloud Evidence Grp., Cybercrime: Towards a Protocol on Evidence in the Cloud,
COUNCIL OF EUR. (June 8, 2017), http://www.coe.intlen/web/cybercrime/-/cybercrime-towards-a-
protocol-on-evidence-in-the-cloud.
160. Rome Statute of the International Criminal Court art. 5(1), July 17, 1998, 2187 U.N.T.S.
90 [hereinafter Rome Statute].
161. See, e.g., Chance Cammack, The Stuxnet Worm and Potential Prosecution by the
InternationalCriminalCourt Under the Newly Defined Crime ofAggression, 20 TUL. J. INT'L & COMP.
L. 303 (2011).
162. See Rome Statute, supra note 160, art. 5(2) ("The Court shall exercise jurisdiction over the
crime of aggression once a provision is adopted in accordance with articles 121 and 123 defining the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.386

 2018] TransnationalCyber Offenses 221

parties established a Special Working Group on the Crime of Aggression,

charged with drafting a definition of the crime and setting out the conditions
under which the ICC would exercise jurisdiction.163 At a conference in
Kampala in 2010, the States parties adopted a definition and jurisdictional
regime for the crime of aggression. 16 Since then, thirty-four States have
ratified or accepted the Kampala amendments. 16 5 States parties must
additionally activate the Court's jurisdiction over crimes of aggression by a
two-thirds majority.166
Even assuming the ICC's jurisdiction is activated for crimes of
aggression, the definition of the crime of aggression in the Rome Statute
amendment is limited to persons "in a position effectively to exercise control
over or to direct the political or military action of a State."167 By limiting
potential culpability to those with direct political or military control, the so-
called "leadership clause" excludes most perpetrators of transnational cyber
offenses. Cyber offenses rarely occur in the context of a strict chain of
command; most are carried out "by individuals with only tenuous affiliations to

LA
a collective," 6 8 and those collectives may or may not be affiliated with, or
sponsored by, a State. At least one commentator has suggested that, in
exceptional cases, a DDoS attack may meet the leadership clause requirements
IM
insofar as the attacker effectively controls the victim State, such as when
Russian DDoS attackers crippled the Georgian government's ability to act or to
SH

communicate with its own people.1 6 9 Still, in most cases, limiting ICC
jurisdiction to high-level State actors prevents regulation even of cyber
offenses with major international repercussions.
An additional challenge for prosecuting cybercrimes as crimes of
LU

aggression is the list of acts of aggression provided in Article 8 bis of the Rome
Statute, adopted at Kampala.1 7 0 Those actions include an armed invasion,
bombardment, and blockade by the traditional armed forces of another State.
PN

crime and setting out the conditions under which the Court shall exercise jurisdiction with respect to this
H

crime.").
163. See Stefan Barriga, Against the Odds: The Results of the Special Working Group on the
Crime ofAggression, in THE PRINCETON PROCESS ON THE CRIME OF AGGRESSION: MATERIALS OF THE
SPECIAL WORKING GROUP ON THE CRIME OF AGGRESSION, 2003-2009, at 1 (Stefan Barriga et al. eds.,
2009).
164. See generally Claus Kress & Leonie von Holtzendorff, The Kampala Compromise on the
Crime ofAggression, 8 J. INT'L CRIM. JUST. 1179 (2010).
165. Amendments on the Crime ofAggression to the Rome Statute of the InternationalCriminal
Court, U.N. TREATY COLLECTION, http://treaties.un.org/Pages/ViewDetails.aspxsrc=TREATY
&mtdsg~no=XVIII-10-b&chapter-18. The count is current as of November 28, 2017.
166. Rome Statute, supra note 160, art. 15(3)bis (providing that jurisdiction over the crime of
aggression in situations where the case is referred by a State party or by the Prosecutorproprio motu can
be activated by "the same majority of States Parties as is required for the adoption of an amendment to
the Statute"); id. art 15(3)ter (providing that jurisdiction over the crime of aggression in situations where
the case is referred by the Security Council can be activated by "the same majority of States Parties as is
required for the adoption of an amendment to the Statute"); id. art. 121(3) (providing that adoption of an
amendment requires a two-thirds majority).
167. See id. art. 8(1)bis.
168. Ophardt, supranote 20, ¶ 46.
169. Id.T48.
170. Rome Statute, supranote 160, art. 8(2)bis.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.387

 222 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191
'

While the phrasing of the definition suggests that the list is exemplary, rather
than exhaustive, it is not clear whether cybercrime could qualify as an act of
aggression. The enumerated examples all involve the use of armed force, which
transnational cyber offenses typically do not, as noted in Section II.A. Cyber
attacks resulting in physical damage could conceivably count as crimes of
aggression if the list were understood to be merely illustrative, but standard
DDoS attacks that disrupt service and cause even significant economic harm
would not qualify.
Another possibility for ICC jurisdiction might be to treat transnational
cybercrimes as war crimes. Article 8 of the Rome Statute provides jurisdiction
over war crimes and enumerates several categories of war crimes, including
grave beaches of the Geneva Conventions and violations of other laws
71
applicable in international armed conflict. Most relevant to the cyber context,
war crimes include the "extensive destruction and appropriation of property,
not justified by military necessity and carried out unlawfully and wantonly" in
172
violation of the 1949 Geneva Conventions, and attacks on civilian objects

LA
that are not military objectives.1
73
To the extent a cyber attack destroys, rather
than simply interferes with, civilian data and communications, cyber attacks
carried out in the context of armed conflict could conceivably rise to the level
IM
of war crimes. However, it bears emphasizing that war crimes necessarily
entail a breach of international humanitarian law; as the previous Part showed,
SH

international humanitarian law does not apply neatly to cyber operations and,
insofar as it does, very few cyber operations to date qualify as attacks subject to
international humanitarian law. Moreover, Article 22 emphasizes the principle
of nullum crimen sine lege, according to which a person shall not be criminally
LU

liable unless the conduct was clearly criminal. The definition of a crime is to be
strictly construed and interpreted in favor of the defendant and is not to be
extended by analogy.1 74 As a result of this inflexibility, cybercrimes that were
PN

not explicitly contemplated in Article 8 would be unlikely to qualify as war

crimes.175 At least as currently drafted, then, the ICC's Rome Statute offers a
useful model for prosecuting crimes with international effects but would not
H

likely cover transnational cyber offenses.

The Rome Statute could be amended, however, to expand the jurisdiction
of the ICC to cover grave cyber offenses. Another solution would be to create a
new international criminal tribunal with specialized competency in computer
technology.1 7 6 Along these lines, Stein Schjolberg, a former Norwegian judge
and an international expert on cybercrime, has long called for an International
Criminal Tribunal for Cyberspace and has published a Draft United Nations

171. Id. art. 8(2)(a)-(b).

172. Id. art. 8(2)(a)(iv).
173. Id. art. 8(2)(b)(ii).
174. Id. art. 22.
175. See Davis Brown, A Proposalfor an InternationalConvention to Regulate the Use of
Information Systems in Armed Conflict, 47 HARV. INT'L L.J. 179, 212-13 (2006).
176. See, e.g., Stahl, supra note 4, at 272 ("At the very least, the existence of an international
tribunal with universal jurisdiction over acts of cyberaggression would deter such acts and provide a
venue for prosecution where nations otherwise often refuse to prosecute such acts.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.388

 2018] TransnationalCyber Offenses 223

Treaty on an International Criminal Court or Tribunal for Cyberspace. 177

The availability of an international criminal tribunal, whether the ICC or
a specialized tribunal, would mitigate many of the problems of State
jurisdiction, including jurisdiction shopping, conflict of laws difficulties, and
the challenge of cross-border collaboration on evidence-gathering and
enforcement. Recent evidence suggests that international criminal tribunals can
deter some criminal activity, particularly by governments and rebel groups
seeking legitimacy.' 78 Moreover, ICC investigations can expose government
corruption and unwillingness to comply with international standards,
eventually increasing domestic prosecutions in the intermediate term. 179 Thus,
international criminal prosecutions of cyber criminals could help to deter cyber
offenses on multiple levels.
International law offers two possible ways an international criminal
tribunal could obtain jurisdiction over an alleged perpetrator of a transnational
cyber offense: universal jurisdiction and complementarity.

1. UniversalJurisdiction

LA
Universal jurisdiction, recognized for centuries as applicable to piracy
IM
offenses, offers one solution to the problems of territorial jurisdiction when it
comes to criminal liability.180 Rooted in "the accused's attack upon the
international order as a whole," 18' universal jurisdiction enables an
SH

international criminal tribunal (or the courts of any nation) to claim criminal
jurisdiction over an accused, regardless of where the crime occurred. Criminal
law typically requires some sort of nexus between the prosecuting State and the
offense, such as the offense being committed in that State's territory or by a
LU

national of that State. But pirates, considered hostis humani generis-anenemy

of mankind 182 -could historically be prosecuted wherever they were found. In
PN

the modern era, piracy continues to be subject to prosecution by any nation

under the United Nations Convention on the Law of the Sea (UNCLOS), as
H

177. STEIN SCHJOLBERG, THE THIRD PILLAR FOR CYBERSPACE: AN INTERNATIONAL COURT OR
TRIBUNAL FOR CYBERSPACE (9th ed. 2014), http://www.cybercrimelaw.net/documents/140626_
DraftTreatytext.pdf.
178. See, e.g., Hyeran Jo & Beth A. Simmons, Can the International Criminal Court Deter
Atrocity?, 70 INT'L ORG. 443 (2016); Shanay M. Murdock, The International Criminal Court: An
Analysis of the Prevention and Deterrence of Atrocity Crimes (2015) (unpublished manuscript),
http://commons.lib.niu.edu/bitstream/handle/10843/16390/INTL%20301%20%26%20401%20-
%2OICC%20Capstone%2OPaper.pdf.
179. See Geoff Dancy & Florencia Montal, Unintended Positive Complementarity: Why
International Criminal Court Investigations Increase Domestic Human Rights Prosecutions (2015)
(unpublished manuscript), http://www2.tulane.edu/liberal-arts/political-science/upload/Dancy-Montal-
IO-2014.pdf.
180. See Eugene Kontorovich, The Piracy Analogy: Modern Universal Jurisdiction'sHollow
Foundation,45 HARV. INT'L L.J. 183, 184 (2004). Compare RESTATEMENT (SECOND) OF THE FOREIGN
RELATIONS LAW OF THE UNITED STATES § 34 (AM. LAW INST. 1965) (listing piracy as the only
universal crime) with RESTATEMENT (THIRD) OF THE FOREIGN RELATIONS LAW OF THE UNITED STATES
§ 404 (AM. LAW. INST. 1987) (enumerating several universal crimes, including war crimes and
genocide).
181. ROSALYN HIGGINS, PROBLEMS AND PROCESS: INTERNATIONAL LAW AND How WE USE IT
58 (1995) (citation omitted).
182. See 3 EDWARD COKE, INSTITUTES ON THE LAWS OF ENGLAND 113 (1797).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.389

224 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

183
well as under customary international law. Cyber criminals, too, might be
considered hostis humani generis: cyber space can be thought of as the
modem-day "high seas" and transnational cyber offenses the equivalent of
184
pirates' indiscriminate acts of depredation.
Scholars often assume that universal jurisdiction for piracy is justified
185
only because no State has jurisdiction over the high seas. However, the Court
of Appeals for the D.C. Circuit has held that, as Article § 101(c) of UNCLOS,
which criminalizes the facilitation of privacy, does not explicitly mention the
high seas, aiding and abetting piracy does not need to take place on the high
1 86
seas to be illegal under the Convention. Thus, it is not a prerequisite for a
finding of universal jurisdiction that the crime take place outside the territorial
jurisdiction of any country. As applied to the cyber context, the fact that some
countries could have jurisdiction to prosecute a crime should not preclude the
application of universal jurisdiction to transnational cyber offenses.
Perhaps a better justification for universal jurisdiction over piracy is that
it endangers international trade.' Transnational cyber offenses can similarly

LA
threaten international trade, such as when DDoS attacks disable access to major
commercial websites, or when ransomware attacks threaten the destruction of
international corporations' records and files. By the same logic, then, severely
IM
disruptive transnational cyber offenses could, like piracy, be subject to
88
universal jurisdiction.1
SH

The challenge in applying universal jurisdiction to the cyber context is

defining the scope of threats for which universal jurisdiction is authorized. The
scope must be defined narrowly enough to prevent countries like Russia and
China from taking advantage of universal jurisdiction to shut down online
LU
PN

183. United Nations Convention on the Law of the Sea art. 105, openedfor signature Dec. 10,
1982, 1833 U.N.T.S. 397 (entered into force Nov. 16, 1994). Section 404 of the Restatement of Foreign
Relations reflects the consensus of the international community and provides that states can have
jurisdiction over "certain offenses recognized by the community of nations as of universal concern, such
as piracy, slave trade, attacks on or hijacking of aircraft, genocide, war crimes, and perhaps certain acts
H

of terrorism." RESTATEMENT (THIRD) OF THE FOREIGN RELATIONS LAW OF THE U.S. § 404 (AM. LAW
INST. 1987).
184. See Jennifer J. Rho, Blackbeards of the Twenty-First Century: Holding Cybercriminals
Liable under the Alien Tort Statute, 7 Cm. J. INT'L L. 695, 696, 709 (2007).
185. See, e.g., Eugene Kontorovich, A Guantanamo on the Sea: The Difficulty ofProsecuting
Pirates and Terrorists, 98 CAL. L. REv. 243, 253 (2010) (stating that "the international law of piracy
applies only on the 'high seas"').
186. United States v. Ali, 718 F.3d 929, 935-38 (D.C. Cir. 2013). But see id. at 937 (strongly
suggesting that "a facilitative act need not occur on the high seas so long as its predicate offense has"
(emphasis added)).
187. See, e.g., United States v. Yousef, 327 F.3d 56, 104 (2d Cir. 2003) (citing "the threat that
piracy poses to orderly transport and commerce between nations" as a basis for universal jurisdiction for
piracy); Yvonne M. Dutton, Bringing Pirates to Justice: The Case for Including Piracy Within the
Jurisdictionof the InternationalCriminalCourt, 11 CH. J. INT'L L. 197, 204 (2010) ("It is the general
heinousness of piratical acts and the fact that they are directed against ships and persons of many
nationalities-disrupting international trade and commerce-that warrants universal jurisdiction.").
188. See, e.g., Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against
Cyberterrorismand Using Universal Jurisdictionas a Deterrent, 43 VAND. J. TRANSNAT'L L. 57, 116
(2010) ("The application of universal jurisdiction to cyberterrorism fits within the natural evolution of
international criminal law and is a logical and measured response to the threat to international peace and
security posed by cyberterrorism.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.390

 2018] TransnationalCyber Offenses 225

dissent. If the crimes subject to universal jurisdiction could be carefully drawn,

an international criminal tribunal empowered to hear cases against and
ultimately sentence cyber criminals anywhere in the world could prove a
powerful deterrence mechanism.

2. Complementarity

A second basis for jurisdiction over international crimes is

complementarity, upon which the ICC relies. Under the complementarity
principle, domestic courts retain priority in the exercise of jurisdiction; the ICC
may only assert jurisdiction if a domestic court has not already investigated or
prosecuted the case.189 In this way, complementarity is respectful of State
sovereignty and may make States more likely to join an agreement like the
Rome Statute because they can retain control over matters of importance to
them.
Applying the complementarity principle to the prosecution of
cybercrimes before the ICC solves some, but not all, of the problems of

LA
territorial jurisdiction. If a country proved unable, perhaps for lack of technical
capacity, or unwilling to prosecute a case domestically, the case could
IM
potentially be tried before the ICC. A time limit would have to be established
within which the State would be required to commence a prosecution, if it so
chose; if a State failed to take action during that time, a victim State could
SH

request that the Prosecutor of the ICC press charges. Thus, the availability of
an international criminal tribunal with jurisdiction to hear cases involving grave
harm to any member State would solve the problem of States being unwilling
LU

to prosecute or extradite their nationals. Complementarity may also incentivize

countries to adopt and enforce legislation criminalizing transnational cyber
offenses in order to keep cases in their own courts. At the same time,
PN

complementarity fails to address some of the problems of territorial

jurisdiction, including the risk of an Internet actor being subject to the
potentially differing laws of many different countries, without having
H

meaningfully consented to the jurisdiction of those countries.

Even if victim States wanted the ICC to exercise jurisdiction, the ICC's
jurisdiction is largely limited to ratifying States, which can refer cases to the
ICC if the alleged crime is committed by a national of, or on the territory of,
that State.1 90 Precisely what it would mean for a cybercrime to be committed on
a State's territory is not clear. Taking a very broad view of ICC jurisdiction,
according to which the physical routing of attacks would determine whether a
State party to the Rome Statute was the site of a crime,'91 both the primary
State victim and the State whose infrastructure was exploited could provide the
jurisdictional hook. Since transnational cyber offenses are often routed through

189. Rome Statute, supra note 160, pmbl. & arts. 1, 15, 17-19.
190. Id. art. 12. In addition to jurisdiction over the nationals of a State party or over crimes
committed on the territory of a State party, the ICC can also exercise jurisdiction over any individual
when the Security Council refers a case to the Prosecutor under Chapter VII of the Charter of the United
Nations. Id. art. 13(b).
191. See Ophardt, supranote 20, T 74.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.391

226 THE YALE JOURNAL OF INTERNATIONAL LAW [Vol. 43: 191

a large number of territories, 1" the jurisdictional bar could often be overcome.
But taking a narrower view of jurisdiction, crimes with a merely incidental
relationship to a country would not qualify as a crime committed on that
country's territory. Finally, even if the ICC could properly exercise jurisdiction
over a defendant who was not a national of a member State, it could face the
same extradition problems described above.
Clearly, there are significant challenges to prosecuting cyber criminals
under international criminal law.
193
However, international criminal tribunals
are a still-recent development, and a new tribunal could potentially be created
to hear cases of cyberterrorism and other serious cybercrimes that threaten
governmental institutions, cause large economic losses, or substantially
interfere with civilian Internet usage. Were such a tribunal to exist, it would
send a powerful message to the online community and could go a long way
towards ending impunity.

CONCLUSION

LA
In the absence of viable tools to hold cyber attackers responsible,
individuals, States, and businesses may be tempted to resort to retaliation and
IM
cyber-vigilantism. While scholars have long recognized the need for
accountability for cyber wrongs, there has been little agreement as to what
legal framework for accountability is most appropriate. The very fact that
SH

experts have struggled to settle on an appropriate legal framework suggests that

there is no single legal framework that can properly regulate all cyber
hostilities. In the cyber realm, we may encounter conventional crimes properly
subject to domestic criminal law as well as violations that fall under the
LU

international law of armed conflict. Critically, however, the cyber context also
gives rise to a third category of wrongs that do not fit comfortably within either
PN

domestic criminal law or the law of armed conflict: transnational cyber

offenses.
The jurisdictional rules developed for the nineteenth-century world of
H

Westphalian nation-states are in many ways at odds with the network

architecture of modern computing and the inherently cross-border character of
transnational cyber offenses. Regulation and deterrence of transnational cyber
offenses require novel legal solutions. While the elaboration and
implementation of those solutions may seem like a formidable challenge, there
is reason to be cautiously optimistic. Transnational cyber offenses, unlike many
acts that the international community has sought to condemn, harm all
countries; no country is immune from the threat of cyber hostilities. The
WannaCry ransomware attack, to give just one recent example, made clear that
even supposed cybercrime havens like Russia may find themselves victims of

192. Id. T 57.

193. See, e.g., Aviv Cohen, Cyberterrorism: Are We Legally Ready?, 9 J. INT'L Bus. & L. 1, 7,
35-37 (2010) (explaining that cyberterrorism-"the use of computer networks in order to harm human
life or to sabotage critical national infrastructure in a way that may cause harm to human life"-is not
covered by any of the four crimes over which the ICC has jurisdiction).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.392

2018] TransnationalCyber Offenses 227

transnational cyber offenses. As Internet-connected devices proliferate and the

security risks multiply, countries may face both internal and external pressures
to develop and enforce a comprehensive international accountability regime-
to form, as Barlow himself alluded to, a "Social Contract" of the digital
world. 194

LA
IM
SH
LU
PN
H

194. Barlow, supra note 1.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.393

 NOTES

CYBER CRIME 2.0: AN ARGUMENT TO

UPDATE THE UNITED STATES
CRIMINAL CODE TO REFLECT THE
CHANGING NATURE OF CYBER CRIME

LA
CHARLOTTE DECKER*
IM
I. INTRODUCTION
SH

In 1945, two engineers at the University of Pennsylvania invented the

first general-purpose electronic computing device-the Electronic
Numerical Integrator and Computer ("ENIAC").I The ENIAC was capable
LU

of 5000 simple calculations a second, yet it took up the space of an entire

room, "weighed 30 tons, and contained over 18,000 vacuum tubes, 70,000
PN

resistors, and almost 5 million hand-soldered joints."2 This machine cost

over $1 million dollars, equivalent to roughly $9 million today. 3 Over the
next thirty years integrated circuits shrunk, yielding microprocessors able
H

* Class of 2008, University of Southern California Gould School of Law; B.A. History and
Markets/Management 2005, Duke University. I am especially grateful to Brian Hoffstadt for his keen
guidance throughout the writing of this Note, and to the editors and staff of the University of Southern
California Law Review for their hard work. I also would like to thank Gabriel Morgan for fostering a
healthy sense of competition in law school and in life, and my parents and siblings for their support and
encouragement.
I. See Kevin W. Richey, The ENIAC (1997), http://ei.cs.vt.edu/-history/ENlAC.Richey.HTML
for a comprehensive account of the invention of the ENIAC.
2. Mark G. Tratos, Entertainment on the Internet: The Evolution of EntertainmentProduction,
Distribution, Ownership,and Control in the DigitalAge, 862 PLUPAT 127, 155 (2006).
3. See OFFICE OF MGMT. & BUDGET, EXEC. OFFICE OF THE PRESIDENT, BUDGET OF THE
UNITED STATES GOVERNMENT, FISCAL YEAR 2005: HISTORICAL TABLES 184-85 tbl.10.1 (2004),
available at http://www.gpoaccess.gov/usbudget/fy05/sheets/hist I0zl.xls (comparing the GDP Deflator
Index for 1945 and 2007).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.394

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

to perform millions and billions of calculations per second with new

storage media able to hold megabits and gigabits of data. As a result,
computers became smaller, more advanced, and dramatically less
expensive. Still, prior to the late-1980s, these and other computers were
"solely the tool[s] of a few highly trained technocrats." 4 In the mid-1980s,
only 8.2 percent of American households contained computers.5 American
public businesses, universities, and research organizations used only 56,000
large "general purpose" computers and 213,000 smaller "business
computers"; private businesses used another 570,000 "mini-computers"
and 2.4 million desktop computers 6; and 7the federal government employed
between 250,000 and 500,000 computers.
However, in recent years, two things have changed. First, in the early
1990s, the cost of computers began a rapid decline, reaching a point by the
mid-1990s at which the capabilities and prices of personal computers made

LA
them available to the mass market.8 According to the most recent census
data, personal computers can now be found in almost seventy million
IM
American households, or 62 percent of all American homes. 9 These home
computers are not much larger than the average sewing machine of several
SH

decades earlier, yet they are vastly more powerful and complex than
anything envisioned by the creators of the ENIAC.1 ° The average
American has come to rely upon these powerful yet relatively easy to use
LU

computers both to perform various analytical functions and to act as

repositories for information.
PN

The second major development has been the rapid evolution of

networking technologies and declining cost of connectivity, which has set
the stage for the widespread commercialization of the Internet.11 The
H

Internet, like computers, grew out of the Defense Department's advanced

research and was initially a tool of the federal government and certain

4. Dodd S. Griffith, The Computer Fraud and Abuse Act of 1986: A Measured Response to a
Growing Problem, 43 VAND. L. REV. 453,455 (1990).
5. 132 CONG. REC. H3277 (daily ed. June 3, 1986) (statement of Rep. Nelson).
6. Id.
7. See S.REP. NO. 99-432, at 2 (1986), as reprinted in 1986 U.S.C.C.A.N. 2479, 2479.
8. See Tratos, supra note 2, at 156-57.
9. See JENNIFER CHEESEMAN DAY, ALEX JANUS & JESSICA DAVIS, U.S. CENSUS BUREAU,
COMPUTER AND INTERNET USE IN THE UNITED STATES: 2003, at 2 (2005).
10. Indeed, personal computers are able to perform complicated storage, retrieval, and analytical
processes well beyond the capabilities of the technology used to plan, manage, and execute the landing
of men on the moon a bit more than two decades earlier.
11. See Tratos, supra note 2, at 157-59 (discussing the development of a new Internet
backbone).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.395

2008] 0CRACKING THE CODE

academic research institutions.1 2 With the advent of "hypertext markup

language," the lingua franca of Internet browsers and the World Wide
Web, use of the Internet spread rapidly to businesses and homes. It is
estimated that three-quarters of all Americans now have access to the
Internet and spend an average of twelve-and-a-half hours per week
online. 13
These changes in computing and networking have created an
environment in which people increasingly gather in cyberspace to interact
socially and commercially. And, like any other gathering place, such an
environment creates ample chances for the opportunist to prey upon the
unsophisticated, uninformed or naive. Corresponding to the increase of the
use of the Internet by households and businesses, the prevalence of crime in
cyberspace has rapidly increased.

LA
Initially, criminal activity in cyberspace was aimed at governments,
banks, and other organizations that were early adopters of advanced
computing and networking technologies. But now that computers are found
IM
in most homes and almost every business, experts warn there is "likely to
be a greater proliferation in the number and types of businesses that will be
SH

potential victims of cyber-crimes."' 14 The expansion in the class of targets

of computer crime is also coupled with a wholesale growth in the number
15
of people able and willing to commit cyber crimes.
LU

The costs of cyber crime cannot be ignored. Cyber crime costs the
global economy billions of dollars each year, 16 which translates into lost
PN

12. For an interesting read tracing the early prototype of the Internet to its modem incarnation,
see KATIE HAFNER & MATTHEW LYON, WHERE WIZARDS STAY UP LATE: THE ORIGINS OF THE
H

INTERNET (1998).
13. Steven Levy, No Net? We'd Rather Go Without Food, NEWSWEEK, Oct. 11,2004, at 14.
14. Debra Wong Yang & Brian M. Hoffstadt, Countering the Cyber-Crime Threat, 43 AM.
CRIM. L. REV. 201, 203 (2006).
15. Id. at 205. Growth of cyber criminals is occurring on two axes: first, the number of people
who are technologically savvy enough to commit cyber crimes is growing exponentially. Second, a
derivative market in cyber crime appears to be growing as "enablers"...-"persons who use their technical
expertise to create and then sell to others easy-to-use tools"-make it possible for nontechnologically
savvy people to engage in cyber crime. Id.
16. Eric H. Holder, Jr., Deputy Attorney Gen., Remarks at the High-tech Crime Summit (Jan. 12,
2000), available at http://www.cybercrime.gov/dag012.htm. In 2005, "computer-based crimes caused
$14.2 billion in damage to businesses around the globe according to Computer Economics, an Irvine,
California research firm." Cassell Bryan-Low, To Catch Crooks in Cyberspace, FBI Goes Global,
WALL ST. J., Nov. 21, 2006, at Al. In the United States alone, the FBI estimates that cyber crimes cost
companies and consumers $400 billion annually. Kevin Voigt, Gangs Flooding the Web for Prey,
Analysts Say, CNN.cOM, Dec. 20. 2006, http://www.cnn.com/2006fTECH/intemet/
12/20/cybercrime/index.html.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.396

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

jobs, lost taxes, lost innovation, higher costs for consumers,' 7 lost
8
confidence in Internet commerce,1 and stunted global trade. 19
Perhaps the highest and most dangerous cost of cyber crime is the
increased threat to national security. Much of our modem critical
infrastructure is wholly dependant on networked computing-for example
the air traffic control system, the power grid, the water supply systems,
telecommunications networks, the financial sector, and critical government
services such as emergency and national defense services-making it
extraordinarily vulnerable to cybercrime. 20 Indeed, "the prospect of
'information warfare' by foreign militaries against our critical
infrastructure is perhaps the greatest potential cyber threat to our national
security." 2 1 As computer use continues to grow, "cyber attacks on critical
infrastructure or military operations [are] a way to hit what [is perceived]
as America's Achilles heel--our growing dependence on information

LA
22
technology in government and commercial operations."
Still, experts warn the worst is yet to be seen; projections indicate "the
IM
number of Internet-enabled crimes will increase radically over the next few
SH

17. See Holder, supra note 16.

18. The 2000 attacks on well-known Internet sites (eBay, Yahoo, and CNN among others)
contributed to a 258-point drop on the Dow Jones Industrial Average and halted a three-day string of
record-high closings on the NASDAQ composite index. Cyber Attack: Roadblocks to Investigation and
LU

Information Sharing: Hearing Before the S. JudiciarySubcomm. on Tech., Terrorism, and Gov't Info.,
106th Cong. (2000) (statement of Sen. Kyl) [hereinafter Kyl Statement]. See Yang & Hoffstadt, supra
note 14.
PN

19. The weak enforcement mechanisms for protecting globally networked information create "an
inhospitable environment in which to conduct e-business within a country and across national
boundaries.... [which] can create barriers to [digital information] exchange and stunt the growth of
H

[international] e-commerce." MCCONNELL INT'L, CYBER CRIME... AND PUNISHMENT?: ARCHAIC

LAWS THREATEN GLOBAL INFORMATION 3 (2000) [hereinafter MCCONNELL, CYBER CRIME]. Several
reports by McConnell International measured various countries' legislation in their readiness to address
cyber crime in four categories: data-related crimes, network-related crime, crimes of access, and
associated computer-related crimes. Id. According to these reports, thirty-three of the fifty-two
countries surveyed have yet to update their laws to address any type of cyber crime; nine have enacted
legislation to address five or fewer types of cyber crime; and ten countries have updated their laws to
prosecute six to ten types of cyber crime. Id. These findings suggest that few countries are able to
"demonstrate that adequate legal measures had been taken to ensure that that perpetrators of cyber
crime would be held accountable for their actions." Id. at 2. Over half the countries in the McConnell
reports were rated as needing "substantial improvement" to their information security. Id. at 3. See also
MCCONNELL INT'L, RISK E-BUSINESS: SEIZING THE OPPORTUNITY OF GLOBAL E-READINESS (2000).
20. See Fighting Cyber Crime: Efforts by Fed. Law Enforcement: Hearing Before the H. Comm.
on the Judiciary, 107th Cong. (2001) (statement of Michael Chertoff, Assistant Att'y Gen.); Holder,
supranote 16.
21. On Cybercrime: Hearing Before the Subcomm. for the Tech., Terrorism, and Gov 't Info. of
the Sen. Comm. on the Judiciary, 106th Cong. (2000) (statement of Louis J. Freeh, Director, FBI)
[hereinafter Freeh].
22. Id.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.397

2008] CRACKING THE CODE

years." 23 The future of cyber crime presents lower consumer confidence in

Internet security, stunted growth26of e-commerce, 24 stifled trade,25 and the
serious threat of cyber terrorism.
Cyber crime can be divided into two basic types: first, destructive or
intrusive activity aimed at computers (or networks of computers) and the
information contained on them, and second, crimes where computers are
used as a tool for committing other, more traditional, illicit activities
against persons or property. 27 Customarily, cyber crime, like other areas of
criminal law, had been left to the states to regulate as an exercise of their
police power. Expansion of federal criminal jurisdiction is a recent
phenomenon, and largely a product of broad legislative and judicial
interpretation of the Commerce Clause. However, the advent of attacks
against the networks themselves and attempts to steal or destroy the
information on these networks has led to increasing efforts by the federal

LA
government to intervene. By relying upon the Commerce Clause for
authority, Congress has acknowledged the stateless, and indeed global,
IM
nature of the Internet by writing specialized criminal code sections.
As the nature and scale of the risk continue to evolve and grow, the
SH

question of the scope and capabilities of existing criminal law to address

cyber crime becomes more acute. Part II of this Note provides a
background of the evolution of cyber crime and discusses various examples
LU

of criminal activity in cyber space. Part III surveys current criminal law
used to prosecute cyber crime. Part IV examines whether the current
statutory framework for prosecuting cyber crime contains gaps in either its
PN

scope or breadth. Part V addresses how, if at all, these gaps should be

filled.
H

This Note concludes that there are three areas not adequately covered
by current federal criminal law: (1) the $5000 minimum loss threshold of

23. Steven M. Martinez, Acting Assistant Dir., Cyber Div., Remarks at Third Annual Cyber
Security Summit 2005 (Feb. 9, 2005), available at http://www.fbi.gov/pressrel/speeches/
martinez020905.htm.
24. Robert S. Mueller 111,Dir., FBI, Speech before the Info. Tech. Assoc. of Am. Conference on
Combating E-crime (Oct. 31, 2002), available at http://www.fbi.gov/pressrel/ speeches/itaa.htm.
25. See MCCONNELL, CYBER CRIME, supra note 19.
26. See Holder, supra note 16; Mueller, supra note 24.
27. The breakdown of computer crimes into three categories is borrowed from the Legislative
Analysis of the Computer Fraud and Abuse Act of 1996. See Computer Crime and Intellectual Prop.
Section, U.S. Dep't of Justice, Legislative Analysis of the National Information Infrastructure
Protection Act, 2 ELECTRONIC INFO. POL'Y & L. REP. 240 (1997) [hereinafter Legislative Analysis]. A
third category of computer crimes, where the computer is incidental to the crime, will not be discussed,
as it is outside the scope of this Note. These crimes are prosecuted under traditional criminal code
sections (that is, drug trafficking statutes, RICO, etc.).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.398

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

the Computer Fraud and Abuse Act ("CFAA");2 8 (2) exclusions in the
definition of the Controlling the Assault of Non-Solicited Pornography and
Marketing Act of 2003 ("CAN-SPAM Act") for spIM; 29 and (3) the lack of
specialized provisions for preventing or punishing phishing crimes. This
Note concludes with specific recommendations for legislation to close
those gaps.

II.CYBER CRIMES

The term "cyber crime," broadly defined as crimes "perpetrated over

the Internet, typically having to do with online fraud, '30 is generally
thought to describe two main types of Internet-based behaviors: criminal
activity targeting computers and the information stored on computers, and
activities in which a computer is used to facilitate another, more traditional
31
crime.

LA
A. CRIMES AIMED AT THE COMPUTER OR INFORMATION ON THE
IM
COMPUTER

The prevalence of crime in which the computer is the target is in some

SH

ways unremarkable; new technologies often spawn new crimes. In the same
way that the introduction of the automobile in the nineteenth century
created opportunities for criminal mischief targeting the car itself, perhaps
LU

cyber crime is the "natural result" of the introduction of computers into

American society.32 However, unlike the automobile, the cyber
PN

environment provides endless opportunities for criminal mischief, the

boundaries of which extend far beyond the physical scope of a computer
itself. Examples of crimes aimed at computers are: hacking, distributed
H

denial-of-service attacks, extortionate hacking, theft of trade secrets, access

device theft, and wiretap violations. Each of these crimes will be examined
in some detail.

28. 18 U.S.C. § 1030(a)(5) (2000).

29. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) of
2003, 15 U.S.C. §§ 7701-13 (Supp. IV 2004).
30. PCMAG.CoM ENCYCLOPEDIA, http://www.pcmag.com/encyclopediaterm/0%2C2542%2Ct
%3 Dcybercrime&i%3D40628%2C00.asp (last visited July 31, 2008).
31. See Legislative Analysis, supra note 27.
32. Id. See Press Release, FBI (Nov. 20, 2003), available at www.fbi.gov/pressrel/pressrel03/
sweepi 12003.htm (stating that as the computer's role in society continues to grow, criminal
exploitation of the vulnerabilities of computers and information technology for illegal purposes is
expected).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.399

20081 CRACKING THE CODE

1. Hacking
A "hacker" is "[a] computer enthusiast who enjoys learning
everything about a computer system or network and pushing the system to
' 33
its highest possible level of performance through clever programming."
Absent some nefarious intent or use, hacking is not illegal under federal
law. 34 However, hacking can easily migrate from a benign hobby to a
criminal enterprise. In this sense, hacking is defined as the surreptitious
breaking "into the computer, network, servers, or database of another
person or organization."35 When hackers mix with "fraudsters" and
organized crime rings, the tools and effects of hacking can be, and are, used
illegally for financial gain. 3637In this way, hacking has "becom[e] part of the
modern criminal's toolbox."
Until recently, hackers tended to target online information brokers and

LA
manufacturers and distributors of digital media; 38 however, the growth of
the Internet has opened new avenues for hackers, and now any business
IM
that relies on computers and the Internet to conduct its daily affairs is
vulnerable to cyber crime.39 In the past year, between 25 and 50 percent of
American businesses have found some sort of security breach in their
SH

40
computer networks.
Attack tools have become more sophisticated in recent years as they
LU

33. BRYAN PFAFFENBERGER, WEBSTER'S NEW WORD: DICTIONARY OF COMPUTER TERMS 247
(8th ed. 2000). See also Eric J. Sinrod & William P. Reilly, Cyber-Crimes:A PracticalApproach to the
PN

Application of FederalComputer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH TECH. L. J. 177,
181 (2000); Victor Sabadash, What Is Hacking, COMPUTER CRIME RESEARCH CENTER, May 5, 2004,
http://www.crime-research.org/news/05.05.2004/241. Apparently the "Hacker's credo" is:
1. Access to all computers should be unlimited and total.
H

2. All information should be free.

3. Mistrust authority-promote decentralization.
4. Hackers should be judged by their hacking, not bogus criteria such as degrees, age,
race, or position.
5. You can create art and beauty on a computer.
6. Computers can change your life for the better.
Id. (quoting Deb Price & Steve Schmadeke, Hackers Expose Web Weakness: There's No Defense
Against Internet Assaults, Experts Confess, and Attackers Are Elusive, DET. NEWS, Feb. 14, 2000,
at Al).
34' See 18 U.S.C. § 1030 (2000 & Supp. IV 2004).
35. BLACK'S LAW DICTIONARY 730 (8th ed. 2004).
36. Cassell Bryan-Low, Growing Number of Hackers Attack Web Sites for Cash, WALL ST. J.,
Nov. 30, 2004, at Al.
37. Id.
38. Yang & Hoffstadt, supra note 14, at 203-04.
39. Id. at 204-05 (citing Robert Steinberg, Advising Clients About Hacker Insurance, L.A.
LAWYER, Feb. 2003, at 60, for the proposition that most American businesses rely on the Internet and
computers to run their affairs).
40. Id. at 201.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.400

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

have also become easier to use. 4 1 The variety of "do-it-yourself' guides to

hacking on the World Wide Web has made hacking more accessible than
ever for the novice enthusiast.42
The result of hacking-disruption of networks and theft or destruction
of data-presents a profound problem. The effects of such attacks include
the inability of the attacked organization to conduct business, loss of
consumer records, inability to produce products, negative media attention,
forwarding or exposure of private information, 43 embarrassing Web site
defacement, publication of confidential information, as well as harm to
44
individuals at the hacked organization and in the general public.

2. DDoS Attacks
A denial-of-service attack ("DoS") is a relatively primitive technique

LA
that overwhelms the resources of a computer or server and results in the
denial of server access to other legitimate users of the service.4 5 The
attacker denies service by sending a stream of packets to a victim that
IM
either consumes some key resource, thus rendering it unavailable to
legitimate clients, or provides the attacker with unlimited access to the
SH

46
victim machine in order to inflict damage.
A distributed denial-of-service ("DDoS") attack is the natural cyber
progression "in the search for more effective and debilitating denial of
LU

service attacks. 4 7 Instead of using just one computer, in a DDoS attack, a

hacker places a daemon, or small computer program, on a third-party
PN

computer, which then deploys multiple "daemonized" computers of

41. Freeh, supra note 21.

H

42. See, e.g., Charlie Demejian, How to Hack Biometrics, INQUIRER, July 30, 2005,
http://www.theinquirer.netl/en/inquirer/news/2005/07/30/how-to-hack-biometrics; Eric S. Raymond,
How to Become a Hacker (2001), http://www.catb.org/-esr/faqs/hacker-howto.html (last visited July
31, 2008); Hack a Day, http://www.hackaday.com/ (last visited July 31, 2008); HackThisSite.Org,
http://www.hackthissite.org/ (last visited July 31, 2008).
43. The personal details of more than 100 million people have been exposed as a result of
accidents and hacker attacks. See Voigt, supranote 16.
44. DAWN CAPPELLI ET AL., CARNEGIE MELLON UNIV., COMMON SENSE GUIDE TO PREVENTION
AND DETECTION OF INSIDER THREATS 8 (2d ed. 2006), available at http://www.cert.org/archive/pdf/
CommonSenselnsiderThreatsV2.l-l-070118.pdf.
45. An attacker may be able to prevent access to e-mail, web sites, online accounts (banking,
etc.), or other services that rely on an affected computer. CERT Coordination Center, Denial of Service
Attacks, http://www.cert.org/tech-tips/denial-of service.html (last visited July 31, 2008).
46. Three main network exploits are used to overwhelm a system's server, each of which
exploits a weakness in the way computers communicate with one another over the Intemet: SYN Flood
Attacks, UDP Flood Attacks, and ICMP Flood Attacks. For a comprehensive description of each type
of attack, see Sinrod & Reilly, supra note 33, at 190-93.
47. Id. at 194.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.401

2008] CRACKING THE CODE

unsuspecting users (referred to as "zombies") to cause a denial of service to

legitimate users for some time.4 8 A DDoS attack inflicts damage from a
wider base of servers, making it more difficult for the target to block the
attack.49 Unlike hacks, which include a broad universe of attacks against a
single computer, DDoS attacks are generally aimed at Internet Web sites
and designed to overwhelm the pipeline to the Internet. Recent attacks have
been launched for financial gain,50 for political purposes, 5' and as
technological warfare. 52 DoS and DDoS attacks cost American businesses
53
$2.9 billion in the past year.

3. Extortionate Hacking
Black's Law Dictionary defines extortion as "the act or practice of
obtaining something or compelling some action by illegal means, as by
force or coercion." 54 Combined with hacking, computers present a new

LA
55
twist on traditional extortion. IM
48. See Jacqueline Lipton, Mixed Metaphors in Cyberspace: Property in Information and
Information Systems, 35 LOY. U. CHI. L.J. 235, 245 n.41 (2003).
SH

49. Sinrod & Reilly, supra note 33, at 194.

50. See Joris Evers, Hacking for Dollars, CNET NEWS, July 6, 2005, http://news.cnet.com/
Hacking-for-dollars/2100-7349_3-5772238.html.
51. "Hacktivism," hacker (political) activism, has become a popular outlet for political dissent.
LU

Hacktivists launch politically motivated attacks by overloading e-mail or Internet servers with
politically charged messages or crash servers to prove a political point. See Freeh, supra note 21; Sinrod
& Reilly, supra note 33, at 183. An example of hacktivism was an attack in February 2000, when the
now-infamous hacker known as "Mafiaboy" used commonly known techniques to completely disrupt
PN

network operations at eBay, Amazon.com, and CNN.com, as well as five other major commercial
networks to protest the commercialization of the Internet. See Alexander Urbelis, Toward a More
Equitable Prosecution of Cybercrime: Concerning Hackers, Criminals, and the National Security, 29
H

VT. L. REV. 975, 993 (2005). Another example is the U.K.-based Electrohippie Collective who used
DDoS attacks as part of a "sit-in" to protest the World Trade Organization at their summit in Seattle.
See Jelena Mirkovic & Peter Reiher, A Taxonomy of DDoSAttacks and DDoS Defense Mechanisms, 34
COMPUTER COMM. REV. 39 (2004); Dorothy Denning, Cyberwarriors:Activists and Terrorists Turn to
Cyberspace, HARV. INT. REV., Sept. 2001, at 70.
52. See Mudawi Mukhtar Elmusharaf, Cyber Terorism: The New Kind of Terrorism,COMPUTER
CRIME RES. CENTER, Apr. 8, 2004, http://www.crime-research.org/articles/CyberTerrorism
new kindTerrorism.
53. LAWRENCE A. GORDON ET AL., COMPUTER SECURITY INST., CSI/FBI COMPUTER CRIME AND
SECURITY SURVEY 2006, at 15.
54. BLACK'S LAW DICTIONARY 623 (8th ed. 2004).
55. A self proclaimed manifesto of hackers is the following:
Our mission is to help companies to protect their customers' data. There are many skilled
hackers in our team. We can break almost any modem computer system, including online
banks and big online shops. When we get access to such systems we notify their owners about
it. Some companies are ready to cooperate and they get our help. We send them instructions
about how to improve their systems and later we track the process of this improvement. These
companieg care about their customers.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.402

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

Extortionist hackers infiltrate computer systems, and then demand a

ransom by threatening further destruction or damage. Extortionate hacking
can take the form of a hack, as against one computer, or a DDoS attack,
where a user threatens to overwhelm a server unless a high ransom is
paid.56 The targets of such attacks are diverse.57 Extortionists have levied
threats against Michael Bloomberg, the founder of Bloomberg Financial
L.P.; 5 8 business-to-business site Creditcards.com; 59 gambling Web sites
61
prior to Super Bowl weekend; 60 and European financial sites.
Extortionate hacking attacks have forced targeted Web sites offline (and
out of business) for weeks. 62 The security breaches have caused damaging
63
losses of credibility as well as high costs of repair for online businesses.
Additional consequences of extortionate hacking include concerns for
national security. Experts assert that there is little doubt that international

LA
organized crime is involved in extortionate hacking, which has the potential
64
to pose real and serious threats to national information security.
IM
But some Internet sites don't want to cooperate. In this case we notify all their customers
about existing security loopholes. We do it to protect people against further loss of personal
SH

information. This is our mission.

Bob Sullivan, Inside a Net Extortion Ring, MSNBC, June 20, 2006, http://www.msnbc.msn.com/
id/3078571 (quoting no longer existing Web site supporting net-extortion ring).
56. See, e.g., Steven J. Vaughan-Nichols, SCO's MyDoom DDoS Hammering Begins, EWEEK,
Feb. 1, 2004, http://www.eweek.com/c/a/Linux-and-Open-Source/SCOs-MyDoom-DDoS-Hammering-
LU

Begins. The MyDoom virus was estimated to have infected hundreds of thousands of computers
worldwide; the attack on SCO Group was the first large-scale attack that employed the zombie
computers infected with MyDoom to overwhelm the company's webpage. Id.
PN

57. One particularly successful extortionist-hacker, known as "Mr. Zilterio," has, by his own
account, hacked into online companies and financial institutions, stolen data, and demanded extortion
payments from over fifteen companies in the United States and Europe, nine of which he claims have
H

paid him in excess of $150,000. Sullivan, supra note 55.

58. Oleg Zezov was arrested by the FBI for hacking into Bloomberg's computer system, then
threatening that "the financial news service's reputation would be put at risk if he was not paid
$200,000." John Leyden, Bloomberg Extortion, Hacking Case Opens in New York, REGISTER, Feb. 6,
2003, available at http://www.theregister.co.uk/2003/02/06/bloomberg-extortion-hacking__
case- opens. See also Press Release, U.S. Attorney for the S. Dist. of N.Y., Three Kazak Men Arrested
in London for Hacking into Bloomberg L.P.'s Computer System (Aug. 14, 2000), available at
http://www.cybercrime.gov/bloomberg.htm.
59. See Steven Shankland, Company Says Extortion Try Exposes Thousands of Card Numbers,
CNET NEWS, Jan. 2, 2002, http://www.news.com/2102-1017_3-249772.html.
60. Online gaming sites began receiving threats in October 2003 containing demands for money
to prevent DDoS attacks that would shut down their Web site at key times, such as during the Super
Bowl. Jack M. Germain, Global Extortion: Online Gambling and Organized Hacking,
TECHNEWSWORLD, Mar. 23, 2004, http://www.technewsworld.com/story/33171.html.
61. Id.
62. See id.
63. See Shankland, supra note 59 (explaining that the breach of the Creditcards.com system
threatened to expose fifty-five thousand credit card numbers).
64. Id.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.403

2008] CRACKING THE CODE

4. Trade Secret Theft

"Trade secrets" are:
all forms and types of financial, business, scientific, technical, economic,
or engineering information... [that] the owner thereof has taken
reasonable measures to keep ... secret; and the information derives
independent economic value, actual or potential, from not being
generally known to, and65
not being readily ascertainable through proper
means by[] the public.
Theft of a trade secret becomes a cyber crime when the secret is
stolen, appropriated, taken, or carried away by use of computer or the
Internet.6 6 As the power of computer technology has grown in the past two
decades, it has resulted in "increasingly more powerful means for theft and
transfer of trade secret information." 67 For example, "an item of trade

LA
secret information (such as computer source code, a biochemical formula,
or technical schematics) can be as valuable to a company as an entire
IM
factory was even several years ago. Computers now make it extremely easy
to surreptitiously copy and transfer this valuable trade secret
68
SH

information."

5. Access Device Fraud

LU

Access device fraud is the theft of access devices, which generally are
any
card, plate, code, account number, electronic serial number, mobile
PN

identification number, personal identification number, or other

telecommunications service, equipment, or instrument identifier, or other
means of account access that can be used, alone or in conjunction with
H

another access device, to obtain money, goods, services, or 69 any other

thing of value, or that can be used to initiate a transfer of funds.
Access device fraud commonly refers to credit card theft or
"skimming"; however, it also applies to theft of other access devices
including computer passwords, personal identification numbers-or PINs,
used to activate ATMs-long-distance access codes, and the computer

65. 18 U.S.C. § 1839(3) (2000).

66. 18 U.S.C. § 1832(a)(I)-(3) (2000).
67. R. Mark Halligan, The Economic Espionage Act of 1996: The Theft of Trade Secrets Is Now
a Federal Crime, http://my.execpc.com/-mhallign/crime.html (last visited July 31, 2008). See National
Cybercrime Conference: Bio: R. Mark Halligan, http://www.cybercrimeconference.org/bios/
Halligan.html (last visited July 31, 2008) (providing credentials).
68. Halligan, supra note 67.
69. 18 U.S.C. § 1029(e)(1) (2000).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.404

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81i:959

chips in cellular phones that track billing71data. 70 Increasingly, theft of these

devices is being treated as a cyber crime.

6. Wiretap Violations
Federal law criminalizes the manufacture, possession, assembly, or
sale of any device designed "for the purpose of the surreptitious
interception of wire, oral, or electronic communications." 72 As provided by
statute, "electronic communication" means any transfer of "signs, signals,
writing, images, sounds, data, or intelligence of any nature transmitted in
whole or in part by a wire, radio, electromagnetic, photoelectronic, or
photooptical system that affects interstate or foreign commerce." 73 The
growing use of computers has added new dimensions to wiretapping
crimes. Courts have interpreted an74 interception of any electronic
communication to amount to a wiretap.

B. COMPUTER AS THE TOOL

LA
IM
New computer technology can be "used by some of the worst
SH

elements of our society: small-time criminals who can take on a whole new
persona on the Internet; malcontents who can find like-minded hate groups;
and scam artists who think they can escape detection in the anonymity of
the Web. ' 7 5 Such criminals have been able to use computers as instruments
LU

to commit other crimes. Internet fraud is the most prevalent, and the most
costly, of these crimes. 76 Internet fraud refers generally to any type of fraud
PN

scheme that uses components of the Internet-for example, chat rooms, e-

mail, message boards, or Web sites-to "present fraudulent solicitations to
H

70. U.S. Secret Service: Financial Crimes Division, http://www.secretservice.gov/

financial-crimes.shtml (last visited June 23, 2008).
71. See Press Release, U.S. Secret Service, Additional Indictments Announced in Ongoing
Secret Service Network Intrusion Investigation (Aug. 5, 2008), available at
http://www.ustreas.gov/usss/press/GPAI 5-08_Cyberlndictments.Final.pdf.
72. 18 U.SC. § 2512(1)(b) (2000).
73. 18 U.S.C. § 2510(12) (Supp. IV 2002). See United States. v. Herring, 993 F.2d 784, 787-88
(I Ith Cir. 1993).
74. See United States v. Councilman, 418 F.3d 67, 79 (1st Cir. 2005).
75. Mueller, supra note 24.
76. Internet fraud has accounted for between $183.12 million and $2.6 billion in losses annually.
INTERNET CRIME COMPLAINT CTR., IC3 2005 INTERNET CRIME REPORT 8, available at
http://www.ic3.gov/media/annualreport/2005-IC3Report.pdf [hereinafter IC3 REPORT]. See Bob
Sullivan, Online Fraud Costs $2.6 Billion This Year, MSNBC, Nov. 11, 2004,
http://www.msnbc.msn.com/id/6463545; Press Release, Computer Security Institute, Financial Losses
Due to Internet Intrusions, Trade Secret Theft, and Other Cyber Crimes Soar (Mar. 12, 2001), available
at http://www.cryptic.co.uk/PressDocuments/PressArticles/2001-03-12-CSI.pdf (noting an
approximately 40 percent increase from the amount of loss in 2000).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.405

2008] CRA CKING THE CODE

prospective victims, to conduct fraudulent transactions, or to transmit the

proceeds of fraud to financial institutions or to other [sic] connected with
the scheme." 77 Internet fraud takes various forms.

1. Auction Fraud

Internet auction sites present an easy source of possible Internet fraud

victims. 78 Online auction sites are immensely popular, and their popularity
is only growing. 79 The largest, eBay, reported third quarter revenues of
$1.449 billion in 2006, up 31 percent from 2005, and had 212 million
registered users, up 26 percent. 80 However, the popularity of online auction
sites also makes them a target for cyber criminals. Indeed, online auctions
provide an ideal environment for Internet fraud due to the completely
81
anonymous and virtual nature of the transaction.

LA
Types of Internet auction fraud include "fraud due to the
misrepresentation of a product advertised for sale through an Internet
IM
auction site, the non-delivery of an item purchased through an Internet
auction site or a non-payment for goods purchased through an Internet
auction."8 2 Cases of auction fraud often involve the use of a legitimate
SH

online auction site or retail site that purports to offer a high-value item or
items, that, when purchased, either do not exist or are of substantially less
value than advertised (that is, they are counterfeit or altered goods).83
LU

77. Internet Fraud, U.S. Dep't of Justice, http://www.usdoj.gov/criminaVfraud/intemet/ (last

PN

visited July 31, 2008).

78. Fed. Trade Comm'n, Internet Auctions: A Guide for Buyers and Sellers,
http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec07.pdf (last visited July 31, 2008).
79. The total value of e-commerce transactions around the world reached around $3.8 trillion in
H

2003, and was projected to reach over $9 trillion in 2005, and around 18 percent of total global sales in
2006. Mohamed S. Wahab, E-Commerce and Internet Auction Fraud: The E-Bay Community Model,
COMPUTER CRIME RES. CENTER, Apr. 29, 2004, http://www.crime-research.org/articles/Wahab I.
80. Online Auction Fraud: Data Mining Software Fingers Both Perpetrators and Accomplices,
ScL DAILY, Dec. 5, 2006, http://www.sciencedaily.com/releases/2006/12/061205143326.htm.
81. See Alex Tsow, Phishing with Consumer Electronics: Malicious Home Routers 5-6 (May,
22, 2006), http://www.cs.indiana.edu/-atsow/papers/MTWO6-final.pdf.
82. Royal Can. Mounted Police, Online Auction Fraud, http://www.rcmp-
grc.gc.ca/scams/onlinefraude.htm (last visited July 31, 2008).
83. Internet Fraud, supra note 77. An example of a victim of such a crime is "Mark," who was
the highest bidder on eBay for a Toshiba Protrg6 2000 laptop computer. On August 10, 2002, Mark
sent a cashiers check for approximately $1500 to the online seller; by September 1, Mark still had not
seen the computer. See Ina Steiner, eBay Auction Fraud Spawns Vigilantism Trend, AUCTIONBYTES,
Oct. 12, 2002, http://www.auctionbytes.com/cab/abn/y02/mlO/il2/sOl. Other Internet auction crimes
defraud legitimate users by exploiting illegal strategies to mark up prices; "shill bidding," where
fraudulent sellers or their partners, known as "shills," bid on sellers' items to drive up the price, and
"bid shielding," when fraudulent buyers submit very high bids to discourage other bidders from
competing for the same item, then retract their bids so that coconspirators can purchase the item at a

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.406

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

Internet auction fraud accounted for almost two-thirds of the 97,000

complaints referred to law enforcement agencies in 2005 by the Federal
Internet Crime Complaint Center, and auction fraud accounts for the largest
percentage of Internet fraud (62.7 percent). 84 The total dollar loss for
Internet fraud was $183 million in 2005, up from $68 million in 2004.85

2. Spain
"Spam" is unsolicited bulk electronic mail, usually of a commercial
nature.86 While unsolicited and unwelcome letters clog up many e-mail
inboxes, an unwanted e-mail is not necessarily spam. Spam refers to
unsolicited, inappropriate, or irrelevant messages sent through e-mail
systems, often on a mass scale and with a commercial purpose-such as to
attract Internet users to Web sites offering pornography, "get rich quick"

LA
schemes, or fraudulent medical products. 87 Under the technical definition,
an unsolicited bulk e-mail is spam if: "(1) the recipient's personal identity
and context are irrelevant because the message is equally applicable to
IM
many other potential recipients; [and] (2) the recipient has not verifiably
granted deliberate, explicit, and still-revocable permission for it to be
SH

lower price, are prevalent problems on Internet auction sites. See Susan Kuchinskas, EBay Charged
with Shilling, INTERNETNEWS, Feb. 23, 2005, http://www.intemetnews.com/ec-news/article.php/
LU

3485301; Joseph Pelliciotti, Online Auctions Fertile Groundfor Fraud,TIME (Munster, Ill.), May 26,
2003, available at http://www.crime-research.org/news/2003/05/Mess2602.html. Other auction fraud
crimes aim to draw the user off the legitimate site onto an unsecured site, the end goal of which is to
PN

trick consumers into sending money without delivering the item. See Jodie Kirshner, Bitten Bidders,
U.S. NEWS & WORLD REP., June, 8, 2003, at 56. By going off-site, buyers lose any protections the
original site may provide, such as insurance, feedback forms, or guarantees. See, e.g., eBay Privacy
Policy, http://pages.ebay.com/help/policies/privacy-policy.html (last visited Aug. 13, 2008). Examples
H

of this type of crime are "bid siphoning," where bidders are lured off legitimate auction sites by offers
of the "same" item at a lower price, and "second chance offers," where con artists offer losing bidders
of a closed auction a second chance to purchase the item that they lost in the auction. See Pelliciotti,
supra note 83.
84. IC3 REPORT, supra note 76, at 3. See JONATHAN RUSCH, U.S. DEP'T OF JUSTICE, THE RISING
TIDE OF INTERNET FRAUD (2001), available at http://www.cybercrime.gov/usamay2001-l.htm.
85. Press Release, FBI, FBI Intemet Crime Complaint Center Releases Stats (Apr. 6, 2006),
availableat http://www.fbi.gov/pressrel/pressre06/intemetcrimereport.htm.
86. BLACK'S LAW DICTIONARY 1430 (8th ed. 2004). The prevailing theory for the etymology of
the word "spam" refers to a classic skit by Monty Python's Flying Circus. In the skit, a couple in a
restaurant tries in vain to order something that does not contain Spam (the canned meat). As the
waitress lists endless dishes, all of them containing increasing amounts of Spam, a group of Vikings in
the comer begin to sing, "(s]pam span spam spam..." until all useful information is drowned out. H.
Kent Craig, The True Story of How Internet "Spam" Got Its Name,
http://hkentcraig.com/HowlntemetSpamGotltsName.html#pythonskit (last visited July 31, 2008).
87. See Lily Zhang, The CAN-SPAM Act: An Insufficient Response to the Growing Spam
Problem, 20 BERKELEY TECH. L.J. 301, 308 (2005).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.407

2008] CRACKING THE CODE

sent." 88 Spam is widely condemned in the Internet community.89

Approximately 140 million Americans regularly use e-mail.90 Spam
accounts for half of all U.S. e-mail traffic, making it not only "a hair-
pulling annoyance but also an increasing drain on corporate budgets and
possibly a threat to the continued usefulness of the most successful tool of
the computer age." 91 According to Ferris Research, a San Francisco-based
consulting group, the cost of spam to U.S. organizations is at least $17
billion per year.9 2 The annoyance cost of spam to individuals is
incalculable as e-mail users are forced to spend precious time sorting
93
through a sea of junk to find the few legitimate messages.
While the deluge of spam continues, it is perhaps being outpaced by
"spIM. ''94 SpIM refers to the sending of unsolicited commercial messages
through instant messaging programs. 95 In most respects spIM is similar to

LA
spam, and entails similar costs and dangers. Like spam, spIM utilizes the
attention grabbing nature of online messaging systems to entice users to fall
for fraudulent schemes.9 6 However, unlike spam, splMmers can use the
IM
commercial messages to embed malicious code that exploits vulnerabilities
SH

88. The Spamhaus Project, The Definition of Spam, http://www.spamhaus.org/definition.html

(last visited July 31, 2008).
89. The overwhelming presence of unwanted and often offensive e-mail "greatly interferes with
LU

the user's ability to sort out which e-mail messages are 'legitimate' and desired." Jay M. Zitter,
Annotation, Validity Construction, and Application of Federal and State Statutes Regulating
UnsolicitedE-mail or "Spam,'" 10 A.L.R. 6th 1, 1 (2006).
PN

90. See CAN-SPAM ACT OF 2003, S. REP. NO. 108-102, at 2 (2003), as reprinted in 2004
U.S.C.C.A.N. 2348, 2349.
91. Roughly 40 percent of all e-mail was spain in 2003. Jonathan Krim, Spain 's Cost to Business
Escalates, WASH. POST, Mar. 13, 2003, at Al.
H

92. DAVID FERRIS, RICHI JENNINGS & CHRIS WILLIAMS, FERRIS RES., THE GLOBAL ECONOMIC
IMPACT OF SPAM, 2005, at 6 (David Ferris ed., 2005). According to the Ferris Research study, the
annual global cost of spam was $50 billion in 2005, $17 billion of which is attributable to the United
States. Id. The loss is spread between lost productivity, the costs of replacement of powerful servers
and increased bandwidth which companies are forced to buy, the lost time diverted for implementation,
and the cost of providing help-desk support to annoyed users. Id. Spam has become so prevalent that
Inteinet company Commtouch's research lab has created a spam cost calculator including inserts for
number of employees, average annual salary, average daily e-mail per recipient, and average percentage
of spai per e-mail recipient. See Commtouch, Spam Cost Calculator,
http://www.commtouch.com/site/ResearchLab/Calculator.asp (last visited July 31, 2008).
93. Zitter, supra note 89, at 10.
94. See Celeste Biever, Spain Being Rapidly Outpaced by 'Spim,' NEW SCIENTIST, Mar. 26,
2004, http://space.newscientist.com/article/dn4822; Anita Hamilton, You've Got Spim!, TIME, Jan. 25,
2004, http://www.time.com/time/magazine/article/0,9171,582320,00.html.
95. See Eric Zorn, R U Ready for a Plague of Instant Messages?, CHI. TRIB., Aug. 5, 1999, at
NI.
96. Messaging Spam Heads for Your PC (BBC Radio Five Live broadcast Aug. 23, 2004),
available at http://news.bbc.co.uk/2/hi/technology/3581148.stm [hereinafter Radio Broadcast].

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.408

 SOUTHERN CALIFORNIA LAW RE VIEW [Vol. 81:959

in the messaging program or to employ the computer as a "zombie" to

launch malicious attacks on other computers. 97 SpIM presents particularly
invidious pitfalls to the unsuspecting user, as messages "from friends" can
contain links to annoying and 98harmful schemes and even "away messages"
can contain virus-ridden code.
SpIM is growing at an alarming rate. The number of spIM messages
has reached the billions, and is projected to grow at a rate three times that
of spam. 99 According to a survey by the Pew Internet & American Life
Project, one in every two instant-messaging users in the United States has
received some kind of spIM.100 Experts warn that due to the "immediacy of
instant messaging and its growing popularity with businesses and home
users," spIM will likely be the next area of development for those looking
to corrupt the security of the cyber environment.10'

LA
3. Phishing IM
The U.S. Department of Justice defines phishing as the "creation and
use of e-mails and Web sites-designed to look like e-mails and Web sites
of well-known legitimate businesses, financial institutions, and government
SH

agencies-in order to deceive Internet users into disclosing their bank and
financial account information or other personal data such as usernames or
passwords."' 0' A phishing crime often begins with a "spoofed" e-mail-that
LU

appears to be from a trusted source. The e-mail can contain a link taking
the user to a webpage that is visually identical to a trusted source
PN

webpage; 10 3 there "phishers" entice users to enter their passwords, credit

card, or other private information into the false web page, after which
H

97. Biever, supra note 94. If a user activates the code in the instant message, the spimmer can
employ the unsuspecting user's buddy list to send messages to all of their contacts; this impersonation
ability makes spIM particularly dangerous. See Radio Broadcast,supra note 96.
98. See AOL Instant Messenger Online Safety/Security FAQ, http://www.aim.com/help-
faq/security/faq.adp#share (last visited July 31, 2008).
99. See Biever, supra note 94; Linda Stem, Corporate Spim Is No LOL Matter, NEWSWEEK,
May 9, 2005, at 36.
100. EULYNN SHIU & AMANDA LENHART, PEW INTERNET & AM. LIFE PROJECT, How
AMERICANS USE INSTANT MESSAGING 10 (2004), available at
http://www.pewintemet.org/pdfs/PlPInstantmessage-Report.pdf.
101. Will Sturgeon, U.S. Makes First Arrest for Spim, CNET NEWS, Feb. 21, 2005,
http://www.news.com/U.S.+makes+first+arrest+for+spim/2100-7355_3-5584574.html. See also Peter
Griffiths, Internet Criminals to Step Up "Cyberwar" in 2007, REUTERS, Dec. 12, 2006,
http://news.soft32.com/intemet-criminals-to-step-up-cyberwar-in-2007_3015.html.
102. BINATIONAL WORKING GROUP ON CROSS-BORDER MASS MKTG. FRAUD, REPORT ON
PHISHING 3 (2006), http://www.usdoj.gov/opa/report on-phishing.pdf.
103. See 151 CONG. REC. S1796, 1804 (daily ed. Feb. 28, 2005) (statement of Sen. Leahy).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.409

20081 CRACKING THE CODE
10 4
phishers loot the users' accounts or steal their identities.
Original phishing schemes were easily detectible, as they were
frequently laden with typographical, grammatical, and spelling errors, and
contained entirely numerical hyperlinks that indicated the page to which
they linked was not legitimate. 10 5 The e-mails were also often sent
indiscriminately, reaching many users who never interacted with the
business in question, making it easier for users to distinguish a phish from a
legitimate e-mail. However, recent phishing schemes have grown more
sophisticated. Phishing e-mails now tend to be grammatically correct10 6 and
targeted toward known customers of the impersonated business. 10 7 Phishers
have also developed a technique known as "pharming" which masks the
Uniform Resource Locator ("URL") of a fraudulent site as the URL of the
real company's site.1" 8 Phishing crimes are becoming increasingly more
dangerous as identity thieves crawl through networked cyberspace, picking

LA
up personal details to strengthen their "phish."' 0 9 Data suggests that
phishers now have a 5 percent success rate of tricking the unwary user into
IM
falling for the scheme, 110 whereas the response rate for regular spain is
1
0.01 percent. 1
SH

Phishing is a complex crime because it "almost always involves two

separate acts of fraud. The phisher first 'steals' the identity of the business
it is impersonating and then acquires the personal information of the
LU

unwitting customers who fall for the impersonation."' 112 There are therefore
two victims of a phishing scheme: the unsuspecting user who falls for the
phish, and the business whose identity is stolen and copied.
PN

104. See Jennifer Lynch, Note, Identity Theft in Cyberspace: Crime Control Methods and Their
Effectiveness in Combating Phishing Attacks, 20 BERKELEY TECH. L. J. 259, 259 (2005); Editorial,
H

We're Just Phish to Them, MILWAUKEE J. SENTINEL, Mar. 12, 2006, at A 14.
105. See Jefferson Lankford, The PhishingLine, ARIZ. ATT'Y, May 2005, at 14.
106. See ANTI-PHISHING WORKING GROUP, EVOLUTION OF PHISHING ATTACKS 8-9 (2005),
http://www.antiphishing.org/Evolution%20of/o20Phishing%20Attacks.pdf
107. See Lankford, supra note 105; Timothy L. O'Brien, Gone Spear-Phishin'; For a New Breed
of Hackers, This Time It's Personal,N.Y. TIMES, Dec. 4, 2005, at Al (describing a technique known as
"spear fishing," which can be alarmingly specific and accurate)..
108. See generally Lynch, supra note 104, at 269 (describing sophisticated techniques, including
pharming, used by spammers).
109. Griffiths, supra note 101.
110. ANTI-PHISHING WORKING GROUP, PHISHING ACTIVITY TRENDS REPORT (2005),
http://www.antiphishing.org/reports/APWG-Phishing-Activity-Report-January2005.pdf (last visited
Mar. 2007).
111. Laura Sullivan, Internet "Phishing" Scams on the Rise, L.A. TIMES, Mar. 22, 2004, at C2.
112. Robert Louis B. Stevenson, Plugging the "Phishing" Hole: Legislation Versus Technology,
2005 DUKE L. & TECH. REV. 0006, 3, http://www.law.duke.edu/journals/dltr/articles/
2005dltr0006.html.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.410

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

This rapidly growing class of Internet fraud causes both short-term

loss and long-term economic damage," 3 the costs of which will only
increase as the number of new phishing scams continues to climb. 1 4 The
biggest long-term effect is the loss of public trust in the Internet, which in
turn undermines the integrity of e-commerce.1 15 Overall, estimated losses
caused by phishing are in the billions;" 6 in terms of cost to consumers,
117
estimates range from $500 million to $2.4 billion.

4. Other Internet Fraud

Other types of Internet fraud include business opportunity "work at
home" schemes, 118 which require individuals to pay money for the
opportunity to earn money by working at home;" 9 investment schemes; 1
12
121
and identity theft and fraud.

LA
III. CURRENT CYBER CRIME LAW IM
Before the widespread proliferation of computers in American life, the
amount of property susceptible to criminal activity was, to some extent,
limited by the constraints of the physical world; for example, a thief can
SH

113. See 151 CONG. REC. S 1796, 1804 (daily ed. Feb. 28, 2005) (statement of Sen. Leahy).
114. Phishing attacks have increased by an average of 30 percent each month since July 2004.
LU

THE ANTI-PHISHING WORKING GROUP, supra note 110.

115. 151 CONG. REC. S1796, 1804 (daily ed. Feb. 28, 2005) (statement of Sen. Leahy).
116. Id.
PN

117. Good News: "Phishing" Scams Net Only $500 Million, CNET NEWS, Sept. 29, 2004,
http://news.cnet.com/2102-1029-3-5388757.html (summarizing studies from Truste, Inc. and Gartner,
Inc.).
118. See Rusch, supra note 84.
H

119. Intemet Fraud, supra note 77.

120. Id. See, e.g., CHRISTOPHER M.E. PAINTER, U.S. DEP'T OF JUSTICE, TRACING IN INTERNET
FRAUD CASES: PAIRGAIN AND NEI WEBWORLD, (2005), available at http://www.usdoj.gov/
criminal/cybercrime/usamay200l-3.htm; Press Release, SEC, Three Settle SEC Charges in NEI
Webworld Internet Stock Manipulation Case; Two Sentenced to Prison in Related Criminal Prosecution
(Jan. 23, 2001), available at http://www.sec.gov/litigation/litreleases/lr16867.htm. See also Rusch,
supra note 84.
121. Although identity theft has become the fastest growing crime in America, it will not be
discussed in great detail here, except in relation to phishing crimes. For more information on identity
theft see Fighting Identity Theft-the Role of FCRA: Hearing before the H. Subcomm. on Fin. Instits.
and Consumer Credit, 108th Cong. (2003) (statement of Rep. John B. Shadegg). See also SEAN B.
HOAR, U.S. DEP'T OF JUSTICE IDENTITY THEFT: THE CRIME OF THE NEW MILLENNIUM (2001),
available at http://www.cybercrime.gov/usamarch2001_3.htm (applying the statute). Identity theft
"affects as many as 10 million Americans at a price tag of $55 billion to American businesses and
individuals." Cassell Bryan-Low, As Identity Theft Moves Online, Crime Rings Mimic Big Business,
WALL ST. J., July 13, 2005, at Al. Identity theft is particularly costly to individuals because, while
banks typically compensate them for losses, victims still must spend time and money repairing "the
havoc wreaked on their personal records and finances and often end up paying legal fees to do so." Id.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.411

2008] CRACKING THE CODE

only carry so many television sets or rob so many houses before,

inevitably, someone notices. However, as the public eagerly embraced
computers in the 1990s, a new arena for criminal mischief and theft
appeared, the dimensions of which had never before been imagined. As
thieves were able to utilize modem technology to steal or damage
extraordinary amounts of property,122 Congress was forced to search for
legislative solutions that would "prove suitable 123
to the society of computer
users that it foresees in the immediate future."'
Congress was presented with a number of options: rely on laws for
physical property to prosecute computer-based crimes, rely on the states to
prosecute, or pass federal statutes specifically targeting computer-based
crime. Initially, Congress chose the first option, relying primarily on
existing code sections. 1 24 Yet, as computer use expanded, legislators agreed
that greater action was needed. 125 The unique problem and concomitant

LA
threat to public welfare created by the introduction of computers caused
Congress to recognize that the "clear shift to a borderless, incorporeal
IM
environment and the increased risk that information will be stolen and
transported in electronic form" would be impossible 26
to address by relying
on older laws, written to protect physical property.
SH

Over the past two decades, Congress has taken a piecemeal approach
in addressing the ever-evolving cyber environment, passing a slate of new
LU

legislation to combat specific crimes and reworking current legislation to

incorporate other crimes. This approach was intended to enable prosecutors
and law enforcement to "swiftly trace a cyber attack back to its source and
PN

appropriately prosecute"' 127 without having to continually parse and rework

the entire U.S. Code.' 28 Generally, the legislation was intended to permit
prosecutors and legislators to gamer a better understanding of the scope of
H

cyber crime, and to derive more reliable statistics regarding cyber crime to
"better measure existing harms, anticipate trends, and determine the need

122. See Griffith, supra note 4, at 454.

123. Id. at 455 (citing S. REP. No. 99-432, at 2-3 (1986), as reprinted in 1986 U.S.C.C.A.N. 2479,
2479).
124. Prior to the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984,
Congress had relied on the mail and wire fraud statutes to combat computer crime. See Deborah F.
Buckman, Validity, Construction, and Application of Computer Fraud and Abuse Act (18 U.S.C.A. §
1030), 174 A.L.R. Fed. 101, 112 (2001).
125. See Griffith, supra note 4, at 471.
126. Legislative Analysis, supra note 27. See United States v. Brown, 925 F.2d 1301, 1307-09
(10th Cir. 1991) (highlighting the difficulty of prosecuting theft of intellectual property-namely source
code-under current physical property sections).
127. Kyl Statement, supranote 18.
128. LegislativeAnalysis, supra note 27.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.412

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

for further legislative reform." ' 129 This Note does not question Congress's
approach, but offers additional ways to supplement the existing scheme.
As with all criminal law, the specifics of the crime determine which
statutory section is applicable. Criminalizing measures for cyber crime can
be arranged in roughly similar categories as to the crimes they prohibit:
those statutes that are geared toward crimes targeting the computer and
networks, and those geared toward using such systems as an
instrumentality of a crime.

A. CRIMES AGAINST COMPUTERS AND NETWORKS

1. Hacking
The primary statute used to prosecute hacking crimes-including

LA
DDoS attacks and extortionate hacking-is 18 U.S.C. § 1030.130 By
prohibiting unauthorized access to computer systems, this statute enables
prosecutors to pursue crimes that attack computers and networks and the
IM
information contained within them.
SH

The current statute is the result of nearly twenty years of evolving

responses to the cyber crime threat. The statute was first passed in 1984 as
the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
("1984 Act"). 13' This Act prohibited computer-related activity in only a
LU

few very narrow areas. The 1984 Act made it a felony to knowingly access
a computer without authorization or in excess of authorization to obtain
PN

federal government information, and a misdemeanor to access a computer

without, or in excess of authorization to obtain financial records or in order
132
to use, modify, destroy or disclose federal government information.
H

Although hailed as the first important step in fighting cyber crime, the lack
of clarity in defining key terms, inability to react to changing technology,
and failure to combat noninterstate computer crime ultimately doomed the
success of the 1984 Act.' 3 3
Industry analysts and legislators at the time felt it was necessary to
expand the 1984 Act to protect the growing number of private sector

129. Id.
130. 18 U.S.C. § 1030 (2000 & Supp. IV 2004).
131. Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, ch. 21, 98 Stat.
2190 (codified as amended at 18 U.S.C. § 1030 (2000)).
132. Id.
133. See Griffith, supra note 4, at 466-73 (providing an indepth analysis of the 1984 Act and its
failings).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.413

2008] CRACKING THE CODE

computers used in interstate commerce. Congress attempted to address the

shortcomings with the CFAA, 134 which eliminated ambiguous language,
defined additional terms, restructured the offenses, and expanded the scope
to include new and significant computer crimes. 135 The CFAA sought to
increase the deterrent effect of the statute on cyber criminals by closing
136
loopholes inadvertently created in the 1984 Act.
Computer technology continued its rapid evolution and the CFAA was
forced to evolve alongside it. In recognition of the increase of the
prevalence of computers and networks in the United States and the
attendant opportunities for computer crime, in 1994, Congress broadened
the focus of the CFAA from the technical concept of unauthorized access
to a computer system to a focus on the defendant's harmful intent and
resulting harm.' 37 Congress also reduced the threshold requirement to
$1000 for jurisdiction over crimes of intentional access to a government

LA
computer. 138
In 1996, the statute was substantially reorganized, 139 and again
IM
broadened by two main provisions: first, Congress relaxed the interstate
threshold requirement to a "computer used in interstate commerce or
SH

communications," 140 recognizing the inherently interstate nature of the

134. CFAA, sec. 2, § 1030(a)(l)-(3), (b), (e), 100 Stat. 1213 (codified as amended at 18 U.S.C. §
LU

1030 (2000)).
135. See Joseph B. Tomkins, Jr. & Frederick S. Ansell, Computer Crime: Keeping Up with High
Tech Criminals, CRIM. JUST., Winter 1987, at 30, 32. Specifically, the CFAA raised the criminal intent
PN

standard to "intentionally" from "knowingly" for 18 U.S.C. §1030(a)(2); clarified what the 1984 Act
means by "having accessed a computer with authorization, uses the opportunity such access provides
for purposes to which such authorization does not extend" by replacing it with "exceeds authorized
access"; removed redundant clauses that were covered by 18 U.S.C. §1030(a)(4); and refined the
H

measurement mechanism for calculating fines under the act. CFAA, § 2(a)(1)-(b)(l),(c),(f)(1)-(7), 100
Stat 1213, 1213 (1986).
136. See Griffith, supra note 4, at 484.
137. See 139 CONG. REC. S16421-03 (daily ed. Nov. 19, 1993) (statement of Sen. Leahy). Prior
to the 1994 amendment, amendments in 1989 and 1990 broadened the scope of the CFAA to include
applicability to "institutions," not just "banks" in § 1030(e)(4), Financial Institutions Reform, Recovery,
and Enforcement Act of 1989, Pub. L. No. 101-73, § 962(a)(5)(A)-(C), 103 Stat. 183, 502, and to
include "commonwealth[s]" of the United States alongside "possession[s] or territory of the United
States" in § 1030(e)(3). Crime Control Act of 1990, Pub. L. No. 101-647, § 1205(e), 104 Stat. 4789,
4831.
138. Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, §
290001(b), 108 Stat. 1796, 2097-98.
139. See Economic Espionage Act of 1996, Pub. L. No. 104-294, § 201(2)(A)-(D), 110 Stat.
3488, 3492-93 (codified as amended at 18 U.S.C. §§ 1831-39 (2000)).
140. CFAA, 18 U.S.C. § 1030(a)(5) (Supp. IV 2004). Prior to this amendment, § 1030(e)(2)(A)
read: "which is one of two or more computers use in committing the offense, not all of which are
located in the same state." Economic Espionage Act § 201(4)(A)(iii). Congress also inserted a provision
for crimes committed internationally, including in the Act "a computer located outside the United States

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.414

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

Internet (and perhaps foreseeing the future need not to limit the crime to
only computer-to-computer transmissions); and second, Congress replaced
the phrase "federal interest computer" with the broader phrase "protected
computer" 14 1 to accommodate the growing legion of computers in the home
and workplace.
Congress conceded the changing nature of computers and Internet
technology; as the Senate Report on the 1996 amendments noted:
[a]s intended when the law was originally enacted, the Computer Fraud
and Abuse statute facilitates addressing in a single statute the problem of
computer crime ....As computers continue to proliferate in businesses
and homes, and new forms of computer crimes emerge, Congress must
remain vigilant to ensure that the Computer Fraud and Abuse statute is
up-to-date and provides law enforcement
142
with the necessary legal
framework to fight computer crime.

LA
In its current form,1 43 the CFAA addresses the "interstate transmission
of threats directed against computers and computer networks" and applies
IM
to "any interstate or international transmission of threats against computers,
computer networks, and their data and programs, whether the threat is
SH

received by mail, a telephone call, electronic mail, or through a

computerized message service."144
The CFAA, § 1030(a)(5), is the primary tool used to investigate and
LU

that is used in a manner that affects interstate or foreign commerce or communication of the United
PN

States." Uniting and Strengthening America By Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (USA Patriot Act) Act of2001, Pub. L. No. 107-56, § 814(d)(1), 115 Stat. 272, 384.
141. See Economic Espionage Act § 201(4)(A)(i); Legislative Analysis, supra note 27. See also
Shaw v. Toshiba Am. Info. Sys., Inc., 91 F. Supp. 2d. 926 (E.D. Tex. 1999). Congress also substituted
H

"any nonpublic computer of a department or agency" for "any computer of a department or agency."
This change helped to better define the scope of this section. § 201(1)(A).
142. National Information Infrastructure Protection Act of 1995, S.REP. No. 104-357, pt. I1, at 5
(1996).
143. The CFAA was further amended in 2001. The 2001 amendments were largely formatting
changes; however, a few important substantive changes were made as well. The definition of damages
was changed to its current meaning from, "any impairment to the integrity or availability of data, a
program, a system, or information." USA Patriot Act § 814(d)(3). The prior law required that the
damages "cause loss aggregating at least $5,000 in value during any I-year period," modify medical
treatment "of one or more individuals," cause "physical injury to any person," or "threate[n] public
health or safety." Economic Espionage Act § 201(2)(A)-(D). While the substantive text of the earlier
Act has been carried over to the current Act in relation to § 1030(a)(4) and (a)(5), this change in 2001
eliminated the monetary minimum for unauthorized access to government computers and extortionate
acts. In the 2001 amendment, Congress also refined the civil action provision of the CFAA, limiting
damages to economic damages only, and creating a safe harbor for manufacturers in that "[n]o action
may be brought under this subsection for the negligent design or manufacture of computer hardware,
computer software, or firmware." USA Patriot Act § 814(e).
144. Legislative Analysis, supra note 27.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.415

2008] CRACKING THE CODE

prosecute hacking crimes.' 45 Subsection 1030(a)(5)(A)(i) applies to anyone

who "knowingly causes the transmission of a program, information, code,
or command, and as a result of such conduct, intentionally causes damage
without authorization, to a protected computer."' 146 This section covers
most hacking crimes. For example, a hacker who infiltrates a system and in
some way damages the system or the data on it faces liability under this
section of the criminal code. Under this subsection, a hacker faces dual
liability in a DDoS attack (to both the "zombie" system and the targeted
system) since the attacker causes the transmission of information, packets,
and code with the intent to harm both systems.
Unintentional, unauthorized access is also covered. Section
1030(a)(5)(A)(ii) creates a felony for unauthorized access that "recklessly"
causes damage to a protected computer. 147 This lower culpability standard
is applicable to hacking crimes in which damage is caused inadvertently. If

LA
a prosecutor is still unable to make a case, § 1030(a)(5)(A)(iii), 148 which
prohibits unauthorized access that negligently causes damage, can be used.
IM
Although it is hard to imagine an example of such negligence, without this
provision, Congress would implicitly condone hacking into a computer or
SH

system so long as no damage occurred. Perhaps, in recognition of the

importance of information on its own without economic damage, Congress
found it necessary to include this provision. Activation of § 1030(a)(5)(i)-
LU

(iii) requires "loss to 1 or more persons during any 1-year period (and, for
purposes of an investigation, prosecution, or other proceeding brought by
the United States only, loss resulting from a related course of conduct
PN

affecting 1 or more other protected computers) aggregating at least $5,000

149
in value."'
H

Section 1030(a)(5) is similar to § 1030(a)(4), which criminalizes the

access and intentionally fraudulent use of a protected computer.' 50 Section
1030(a)(4) is also triggered only if the "conduct furthers the intended fraud
and obtains anything of value" in excess of $5000.15 1 This section is often
employed to prosecute hacking crimes which involve the obtaining or
destruction of some measurable thing.
Sections 1030(a)(4) and 1030(a)(5)(i)-(iii) both require a showing of

145. 18 U.S.C. § 1030(a)(5) (Supp. IV 2004).

146. Id. § 1030(a)(5)(A)(i).
147. Id. § 1030(a)(5)(A)(ii).
148. Id. § 1030(a)(5)(A)(iii).
149. Id. § 1030(a)(5)(B)(i).
150. Id. § 1030(a)(4)-(5) (2000 & Supp. IV 2004)
151. Id. § 1030(a)(4) (2000).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.416

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

damages greater than $5000;152 § 1030(a)(4) requires the value of the thing
obtained in the hack be greater than $5000153 and § 1030(a)(5) requires the
"loss" be greater than $5000.154 Although this damages requirement is
155
important as an element, jurisdictional threshold, and sentencing factor,
prosecutors have found the $5000 loss requirement of § 1030(a)(5) to be
156
both "difficult to establish and an impediment to investigation."
The CFAA provides a broad definition for "damages" that leaves
much ambiguous. The statutory definition is unclear, suggesting only
damage that interferes with the integrity of a computer system.1 57 The
statute does provide specific examples of foreseeable damages, such as "the
cost of responding to an offense, conducting a damage assessment, and
restoring the data, program, system, or information to its condition prior to
the offense, and any revenue lost, cost incurred, or other consequential
' 158
damages incurred because of interruption of service."

LA
The ambiguous parameters of this element of a hacking crime have
forced courts to further interpret the gray areas within damages and loss.
IM
Courts have found loss to refer to the costs that are the "natural and
foreseeable result" of a violator's conduct, including monetary loss for
SH

system destruction, as well as expenses related to restoring data, and

creating a better, more secure system. 15 9 Courts have not required a loss to
be physical damages (in the traditional sense) in order to fall within the
LU

purview of the act; 160 even if no actual physical damage is caused to a data
system, the $5000 threshold may be met if a cost is incurred as a result of a
violation of the CFAA. 161 Examples of losses accepted by the courts to fall
PN

within the parameters of the CFAA are damage assessment and remedial
H

152. While the 2001 amendments to the CFAA allow for contemplation of intangible harms from
unauthorized access to data systems, they still require fact finders to express the harms in economic
terms that total $5000 while failing to suggest how an economic calculation should be conducted.
153. 18 U.S.C. § 1030(a)(4).
154. Id. § 1030(a)(5).
155. Damages are also a major factor in sentencing and are fundamental to restitution. Section
2B1.1 of the U.S. Sentencing Guidelines applies to violations of 18 U.S.C. § 1030; it has a base level
offense of six, and dictates a two to thirty upward adjustment for loss. U.S. SENTENCING COMM'N, 2007
FEDERAL SENTENCING GUIDELINES MANUAL § 2B 1.1 (a)(2)-(b)(l).
156. See Sinrod & Reilly, supra note 33, at 200.
157. 18 U.S.C. § 1030(e)(8) (Supp. IV 2004).
158. Id. § 1030(e)(l 1).
159. See United States v. Middleton, 231 F.3d 1207, 1213 (9th Cir. 2000).
160. 18 U.S.C. § 1030(c)(8)(A) (2000); 18 U.S.C. § 1030(g) (Supp. IV 2004). See In re
DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 524 (S.D.N.Y. 2001).
161. 18 U.S.C. § 1030(e)(8)(A). See EF Cultural Travel BV v. Explorica, Inc., 274 F.3d 577, 584
(lst Cir. 2001).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.417

2008] CRACKING THE CODE

measures, 162 loss of business and goodwill,' 63 and the expense of

technicians' salaries paid to fix the problem.164 However, courts have
1 65
interpreted the CFAA to exclude as compensable loss the lost revenues,
travel costs, 166 and lost competitive advantage a business or individual
67
suffers in the wake of a cyber attack.1
Extortionist hacking is often prosecuted under § 1030(a)(7), which
prohibits "any communication containing any threat to cause damage to a
protected computer" with the "intent to extort from any person any money
or other thing of value" in interstate or foreign commerce. 168 Although the
section requires the intent to extort some thing "of value," unlike §
69
1030(a)(4)-(5), the statute does not specify any threshold value.'
17
Prosecutors often employ this statute in conjunction with the Hobbs Act
if the hacking attack contains a threat of "physical violence to any person
or property," 17' and with 18 U.S.C. § 875 if the intent to extort includes a

LA
72
threat to injure property or reputation.1
Hacking crimes where the target is the U.S. government often fall
IM
under § 1030(a)(1), which protects against intentional access to
government computers in order to obtain confidential or classified
SH

information. 173 This section often works in conjunction with § 1030(a)(3),

which concerns access that interferes with the use or the ability to use a
LU

162. See I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F. Supp. 2d 521, 526
(S.D.N.Y. 2004).
163. See Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 934-35 (9th Cir. 2004).
PN

164. See Middleton, 231 F.3d at 1214 (finding that the hourly wage of bank employee can be
included because it would have cost the bank a similar fee to hire an outside consultant); United States
v. Sablan, 92 F.3d 865, 870 (9th Cir. 1996) (finding that inhouse employees' salaries can be included in
calculation of loss even though they were not paid extra to fix the damages).
H

165. 18 U.S.C. § 1030(a)(5)(B)(i), (g) (Supp. IV 2004). See Nexans Wires S.A. v. Sark-USA, Inc.,
319 F. Supp. 2d 468, 472 (S.D.N.Y. 2004).
166. Nexans Wires S.A. v. Sark-USA, Inc., 166 F. App'x. 559, 563 (2d Cir. 2006). See 18 U.S.C.
§ 1030(e)(l 1).
167. See Civic Ctr. Motors, Ltd., v. Mason St. Import Cars, Ltd., 387 F. Supp. 2d 378, 382
(S.D.N.Y. 2005) (holding that damages here-a competitor gaining an advantage and the original
business wasting its investment in the development and compilation of a database-stemming from
unauthorized access to a business' computer database were not compensable).
168. 18 U.S.C. § 1030(a)(7).
169. Id.
170. Hobbs Act, 18 U.S.C. § 1951 (2000).
171. See id. § 1951(a).
172. See 18 U.S.C. § 875 (2000). The Interstate Nexus requirement is met by the inherently
interstate nature of the Interet medium. Id. § 875(d). It is still unclear in both statutes whether
"'property' includes the unimpaired operation of a computer or the unrestricted access to the data or
programs stored in a computer and its peripheral equipment." LegislativeAnalysis, supra note 27.
173. 18 U.S.C. § 1030(a)(1) (2000).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.418

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

government computer.174 A prosecution under this section requires that a

user "intentionally" access an exclusively government
71 5
computer, but does
not currently require any damages be alleged.
The CFAA's application is not limited to hacking crimes. Section
1030(a)(2) is used to prosecute economic espionage. 176 This section
prohibits intentional access and obtaining of information without, or in
excess of, authorization from a financial institution, the federal
government, or any "protected computer involved in interstate or foreign
communications." 177 This section is primarily concerned with the
protection of information, and can be used to prosecute theft of trade
secrets. 178 The CFAA can also be used in prosecutions for access device
fraud. 179 Although this section of the CFAA has limited application to
hacking crimes, this section can be used in conjunction with § 1029 to
prosecute access device theft.1 80

LA
Criminal acts charged under the CFAA are punishable by up to
twenty-years imprisonment or a fine, or both. The CFAA also provides a
IM
civil remedy. 18 1 Section 1030(g) allows "[a]ny person who suffers damage
or loss by reason of a violation of this section" to bring a civil action
SH

against the violator for injunctive or equitable relief, including

compensatory damages.' 82 A viable civil action requires that the violative
conduct have caused either an excess of $5000 in damages within a year, or
LU

one of the noneconomic damages set forth in § 1030(a)(5)(B)(i)-(v). 183

Standing in a civil action is not limited to the owner of an affected
PN

174. Id. § 1030(a)(3).

175. Id. This was not always the case; the original 1984 Act did require damages of at least $1000
H

to allege the crime. Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, Pub. L.
No. 98-473, ch. 21, 98 Stat. 2190 (codified as amended at 18 U.S.C. § 1030 (2000)).
176. 18 U.S.C. § 1030(a)(2).
177. Id. § 1030(a)(2)(c).
178. See Shurgard Storage Ctrs., Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D.
Wash. 2000) (stating that in the context of a civil action "'[t]he premise of 18 U.S.C. 1030(a)(2) will
remain the protection, for privacy reasons, of computerized credit records and computerized
information relating to customers' relationships with financial institutions"' (citing S. REP. No. 99-432,
at 6 (1986))).
179. Section 1030(a)(6) prohibits knowingly trafficking, that is, to "transfer, or otherwise dispose
of, to another, or obtain control of with intent to transfer or dispose of," 18 U.S.C. § 1029(e)(5), "any
password or similar information through which a computer may be accessed without authorization"
with the intent to defraud. 18 U.S.C. § 1030(a)(6).
180. See discussion infra Part III.A.4.
181. 18 U.S.C. § 1030(g) (Supp. IV 2004). See Fiber Sys. Int'l v. Roehrs, 470 F.3d 1150, 1156
(5th Cir. 2006).
182. 18 U.S.C. § 1030(g).
183. Id. ("Damages for a violation involving only conduct described in subsection (a)(5)(B)(i) are
limited to economic damages.").

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.419

2008] CRACKING THE CODE

computer; the CFAA provides a cause of action against any person who
intentionally accesses a computer and information. 184 If that information
belongs to a person other than the one who owns the computer, that third
85
party has standing to bring a claim.1
A bill to expand coverage of the CFAA is currently pending in
Congress.' 86 This bill would extend the jurisdiction of the
Act to cover not only computers "used in" interstate commerce but also
those "affecting" computers used in interstate commerce; it would also
eliminate the requirement of involving interstate commerce for protected
computers. 187 The proposed bill would also broaden the protected elements
under § 1030(a)(2) and create a crime of "conspiracy" to commit a cyber
crime.1 88 The bill was referred to the Subcommittee on Crime, Terrorism,
and Homeland Security of the House Judiciary Committee in March of
89
2007, and as of July 2008 remains in committee.'

LA
2. DDoS Attacks
IM
DDoS attacks are generally prosecuted under the CFAA. The CFAA is
well suited for the prosecution of DDoS attacks since these sorts of attacks
SH

include unauthorized or excessive access to another computer. Prosecutions

under this statute are still subject to the $5000 threshold requirement for
damages; however, in a DDoS attack these damages are often easier to
LU

allege than in a single hacking crime. For example, a man recently pled
guilty to waging a DDoS attack against elay.190From July through August
2003, Anthony Scott Clark accumulated approximately twenty thousand
PN

"zombie computers" by using a worm program that took advantage of

computer vulnerability in the Windows Operating System.' 9' When
H

instructed to do so, the "zombies" launched DDoS attacks focused on the

nameserver for eBay.com at computers or computer networks connected to
the Internet. As a result, the DDoS attack critically impaired the infected

184. Id.
185. 18 U.S.C. § 1030(a)(2)(C), (g) (2000 & Supp. IV 2004). See Theofel v. Farley-Jones, 359
F.3d 1066, 1078 (9th Cir. 2004).
186. H.R. 836, 110th Cong. (2007).
187. Id. §3.
188. Id. §§2,6.
189. See Status Report, H.R. 836, 110th Cong., http://www.thomas.gov (search "Bill Number" for
"H.R. 836"; then follow "Bill Summary & Status" hyperlink).
190. See Press Release, U.S. Attorney's Office, Man Pleads Guilty to Infecting Thousands of
Computers Using Worm Program then Launching them in Denial of Service Attacks (Dec. 28, 2005),
available at http://www.cybercrime.gov/clarkPlea.htm [hereinafter Man Pleads Guilty].
191. Id. The "zombies" were directed to a password-protected Internet Relay Chat server, where
they connected, logged in, and waited for instructions. Id.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.420

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

computers and eBay.com. 192 Clark pled guilty to 18 U.S.C. §

193
1030(a)(5)(A)(i) and (a)(5)(B)(i), and faces up to ten years in prison.
Because his attack was aimed toward shutting down eBay, a sizeable target,
a case for $5000 in damages could be made relatively easily. If the target
was a smaller site or personal network, the damages may not be quite as
easily alleged.

3. Theft of Trade Secrets

The Economic Espionage Act of 1996 makes theft or misappropriation

of trade secrets a federal crime.' 94 The Act prohibits the wrongful copying
or otherwise controlling of trade secrets with the intent to "benefit any
foreign government, foreign instrumentality or foreign agent," 195 or to
96
benefit economically "anyone other than the owner thereof."' "Trade
secret[s]" include "all types of financial, business, scientific, technical,

LA
economic, or engineering information, whether tangible or intangible, and
regardless of the means by which the information is stored, compiled, or
197
IM
memorialized."'
Prior to the 1996 Act, the criminal sanctions for trade-secret
SH

misappropriation were found under existing statutes; 19 in reality,

regulation of economic espionage was left principally to state legislatures
LU

192. Id.
193. Id.
194. Economic Espionage Act of 1996, 18 U.S.C. §§ 1831-39 (2000).
PN

195. Id. § 1831(a)(1)-(2).

196. Id. § 1832(a)(l)-(2).
197. H.R. REP. No. 104-788, at 3 (1996), as reprinted in 1996 U.S.C.C.A.N. 4021, 4022. For
H

proprietary information to be a trade secret: (1)the owner of the information must "have taken
reasonable measures to keep such information secret," and (2) "the information derives independent
economic value, actual or potential, from not being generally known" to the public, and "not being
readily ascertainable" through legal means. Id. at 2.
198. Prior to the passage of this law, federal authorities relied principally on the Interstate
Transportation of Stolen Property Act (ITSPA), 18 U.S.C. § 2314 (2000), which was passed in the
1930s in an effort to prevent criminals from moving stolen property across state lines to evade local and
state law enforcement. H.R. REP. No. 104-788, at 6. ITSPA relates to physical property--"goods,
wares, or merchandise." 18 U.S.C. § 2314. However, this provision was difficult to apply to Internet
property because it is intangible "intellectual" property that is not by its nature transported from place to
place. 18 U.S.C. § 2314; H.R. REp. No. 104-788, at 4-5. Courts too have been reluctant to extend this
statute to nonphysical property, believing the physical property of "goods, wares or merchandise" to be
a limitation "imposed by the statute itself, and [it] must be observed." United States v. Brown, 925 F.2d
1301, 1308-09 (10th Cir. 1991). Given the limitations of the ITSPA, the government has used other
statutes to prosecute trade secret theft, which have proved somewhat limited in their use. See H.R. REP.
No. 104-788, at 6. For example, charging a crime under the mail or wire fraud statute requires proof
that the mails, or wire radio, or television technology, respectively, were use to commit the crime; this
can present an obstacle in some cases. Id.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.421

20081 CRACKING THE CODE

who passed separate and largely inconsistent laws. 199 While many states
had rarely used civil remedies, only a handful of states had any criminal
laws regarding economic espionage, and of those who did, most created
misdemeanor violations that, as a result, received little attention from state
2 00
prosecutors.
In 1996, Congress recognized two competing trends: on one hand, the
proliferation of computers made intangible assets-the intellectual property
embodied by the computer systems and software and the information
available via the computer and networks-incredibly valuable.20 1 The
increasing prevalence of computers in the home and business made
intangible assets vital to the prosperity of companies. It was expected that
"[a]s the nation move[d] into the high-technology, information age, the
value of these intangible assets [would] only continue to grow." 20 2 Indeed,
whole new businesses, such as Google, have been created from purely

LA
intellectual property associated with the Internet and are now worth
hundreds of billions of dollars. On the other hand, the growth of personal
IM
computers made these important assets vastly easier to misappropriate. As
computers spread in society and the computer technology for the creation
SH

and storage of information advanced, so too did the methods for "rapid and
surreptitious duplications of the information." 20 3 Thus, ironically, "the very
conditions that [made] this proprietary information so much more valuable
[made] it easier to steal. 20 4
LU

The changing way in which intangible assets were created and stored,
as well as the gaps in federal law and the inability of states to cover the
PN

ground, "underscore[d] the importance of developing a systematic

approach to the problem of economic espionage." 2°5 Section 1030(a)(2),
H

which prohibits intentional access and obtaining of information without, or

in excess of, authorization from a financial institution, the federal
government or any "protected computer involved in interstate or foreign
communications," can also be used, alone or in tandem with the Economic
Espionage Act, to prosecute the theft of trade secrets when the access to a

199. See Arnold B. Silverman, The Theft of Trade Secrets Is a Federal Crime, JOM, July 2008, at
63.
200. H.R. REP. NO. 104-788, at 6.
201. Id. at4-5.
202. Id. at 4.
203. Id. at 5. Intangible, intellectual, assets are particularly good targets for theft for a number of
reasons: (1) they cost a great deal of money to develop independently; (2) they are immensely valuable;
and (3) theft of such assets is not bound by physical limitations. Id.
204. Id. at 4-5.
205. Id. at 7.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.422

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959
20 6
protected computer yields confidential proprietary information.

4. Access Device Fraud

The primary statute tailored to access device fraud is 18 U.S.C. §
1029.27 This statute makes it illegal to "knowingly and with intent to
defraud" produce, use, or traffic "in one or more counterfeit access
devices," or traffic in or use "one or more unauthorized access devices
during any one-year period," if by such conduct the thief "obtains anything
of value aggregating $1,000 or more during that period. 20 8
This statute was first enacted in 1984 in response to the growing
importance of credit cards and other access devices, and in recognition of
increasingly sophisticated criminal activity in this area. 20 9 The 1984 statute
was designed to "close the loopholes of already existing legislation"-the

LA
Truth in Lending Act 210 and the Electronic Funds Transfer Act 2' '-which it
did by allowing the aggregation of loss. Section 1029 is somewhat of a
"consequential" statute; it does not criminalize the hack itself, but rather
IM
criminalizes the subsequent use of the fruits of the hack.2 12
SH

The current statute still primarily criminalizes theft of credit and debit
card information and related identity theft; however, as this type of
criminal behavior migrates to the cyber world, this statute is increasingly
LU

used, often in conjunction with 18 U.S.C. § 1030(a)(6), to protect against

the theft of online access devices such as passwords and other online
2 13
information.
PN

206. See COMPUTER CRIME & INTELLECTUAL PROP. SECTION, U.S. DEP'T OF JUSTICE, THEFT OF
COMMERCIAL TRADE SECRETS-18 U.S.C. §§ 1831-1839, at 173-74 (2004), http://www.usdoj.gov/
H

criminal/cybercrime/ipmanual/04ipma.pdf
207. 18 U.S.C. § 1029 (2000).
208. Id. § 1029(a)(1)-(2).
209. H.R. REP. No. 98-130, at 1-4 (1984), as reprintedin 1984 U.S.C.C.A.N. 3689, 3689-90.
210. Truth in Lending Act, 15 U.S.C. §§ 1601-67 (2000).
211. Electronic Funds Transfer Act, 15 U.S.C. § 1693 (2000). See United States v. Ryan, 894 F.2d
355, 357 (10th Cir. 1990). These statutes prohibited "fraudulent use of credit cards and debit
instruments"; however, they were limited by the common requirement of $1000 worth of activity on
each instrument within one year. Id. Industry representatives testified that "organized groups generally
stay just under this amount but use many different counterfeit or stolen cards or debit instruments." Id.
(quoting H. REP. NO. 98-894, at 5 (1984), as reprintedin 1984 U.S.C.C.A.N. 3689, 3691).
212. See 18 U.S.C. § 1029(a)(2).
213. See CHARLES DOYLE, CONG. RESEARCH SERV., CYBERCRIME: A SKETCH OF 18 U.S.C. 1030
AND RELATED FEDERAL CRIMINAL LAWS 4-5 (2008), http://fpc.state.gov/documents/organization/
103707.pdf. a

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.423

2008] CRACKING THE CODE

5. Wiretapping
The original Federal Wiretap Act was enacted in 1968 as part of the
Omnibus Crime Control and Safe Streets Act of 1968 (Title III) "in an
effort to better articulate a balance between the privacy rights of individuals
and the legitimate needs of law enforcement." 2 14 This Act covered only the
intentional interception of wire and oral communications. 215 As other
modes of communication, such as mobile phones, cordless phones, and
data services grew in popularity in the mid-1980s, Congress amended the
original Act with the Electronic Communications and Privacy Act of 1986
("ECPA") to include electronic communications within the original
intended protections of the Federal Wiretap Act.216
Title I of the ECPA defines electronic communications as "any
transfer of signs, signals, writing, images, sounds, data, or intelligence of

LA
any nature transmitted in whole or in part by a wire, radio, electromagnetic,
photoelectronic or photooptical system that affects interstate or foreign
commerce." 217 The ECPA prohibits the intentional and attempted
IM
interception of electronic communications, 2 18 as well as the use of illegally
219
obtained electronic communications.
SH

Title II of the ECPA aims to prevent hackers from obtaining, altering,

or destroying certain stored electronic communications. 220 Specifically,
LU

Title II provides that anyone who "intentionally accesses without

authorization a facility through which an electronic communication service
isprovided; or ...intentionally exceeds an authorization to access that
PN

facility; and thereby obtains, alters, or prevents authorized access to a wire

or electronic communication while it is in electronic storage in such system
H

214. Shana K. Rahavy, The Federal Wiretap Act: The PermissibleScope of Eavesdropping in the
Family Home, 88 J. OF HIGH TECH. L. 87, 87-88 (2003). See Omnibus Crime Control and Safe Streets
Act of 1968, S.REP. No. 90-1097 (1968), as reprinted in 1968 U.S.C.C.A.N. 2112, 2113-15 (current
version at 18 U.S.C. § 2511(1) (2000)).
215. S.REP. No. 90-1097.
216. 18 U.S.C. § 2510 (2000).
217. Id. § 2510(12).
218. 18 U.S.C. § 251 1(l)(a) (2000). See Thomas R. Greenberg, E-mail and Voice Mail: Employee
Privacy and the Federal Wiretap Statute, 44 AM. U. L. REV. 219 (1994). The wiretapping provision was
added to the code in 1968 in response to Supreme Court decisions Berger v. New York, 388 U.S. 41
(1967), and Katz v. United States, 389 U.S. 347 (1967), which found the Fourth Amendment did apply
to searches and seizures of conversations and protected all conversations of an individual as to which he
had a reasonable expectation of privacy. See SENATE COMM. TO STuDY GOV'T OPERATIONS WITH
RESPECT TO INTELLIGENCE ACTIVITIES, U.S. SENATE, FINAL REPORT, BOOK 11(c) (1976).
219. 18 U.S.C. § 251 l(1)(b)-(d).
220. See Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817, 820 (E.D. Mich.
2000).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.424

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

221
shall be punished.,
The ECPA often works in conjunction with the Federal Wiretap
Act, 222 to prosecute computer-related electronic communication violations.
The joint effect of these two statutes has allowed prosecutors the flexibility
necessary to adapt to changing technology. For example, prosecutors
brought a case under the Federal Wiretap Act involving a hardware device
known as a keystroke logger, a device that is attached to a computer-
keyboard cable to record keystrokes. 223 This case, the first in the nation of
this sort, contained an indictment for endeavoring to intercept electronic
communications when the perpetrator placed the keystroke logger on his
employer's computer. 224 This case was dismissed on the basis that the
interception of keystrokes between the keyboard and the central processing
unit ("CPU") did not meet the "interstate or foreign commerce" clause in
the Federal Wiretap Act.225 However, the decision does not speak to

LA
devices that intercept communications between the CPU and the Internet.
The charging of this crime is perhaps an early demonstration of the next
226
IM
frontier of electronic wiretapping.
The USA Patriot Act of 2001 anticipated the changing nature of
SH

wiretapping, and updated the wiretap statute in two ways: first, by adding
felony violations of the computer hacking statute to the list of predicate
offenses for the interception of communications; 227 and second, by
LU

changing the way in which the Federal Wiretap Act and the ECPA apply to
stored voice communications, allowing federal agents to obtain protected
communications under the less demanding procedures of the ECPA rather
PN

that the more demanding wiretap order required by § 2516.228 These

H

221. 18 U.S.C. § 2701(a) (2000).

222. 18 U.S.C.A. § 2516 (West 2008).
223. Press Release, U.S. Att'y for the Cent. Dist. of Cal., Orange County Man Indicted on
Wiretapping Charges for Installing Spy Hardware on Employer's Computer (Mar. 23, 2004), available
at http://www.cybercrime.gov/roppIndict.htm.
224. Id.
225. Kevin Poulsen, Judge Dismisses Keylogger Case, SECURITYFOCUS, Nov. 19, 2004,
http://www.securityfocus.com/news/9978.
226. The dismissal of Ropp's case in the Ninth Circuit came on the heels of a controversial First
Circuit decision that differentiated between e-mails on a computer and e-mail sent over a network, and
decided that in the case of the former, conduct transgressing on the privacy of the e-mail does not
constitute a wiretap. United States v. Councilman, 373 F.3d. 197, 203-04 (1st Cir. 2004). That decision
has since been overturned, leaving unclear the future of the Federal Wiretap Act. See United States v.
Councilman, 418 F.3d. 67, 77-78 (1st Cir. 2005) (en bane).
227. USA Patriot Act of 2001, Pub. L. No. 107-56, § 202, 115 Stat. 272, 278. See 18 U.S.C. §
2516(l)(c) (Supp. IV 2004).
228. § 202; Mark Sherman, Federal Judicial Center, Cyber Crime and Cyber Terrorism, CLOSE-
UP (Fed. Judicial Ctr., Washington, D.C.), Apr. 2002, at 1-2, available at

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.425

2008] CRACKING THE CODE

amendments continue to create flexibility, allowing the statutes to adjust to

evolving computer and electronic technology.

B. COMPUTER AS THE INSTRUMENTALITY

1. Auction Fraud
Although no specific Internet fraud statute currently exists, Internet
fraud is largely prosecuted under mail fraud and wire fraud statutes. The
federal mail fraud statute prohibits "any scheme or artifice to defraud, or
for obtaining money or property by means of false or fraudulent pretenses,
representations, or promises" to utilize the U.S. Postal Service to in any
way further the fraud.229 The federal wire fraud statute, enacted in 1952,
contains nearly identical language to the federal mail fraud statute, and

LA
criminalizes fraudulent schemes that make use of interstate television,
radio, or wire communications. 230 Both statutes have been applied to
"cover not only the full range of consumer frauds, stock frauds, land frauds,
IM
bank frauds, insurance frauds, and commodity frauds, but [also] ...such 23 1
areas as blackmail, counterfeiting, election fraud and bribery."
SH

Frequently the mail and wire fraud statutes have "represented the sole
instrument of justice that could be wielded against the ever-innovative
practitioners of deceit" in areas in which legislators have been slow to
LU

follow the technological advancement.2 32

The federal mail fraud statute is in many ways the preeminent cyber
PN

crime statute for federal prosecutors. Recent applications of the mail fraud
statute reflect an evolving view of the statute as a substantive provision to
combat all fraud, not just mail fraud. This is not a new trend; in the 1970s,
H

federal prosecutors began using the mail fraud statute to attack political
corruption at the federal, state, and local level. 233 Prosecutors proceeded
under the theory that governmental officials who received kickbacks or
other gratuities in connection with their offices engaged in a scheme to
defraud the citizenry. 234 Congress supported this interpretation, and as part

http://www.fjc.gov/public/pdf.nsf/lookup/snocybO2.pdf/$file/snocybO2.pdf.
229. 18 U.S.C. § 1341 (2000).
230. Id. § 1343.
231. Laura A. Eilers & Harvey B. Silikovitz, Mail and Wire Fraud,31 AM. CR1M. L. REV. 703,
703-04 (1994) (quoting Jed. S.Rakoff, The FederalMail FraudStatute (Part1), 18 DUQ. L. REv. 771,
772 (1980)).
232. Id. (quoting Rakoff, supra note 231, at 772).
233. See Daniel J. Hurson, Limiting the Federal Mail FraudStatute-A Legislative Approach, 20
AM. CRIM. L. REv. 423, 429-30 (1983).
234. See Michael C. Bennett, Note, Borre v. United States: An Improper Interpretation of

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.426

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

of the Anti-Drug Abuse Act of 1988,235 added § 1346 to Title 18. This
provision states in its entirety: "[f]or the purposes of this chapter, the term
'scheme or artifice to defraud' includes a scheme or artifice to deprive
236
another of the intangible right of honest services.,
Prosecutors have used the mail and wire fraud statutes "to combat con
artists who prey on individuals through sophisticated programs. 23 7 As
fraud quickly transitions to the Internet, the application of the federal mail
and wire fraud statutes to Internet fraud, including auction frauds, is the
next logical step. Since online purchases in auctions generally involve the
transmission of some thing or good through the mail or wires, these statutes
are adaptable to Internet auction fraud.23 8 When a legitimate purchaser is
defrauded of some good after an online purchase, the online fraudster can
be held criminally liable under the wire and mail fraud statutes. 239 Use of
the mails or wires need not be an essential element of the scheme; rather,

LA
the statute is satisfied if the mailings are incident to an essential aspect of
the scheme. 40 The broad applicability of the statute derives at least some
IM
flexibility from the low intent requirement of a wire or mail fraud crime.
The perpetrator of such a fraud is required only to have acted "with
SH

knowledge that the use of the mails will follow in the ordinary course of
business, or where he could reasonably foresee that use of the mails would
result. It is not necessary to prove the accused.., actually intended the
24 1
LU

mail to be used.,

PropertyRights, 42 DEPAUL L. REV. 1499, 1508 n.70 (1993).

PN

235. Anti-Drug Abuse Act of 1988, Pub. L. No. 100-690, 102 Stat. 4181.
236. 18 U.S.C. § 1346 (2000).
237. Peter J. Henning, Maybe It Should Just Be Called FederalFraud: The Changing Nature of
H

the Mail FraudStatute, 36 B.C. L. REV. 435, 469 (1995).

238. This may not always be the case. As the virtual world gains popularity (9.4 million people
belong to one of 32 virtual worlds currently) purchases made over the Internet may not in the future
ever leave the Internet. Even now "castles" in "Scotland" and American Apparel "tee-shirts" can be
purchased on the Internet to remain on the Internet. See American Apparel's Second Life Press Center,
http://www.americanapparal.net/presscenter/secondlife (last visited July 31, 2008) (virtual store
discontinued). However, as long as the wires are used at some point in the transaction, perhaps to
transfer money from a real bank to an online exchange, there will likely be some plausible argument for
applicability of the mail and wire fraud statutes when an online purchase fails to deliver. For an
interesting discussion of the myriad issues presented by the virtual world, see Viktor Mayer-
Schbnberger & John Crowley, Napster's Second Life?: The Regulatory Challenges of Virtual Worlds,
100 Nw. U. L. REV. 1775 (2006).
239. This is either because the good did not arrive or arrived in a substantially different form than
was promised, if that good was sent by the U.S. Postal Service, or for that matter, FedEx, UPS, or DHL,
or over a wire. See United States v. Sharpe, 438 F.3d 1257, 1259, 1263 (11 th Cir. 2006) (use of FedEx);
United States v. Curry, 461 F.3d 452, 456 (4th Cir. 2006) (use of UPS); United States v. Silvestri, 409
F.3d 1311, 1320 (11 th Cir. 2005) (use of DHL).
240. See Schmuck v. United States., 489 U.S. 705, 710-11 (1989).
241. United States v. Figueroa, 832 F.2d 691, 696-97 (1st Cir. 1987) (citing United States v.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.427

20081 CRACKING THE CODE

2. Spam
The CAN-SPAM Act was signed into law in December 2003.242 Prior
to the passage of the Act, the regulation of spam was left primarily to state
legislatures. States enacted a variety of idiosyncratic measures to stem the
spam problem. 243 However, the sheer volume of spam overwhelmed states'
abilities to regulate. In 2003, the volume of spam was threatening to
overwhelm "not only the average consumer's in-box, but also the network
systems of ISPs, businesses, universities, and other organizations." 244 In
245
response, Congress removed the burden of spam from state legislatures
and passed the CAN-SPAM Act in order to:
(i) prohibit senders of electronic mail (e-mail) for primarily commercial
advertisement or promotional purposes from deceiving intended
recipients or Intemet service providers as to the source or subject matter
of their e-mail messages; (ii) require such e-mail senders to give

LA
recipients an opportunity to decline to receive future commercial e-mail
from them and to honor such requests; ... and (iv) prohibit businesses
IM
from knowingly promoting, or permitting the promotion of, their trade or
business through e-mail
246
transmitted with false or misleading sender or
routing information.
SH

As a result, this law-the first federal statute to address the

increasing volume of unsolicited commercial e-mails--criminalized the use
LU

of spam as a mass marketing tool and broadened the scope of what is

prosecutable. The Act prohibits the intentional sending of spam from a
protected computer without authorization; 247 the use of a protected
PN

24 8
computer to send spam with the intent to deceive recipients of its origin;
H

Contenti, 735 F.2d 628, 631 (1st Cir. 1984)). But see United States v. Smith, 934 F.2d 270, 272-73
(11 th Cir. 1991) (holding that a defendant cannot be convicted based on mailing between insurance
company's offices to approve his payment draft where it was not reasonably foreseeable to defendant
that company would mail draft).
242. CAN-SPAM Act of 2003, 15 U.S.C. §§ 7701-13 (Supp. IV 2004).
243. See Zitter, supra note 89, at 1.
244. CAN-SPAM ACT OF 2003, S. REP. No. 108-102, at 2 (2003), as reprinted in 2004
U.S.C.C.A.N. 2348, 2359. Intemet providers were becoming completely overburdened by the volume
of spam. In 2003 America Online blocked approximately 80 percent of its inbound e-mails as spam,
Microsoft blocked 2.4 billion spam messages per day, and Earthlink reported a 500 percent increase in
spam in the previous eighteen months. Id. at 2-3.
245. The federal law now preempts most state legislation other than those regulating deceptive
practices. See Gordon v. Impulse Mktg. Group, Inc., 375 F. Supp. 2d 1040, 1045-46 (E.D. Wash.
2005).
246. S. REP. No. 108-102, at 1.
247. 15 U.S.C. § 7704(b)(3).
248. Id. § 7704(a)(1)(C).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.428

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

the sending of spain with materially false 250

headings; 249 and the false
representation of origin in a spain message.
The Act defines spain as "any electronic mail message the primary
purpose of which is the commercial advertisement or promotion of a
commercial product or service (including content on an Internet website
operated for a commercial purpose).",25 1 The term "electronic mail 252
message" means, "a message sent to a unique electronic mail address."
An "electronic mail address" is "a destination, commonly expressed as a
string of characters, consisting of a unique user name or mailbox.., and a
reference to an Internet domain ...whether or not displayed, to which an
electronic mail message can be sent or delivered. '253 This definition likely
limits the application of the CAN-SPAM Act to e-mail communications.
Prosecution under this section carries up to a five-year jail sentence, a

LA
fine, or both. 254 The CAN-SPAM Act is often used in conjunction with the
Hobbs Act 255 and the CFAA 256 if the spain crime includes the intent to
extort or to cause damage to a protected computer. SpIM, the new frontier
IM
of spain crimes, is probably not included in the definitions of the CAN-
SPAM Act, and there has been limited success under the CFAA to
SH

257
prosecute this emerging crime.

3. Phishing
LU

There is no specific statute criminalizing phishing. Currently phishing

crimes are charged under a variety of statutes, including the CFAA, the
PN

federal wire fraud statute, the CAN-SPAM Act, and federal trademark
258
law.
H

Phishing is a crime best examined by its component parts. The

249. Id. § 7704(a)(2).

250. Id. § 7704(a)(1).
251. Id. § 7702(2)(A).
252. Id. § 7702(6).
253. Id. § 7702(5).
254. 18 U.S.C. § 1037(b)(l)-(3) (Supp. IV 2004).
255. Hobbs Act, 18 U.S.C. § 1951 (2000).
256. CFAA, 18 U.S.C. § 1030 (2000).
257. See Press Release, U.S. Att'y for the Cent. Dist. of Cal., New York Teen Pleads Guilty to
Making Extortion Threats Against Internet Company (Mar. 22, 2005), available at
http://www.usdoj.gov/criminal/cybercrime/grecoPlea.htm [hereinafter New York Teen Pleads]
(discussing eventual guilty plea by Greco to a violation of the CFAA under § 1030(a)(7), extortionate
hacking).
258. Occasionally phishing crimes are also charged under the Racketeer Influenced and Corrupt
Organizations Act (RICO), 18 U.S.C. §§ 1961-68 (2000), and the access device fraud statute, 18 U.S.C.
§ 1029 (2000).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.429

2008] CRACKING THE CODE

spoofed e-mail that sparks a phishing scam can be prosecuted under the
CAN-SPAM Act. The e-mail, a commercial electronic mail message, "the
primary purpose of which is the commercial advertisement or promotion of
a commercial product or service,"2'59 fits squarely within the definition of
mass mailings prohibited by the act. The overall scheme of fraud that
occurs in inducing unsuspecting users to enter personal information to a
false Web site is generally prosecuted under the federal wire fraud statute,
which prohibits the perpetration of a fraud over the use of wires.2 60 Any
fraud that gives a phisher impermissible access to a protected computer by
stealing a password can also be prosecuted under the CFAA. The copied
Web site or falsified e-mail may be prosecuted under trademark law
prohibiting unlawful infringement on trademarked symbols or other
materials if there is intentional trafficking in that trademark.261
Two phishing cases have recently been charged using a combination

LA
of these statutes. The most recent case involved a sophisticated phishing
scam of spoofed e-mails from America Online's billing department that
IM
prompted users to enter their personal and financial information onto a
phished site.262 The perpetrator was charged and convicted under the CAN-
SH

SPAM Act-the first prosecution under this act-and faced a maximum

101-year jail sentence, although he was later sentenced only to 70
months. 263 A similar scheme, using spoofed e-mails from America Online
and Paypal's billing departments, prompted users to update their billing
LU

information on the threat of cancellation of their accounts. 264 The

perpetrator of this scheme amassed nearly $50,000 from unsuspecting
PN

victims of his phishing scheme.2 65 He was charged and convicted under

two counts of the access device fraud statute and sentenced to four years in
prison for orchestrating a "scheme to defraud consumers of personal
H

'266
financial information via spam e-mail. The disparate charges and
disparity in sentencing perhaps reflects the chaotic nature of phishing

259. 15 U.S.C. § 7702(2)(A) (Supp. IV 2004).

260. 18 U.S.C. § 1343 (2000).
261. See id. § 2320(a).
262. Sharon Gaudin, Phisher Convicted, Faces 101 Years in Prison, INFORMATIONWEEK, Jan. 17,
2007, http://www.informationweek.com/shared/printableArticle.jhtml?articlelD=196901446.
263. See Sharon Gaudin, California Man Gets 6-Year Sentence for Phishing,
INFORMATIONWEEK, June 12, 2007, http://www.informationweek.com/news/internet/showArticle.
jhtml?articlelD= 199903450.
264. Press Release, U.S. Dep't of Justice, Fraudster Sentenced to Nearly Four Years in Prison in
Internet ePhishing Case (May 18, 2004), available at http://www.usdoj.gov/criminal/
cybercrime/hillSenthtm.
265. Id.
266. Id.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.430

 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

prosecutions demanded by the absence of a specialized statute for phishing

schemes.
States have also taken an active role in addressing phishing crimes. In
January 2005, Virginia added phishing to its Computer Crimes Act,
categorizing the use of a computer to obtain personal information "through
the use of material artifice, trickery or deception" as a felony. 267 New
Mexico and New York have enacted similar statutes. 26 8 Washington has
criminalized even attempted phishing.269 In California, the Anti-Phishing
Act of 2005 makes it "unlawful for any person, by means of a Web page,
electronic mail message, or otherwise through use of the Internet, to solicit,
request, or take any action to induce another person to provide identifying
information by representing itself to be a business without the authority or
approval of the business." 270 However, the California statue does not create
a criminal provision for phishing.

LA
IV. ARE THERE ANY GAPS?
IM
Given the changing nature of the Internet and cyber crime, it seems
reasonable to test whether the existing statutory framework of the U.S.
SH

Code provides adequate prosecutorial tools. There appear to be certain

areas of the Code that contain "gaps" in coverage, allowing cyber crimes to
evolve beyond the applicability of the statutes. Specifically, this Note
LU

identifies three important gaps in the existing criminal code: the difficulty
of meeting the $5000 minimum requirement of 18 U.S.C. § 1030 (a)(5), the
PN

definitional element that limits the CAN-SPAM Act's applicability to

spIM, and the lack of a specialized phishing statute. Each gap will be
examined in turn.
H

267. Va. Code Ann. § 18.2-152.5:1 (West 2005). See AOL Sues Over Identity Thefts, Uses New
Law, REUTERS, Feb. 27, 2006, http://today.reuters.com/news/articlebusiness.aspx?type-telecomm
&storylD N27331008&from=business; Larry Greenemeier, States Tell Phishers to Cut Bait or Else,
INFORMATIONWEEK, Apr. 13, 2005, http://www.informationweek.com/news/management/
=
showArticle.jhtml?articlelD 160702186.
268. See N.M. Stat. Ann. § 30-16-24.1 (West 2005); Assemb. 8025-B, 2005 Assemb., Reg.
Session (N.Y. 2005). See also Press Release, N.Y. State Senate Republican Campaign Comm., Senate
Passes Four Identity Theft Bills (June 21, 2005), available at http://www.nysenategop.com/
Committee/News/NewsStory.asp?t=co&id=7.
269. Washington criminalizes both the sending of spoofed e-mails and the creation of fraudulent
Web sites, even lacking consumer fraud by either action. See Wash. Rev. Code Ann. §§ 19.190.010-
19.190.110 (West 2005).
270. Anti-Phishing Act of 2005, Cal. Bus. & Prof. Code §§ 22948-48.3 (West). See also Press
Release, Cal. Dep't of Consumer Affairs, New Laws Will Help Protect Against Identity Theft (Oct. 7,
2005), available at http://www.dca.ca.gov/publications/pressreleases/2005/1007_idtheft.shtml.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.431

2008] CRACKING THE CODE

A. 18 U.S.C. § 1030 (a)(5)

The existence of the $5000 damages threshold in 18 U.S.C. §

1030(a)(5) creates a gap that allows some hacking crimes to continue
unchecked. Prosecutors must allege damages of over $5000 as a
jurisdictional. matter and as an element of the crime in order to invoke
§ 1030(a)(5). This section, along with § 1030(a)(4), is the primary tool used
in the prosecution of hacking crimes against personal and business
computers, yet § 1030(a)(5) is also the only section of the CFAA that
contains a minimum loss threshold.2 71 By contrast, hacking crimes against
government computers require no minimum loss, 272 and threats to hack into
a protected computer, while requiring the intent to extort something 273
of
value, do not require any monetary threshold to prosecute the crime.
The $5000 threshold requirement to prosecute hacking is unique when

LA
compared to analogous crimes in the physical world. Hacking, at its root, is
theft and destruction. Similar crimes such as the sale and transportation of
stolen vehicles, 274 the sale and transportation of livestock,2 75 and the crime
IM
of counterfeiting labels, 276 do not require any monetary threshold in
damages to allege the crime. 277 Indeed, Wesley L. Hsu, Assistant U.S.
SH

Attorney, Deputy Chief of the Cyber and Intellectual Property Crimes

Section in Los Angeles, believes the $5000 threshold requirement of the
CFAA is the only crime with an element defined by278the victim's response
LU

after the completion of the defendant's criminal acts.

The lack of a monetary threshold in certain computer and physical
PN

crime statutes makes the crimes easier to prosecute and broadens the scope
of the statutes. As computers spread and cyber crime evolves, society is
confronted by many hacking crimes that fall within the stated congressional
H

intent to protect individuals "from harm caused by the improper disclosure

271. Section 1030(a)(4) requires the hacked object have value of over $5000, which is much
easier to allege and define than the requirement for "loss." 18 U.S.C. § 1030(a)(4) (2000).
272. Id. § 1030(a)(l)-(2).
273. Id. § 1030(a)(7).
274. Id.§§ 2312-13.
275. Id. §§ 2316-17.
276. Id. § 2318.
277. This is not to overstate the case. Some physical crime statutes do require a monetary
threshold. For example, 18 U.S.C. § 2314, which criminalizes the transportation of stolen goods,
securities, moneys, fraudulent State tax stamps, or articles used in counterfeiting, requires that the
goods transported amount to more than S5000. Id.
278. Interview with Wesley L. Hsu, U.S. Att'y, Deputy Chief of the Cyber and Intellectual Prop.
Crimes Section, in L.A., Cal. (Mar. 20. 2007) (on file with author). For this Note, Hsu expressed his
personal opinions. Hsu's personal opinions do not reflect the opinions of the United States Attorney's
Office or the Department of Justice.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.432

 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

or use of personal information,"279 yet arguably are outside the scope of the
CFAA due to the $5000 threshold. For example, illegal access by computer
to medical records from a hospital or an executive's work produced in a
sensitive merger negotiation would likely not meet the required monetary
threshold since the viewing of sensitive information does not necessarily
cause tangible damages. However, notwithstanding the inability to
demonstrate immediate economic loss, it is clear that unauthorized access
to such confidential information is damaging and can cause immediate and
long-term damage in terms of security, emotional well-being, and
reputation.
Various changes in the CFAA since its original enactment seem to
reflect congressional recognition of the scope of the crime extending
beyond what was initially envisioned in the mid-1980s. It is important to
note that in the early 1980s, when the CFAA was first enacted, the federal

LA
government used twice the number of computers the public used.2 80 As a
result, most hacking crimes occurred on government computers, as those
IM
were the largest group and the ones most vulnerable to attack. It made
sense then that crimes against government computers were the main2 81
target
SH

of the act, and no threshold damages were required to prosecute.

The number of personal computers now far exceeds the computers
employed in government service. As a result, Congress has shifted the
LU

focus of the CFAA away from the exclusive protection of government

computers. For example, in 1996, Congress replaced the phrase "federal
interest computer" to "protected computer" to broaden the group of
PN

computers protected by the act. 28 2 Congress has also shifted away from the
technical concept of unauthorized access to a computer system to a focus
H

on the defendant's harmful intent. 283 It appears that in these actions

Congress has recognized the substantial threat, both tangible and
intangible, posed to private and business computers by cyber criminals.

279. Privacy and the National Information Infrastructure: Principles for Providing and Using
Personal Information, 60 Fed. Reg. 4362-01, 4363 (Jan. 20, 1995) [hereinafter Privacy and National
Information].
280. See CFAA, S. REP. No. 99-432, at 2 (1986), reprintedin 1986 U.S.C.C.A.N. 2479, 2479; 132
CONG. REC. H3277 (daily ed. June 3, 1986) (statement of Rep. Nelson). See also Exec. Order No.
12845, 58 Fed. Reg. 21887 (Apr. 21, 1993) ("[The Federal Government is the largest purchaser of
computer equipment in the world.").
281. In 1994, as hacking crimes were increasing in frequency, Congress reduced the threshold
damages requirement for hacks against government computers. See Violent Crime Control and Law
Enforcement Act of 1994, Pub. L. No. 103-322, § 929001(6), 108 Stat. 1796, 2097-98.
282. Economic Espionage Act of 1996, Pub. L. No. 104-294, § 201(4)(A)(i), 110 Stat. 3488,
34993 (codified as amended at 18 U.S.C. § 1831-39 (2000)).
283. See 139 CONG. REc. S16421-03 (daily ed. Nov. 19, 1993).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.433

2008] CRACKING THE CODE

However, Congress has yet to address the vestigial $5000 threshold

that hinders the prosecution of many hacking crimes. This is problematic
on both a pragmatic and theoretical level. The damages threshold is the
most difficult element to prove beyond a reasonable doubt and the easiest
element to defend against.284 It is inherently difficult to calculate the cost of
a cyber attack given both the murky parameters of the definition of "loss,"
and the inherent difficulty for an attacked organization to know the scope
and extent of an attack at the time of the attack. Later in court, defendants
can pick apart measures taken at the time to cast doubt as to whether the
threshold is met and can suggest that a victim's panic at the time of the
attack implies overspending on remedial measures. Since jurors are
generally not as familiar with computer security and the costs of remedying
and preventing cyber attacks as they are with physical security, they are not
adequately prepared to assess damages in the wake of a cyber attack.

LA
Consequently, the $5000 minimum threshold creates an unreasonably high
barrier to successful federal prosecution.
IM
In effect, Congress has created a dual-threshold test for federal
jurisdiction: in order to prosecute, a hacking crime must meet the
SH

requirement of $5000 in loss or it must reach a special government interest.

For example, if information was viewed and no physical damages wrought
by criminal hacking into U.S. military records,285 NASA computers,2 86 and
private tax return data stored on IRS computers, 287 these hacks would not
LU

fall within the scope of the CFAA if measured only by the loss threshold.
However, as measured by access to a protected computer of federal
PN

interest, hacking into these sources falls within the scope of the CFAA.
This dual threshold creates a wide gap for hacks that meet neither
threshold, but still fall within the area Congress intended to protect by the
H

act.

B. SPIM

The CAN-SPAM Act is the first federal step taken to address the
increasing volume of spain beleaguering e-mail users, yet its application is

284. See Freeh, supra note 21. For a discussion on the difficulties of proving loss see infra Part
V.A.
285. See, e.g., Teens Tapped Computers of U.S. Military, CHI. TRIB., Nov. 21,1991, at C3.
286. See, e.g., Press Release, U.S. Attorney's Office for the Cent. Dist. of Cal., Romanian
Charged with Hacking into Government Computers, Causing Nearly $1.5 Million in Losses (Nov. 30,
2006), available at http://oig.nasa.gov/press/pr2007-C.pdf.
287. See Robert D. Hershey, Jr., I.R.S. Staff is Cited in Snoopings, N.Y. TIMES, July 19, 1994, at

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.434

1000 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

limited. As the nature of communication over the Internet evolves and

moves toward the instantaneous conversational ability of instant
messaging, 288 a possible gap in the statutory coverage appears: the CAN-
SPAM Act probably does not apply to splM.
The Act defines prohibited spam as "any electronic mail message"
with a commercial purpose. 289 An electronic mail message is in turn "a
message sent to a unique electronic mail address" '290 which refers to an
Internet domain name to which e-mail messages can be sent or delivered.2 9'
The definition of spam in this Act likely limits its coverage to e-mail
communications, precluding other spam-like media such as instant
messaging which do not have domain names associated with the messaging
address.
SpIM is a rapidly growing problem. Experts warn that spIM is

LA
growing at three times the rate of spam. 292 In many ways, it is also more
dangerous, as enticing a user to click on a link embedded in an IM is often
easier than it is via e-mail. 293 Despite its dangers, the use of spIM is
IM
difficult to prosecute under the current statutory provisions. The first
prosecution for spIM began in February 2005.294 According to the criminal
SH

complaint, Anthony Greco, an eighteen-year-old New Yorker, created

thousands of accounts on the Internet messaging service MySpace.com and
used the accounts to send over 1.5 million spam messages to unsuspecting
LU

MySpace users. 29 5 Greco then threatened to share his methods for

spamming if MySpace did not assign him an exclusive marketing deal that
PN

would legitimize the messages he sent over the service. 296 Although he was
charged under the CAN-SPAM Act, Greco pled guilty to a violation of the
CFAA, § 1030(a)(7), extortionate hacking. 297 A case under the CAN-
H

SPAM Act would undoubtedly be difficult; by its defining terms, the CAN-
298
SPAM Act requires a criminal act of spam be sent to a domain name.

288. See Biever, supra note 94.

289. 15 U.S.C. § 7702(2)(A) (Supp. IV 2004).
290. Id. § 7702(6).
291. Id. § 7702(5).
292. See Biever, supra note 94.
293. Id.
294. See Press Release, U.S. Attorney for the Cent. Dist. of Cal., New York Spammer Arrested for
Making Threats Against Internet Messaging Company and Sending More Than 1.5 Million Spam
Messages (Feb. 17, 2005), available at http://www.usdoj.gov/criminal/cybercrime/grecoArrest.htm
[hereinafter New York Spammer Arrested].
295. Id.
296. Id.
297. See New York Teen Pleads, supra note 257; Sturgeon, supra note 101.
298. 15 U.S.C. § 7704(a)(1)(A) (Supp. IV 2004).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.435

2008] CRACKING THE CODE

MySpace and other messaging services, such as America Online's AIM

and Microsoft's MSN Messenger, do not link a domain name to their
instant messaging services. And although the sentence was sealed, 299 Greco
most likely served significantly less time, if any at all, under his plea
bargain to extortionate threats. All three of the offenses he was charged
with-violation of CAN-SPAM Act, extortionate threats, and damaging a
protected computer-carried a maximum possible penalty of eighteen years
300
in federal prison.
The Greco case is unlikely to be the last prosecution for splM on the
Internet. Indeed, prosecutors in the case warn this is just the "tip of the
iceberg. This could be a new wave as online communities start up." 30 1 The
gap in the CAN-SPAM Act that limits its applicability to e-mail messaging
only is certain to become a problem as the rate of splM increases over the

LA
coming years.

C. PHISHING
IM
Each act of phishing involves two separate victims: the targeted user
SH

who responds to a phish, and the company whose identity and Web sites
are "spoofed" to create the phish.3 °2 Generally, prosecutors are able to use
the CFAA, the Racketeer Influenced and Corrupt Organizations Act
("RICO"), 303 the federal wire and mail fraud statutes, 3 4 the access device
LU

fraud statute, 30 5 and the CAN-SPAM Act, among others, to prosecute most
elements of a phishing scheme affecting an unsuspecting user. Indeed,
PN

identity theft, fraud, and hacking against the user are well-established
precedent in the cyber crime lexicon. However, existing statutes are not
necessarily applicable to all aspects of the phishing scheme.
H

In particular, prosecutors have difficulty applying existing statutes to

the spoofing of a Web site. In a phishing scheme, an e-mail or Web site is
created to look similar to or the same as that of a real business or source.
Since these creations are done without any access to another computer, the
copying cannot be prosecuted as a "hack" as defined by the CFAA.30 6 Even

299. Spanmer Gets Likely Prison Sentence, FoxNEWS.COM, Oct. 18, 2005,
http://www.foxnews.con/story/0,2933,172629,00.html.
300. See New York Spammer, supra note 294.
301. Sturgeon, supra note 101 (quoting Asst. U.S. Att'y Brian Hoffstadt).
302. See Stevenson, supranote 112, at 3.
303. See 18 U.S.C. §§ 1961-68 (2000).
304. Id.§§ 1341, 1343.
305. Id.§ 1029.
306. There is no definition of"access" provided by the CFAA. In 1977, Senator Ribicoff proposed
an important and visionary bill, the Federal Computer Systems Protection Act, which never got out of

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.436

1002 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

if a spoof of a Web site could be considered "access," the difficulty of

proving tangible damages as a result of the copying would terminally
impair the crime's ability to meet the monetary threshold of the CFAA.3 °7
A prosecution under the federal wire or mail statutes may work but is not a
perfect fit. These statutes presume the existence of an identifiable piece of
property;3" 8 in the case of a spoofed Web site, "identifying a property
interest and then concluding that it was taken can require considerable
creativity." 30 9 A spoofed Web site or e-mail is not an access device, and the
access device fraud statute criminalizes the use of the fruits of the hack, not
the hack itself,310 and would therefore not be applicable. If an e-mail or
spoofed Web site copies and traffics in a trademarked symbol, the phisher
could be prosecuted under federal trademark law, which criminalizes the
intentional trafficking of counterfeit goods or services; 3 11 however, this is
an odd fit to suggest a spoof of a Web site is an "attempt" to offer the

LA
victim services. Lastly, while the e-mail promulgating the link to the Web
site is spain within the technical definition, the spoofed Web site is not.3 12
IM
Because no specialized phishing statute exists, the crime of spoofing a
Web site has been difficult to prosecute. The spoofed company that loses
SH

consumer confidence and perhaps real profits is often left without a legal
redress; the cyber criminal who spoofed its Web site is often beyond the
reach of prosecutors.
LU

committee. PENDER M. MCCARTER, AM. FEDERATION OF INFO. PROCESSING SOc'Y, AFIPS

WASHINGTON REPORT 7 (1977). In the bill he defined "access" as means "to approach, instruct,
PN

communicate with, store data in, retrieve data from, or otherwise make use of any resources of, a
computer, computer system, or computer network." Id. Without more current federal guidance courts
have taken many approaches to define the term. Some courts look to a physical definition, suggesting a
user "accesses" a computer when the user sends a command to that computer instructing it to complete
H

a task. See United States v. Morris, 928 F.2d 504, 510-11 (2d Cir. 1991). Other courts rely on virtual
standard, such that access occurs when a user makes a virtual entrance onto a computer, such as by
using a password. See Trulock v. Freeh, 275 F.3d 391, 409 (4th Cir. 2001). None of these definitions
would include the copying of a webpage or e-mail as prohibited access.
307. 18 U.S.C. § 1030(a)(5)(B)(i) (2000).
308. Id. §§ 1341, 1343.
309. Orin S. Kerr, Cybercrime's Scope: Interpreting "Access" and "Authorization " in Computer
Misuse Statutes, 78 N.Y.U. L. REv. 1596, 1610 (2003). The difficulty in proving harm is also
troublesome to an argument under these statutes; even if a property interest were found, it would be
difficult to demonstrate how a spoof actually deprives the rightful owner of that property: thus,
courts tended to reach results-oriented outcomes. When computer misuse caused harm to a
victim in some way, courts generally concluded that property had in fact been taken and held
the defendants liable. When no appreciable harm resulted, courts tended to find that no
property was taken and hold that the defendants had committed no crime.
Id. at 1611.
310. 18 U.S.C. § 1029 (2000).
311. Id. § 2320.
312. Seeid. § 1037 (Supp. IV2004).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.437

2008] CRACKING THE CODE 1003

V. WHAT SHOULD BE DONE?

Although it is clear that some gaps exist in the federal criminal laws
against cyber crime, it is less clear what remedial measures, if any, should
be taken. It is first necessary that reconciliation be made between the
benefits to be achieved by closing such gaps and the administrative and
procedural costs potentially to be incurred.
Any suggestion to expand federal jurisdiction by extending the scope
of criminalized acts automatically prompts fears of an overreaching federal
government. These sorts of fears are not unique. In the mid-1990s,
Congress's expansion of federal criminal jurisdiction to violent street
crimes prompted a similar federalization debate. 3 13 Critics foresaw the
expansion of federal criminal legislation to entail "dire consequences for
federalism and for the federal criminal justice system," 31 4 fearing that the

LA
expansion of jurisdiction would flood federal courts, impeding their ability
to function. 315 Scholars worried that decisionmaking would be shifted away
IM
from the most "directly accountable levels of government" and that
prosecutors, emboldened by the new federal authority, would charge and
31 6
pursue every case no matter how minor.
SH

This fear has not disappeared in the decade since the last major debate
over the expansion of the federal government's role in the prosecution of
LU

crime. However, a number of things have changed since the mid-1990s.

First, a broad and expansive reading of the Commerce Clause has
substantially expanded federal criminal jurisdiction. In 1995, the Supreme
PN

Court found the Commerce Clause to delegate three broad categories of

activities for Congress to regulate: the use of the "channels of interstate
H

commerce," "the instrumentalities of interstate commerce," and "those

activities that substantially affect interstate commerce."3'17 Much of the
expanded federal criminal jurisdiction has derived from the statement that a
"federal cause of action is in pursuance of Congress's power to regulate
interstate commerce." 318 Correspondingly, the regulation of cyber crime
falls within Congress's constitutional power. Because of the inherently
interstate, and indeed global, nature of the medium, Congress's ability to

313. Harry Litman & Mark D. Greenberg, Dual Prosecutions:A Model for Concurrent Federal
Jurisdiction,543 ANNALS AM. ACAD. OF POL. & Soc. So., 72, 73 (1996).
314. Id. at 74.
315. See Sanford H. Kadish, Comment, The Folly of Overfederalization,46 HASTINGS L.J. 1247,
1249 (1995).
316. Litman & Greenberg, supra note 313, at 74.
317. United States v. Lopez, 514 U.S. 549, 558-59 (1995).
318. United States v. Morrison, 529 U.S. 598, 613 (2000).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.438

1004 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

regulate criminal activity on the Internet falls within the jurisdiction under
both the channels and instrumentality prongs of the United States v. Lopez
jurisdictional query.3 19
Second, the world has changed; computers are now present in two-
thirds of American houses, and nearly 100 percent of Americans between
the ages of twelve and eighteen use the Internet on a daily basis. 32 ° As the
reach of the Internet has expanded to all corners of the country, and indeed
the world, a practical analysis suggests that federal jurisdiction over cyber
crime is the most effective and efficient approach.
Prosecution of cyber crime requires detailed technical knowledge and
understanding of computing and networked technologies, in addition to a
mastery of the complexities of cyber law. The federal government has
already introduced mechanisms for the investigation and prosecution of

LA
cyber crime. For example, in the San Francisco area, which is home to
many technology companies, the U.S. Attorney's office established a unit
IM
exclusively to prosecute computer and intellectual property crimes. Robert
Mueller (as the former U.S. Attorney for the Northern District of
SH

California) saw "a necessity to staff that unit with individuals who were
both talented prosecutors and who understood and could work with the
technology ...[with] computer crimes cases, or hacking and denial of
service cases, or the intellectual property cases .... ,,321 The federal
LU

government has made it a priority to hire specialists, engineers, and

scientists, who have a "bedrock experience so that they start with a
PN

profound understanding of the computer world. 322 The FBI has established
regional computer forensics labs in several cities so that the "interchange of
ideas" can occur between these FBI initiatives and other branches of
H

federal and state government enabling federal prosecutors "to go into a

323
court room and testify with expertise and credibility."
The federal government has also taken steps to improve its ability to
track and fight cyber crimes on a global scale in recognition of the
Internet's capacity to weave communications through service providers in
different states or countries. 324 Crimes committed remotely from anywhere

319. See James K. Robinson, Remarks at the Internet Computer Crime Conf.: Internet as the
Scene of the Crime (May 29-31, 2000) (transcript available at
http://www.cybercrime.gov/roboslo.htm). Arguably, although more attenuated, the use of the Internet is
an activity "that substantially affects interstate commerce." Morrison,529 U.S. at 609.
320. Levy, supra note 13.
321. Mueller, supra note 24.
322. Id.
323. Id.
324. Robinson, supra note 319. Modem cyber crimes are not simple point A to point B

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.439

2008] CRACKING THE CODE 1005

in the world can end up on American computers.3 25 As a result, even

crimes that seem local in nature might require international assistance and
cooperation. This demands federal involvement. To this end, the FBI has
created Cyber Action Teams, groups of approximately twenty-five people
including agents, computer forensic experts and specialists in computer
code, to tackle computer crime issues, 326 and has deployed them in fifty-six
offices around the world, including Iraq and China, to deal with computer
732
intrusions.
Certainly, some states also have created powerful cyber crime task
force units. For example, the California High Technology Crimes Task
Force, comprised of prior existing state-funded regional task forces, is "big
enough and sophisticated enough to undertake the necessary enforcement
measures: long-term surveillance and intelligence gathering, especially on

LA
organized criminal groups; undercover purchases; use of confidential
informants; reverse stings; storefront operations; and other techniques
suited to preventing crime, not just reacting to it."' 32 8 California is perhaps a
IM
unique case due to the concentration of high-tech and information
technology companies in the state; 329 most states have not devoted the
SH

same amount of resources to cyber crime prevention. 330 Whereas the

transactions; even if one computer infects another computer from twenty feet away, the infection could
LU

be routed through providers in New York, Marrakesh, and Rome before accessing the victim's
computer. See id.
325. This includes almost every type of computer related crime, from "violent crime, terrorism,
PN

and drug-trafficking, to the distribution of child pornography and stolen intellectual property, and
attacks on e-commerce merchants." Id.
326. Bryan-Low, supra note 16.
327. Id.
H

328. OHLHAUSEN RESEARCH, INC., CAL. HIGH TECH TASK FORCE COMM., COMBATING HIGH-
TECH CRIME IN CALIFORNIA: THE TASK FORCE APPROACH 19 (1997) [hereinafter HIGH TECH TASK
FORCE].
329. It is important to note that,
[t]he high-technology industry is a vital part of California's economy, employing some
three-quarters of a million Californians ....
The industry produces over half of the state's
total export sales, and its electronics sector alone employs more Californians than any other
manufacturing sector in the state.
But high tech is under serious attack.
HIGH TECH TASK FORCE, supra note 328, at iii.
330. Only fifteen states were up to federal standards by 2003. LEE M. ZEICHNER & ROBERT
ALMOSD, STATE IMPLEMENTATION OF FEDERAL CYBER-SECURITY REQUIREMENTS 4 (2003). However,
some states have taken sizeable steps. North Carolina directed $15.2 million from its reserve savings
account to combat cyber crimes. See Press Release, N.C. Crime Control & Pub. Safety, North
Carolina's Terrorism Preparations Well Underway as One-year Anniversay Approaches (Sept. 9, 2002),
available at http://www.nccrimecontrol.org/newsrels/em/2002/terrorismpreparations.htm. And
Louisiana hired defense contractors to install programs protecting computers in all of its critical state
agencies. See John McMillan, State Has More Tools for Terrorism Response, ADVOCATE (Baton
Rouge, La.), Sept. 7, 2002.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.440

1006 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

federal infrastructure and training mechanisms are already in place, the

costs of improvements in technology and training necessary to upgrade
states' cyber prosecution abilities would be quite high. As a result, a federal
approach is the most efficient, and likely the most effective, approach to
cyber crime regulation.
Both constitutionally and pragmatically, the regulation of cyber crimes
is best left to federal legislators and law enforcement. This Note now looks
to three specific remedies that Congress should undertake to update the
criminal code against the evolving cyber threat.

A. 18 U.S.C. § 1030

It is first important to understand the history of the CFAA before

considering steps to reduce or eliminate the $5000 threshold. Similar to a

LA
divergity-lawsuit threshold, the monetary minimum in the CFAA was
imposed so as to include only "serious" violations in the realm of
IM
prosecutorial fodder, which is consistent with Congress's general intent to
331
limit federal jurisdiction to "cases of substantial computer crimes."
SH

Senator Laxalt, one of the CFAA's sponsors, explained that the monetary
threshold was meant, "first, to distinguish between alterations that should
fairly be treated as misdemeanors and those that should be felonies; and
second, to limit federal jurisdiction to the felonious alterations. Setting a
LU

332
specific loss value is one way to achieve this end.,
However, just as the courts face an awkward problem applying the
PN

amount-in-controversy requirement for diversity jurisdiction, especially in

cases involving intangible damages such as emotional distress or loss of
H

goodwill, the monetary threshold of the CFAA causes a real and substantial
problem due to the difficulties of pleading $5000 in damages. Prosecutors
are fond of using the example of a jimmied lock. If a burglar picks the lock
to. a back door and breaks into a house, it is clear that the minimal cost of
replacing the lock is incidental to the burglary and necessary to remedy the
damages caused. But, what if the owner of the house replaced the lock with
a $200 deadbolt? What if the owner replaces the lock with a high-tech
alarm system for $10,000? The parameters of loss caused by the burglary
are unclear in this situation.

331. In re DoubleClick Inc. Privacy Litig., 154 F. Supp 2d 497, 522 (S.D.N.Y. 2001).
332. 132 CONG, REc. S4072 (daily ed. Apr. 10, 1986) (statement of Sen. Laxalt). See 132 CONG.
REC. S14453-02 (daily ed. Oct. 1, 1986) (statement of Sen. Tribble) ("This bill will assert Federal
jurisdiction over computer crimes only in those cases in which there is a compelling Federal interest.
This reflects my belief and the Judiciary Committee's belief that the States can and should handle most
such crimes, and that Federal jurisdiction in this area should be asserted narrowly.").

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.441

2008] CRACKING THE CODE 1007

The same is true for cyber crimes. Cyber attacks do not usually leave
detailed tracks and specific markers or instructions about how to remedy
problems. Victims of a cyber attack-businesses or individuals-must
assume the worst-case scenario to ascertain the nature of the damage
potentially suffered, including theft of information, corruption of databases
and operating systems, and creation of worms and trapdoors to facilitate
future attacks. Often this requires restoring an environment to a prior
period and then undertaking a painstaking process of testing and
experimentation to determine the nature of the attack and the damage it
caused. Unlike repairing the physical damage from a jimmied lock,
restoration of the integrity of a computing and networking environment
often requires tedious incremental steps of trial and error. This can lead to
high failure rates and huge bills until confidence in the remedy is achieved.
Costs of this process include both the direct costs of time and services

LA
required to restore the environment and the indirect costs imposed upon the
users who must change their day-to-day routines to prevent future attacks.
IM
Under the current statutory scheme, a judge or jury is forced to piece
together a complex set of steps to determine how much of the represented
SH

remedial costs should count toward the loss threshold. Courts have
determined that the monetary loss for system destruction, as well as
expenses related to restoring data, and creating a better, more secure
system, are consistent with the threshold requirement. 333 However, it is
LU

unclear what that includes. A jury is left to decide whether the "expenses
relating to creating a better.., system" are reasonable; 334 for example,
PN

whether loss should include a basic patch and repair job or whether
protection for the system against future attacks with expensive firewalls
should be included in the loss threshold. Juries are not as familiar with the
H

workings and costs of computer and Internet security procedures as they

are with locks and alarm systems, making it especially difficult for them to
assess accurately the legitimacy of postattack measures. According to
prosecutors, "whereas professionals in the field understand that emergency
computer services will cost hundreds of dollars per hour, to a common
juror that rate 'may' seem absurd. Defendants can exploit jurors'
inexperience with this sort of crime to attack the 'reasonableness' of the
335
services rendered.,

333. See United States v. Middleton, 231 F.3d 1207, 1212 (9th Cir. 2000).
334. See id. at 1213 (denying defendant's request of an instruction stating that "[d]amage does not
include expenses relating to creating a better or making a more secure system").
335. Interview with Wesley L. Hsu, supra note 278. This problem is particularly acute where
services are rendered by inhouse employees; "defendants can suggest that in these cases the business
does not actually experience any loss because the employees would receive a salary whether or not an

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.442

1008 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

The problem is compounded by the fact that it is almost impossible to

have accurate records of the true total costs of a cyber attack, since it will
often involve both direct and indirect costs. First, it is a great challenge for
a victim to reconstruct the events following an attack to create a precise
cost analysis. If a business is attacked, it will work as quickly as it can to
restore the integrity of its information lest it lose valuable profits or risk its
relationships with customers, employees, vendors, lenders, and
shareholders. As anyone who has ever struggled with a computer problem
knows, it is hard, after all is said and done, to reconstruct which keystroke
or series of keystrokes, ultimately fixed the problem. Second, the actual
costs-measured in time sheets, programming, invoices, and the like-are
generally tabulated after the event. It is easy for defendants to point to this
unfortunate reality to engage in a lively session of "Monday morning
quarterbacking." It is very easy to say, after the exigency of the attack has

LA
passed, that certain measures were unreasonable.
The gap created by the damages threshold presents a dangerous
IM
loophole for the future of cyber-crime prosecution. In a substantial
proportion of hacking crimes, the criminally culpable conduct is conceded,
SH

but the damages are contested. The prevalence of this situation is likely to
grow in the coming years as information becomes more accessible over the
Internet. Criminal law relies on the deterrence effect of its statutory
provisions; elimination of the $5000 threshold would substantially improve
LU

the deterrent effect and thereby close the gap it unintentionally created.33 6
The difficulties in proving the loss threshold and the systematic
PN

inequity in proving back up the costs associated with an attack suggest that
the $5000 minimum threshold should be eliminated altogether. Although a
H

lower threshold would lower the pleading burden, any sort of statutory
definition-be it $5000, $50, or $500,000--diminishes the impact of the
actual criminal conduct. It is important to keep in mind that,
[t]he risk of harm to individuals or to the public safety posed by breaking
into numerous systems and obtaining root access, with the ability to
destroy the confidentiality or accuracy of crucial-perhaps lifesaving
information-is very real and very serious even if provable monetary
damages never approach the $5,000 mark.337
Indeed, the monetary threshold has "nothing to do with the mens rea or
actus reus of the crime." 338 It thus seems valid to question "why it should

attack occurs." Id.

336. See Yang & Hoffstadt, supra note 14, at 213.
337. Freeh, supra note 21.
338. Interview with Wesley L. Hsu, supra note 278.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.443

2008] CRACKING THE CODE 1009

matter how the victim responded" when a defendant committed the

crime. 339 Elimination of the threshold would not render the statute
overbroad, as the protections built in to the CFAA and the dual threshold
test implicit in the Act would still limit prosecution to only the "serious"
cases.
In the creation of the CFAA, Congress appreciated the delicate
balance between efficient prosecutions and the need to protect privacy and
property rights.340 As a result, Congress built certain protections against
federal prosecution into the CFAA. For example, in order to fall within the
scope of the statute, a user must access a computer either without
authorization or in excess of authorization; 34 1 a user with authorization to
use a computer, even if he causes damage, cannot be prosecuted under this
Act. Moreover, a user must not merely access computers and view data, but
must actually do something with the data; 342 mere onlookers for curiosity's

LA
sake cannot be prosecuted.343 Additionally, courts have carved out an
exception for a "permissible purpose"; even if a user, without
IM
authorization, accesses data and causes damage, if there is a permissible
purpose there can be no prosecution under the CFAA.344 On a pragmatic
SH

339. Id.
340. The question of how much control is appropriate has dominated debate since the passage of
the 1984 Act. Representative William Nelson postured that the conflict between the need for legislation
LU

and the need for protection of rights posed by the introduction of computers in broad society was
analogous to the conflicts posed by gun legislation; "[c]omputers may not commit crimes," he stated,
any more than guns commit crimes. But we have to be realistic-there are people who will
commit crimes with guns if they are readily available, and there are people who will commit
PN

crimes with computers as they become ubiquitous in our society. ...[We cannot] address the
problem of crime by banning either.
132 CONG. REC. H3277 (daily ed. June 3, 1986) (statement of Rep. Nelson). And with great foresight
H

he added "Americans may not now be as attached to their computers as they are to their guns, but I
suspect they will be inseparable before too long." Id.
341. See Int'l Ass'n of Machinists & Aerospace Workers v. Wemer-Masuda, 390 F. Supp. 2d 479,
495 (D. Md. 2005).
342. See 18 U.S.C. § 1030(a)(4) (2000); United States v. Ivanov, 175 F. Supp. 2d 367, 371 (D.
Conn. 2001).
343. See United States v. Czubinski, 106 F.3d 1069, 1076-77 (1st Cir. 1997) (stating that although
IRS employee unquestionably exceeded authorization while browsing a confidential taxpayer file,
because he did not obtain anything of value or use the information in any way, his conviction forwire
fraud and computer fraud was reversed). However, the value of the precedent of this case is slight
because the holding centers mostly around wire fraud. See P.C. Yonkers, Inc. v. Celebrations the Party
& Seasonal Superstore, LLC, 428 F.3d 504, 508-09 (3d Cir. 2005) (holding that former employees
accessing employers' computer system is not illegal absent any evidence of what was viewed or taken).
344. See 18 U.SC. § 1030(a)(2)(A); LeBlanc v. Allstate Ins. Co., No. Civ.A. 99-2724, 2000 WL
825683 (E.D. La. June 22, 2000) (holding that an insurance company is not prohibited from obtaining
credit reports on its insurees in connection with insurance claims investigations); Edge v. Prof'I Claims
Bureau Inc., 64 F. Supp. 2d 115, 118 (E.D.N.Y. 1999) (holding a debt collection agency did not violate
the CFAA when accessing a debt guarantor's credit report on a computer because it was for a

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.444

1010 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

level, "Hsu believes that the elimination of the threshold would not result in
prosecutions where no true federal interest lies because prosecutors must
exercise daily discretion regarding the use of investigative and
prosecutorial resources." 345 Consequently, strong protections against
overeager prosecutors would still exist even absent the $5000 minimum
threshold.
Congress intended that the CFAA would protect individuals "from
346
harm caused by the improper disclosure or use of personal information."
It created essentially two thresholds for federal prosecution to this end: the
$5000 minimum and the special federal interest. Eliminating the $5000
minimum is consistent with this rubric. Within a modem interpretation of
the Commerce Clause, all Internet crime involves a channel of interstate
commerce; this in itself is a special federal interest. 347 Therefore, the
Commerce Clause provides that federal jurisdiction should be triggered by

LA
the inherently interstate nature of the act without the need to rely on a
monetary threshold. Federal prosecution under the power of the Commerce
IM
Clause demands there be a federal interest at stake; protection of the safety
and security of the Internet is certainly in the federal interest.
SH

The $5000 threshold is overly burdensome to that end. When dealing

with information, the litmus test for federal jurisdiction of monetary
amount does not accurately distinguish important from unimportant
LU

information, 348 and therefore renders the statute fatally underinclusive. In

the same way, Congress has amended and created statutory provisions to
adapt to changes in the cyber environment in the past,349 Congress should
PN

remedy the flaw in the cyber criminal code by eliminating the $5000
threshold requirement.
H

Elimination of the threshold minimum would also provide a single

point of reference to prosecutors, 350 which in turn, would give better
understanding of the scope of the problem. Congress intended the CFAA to

"permissible purpose").
345. Interview with Wesley L. Hsu, supra note 278.
346. Privacy and National Information, supra note 279, at 4363.
347. Where a regulated activity has an effect on interstate commerce the government must show
that effect is substantial to trigger Commerce Clause jurisdiction. This is not the case for channels of
interstate commerce; the effect on the channel is enough in itself to justify federal regulation. See
United States v. Lopez, 514 U.S. 549, 558-59 (1995).
348. Legislative Analysis, supra note 27.
349. For example, Congress eliminated the $1000 threshold for hacking crimes on government
computers in 1994 and created the Economic Espionage Act in 1996 to respond to the changing nature
of information technology. See discussion supra Parts III.A. 1, III.A.3.
350. See Privacy and National Information, supra note 279; discussion supra Parts III.A.I,
III.A.3.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.445

2008] CRACKING THE CODE

allow prosecutors to "swiftly trace a cyber attack back to its source and
appropriately prosecute" 351 without the need to continually parse the
criminal code.3 52 In order for law enforcement and federal agencies to
prevent crime in the future, they require a comprehensive database that
compiles accurate data regarding cyber attacks; 353 efficient prosecutions
under one statute would effectively allow the creation of a reliable
database. Partnerships between prosecutors, law enforcement, and industry
facilitated by federal intervention help "develop early awareness of, and a
coordinated, proactive response to, the [cyber] crime problem. The cyber
crime problem is constantly changing, requiring law enforcement to
develop a flexible and dynamically evolving approach as well. 3 54
Consequently, elimination of the threshold provides tools not only to fight
cyber crime currently, but also to predict and improve the tools for fighting
cyber crime in the future.

LA
In 1996, Congressman Leahy declared that "Congress must remain
vigilant to ensure that the Computer Fraud and Abuse statute is up-to-date
IM
and provides law enforcement with the necessary legal framework to fight
computer crime." 355 Over the past two decades, Congress has met that goal
SH

by amending the CFAA to reflect the current state of cyber crime. In 2008,
the state of cyber crime has again changed. As computers continue to
evolve in their methods of creation and storage of valuable information,
Congress must again modernize the criminal provisions to protect this
LU

irreplaceable commodity.
PN

B. SPIM

Instant messaging services are rapidly increasing in popularity and

H

crimes using them are following close behind. Nearly half of all Internet
users use some form of instant messaging. 356 Among teenagers that number
is much higher; "instant messaging has become the digital communication
backbone of teens' daily lives." 357 According to the Pew Report, 75 percent

351. See Kyl Statement, supra note 18.

352. Legislative Analysis, supra note 27.
353. Mueller, supra note 24.
354. The FBI's Cyber Division: Hearing on H.R. 2517 Before the Subcomm. on Cts., the Internet,
and Intellectual Property, 108th Cong. (2003) (statement of Jana D. Monroe, Assistant Dir., FBI Cyber
Div.).
355. S. REP. No. 104-357, pt. 1I,at 5 (1996).
356. SHIt & LENHART, supra note 100, at 3 (noting that 42 percent of Internet users-more than
53 million American adults-report using instant messaging at least once).
357. AMANDA LENHART, MAY MADDEN & PAUL HITLIN, PEW INTERNET & AM. LIFE PROJECT,
TEENS AND TECHNOLOGY iii (2005), available at http://www.pewintemet.org/pdfs/

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.446

1012 SOUTHERN CALIFORNIA LA W REVIEW [Vol. 81:959

of online teenagers, or approximately two-thirds of all American teenagers,

use an instant messenger every day.358 Instant messengers are not only used
for conversation; but also, among teenagers, 50 percent have used an
instant messenger to send a link to an article or clip, 45 percent have sent a
359
photo or document, and 35 percent have sent music or a media file.
The percentage of adults who have ever used instant messaging is
lower-42 percent-but, of those "53 million American adults, 12
[percent]" still use an instant messenger on a daily basis. 36 ° One of the
fastest growth areas for instant messaging is the workplace.3 61 The Radicati
Group, a technology market research firm, "determined that seventy
percent of businesses have employees who use instant messaging, and half
of them use public providers in which the message bypasses the company's
362
own security, archiving, auditing, encryption and logging features."

LA
The growing prevalence of instant messaging in the home and
workplace creates vast opportunities for spammers to target the unwary
instant messenger. Ironically, the federal and industry focus on spam, "has
IM
painted e-mail spammers into a comer like never before and incited them to
find other ways to try and reach our membership online," according to
SH

363
Nicholas Graham, a spokesperson for America Online.
Because many instant messengers do not have a domain name
associated with the program, many spIM crimes cannot be prosecuted
LU

under the CAN-SPAM Act. It is difficult to fill the gap left by the CAN-
SPAM Act with existing legislation due to the difficulty of proving the
PN

crime with these statutes. Instant messaging occurs in real time, meaning it
is instantaneous, unlike e-mail which can sit on a server for any length of
time before delivery. One way to investigate and track spIM would be to
H

monitor instant messages to catch an act of spIM; this would require the
real-time message to be captured while it is being transmitted. This would
violate the Federal Wiretap Act and would hinder the ability to implement
a broad-scale monitoring system. SpIM could be proved circumstantially

PIP_Teens_Tech_July2005web.pdf.
358. Id.
359. Id.
360. SHIU & LENHART, supra note 100, at 3.
361. See generally, Tom Van Riper, Text-message Generation Entering Workplace, MSNBC,
Aug. 30, 2006, http://www.msnbc.msn.com/id/14576541 (describing the increased entry of text-
messaging employees into the workplace).
362. Katherine Flanagan, Instant Message: Legal Problems Are Ahead as Popularity Increases,
HOUSTON Bus. J., Nov. 7, 2003, available at http://houston.bizjoumals.com/houston/stores/2003/11/10/
focus I 5.html.
363. Jenifer Saranow, Angry Over Spam? Get Set for Spim, WALL ST. J., Dec. 31, 2003, at D5.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.447

2008] CRACKING THE CODE 1013

through the messaging service's records or through screen captures of the

splM itself, yet no existing statute is an easy fit for this crime. For example,
the mail and wire fraud statutes, the general catchall provisions for cyber
crime, may be difficult to apply because the danger of splM can be the
overwhelming annoyance to the user and the taxation to the server; this
does not necessarily constitute a fraud or conspiracy to commit a fraud.
Similarly, the CFAA is not applicable to all spIM; without a protected
computer, the current CFAA is not applicable to this crime.
The demographics of instant message users require that spIM be taken
seriously. Teenagers and children, prolific instant messenger users, are easy
targets for splMmers. Businesses also present new and appealing venues to
splMers as gaining access to a business's network opens new sources of
information and avenues of attack.

LA
SpIM is a serious problem and will continue to be so unless there is
some way to effectively prosecute and deter this crime. Because current
statutes are unable to fill the gap in the CAN-SPAM Act, it should be
IM
revised to include spIM. The best solution is the elimination of the domain
name requirement of an electronic communication. This revision would not
SH

unjustifiably broaden the scope of the CAN-SPAM Act or permit

prosecutorial overzealousness. This would also eliminate the need to create
a new statute. The CAN-SPAM Act can adequately reach the elements of a
LU

splM crime provided its definition allows it to reach instant messaging.

Technology has advanced to a point where the government is now forced to
respond to a crime rather than prepare for its attack in the future. SpIM is
PN

here now, and its inclusion in the CAN-SPAM Act is a necessary step to
arm prosecutors and investigators with the essential tools to fight back.
H

C. PHISHING PROVISION

Phishing is a difficult crime to prosecute. Most prosecutions can only

take place after someone has been defrauded. The average spoofed Web
site is online for less than six days, leaving criminals "plenty of time to
cover their tracks" before a prosecution is even considered. 364 Although
quick to come and go, the effects of phishing cannot be ignored; the mere
threats of these attacks undermine consumer confidence in the Intemet,
365
which harms e-commerce and secure transactions.
Currently, many phishing crimes are prosecuted under wire fraud

364. 151 CONG. REC. S1796, 1804 (daily ed. Feb. 28, 2005) (statement of Sen. Leahy).
365. See id.

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.448

1014 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

statutes. However, this is in some ways an inefficient method because it

does not reach all elements of the phishing crime. State measures are also
not sufficiently broad. The jurisdictional roadblocks set by the interstate
nature of phishing crimes limits a state's ability to pursue and prosecute the
crime. 366 Phishing presents a "new enough territory" to merit specificity in
the law without fear of duplicating laws that prohibit fraud and identity
367
theft.
In 2005, Senators Patrick Leahy, Ken Salazar, and Charles Schumer
proposed the Anti-Phishing Act of 2005, which addressed the crimes of
phishing and "pharming." 368 As of April 2008, this proposal has yet to
receive a hearing. The proposed law would impose a fine or imprisonment
or both for a person who "creates or procures the creation of a website or
domain name that represents itself as a legitimate online business, without
the authority or approval of the registered owner of [such] business; and (2)

LA
uses that website or domain name to [solicit] means of identification" from
any person. 369 In addition, the proposed law would impose a fine or
IM
imprisonment for a person who knowingly with the intent to engage in an
activity consisting of fraud or identity theft under Federal or State law
SH

sends an electronic mail message that: "(1) falsely represents itself as being
sent by a legitimate online business;" (2) includes an Internet location tool
referring or linking users to an online location of the World Wide Web that
falsely purports to belong to or be associated with a legitimate online
LU

business; and (3) solicits means of identification from the recipient.37 °

The proposed legislation does not contain a monetary threshold as a
PN

jurisdictional requirement or as an element of the crime because phishing

crimes have two victims: the consumer and the spoofed company. While
H

the consumer's damages are more easily alleged, "the reputational damages
that a business incurs as the result of a phishing scam are often much more
difficult to quantify."'371 A monetary threshold would unnecessarily limit
the class of victims.
This proposed law would close the gap and protect the integrity of the

366. See discussion supra Part ll.B.3.

367. See We're Just Phish to Them, supra note 104.
368. S. 472, 109th Cong. (2005). "Pharming" is a crime that attacks Web browsers and the
Internet's addressing system such that a user could type in a desired Web site in a web browser and be
directed to a phony site with the same result of clicking on a phony link in a phishing attack. 151 CONG.
REC. S1796, 1804 (daily ed. Feb. 28, 2005) (statement of Sen. Leahy).
369. S.472 § 1351(a).
370. S.472 § 1351(b).
371.. Stevenson, supra note 112, 6 (citing Karen Greenstein, Defending Your Brand from E-mail
Spoofs-Powerpoint Slides, 784 PLI/PAT 271, at 279-80 (2004)).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.449

2008] CRACKING THE CODE

Internet by providing a mechanism to charge a phisher for spoofing a Web

site. The proposed legislation would criminalize the sham Web sites that
are the true scene of both phishing and pharming crimes. 372 Moreover, a
specialized statute would strengthen investigators' and prosecutors'
abilities to protect Internet users in two ways. First, a specialized statute
will allow agents to act quickly to investigate a phishing crime immediately
after a Web site has been spoofed, instead of being forced to wait until a
fraud has been committed under the wire and mail fraud statutes. Second,
the specialized statute will allow for coordination of the investigation
between state and federal branches of government, facilitating a faster and
more efficient response to phishing schemes.
This proposal generated support, but little action, since its introduction
in 2005, and died in committee. 373 In February 2008, Senator Olympia
Snow introduced the Anti-Phishing Consumer Protection Act of 2008. This

LA
bill aims to prohibit the "collection of identifying information of
individuals by false, fraudulent, or deceptive means through the
IM
Internet[]... to provide the Federal Trade Commission the necessary
authority to enforce such prohibition, and for other purposes." 374 This bill
SH

was referred to the Congressional Committee on Commerce, Science, and

Transportation in February 2008, where it still remains as of July 2008. 375
Prosecutors' inability to efficiently address this damaging and
376
LU

prevalent crime costs the U.S. economy billions of dollars each year.
Perhaps more damaging is the door it opens to the future of identity theft.
Ideally, cyber law must anticipate the next step in cyber crime rather than
PN

lag behind the curve, and this legislation is a necessary step.

VI. CONCLUSION
H

The evolving cyber environment impacts all aspects of our society and
economy and presents a complex set of challenges for lawmakers. The
Internet is constantly shape shifting, 377 and it is impossible to foresee the

372. 151 CONG. REC. S1796, 1804 (daily ed. Feb. 28, 2005) (statement of Sen. Leahy).
373. See Status Report, S.472, 109th Cong., http://www.thomas.gov (search "Bill Number" for
"S.472"; then follow "Bill Summary & Status" hyperlink).
374. Anti-Phishing Consumer Protection Act of2008, S. 2661, 110th Cong. (2008).
375. See Status Report, S.2661, 110th Cong., http://www.thomas.gov (search "Bill Number" for
"S.2661"; then follow "Bill Summary & Status" hyperlink).
376. Total amount of loss is estimated at various levels from $150 million to $1.2billion each
year. RANDALL JACKSON, GEORGE MASON UNIV. SCHOOL OF LAW, K-12 EDUCATION AND CRITICAL
INFRASTRUCTURE (2005), http://cipp.gmu.edu/research/K- I2EducationCl.php.
377. New opportunities for cyber crime present themselves all the time; instant messaging, mobile
phones, and online communities are likely the foreseeable next victims of cyber crime. See Voight,

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.450

1016 SOUTHERN CALIFORNIA LAW REVIEW [Vol. 81:959

nature and scope of all of the opportunities now and in the future for cyber
criminals. Lawmakers at every level of government will need to watch and
study the nature of our interactions with and via computers and networks
adapting laws to deal with the most pressing risks as they become apparent.
Cyber crime's potential for enormous cost to the U.S. economy, society,
and national defense demands that Congress undertake constant vigilance
and make every effort to develop feasible solutions to new problems. The
elimination of the $5000 threshold requirement in the CFAA, and the
addition to the U.S. Code of provisions for spIM and phishing are
appropriate steps that should be taken now to equip federal prosecutors and
law enforcement with additional tools necessary to stem crime in today's
cyber world.

LA
supra note 16. IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.451

+(,121/,1(
Citation:
Debra Wong Yang; Brian M. Hoffstadt, Countering the
Cyber-Crime Threat, 43 Am. Crim. L. Rev. 201
(2006)

Content downloaded/printed from HeinOnline

Sat Apr 6 05:30:33 2019

-- Your use of this HeinOnline PDF indicates your

LA
acceptance of HeinOnline's Terms and Conditions
of the license agreement available at
https://heinonline.org/HOL/License
IM
SH
-- The search text of this PDF is generated from
uncorrected OCR text.

-- To obtain permission to use this article beyond the scope

LU

of your HeinOnline license, please use:

PN

Copyright Information

Use QR Code reader to send PDF

H

to your smartphone or tablet device

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.452

 ESSAY

Countering the Cyber-Crime Threat

Debra Wong Yangt & Brian M. Hoffstadtft

In these early years of the 21st century, we continue to live in the Information
Age - an age when our economy's greatest assets are not steel and coal, but ideas
and their practical applications.' We have been able to exploit this intellectual
capital more effectively in large part due to the widespread use of computers, /
which has enabled businesses to manipulate their intellectual property with greater
ease and to buy and sell physical products with greater efficiency over the Internet.

LA
Our economy's reliance on computers has created a concomitant vulnerability,
however. A person seeking to harm a business in this day and age does not aim his
attacks at the company's physical assets; instead, he takes aim at its computers.3
IM
Not surprisingly, criminal and other harmful acts aimed at computers - so-called
"cyber-crimes" - are on the rise.4 Recent surveys indicate that anywhere from 25%
SH
to 50% of American businesses have detected some sort of security breach in their
computer networks in the past year.5 The losses caused by these breaches are more
LU

United States Attorney, Central District of California; Chair, Attorney General's Subcommittee on Cyber and
Intellectual Property Crimes, 2005-Present; Member, United States Department of Justice Intellectual Property
Task Force, 2004-Present; Member, President's Corporate Fraud Task Force, 2003-Present. The views expressed
in this Essay are the authors' owjafnd do not necessarily reflect the views of the Justice Department.
PN

tt Assistant United States Attorney, Cyber and Intellectual Property Crimes Section, Central District of
California; Adjunct Professor of Law, University of Southern California Gould School of Law.
1. See, e.g., Kevin P. Kalinich & Kristina McGrath, "Identifying the Business Impact of Network Risks and
Liabilities," ABA Brief 18, 24 (Winter 2004) ("Over 70% of the market capitalization of Fortune 500 companies
H

is attributed to information assets.").

2. See Vincent R. Johnson, Cybersecurity,Identity Theft and the Limits of Tort Liability, 57 S.C. L. REv. 255,
255 (2005) ("In the developed world at the beginning of the 21st century, life is built upon computerized
databases.").
3. See Kalinich & McGrath, supranote 1, at 21 ("[I]n the computer age, one individual performing one solitary
act may create utter havoc with electronic data.").
4. See Michael L. Rustad, Private Enforcement of Cybercrime on the Electronic Frontier, 11 S. CAL.
INTERDisc. L.J. 63, 64 (2001) ("There is a cybercrime wave threatening our information-age economy."). For
purposes of this Essay, we use the term "cyber-crime" to refer to cyber-attacks, whether or not covered by a
criminal statute.
5. The joint survey of 700 United States-based businesses conducted by the Computer Security Institute and
Federal Bureau of Investigation in 2005 revealed that 56% had suffered some form of unauthorized use of
computer systems in the past 12 months, resulting in a loss of approximately $130 million for those 700 entities.
CSI/FBI, Computer Crime and Security Survey 12, 15, publishedat http://i.cmpnet.comgocsi/db-area/pdfs/fbi/
FBI2005.pdf (last viewed Feb. 21, 2006). This percentage includes all unauthorized use (including uses merely
prohibited by company policy), so does not directly reflect the number of intrusions.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.453

 AMERICAN CRiMiNAL LAW REVIEW [Vol. 43:201

pernicious and far reaching than one might initially think. The damage caused by a
single computer intrusion typically entails more than the cost of repairing the
compromised data or system, as news of the intrusion may adversely affect the
company's "market capitalization or consumer confidence." 6 This is one of the
reasons why companies routinely fail to report cyber intrusions, including to the
authorities.7 Despite the absence of precise data, however, most observers agree
that "computer crime causes enormous damage to the United States economy."8
The prevalence and increasing prominence of cyber-crime has not escaped the
notice of the President or the Congress. In 2003, the White House released its
National Strategy to Secure Cyberspace. 9 In 2004, the United States Department of
Justice Task Force on Intellectual Property issued its Report, and detailed the
Justice Department's roadmap for combating crimes involving trade secrets and
other intellectual property often stolen or distributed over computer networks. 10

LA
The Federal Bureau of Investigation has made cyber-crime a top priority."l More
recently, the House of Representatives passed a resolution acknowledging the
"increasing threat of malicious attacks" through computer intrusions. 12 Congress
IM
also enacted the Family Entertainment and Copyright Act of 2005, which made it a
felony to use a computer to upload previously unreleased movies, games and
SH

The 2005 Global Security Survey of more than 50 global financial institutions conducted by Deloitte Touche
LU

revealed that approximately 30% of them (25% of United States businesses) had encountered security breaches in
the past 12 months, down from the 2004 rate of 83%. Deloitte, 2005 Global Security Survey 14, available at
http://www.deloitte.comldtt/research/0,1015,sid%253D2211%2526cid%253D86575,00.htm (last viewed Feb.
21, 2006). The Survey authors surmised that the drop was due to better security at the bigger institutions, which
PN

were the focus of more attacks than the smaller businesses with typically more porous networks. Id.
6. Kalinich & McGrath, supra note 1, at 21 ("[R]eported dollar figures are only part of the financial import
because such figures usually do not take into account the subsequent reduction in market capitalization or
consumer confidence," including such factors as "business prestige, reputation, market share, ability to raise
H

capital, opportunity cost of resources, earnings per share, and market capitalization"); see also CSI/FBI Survey,
supra note 5, at 15 (noting how "implicit losses (such as the lost future sales due to negative media coverage
following a breach) are largely not represented in the [Survey's) loss numbers").
7. Accord Robert Steinberg, "Advising Clients About Hacker Insurance," 25 Los Angeles Lawyer 60
(February 2003) ("Companies continue to notoriously underreport network attacks."); Jane Strachan, "Cybersecu-
rity Obligations," 20 Maine Bar J. 90, 94 (2005) ("In the past, most businesses have been reluctant to tell the
world about security intrusions."); see also Neal Kumar Katyal, DigitalArchitectureAs Crime Control, 112 YALE
L.J. 2261, 2278 (2003) ("Many corporate victims do not report cybercrime to the police because they fear alerting
customers and shareholders to the lack of security.").
8. See, e.g., Katyal, supra note 7, at 2261; see also id. at 2263 ("Today, the damage caused by computer crime
runs in the billions of dollars each year, making it one of the most economically damaging forms of crime in
human history."); Steinberg, supra note 7, at 60 ("The financial losses facing corporate America as a result of
network security breaches are staggering.").
9. The full Report is located at http://www.whitehouse.gov/pcipb/ (last viewed Feb. 21, 2006).
10. The full Report is located at http://www.usdoj.gov/criminal/cybercrime/IPTaskForceReport.pdf (last
viewed Feb. 21, 2006).
11. Cyber-crime is the FBI's third highest priority, behind preventing terrorist attacks and investigating
espionage. See www.fbi.gov/priorities/priorities.htm (last viewed Feb. 22, 2006).
12. H. Res. 491, 109th Cong., 1st Sess. (Oct. 17, 2005).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.454

2006] COUNTERING THE CYBER-CRIME THREAT

software onto the Internet. t 3 Among other bills, Congress is currently considering
legislation that would make it a crime to use a computer to obtain personal
information (such as names, social security numbers or credit card information) 4
and legislation that would make it a crime to place software on a computer with the
intent to use that computer to commit further crimes. 15
Despite this much-needed attention, however, and as we discuss in Part I of this
Essay, the threat of cyber-crime is still likely to grow in the coming years because
of two factors. First, we are seeing an increase in the number of American
businesses that are potential victims of cyber-crime. Second, we are beginning to
see an upsurge in the number of potential perpetrators. A brief sampling of the
cyber-crimes the Justice Department is currently prosecuting demonstrates that
16
this threat is real.
At this time, the debate about how to address this growing threat is still in its

LA
infancy. No consensus has yet emerged. Although, as noted above, the federal
government has increased its efforts to combat cyber-crime, market forces have
remained the primary impetus for sorting out where the burdens and costs of
IM
cyber-crime fall. Thus far, they have fallen largely on the victims of cyber-crime -
that is, American businesses - which have been forced to absorb the burden of
preventing cyber-crime and any subsequent losses stemming from their failure to
SH

do so. It is yet to be seen whether this current arrangement is the best for our
economy. Fortunately, this arrangement is not permanent. It is now - at this early
stage in the debate - when we should ask the twin questions: Where should the
onus of fighting cyber-crime and absorbing its costs lie, and what role should the
LU

various players play in this calculus?

In this Essay, we address these two questions and, in so doing, examine the
possibilities of leaving the burdens of cyber-crime on victim companies, of placing
PN

it upon the software and hardware manufacturers, of expanding the role of

governmental regulation, and of a combination of all three options. We also
propose the considerations that policymakers should examine in choosing among
H

these options. In the end, we postulate that the ultimate response to cyber-crime is
likely to be a three-way synergy of all these options.
I. THE GROWING CYBER-CRIME THREAT

In the coming years, two demographic trends are likely to increase the potential
number of cyber-crimes perpetrated against American businesses. First, there is
likely to be a greater proliferation in the number and types of businesses that will
be potential victims of cyber-crimes. Until the past few years, cyber-criminals

13. Pub. L. No. 109-9, Title I, § 103(a), 119 Stat. 220 (2005).
14. Personal Data Privacy and Security Act of 2005, S. 1789, 109th Cong., 1st Sess. (2005).
15. Internet Spy (I-SPY) Prevention Act of 2005, H.R. 744, 109th Cong., Ist Sess. (2005).
16. See text accompanying infra notes 25-31. This is to say nothing of the efforts of the States and District of
Columbia, many of which independently prosecute cyber-crimes under their police powers.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.455

 AMERicAN CRIMINAL LAW REVIEW [Vol. 43:201

typically targeted one of three types of businesses: information brokers, manufac-

turers and distributors of digital media, and businesses who offered products or
services for sale over the Internet. Information brokers, such as credit reporting
agencies and data aggregators like ChoicePoint or LexisNexis, are ripe targets for
cyber-crime because their databases contain information that provides a treasure
trove for identity thieves. 17 Indeed, several states have already acknowledged the
prevalence of this more traditional form of cyber-crime by statutorily requiring
these database aggregators to report the compromise of information to potential
individual victims.18 The manufacturers and distributors of digital media - most
notably, the motion picture, recording, and software industries - have also long
been the victims of cyber-crime, typically through the illegal copying and online
distribution of their copyrighted content. Each of these industries has resorted to
civil lawsuits against downloaders, uploaders, and those who facilitate the distribu-
tion' 9 and to lobbying Congress for more stringent criminal copyright laws2 0 to

LA
stave off the billions of dollars in losses attributed to digital piracy every year. 1
The final category of more traditional targets of cyber-crime are businesses who
IM
offer their wares for sale over the Internet, and more particularly, on the World
Wide Web, where their websites can be defaced or "knocked offline" by a flood of
malicious Internet traffic.
SH

Cyber-crime is no longer confined to targets in these industries, however. No

matter what its core product or service, nearly every business in today's economy
relies upon computers and computer networks to conduct its daily affairs. 22 It is
likely that many of a company's assets - including its trade secrets 23 - are archived
LU
PN

17. Indeed, the Personal Data Privacy and Security Act of 2005, cited in supra note 14, is designed to thwart
precisely this type of identity theft. Congress has already criminalized identity theft, see 18 U.S.C. § 1028 (2000),
and created a crime of aggravated identity theft carrying a two-year mandatory minimum jail term, see 18 U.S.C.
§ 1028A.
H

18. See Johnson, supranote 2, at 261 n. 29 (collecting citations for mandatory notification statutes).
19. The aftermath of the Supreme Court's recent decision in Grokster v. MGM, 125 S.Ct. 2764 (2005), on
third-party liability for facilitating the unlawful distribution has yet to be fully realized.
20. See, e.g., The No Electronic Theft ("NET"') Act, Pub. L. No. 105-147, 111 Stat. 2678 (1997); Family
Entertainment Copyright Act of 2005, supranote 13.
21. A recent study indicated that the Motion Picture Association suffered approximately $5.4 billion in losses
worldwide due to both online and offline piracy of copyrighted motions pictures in 2005. See http://www.mpaa.orgt
press._releases/2006 02_21_razer.pdf (last viewed Feb. 21, 2006). The recording industry estimates approxi-
mately $4.2 billion in losses annually due to piracy. See http://www.riaa.com/issueslpiracy/default.asp (last
viewed Feb. 21, 2006). Similarly, the entertainment software industry estimates its losses at $3 billion per year, a
figure that does not account for online distribution. See http://www.theesa.com/ip/anti-piracy-faq.php (last
viewed Feb. 21, 2006).
22. Accord Steinberg, supra note 7, at 60 ("The reality is that most companies are reliant on some form of
in-house technology for transacting important company business. Company computers might be shielding key
assets or trade secrets, maintaining or retrieving customer data, providing customer service, or coordinating
widespread business operations."); Kalinich & McGrath, supra note 1, at 18 ("If an entity uses e-mail,
computerized accounting, or electronic procurement or stores electronic data, it has network exposures.").
23. Federal laws protecting trade secrets extend to "all forms and types of financial business, scientific,
technical, or engineering information... if the owner thereof has taken reasonable measures to keep the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.456

2006] COUNTERING THE CYBER-CRIME THREAT

on these computer systems. If the company's computer network is accessible to the

Internet (or, for that matter, to disgruntled or enterprising but disloyal employees),
those assets are subject to cyber-theft. Similarly, companies often store their
customers' names, contact information, and payment information in order to
facilitate electronic transactions (so-called "e-commerce"). This data is also likely
to be stored electronically and, as such, is likely vulnerable to theft or destruction.
As a consequence, as the trend toward increased reliance on computers continues,
nearly every business will become a potential target of cyber-criminals.
The second reason why the threat of cyber-crime may loom larger in the coming
years is that the number of persons capable of committing or directing others to
commit these crimes is likely to increase. Traditionally, the universe of cyber-
criminals has been limited to persons with the technical knowledge - mastery of
computer languages, computer programming, or network architecture - capable of
orchestrating what are technically complex crimes. That universe is expanding

LA
along two axes. 24 On one axis, the number of technically savvy individuals capable
of committing cyber-crimes continues to grow as computers are integrated into our
business culture and personal lives. On the other axis, we are beginning to see
IM
"enablers" - persons who use their technical expertise to create and then sell to
others easy-to-use tools that make it possible for non-technically savvy people to
SH
engage in cyber-crime. This secondary market in "cyber-crime tools" is just
beginning to emerge.
The threat of cyber-crime is not an idle one, as the Justice Department's recent
experience in prosecuting cyber criminals demonstrates. As anticipated, the
LU

victims of cyber-crimes are increasingly diverse - ranging from manufacturers of

computer network products to companies that research floods to online search
engine companies.2 5 This is largely because company insiders familiar with the
PN

company's computer networks and the intellectual property assets stored within
them are the perpetrators. 2 6 Employees and former employees of victim-
H

information secret and the information derives independent economic value from not being generally known to,
and not being readily ascertainable through proper means by, the public." 18 U.S.C. § 1839(3) (2000); see also 18
U.S.C. §§ 1831, 1832 (2000) (setting forth federal criminal liability for trade secret theft). State law also protects
the theft of trade secrets. See, e.g., CAL. PENAL CODE § 499c(b) (2005).
24. See also Johnson, supra note 2, at 257 ("The perpetrators of computer intrusions may be bored juveniles,
disgruntled employees, corporate spies, or organized crime networks, not to mention run-of-the-mill thieves.")
(citation and internal quotations omitted).
25. United States v. Suibin Zhang (N.D. Cal.), reportedin "Silicon Valley Engineer Indicted for Stealing Trade
Secrets and Computer Fraud" (Dec. 22, 2005), available at www.cybercrime.gov/zhanglndict.htm (last viewed
Feb. 14, 2006); United States v. Pok Soeng Kwong (E.D. Tex.), reported in "Piano Man Convicted of Computer
Sabotage" (Nov. 21, 2005), available at www.cybercrime.gov/kwongConvict.htm (last viewed Feb. 14, 2006);
United States v. Laurent Chavet (N.D. Cal.), reported in "Former Altavista Employee Pleads Guilty to Hacking
into Alta Vista Computer Systems" (May 9, 2005), available at www.cybercrime.gov/chavetPlea.htm (last
viewed Feb. 14, 2006).
26. Rustad, supra note 4, at 76 ("One of the greatest threats to the security of client computers is not the hacker,
but the enemy within: trusted company employees, ex-employees, consultants, or other insiders familiar with the
computer network.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.457

 AMERICAN CRIMINAL LAW REVIEW [Vol. 43:201

businesses have launched malicious and harmful computer programs on their

employer's systems (a so-called "employee hack back"), 27 have stolen the compa-
ny's trade secrets,28 or have engaged in extortionate acts by holding the company's
network hostage. 29 Although cyber-crime attacks from skilled outsiders continue
to plague American businesses,3 ° this past year the Department prosecuted the
first-ever cyber-criminal who infected thousands of computers with a malicious
computer program, effectively turned the infected computers into "zombie"
computers capable of responding to any commands, and then sold that "army" of
"zombie" computers - which could be used to attack and harm the computer
systems of others - to the highest bidder. 31 Thus, the secondary market in

27. United States v. Richard Benimeli (N.D. Ohio), reported in "Florida Man Indicted for Causing Damage
and Transmitting Threat to Former Employee's Computer System" (Feb. 7, 2006), available at www.cyber-

LA
crime.gov/benimeliIndict.htm (last viewed Feb. 14, 2006); United States v. William Carl Shea (N.D. Cal.),
reportedin "Federal Jury Convicts Former Technology Manager of Computer Hacking Offense" (Sept. 8, 2005),
available at www.cybercrime.gov/sheaConvict.htm (last viewed Feb. 14, 2006); United States v. Roman
IM
Meydbray (N.D. Cal.), reportedin "Former IT Manager of Silicon Valley Firm Pleads Guilty to Computer Crime
Charges" (June 8, 2005), available at www.cybercrime.gov/meydbrayPlea.htm (last viewed Feb. 14, 2006); see
also Chavet, supra note 25; Kwong, supra note 25.
28. United States v. Adam Platts (C.D. Cal.), reported in "San Fernando Man Arrested on Federal Charges for
SH
E-mailing Company Secrets to Competitors" (Apr. 13, 2005), available at www.usdoj.gov/usao/cac/pr2005/
057.html (last viewed Feb. 22, 2006); see also Zhang, supra note 25.
29. See Beninmeli, supra note 27.
30. United States v. Nicholas Lee Jacobson (C.D. Cal.), reported in "Computer Hacker Who Victimized
T-Mobile Pleads Guilty in Los Angeles Federal Court" (Feb. 15, 2005), available at www.cybercrime.gov/
LU

jacobsenPlea.htm (last viewed Feb. 14, 2006); United States v. Allan Eric Carlson (E.D. Pa.), reported in
"Disgruntled Phillies Fan/Spammer Sent to Prison for Four Years" (July 14, 2005), available at www.cyber-
crime.gov/carlsonSent.htm (last viewed Feb. 14, 2006); United States v. Jerome T. Heckenkamp (N.D. Cal.),
PN

reportedin "Former Computer Science Graduate Student Sentenced for Hacking Major Corporations" (April 25,
2005), available at www.cybercrime.gov/heckenkampSent.htm (last viewed Feb. 14, 2006); United States v. Juju
Jiang (S.D.N.Y.), reported in "Queens Man Sentenced to 27 Months' Imprisonment on Federal Charges of
Computer Damage, Access Device Fraud and Software Piracy" (Feb. 28, 2005), availableat www.cybercrime.gov/
jiangSent.htm (last viewed Feb. 14, 2006).
H

Some cyber-criminals are even installing programs called "key-loggers" which record every keystroke on a
keyboard, thereby potentially capturing passwords and other proprietary information. See United States v. Carlos
Enrique Perez-Melara et al (S.D. Cal.), reported in "Creator and Four Users of Loverspy Spyware Program
Indicted" (Aug. 26, 2005), available at www.cybercrime.gov/perezIndict.htm (last viewed Feb. 14, 2006); see
also Jiang, supra; Sean B. Hoan, "Trends in Cybercrime: The Dark Side of the Internet," Criminal Justice 4, 7
(Fall 2005) (noting how malicious software - called "malware" - "may also insert key-logger programs" onto
computers).
31. Traditionally, the use of multiple "zombie" computers to launch an attack against a particular online target
is referred to as a "distributed denial of service attack." See, e.g., United States v. Anthony Scott Clark (Criminal
Division), reported in "Man Pleads Guilty to Infecting Thousands of Computers Using Worm Program then
Launching them in Denial of Service Attacks" (Dec. 28, 2005), availableat www.cybercrime.gov/clarkPlea.htm
(last viewed Feb. 14, 2006). Late last year, however, the Department initiated prosecution - and ultimately
obtained guilty pleas - from a cyber-criminal who sold his army of "zombie" computers to the highest bidders so
that they could launch attacks against targets of their choosing. See United States v. Jeansen James Ancheta (C.D.
Cal.), reported in "Computer Virus Broker Arrested for Selling Armies of Infected Computers to Hackers and
Spanmers" (Nov. 3, 2005), available at www.usdoj.gov/usao/cac/pr2005/149.html (last viewed Feb. 14, 2006);
see id., reported in "Bot Herder Pleads Guilty to Fraudulent Adware Installs and Selling Zombies to Hackers and
Spanmers" (Jan. 23, 2006), available at www.usdoj.gov/usao/cac/pr2006/007.html (last viewed Feb. 22, 2006).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.458

2006] COUNTERING THE CYBER-CRIME THREAT

cyber-crime tools is just beginning to surface.

As this informal survey indicates, cyber-criminals have already proven them-
selves to be resourceful and innovative as they have continued to invent and
perpetrate new and ever-evolving forms of attacks aimed at computers and the data
they contain. Consequently, it is advisable as a policy matter to contemplate -
sooner rather than later - how best to allocate the burdens of fighting malicious
conduct aimed at computers and how best to distribute the losses associated with
such conduct.

II. ALLOCATING THE BURDENS AND COSTS OF CYBER-CRIME

Because cyber-crime is unlikely to disappear and will likely continue to inflict

substantial losses upon the American economy, it is important to consider who
should be responsible for protecting American industry against cyber-attacks and,

LA
when they nevertheless occur, who should bear the losses associated with such
attacks. Because this burden can, in a very general sense, be allocated among three
different groups - the American businesses who are victimized by cyber-attacks,
IM
the American businesses who manufacture the computer hardware and software
aimed at resisting such attacks, and the government 32 - it is also critical to ask
what role government should play in fighting and addressing how losses from
SH
cyber-attacks should be allocated. In this Part, we briefly consider the policy
outcomes of placing the onus of fighting cyber-attacks on each of these three
groups independently.
LU

A. Placing the Burden upon Victim-Businesses

In this first scenario, the American companies who may be victimized by

PN

cyber-attacks would be responsible for protecting themselves from such attacks

and for suffering the consequences if their efforts are not entirely successful. The
consequences of inadequate computer security would likely be two-fold in this
situation. First, a victim-company would be forced to absorb the losses attributable
H

to any computer intrusion or loss of intellectual property, thereby cutting into its
net profitability. As noted above, this cost is likely to go beyond the simple cost of
replacing any lost data and re-securing its systems; the losses would ostensibly
have a ripple effect that might entail lost opportunities for capitalization and loss of
consumer confidence in the company and its computer security.3 3 Second, the
company might incur additional monetary losses if it is sued civilly for failing to
secure its intellectual property and computer systems.34 We are already seeing

32. Although government involvement would ostensibly entail involvement at both the federal and state
levels, this Essay concentrates on examining possible levels of federal government participation.
33. See supra text accompanying note 6.
34. "Companies also face the risk of third-party claims arising from the companies' failure to maintain proper
network security." Steinberg, supra note 7, at 60.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.459

 AMERICAN CRIMINAL LAW REVIEW [Vol. 43:201

such lawsuits, 35 and law professors and other legal commentators do not all oppose
the expansion of the civil law into this realm. 36 Such lawsuits generally seek relief
under one of two theories: a tort theory involving the breach of a duty of care to
maintain a secure network; or a breach of fiduciary duty to keep data secure.37 This
type of legal liability is arguably aided by the notification laws that require
victim-companies to notify potential plaintiffs of the company's failure to ad-
equately secure the individual plaintiffs' information in the company's database.3 8
The twin consequences of direct losses and exposure to third-party lawsuits
would ostensibly spur businesses who run the risk of being potential victims of
cyber-attacks into taking efforts to protect against these outcomes. Because the
most certain way to avoid consequential losses associated with a cyber-attack is to
prevent the attack in the first place, a system that places the burdens of protecting
against cyber-attacks squarely on the victim-businesses would likely result in
businesses allocating more resources toward securing their networks: purchasing

LA
anti-virus software, installing firewalls around their networks, running computer
programs that monitor and log computer usage, limiting remote access to the
IM
companies' networks, encrypting data stored on the computer network, and
educating employees about the importance of changing passwords and vigilant
computer security.39 Additionally, some insurance companies are now offering
SH

"hacker insurance" that shifts the losses associated with computer intrusions onto
LU

35. See, e.g., Complaint, Parke v. Cardsystems Sol'ns, Inc., No. CGC-05-442624 (Cal. Super. Ct., filed June
27, 2005); Class Action Complaint, Goldberg v. ChoicePoint, Inc., No. BC329115 (Cal. Super. Ct., filed Feb. 18,
2005); see also Johnson, supra note 2, at 261 ("Parties are now litigating cases over the liability of database
PN

possessors.").
36. See Johnson, supranote 2, at 262 ("in a wide range of circumstances, database possessors have (or should
have) a legal obligation to data subjects to exercise reasonable care in safeguarding personal data from
intruders"). Indeed, one commentator has referred to "intellectual property [as] the toxic tort of the coming
H

decades." David W. Opderbeck, Peer-to-PeerNetworks, Technological Evolution and Intellectual Property

Reverse PrivateAttorney General Litigation,20 BERKELEY TECH. L.J. 1685, 1689 (2005).
37. See Johnson, supranote 2, at 280-82 (discussing breach of fiduciary duty as a possible source of liability
for data aggregating businesses to the individuals whose data is included in their databases); Strachan, supra note
7, at 91 (observing that businesses "may have a fiduciary duty to protect [the] information [on their systems] and
therefore to implement adequate security measures").
38. See supra note 18.
39. Laura Garcia-Manrique, "Protect Yourself: Computer Security Tips for Professional Offices," Lawyers PC
22 (Nov. 1, 2004) ("The key to combatting th[e cyber] threat is educating computer users."); Todd Flaming,
"Seven Steps to Better Computer Security," 92 ILL. B.J. 101 (Feb. 2004) (listing system-wide firewall, virus
protection, password security, use of virtual private networks, and employee training as necessary parts of a
company's security program); Ian G. Bassingthwaithe, "Basic Computer Network Security," W. Va. Lawyer 16
(Mar. 2002) (advocating "layered security" program for companies entailing intrusion detection systems,
antivirus software, keeping the operating system current, and relying upon encryption of data); Kalinich &
McGrath, supra note 1, at 26 (advising "physical security" and "digital asset protection," which may include
"elements of encryption for authentication and authorization" of access to a company's computer system);
Strachan, supra note 7, at 93 (opining that encryption of data may be a necessary element to adequate computer
security).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.460

2006] COUNTERING THE CYBER-CRIME THREAT

insurance companies; n° at this time, however, only about 25% of businesses rely
on such insurance4 ' and opt instead to rely solely on "self-insurance ' 4 2 - that is,
taking steps to prevent intrusions in the first place. Victim-companies also have
some limited statutory redress against the cyber-attacker,4 3 although remedy by
way of lawsuit is largely illusory unless the hacker can be positively identified
(which is not always easy to do over cyberspace) and is also not "judgment proof."
All of these potential avenues of redress, however, presuppose that the victim
company has sufficient assets to devote to network security or obtaining indemni-
fication via insurance or litigation for any attacks; businesses that do not would be
forced to run the risk of an attack that could potentially cripple it entirely. As this
Essay suggests, this scenario is largely the one that has emerged by default and
remains in operation today.
B. Placing the Burden upon Hardwareand Software Manufacturers

LA
Were the burden of preventing cyber-crime placed upon the manufacturers of
computer hardware and software, that particular subset of American industry would be
IM
held accountable for flaws in their products later exploited by cyber-criminals and other
attackers who subsequently inflict damage upon victim-businesses using that hardware
or software. This is not the law today. Currently, hardware and software manufacturers
SH
and distributors typically insulate themselves from liability under contract theories by
conditioning use of a product upon acceptance of a licensing agreement that absolves
them of most forms of liability for any design or application defects that may result in
future vulnerabilities in users' computer systems. 44 Hardware and software users are left
LU

to wait for software "patches" that eliminate subsequently discovered product vulnerabili-
ties, with little or no recourse for damage or losses incurred in the interim.45
A policy regime that held software and hardware manufacturers liable for a subclass of
PN

40. Steinberg, supranote 7, at 60 (noting existence of "hacker insurance" and arguing that "hacker insurance
H

may be a nearly indispensable business tool"); Katyal, supra note 7, at 2287-88 (observing the existence of
"hacker insurance").
41. CSI/FBI Computer Crime and Security Survey, supra note 5, at 11 ("[O]nly 25 percent of [survey]
respondents indicated that their organizations use external insurance to help manage cybersecurity risks.").
42. Kalinich & McGrath, supra note 1, at 20.
43. See, e.g., 18 U.S.C. §1030(g) (2000). This provision of the Computer Fraud and Abuse Act creates federal
civil jurisdiction to entertain lawsuits for economic damages and equitable relief in one of five circumstances: (a)
where the company suffered loss exceeding $5,000 within a one-year period; (b) where the cyber-attack involved
the alteration of medical equipment used for examination, diagnosis, treatment or care; (c) where the intrusion
resulted in physical injury to a person; (d) where the intrusion entailed a threat to public health or safety; or (e)
where the intrusion affected a computer system used by a government entity for the administration of justice,
national defense or national security. Id.
44. For a discussion of how software companies issue such licensing agreements, see Michael L. Rustad &
Thomas H. Koeing, The Tort ofNegligent Enablement of Cybercrime, 20 BERKELEY TEcH. L.J. 1553, 1557 (2005).
45. For example, the provision of the Computer Fraud and Abuse Act that authorizes civil actions against those
who commit certain acts of intrusion explicitly precludes resort to the Act to sue software and hardware
manufacturers. See 18 U.S.C. § 1030(g) ("No action may be brought under this subsection for the negligent design
or manufacture of computer hardware, computer software, or firmware.").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.461

 AMERICAN CRIMINAL LAW REVIEW [Vol. 43:201

defects in the design of their products would significantly alter the current allocation of
the burdens of cyber-crime. Adhesion contracts negating liability would no longer be
enforceable. Courts would entertain lawsuits based on tort theories, as some commenta-
tors are currently advocating that they should. 6 Arguably, this new liability would
prompt most manufacturers to replace the current pattern of "release now and patch
later" with a system that favored more extensive "Beta testing" prior to a product's
release to guard against vulnerabilities. To be sure, this type of system would likely mean
that new products would be released less frequently. But this delay may be ameliorated if
some relief from liability were granted for products that complied with published
standards for computer security.47
C. Placing the Burden upon Government
Under this policy, the government would further expand its current role in

LA
regulating cyber-security and prosecuting cyber-criminals. Presently, Congress has
taken a measured and conservative approach to federal involvement using the civil
laws. Congress has tasked federal agencies with developing security guidelines for
IM
certain records stored in computerized databases, but only with respect to the
discrete areas of medical records 48 and records maintained by financial institu-
tions.49 The Federal Trade Commission ("FTC") is also empowered to investigate
SH

and seek civil redress against certain types of unlawful activity occurring over the
Internet and computer systems.50 Additionally, and as noted above,5 1 Congress has
LU

46. In their recent article, Rustad and Koeing advocate a new tort of "negligent enablement of cybercrime" that
would empower the victims of cyber-crime to sue software and hardware manufacturers who release software that
PN

contains vulnerabilities later exploited by cyber-criminals. Rustad & Koeing, supra note 44. In support of their
argument, they argue that "[h]ighly vulnerable software enables intruders to gain privileged access to computer
systems," and that "[s]oftware vendors, not computer users, are in the best position to design software that deters
cyber-criminals." Id. at 1555, 1567.
H

47. For purposes of this discussion, the standards might be erected by a governmental agency analogous to the
Food and Drug Administration or by a private, non-profit entity analogous to Underwriters Laboratories ("UL"),
which sets safety standards for electrical and other appliances. In either event, compliance with security standards
would ostensibly erect a presumption of non-liability.
48. See Health Insurance Portability and Accountability Act ("HIPAA"), Pub. L. No. 104-191, 110 Stat. 2021(1996),
codified at42 U.S.C. §§ 1320d-1320d-8 (2000). The regulations enforcing this statutory mandate are located at 45 C.FR.
§§ 164.500-164.534, §§164.302-164.308 (2006). This law was "designed to protect medical records from computer
intruders who may misuse, misappropriate, or alter them." Rustad & Koeing, supra note 44, at 1595.
49. See Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999), codified at 15 U.S.C. §6801 et
seq. (2000). The relevant interpretive regulations are found at 16 C.F.R. §313.1 et seq. (2006). In a nutshell, this
law "requires that each financial institution secure data, including credit card information, transmitted on the
Internet." Rustad & Koeing, supra note 44, at 1596.
50. The FTC has promulgated regulations aimed at enforcing HIPAA and the Gramm-Leach-Bliley Act. See
supra notes 48-49. The FTC has additional jurisdiction to investigate Interet-related frauds, as part of its
authority to regulate, monitor and prohibit unfair competition. See 15 U.S.C. §45(a)(1) (2000) ("Unfair methods
of competition in or affect commerce, and unfair or deceptive acts or practices in or affecting commerce, are
hereby declared unlawful."); see also www.ftc.gov/bcp/menu-intemet.htm (last viewed Feb. 22, 2006) (describ-
ing the FTC's Internet investigations and advisory notices to consumers and businesses).
51. See 18 U.S.C. § 1030(g) (2000); see also supra note 43.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.462

2006] COUNTERING THE CYBER-CRIME THREAT

opened the federal courts and empowered certain victims of cyber-crimes to bring
civil lawsuits against the perpetrators of cyber-crime.
The government's involvement in criminal prosecution of cyber-crime has also
been steadily increasing. Over the past few decades, Congress has engaged in a
pattern of expanding the ambit of federal criminal jurisdiction over cyber-crimes,
thereby granting prosecutors the tools to investigate and prosecute such acts. The
Computer Fraud and Abuse Act creates several federal felonies involving unautho-
rized access or exceeding authorized access to "protected computers" - that is,
computers "used in interstate or foreign commerce or communication., 5 2 Cur-
rently, the broadest basis for federal jurisdiction - that the victim company suffered
a "loss" of at least $5,000 within a one-year period 53 - has on occasion stymied the
government's ability to bring cases and, more troubling, to obtain convictions of
cyber-criminals who readily admit that they otherwise committed the crimes of
computer intrusion contained in the Act. 54 Similarly, the Electronic Espionage Act

LA
of 1996 makes it a crime, among other things, to "download," "upload," or
otherwise "transmit" or "convey" trade secrets.5 5 Title II of the Omnibus Crime
IM
Control Act of 1968 criminalizes the act of intercepting electronic mail messages
("e-mail") and potentially use of a "keystroke logger" to capture data entered into a
computer.56 The CAN-SPAM Act makes it a crime to send more than a threshold
SH
number of unsolicited, commercial e-mail in a given period of time. 7 The Justice
Department has taken these new tools and made cyber-crime a priority. Since
1990, the Department has established units comprised of specialized federal
prosecutors trained in the law and technology necessary to bring cyber-criminals to
LU

justice in 18 different United States Attorney's Office scattered throughout the

country, as well as creating a specialized unit at Main Justice tasked with
coordinating multi-jurisdictional investigations and advising the Department on
PN

policy matters relevant to cyber-crime.58 In a similar vein, the two most recent
H

52. See 18 U.S.C. §§1030(a), (e)(2).

53. See 18 U.S.C. §1030(a)(5)(B)(i) (requiring proof that there was a "loss to 1 or more persons during any
1-year period... aggregating at least $5,000 in value"); see also 18 U.S.C. §1030(e)(1 1) (defining "loss" as "any
reasonablecost to any victim, including the cost of responding to an offense, conducting a damage assessment,
and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost,
cost incurred, or other consequential damages incurred because of interruption of service") (emphasis added).
54. In United States v. Chad Grant, CR No. 05-112-GAF (C.D. Cal.), two different juries were unable to reach
a verdict in a case charging the defendant with exceeding authorized access to a computer system, and the primary
issue at the trials was whether the victim-company's expenditures met the $5,000 "loss" requirement. Paradoxi-
cally, in United States v. Marinella Amaya, CR 02-812-R (C.D. Cal.) and United States v. Glen Cazenave, CR
02-811 -R (C.D. Cal.), two different juries reached two different verdicts involving the same facts (conviction in
the first case, acquittal in the second), where the sole issue at both trials was whether the victim-company's
expenditures met the $5,000 "loss" requirement.
55. See Pub. L. No. 104-294, 110 Star. 3488 (1996), codified at 18 U.S.C. §1832(a)(2) (2000).
56. See 18 U.S.C. § 2511(1) (2000).
57. See 18 U.S.C. §1037 (2000); see also Pub. L. No. 108-187, 117 Star. 2703 (2003).
58. See Statement of Debra Wong Yang Before the Committee on the Judiciary, United States Senate,
Concerning the Impact of the Supreme Court's Decision in MGM v. Grokster (Sept. 28, 2005), available at

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.463

 AMERICAN CRIMINAL LAW REVIEW [Vol. 43:201

Attorneys General have made protection of intellectual property a top priority,

including those crimes committed using computers. 59 Additionally, the number of
federal prosecutions of cyber-criminals continues to increase.
Despite this greater involvement, the government cannot carry the full responsi-
bility of addressing the cyber-crime threat. Requiring more and more businesses to
comply with civil regulations may help guard against further intrusions within the
regulated industries, but the costs of monitoring and enforcing compliance may be
too great a burden to impose on the subset of regulated businesses and may thus be
passed along as an assimilated cost to all businesses. Civil enforcement actions
against cyber-crime perpetrators, like all civil actions, is only useful if the
defendant can be identified and is not judgment proof or, with respect to
injunctions, recalcitrant. Likewise, criminal prosecutions are limited by the willing-
ness of victim-businesses to report an incident, to cooperate with investigations,
and, if necessary, to testify at trial or sentencing. Prosecutions are also fundamen-

LA
tally constrained by the reach of jurisdictional statutes and by the need to prioritize
the use of finite prosecutorial resources also tasked with investigating complex
IM
organized crime syndicates and fraud schemes, counter-terrorist threats, narcotics
trafficking, and a panoply of other criminal offenses.
SH
In this Part, we have attempted only to provide a brief sketch of how the legal
and economic landscape might look depending on who is tasked with the burdens
of fighting and absorbing the losses from cyber-crime. We next provide a few
thoughts on how to evaluate which incentive structure should be adopted.
LU

III. CRITERIA FOR EVALUATING CYBER-CRIME POLICY

PN

Thus far, we have highlighted two trends that are likely to result in a continued
and arguably greater threat from cyber-crime in the coming years, and have
outlined three possible options for where policymakers might place the burdens of
addressing that mounting threat - on the businesses who are potential victims of
H

cyber-crime, on the manufactures of software and hardware relied upon by

business to protect against cyber-crime, and on government institutions. A compre-
hensive analysis of which of these three options, or which combination thereof, is
most optimal as a matter of public policy is beyond the scope of this Essay. It may
nevertheless be useful to consider how policymakers should evaluate the various
policy options by suggesting the criteria upon which such evaluations should be

http://judiciary.senate.gov/testimony.cfm?id= 1624&witid=4683 (last viewed Feb. 23, 2006). The Department

has also participated in international efforts to educate and deter crimes involving computers and the theft of
intellectual property, including providing training to foreign law enforcement officials and forming public-private
coalitions aimed at monitoring and thwarting such crimes. Id.
59. Report of the Department of Justice Task Force on Intellectual Property, supra note 10; see also "Attorney
General Alberto R. Gonzales Renews Commitment to Justice Department's Intellectual Property Task Force"
(Mar. 9, 2005), availableat www.usdoj.gov/opa/pr/2005/March/05.agI 11 .htm (last viewed Feb. 22, 2006).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.464

 2006] COUNTERING THE CYBER-CRIME THREAT

based.
The first and perhaps most directly relevant consideration is whether the policy
to be adopted will be effective in stemming the tide of cyber-crime. In this
instance, effectiveness refers both to the policy's ability to deter cyber-crime in the
first place and, relatedly, to its ability to minimize the losses to the American
economy as a consequence of undeterred cyber-crime.
Take, for example, the third option outlined above, which relies upon the
government - including prosecutors - to carry a larger burden in fighting
cyber-crime. In examining the efficacy of this option, policymakers should
consider several factors, including both its deterrence-inducing and loss-avoiding
aspects. With respect to deterrence, it is important to ask several questions. First,
are there any "gaps" in the criminal statutes that fail to reach conduct that should
be criminal? For instance, the Criminal Fraud and Abuse Act, as noted above,

LA
contains a $5,000 threshold loss requirement."' Given the absence of such a
requirement in many other federal criminal statutes 61 and the contentiousness of
this element in cases in which the criminally culpable conduct itself is conceded,
IM
policymakers could increase the deterrent effect of the criminal law by eliminating
this requirement and thereby closing the "gap" it inadvertently created. Second, is
the risk of non-detection sufficiently high that cyber-criminals do not fear being
SH
identified and prosecuted? Many activities conducted over the Internet are logged
and, as such, may be later tied to a physical location; however, new technologies
are emerging that enable Internet users to surf anonymously and to confound
efforts at re-constructing the trail of cyber-criminals - even when law enforcement
LU

has obtained proper legal process. In addressing these new technologies, policy-
makers need to balance any First Amendment advantages of this "perfect anonym-
ity" with the need for law enforcement to effectively identify and prosecute
PN

cyber-criminals. 6 2 Third, are the consequences of prosecution and conviction,

including the stigma of conviction and any possible sentence, sufficiently stringent
to deter cyber-criminals? Fourth, to the extent such data exists, do empirical
H

studies indicate that the existence of these criminal laws and their use by
prosecutors actually deter cyber-criminals? 63 With respect to the loss avoidance,

60. See text accompanying supra note 53.

61. See, e.g., 18 U.S.C. §§2312, 2313 (2000) (sale or transportation of stolen vehicles; no monetary threshold
requirement); 18 U.S.C. §§2316, 2317 (2000) (sale or transportation of livestock; no monetary threshold
requirement); 18 U.S.C. § 2318 (2000) (trafficking in counterfeit labels; no monetary threshold requirement).
62. Outside the cyber-context, the Fourth Amendment protects against intrusions into reasonable expectations
of privacy, which under the plain text of the Amendment itself entails freedom from government intrusion absent
judicial process. See U.S. Const. amend. IV. In this regard, the Fourth Amendment still renders persons
accountable for their acts. As such, it does not guarantee anonymity, which by definition defies accountability.
See, e.g., Katyal, supra note 7, at 2269 (arguing that "[o]ne of the main reasons why crime is pervasive on the
Internet is anonymity," and noting how programs that log Internet activity "could deter crime ex ante").
63. At least one commentator has noted that the recording industry's civil lawsuits against persons who
illegally download music have not deterred such behavior in any significant way. See Opderbeck, supra note 36,
at 1722.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.465

 AMERICAN CRIMINAL LAW REVIEW [Vol. 43:201

policymakers should ask whether criminals are required by statute to pay restitu-
tion to victims of their crimes and, as a practical matter, whether the restitution
actually paid offsets the losses sustained as a result of the criminal conduct.
Aside from the effectiveness of a particular option, a second factor policymak-
ers should consider is whether the sector of the society burdened by the option has
the resources to carry that burden. If, for example, policymakers seek to place a
greater responsibility upon the manufacturers of software and hardware to better
ensure that their product is not vulnerable to cyber-attacks, it would be important
to assess whether those manufacturers have the wherewithal to undertake this
burden - either by passing along the additional cost to their customers or through
protection from liability should their products comply with published cyber-
security standards. Similarly, policymakers contemplating a greater role for
governmental rule-making and prosecution would need to address whether there

LA
are sufficient regulators and prosecutors to handle any additional duties placed
upon them.
A third consideration is whether the adopted policy is consistent with the general
IM
population's views about cyber-crime, or whether any gap between the policy and
public opinion is likely to be reduced by the new policy. If, for example, the public
views certain types of cyber-crimes (such as defacing a company's website) as
SH

little more than cyber-vandalism and therefore as harmless, policymakers will

need to consider whether efforts to prosecute more such cases will result in
verdicts of acquittal based on jury nullification.6 5 Policymakers need to be mindful
LU

that members of the public, and the businesses that they operate, will need to be
supportive of any new policy. Although societal norms can be shaped by legisla-
tive action, the gap between the current norms and desire norms should not be too
PN

great.
A fourth, and closely related, factor is whether there exists the "political will" to
enact and enforce whatever new policy is deemed the most advantageous in light
of the three broad policy criteria set forth above. No matter how theoretically
H

sound a policy might be, if it is not feasible politically, it is of little value.

IV. CONCLUSION

Despite the unique technologies that make the Internet and the Information Age
a reality, policymakers do not write on a blank slate. Crime is a persistent problem,
and policymakers have fashioned policies to combat it and reduce its costs to
society for centuries. It may accordingly be helpful to look to non-cyber analogies
in determining the proper ingredients to be combined together in a thoughtful

64. In federal prosecutions, restitution is mandatory. See 18 U.S.C. § 3663A (2000).

65. For years now, many commentators and practitioners have noted the "gap" between the societal norm that
digital piracy for personal use is acceptable and the practice of industry groups of bringing civil lawsuits against
those who download for personal use. See, e.g., Opderbeck, supra note 36, at 1714.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.466

2006] COUNTERING THE CYBER-CRIME THREAT

policy against cyber-crime.

For example, policymakers could look to public policy regarding fire damage as
a possible analogy. As with cyber-crimes, businesses can be victimized by fires -
both inadvertent and intentional - and can suffer losses as a result. Moreover, fire is
similar to Internet viruses and other malicious software insofar as neither is easily
contained and may spread from one location to another unless halted. Right now,
the burden of preventing fires and reducing the business losses attributable to fire
does not rest solely on the potential victims of fire damage. Instead, it is divided
among the business owners who are responsible for taking actions to minimize the
risk of fire (and the insurers who insist upon such measures before insuring against
fire damage); the manufacturers of smoke detectors, fire extinguishers, and alarms
designed to alert the authorities; and governmental fire marshals who conduct
regular inspections and prosecutors who investigate and prosecute arsonists.

LA
Policymakers might consider how a sharing of burdens in a similar fashion would
translate into the realm of protecting against cyber-crime.
We believe that the optimal policy solution to combating the ballooning
IM
cyber-crime trend is likely to involve a collaborative effort of American business,
software and hardware manufacturers, and government. Government involvement
is essential to coordinate and assist with the international aspects of cyber-crime, to
SH

facilitate standardized security protocols and unfair practices over the Internet, and
to prosecute persons who commit the acts legislatures deem harmful enough to
make criminal. Private industry would likely share the remaining burden -
LU

divided, as policymakers see fit, between the software and hardware industries
who are in a centralized position to improve the effectiveness of products aimed at
security, and the potential victim-businesses who are able to monitor and update
PN

those products and train and monitor their employees regarding cyber-security.
Whatever balance is ultimately struck will depend in large part upon the input of
industry representatives, large and small businesses, computer experts, govern-
ment regulators, prosecutors and defense lawyers, and members of the general
H

public. As the cyber-crime threat continues to grow, so too will the impetus and
need for further policymaking. Participating in this debate sooner rather than later
will enable policymakers to reach the optimal result and, one can hope, ensure the
vitality of the American and world economies in the face of cyber-crime.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.467

 LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.468

 AN ADAPTIVE APPROACH FOR AN
EVOLVING CRIME: THE CASE FOR AN
INTERNATIONAL CYBER COURT AND
PENAL CODE
INTRODUCTION

bestowed
T echnological innovation over the last half-century has
revolutionary advantages upon humanity. Yet for all its brilliant
progress, technology's constant state of development has also cultivated
an evolving criminal field capable of inflicting unprecedented damage:
cybercrime. To date, legislative efforts to fight the numerous forms of
cybercrime, from localized mischief-making to highly destructive acts of

LA
cyberterrorism, have been largely inefficient and regularly outpaced by
dynamic criminal tactics' and the mutations of cyberspace itself. As long
IM
as the global community continues to take insufficient action to address
the threats posed by cybercriminals, the risk of a catastrophic cyberat-
tack-with the potential to eradicate vast quantities of private records,
SH

dismantle corporate activities, and suspend entire governments-will

persistently increase.2
Cybercriminals have been regarded as a serious threat to governments
and state security since the dawn of the digital age, costing the global
LU

community billions of dollars each year. 3 Today, cybercriminals are

playing a more prominent role in geopolitical affairs than ever before as
they increasingly direct their focus to nontraditional targets in new and
PN

novel ways. In late August 2011, for example, a group of hackers suc-
cessfully impersonated Google, the popular search engine and e-mail
provider, and used their disguise to snoop on Internet users. 4 In an unre-
H

lated case from the latter half of 2011, a ruthless Mexican crime syndi-
cate, Los Zetas, found itself in the crosshairs of Anonymous, a well-

1. See, e.g., Christopher E. Lentz, Comment, A State's Duty to Prevent and Respond
to CyberterroristActs, 10 CHI. J. INT'L L. 799, 799-801 (2010); Kelly A. Gable, Cyber-
Apocalypse Now: Securing The Internet Against Cyberterrorism and Using Universal
Jurisdictionas a Deterrent,43 VAND. J. TRANSNAT'L L. 57, 60-66 (2010).
2. See, e.g., Charlotte Decker, Note, Cyber Crime 2.0: An Argument to Update the
United States Criminal Code to Reflect the ChangingNature of Cyber Crime, 81 S. CAL.
L. REV. 959, 960-61 (2008).
3. Id. at 961-62; see generally Gable, supra note 1, at 59-66.
4. The targeted e-mail accounts belonged to people living in Iran. Neither the pur-
pose of the attack, nor its focus on Iranian e-mail accounts, is clear. Somini Sengupta, In
Latest Breach, Hackers Impersonate Google to Snoop on Users in Iran, N.Y. TIMES,
Aug. 31, 2011, at B4.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.469

 1140 BROOK. J INT'L L. [Vol. 37:3

known collective of hackers from across the globe.5 After Los Zetas ap-
parently kidnapped one of their hackers, Anonymous-which had ille-
gally accessed confidential NATO documents only months before 6
released a video on YouTube, the popular video sharing website, in
which a masked figure criticized Los Zetas for its criminal behavior and
pledged to release the identities of one hundred of Los Zetas' major con-
tacts.7 The Anonymous member was released within days.
In addition to individuals and collectives perpetrating such novel cy-
berattacks, sovereign governments are engaging in potentially illegal on-
line behavior with greater regularity. In November 2011, the United
States accused China and Russia of using proxy computers and dispersed
Internet routers in other countries to spy on Americans over the Internet.9
The United States itself has admitted to considering the use of cyberat-

LA
tacks during its involvement in 2011's Libyan revolutiono and may have
utilized a computer worm to target uranium-enriching centrifuges in Ira-
nian nuclear facilities." Cybercriminals acting as government agents in
IM
such scenarios may be able to cause more widespread damage, and pre-
sent even more challenging legal and logistical hurdles for law enforce-
SH
ment officials, than isolated actors.
As hackers' capabilities and resources continue to grow, and as more
government operations increasingly occur online,12 the scope of a single
LU

5. Damien Cave, After a Kidnapping,Hackers Take On a Ruthless Mexican Crime

Syndicate, N.Y. TIMES, Nov. 1, 2011, at A6.
PN

6. Hackers Gain Access to NATO Data, N.Y. TIMES, July 22, 2011, at A7.
7. Cave, supra note 5, at A6.
8. Paul Wagenseil, Anonymous wins victory in drug cartelfight, MsNBC.coM (Nov.
4, 2011, 5:28 PM),
H

http://www.msnbc.msn.com/id/45169382/ns/technologyand-science-
security/t/anonymous-wins-victory-drug-cartel-fight/#.T2eVnXjs620.
9. Thom Shanker, In Blunt Report to Congress, U.S. Accuses China and Russia of
Internet Spying, N.Y. TIMES, Nov. 4, 2011, at A4; see also Richard A. Clarke, Op-Ed.,
How China Steals Our Secrets, N.Y. TIMES, Apr. 3, 2012, at A27 (providing an overview
of Congressional efforts to address cybercrime and noting that "Robet S. Mueller III, the
director of the F.B.I., said cyberattacks would soon replace terrorism as the agency's No.
1 concern as foreign hackers, particularly from China, pentrate American firms' comput-
ers and steal huge amounts of valuable data and intellectual property").
10. Eric Schmitt & Thom Shanker, U.S. Debated Cyberwarfare in Attack Plan on
Libya, N.Y. TIMES, Oct. 17, 2011, at Al.
11. Michael Totty, The First Virus. . ., WALL ST. J., Sept. 26, 2011, at R2; Tom Gjel-
ten, Security Expert: U.S. 'Leading Force' Behind Stuxnet, NPR (Sept. 26, 2011),
http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-
stuxnet.
12. See, e.g., Vivek Kundra, Op-Ed., Tight Budget? Look to the 'Cloud', N.Y. TIMES,
Aug. 31, 2011, at A27.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.470

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1141

cyberattack's damage becomes increasingly daunting. Though the United

States to date has managed to weather most of the cybercrimes perpe-
trated against it with relatively modest damage, other less fortunate na-
tions provide ominous examples of what could be in store for the global
community. In 2007, for one example, Estonia was effectively shut down
for three weeks by a series of relatively simple cyberattacks that targeted
government, media, and business websites.' 3 Estonia made itself particu-
larly vulnerable by being at the vanguard of adopting online processes-
the government opted to conduct most of its operations over the Internet
while individual Estonians conducted much of their personal affairs, in-
cluding more than ninety-eight percent of their private banking, online.14
Despite Estonia's stark example of the risks associated with taking state
business online, the number of nations adopting Internet-based opera-

LA
tions continues to grow. s
Owing perhaps to the ever-expanding list of potential targets, the fre-
quency of cybercrimes is increasing. The U.S. Department of Homeland
IM
Security announced that there were eighty-six reported attacks on critical
infrastructure computer systems in the United States between October
SH
2011 and February 2012, an increase of seventy-five attacks from the
same time-span the previous year.' 6 These attacks were just a small part
of the more than 50,000 cyberattacks reported to the agency since Octo-
ber 201 .'"
LU

Due to the uniquely global dimensions of cybercrime and the world's

growing reliance on technology, the international community needs to
adopt an international penal code for cybercrime and vest jurisdiction
PN

over this unique body of law in an international criminal court or tribu-

nal. Such a code is necessary to provide a uniform set of definitions,
norms, and standards, and to effectively regulate a crime-evolving fast-
H

er than many legislatures can operate-that knows no territorial bounda-

ries.
This Note seeks to examine the justification for this new approach and
to evaluate the inherent difficulties in regulating cybercrime through tra-
ditional criminal systems.' 8 Part I, in sections A and B, considers the de-

13. Lentz, supra note 1, at 799-800; Gable, supranote 1, at 61.

14. Gable, supra note 1, at 61.
15. See, e.g., Kundra,supra note 12, at A27.
16. Michael S. Schmidt, New Interest in Hacking as Threat to Security, N.Y. TIMES,
Mar. 13, 2012, at Al6.
17. Id. The article also notes that a total of 10,000 attacks were reported the previous
year. Id
18. This Note will not discuss the important role that self-governance plays in Inter-
net-based activities as it is focusing primarily on criminal activity intended to cause harm.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.471

 1142 BROOK J INT'L L. [Vol. 37:3

velopment of cybercrime and the current methods of combating it. Part

I.C considers the historical use of universal jurisdiction and its applica-
bility to cybercrime. Part I.D presents a brief survey of the strengths,
weaknesses, and purposes of the International Criminal Court ("ICC"),
which provides the most promising model for an international cyber-
crime court. Part II evaluates three proposals for tackling cybercrime at
an international level: extending universal jurisdiction to encompass cy-
berspace, using traditional treaty law to bind states to domestic incorpo-
ration of international cybercrime codes, and finally, the preferred ap-
proach of adopting an international penal code under the jurisdiction of
an international court or tribunal.

I: THE EVOLVING LANDSCAPE OF CYBERCRIME

LA
Over the past fifty years, technological advancements have radically
changed both personal and professional business activities.' 9 Since its
invention in the late 1940s, the computer has come to play such a domi-
IM
nant role in human culture that it may now be hard to imagine a world
without its existence.20 Springboarding off of the computer came the in-
SH
vention of the Internet and other networks that linked computers and
computer systems together from around the globe. 2' Though capabilities
to create worldwide computer networks like the Internet had been avail-
able since the 1960s, it was not until the end of the Cold War, when the
LU

United States government became less concerned about potential security

vulnerabilities, that the Internet became widely available for public use.22
Over the last fifteen to twenty years, the use and accessibility of the In-
PN

ternet have proliferated and web access has become a common feature of
23
mainframe computers, tablet computers, cell phones, and other portable
H

For a thorough discussion of property rights, self-regulation in cyberspace, and additional

important issues relating to cyberlaw, see generally Nicolas Suzor, The Role of the Rule
of Law in Virtual Communities, 25 BERKELEY TECH. L.J. 1817 (2010). See also generally
Paul Schiff Berman, Cyberspace and the State Action Debate: The Cultural Value of
Applying ConstitutionalNorms to "Private" Regulation, 71 U. COLO. L. REv. 1263
(2000); Henry H. Perritt, Jr., Towards A Hybrid Regulatory Scheme for the Internet, 2001
U. CH. LEGAL F. 215.
19. See, e.g., Decker, supra note 2, at 961.
20. Gable, supra note 1, at 67. Gable's article provides a helpful overview of the
technological developments of both the computer and the Internet. See generally id.
21. Id. at 68.
22. Id. at 68-69.
23. One of the major factors in the proliferation of the Internet has been declining
costs of both personal computers and connectivity. Decker, supra note 2, at 960. The
increase in availability, coupled with the unparalleled rapidity of technological advance-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.472

 2012] CASE FOR ANINT'L CYBER COURT& PENAL CODE 1143

electronics like music players. 24 Today, mobile devices provide regular

Internet access to as many users as stationary computers. 25
Recently, a practice known as "cloud computing" has developed in
which information is stored and accessed entirely through the Internet
and other computer networks. 26 Businesses have shifted toward increas-
ing reliance on cloud computing for the efficiency it can add in storing
records, interfacing with customers, and cutting information technology
infrastructure costs by eschewing the need to purchase and maintain req-
uisite hardware. 2 7 Many individuals use cloud computing every day sim-
ply by accessing their e-mail or social networking websites; Google's
popular e-mail system, "Gmail," and Facebook, the popular social net-
working site, are two primary examples of cloud computing products
targeted toward the masses. 2 8 As with businesses, individuals often use

LA
cloud e-mail accounts because access is available on any computer and
there is essentially no technological upkeep necessary-an individual
does not have to download new software packages or upgrade computer
IM
hardware to keep e-mails up to date. 29 The allure of cloud computing has
led to a rapidly expanding use of the practice across many sectors, in-
SH
cluding government.30

ment, has led to Internet access for an estimated seventy-five percent of Americans. Id. at
LU

961.
24. Gable, supra note 1, at 68-69.
25. David J. Goldstone & Daniel B. Reagan, Social Networking, Mobile Devices, and
PN

the Cloud: The Newest FrontiersofPrivacy Law, 55-SUM B. B.J. 17, 21 (2011).
26. Id. at 21. The exact definition of cloud computing is imprecise, though one clear
component is that a user does not own any of the technology involved in operation. The
National Institute of Standards & Technology defines it as a
H

"model for enabling convenient, on-demand network access to a shared pool of

configurable computing resources . . . that can be rapidly provisioned and re-
leased with minimal management effort or service provider interaction." Essen-
tially, users store or share their information on the Internet and third-party pro-
viders maintain that information on remote servers owned or operated by the
provider.
Ilana R. Kattan, Note, Cloudy Privacy Protections: Why the Stored Communications Act
Fails to Protectthe Privacy of Communications Stored in the Cloud, 13 VAND. J. ENT. &
TECH. L. 617, 620-21 (2011) (internal citation omitted).
27. Id. at 622.
28. Id. at 618; see also Goldstone & Reagan, supra note 25, at 17.
29. Goldstone & Reagan, supra note 25, at 17.
30. Id. at 18. In a New York Times op-ed, Vivek Kundra, the Chief Information Offi-
cer for President Obama's administration from 2009-2011, promoted the administration's
push into cloud technology. He writes that, "shortly after the Obama administration took
office, we instituted a 'Cloud First' policy, which advocates the adoption of cloud serv-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.473

 1144 BROOK. J. INT'L L. [Vol. 37:3

These advancements have ushered in an era of unprecedented effi-

ciency and speed in both personal and business-related Internet activity,
but they have also created a user dependency on service providers to
maintain and protect personal data.3 As more personal information is
conveyed over the Internet and stored in the cloud, everything from in-
formation on bank accounts to federal infrastructure, from personal e-
mail to private photos, is increasingly vulnerable to cyberattack. 32 As a
result, nearly every person could be victim to a cyberattack, whether they
are individual Internet surfers, non-computer-using customers of Inter-
net-using companies, or even citizens of cloud-embracing national gov-
ernments. 33 Accordingly, governments strive to keep pace with techno-
logical advancements and to protect individuals, businesses, and them-
selves from cybercrime. However, these efforts have not always been

LA
sufficient to stem the tide of cybercrime proliferation.3 4

A. Definition of Cybercrime IM
One of the primary obstacles in combating cybercrime is defining it.
No internationally recognized legal definition exists, though there are
SH
functional definitions that focus on general offense categories.35 Cyber-
crime is, therefore, most accurately defined as crimes that are perpetrated
over the Internet and that generally fall into two categories: first, those
that target computers and information stored on computers, and second,
LU

those that use a computer to facilitate another crime.

PN

ices by government agencies and mandates the transition of at least three projects for
every agency to the cloud by next summer [2012]." Kundra, supra note 12, at A27.
H

31. Kattan, supra note 26, at 623.

32. See, e.g., Gable, supra note 1, at 68.
33. Id. at 59-63.
34. See id. at 74-77. See generally Haley Plourde-Cole, Note, Back to Katz: Reason-
able Expectations of Privacy in the Facebook Age, 38 FORDHAM URB. L.J. 571 (2010);
Miriam F. Miquelon-Weismann, The Convention on Cybercrime: A Harmonized Imple-
mentation of InternationalPenalLaw: What Prospectsfor ProceduralDue Process?, 23
J. MARSHALL J. COMPUTER & INFO. L. 329 (2005).
35. Miquelon-Weismann, supra note 34, at 330-31 (drawing the functional defintions
from a 1990 document produced by the UN Centre for International Crime Prevention,
now integrated into the UN Office on Drugs and Crime); Eighth United Nations Congress
on the Prevention of Crime and the Treatment of Offenders, Havana, Cuba, Aug. 27-
Sept. 7, 1990, InternationalReview of Criminal Policy-UnitedNations Manual on the
Prevention and Control of Computer Related Crime 20-26, available at
http://www.uncjin.org/8th.pdf.
36. Decker, supra note 2, at 964; Neal Kumar Katyal, CriminalLaw in Cyberspace,
149 U. PA. L. REV. 1003, 1017 (2001).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.474

 2012] CASE FOR AN INT'L CYBER COURT & PENAL CODE 1145

When a cybercriminal targets a computer, (or, increasingly, someone's

mobile device 3 7) the computer may be victimized in ways analogous to
many other traditional crimes, not unlike a person who is assaulted
while walking down a street or a house that is vandalized. Alternatively,
the computer may be subjected to crimes that are unique to computers of
the Internet era. 39 There are many crimes that fall into the latter category,
though the average computer user may not be aware of the distinctions
among all of them.
Most of these crimes utilize specific programs to damage software.40
Viruses, perhaps the most well-known examples of malicious software
(sometimes called "malware"4 1), are programs that modify other com-
puter programs and can spread from one computer to another whenever a
file is transmitted between them, be it via the Internet, traditional disk, or

LA
other means. 42 While viruses generally require human direction before
travelling from one host computer to another, some can self-replicate and
transfer themselves. 43 These self-replicating programs are called
IM
"worms."
Today, viruses and worms often infect a computer through the user's e-
mail. Unsolicited bulk e-mails from commercial parties, usually with no
SH

preexisting relationship to the recipient, are known as "spam" and are

often the vehicle cybercriminals use to distribute their malicious soft-
LU

37. See, for example, Nick Bilton, Android Is No. 1 Target of Mobile Hackers,
PN

N.Y.TIMES (Aug. 25, 2011, 9:39 AM), http://bits.blogs.nytimes.com/2011/08/25/android-

number-one-target-by-mobile-hackers-report-says/?ref-anonymousinternetgroup, dis-
cussing hackers' preference for targeting phones that use Google's Android platform
because of Google's lax screening procedures for new mobile applications.
H

38. Eric J. Sinrod & William P. Reilly, Cyber-Crimes: A PracticalApproach to the

Application of Federal Computer Crime Laws, 16 SANTA CLARA COMPUTER & HIGH
TECH. L.J. 177, 187-88 (2000).
39. Dominic Carucci, David Overhuls & Nicholas Soares, Computer Crimes, 48 AM.
CRIM. L. REv. 375, 378 (2011). The article further differentiates between a computer
being the object of a crime and the subject of a crime. Generally, a computer is an object
of a crime when its hardware or its software is stolen. A computer is generally the subject
of a crime in when it is targeted in other ways, including those listed above the line here.
Id.
40. See id.
41. Id. at 379.
42. Id Carucci, Overhuls, and Soares provide an extensive description of the varying
kinds of malicious software that is highly informative and provides the foundation for
much of the information located herein.
43. Sinrod & Reilly, supra note 38, at 221.
44. Carucci, Overhuls & Soares, supra note 39, at 379-80; Katyal, supra note 36, at
1024-25.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.475

 1146 BROOK J INT'L L. [Vol. 37:3

ware. 45 This can be similar to a "Trojan horse," a program that has a le-
gitimate function but also contains hidden malicious coding.46 Where
spain is a specific e-mail crime, though, a Trojan horse can come from
any type of file or program, such as word processors or music files.4 7
Some malicious software programs, known as "logic bombs," may be
designed to activate malicious programs upon the occurrence of a spe-
cific event or on a specific date, while remaining dormant in the mean-
*48
time.
Entire computer networks can be specifically targeted by additional
kinds of malicious programs. "Sniffers" are programs that monitor and
analyze network data and can be used to acquire confidential information
including passwords, credit card numbers, and more. 4 9 "Web Bots" or
"spiders" are similar, although they go the extra step of creating search-

LA
able indexes of the data passing through the network, often overwhelm-
ing that targeted network with requests for information.50 Whether
through the use of spiders or merely as a mischievous end in itself, many
IM
cybercriminals target websites or networks with "denial of service at-
tacks," which debilitate sites by sending overwhelming numbers of sim-
SH
ple requests for connectivity. 5 '
It is important to note that each of the malicious software programs
listed above has the potential to be used constructively.52 For example, a
virus could be designed to repair glitchy software while a sniffer could
LU

be used as a network security program.53 However, cybercriminals are

particularly adept at utilizing these programs to wreak havoc. 54 One im-
portant factor in the success of these cybercrimes is the cybercriminal's
PN

ability to use someone else's computer as an agent from which the cy-
H

45. Carucci, Overhuls & Soares, supra note 39, at 379.

46. Katyal, supra note 36, at 1026.
47. Carucci, Overhuls & Soares, supra note 39, at 380.
48. Id.
49. Id.
50. Id.
51. Id. at 380-81; Katyal, supra note 36, at 1026-27.
52. See, e.g., Geoffrey A. North, Carnivore in Cyberspace: Extending the Electronic
Communications Privacy Act's Framework to Carnivore Surveillance, 28 RUTGERS
COMPUTER & TECH. L.J. 155, 162-63 (2002) (describing the FBI's use of a sniffer pro-
gram called Carnivore to monitor a suspect's e-mail and Internet activity). Use of these
devices by law enforcement has led to numerous debates regarding legal limits on Inter-
net users' reasonable expectations of privacy, both in the U.S. and internationally. See
Plourde-Cole, supra note 34; Kattan, supra note 26, passim.
53. See, e.g., Carucci, Overhuls & Soares, supra note 39, at 380.
54. See, e.g., Lentz, supra note 1, at 800.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.476

 2012] CASE FOR AN INT'L CYBER COURT & PENAL CODE 1147

bercriminal may then perpetrate more crimes with greater anonymity.55

For example, one hacker could use a sniffer to track the e-mail addresses
of thousands of employees in a particular company and then send each
employee spam containing a self-replicating worm program designed to
corrupt the user's computer in a number of different ways. Alternatively,
a hacker could track each of the employees' e-mail account passwords,
transcribing them into a spider-created database. Using these passwords,
the hacker would then be able to deliver a denial of service attack to the
company's network by overloading the system with requests to log into
each e-mail account simultaneously. Such tactics can make policing the
Internet and other networks exceptionally challenging. 6
The second major category of cybercrime uses a computer to facilitate
57
a separate, more traditional crime. Cybercriminals often utilize one or

LA
more of the corrupting programs discussed above to glean information
from potential victims or to disable security programs in furtherance of
committing underlying, non-computer-related crimes. Generally, there
IM
are four types of underlying crimes: identity theft or extortion, theft of
intellectual property, fraud, and the possession or distribution of child
SH
pornography. 59 While these four crimes typically have straightforward
statutory definitions, there are a number of areas, particularly those fo-
cusing on national security, where it remains unclear whether the use of a
computer has led to, or alone constituted, a crime. 60 The confusion stems
LU

in equal part from the frequently evolving technological landscape and

from the lack of uniformity in cybercrime statutes between international
bodies.6 1
PN

B. Legislation and Enforcement

Cybercrime poses unique challenges to law enforcement officials due
H

to three major factors: first, the lack of territorial jurisdictional bounda-

55. Carucci, Overhuls & Soares, supra note 39, at 381.

56. Id. at 377. Katyal relates a specific denial of service attack, perpetrated by a fif-
teen-year-old Canadian citizen in 2000, which underscores the daunting and complex
nature of these crimes. The hacker shut down some of the most popular websites, includ-
ing Amazon.com, CNN.com, Yahoo!, and others, by utilizing remote computers to or-
chestrate the attack, as well as three "dummy" websites, making it very difficult for law
enforcement to trace the attack. The FBI only learned of the hacker's identity after he
began bragging about the success of his cybercrime in Internet chartrooms. Katyal, supra
note 36, at 1027. For further discussion, see infra Part I.B of this Note.
57. Carucci, Overhuls & Soares, supra note 39, at 378.
5 8. Id.
59. Id. at 381; Decker, supra note 2, at 967-96.
60. See, e.g., Decker, supra note 2, at 962.
61. See, e.g., Gable, supra note 1, at 98, 100-04.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.477

 1148 BROOK. J INT'L L. [Vol. 37:3

ries in cyberspace; second, the lack of uniform cybercrime statutes

around the world; and third, the rapid and ongoing evolution of cyber-
crime. 62 Cybercriminals will continue to outpace law enforcement efforts
if states do not tackle each of these interrelating factors.63

1. General Challenges
One of the most unique features about cybercrime is that it operates in
a nonphysical realm that is free from territorial boundaries. As men-
tioned in Part I.A, cybercriminals have the capability of targeting com-
puters or networks anywhere in the world and may use third party com-
puters or networks, located in wholly different locations from either
themselves or their targets, as instruments.6 5 Any country that is trying to
prosecute a cybercriminal will find itself forced to contend with the fact

LA
that even a local hacker may have used, perhaps even inadvertently, In-
ternet connections in other countries to perpetrate a local cybercrime.
Additionally, the cybercriminal may reside in a country with conflicting,
IM
or nonexistent, cybercrime statutes.
A notable example of this kind of enforcement challenge occurred in
SH
early 2000, when hackers used stolen credit card information to extort
money from several American banks.67 Upon investigation, the Federal
Bureau of Investigation ("FBI") identified the suspected hackers as two
68
Russian nationals living in Russia. However, the United States did not
LU

have a mutual legal assistance treaty ("MLAT") with Russia that would
have allowed for the countries to extradite the suspects to the United
States.6 9 The FBI eventually tricked the hackers into coming to the
PN

United States under false pretenses, monitored their computer activity

during their time in America, and then used the information gleaned from
H

62. See Susan W. Brenner & Joseph J. Schwerha, IV, TransnationalEvidence Gath-
ering and Local Prosecutionof International Cybercrime, 20 J. MARSHALL J. COMPUTER
& INFO. L. 347, 369-75 (2002); Decker, supra note 2; Miquelon-Weismann, supra note
34; Amalie M. Weber, The Council of Europe's Convention on Cybercrime, 18
BERKELEY TECH. L.J. 425, 446 (2003).
63. Gable, supra note 1, at 98.
64. Miquelon-Weismann, supra note 34, at 334; Carucci, Overhuls & Soares, supra
note 39, at 417.
65. Carucci, Overhuls & Soares, supranote 39, at 417.
66. Miquelon-Weismann, supra note 34, at 335; Carucci, Overhuls & Soares, supra
note 39, at 417.
67. Weber, supra note 62, at 427-28.
68. Id
69. Id

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.478

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1149

watching the suspects' online movements to arrest them. 70 Any efforts to

limit these kinds of transnational law enforcement obstacles will neces-
sarily rely heavily on the existence of shared statutory definitions of cy-
bercrime terminology and the existence of domestic laws in each partici-
pating country that will allow for international cooperation. 7'
Establishing such cooperative relationships can be a herculean task as
the definitions for cybercriminal statutes vary from state to state in both
substance and semantics.72 This challenge has two components. First,
translators struggle to accurately maintain the same meaning of a statu-
tory definition or phrase in each state's official language.73 Second, the
connotative definition of a crime may vary significantly from one culture
to the next. 74
A recent event in Iran provided an illuminating example of the ever-

LA
present variances in legal doctrine. Iranian security forces arrested, and
in some instances physically beat up, seventeen young men and women
who participated in a squirt-gun fight that had been organized on Face-
IM
book. In a statement that might seem absurd to Western sensibilities,
one of Iran's lawmakers stated that Iranian security forces had to "stop
the spreading of these morally corrupt actions," referring to simple
SH

squirt-gun fights. 7 6 Though Internet-based activities played a secondary

role to the "criminal" acts of these Facebook users, this episode reveals
the challenges in identifying uniform definitions for cybercrimes. A gov-
LU

ernment that is deeply conservative, ideologically extreme, or facing

popular unrest may be more likely to consider a cybercrime that which is
PN

70. Id. Weber explains that the two cybercriminals attacked American banks and
credit card businesses repeatedly, broke into secured files, and extracted credit card and
merchant identification numbers. They used this information to demand that their victims
H

pay for "security 'consulting services,"' which resulted in large damages for the victims.
The FBI, after having its request for assistance snubbed by Russian authorities, used a
ruse in which it made the Russian hackers false job offers. While the hackers were in the
United States for their "interviews," the FBI used its own software to monitor the hack-
ers' communications with their computer servers in Russia to learn their passwords and
online identification information, and then accessed the hackers' own files to acquire
sufficient proof to make an arrest. Id.
71. See, e.g., Jennifer J. Rho, Comment, Blackbeards of the Twenty-First Century:
Holding CybercriminalsLiable under the Alien Tort Statute, 7 CHI. J. INT'L L. 695, 710
(2007).
72. Miquelon-Weismann, supra note 34, at 353.
73. Id.
74. Lama Abu-Odeh, A Radical Rejection of Universal Jurisdiction, 116 YALE L.J.
(Pocket Part) 393, 394 (2007).
75. Farnaz Fassibi, Iran's Wet Blankets Put a Damper on Water-Park Fun, WALL ST.
J., Aug. 31, 2011, at Al.
7 6. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.479

 1150 BROOK. J INT'L L. [Vol. 37:3

innocuous in many other countries, such as using social media to orga-

nize rallies or protests.77 Such a discrepancy can, in turn, affect interna-
tional cooperation. A state may refuse to extradite, investigate, or pro-
vide any other kind of assistance to another nation if the two disagree
over what modes of online conduct are criminal.
In some instances, states will be incapable of effective international
cooperation because statutory and treaty law often lags far behind what is
needed to effectively combat cybercrime.7 9 States may lack the re-
80
sources, technology, or procedures to effectively regulate cyberspace.
Even in technologically advanced countries like the United States, which
have taken a more active stance on legislating against cybercrime, differ-
ences of opinion about how best to legislate are abundant.8 1 For example,
juveniles or first time cybercriminals-committing only minor acts of

LA
mischief-may find themselves prosecuted under highly punitive statutes
that were intended to deter large scale cybercrimes.82 A more ubiquitous
challenge lies in the time-consuming nature of legislative processes,
IM
which hamstring states' ability to prosecute cybercrime whenever a new
technology spawns a new form of crime.83 Treaties and MLATs are sub-
84
SH
ject to similar obstructions, perhaps to an even greater degree.
These three major impediments-jurisdictional disputes, lack of uni-
form definitions, and the gradual pace of legislation and treaty forma-
LU

77. See Abu-Odeh, supra note 74, at 394; see also H. Brian Holland, The Failure of
the Rule of Law in Cyberspace?: Reorienting the Normative Debates on Borders and
PN

TerritorialSovereignty, 24 J. MARSHALL J. COMPUTER & INFO. L. 1, 32 (2005). Indeed,

several countries have issued bans on social media and specific technologies, particularly
in times of political turmoil. Syria, for example, banned certain Facebook features fol-
lowing the Tunisian revolution that launched the "Arab Spring" in 2011. Khaled Yacoub
H

Oweis, Syria tightens Internet ban after Tunis unrest-users, REUTERS (Jan. 26, 2011,
11:40 PM), http://in.reuters.com/article/2011/01/26/idlNIndia-54427520110126. Simi-
larly, the Democratic Republic of the Congo banned text-messaging after a disputed elec-
tion led to voter outrage and calls for organized protest. Thomas Hubert, DR Congo elec-
tion: Deaf anger at ban on texting, BBC NEWS (Dec. 14, 2011, 2:14 PM),
http://www.bbc.co.uk/news/world-africa-16187051. Even more recently, an Egyptian
court made it a crime for Egyptians to view Internet pornography. Amro Hassan, Court
bans Internet pornography in Egypt, L.A. TIMES: WORLD Now BLOG (Mar. 29, 2012,
7:09 AM), http://latimesblogs.latimes.com/world-now/2012/03/court-bans-intemet-porn-
in-egypt.html.
78. Brenner & Schwerha, supra note 62, at 357-58.
79. Miquelon-Weismann, supra note 34, at 335.
80. Weber, supra note 62, at 427-28.
81. Decker, supra note 2, at 976-77.
82. Carucci, Overhuls & Soares, supra note 39, at 378-79.
83. See Miquelon-Weismann, supra note 34, at 335.
84. Weber, supranote 62, at 443.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.480

 2012] CASE FORANINT'L CYBER COURT& PENAL CODE 1151

tion-can stymie states' effective cybercrime prevention either individu-

ally or in conjunction with each other. To date, cybercrime prevention
efforts have failed to sufficiently tackle all three factors simultaneously,
resulting in a patchwork of cybercrime statutes that leaves gaps for cy-
bercriminals to utilize as "safe data havens." 85 Nevertheless, states have
made significant efforts to create anti-cybercrime laws.

2. Preventative Efforts in the United States

In the United States, the first federal laws criminalizing unauthorized
access to computers were passed in 1984.86 The original set of laws com-
prised several provisions within the Comprehensive Crime Control Act, a
general crime statute.87 Over the next two and a half decades, the com-
puter crime provisions were expanded and recodified five times, most

LA
recently in 2008, resulting in what is now known as the Computer Fraud
and Abuse Act ("CFAA")." The CFAA protects computers used in inter-
state or foreign commerce or communications by prohibiting seven acts
IM
of computer-related crime. 89 Because the law has sought to keep up with
the quick clip of cybercrime's development, each of the five major ex-
SH
pansions of the CFAA has significantly broadened the scope and juris-
diction of the statute. 90 Though several Circuit Courts have narrowed the
application of the law, and despite a required threshold of $5,000 in
damage,91 some legal scholars argue that the CFAA has become danger-
LU

ously broad in that it potentially grants the United States government

jurisdiction over every Internet-connected computer in the world. 92 Oth-
PN

85. Miquelon-Weismann, supra note 34, at 336.

86. Orin S. Kerr, Vagueness Challenges to the Computer Fraudand Abuse Act, 94
MINN. L. REV. 1561, 1561 (2010). Kerr's article provides a detailed and comprehensive
H

legislative history of the Computer Fraud and Abuse Act, carefully examining each of the
major amendments to the bill over the last quarter century. Id.
87. Id.
88. Fraud and Related Activity in Connection with Computers, 18 U.S.C. § 1030
(2006) (effective Sept. 26, 2008); see Kerr, supra note 86, at 1561-71; see also Carucci,
Overhuls & Soares, supra note 39, at 392-96.
89. Carucci, Overhuls & Soares, supra note 39, at 392-94. The seven specific acts
that CFAA prohibits, which are discussed in more detail in Carucci, Overhuls, and
Soares's articles are generally 1) accessing and/or transmitting computer files without
authorization; 2) obtaining private information without authorization; 3) intentionally
accessing a government computer without authorization; 4) accessing a protected com-
puter with intent to defraud; 5) knowingly, recklessly or negligently damaging a pro-
tected computer through hacking; 6) knowingly trafficking in passwords with intent to
defraud; and 7) transmitting a threat to cause damage or to extort something of value. Id.
90. Kerr, supra note 86, at 1561.
91. Carucci, Overhuls & Soares, supra note 39, at 395.
92. See generally Kerr, supra note 86, at 1561.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.481

 1152 BROOK J. INT'L L. [Vol. 37:3

ers, however, warn that CFAA is still not broad enough to sufficiently
combat cybercrime because of its inapplicability to as-yet-undeveloped
forms of cybercrime and because of its minimum monetary require-
ment.93 These contrasting views reveal one of the major tensions in legis-
lating against cybercrime, namely the balancing of individual users' pri-
vacy rights with the public's interest in maintaining cybersecurity. 94
The United States has complemented the CFAA with a slate of addi-
tional statutes designed to target more specific cybercrimes.9 5 Among
these are the Control the Assault of Non-Solicited Pornography and
Marketing Act of 2003 ("CAN-SPAM"), which focuses primarily on
curtailing spam; the Electronic Communications Privacy Act ("ECPA")
and Stored Communications Act ("SCA"), which protect, among other
private data, e-mail accounts, voicemail accounts, and television signals;

LA
and various copyright, fraud, child pornography, identity theft, and even
cyber-bullying statutes. 9 6 This body of law, taken together, seeks to ad-
dress four basic needs created by cybercrime: "protection of privacy,
IM
prosecution of economic crimes, protection of intellectual property and
procedural provisions to aid in the prosecution of computer crimes."9 7
Other countries have tried to employ differing approaches to combat-
SH

ing cybercrime, but with little success. 98 Germany and France initially
tried to hold Internet Service Providers ("ISPs") liable for the content
they were transmitting, while Cuba has simply limited Internet access to
200,000 citizens. 99 Yet most industrialized countries are now adopting
LU

statutes, similar to the CFAA, that target unauthorized access to comput-

ers and private information by focusing on the four needs identified in
PN

93. See, e.g., Decker, supra note 2, at 1010.

H

94. See generally Kattan, supra note 26, passim; Goldstone & Reagan, supra note 25,
passim; Plourde-Cole,supra note 34, passim.
95. Carucci, Overhuls & Soares, supranote 39, at 396-410.
96. Id.; see also Control the Assault of Non-Solicited Pornography and Marketing
Act of 2003, Pub. L. No. 108-187, 117 Stat 2699 (2003) (codified at 15 U.S.C. §§ 7701-
7713 and 18 U.S.C. § 1937 (2006)); Electronic Communications Privacy Act of 1986,
Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended at 18 U.S.C. §§ 2510-
2521,2701-2710,3121-3126(2006)).
97. Carucci, Overhuls & Soares, supranote 39, at 418.
98. Id. at 417-18.
99. Id. However, Cuba has been unsuccessful in completely restricting Internet ac-
cess. This is primarily because those who have been permitted access, typically doctors
or academics, often sell their access information on the black market. Cuba and the inter-
net: Wired, at last, ECON. (Mar. 3, 2011), http://www.economist.com/node/18285798.
However, the Cuban government may be embracing a different approach to limiting In-
ternet access, given that Venezuela recently spent seventy million dollars to connect a
1,000-mile fiber-optic cable between itself and the island in March 2011. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.482

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1153

the U.S. statutes listed above.'oo One of the ongoing challenges facing all
countries, though, is the procedural and logistical challenges that stem
from pursuing cybercriminals who operate in a world free from jurisdic-
tional boundaries.10

3. Europe's Convention on Cybercrime

The Council of Europe's Convention on Cybercrime ("the Conven-
tion") marks the most ambitious international effort to combat cyber-
crime to date.102 The Convention was drafted in 2001 in an effort to ad-
dress those specific jurisdictional challenges that came about with the
evolution of the Internet and to facilitate greater cooperation between
nations fighting cybercrime. 0 3 It entered into force in January 2004 and,
as of April 2012, the Convention had been ratified by thirty-three coun-

LA
tries, including the United States.1
Each signatory to the Convention agrees to three obligations: first, to
criminalize certain computer-related conduct by statute; second, to estab-
IM
lish investigative and electronic-evidence gathering procedures; and
third, to assist in broad, international efforts to prosecute cybercriminals,
including cooperation with fugitive extradition efforts.'0o In addition to
SH

laying out suggested norms and standards for domestic cybercrime laws
and MLATs between party states, the Convention provides uniform defi-
nitions of at least four terms indelibly linked to cybercrime: "computer
LU

system," "computer data," "service provider," and "traffic data." 06

In this way, the Convention has made important progress in addressing
many of the challenges that plague cybercrime prevention. 0 7 The four
PN

definitions listed at the outset of the Convention mark some progress in

H

100. Id. at 418.

101. Miquelon-Weismann, supra note 34, at 335; Weber, supra note 62, at 425.
102. See, e.g., Gable, supra note 1, at 93.
103. Weber, supra note 62, at 425-26.
104. Convention on Cybercrime, COUNCIL OF EUROPE,
http://www.conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=
01/11/2011 &CL=ENG (last updated Jan. 1, 2011) [hereinafter Cybercrime, COUNCIL OF
EUROPE].
105. Miquelon-Weismann, supra note 34, at 329-30.
106. Council of Europe, Convention on Cybercrime, Nov. 23, 2001, E.T.S. No. 185
[hereinafter Convention on Cybercrime]. These definitions, listed at the beginning of the
convention, were drafted as a direct result of the United Nation's identification of "uni-
formity in law and consensus over definitional terms as two of the impediments that had
to be overcome in order to achieve meaningful cooperation and successful enforcement."
Miquelon-Weismann, supra note 34, at 338.
107. See generally Miquelon-Weismann, supra note 34; Weber, supra note 62, at 445-
46.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.483

 1154 BROOK. J. INT'L L. [Vol. 37:3

unifying terms across languages.108 Similarly, the document calls for par-
ties to the Convention to criminalize four categories of crime and lists
nine specific actions that should be criminalized. 0 9 Both of these provi-
sions streamline cooperation and enforcement processes, as do the addi-
tional provisions that call for signatories to establish a minimum set of
standardized legal procedures and to coordinate with each other by
means of MLATs and other agreements. 0
Perhaps the most important feature of the Convention, and the reason
for its growing list of participants,"' is that it allows participating states
to retain a sense of total sovereignty.1 2 All of the obligations placed on
signatories require only the creation of domestic law, not subjugation to
extraterritorial legislation,' 13 and while MLATs come with ratification of
the Convention, they do not supersede preexisting treaties.114 Further-

LA
more, parties to the convention have the right to make reservations that
limit their adherence to certain provisions or MLATs.n 5 National gov-
ernments find the Convention's deference to their own sovereignty reas-
IM
suring and may be drawn toward it, and future treaties on cybercrime,
because of this." 6
However, the Convention still falls far short of addressing all of the
SH

challenges of fighting international cybercrime. At a fundamental level,

108. Miquelon-Weismann, supra note 34, at 338.

LU

109. Weber, supra note 62, at 431. The first category of crimes focuses on protecting
privacy rights and specifically proscribes illegal access, illegal interception, data interfer-
ence, system interference, and misuse of devices. The second category outlaws fraud and
PN

forgery. The third category centers on content-related crimes, namely child pornography-
related offenses. The fourth category deals with copyright protections, as well as supple-
mental provisions relating to all of the aforementioned activities, such as corporate liabil-
ity standards and laws that forbid the aiding and abetting of cybercrime. Id.
H

I 10. Weber, supra note 62, at 433-34.

111. As of December 1, 2011, the following countries had ratified the Convention:
Albania, Armenia, Azerbaijan, Bosnia and Herzegovina, Bulgaria, Croatia, Cyprus,
Denmark, Estonia, Finland, France, Germany, Hungary, Iceland, Italy, Latvia, Lithuania,
Moldova, Montenegro, the Netherlands, Norway, Poland, Portugal, Romania, Serbia,
Slovakia, Slovenia, Spain, Switzerland, the former Yugoslav Republic of Macedonia,
Ukraine, United Kingdom, and the United States. Cybercrime, COUNCIL OF EUROPE, su-
pra note 104.
112. Weber, supra note 62, at 442.
113. Convention on Cybercrime, supra note 106.
114. Weber, supra note 62, at 441-42.
115. Id. at 443.
116. Miquelon-Weismann, supra note 34, at 354; see also David J. Scheffer, Staying
the Course with the International Criminal Court, 35 CORNELL INT'L L.J. 47, 59-60
(2002) (describing how the incorporation of the complementarity principle played a ma-
jor role in convincing the Clinton administration to sign the Rome Statute by addressing
fears of forfeited sovereignty).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.484

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1155

the Convention's deference to national sovereignty prevents the treaty

from adequately addressing one of the three major challenges of fighting
cybercrime listed earlier: obstructive jurisdictional boundaries." 7 Be-
cause not every state in the world is a party to the Convention, and be-
cause signatories can water down their own commitment through the use
of reservations, safe data havens for cybercriminals will continue to exist
throughout the world." 8 Furthermore, the treaty's reliance on local legis-
lation undermines the Convention's progress in harmonizing terminology
and criminal statutes-a party to the Convention may simply not meet its
obligation to criminalize each of the listed actions, thereby reducing the
efficacy of the treaty." 9 The reasons for not enacting a particular law
may vary, but the fact remains that the Convention offers no enforceable
standards to which participating parties must conform.120

LA
The Convention has two other significant weaknesses. First, it fails to
provide uniform procedural rules regarding privacy and other due proc-
ess rights for cybercrime suspects. 12 ' Even with mutual assistance be-
IM
tween two Convention signatories, where both have met all of the obliga-
tions laid out by the treaty, there may still be a conflict when one of those
two states has more invasive cyber search and seizure statutes than the
SH

other.12 2 The potential-indeed likelihood-of such discrepancies does

much to subvert the sense of cooperation the Convention is designed to
foster, as participating countries will balk at full participation in the
LU

treaty if they are not guaranteed what they consider fair treatment for
their citizens by other states.123 Second, the Convention, like all treaties,
is more difficult to amend than domestic legislation and therefore is still
PN

subject to another one of the major obstacles of cybercrime prevention-

obsolescence in the face of a rapidly changing environment.' 24
For these reasons, the Convention marks the best effort to date to com-
bat cybercrime yet still falls short of establishing the necessary legal
H

tools and authority to overcome the three major obstacles of traditional

territorial jurisdiction, disharmonious definitions of cybercrime terms,
and rapid technological advancement.125 Due to the ever-growing threat

117. Miquelon-Weismann, supra note 34, at 359; Weber, supra note 62, at 443.
118. Weber, supra note 62, at 443-44.
119. Id. at 442-43.
120. Miquelon-Weismann, supra note 34, at 353-54.
121. Id. at 340-41.
122. Id.; see also Brenner & Schwerha, supra note 62, at 350.
123. Miquelon-Weismann, supra note 34, at 360.
124. Weber, supra note 62, at 443.
125. Id. at 445-46. See generally Miquelon-Weismann, supra note 34.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.485

 1156 BROOK. J. INT'L L. [Vol. 37:3

that cybercrime poses to international security, though, law enforcement

agencies are bridging many of the legal gaps at an operational level. 126

4. The Growing Role of Multinational Task Forces

Whether working through informal, mutually beneficial relationships
or through formal mechanisms like Interpol and MLATs, law enforce-
ment agencies are finding methods to work together in order to prosecute
cybercriminals to a greater, though still limited, extent than the Conven-
tion allows.12 7 At a hearing before the United States House Financial
Services Committee's Subcommittee on Financial Institutions and Con-
sumer Credit in September 2011, an assistant director of the FBI's Cyber
Division testified that strategic discussions between the United States
and major allies have "resulted in increased operational coordination on

LA
intrusion activity and cyber threat investigations."l28 He added that the
United States "currently [has] FBI agents embedded full-time in five for-
eign police agencies to assist with cyber investigations," and that the FBI
IM
has "trained foreign enforcement officers from more than [forty] nations
in cyber investigative techniques over the past two years." 2 9 Similarly,
the U.S. Secret Service operates twenty-three offices abroad1 3 0 and de-
SH

ploys 1,400 agents trained in its Electronic Crimes Special Agent Pro-
gram throughout the world.131 When testifying to the United States Sen-
ate Committee on the Judiciary, a Deputy Special Agent in Charge of the
LU

Secret Service's Criminal Investigative Division endorsed such multina-

tional field work and said that "the personal relationships that have been
established in those countries [where the Secret Service operates offices]
PN

are often the crucial element to the successful investigation and prosecu-
tion of suspects abroad." 3 2 In addition to multinational task forces, law
H

126. Decker, supra note 2, at 1005. See also Brenner & Schwerha, supra note 62, at
394, which, written just before the initial development of multinational task forces, calls
for just such an integration of law enforcement efforts as an important tool in fighting
cybercrime.
127. See generally Brenner & Schwerha, supra note 62; Carucci, Overhuls & Soares,
supra note 39, at 419.
128. Cyber Security: Threats to the Financial Sector: Hearing Before H. Fin. Serv.
Comm. Subcomm. on Fin. Insts. & Consumer Credit, 112th Cong. 8 (2011) (statement of
Gordon M. Snow, Assistant Director, Cyber Division, Federal Bureau of Investigation).
129. Id.
130. Cybercrime: Updating the Computer Fraudand Abuse Act to Protect Cyberspace
and Combat Emerging Threats: Hearing Before the S. Comm. on the Judiciary, 112th
Cong. 4 (2011) (statement of Pablo A. Martinez, Deputy Special Agent in Charge, Crim-
inal Division, U.S. Secret Service).
131. Id
132. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.486

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1157

enforcement agencies are increasingly turning to private and nonprofit

corporations, particularly those that have international copyright en-
forcement programs, for assistance in combating cybercrime.133
These collaborative efforts exemplify the most promising methods to
prevent and prosecute cybercrime. The increased flexibility, rapid re-
sponse capabilities, and diverse populations within multinational task
forces make them better equipped to overcome the three major obstacles
of international cybercrime than treaties or any other regulatory mecha-
nism. Yet their efforts are still restricted by the red tape of jurisdictional
limits and mercurial relations between states.

C. UniversalJurisdiction
One innovative approach toward combating cybercrime calls for grant-

LA
ing every nation the right to prosecute cybercriminals under a universal
jurisdiction theory.134 Such an approach offers immediate benefits as a
powerful deterrent and as a means to reduce many of the restrictions that
IM
stem from traditional territorial jurisdiction.'35 It is helpful, then, to
briefly explore the historical usage of this rare legal principle.
SH
Universal jurisdiction grants any state the right to prescribe, adjudicate,
and enforce a law against a person regardless of that person's nationality,
the nationality of any victim, or the location at which the crime was
committed.' 36 Incumbent upon extending jurisdiction to such an expan-
LU

133. Id. Carucci, Overhuls, and Soares provide only one example of a private organiza-
tion working with law enforcement agencies, a software industry trade group called the
PN

Business Software Alliance, but they refer to multiple unnamed groups, as well. Carucci,
Overhuls & Soares, supra note 39, at 419.
134. See, e.g., Gable, supra note 1, at 104-17.
H

135. See generally id.; Rho, supra note 71, at 709-10.

136. M. Cherif Bassiouni, Universal Jurisdictionfor International Crimes: Historical
Perspectives and ContemporaryPractice,42 VA. J. INT'L L. 81, 89 (2001). Kenneth C.
Randall offers a more detailed definition of universal jurisdiction by describing jurisdic-
tion in this way:
[it] refers to a state's legitimate assertion of authority to affect legal interests.
Jurisdiction may describe a state's authority to make its law applicable to cer-
tain actors, events, or things (legislative jurisdiction [sometimes called "pre-
scriptive jurisdiction"]); a state's authority to subject certain actors or things to
the processes of its judicial or administrative tribunals (adjudicatory jurisdic-
tion); or a state's authority to compel certain actors to comply with its laws and
to redress noncompliance (enforcement jurisdiction). A state may not legally
assert legislative, adjudicatory, or enforcement jurisdiction over all persons and
things within the state's power and control.
Kenneth C. Randall, Universal Jurisdiction under International Law, 66 TEX. L. REV.
785, 786 (1988).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.487

 1158 BROOK. J. INT'L L. [Vol. 37:3

sive degree is the belief that allowing a state the authority to prescribe
and adjudicate a certain crime, or set of crimes, on behalf of the interna-
tional community is instrumental in preserving world order.13 7
For the most part, universal jurisdiction stems from customary law and
not from treaties between nations.'3 Because customary law is, gener-
ally, a set of rules and norms that affects every state-and creates a sense
of legal obligation on all states to conform to that set of rules-universal
jurisdiction, when applied to a specific crime, governs the entire commu-
nity of nations regardless of any country's express willingness to be
bound by it.139
One of the major obstructions to the expansive use of this legal tool is
that states must voluntarily relinquish some sovereign power.140 Because
states are hesitant to give up any jurisdictional power, the global com-

LA
munity must unquestionably consider a crime worthy of universal juris-
diction before such broad prosecutorial authority will be enforced. Since
the middle of the twentieth century, the "heinousness principle" has been
IM
the standard used to justify universal jurisdiction over crimes that are
"profoundly despised throughout the world."'41
Unsurprisingly, universal jurisdiction is rarely applied.142 The first, and
SH

to date most prominent example of universal jurisdiction was the global

137. Bassiouni, supra note 136, at 88.

LU

138. Anthony J. Colangelo, Constitutional Limits on ExtraterritorialJurisdiction:

Terrorism and the Intersection of National and InternationalLaw, 48 HARV. INT'L L.J.
121, 132 (2007).
139. Id. at 130-32. Colangelo provides a more detailed definition of customary inter-
PN

national law and describes it as being made up of

two components: (i) a general state practice, and (ii) a belief or intent to act
with legal purpose, or what is often called opinio juris. Customary law is uni-
H

versal in its application and is therefore theoretically binding on all states ....
By contrast, [treaty law] results from formal agreements among states and
binds only those states parties to the treaty.
Id at 131.
140. Eugene Kontorovich, The PiracyAnalogy: Modern Universal Jurisdiction'sHol-
low Foundation, 45 HARV. INT'L L.J. 183, 184-85 (2004); see also Christopher Harding,
The Internationaland European Control of Crime, in RENEGOTIATING WESTPHALIA 183,
190 (Christopher Harding & C.L. Lim eds., 1999) (noting that the rise in international
criminal prevention efforts in Europe toward the end of the twentieth century is "to some
extent associated with the weakening of the state structure"); see also Christopher Hard-
ing & C.L. Lim, The Significance of Westphalia: An Archaeology of the International
Legal Order, in RENEGOTIATING WESTPHALIA, supra, at 1, 8 (questioning why states
would "contrary to their own immediate self-interest, [accept] a limitation of their own
sovereignty" by recognizing international human rights).
141. Kontorovich, supra note 140, at 205; see also Gable, supra note 1, at 108.
142. See, e.g., Bassiouni,supra note 136, at 82.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.488

 2012] CASE FOR AN INT'L CYBER COURT& PENAL CODE 1159

prosecution of piracy 4 3 that began in earnest in the seventeenth cen-

tury.'" Any nation was allowed to try and execute pirates caught on the
high seas regardless of the nationality of the vessel the pirates chose to
attack or the original nationality of the pirates.14 5 Though piracy was
governed by universal jurisdiction before the advent of the heinousness
principle, any state that prosecuted pirates was nevertheless considered to
be preserving world order on behalf of the international community. 4 6
The crime of piracy easily lent itself to universal jurisdiction for two
interrelated reasons. First, the high seas were extraterritorial spaces that
most nations valued as a "global commons" essential for commerce.147
As a general rule, each state's jurisdiction on the high seas was limited to
its own citizens and its own vessels.148 Thus, in order to adequately pro-
tect the communal safety of the high seas, an exception was made to the

LA
usual jurisdictional rules and states were allowed uniquely broad author-
ity when prosecuting pirates.149 Second, pirates voluntarily eschewed
their own nationalities and disregarded the laws of all nations, thus mak-
IM
ing pirates, in the truest sense, outlaws.150 As the influential, eighteenth
century British jurist William Blackstone wrote, a pirate "'declare[ed]
war against all mankind' and thus 'all mankind must declare war against
SH

him. ',as
For centuries, piracy stood alone as the only crime that was governed
by universal jurisdiction. Slowly, slave trading became the second. 152It
LU

143. Gable notes, "although there does not seem to be a definitive definition of piracy,
it [is generally] defined as an act committed by non-state actors aboard a vessel on the
PN

high seas or outside of any state's jurisdiction." Gable, supra note 1, at 108. Kontorvich
offers a more specific definition, stating that while each nation has different statutory
descriptions, "the crime of piracy consists of nothing more than robbery at sea." Kon-
H

torovich, supra note 140, at 191.

144. Kontorovich, supra note 140, at 190.
145. Id.; Colangelo,supra note 138, at 144-45; Randall, supra note 136, at 791-98.
146. James D. Fry, Comment, Terrorism as a Crime againstHumanity and Genocide:
The Backdoor to Universal Jurisdiction,7 UCLA J. INT'L L. & FOREIGN AFF. 169, 175
(2002).
147. Kontorovich, supra note 140, at 190.
148. Randall, supra note 136, at 793.
149. Id.
150. Colangelo,supra note 138, at 144-45; Randall, supra note 136, at 791.
151. Colangelo, supra note 138, at 144. In the famous U.S. Court of Appeals for the
Second Circuit case Filartigav. Peiha-Irala,the court adopted similar language to Black-
stone when discussing the act of torture, conforming to the practice of linking crimes
newly held to be under universal jurisdiction to piracy. 630 F.2d 876, 890 (2d Cir. 1980).
The court held that "the torturer has become like the pirate and slave trader before him
hostis humani generis, an enemy of all mankind." Id.
152. Bassiouni, supra note 136, at 112.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.489

 1160 BROOK. J. INT'L L. [Vol. 37:3

was during the aftermath of World War II, though, that the heinousness
principle came into effect and that universal jurisdiction was extended
over a slate of new crimes, including genocide, war crimes, and crimes
against humanity.153 There exist additional crimes, like the hijacking of
planes, which have been universally condemned but have not yet reached
an accepted status under customary law to be governed by universal ju-
risdiction. 154
Proponents of expanding the usage of universal jurisdiction emphasize
its power to prevent crimes through its immense scope and applicability
to potential criminals all over the world.' In almost every instance
where a theorist seeks to justify extending universal jurisdiction over a
new crime, the basis for the extension is the crime's similarity to pi-
racy.'56 Currently, the crime (or class of crimes) that appears to enjoy the

LA
most popular justification for universal jurisdiction, and which is most
successfully analogized to piracy, is terrorism,1 57 though even it stands a
slim chance of facing true universal prosecution. IM
Any expansion of universal jurisdiction is met with persuasive oppo-
nents. Critics rightly challenge a number of factors, aside from the sacri-
fice of state sovereignty,' 58 which will be discussed in some detail in Part
SH

II.A of this Note. However, one standout criticism regarding universal

LU

153. Kontorovich, supra note 140, at 194, 204-05; see also Randall, supra note 136, at
800.
154. Bassiouni, supra note 136, at 115-34.
PN

155. Gable, supra note 1, at 108.

156. Kontorovich, supra note 140, at 204-06.
157. Colengelo writes,
Like pirates, terrorists, and in particular al Qaeda and those like al Qaeda, also
H

have opted out of the "law of society": they "acknowledge obedience to no

government whatever and act in defiance of all law," such as the law distin-
guishing between military and civilian targets . . . and their acts potentially tar-
get all states . . . . [B]y "throwing off his national character" in committing his
illegal acts of war, the terrorist has, like the pirate, exposed himself to the en-
forcement jurisdiction of all states. He too wages a lawless war under the color
of no state's authority.
Colangelo, supra note 138, at 145 (internal citations and punctuation omitted). Many
theorists suggest that universal jurisdiction should be applied to a wider array of legal
fields, such as drug-related crimes. See, e.g., Anne H. Geraghty, Universal Jurisdiction
and Drug Trafficking: A Toolfor Fighting One of the World's Most Pervasive Problems,
16 FLA. J. INT'L L. 371 (2004). Other scholars have pushed for universal regulation to
cover specific, more controversial issues like in vitro fertilization and embryonic regula-
tion. See, e.g., Sherylynn Fiandaca, Comment, In Vitro Fertilizationsand Embryos: The
Need for InternationalGuidelines, 8 ALB. L.J. SCI. & TECH. 337, 395 (1998).
158. See, e.g., Kontorovich, supra note 140; Abu-Odeh, supra note 74.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.490

 2012] CASE FOR AN INT'L CYBER COURT & PENAL CODE 1161

jurisdiction over cybercrime, discussed above, is the unresolved set of

limitations that stem from a lack of a unified set of cybercrime defini-
tions.15 9 Universal jurisdiction proponents point out that even piracy
lacks specific international definitions. 16 0 Theorists on both side of the
debate of universal jurisdiction note, under different lines of argument,
the troubling fact that if the same acts that generally satisfy the elements
of piracy are committed under the auspices of a sovereign state, they are
considered acts of privateering, an act neither subject to universal juris-
diction nor universally condemned. 161
Still, because cybercrime is a uniquely global problem, the debate over
whether it should be globally prosecuted via universal jurisdiction be-
comes a fundamentally important question. As this Note will explore
more fully in Part II.A, expanding universal jurisdiction to some degree

LA
over cybercrime will be an important element of any effective preventa-
tive legislation.

D. The ICC
IM
One relatively recent development in international criminal law has
SH
been the establishment of the ICC.162 Though this institution is still in its
infancy, its creation has been a landmark development in international
criminal law.1 63 Given the global nature of cybercrime, there can be little
doubt that international judicial bodies of some form will play at least a
LU

limited role in the prevention and prosecution of cybercrime.' Any

practical solution to the growing threat of cybercrime should therefore
include a role for a judicial body similar in design to the ICC.
PN

Representatives from a majority of the world's countries, gathered at

the United Nations Diplomatic Conference of Plenipotentiaries in 1998,
outlined the structure and powers of the ICC in what is now known as the
H

159. See, e.g., Abu-Odeh, supra note 74, at 394.

160. See Gable, supra note 1, at 108; see also Kontorovich,supra note 140, at 191.
161. Kontorovich, supra note 140, at 218-22; Colangelo, supra note 138, at 145.
162. See generally Remigius Oraeki Chibueze, The International Criminal Court:
Bottlenecks to Individual Criminal Liability in the Rome Statute, 12 ANN. SURV. INT'L &
COMP. L. 185 (2006); James F. Alexander, The International Criminal Court and the
Prevention ofAtrocities: Predictingthe Court'sImpact, 54 VILL. L. REV. 1 (2009).
163. See, for example, Chibueze, supra note 162, at 187, stating that the creation of the
ICC "was one of the remarkable achievements of the twentieth century."
164. See, e.g., Miquelon-Weismann, supra note 34, at 360-61 (advocating for the pas-
sage of a proposed "Treaty to Establish a Constitution for Europe," which would improve
upon the Convention on Cybercrime by providing "for the right to an effective remedy
and to a fair trial, presumption of innocence and right of defense, principles of legality
and proportionality of criminal offenses and penalties, and the prohibition against double
jeopardy").

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.491

 1162 BROOK. J INT'L L. [Vol. 37:3

Rome Statute. 165 The Rome Statute calls for a court that would have ju-
risdiction over "the most serious crimes of concern to the international
community"l 66 -including genocide, war crimes, and crimes against
humanity-and that would be situated in The Hague, the Netherlands. 16 7
The treaty entered into force and established the ICC in 2002, with 121
countries participating as of July 1, 2012.161
The idea of an international criminal court was not entirely a novel one
when the Rome Statute was drafted. 169 Beginning with the Nuremburg
Trials after World War II, which criminally prosecuted high-ranking Na-
zi officials for atrocities, the international community has moved steadily
in the direction of holding individuals liable for violations of internation-
al laws (where before only state-actors might have been held liable for
acts of genocide or war crimes). 170 The trend continued throughout the

LA
twentieth century, resulting in the creation of specific international crim-
inal tribunals, modeled to an extent on the Nuremburg Trials, for
atrocities committed in association with the conflicts in Yugoslavia and
IM
Rwanda. These tribunals were generally ad hoc, rendering jurisdiction
172
over only a specific country or over a specific series of events. Es-
tablishing a permanent court with potential jurisdiction over all countries
SH

was, in many ways, a natural next step.17 3

Because the potentially universal reach of the ICC was a concern for
many of the parties involved in drafting the Rome Statute, they reached a
LU

series of compromises that limited the ICC's jurisdiction in at least three

significant ways. 174 First, the ICC may only exercise its jurisdiction in a
particular matter if one or more of the parties has consented, either
PN

through ratification of the Rome Statute or by being a citizen (over the

165. Chibueze, supra note 162, at 185; Alexander, supra note 162, at 2-3.
H

166. Statute of the International Criminal Court, July 17, 1998, 2187 U.N.T.S. 90
[hereinafter Rome Statute].
167. Alexander, supra note 162, at 2.
168. ICC at a Glance, INT'L CRIMINAL COURT, http://www.icc-
cpi.int/Menus/ICC/About+the+Court/ICC+at+a+glance/ (last visited Apr. 24, 2012).
169. See Johan D. ven der Vyver, Personaland TerritorialJurisdiction of the Interna-
tional CriminalCourt, 14 EMORY INT'L L. REV. 1, 4-9 (2000).
170. Id. at 4-9.
171. These tribunals were officially titled the International Criminal Tribunal for the
Former Yugoslavia ("ICTY") and the International Criminal Tribunal for Rwanda
("ICTR"). IAN BROWNLIE, PRINCIPLES OF PUBLIC INTERNATIONAL LAW 569-71 (6th ed.
2003). As of late 2008, the ICTY had rendered judgments in sixty-seven cases and was
proceeding on forty-five more; the ICTR had judged thirty-seven with thirty-seven addi-
tional cases in progress. Alexander, supra note 162, at 12-13.
172. Alexander, supra note 162, at 12.
173. See id. at 2-3.
174. ven der Vyver, supra note 169, at 2, 60-65.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.492

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1163

age of eighteen) of a state over which the ICC held previously-vested

authority by treaty.175 Second, and perhaps most importantly, the ICC
must adhere to a policy of complementarity, meaning that it must remain
a court of last resort that only reviews an issue if no preexisting domestic
legal organism can, or will, hear it.' 76 Last, the United Nations Security
Council retains the power to request that the ICC defer any investigation
or prosecution for one year, a request that may be renewed for additional
year-long intervals. 7 7
The ICC has the potential to be an extremely effective criminal deter-
rent and prosecutorial mechanism. 7 8 However, proponents of the ICC
worry that its power is diluted though treaty compromises to a point of
being nearly moot.179 The restrictions, listed above, on its ability to hold
jurisdiction over various claims and issues put damaging limits on the

LA
court's purposes, they argue. so The notion of complementarity, in par-
ticular, may allow states to protect their own nationals from ICC prose-
cution by retaining domestic jurisdiction,18 and the Security Council's
IM
effective blocking power allows states that are not party to the Rome
Statute, including the United States, to prevent the court from reaching
SH
certain individuals.182 These jurisdictional handcuffs reveal the major
weakness of the ICC: its reliance on states for enforcement and valid-
ity. 83 The ICC lacks police or military forces, let alone its own source of
funding, and so it cannot apprehend suspects or enforce its own orders. 184
LU

It is therefore subject to the political whims of a state when requesting

that state arrest or surrender a defendant. 8 5 The ICC may also be unable
to functionally assist a weak state that seeks assistance in corralling crim-
PN

inals within its borders.1 86

175. Rome Statute, supra note 166.

H

176. Alexander, supra note 162, at 19; ven der Vyver, supra note 169, at 66-71.
177. Chibueze, supra note 162, at 199-200.
178. Alexander, supra note 162, at 19; ven der Vyver, supra note 169, at 9-10.
179. Chibueze, supra note 162, at 187; Jack Goldsmith, The Self-Defeating Interna-
tional Criminal Court, 70 U. CHI. L. REV. 89, 91-92 (2003).
180. See generally Chibueze, supra note 162.
181. Complementarity provides a comfort to states participating in the Rome Statute
similar to the deference to national sovereignty featured in the Cybercrime Convention.
Complementarity certainly played a key role in garnering enough support to ratify the
Rome Statute from the earliest stages of its inception. See JANN K. KLEFFNER,
COMPLEMENTARITY IN THE ROME STATUTE AND NATIONAL CRIMINAL JURISDICTIONs 79-
80 (2008).
182. Chibueze, supra note 162, at 217-18.
183. Alexander, supra note 162, at 11.
184. Id.
185. Id.
186. Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.493

 1164 BROOK J INT'L L. [Vol. 37:3

Ultimately, the success or failure of the ICC has yet to be seen. 187 Too
little time has passed for any substantive analyses to be made about the
court's effectiveness-to date only fifteen cases have been brought to the
court188 and the court reached its first verdict in March 2012.189 For the
ICC to have a long-term effect, the international community needs to
demonstrate a stronger consensus in support of the court's legitimacy and
the barriers to its operation need to be removed.190

II: THREE APPROACHES TO TACKLING CYBERCRIME ON AN

INTERNATIONAL LEVEL
The application and prosecution of criminal law in the international
arena always presents practical challenges.191 The issues of national sov-
ereignty, multinational cooperation, and a lack of enforcement mecha-

LA
nisms, discussed in Part I of this Note, are just the beginning of the list of
issues that plague any international efforts to regulate crime. Though cy-
bercrime is uniquely suited to international regulation, many of these
IM
same historical obstacles continue to exist. 19 2
An analysis of three distinct approaches to international regulation of
SH
cybercrime can highlight the way the international community's percep-
tion of international regulation-particularly with regard to international
courts-should evolve. The first approach calls for universal jurisdiction
over cybercrime. The second approach relies on states' domestic ratifica-
LU

tion of cybercrime statutes that are drafted by international bodies. The

third approach is the most radical, and yet the most pragmatic, calling for
PN

187. See id. at 55.

188. All Cases, INT'L CRIMINAL COURT, http://www.icc-
cpi.int/Menus/ICC/Situations+and+Cases/Cases/ (last visited Mar. 18, 2012); Alexander,
H

supra note 162, at 15.

189. Marlise Simons, Congolese Rebel Convicted of Using Child Soldiers, N.Y. TIMES,
Mar. 15, 2012, at A12. The ICC found Thomas Lubanga guilty of "recruiting and enlist-
ing boys and girls under the age of 15 and using them in war." Id. This first conviction
was not an overwhelming success for the court, though. The three-year trial was "halting
[and] arduous," ending with the three judges, two of whom wrote dissenting opinions,
harshly criticizing the prosecution for having been "negligent and ha[ving] delegated
investigations to unreliable paid go-betweens who had encouraged witnesses to give false
testimony." Id.
190. Alexander, supra note 162, at 27. Though there have been critics of the ICC from
the outset, a significant group of anti-ICC scholars and practitioners point to its slow start
as evidence that the court, by its very structure, is incapable of effectively prosecuting
international crimes. See, e.g., Elena Baylis, Reassessingthe Role ofInternationalCrimi-
nal Law: Rebuilding National Courts through TransnationalNetworks, 50 B.C. L. REV.
1, passim (2009); Goldsmith, supra note 179, passim.
191. See, e.g., ven der Vyver, supra note 169, at 8.
192. See generally Holland, supra note 77.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.494

 2012] CASE FOR AN INT'L CYBER COURT& PENAL CODE 1165

an international penal code for cybercrime regulated by an international

court and enforced by multinational task forces. As may often be the case
with a technology-based issue, traditional legal tactics, including the first
two approaches to cybercrime discussed here, are quickly becoming an-
tiquated and fail to meet challenges posed by a dynamic, expansive, and
rapidly mutating species of crime.19 3

A. UniversalJurisdictionfor Cybercrime
Extending universal jurisdiction over cyberspace and cybercrime can
be very attractive at first glance, though careful examination reveals that
it fails to address many of the problems presented by cybercrime and, if
applied, may create new areas of concern.
In her article "Cyber-Apocalypse Now: Securing The Internet Against

LA
Cyberterrorism and Using Universal Jurisdiction as a Deterrent," Kelly
A. Gable forcefully lays out the value of universal jurisdiction over cy-
bercrime, with particular focus on the major crimes that may be labeled
IM
terrorist acts. 195 The pivotal value of universal jurisdiction, as she argues,
is in its impact as a deterrent.' 96 Physical prevention being nearly impos-
SH
sible for multiple logistical and practical reasons,19 7 deterrence becomes
the most viable solution to the challenge of would-be cybercriminals.' 98
Universal jurisdiction alone, she argues, can provide the level of deter-
rence necessary because its broad reach can surmount many of the prac-
LU

tical challenges of locating, and then prosecuting, cybercriminals by po-

tentially stripping cybercriminals of any data safe-havens.1 99
Yet the very broadness of universal jurisdiction makes it a controver-
PN

sial approach to any crime.200 Though, as mentioned in Part .B of this

Note, its application has expanded significantly since the end of World
H

193. David R. Johnson & David Post, Law and Borders-The Rise of Law in Cyber-
space, 48 STAN. L. REV. 1367, passim (1996); Weber, supra note 62, at 443, 446.
194. See, e.g., Gable, supra note 1, at 105; Rho, supra note 71, at 699.
195. "Roughly defined, cyberterrorism refers to efforts by terrorists to use the Internet
to hijack computer systems, bring down the international financial system, or commit
analogous terrorist actions in cyberspace . .. Depending on his or her goal, a hacker could
just easily be a cyberterrorist as a cybercriminal." Gable, supra note 1, at 62-63.
196. Id. at 105.
197. These reasons include, among others, the political, religious and ideological na-
ture of the criminal's motives, along with challenges pinpointing, geographically, a "loca-
tion" of a crime that may utilize multiple computer systems in multiple countries. Id. at
100-05.
198. Id. at 105.
199. Id.
200. Kontorovich, supra note 140, at 184.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.495

 1166 BROOK. J. INTI L. [Vol. 37:3

War 11,201 the international community has identified compelling reasons

to be cautious in allowing its proliferation. 2 02 Specifically, two sets of
hurdles arise when considering the application of universal jurisdiction to
cybercrime: first, proponents must justify the use of such unusually ex-
pansive prosecutorial power to the international community, and second,
they must address the many practical implications in actually pursuing
cybercriminals without regard for territorial boundaries.20 3
At the outset, proponents of applying universal jurisdiction to cyber-
crime must first persuade the international community that the crimes
have reached a level of heinousness on par with other crimes granted
such an unusual international distinction, such as genocide or crimes
against humanity.204 "Heinous" crimes, as discussed, are generally de-
fined in vague terms, such as those crimes that are "shocking to the con-

LA
science." 20 5 Gable successfully argues that the very extreme acts of cy-
berterrorism-those that are of such a scale that entire financial or na-
tional security systems may be dismantled-may meet this standard. 20 6
IM
However, any crime that falls short of this conscience-shocking standard
may present difficult questions over whether the crime in question truly
warrants being subject to universal jurisdiction. 207 This dilemma also
SH

brings up the corollary practical concerns regarding the need for uniform
terminology and definitions discussed earlier. 208
Most proponents of universal jurisdiction for cybercrime draw the
LU

209
common analogies to piracy as a method of justification, suggesting
that the Internet is like the high seas-a valuable "global commons" es-
sential for commerce. For many of the reasons discussed in Part I.C,
PN

however, the historic crime of piracy on the high seas may fail to provide
an accurate analogy for cybercrime. States were more comfortable with
universal jurisdiction for piracy because pirates were readily identifiable
H

as nonstate actors and because their impact was limited to one ship at a

201. See Fry,supra note 146, at 176.

202. See, e.g., Bassiouni, supra note 136, at 82.
203. See, e.g., Abu-Odeh, supra note 74, at 394. Abu-Odeh, a universal jurisdiction
skeptic, suggests that universally prosecuted laws are likely to be promulgated by coun-
tries that are either economically or militarily powerful. She questions the impact of such
laws, which she suggests would be pro-Israel, and their correlating procedures on Pales-
tinians. Id.
204. See, e.g., Kontorovich, supra note 140, at 205-06.
205. Id. at 206.
206. Gable, supra note 1, at 118.
207. See, e.g., Kontorovich, supra note 140, at 206-07.
208. See supra Parts .B & I.C.
209. See, e.g., Gable, supra note 1, at 116; Kontorovich, supra note 140, at 184.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.496

 2012] CASE FOR AN INT'L CYBER COURT& PENAL CODE 1167

time.2 10 Pirates, put simply, did not present the kind of identification and
capture challenges posed by today's frequently anonymous cybercrimi-
nals, nor were they capable of dismantling entire countries through their
plundering.211 Unlike a physical capture on the high seas, law enforce-
ment agencies may have to contend with cybercriminals hiding out in a
host country while their criminal presence is manifested only on the
"high seas" of the Internet.212 Furthermore, the piracy analogy again rais-
es the question of uniform definitions, as highlighted by the example of
privateering.213 Because neither the heinousness standard nor the piracy
analogy provide decisive justification for universal jurisdiction, it is
unlikely that the international community will be easily convinced that
cybercrime meets historical standards for expanding this broad prosecu-
torial power.

LA
Assuming that universal jurisdiction could be justified, though, the
questions of terminology and definition become pivotal.214 Genocide, for
example, may be able to pass muster as a crime worthy of universal ju-
IM
risdiction because it is universally understood and definable in every lan-
215
guage without substantial controversy. Yet cybercrime, or cyberter-
SH
rorism, can present challenges by being more controversial in definition.
The term "terrorism," alone, may not be easily defined as it lacks mean-
ing in any uniform legal sense. 16 The adage of "one man's terrorist is
another man's freedom fighter" highlights the subjectivity of the defini-
LU

tion of terrorism217 and, as the Iranian squirt-gun fight episode demon-

strated, the same subjectivity may apply to cybercrime, generally. 218
Norming these standards and defining exactly what constitutes cyber-
PN

crimes or acts of cyberterrorism-something eminently important to the

enforcement of universal jurisdiction-will not be an easy task. There is
strong probability that those definitions and norms would be generated
H

210. Rho, supra note 71, at 715.

211. See Kontorovich, supra note 140, at 204-07, 210.
212. Rho, supra note 71, at 705.
213. Kontorovich, supra note 140, at 210-23.
214. Miquelon-Weismann, supra note 34, at 338.
215. See, e.g., Bassiouni, supra note 136, at 120.
216. Fry, supra note 146, at 182.
217. Id. Gable makes an unconvincing response to this argument, simply calling the
adage absurd for its inapplicability to crimes such as genocide and stressing that it "has
outlived its usefulness." Gable, supra note 1, at 114.
218. Lentz notes that the rapid pace of the cyberspace's evolution will guarantee that
any "workable definition [of cyberterrorism] would quickly grow stale." Lentz, supra
note 1, at 809-10. He suggests that while large, catastrophic terrorist acts might be easily
and universally identifiable, midlevel attacks require some kind of agreement, presuma-
bly based on an international consensus, to identify them as "terrorist acts." Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.497

 1168 BROOK. J INT'L L. [Vol. 37:3

by the world's more affluent countries, therefore reflecting a limited le-

gal perspective. 2 19 This kind of political orientation in the actual prosecu-
tion of cybercrimes marks an additional concern about the practicality of
simply extending jurisdiction beyond territorial borders.
Procedural concerns constitute yet another set of challenges. Even pre-
suming that universal jurisdiction allows for one country to prosecute an
identifiable defendant under a clear set of cybercrime statutes, current
domestic court structures may not be equipped to handle the unique
scope of such cases. 22 0 A cybercriminal may attack a global network with
a virus that can self-replicate and adapt to various computer systems and
programs,221 making the nature and temporal extent of the harm difficult
to specify with precision. In the event of such an attack, there may be
millions of victims located just within the prosecuting nation's bounda-

LA
222
ries, not to mention the number of victims that could be affected
worldwide on an ongoing basis. Such a vast and complicated case could
overwhelm a nation's judicial resources and few procedural mechanisms
IM
exist that could effectively control the scope and complexity of these le-
gal actions.223
SH
On balance, providing states with universal jurisdiction is impractical
as a sole solution to combating cybercrime, though it is an approach that
acknowledges many important realities. Gable successfully presents the
importance of deterrence in preventing the attacks of would-be cyber-
LU

criminals and correctly suggests that universal jurisdiction has a role to

play in the larger efforts to combat cybercrime. 22 4
PN

B. DomesticAdoption of InternationalStatutes
The creation of broad, multinational treaties-premised on traditional
notions of territorial sovereignty-provides a less radical solution to
H

dealing with cybercrime on an international level, though the very struc-

ture of such an approach threatens to limit its practicability. 2 25 The Con-
vention on Cybercrime provides a model for this tactic and highlights the

219. Abu-Odeh, supra note 74, at 394. Abu-Odeh suggests that an important concern
stems from the application of universal jurisdiction to the Israeli-Palestinian conflict. She
predicts that universal jurisdiction would lead to widespread prosecution of "Palestinian
Terrorism" but less vociferous prosecution of "Israeli Terrorism" because of Israel's
influence with more affluent countries. Id.
220. Rho, supra note 71, at 715.
221. Id.
222. Id.
223. Id.
224. Gable, supra note 1, at 118.
225. See generally Miquelon-Weismann, supra note 34; Weber, supra note 62, passim.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.498

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1169

important strengths and inherent weaknesses in relying on treaties to ad-

226
dress transnational cybercrime.
Multinational treaties can go far in making the initial strides of estab-
lishing norms and creating customary international law. 2 27 Moreover,
they can facilitate the domestic internalization of rules among participat-
ing states while still allowing each state to retain sovereignty.228 At the
most fundamental level, such treaties (building primarily off of the Cy-
bercrime Convention and UN Security Council resolutions against terror-
ism and other grave criminal acts) can articulate the existence of state
duties to prevent and respond to cybercrime.22 9 Without treaties to lead
the way on these fronts, nations may struggle to identify the proper ave-
nues through which they can combat cybercrimes that touch so many
different jurisdictions and actors.230

LA
Yet the value of treaties that rely on domestic legislation is limited to
these first normative steps. As discussed in Part I.B, such treaties bind
only member parties, who may still exert nonuniform efforts to com-
IM
ply. 23 1 For example, both Nation A and Nation B might criminalize the
same cyberactivity in line with a cybercrime treaty to which they are
SH
both members, but they may vary in their approach to computer monitor-
ing measures.232 Alternatively, Nation A might move rapidly to enact
universally agreed upon legal standards but will have the effectiveness of
their efforts frustrated by a slower moving legislature in Nation B233 In-
LU

consistencies such as these will keep cooperation between member states

problematic, particularly with regard to evidence sharing or extradition
234
provisions.
PN

Furthermore, a treaty that is too deferential to the sovereignty of par-

ticipating states is unlikely to resolve important jurisdictional dilem-
H

226. Miquelon-Weismann, supra note 34, at 334-35.

227. Weber, supra note 62, at 445.
228. See, e.g., Miquelon-Weismann, supra note 34, at 340-41.
229. Lentz, supra note 1, at 816.
230. Jennifer J. Rho provides one example of the way the United States might fight
international cybercrime on its own. She suggests that the Alien Tort Statute, 28 U.S.C. §
1350 (2006), might serve as the legal vehicle to prosecute claims, but concedes that this
approach is limited in that it relies either on treaty law or customary international law for
standing and generally may not apply for criminal prosecutions. She suggests, ultimately,
that the "Convention on Cybercrime's approach may be the best path to take." Rho, supra
note 71, at 717.
231. Weber, supra note 62, at 443-44.
232. Miquelon-Weismann, supra note 34, at 340-41.
233. Weber, supra note 62, at 428.
234. Lentz, supra note 1, at 820-22.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.499

 1170 BROOK. J. INT'L L. [Vol. 37:3

mas. 23 5 The Convention on Cybercrime, for example, is silent on the

proper course of action when more than one country in the treaty has a
236
valid jurisdictional claim over a particular act of cybercrime.
Ultimately, for such treaties to be successful they require universal par-
ticipation and binding provisions regarding the rules and procedures to
237
which states should adhere in passing their own legislation. However,
states would undoubtedly balk at such a powerful treaty and, even if they
agreed to sign and ratify it, would undermine the treaty's value through
the insertion of numerous reservations that exempted them from the most
stringent provisions.238 A multinational treaty, then, will play an impor-
tant role in mounting an initial international effort to fighting cybercrime,
but it will fail if it relies entirely on domestic action for enforcement.

LA
C. Vesting Jurisdictionin an InternationalCourt
The most promising method of preventing and prosecuting cybercrime
marries the use of universal jurisdiction and multinational treaties, but
IM
goes the extra step of vesting jurisdiction over an international penal
code on cybercrime in an international judicial body. By vesting jurisdic-
SH
tion over cybercrime in a court modeled after the ICC, the international
community can ensure that the authority of articulating definitions and
standards will rest within single entity that can adapt in tandem with this
ever-evolving field of crime.
LU

The Convention on Cybercrime, with its efforts to create a short list of

universal definitions and its growing list of member parties, provides an
important starting point in formulating an international penal code for
PN

cybercrime. In her article, "The Council of Europe's Convention on Cy-

bercrime," Amalie M. Weber articulates the values of establishing such a
code: "It could be changed more easily as technology develops . . . states
H

could better maintain consistency between their own legislative schemes

and the model code [and, finally,] the process of developing such a mod-
el code might yield superior solutions to the jurisdictional problems per-
meating cybercrime legislation."239 A detailed and specific penal code for
cybercrime would also alleviate many of the definitional discrepancies
that currently limit effective cooperation between various enforcement
agencies and would help web users know more precisely what response
their actions are likely to bring from regulators worldwide.240

235. Miquelon-Weismann, supra note 34, at 327.

236. Id. at 327.
237. Weber, supra note 62, at 444.
238. Id. at 441.
239. Id. at 445.
240. Holland, supra note 77, at 32.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.500

 2012] CASE FOR AN INT'L CYBER COURT& PENAL CODE 1171

An international penal code would require an extraterritorial regulatory

power for enforcement and review.241 Because cyberspace exists without
regard to territorial boundaries, universal jurisdiction proponents are cor-
rect to view the web as akin to the high seas. Unlike the high seas,
though, this is a unique and dynamic realm that requires its own system
of legal rules and regulatory processes that can evolve along with the
space itself.242 The potential scope of harm in cyberspace, as mentioned
earlier, far exceeds the amount of harm that a single pirate ship might
cause on the seas.243 Thus, tasking individual nations with the duty to
regulate cybercrime through universal jurisdiction may fail to address the
potentially global implications of a single crime and the potentially com-
peting interests of different states in prosecuting that crime. Moreover, a
single state, as discussed earlier, may be overwhelmed by the sheer vol-

LA
ume of victims, the complexity of the issues, or other procedural hurdles
unique to a major cybercrime.244
The structure of the ICC serves as an ideal template for an international
IM
court or tribunal holding jurisdiction over cybercrime for at least four
compelling reasons. First, the ICC's potential to reach various criminal
SH
actors is already internationally (though admittedly not universally) sanc-
tioned. As long as either a cybercriminal or that criminal's victims are
citizens of a country that is party to the Rome Statute, the ICC may have
jurisdiction over the matter.245 The international community's landmark
LU

creation of the ICC, with its novel jurisdictional scope and structure,
suggests that the creation of a similar court focused on cybercrime is not
too far-fetched.
PN

Second, a complementarity provision and a focus on only the most se-

rious international crimes, again modeled on the ICC, will ensure that
states may continue to exercise jurisdiction over less major cybercrimes
H

or those that only affect domestic actors. An international cybercrime

court would exercise jurisdiction over only those cases that affect global
classes of victims (those with populations that are enormous, dispersed

241. Id. at 9.
242. Holland, supra note 77, at 8 (providing an illuminating and comprehensive sum-
mary of the views of professors David R. Johnson and David Post, who articulated the
unique view of cyberspace as essentially its own territory, and the competing arguments
of Jack L. Goldsmith, who challenges their assertions that traditional jurisdictional
boundaries are inadequate for effective regulation of cyberspace); see also Johnson &
Post, supra note 193, passim.
243. See supra Part II.A.
244. Id
245. Chibueze, supra note 162, at 187.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.501

 1172 BROOK. J INT'L L. [Vol. 37:3

across multiple nations, or both), truly heinous crimes or terrorist acts, or

even impermissible cyberattacks between states.
Third, an international cybercrime court, much like the Supreme Court
in the United States, would have the ability to provide authoritative and
final interpretations over the international penal code and thus could
quickly adapt the law when necessitated by technological advancements.
Should a cybercriminal utilize a new technology to perpetrate a harmful
act in an as-yet inconceivable manner, the court would play the critical
role of interpreting the international cyber penal laws to evaluate whether
the criminal's actions fall within the international community's defini-
tions of illegal conduct. Moreover, the international can be structured to
be more liberal with regard to the procedural and privacy rights of defen-
dants than many national court systems,246 again increasing the likeli-

LA
hood of state participation in an international cybercrime court.
Finally, the rulings of such a court would benefit from the preexisting
multinational cybercrime task forces, which will be able to act as the
IM
court's otherwise-lacking enforcement mechanism.
The proposal's benefits reveal themselves when considered against a
SH
hypothetical situation in which, for example, a cybercriminal, in viola-
tion of one of the international cyber penal laws, launches a malicious
Trojan Horse through individuals' Facebook accounts. If the cybercrimi-
nal was an American, and substantially all of the victims were also
LU

Americans, then American courts would exercise jurisdiction over the

case. However, in the more likely case that the class of victims contained
individuals-including corporations and other organizational groups-
PN

from various countries, the international court would exercise jurisdic-

tion over the matter. Multinational law enforcement teams would coordi-
nate the investigation into the precise extent and nature of the harm and
H

would locate, arrest, and detain the criminal. A scenario in which one
country accuses another of cyberespionage or a coordinated cyberattack
provides a second helpful hypothetical. Before the states escalate to
armed conflict, the international court would have the opportunity to rule
on whether the actions of the accused nation constituted a violation of the
international penal laws and then propose a solution.
Of course, vesting jurisdiction over cybercrime in an international cy-
bercrime court or tribunal would still present a host of challenges. The
creation of such a court would surely mirror and perhaps surpass the cur-
rent hurdles the ICC faces in terms of speed, relevance, and authority

246. Harding, supra note 140, at 206. Harding notes that "protective rules [such as
double jeopardy] have of course a variable application and resilience at the national level
... but are increasingly capable of being invoked at the international level." Id.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.502

 2012] CASE FOR ANINT'L CYBER COURT & PENAL CODE 1173

mentioned in Part I.D above. Beyond these initial challenges, implement-

ing this Note's proposal would face at least three specific obstacles. First,
states will be hesitant to sacrifice sovereignty to an international body.
Some optimists may argue that placing the power to regulate cybercrime
in an international court would not necessarily be an extreme act because
the regulatory participation of non-state and multi-state entities, in addi-
tion to transnational common law-making, may already be blurring the
traditional boundaries of jurisdiction.24 However, giving an international
cybercrime court complete regulatory power would be a truly unprece-
dented shift in international law and will be a hard pill for many sover-
eign states to swallow. Second, significant efforts would be required to
draft both an international penal code and an international treaty creating
an international court or tribunal with specific power of review over cy-

LA
bercrimes. As discussed above, the lack of uniformity in cybercrime
definitions and the sluggish nature of treaty-making guarantee that pro-
ducing such documents will be exceptionally difficult. Finally, the new
IM
international court will be reliant on independent states to provide en-
forcement and funding, requiring a mechanism to ensure cooperation
between states.248 Though state enforcement agencies are increasingly
SH

working together via multinational taskforces to combat cybercrime,

binding them to such efforts may, again, run counter to states' traditional
notions of sovereignty.
LU

Still, there is ample support for the belief that a specialized cybercrime
court could serve as the most effective answer to cybercrime. The United
States may have already blazed the trail in recent years by creating fed-
PN

eral courts with specialized jurisdiction, most notably the United State
Court of Appeals for the Federal Circuit, which holds exclusive appellate
249
review over almost all patent cases in country. Congress created the
H

Federal Circuit and granted it review over the nation's patent appeals in
large part to harmonize the widely divergent approaches to patent law
that had evolved in different regions of the United States. 250 By allowing
a court to specialize in one area of the law, particularly one that is based
on complex and predominantly nonlegal underlying concepts, its judges

247. Paul Schiff Berman, The Globalization ofJurisdiction, 151 U. PA. L. REV. 311,
534-35 (2002).
248. Weber, supra note 62, at 445.
249. RICHARD A. POSNER, THE FEDERAL COURTS: CHALLENGE AND REFORM 6 (1996).
Additional specialized courts in the United States include, among others, the Court of
International Trade, the United States Tax Court, and the United States Court of Military
Appeals. 13 CHARLES ALAN WRIGHT ET AL., FEDERAL PRACTICE AND PROCEDURE § 3508
(3d ed. Supp. 2011).
250. POSNER, supra note 249, at 252-53.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.503

 1174 BROOK. J INT'L L. [Vol. 37:3

can develop an expertise that will be more likely to result in consistent

and practical rulings. 2 5 1 The success of the Federal Circuit in promulgat-
ing a consistent judicial gloss for patent law is likely to be repeated by a
cybercrime court. The probable emergence, and then prominence, of
"technocratic" judges 252 on a cybercrime court may also alleviate con-
cerns about the courts' inherent biases toward one kind of legal system or
set of policies, 253 reduce the chances that judges with no technical savvy
will permit overly intrusive search and seizure practices, and perhaps
even position it to hear civil cases254 in addition to criminal.
The ever-evolving and growing threat of cybercrime may serve as a
catalyst that pushes the international community to break away from its
traditional hesitancy to sacrifice state sovereignty to international organi-
zations. Conceivably, a truly global cyberattack of unprecedented, but

LA
plausibly catastrophic, proportions could usher in a rapid global response
that could result in an international cybercrime court gaining jurisdiction
over an international cyber penal code. States should act responsibly to
IM
take decisive action on this issue before such a cyberattack occurs.
SH
CONCLUSION
Cybercrime is a new and rapidly evolving form of crime that is
uniquely suited to international regulation and multinational enforce-
ment. Though universal jurisdiction and treaty-based approaches may be
LU

effective in combating cybercriminals to a certain extent, such efforts

PN

251. Edward K. Cheng, The Myth of the GeneralistJudge, 61 STAN. L. REV. 519, 549
(2008).
252. In his article exploring the policy-making role of ICC judges, Jared Wessel notes,
specifically within the realm of humanitarian law, that "the line between the administra-
H

tive technocrat and the public international legal mind becomes blurred, if not irrelevant"
because of the role technocratic bodies have played in addressing global political issues
like terrorism. Jared Wessel, JudicialPolicy-Makingat the InternationalCriminal Court:
An Institutional Guide to Analyzing International Adjudication, 44 COLUM. J.
TRANSNAT'L L. 377, 439-40 (2006).
253. Such biases in international courts may derive from the nationality ofjudges, their
personal philosophical approach to the role of international adjudicatory bodies, or from
the political realities that stem from their court's reliance on the cooperation and support
of the sovereign governments they may be presiding over. See Jacob Katz Cogan, Inter-
nationalCriminal Courts and FairTrials: Difficulties and Prospects,27 YALE J. INT'L L.
115, 135-36 (2002).
S11l,
254. While this Note is focused primarily on criminal law, Moritz Keller provides an
interesting analysis of the role the International Court of Justice can play in handling
Internet-based civil cases, with a particular focus on international e-commerce laws. See
generally Moritz Keller, Lessons for The Hague: Internet Jurisdiction in Contract and
Tort Cases in the European Community and the United States, 23 J. MARSHALL J.
COMPUTER & INFO. L. 1 (2004).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.504

 2012] CASE FOR AN INT'L CYBER COURT & PENAL CODE 1175

will be most effective in the context of establishing an international cy-

bercrime penal code and vesting jurisdiction over that body of law in an
international cybercrime court. While this solution admittedly faces
daunting challenges, the preexisting and growing presence of multina-
tional taskforces lends an enforcement mechanism that has heretofore
been absent in most international courts-an exception to the norm that
makes placing authority in a new international court at once more feasi-
ble and, therefore, potentially objectionable to sovereign states. Anything
short of this level of action, however, will continue to leave the world in
an ever-more precarious position in which cybercriminals threaten to
harm individuals, cripple global economies, and disable entire nations.

Nicholas W. Cade*

LA
IM
SH
LU
PN
H

* B.A., Colby College (2008); M.S.T., Pace University (2010); J.D., Brooklyn Law
School (expected 2013); Editor-in-Chief, Brooklyn Journal of InternationalLaw (2012-
2013). I owe a special tribute to all of the teachers and professors who played a role in
my education and personal growth; whether directly or indirectly, they have each made
profound contributions to this Note. I would also like to thank the staff of the Brooklyn
Journal of InternationalLaw for their assistance in preparing this Note for publication.
Finally, for her unwavering faith and unending support, I dedicate this Note to Christina
Evriviades. All errors or omissions are my own.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.505

 LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.506

 Cyber Crime:
A Growing Problem
Dr Rita Esen*
Abstract The openness of the global network has given rise to a need to
protect Internet users against criminal activities online. The escalating
incidents of cyber crime have moved lawmakers in different systems to
focus on these new and growing problems as they seek to put in place legal
procedures and frameworks to combat Internet-related offences. The
global nature of cyber crime has moved various governments and inter-
national organisations to promulgate laws and adopt international agree-
ments that will combat Internet crimes. These steps are being taken to give
Internet users confidence by ensuring certainty in the legal requirements
relating to the use of the global network.

For electronic commerce to experience the level of growth that has been
predicted, security of electronic information is vital. By security' of

LA
electronic information is meant the protection of availability, confidenti-
ality and integrity of information in cyberspace. Availability is the char-
IM
acteristic which makes such information accessible and usable in the
required manner. Confidentiality is the characteristic which renders the
data inaccessible by unauthorised persons and entities. Integrity pre-
SH

serves the accuracy of the information and provides the assurance that
electronic data has not been altered.
It has, however, been recognised that although the Internet offers
LU

consumers greater access to information and opportunities, it provides

criminals with a new channel for committing fraud. Although the
concept of 'cyber crime' has not yet been given a generally accepted
PN

definition, it conveys illegal activities largely or completely performed

using a computer connected to the Internet. In today's digital age it is
difficult to detect and tackle Internet crime as the law has found it
H

difficult to keep pace with technology.2 This lawlessness on the Internet

may lead to lack of trust in electronic commerce on the part of con-
sumers and businesses.
In this open global network threats to electronic information security
can arise from internal and external sources. Internal manipulation of
electronic data by disgruntled employees and consultants is rampant.
These groups of people, who normally have valid access to their com-
pany's systems, may take steps to disrupt its business operations or steal
proprietary, sensitive or financial information. As insiders know how

* E-commerce Law Consultant, e-Business Centre, University of Northumbria.

1 The Trade and Industry Select Committee in its 10th Report of July 1999 predicted
that business-to-business e-commerce worldwide will increase from $43 billion in
1998 to $300 billion by 2002; the International Data Corporation has predicted that
e-commerce between businesses and consumers would grow from $7 billion
worldwide in 1998 to $80 billion in 2002.
2 'Internet Crime Causes Problems For Law Enforcers', 12 December 1999, Reuters,
at www.infowar.com/law/99/law-where it is stated that fighting cyber crimes is
limited by national legal constraints as the legal system depends on physical
evidence.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.507
The Journal of Criminal Law

their systems work, their attacks are easier, more frequent and some-
times more damaging than external attacks. At times unintentional
damage to massive amounts of data could result from inadequate train-
ing or negligence of employees. Apart from disruptions caused by em-
ployees, external groups and individuals who obtain unauthorised
access to computer systems could commit crimes which could do serious
harm to large amounts of data and the organisational viability of a
corporate system.
This article focuses on the growth of cyber crime and the challenges
facing law enforcement agencies in combating this category of crime. It
also highlights the initiatives of different governments and international
organisations in addressing this growing problem.

Some examples of cyber crime

Criminal activities on the Internet are in different forms, most of which
concern obtaining unauthorised access to computer systems, manipulat-
ing and using confidential information. The following are some exam-

LA
ples of crime committed on the open network. IM
Hacking
Hackers are those who hunger for details about computer systems and
SH

use devious or even illegal means to satisfy their curiosity. By using

software tools, hackers can break into computers to steal data, plant
viruses or work any other mischief. Manipulation and disruption of
electronic information by hackers through access to voice-mail, e-mails
LU

and long-distance telephone connections are costing companies more

than $1 billion every year.'
In September 1999, for example, hackers broke into and vandalised
PN

the websites of Nasdaq and the American Stock Exchange which was
referred to as 'a bold electronic affront to the world's financial markets'. 4
It has been noted, however, that although hackers are causing tremen-
H

dous damage, online companies are often reluctant to report attacks by

hackers for fear of discouraging business and encouraging other hackers
to take their turn. 5

Software piracy
The advent of powerful, inexpensive computers together with easy
access to information on the Web has brought about illegal copying and
distribution of software on the Internet. Computer software companies
have, as a result, suffered at the hands of pirates who copy software
without authorisation and sell the copied software for significantly
lower prices.' The ease of distributing copyright work in the current
3 W. Roush, 'Hackers: Taking a Byte Out of Computer Crime' at
www.techreview.com/articieslapr95/Roush.html.
4 'Hackers Vandalise Nasdaq Website', Financial Times, 16 September 1999 at 6.
5 P.Ross, 'Congress Set To Crack Down On Hackers', 27 October 2000, CNET News at
news.cnct.com/news.html.
6 P.Taylor, 'Software Pirates Boom on the Internet', Financial Times, 2 February 1999.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.508
 Cyber Crime: A Growigq Problem

digital age exposes Internet users to the risks of fraudulent software

purchases. In addition, Internet software piracy may work as a drain on
national economies as the reduced prices of the pirated software may
bring about loss of national income. Apart from the issue of national
economies, digital piracy also infringes owners' economic and moral
rights.'

Child pornography
Despite its various benefits, the Internet has provided paedophiles with
a new tool. This medium is now being used by child pornographers to
lure and prey on children by distributing materials through online chat
rooms. This crime may be more difficult to detect when it is done on the
Internet as paedophiles may use sophisticated encryption to hide their
activities. An example is the September 1998 incident when 180 mem-
bers of an Internet pornography ring were arrested after an inter-
national police operation involving 12 countries. This massive collective
arrest, which included seven British men, cracked down on what was

LA
known as the 'Wonderland Club'."
The US government has already taken steps to address this problem in
its jurisdiction. In July 2001 the US Senate enacted the Cybermolesters
IM
Enforcement Act 2001, which provides for the effective punishment of
online child molesters. Section 3 of the Act specifically authorises the
SH

interception of communications in the investigation of sexual crimes

against children.'

Passwordsniffers
LU

Password sniffers are programs that monitor and record the names and
password of Internet users as they log on to the network. The programs
work by collecting bytes of the computer that is being monitored by the
PN

installer of the sniffer. When a network user types in a user name and a
password, the sniffer collects the information and passes it on to the
installer. With the use of this information the installer logs on to the
H

system, has access to restricted documents and can manipulate informa-

tion held therein.'0 An active sniffer can detect hundreds of passwords in
a matter of hours, directing them to a computer where they can be used
for unauthorised intrusions.

Denial-of-service attacks
This is an attack by an intruder which prevents a computer user or
owner access to the services available on his system. It may involve
sending large amounts of traffic to a website which blocks it, preventing
users from gaining access and making it inaccessible to the outside

7 M. Stone, 'Actors Urge Stronger Online Piracy Protection', 13 December 2000,

Newsbytes. Stone reports how Hong Kong actress Maggie Cheung called for
worldwide protection against digital piracy.
8 R. Barry, 'Seven Britons Guilty over Child Porn Ring' at www.ZDNet.uk.
9 An overview of this Act can be found at http://frwebgate.accessgpogov
10 For an explanation of the functioning of password sniffers, see G. Turnbull,
'Cybercrimes, Crackers and Password Sniffers', 21 June 1999, PA News at
www.infowar.com/law/99/law.html.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.509
The Journal of Criminal Law

world. This kind of attack can bring down an enterprise's network thus
causing disruption and damage." In February 2000, the US networked
world realised the disruption that can be caused by this sort of attack
when cyber criminals blocked services to and from major US companies
such as eBay, Amazon.com, CNN.com and Yahoo.

Computer fraud
Apart from hardware and software crimes, fraud perpetrators are also
into marketing scams. Statistics show that such scams are targeted at
older consumers. 2 Marketing and telecommunications advances in the
information age have, therefore, given con artists and fraud promoters a
worldwide target. Fraudulent prize promoters are disguising themselves
as legitimate businesses and advertising businesses that are non-
existent. These conmen package their scams in styles that resemble
prominent businesses, thus deceiving and defrauding the public.' 3
Internet-based scams on consumers have included pyramid schemes
which are multi-level marketing programmes and provide financial

LA
incentives to recruit new distributors. Pyramids compensate distributors
almost exclusively for recruiting other distributors. The schemes are
fraudulent as the pyramid collapses when new distributors cannot be
IM
recruited and most people lose their money.
Another consumer fraud on the Internet is cyber piracy. Online
SH

pirates are now selling counterfeit goods on the Internet at an alarming

rate. The UK Minister, alerted the attention of the public to this new and
growing online crime when he stated:
LU

It is extremely important that we help consumers to become more aware of

the consequences
4
of their actions when they . . . purchase these illegal
products. '
PN

In an attempt to tackle the growing problem of Internet fraud, the US

Federal Trade Commission (FTC) organised 'surf days' in 1997 to iden-
tify and close down websites that were involved in deceptive practices.
H

In April 1997, a 'Business Opportunity Surf Day' uncovered several

hundreds of Internet sites which made suspicious earning claims for
start-up businesses. After sending e-mails to them the FTC staff dis-
covered that nearly 23 per cent of the sites had removed their deceptive
claims. In November of the same year 168 websites were identified as
promoting pyramid schemes in the US and after warning from the FTC
most of those sites were removed.

I I See S. Gold, 'Denial of Service Attacks Planned for Christmas', 17 November 2000,
Newsbytes. Gold warns managers of major websites to be beware of this kind of
attack and to take steps to prepare for it, so that any resulting damage is reduced to
the minimum.
12 An American Association of Retired Persons (AARP) survey of citizens aged 50
years or over undertaken in 1996 revealed that 5 per cent of respondents received
calls from telemarketers at least once a week. See also K. Landreth, Tele-scams
Exposed: How Telemarketers Target the Elderly: Hearing Before the Senate Special Committee
on Aging, 104th US Congress, 2nd Session, 31 March 1996.
13 See Committee on Government Operations, The Scourge of Telemarketing Fraud: What
Can Be Done Against It? (1998) at www.ftc.gov/report/Fraud.htm.
14 J. Lyons, 'Forum to Tackle Internet Pirates', 24 November 1999, PA News.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.510
272
 Cyber Crime: A Growing Problem

Legal regulation of cyber crime

Recognition of increasing unauthorised access to computer systems by
criminals in the late 1980s was highlighted by the case of Gold." In that
case, the defendant who gained unauthorised access into and used a
computer network by entering a number and password on a keyboard
was indicted for forgery under the Forgery and Counterfeiting Act 1981.
The House of Lords held that an offence had not been committed under
this Act as it could not be said that the password and number had been
'recorded or stored' within the meaning of s. 8(l)(d) of the 1981 Act.
This provision requires that information should be stored for some
appreciable time, and should not be a momentary use, as was the case in
Gold.
The decision in Gold was regarded as generally unsatisfactory, espe-
cially by those working in the computer industry. This led to the publica-
tion by the Law Commission of Law Com. Working Paper No. 110,
Computer Misuse (1988). This working paper examined the scope of the
law regarding computer misuse and made proposals for changes in the

LA
area of computer crime. In 1990 a Bill on computer crime was steered
through Parliament and resulted in the Computer Misuse Act 1990.
IM
Among other things the Act addresses the situation found in Gold
above by making the mere fact of obtaining unauthorised access the
basis of liability. To this effect s. 1 of the 1990 Act provides:
SH

(1) A person is guilty of an offence if-

(a) he causes a computer to perform any function with intent to
secure access to any program or data held in any computer;
LU

(b) the access he intends to secure is unauthorised; and

(c) he knows at the time when he causes the computer to perform the
function that that is the case.
PN

Breach of this provision can be punished by a term of imprisonment not

exceeding six months or a fine of up to £5,000, or both.
This provision is, however, very broad in that it makes the commis-
H

sion of a computer offence dependent on causing a computer to perform

a function with the intention of securing access to a program or data
in a computer. The effect of s. I of the 1990 Act is to criminalise any act
of a user which causes a computer to display or transmit information
without authority to do so. Section 17 of the 1990 Act defines authority
as being the entitlement to control access or have the consent of the
person that has such control.
In Attorney-General'sReference (No. I of1991)16 the respondent, without
authorisation, accessed a supplier's computer and used it to obtain
discounts on goods purchased by him from the supplier contrary to
s. 2(1) of the 1990 Act. By so doing he secured unauthorised access to
the computer, in contravention of s. 1(1) of the 1990 Act, with intent to
commit a further offence of false accounting. The trial judge held that
the wording of s. 1 required the use of a second computer. Overruling
the judgment of the trial court, the Court of Appeal held that the
15 [1988] 2 WLR 984.
16 FOR
119921PRIVATE
3 WLR 432.
CIRCULATION ONLYHPNLU SHIMLA Page No.511
The Journal of Criminal Law

provisions of s. l(1)(a) of the 1990 Act could be contravened with the

use of one computer. The court emphasised that the wording of this
subsection:
causes a computer to perform any function with intent to secure access to
any program or data held in any computer
does not imply the use of two computers. According to the Court of
Appeal, the offence had been committed, given the plain and ordinary
meaning of s. 1(1), even if one computer was used.
In order to address the issues of conspiracy and attempt, s. 2 of the
Computer Misuse Act 1990 provides:
(1) A person is guilty of an offence under this section if he commits an
offence under section 1 above ('the unauthorised access offence') with
intent-
(a) to commit an offence to which this section applies; or
(b) to facilitate the commission of such an offence (whether by himself
or by any other person);
and the offence he intends to commit or facilitate is referred to below in this

LA
section as the further offence.
In Re Allison,17 Mr Allison was arrested upon a provisional warrant
IM
under the Extradition Act 1989 at the request of the US government and
was charged with conspiring with Joan Ojomo, an employee of
SH

American Express:
1. to secure unauthorised access to the American Express computer
system with intent to commit theft;
LU

2. to secure unauthorised access to the American express computer

system with intent to commit forgery; and
3. to cause unauthorised modifications of the contents of the
PN

American Express computer system.

The Bow Street Stipendiary Magistrate committed Mr Allison on the
H

third charge but declined to commit him on the first two charges on
the ground that the employee had been authorised to control access
to the computer in accordance with the definition of 'authorised' in
s. 17(5) of the 1990 Act. This reasoning was later upheld in the Divi-
sional Court.
The US government brought judicial review proceedings challenging
the decision that there had not been a conspiracy to commit offences
falling within s. 2 of the Computer Misuse Act 1990 as alleged in the first
and second charges. The Divisional Court dismissed the judicial review
proceedings and upheld the magistrate's decision. An appeal by the US
government to the House of Lords was allowed on the ground that
authority to access one piece of data on a computer system should not be
treated as authority to access other pieces of data 'of the same kind'. The
House of Lords emphasised that the relevant person, Joan Ojomo, did
not have authority to access the data that she used in the particular

17 R v Bow Street Metropolitan Stipendiary Magistrate, ex p. United States (No. 2); sub nom
Re Allison 11999] 4 All ER 1.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.512
 Cyber Crime: A Growing Problem

instance. Their Lordships held that she did not have a blanket authorisa-
tion to access any account or file not specifically assigned to her to work
on. Any access by her to an account which was not so authorised would
constitute an unauthorised access under s. 1 (1) of the 1990 Act.
The ease with which electronic data can be manipulated and altered
shows the vulnerable situation of Internet users. Where electronic
information is deleted or modified, the whole or a part of those data may
never be retrieved and this may turn out to be a costly experience. To
address the problem of data modification, s. 3 of the Computer Misuse
Act 1990 states:
(1) A person is guilty of an offence if-
(a) he does any act which causes an unauthorised modification of the
contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the
requisite knowledge.
Modification in this context consists of alteration of, addition to or
deletion of any part of a piece of electronic data.

LA
In Maxwell-King, 8 the defendant had unlawfully incited a third party
to commit an offence by supplying that party with a device which was
used to cause unauthorised modification of electronic data after access-
IM
ing a computer. The Court of Appeal held that an offence had been
committed under s. 3 of the Computer Misuse Act 1990 although it was
SH

not serious enough to merit a term of imprisonment. The court substi-

tuted a community service order for the custodial sentence of four
months' imprisonment that had been imposed.
LU

Regulation of Investigatory Powers Act 2000

PN

The Regulation of Investigatory Powers Act 2000 was promulgated to

ensure that the UK's law enforcement authorities and security agencies
have sufficient powers to intercept communications taking place via the
H

Internet so that they discharge their responsibilities effectively.

The provisions of the 2000 Act cover four main areas:
1. the interception of communications;
2. intrusive surveillance;
3. the use of covert human intelligence sources;
4. access to and compulsory disclosure of encrypted data.
Key features of the Act in this context are that it:
(a) authorises the government to demand that Internet Service Pro-
viders (ISPs) access their customers' communications in secret;
(b) permits the government to require ISPs to fit equipment that
enables the ISPs to perform surveillance. Although the govern-
ment will contribute to the cost of fitting the equipment, there is
concern that this could lead to the government requiring ISPs to
install 'back doors' into their systems for the purposes of monitor-
ing electronic communications;

18 The Times (2 January 2001).

FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.513
The Journal of Criminal Law

(c) authorises the government to access Internet traffic data for the
purpose of national security and detection of crime among other
things;
(d) enables the Secretary of State to serve interception warrants to
perform mass surveillance;
(e) makes it illegal for data obtained by surveillance to be used as
evidence in legal proceedings.
Interception involves the modification of, monitoring of or the inter-
ference with a telecommunication system by the use of a mechanism
that makes all or some of the contents of the transmission available to
another person. Where the interceptor has reasonable grounds under
the Act for intercepting, the interception will be deemed lawful. To be
able to intercept a communication, application must be made by a
person specified in s. 6(2) of the Act for an interception warrant.

Interception warrants

LA
The Secretary of State may grant an interception warrant to the police,
security services or the Commissioners of Customs and Excise. Before
issuing an interception warrant, the Secretary of State must believe that
IM
it is necessary:
(a) in the interests of national security;
SH

(b) for the purpose of preventing or detecting serious crime;

(c) for the purpose of safeguarding the economic well-being of the United
Kingdom; or
(d) for the purpose, in circumstances appearing to the Secretary of State to
LU

be equivalent to those in which he would issue a warrant by virtue of

paragraph (b) of giving effect to the provisions of any international
mutual assistance agreement."
PN

The warrant issued must be proportionate to what is sought to be

achieved by the interception. Failure to comply with a requirement to
H

provide the necessary assistance in implementing an interception war-

rant is a criminal offence under s. 11 (7) of the 2000 Act. Under s. 11 (8)
the Secretary of State may take civil proceedings for an injunction or
specific performance against a person who fails to provide assistance in
accordance with an interception warrant.
An ISP is obliged under s. 12 to give assistance in the implementation
of interception warrants. To this effect s. 12(1) provides:
(1) The Secretary of State may by order provide for the imposition by
him on persons who-
(a) are providing public postal services or public telecommunications
services; or
(b) are proposing to do so,
of such obligations as it appears to him reasonable to impose for the
purpose of securing that it is and remains practicable for requirements to
provide assistance in relation to interception warrants to be imposed and
complied with.

19 FOR
Regulation of Investigatory
PRIVATE CIRCULATIONPowers ONLY
Act 2000,
HPNLUs. 5(3).
SHIMLA Page No.514
 Cyber Crime: A Growing Problem

Under the 2000 Act, law enforcement officials may, in special circum-
stances, require delivery of encryption keys in order to decrypt protected
information. This makes the UK the first G-8 country to allow State
access to encryption keys and has, therefore, been criticised as having
the potential to undermine corporate security systems. The Code of
Practice on the investigation of electronic data protected by encryption
provides that such special circumstances will vary from case to case.
Where there are no special circumstances, law enforcement will only be
entitled to the delivery-up of the decrypted material rather than the key
itself.
Where the ISP incurs costs in the process of giving such assistance, the
ISP is entitled to a fair contribution to the costs incurred. 20 Such con-
tribution may be for costs incurred in providing interceptory capabilities
required under the Act. This may include the cost of decryption of
encrypted materials and the cost of providing the key to the Secretary of
State.

LA
Disclosure of encrypted materials
The Regulation of Investigatory Powers Act 2000 gives recognition to
IM
the fact that the use of encryption may provide a weapon to criminals by
enabling them to communicate with minimum risk of discovery. A
disclosure notice may be served on a person where there is reasonable
SH

belief that the person has a key to encrypted information which is

necessary for law enforcement.2
A direction may be given by a chief officer of police or a Commis-
LU

sioner of Customs and Excise or a person of or above the rank of a

brigadier to the effect that a specific communication cannot be read
without the disclosure of a key. Failure to comply with a disclosure order
PN

given on the basis of such a direction may result in a criminal offence

punishable by up to two years' imprisonment.
H

The role of encryption in cyber crime

Encryption, which is the process of disguising a message in a manner
that hides its substance and original form, is useful for providing confi-
dentiality and security of electronic information. With the growing need
for security in the digital world, encryption is used in most modern-day
electronic transactions to secure the authenticity, integrity and non-
repudiation of electronic data. 2
Under existing laws, the various law enforcement agencies, when
authorised, are entitled to conduct searches as criminals often keep
records of their activities, which may be critical to the investigation of a
crime. Such paper trails lead to searches and seizures of appropriate

20 Ibid. s. 14.
21 Ibid. s. 49.
22 To this effect, Kirk has stated that encryption is vital in digital communications
where electronic information is to be kept private and secured: E. Kirk, 'Encryption
and Competition in the Information Society' (1999) 1 IPQ 37 at 38.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.515
The Journalof Criminal Law

evidence. These agencies, therefore, have the legal tools to collect evi-
dence for the purpose of criminal prosecutions. Various governments
have asserted, however, that in today's digital world, the use of encryp-
tion has presented a significant problem to law enforcement agencies, so
that even where a law enforcement group has obtained the legal author-
isation, access to the required information may be impossible if it23has
been encrypted and the group does not have the key to decrypt it.
To emphasise this point the US FBI Director, Louis Freeh, has cited
two instances in which encrypted files posed problems to law enforce-
ment. The first instance was a terrorist case in the Philippines involving
a plan to blow up US airliners.24 The second was the 'Innocent Images'
child pornography case of 1995 in which encrypted images prevented
the grand jury from obtaining access to the necessary information. 2'
These various incidents have resulted in calls to review the tools legally
available to law enforcement agencies in order to give them access to a
suspect's electronic data.
It has been argued that without the ability to recover encryption keys

LA
law enforcement authorities will not be in a position to conduct in-
vestigations of criminal activities. This would require that keys be com-
pulsorily stored with a third party recovery agent to which law
IM
enforcement groups would have access if permitted by a court order or
any other recognised legal authority. Various systems, especially those of
SH

the UK and the USA, have put forward crime prevention as the main
reason why the government needs to have access to encryption key
systems. In 1996, the UK government proposed to introduce the licens-
ing of Trusted Third Parties (TTPs) to hold copies of encryption keys.
LU

T'rPs were to be trustworthy commercial organisations that can provide

various information security-related services to enable transactions to be
PN

conducted securely. The proposed TrPs were to act as a central reposi-

tory which would provide authorised law enforcement agencies with
access to a client's private encryption keys.26 The matter of access to
H

encrypted materials by law enforcement officers in the UK is now

regulated by the Regulation of Investigatory Powers Act 2000 (see
above).
In the USA, the government has introduced the 'key escrow' device27
under which the government requires all encryption systems to deposit
a key with an agency with which the government can unlock encrypted
communications. To this effect it has devised the 'clipper chip' for
telephones and the 'capstone chip' for e-mail and file encryption. The

23 Decryption is the reverse of encryption and consists of the transformation of

encrypted data back to its intelligible form.
24 See P. Shenon, 'World Trade Center Suspect Linked to Plan to Blow Up 2 Planes',
New York Times, 26 March 1995 at 37,
25 K. Swisher, 'On-Line Child Pornography Charged as 12 Are Arrested', Washington
Post, 4 September 1995 at 1.
26 Y. Akdeniz, 'No Chance for Key Recovery: Encryption and International Principles
of Human and Political Rights' at http://webjcli.ncl.ac.uk.
27 'Key escrow' is a mechanism by which a master key to each encryption device is
held in a central repository for release to authorised law enforcement agencies
when necessary.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.516
 Cyber Crime: A Growing Problem

aim of these devices is to ensure that the development of strong encryp-

tion technology does not compromise the US government's ability to
conduct uninhibited surveillance and law enforcement activities. 28 Use
of these chips, however, remains v'oluntary and those wanting to en-
crypt can do so only if the software or hardware products are not
exported out of the US. -
Encryption key recovery will have its own disadvantages. The most
prominent one being that the centralisation of keys or the storage of
master keys may make it much easier for criminals to have unauthorised
access to such keys. According to a scientific report, the critical role of
encryption in preventing crime and protecting national security has
been overlooked by governments that support the introduction of key
recovery as an electronic means of surveillance in law enforcement.3

International initiatives against cyber crimes

Although no figures exist for Internet crime it has been noted that cyber

LA
criminals are attacking online users like 'locusts'." There have even
been assertions that Internet crimes are growing more rapidly than
IM
legitimate use of the network." As this new class of crime is rapidly
growing, businesses and other Internet users are generally lacking in the
knowledge and expertise required to tackle this emerging problem.
SH

The security of electronic information has become an international

issue as the use of such information often crosses national boundaries. 3
Unlike perpetrators of traditional crimes who need to be at the actual
LU

scene to commit a crime, cyber criminals are not hampered by distance.

This new class of criminals does not need passports or visas to go through
national checkpoints, a situation giving rise to the question whether
PN

existing national laws are sufficient to combat cyber crimes.

Lawmakers in different systems are now focusing on these new and
growing problems as they attempt to put in place legal procedures and
H

frameworks to combat Internet-related crimes. 4 The overall aim is to

give Internet users confidence by ensuring certainty in the legal require-
ments on the use of the global network. The steps are being taken in the

28 See J. Markoff, 'Clinton Proposes Initiative on the Scrambling of Data', New York
7imes, 13 July 1996 at 34.
29 A.M. Froomkin, 'It Came from Planet Clipper: The Battle over Cryptographic Key
'Escrow"' (1996) U Chi L Forum 15.
30 G.A. Keyworth II and D. E. Colton, The Computer Revolution, Encryption and True
Threats to National Security (Progress and Freedom Foundation, June 1996).
31 Sara Ledwith, 'Internet Crime Causes Problems for Law Enforcers', 9 December
1999 at www.infowar.com.
32 David Osler, 'U.K.: Web Crime Outstrips Legal Use of Internet', Lloyds List, 9
December 1999.
33 D. Brunnstrom, 'Computer Crime Makes Global Cooperation Vital', 8 November
1999, Reuters. Brunnstrom states that with today's information technology borders
between countries and jurisdictional boundaries between police agencies have less
importance. He calls for international coordination taking advantage of the
phenomenon of globalisation.
34 See 'China Lawmakers Urge Law on Internet Crimes', 5 March 1999, Reuters;
'Britain to Crack Down on Internet Porn', 27 August 1999, Reuters.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.517
The Journal of Criminal Law

hope that clear and predictable rules should instill confidence in con-
sumers and encourage the growth of electronic commerce.
The use of individual national laws to fight Internet-facilitated crimes
has proved difficult due to the issue of dual criminality. Dual criminality
is a situation where one country's laws criminalise a particular act while
another country's laws do not. Where this occurs, the cooperation of the
two countries will be impeded as they do not have similar laws prohibit-
ing the particular conduct. This inherent problem in criminal law gives
rise to a need for an international consensus on which cyber activities
should be criminalised.
It has been recognised that law enforcement agencies need to be
aware of the global challenges inherent in the Internet and the need for
international cooperation if there is to be a crackdown on cyber crime,"
In recognition of the international character of these crimes and the
anonymous nature of the perpetrators, international initiatives are
under way to create a global legal framework to fight cyber crime. Some
of these are summarised below.

LA
Draft Convention on Cyber Crime
After final approval by the appropriate committee, the Convention on
IM
Cyber Crime will be open for signature by the Council of Europe
members and non-Member States which have participated in the draft-
SH

ing. This Convention requires party States to consider computer crimes

when either reviewing or proposing domestic legislation. It addresses
issues such as search and seizure, encryption, electronic evidence, juris-
diction, choice of law and international cooperation.
LU

Group of Eight (G-8)

PN

The G-8 Heads of State 36 at their 1996 summit in Paris adopted some
recommendations to fight international crimes and computer-related
crimes were specifically addressed. To implement these recommenda-
H

tions and enhance the ability of law enforcement agencies in combating

Internet-related crimes, a G-8 sub-group on high-tech crime was
formed.
One of the most important efforts of this sub-group was the hosting of
an international computer crime training conference in November 1998
for G-8 law enforcement officials. It has also reviewed G-8 legal systems
as they relate to high-tech crimes in order to fill gaps in existing
legislation. The sub-group has established a network of high-tech points
of contact for law enforcement in each of the G-8 countries and a
number of non-G-8 countries. This network has enabled the production
of timely evidence across borders for the purpose of preventing Internet
crimes and prosecuting cyber criminals.
35 FBI, 'Computer Crime Makes Global Cooperation Vital', 8 November 2000, Reuters.
The article states that this millennium will require international cooperation at
unprecedented levels.
36 The G-8 comprising of industrial nations, namely the USA, the UK, Germany,
France, Italy, Canada, Japan and Russia, was formed in 1975 at an Economic
Summit in France.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.518
 Cyber Crime: A Growing Problem

Organisationfor Economic Cooperation and Development (OECD)

The OECD has developed Guidelines for Consumer Protection in the
context of electronic commerce which were adopted by the OECD
Council in December 1999. Although these Guidelines are not legally
binding, they symbolise some international consensus among the OECD
Member States. The Guidelines require that consumers should enjoy the
same level of protection and privacy in electronic commerce as available
to them in other forms of commerce.
The Guidelines call for fairness in marketing practices, disclosure
processes for confirming transactions, secure payment mechanisms and
appropriate dispute resolution procedures. In 2000 the OECD made calls
for stronger worldwide Internet regulation to fight the rise in cyber
crime. 17

UK National Hi-tech Crime Unit

In recognition of the lack of investigative capability on cyber crime, the
UK has set up a National Hi-tech Crime Unit. The Unit, which was

LA
launched in April 2001, is a coordinated response to cyber crime based
on a partnership of law enforcement agencies, IT and the business
IM
world. The National Hi-tech Crime Unit comprises of four main divi-
sions-Investigations, Intelligence, Support and Forensic Retrieval. The
aims of the Unit include:
SH

1. To bring to justice or disrupt those responsible for serious and

organised crime.
2. To provide support and cooperate with police forces in the preven-
LU

tion and detection of serious crime.

3. To work in partnership with other law enforcement agencies in the
PN

detection and prevention of serious crime.

The Unit will provide consultation to local forces and other agencies
while liaising with government on policy issues. In setting up the Unit,
H

the UK government is taking steps to ensure a safe and secure online

environment for Internet users in the UK. According to the Home Office
the government's aim is to 'make the UK one of the best and safest
places in the world to conduct and engage in e-commerce'. The Unit will
also provide a 24-hour international hotline to receive information on
potential attacks by cyber criminals.

US Internet Fraud Complaint Centre

In the USA great strides have been taken by the government to combat
cyber crime. The identification and investigation of Internet-related
crimes is now assisted by the establishment of the Internet Fraud Com-
plaint Centre (IFCC). The IFCC is a partnership between the Federal
Bureau of Investigation (FBI) and the National White Collar Crime
Centre (NW3C).

37 C. Grande, 'Global Web Crime Agency Mooted', FinancialTimes, 18 October 2000 at

12.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.519
The Journal of Criminal Law

The IFCC was set up for the purpose of providing law enforcement
agencies with a 'one-stop-shopping' means of identifying and referring
Internet fraud schemes to the right channel for prosecution. The IFCC is
able to fulfil this purpose by:

(a) receiving online complaints of fraud;

(b) analysing such complaints to identify particular schemes and
general crime trends in Internet fraud; and
(c) referring potential Internet fraud schemes to law enforcement.

The IFCC, therefore, acts as a central repository for Internet fraud

complaints and constitutes a reporting mechanism which alerts the
authorities to suspected cyber criminals.

Other organisations

In addition to the above-mentioned international initiatives, there are

LA
other multilateral organisations which function to help enforcement
authorities fight cross-border Internet crimes. Individual governments
are also combating cyber crime on a national basis.
IM
The Mexico-US-Canada Health Care Fraud Task Force, which is an
alliance between the three named governments, provides education and
SH

shares information on health care fraud. The International Chamber of

Commerce also held a conference in December 1999 on cyber crime,
highlighting the complexity of this category of crimes and the difficulties
encountered by law enforcement agencies in tracking down those re-
LU

sponsible for them. 3"

In the UK there have been serious efforts to eradicate child porno-
graphy and to this effect a voluntary body-the Internet Watch Founda-
PN

tion-was set up to monitor websites and discussion groups which deal

in child pornography and, where necessary, to close them down. The UK
Serious Fraud Office is an independent government department, which
H

was established to investigate and prosecute serious and complex fraud.

Its responsibilities comprise the investigation of individuals and groups
who deceive investors and members of the public and its remit includes
active investigation of Internet fraud."
In March 2001 the San Francisco Computer Security Institute gave a
report of its annual Computer Crime and Security Survey. This report
highlighted the increasing vulnerability associated with transacting
online and the challenges that law enforcement faces in this area.4' In
July 2001 when Telecommunications Ministers from Malaysia, Indo-
nesia, the Philippines, Singapore, Thailand and Vietnam held the first
ASEAN Telecommunications Ministers' Meeting in Kuala Lumpur, the

38 See Conference Report. Alliance Against Commercial Cyber Crime, 7 December 1999 at
www.iccwbo.org/home/conferences/reports.
39 Polly Spencer, 'U.K.: Fraud Squad Cracks Down on Free ISP', 16 December 1999 at
www.thestandard.com.
40 Computer Society Institute, 'Financial Losses Due to Internet Intrusions, Trade
Secrets, Theft and Other Cyber Crime Soar', 12 March 2001, at www.gocsi.com.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.520
 Cyber Crime: A Growing Problem

Malaysian Prime Minister Dr Mahathir strongly indicated that the rising

incidents of cyber crime must be given greater attention by nations.4'
In India recognition of the threat from computer crimes moved the
Indian Central Bureau Investigation (CBI) to organise a national semi-
nar on computer-related crime.42 In China, after nearly 100 cases of
computer hacking were uncovered, there have been calls for legislation
to combat Internet crimes. 4 1 In Australia, the Federal Bureau of
Investigation (FBI) has established a special crimes unit to target Inter-
net fraudsters and money launderers. Having recognised that Internet
crime is universal, the Australian FBI has linked up with enforcement
agencies in other countries to coordinate investigations of cyber
crimes. 44

Conclusion
There have been numerous reported incidents of crime on the Internet.
Cyber criminals can destroy cyber property by breaking into company

LA
computers and maliciously manipulating private information. By so
doing they violate the confidentiality and integrity of data and computer
systems. They gain access to such systems, eavesdrop on information
IM
traffic, re-route the information and in some cases corrupt or erase
critical data files. These attacks are often launched on hundreds of
SH

computers at a time each of which would have been hacked in order to

render them responsive to the illegal actions of the perpetrators.
As the Internet continues to challenge traditional concepts of ter-
ritorial jurisdiction, criminals on this open network pose problems to
LU

legislators, law enforcement agencies and the courts throughout the

world. The ability of national authorities to police cyber crime is highly
questionable as this class of criminals is not restricted by geographical
PN

borders. It is hoped that the attempts made by international policy-

makers and organisations to form global alliances will work to reduce, or
better still, eradicate crime in cyberspace.
H

41 See Joint Press Statement, First Asean Telecommunications Ministers' Meeting

13-14 July 2001, Kuala Lumpur, Malaysia at www.aseansec.org/newdata. The
acronym ASEAN refers to the Association of Southeast Asian Nations,
42 'India: New Laws Needed to Check Computer Crimes', 25 February 1999, Asia
Pulse Pte Ltd.
43 'China Lawmakers Urge Law on Internet Crime'. 5 March 1999, at
www.infowar.com.
44 G. Lekakis and M. Mossopi, 'Australia: Global Crackdown On Cyber Crime', 20
September 1999, Australian Financial Review.
FOR PRIVATE CIRCULATION ONLYHPNLU SHIMLA Page No.521
 NEW CRIMES UNDER THE INFORMATION TECHNOLOGY (AMENDMENT) ACT

Amlan Mohanty

I. INTRODUCTION

On December 22, 2008, the Information Technology (Amendment) Act, 2008 was passed by the
Lok Sabha with almost no discussion whatsoever. The Bill had been introduced in 2006 and in
the wake of the terrorist attacks in Mumbai on November 26, 2008, the Act was passed as a
reactionary measure. The fact that the Bill was not discussed prior to it being passed is clear in
its drafting. In some places, apart from being just poorly drafted, it is also vague and criminalises
offences without defining the scope of the activity that could classify as criminal.

The Bill was passed by the Rajya Sabha on December 23, 2008, and received Presidential assent
in early 2009. However, even after this, the Act did not come into force until October 26, 2009,

LA
when it was notified by the Central Government. The Act though passed in such a rush did not
come into effect until a year later. This time could have been used to discuss the Bill and address

IM
the various problems with it.

This essay looks at the new offences introduced by the Amendment Act as a legislative response
SH
to the increasing threat of cyber crime in India today, and analyses these offences in light of
similar provisions in other jurisdictions. The essay first looks at the jurisprudential basis for
criminalisation of activities over the internet. In this section, the essay looks at self-regulation as
an adequate means of policing the internet and whether government intervention and
LU

criminalisation of cyberspace activities is necessary. The section concludes with a brief

framework which is used in the analysis of the provisions in the rest of the essay. Various new
offences introduced by the Act have then been studied section-wise, using the framework as
PN

explained in the first section. The scope of this essay is thus limited to the new crimes introduced
by the amendment and determining the adequacy of the legislative response to the growing need
for a legislation that brings within its fold emerging forms of cyber crime. The essay concludes
H

by looking at the various problems that the Amendment Act poses in light of bad drafting and
lack of understanding in this area.

II. REGULATION OF CYBERSPACE

A. Need for regulation of cyberspace activities

A good starting point for an illuminated argumentation on the criminalisation of activities in

cyberspace is the aspect of regulation of these activities itself and associated questions of its
desirability, necessity and feasibility. The rhetoric of the cyber libertarians, seeking self-
regulation of the internet, while challenging perceived essentialities for any kind of regulation,
like territorial boundaries, real relationships and notions of property, is firmly grounded on the
assertion that cyberspace is capable of being regulated through the creation of institutions and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.522

mechanisms for the regulation of conduct in cyberspace through the formulation of community
based rules that are constituted, decreed and enforced by its participants without necessitating
state intervention. On the other hand, those demanding government regulation stress on the
inadequacy of such a system to combat instances of grievous criminality. A closer look at the
contentions of both parties provides an academic space for a discussion on the criminalisation
of cyberspace activities and a canvas to contextualise the nature of offences introduced by the
amendment.

The cornerstone of the self-regulation theory is that the absence of government involvement in
regulatory mechanisms does not result in cyberanarchy and suggests that the application of
geographically based conceptions of legal regulation to cyberspace activities makes no sense at
all, and further, that cyberspace participants are better positioned than the government to design a
comprehensive set of rules that are cheaper to enforce and are practically sound. The justification
for such an idealistic viewpoint is buttressed by moral considerations often expressed by the

LA
participants of cyberspace who unequivocally express their objections to being disciplined by
orders of the government and declare the space that they have created for themselves to be

IM
independent of the tyrannies of government order.

B. Need for criminalisation of offences in cyberspace

SH
To highlight the limitations of self-regulation, or the opposite parties' contentions in this case,
would be to make a case for the criminalisation of offences in cyberspace through State
intervention, a position several scholars have taken with the advent of serious offences and
LU

increasing criminality on the internet such as paedophilia, cyber frauds, data theft, impersonation
and cyber terrorism. The typical self-regulation punishment model is centred on banishment
from the group, a procedure for social control that appears lenient and lacking in deterrence
PN

value as opposed to criminal sanctions imposed by the State to deter any destructive or anti-
social conduct in cyberspace. It appears that the stream of anti-governmentalism has been laid
to rest in view of the fact that the internet has quite simply become too mainstream, and being
H

the preferred platform for electronic commerce, the need for governmental regulation cannot be
ignored. Perhaps the greatest argument in favour of criminalising unlawful conduct on the
internet is its distinctiveness from territorial crime. The very fact that cyber crimes are easier to
learn how to commit, require fewer resources relative to the potential damage caused, can be
committed in a jurisdiction without being physically present in it and the fact that they are often
not clearly illegal 10 make criminalisation of such conduct not only important, but essential. The
conclusion that must be reached is that the State must step in with some level of regulation of
cyberspace.

C. Types of offences to be criminalised

An analysis of the new crimes introduced by the IT (Amendment) Act on the touchstone of
cyberspace conduct sought to be criminalised by statutes and conventions around the world

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.523

would help in determining the suitability and stringency of the new sections in the Indian
scenario.

There are essentially four main types of conduct that a domestic legislation should penalise - (1)
offences against the confidentiality, integrity and availability of computer data and systems, (2)
computer-related offences with the intention to defraud, (3) content related offences, and (4)
offences related to infringements of copyright and related rights. 12 In order to acquire a
jurisprudential understanding of cyber crimes in general, and to gain a critical insight into the
nature of offences introduced by the amendment and whether they serve the function expected of
them, it is important to comprehend why these particular forms of conduct are criminalised
across jurisdictions. Further, it is also essential to understand the range of unlawful conduct that
involves computers. With the first, second and fourth type of conduct, private individuals may
not be able to detect and proceed against the perpetrators and it therefore falls upon the State to
intervene and impose criminal sanctions. It is necessary to criminalise acts falling within the

LA
third category as they are offences that shock the conscience of society and threaten public
morality.

IM
III. @@@0@@@, 2008

Having erected a framework for comparative scrutiny of the Information Technology Act, 2000
SH
(hereinafter, "IT Act") with cyber crime legislative standards across the world, it is plainly
visible that the IT (Amendment) Act, 2008 (hereinafter "ITAA") was introduced to tackle
unresolved cyberspace issues such as internet fraud, pornography, data theft, phishing etc., that
LU

were not explicitly covered under the old legislation but are at the heart of internet activity,
nevertheless.

A. An overview of changes under section 66 and 67

PN

Under the old act, criminal offences were specified under Sections 65, 1366 14 and 67 15 of
Chapter XI ("Offences"). The provisions were broad in scope and encompassed typical cyber
H

crimes without specificities, a possible explanation for 175 out of the 190 cases in total being
booked under Section 66 and 67 of the IT Act, 2000. 16 With the introduction of new offences
under the Amendment Act, there are a host of differentiated ffences that have criminal penalties
attached to them. The new offences range from sending of offensive messages, hardware and
password theft to voyeurism, pornography and cyber terrorism, which have been inserted
through amendments to Section 66 and 67 of the IT Act, 2000 and form the focus of this paper.
In addition, the civil wrongs set out under S.43 of the IT Act have now been qualified as criminal
offences under the ITAA 2008, if committed dishonestly or fraudulently.

B. Critical analysis of the new offences introduced by the Amendment Act

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.524

(i) Sending of Offensive Messages (S.66A)

The introduction of S.66A18

to the IT Act, 2000 unarguably expands the scope of the act to deal with instances of cyber
stalking, threat mails, spam and phishing mails, with an attempt to strengthen the law and
circumscribe aspects of unlawful cyber conduct that were left untouched under the old
legislation, but a few flagrant issues do emerge on closer inspection of the provision.

The wording in this section has an element of ambiguity in the phrase 'menacing character',
which though perceptibly intended to protect against instances of threat mails or cyber stalking,
is too broadly articulated to serve as an effective tool to combat the said offence. While the term
'grossly offensive' does find mention in similarly purposed legislations, the word 'menacing
character' is conspicuously absent from statutes used by governments to combat instances of

LA
cyber stalking and threat mails, 19 which is of assistive value in the assertion that the phrase is
misplaced. The expected ineffectiveness of S.66A(a) may be illustrated by the simple example of
an employer using a mildly harsh tone in an e-mail correspondence with his employee in order to

IM
censure him, declaring possible termination if the employee's indolence continues, or a friend
remarking to another in jest, that he will 'beat him up' if he fails to get tickets to the movie they
had planned to watch the following weekend. In both cases, one may trace elements of 'menace',
SH
so to speak, when it evidently does not exist. Neither does the legislation speak of circumstances
where there is reciprocity of sentiments.
LU

(ii) Theft of Computer Resource (S.66B)

PN

The relevant section to be analysed in this regard is S.66B 20 of the Amendment Act, which
appears to deal with situations where there has been theft of a 'computer resource' or
'communication device'. Under this section, an individual who receives a stolen computer,
H

cellphone or any other electronic device fitting the definitions contained within the Act maybe
imprisoned for up to three years. Using this section, the police may tackle the growing menace of
trading and purchase of stolen laptops and mobile phones, with the caveat of a potentially
adverse result ensuing wherein purchasers of second hand phones may be considered suspects or
wrongfully charged under this section.

There may be an allegation of redundancy of this section given the pre- existence of a criminal
provision for 'dishonestly receiving stolen property’ with identical phraseology and punishment,
but such an accusation may be displaced if one exercises scrutiny over the relevant definitions.
'Computer resource' has been defined to include 'data', thus markedly different from the IPC
provision, the significant implication being that an electronic document, CD or text message
containing stolen information may be brought within the umbrella of 'computer resource'. In

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.525

terms of technological significance, this can be extended to include theft of digital signals of TV
transmissions.

Interestingly and more importantly, one finds that this section is in consonance with the
statements of objects and reasons of the IT Act, 2000 and ITAA, 2008 as it stresses on the need
to protect e-commerce and e-transactions involving informational exchange and electronic data
exchange.With the introduction of S.66B, and the criminalisation of stolen information
transmission and retention, there is a crucial deterrent factor attached to illegitimate or illegal
data exchanges which is the primary focus of the IT Act itself. The immediate focus of the
Amendment Act, inter alia, is the prevention of cyber and computer crimes and utilising the
framework laid down previously in this paper and the identification of unlawful cyberspace
conduct, it is also known that offences against the availability of computer data and systems
(including the 'misuse of devices' with respect to sale, procurement, import and distribution)
must be criminalised and the section succeeds in doing so.

LA
(iii) Identity Theft and Impersonation (S. 66C and S. 66D)

IM
An examination of identity theft protection laws for internet users indicates that the harm sought
to be prevented is not radically different from the territorial crime of the same nature. The basic
nature of the crime involves the use of identifying information of someone to represent oneself
SH
as the individual for fraudulent purposes, essentially, the wrongful appropriation of one's identity
by another. While familiar traditional crimes of identity theft would include forgeries featuring
credit cards, thefts and making of false statements, online versions of the same crime merely
LU

involve the use of computers with similar consequences, for example, logging into someone's
account and making a defamatory statement, online shopping using someone else's credit card
etc.
PN

Prior to the amendment act, the crime of identity theft was forcibly brought under S.66 within the
ambit of 'hacking', which presupposes that there was an infiltration of a computer resource
involving 'alteration, deletion or destruction' of the information residing therein, facilitating the
H

crime of identity theft. However, under the new provision, S.66C, the means by which the
identifying information is accessed is discounted and only the act of making fraudulent or
dishonest use of the information itself is criminalised. The benefit of separating the two
offences cannot be overemphasised, given that a separate criminal provision exists for extraction
of such data through fraudulent means.

While S.66C deals with deceitful use of passwords, electronic signatures and the like, S.66D
involves use of a 'communication device' or 'computer resource' as a means of impersonation,
which in effect, entails the use of computers, cellphones and PDA's for fraudulent purposes.
While the former provision includes intangible but unique identifiers and symbols attached to
individuals, the latter envisages instances where the offender has physical access to someone
else's personal devices. However, in the absence of a clear definition of 'unique identification

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.526

feature' and the advent of new forms of cyber crime such as SMS spoofing, there may exist grey
areas relating to identity theft, such as the misuse of cellphone numbers, which, in the strict
sense, may not be consistent with the idea of a 'unique' identification feature of an individual,
and not fitting the definition of 'computer resource' or 'communication device' under S.2(1)(k)
and (ha), may lie outside the scope of both, S.66C and S.66D, which is a serious concern for
cyber crime officials.

A comparative analysis of the punishment stipulated under these provisions with identity theft
provisions of other jurisdictions may be attempted to critically examine the nature of punishment
under the Amendment Act. One must acknowledge the fact that similar legislations have
different degrees of punishment based on the nature of crime committed subsequent to the
identity theft taking place, a provision that could have been transplanted into the Indian
legislation to make it more comprehensive, instead of having a uniform punishment of three
years for the crime of identity theft. So, for example, if the crime involves drug trafficking, or is

LA
a violent crime, the punishment is lesser 34 than if the offence is committed to facilitate an act of
domestic terrorism.

IM
It may also depend on the value of goods or money accumulated over a period of time as a result
of the identity theft and may also vary based on the number of identifying markers stolen.
SH
(iv) Voyeurism (S. 66E)

Based on the theoretical framework laid down earlier, the offence of voyeurism would locate
itself under the heading 'content-related offences' and based on the subject of the crime, may be
LU

slotted into the category of crimes against individuals, specifically, against their person. While
the Expert Committee's Report made a recommendation for imprisonment for a period of one
year and fine not exceeding rupees two lakh, the Amendment Act prescribes imprisonment for a
PN

period of three years but similar fine of rupees two lakh. However, it does not make mention of
compensation to the victim which was explicitly recommended by the Expert Committee, to the
tune of rupees twenty five lakhs.
H

The issue that immediately springs up on an analysis of the provision is whether it is appropriate
to refer to the wrongful conduct represented in the section as 'voyeurism' in the literal sense since
'observation' of the 'private area' of persons is not criminalised. While this is understandable if
one assumes the circumstances under which the offence was introduced in the Bill as not
requiring such a provision, since it was not observation as such, which was the concern at the
time, but rather, capturing, transmitting and publishing the image of private parts of an
individual.

However, on glossing over the Standing Committee's Report, it is clear that it acknowledges the
emergence of new forms of computer misuse and is concerned with situations of 'video
voyeurism'. Based on these considerations, it is absurd to exclude from the purview of the
section, the 'observation' of private areas of a person. To reinforce this assertion, we may divert

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.527

our attention to similar criminal legislations, which do include 'observation' within the section,
such the Sexual Offences Act, 2003 of the United Kingdom and the Canada Criminal Code. It is
also relevant to note that these statutes include viewing of 'private acts' besides 'private areas' of
persons, which has been ignored in the Amendment Act. Finally, the observation that may be
made, taking into account cyberlaw jurisprudence and the nature of acts that the IT Act seeks to
criminalise, is that viewing of such images or videos through online streaming on a website such
as YouTube or downloading and viewing on a communication device or computer resource as
defined under the Act should also have been specified as illegal within this particular section.

(v) Cyber Terrorism (S.66F)

Perhaps the most contentious issue in relation to the Amendment Act is that of cyber terrorism,

LA
which is essentially the convergence of terrorism and cyberspace. Terrorism, by itself is not a
new phenomenon, but with the development of modern technologies, the creation of laws
specifically dealing with the same or related acts, conducted through the medium of cyberspace,

IM
was imminent.

An analysis of this section can be fractioned into the first and second clause, the subject matter of
SH
each being considerably dissimilar with their own particular complications. The section is
comprehensive in that sub-clause (A) first enumerates the methods by which the act is
committed, the wrongful conduct, as it were, 45 and then proceeds to describe the potential
damage that may be caused by such acts. However, in the portion describing the likely damage,
LU

the definition is restricted to cases linked to destruction of property or death of individuals. 46

While the clause also speaks of damage to essential supplies and critical information
infrastructure, there is no mention of damage to private property. Using the generally accepted
PN

definition of cyber terrorism, it is clear that damage need not be restricted to property
belonging to the government. So long as it induces fear in the minds of people, it may be
regarded as terrorism.
H

Also, being a provision specific to cyber terrorism, it is surprising that the term 'virtual
properties', belonging to both the government or private citizens, has not been used anywhere in
the section.

In the second sub-clause, predominantly dealing with access to sensitive information, data and
computer databases (possibly belonging to the military), there is no explicit mention of specific
cyber-related activities or offences, which may have provided additional clarity as to the manner
in which the penetrated data or information may be used to imperil the security of the State.
For example, the data may be used to locate sensitive targets, private bank accounts may be used
to fund terrorist programmes and terrorist propaganda may involve dissemination of confidential
data divulging military capabilities of the State in question. It is obligatory for the definition to
cover acts involving the internet such as money settlement through internet banking, use of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.528

internet channels to communicate terrorist plans across countries, hacking and defacement of
governmental and non-governmental websites, virus and trojan attacks aimed at secure
infrastructural and cyber assets of the country etc. What is undesirable is to have an overlap of
functional definitions between the IT Act, the IPC and the Unlawful Activities Prevention Act as
this will only create ambiguities and loopholes that will aid the terrorists eventually. Thus, the
section does not seem comprehensive enough to cover most unlawful conduct on the internet that
would typically be associated with cyber terrorism.

In an effort to analyse and contrast this section with similar criminal provisions across territorial
jurisdictions, we may divert our attention to the issue of punishment prescribed under the section
and whether the section is devised in a manner that exhibits recognition of international
developments in cyber crime, especially in relation to cyber terrorism.

Considering the content of the law, there does not appear to be widespread discrepancies with

LA
cyber terrorism-centred legislations across the world taking cognisance of the fact that there is an
increasing use of computers to facilitate attacks of terrorism, and that 'it is safer and more
convenient to conduct disruptive activities from a remote location over the Internet than it is

IM
driving planes into buildings'. As regards penalties, imprisonment for life appears to be the norm
across jurisdictions and uniformly the harshest amongst all internet- related crimes.
SH
It is inconceivable to think that the cyber terrorism provision in the IT Act will lie stagnant in the
years to come, given the dynamic nature of terrorist activity, which is bound to traverse yet
unforeseen criminal territories, but it is discomforting to see that the first legislation addressing
LU

the incidence of cyber terrorism falls drastically short in terms of comprehensiveness, clarity
and particularity.

(vi) Sexually Explicit Content and Child Pornography (S.67A and S.67B)
PN

Without entering into complicated questions of internet content regulation and obscenity on the
internet, an analysis strictly of the provisions of the amendment Act reveals the section dealing
H

with sexually explicit content, S.67A, a sub-section of S.67, which was present prior to the
Amendment Act, to be well drafted and clearly defined. The terms used in the section such as
'publishes', 'transmits' have been previously defined in the act, assisting interpretation of the
section to a considerable extent. In terms of penalties, compared to S.67, S.67A has an enhanced
imprisonment term as well as fine for both first and subsequent convictions. Since the offence of
obscenity is not a new addition to the list of offences, it has been excluded from the scope of this
paper.

C. The Void for Vagueness Doctrine

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.529

In order to support the view that an absence of clarity in criminal statutes is indeed a ground for
protest, the researcher would like to briefly examine the Doctrine of Void for Vagueness,
indigenous to the American legal system, having been derived from the due process clauses of
the Fifth and Fourteenth Amendments to the U.S. Constitution. The basis of the doctrine is
uncertainty and lack of specificity and the philosophy underlying the principle appears to be
quite simple - no one may be required at peril of life, liberty, or property to speculate as to the
meaning of a penal law. Thus, if it is found that a reasonably prudent man is unable to determine
by himself the nature of the punishment, the prohibited conduct as envisaged under the statute,
and what class of persons the law seeks to regulate, for lack of definiteness, the law may be
regarded as 'void for vagueness'. The objective of a criminal statute is fairly simple, allowing
citizens to organise the affairs of their lives with the knowledge of acts that are forbidden by the
law, and the negation of this should logically be considered an infirmity of the legal system.

The researcher has used the example of this doctrine to buttress the argument that a criminal

LA
statute must be drafted with precision, leaving no room for ambiguity, particularly with reference
to phrases that enumerate classes of persons, acts constituting an offence or a generic term that

IM
may be susceptible to multiple interpretations. Thus, for example, the phrase 'gangster' when
used in a penal statute, may render the statute void, since the phrase is open to wide-ranging
interpretations, both by the court and the enforcing agencies.
SH
While there exist several such instances, the author would like to limit the illustrations to this one
specific case, merely to demonstrate the fact that mere uncertainty in a single phrase of a hastily
drafted statute could render the law unconstitutional and void, thereby necessitating precaution in
LU

the framing of penal statutes that are bound to affect a majority of citizens, as is certainly the
case with a statute regulating activities on the internet in a country as large as ours.
PN

IV. CONCLUSION

The Information Technology (Amendment) Act, 2008 serves as a suitable case study for an
analysis of the legislative exercise of law and policy formulation in the field of cyber crime
H

legislation, revealing quite emphatically the need for carefully worded provisions, foresight in
the drafting process and imagination with respect to explanations to particular sections. The
inadequacies of the legislation and the resultant realistically anticipated problems reinforce the
notion that criminal legislations cannot be left open to broad interpretations, especially with
regard to internet regulations, considering the fact that cyberspace provides certain liberties in
action that make it easier to transgress laws, and with such characteristics inherent to the
environment, any regulatory mechanism or legislative measure must seek to be comprehensive,
clear and narrow in interpretive scope.

While the purpose of the Information Technology (Amendment) Act was to address increasing
trends of cyber crime and in effect, make it difficult to be a cyber criminal, the irony rests in
the fact that what the Amendment Act eventually has created is a situation wherein it perhaps,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.530

isn't 'easier to be a criminal', but rather, 'easier to be classified as a criminal'. The danger, in both
cases, cannot be overemphasized.

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.531

 NLSIU Bangalore - Indian Journal of Law and Technology

2010

Article

BALANCING ONLINE PRIVACY IN INDIA

Apar Gupta

I. INTRODUCTION

With the decision in Naz Foundation v. Government of N.C.T there is a growing feeling that
privacy rights of individuals are gaining recognition in the Indian legal landscape. What is
interesting about the High Court decision reading down section 377 of the Indian Penal Code and

LA
decriminalizing homosexual activity is the hesitation of the Union Government to appeal against
the verdict in the Supreme Court. till date, the Union Government remains absent from the list of
the 14 appellants appealing the decision. Here it seems counterintuitive that a government which

IM
is ostensibly hesitant to challenge a court decision expanding liberal notions of individual rights
would pass a law greatly curtailing online privacy. Hence, a casual reading of the recently
introduced sections 69 and 69B of the Information Technology Act, 2000 would take an
SH
observer by surprise. Comparatively viewed, the absence of a challenge to the Naz Foundation
decision will seem less than an accident and nothing more than serendipity.

The provisions which have been introduced by a recent amendment have vested state
LU

functionaries with the powers to intercept, monitor and decrypt information, block access to
websites and monitor or collect traffic data. Prior to this amendment, there was a vacuum in
Indian law where interception and monitoring in relation to internet communications was
PN

being carried out under the general provisions of the Indian Telegraph Act, 1885. The recent
amendment did not go unnoticed with one commentator noting that the provisions are "far more
intrusive than the Indian Telegraph Act of 1885, which was drafted to protect the interests of the
H

British Raj." Others chimed in with Orwellian brooding. Though a well-articulated defence of
such a position was found lacking, the principal contention advanced was premised on the claim
that the provisions for intrusion, ipso jure constituted a breach of the right to online privacy.

This article does not merely proceed on the premise that the very existence of the legal sanction
results in a breach of privacy. This article is geared towards a realist conception of privacy rights
and ds not posit them in an overly broad or moralistic hue. It does not quibble over the definition
or the underlying jurisprudence of the right but however, proceeds to analyse the likely harms
which may be caused due to a breach. It also studies the protections which have been made
against gathering and dissemination of information, towards the broader goal of reviewing
internet privacy laws in India. To this purpose, Part II utilizes two popular taxonomies adopted
to reach a level of certainty for the potential injury which may be caused by the amendments. It

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.532

compares Indian court rulings on privacy rights to the taxonomy of privacy harms. From this we
gain knowledge of the types of privacy injuries which have been protected by law in India. An
insight is also gained into the general approach of the courts in granting relief in cases involving
questions of privacy law. Part III, then examines sections 69 and 69B which provide the power
to issue directions for intercepting data and monitoring and storing information respectively.
These sections are analysed against the regulations made under section 5(2) of the Telegraph
Act. A quick review demonstrates that sections 69 and 69B provide for adequate safeguards
when viewed against the standards set by precedent. Part IV contends that even with these
safeguards and procedures, the protection of privacy rights is inadequate in view of the inherent
lack of incentive to observe procedure and the nature of internet communications. The types of
harms caused due to the new measures as well as the lack of incentive to observe the procedure
presents a real and present danger to the right to privacy. The final part of the article tersely
suggests that ex-ante ex-parte court orders are a standard that should be explored in relation to

LA
breach of privacy in internet communications.

II. THE RIGHT TO PRIVACY RECENTLY

IM
A. THE TAXONOMY OF PRIVACY

It is obligatory to cite the seminal twenty seven page article authored by Warren and Brandis
SH
which developed the modern contours of the tort of privacy. The article sparked a renaissance of
legal scholarship and subsequently neighbouring theories were devised to defend the right to
privacy. Much ink and paper have been sacrificed to etch out the development of the right to
LU

privacy, and it is outside the scope of the present article to present each of them. For the purposes
of the present article, I utilize the taxonomies of privacy harms developed by two influential
thinkers. The first is the one proposed by Prosser, according to whom four distinct torts flow
PN

from a breach of privacy: (a) intrusion upon a person's solitude or seclusion or into his affairs;
(b) public disclosure of embarrassing facts of a person's private life; (c) publicity which places an
individual in false light in public eyes; and (d) appropriation to a person's advantage of another's
H

name or likeness. This four tort classification has received acceptance, being adopted by the First
Restatement of Torts and different state legislatures and courts across the United States.

The second taxonomy devised by Daniel J. Solove is of a more recent origin and has become the
popular norm to gauge the types of privacy harms in the internet age. The author categorises the
privacy harms as falling into four distinct categories: (a) information collection, (b)
information processing, (c) information dissemination, and (d) invasion. The author further
breaks down these broad classifications into sub-categories to address each form of harm which
is being caused to the right to privacy. The first category of information collection consists of
surveillance and interrogation. The next category is information processing which involves
taking the information gathered and making sense out of the raw facts for any probable use
which has been classified by the author into aggregation, identification, insecurity, secondary use
and exclusion. The third category is concerned with the dissemination of the information and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.533

it consists of the breach of confidentiality, disclosure, exposure, increased accessibility,
blackmail, appropriation and distortion. The final category is concerned with invasion which the
author defines as concerning invasive acts that disturb one's tranquillity or solitude without
concerning information. These classifications shall be used throughout this article to get a
sense of the privacy harms which are inflicted by the powers which are vested under sections 69
and 69B.

B. LIMITED RECOGNITION OF HARMS

Contrary to the communal notions of Indian society, courts have often had the occasion to touch
upon the various aspects of the right to privacy. This has been necessitated by the absence of any
general enactment granting the right to privacy. Though other countries may join India on this
position, India, till recently, remained one of the few not to have any created sector specific laws
relating to technology. However, this has not stopped citizens from approaching courts and

LA
alleging breach of privacy. These were often complaints against unwanted state intrusion,
thereby giving the Indian Supreme Court occasion to constitutionalise the tort of privacy reading
it under an expansive interpretation of the right to life. Hence, in the absence of a general law

IM
governing privacy, the law of privacy in India has been developed through precedent. The
classifications presented above are of little use without putting them in the context of privacy
SH
law recognized and enforced in India.

The Indian Supreme Court's decision in Gobind, reintroduced the right to privacy into the Indian
legal system. The constitutional holding that frequent domiciliary visits by the police without a
LU

reasonable cause infringed upon the petitioners' right to privacy firmly established the right for
citizens of the country. This form of breach of privacy has remained most popularly contested by
litigants and guarded by courts. Hence both Prosser's and Solove's first classifications of privacy
PN

harms find reflection in Indian law. The law developed in cases of 'intrusion upon a person's
solitude or seclusion' and ' information collection' has been applied across the spectrum of
privacy harms.
H

The second classification proposed by Solove is absent from precedent. Indian courts have not
had the occasion to adjudicate upon issues of information processing as it seems to have not
been averred. Persons when alleging a breach of their privacy are more concerned with the
interception and the dissemination of private information and seem to have glossed over
agitating about their rights against information processing. Moreover, it seems that courts have
held that any information existing in the public domain can be processed and then published.
Here, the moment the information leaves the absolute control of the person, the information
can be used by another.

Disclosure is one aspect where courts have zealously guarded the right to privacy. Claims for
unauthorized disclosure breaching a right to privacy have more often than not been entertained
by courts. There also exist legislative provisions which grant privacy in a specified class or

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.534

people or circumstances. Here courts seemed to have recognized the right arising from a
relationship between the parties where information is shared by a person voluntarily; however it
is done with another only in the bounds of the bilateral relationship. Hence, the second
classification suggested by Prosser and the third classification suggested by Solove find
recognition in Indian law. However, the discrete harms which are classified by Solove are yet
to evolve or be appreciated by Indian Courts. Courts generally examine (a) the existence of a
person's right to privacy; (b) the conduct of another causing a breach into the privacy; and (c)
whether such a breach is legally permissible. This is a limited appreciation of evolving new types
or subcategories of harms for applying distinct judicial norms. Hence, there is no effective rule
creation appreciating the differing nature of privacy harms. To conclude the Indian legal system
has yet to give recognition to most harms flowing from breaches of privacy and broadly
recognizes only the harms arising from information gathering and disclosure.

III. ONLINE PRIVACY: PAST, PRESENT AND ABSENT

LA
A. INFORMATION GATHERING

IM
1. General rules for information gathering

The ever increasing reach of the internet was belatedly realized by the Indian legislature in 2001
SH
and it has been playing a game of catch up ever since However, regulations pertaining to privacy
were largely absent from the statute. In a telling analogy of legislative lethargy one finds that
rule for interception of telecommunications were only framed in 1999 after the Supreme Court
decision in PUCL v. Union of India. These rules provide the blueprint for the interference with
LU

privacy rights for 'intrusion upon a person's solitude or seclusion' and 'information
collection.'These rules are the close mirrors to the rules which have recently been enacted under
sections 69 and 69B.
PN

The rules for interception of telecommunications have been framed under section 5(2) of the
Telegraph Act which provides that when (a) public emergency; or (b) public safety situation
H

exists, then an order may be made to issue directions for interception. These rules effectively
authorize high ranking public functionaries to issue directions for the interception of messages.
To safeguard against a blanket infraction of civil liberties, the section itself provides for several
safeguards. There are documentary formalities with which the officials have to comply. These
are essentially the recording of reasons in the nature of (a) interests of sovereignty and integrity
of India; (b) the security of the state; (c) friendly relations with foreign states; (d) public order;
and (e) incitement to the commission of an offence.

There are several safeguards which have been added by the regulations to augment the section
under Rule 419-A of the Indian Telegraph Rules. These are firstly in the nature of providing
more specifics to the documentary formalities such as providing the particulars of the officer
directing the interception and the maintenance of records. Secondly, there is limited regulatory
oversight which has been built up in the section in the form of a review committee. Thirdly, the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.535

final safeguard is an automatic expiry on the interception direction on ninety days being
completed.

In public law cases, especially involving the first taxonomy of 'intrusion upon a person's solitude'
or ' information gathering,' the approach adopted by courts has been one of applying the
constitutional doctrines developed under Articles 14, 19 and 21. These doctrines permit the
judiciary to strike down a statute which is deemed unreasonable or which does not have any
connection to the object of the legislation; yet there has been hesitation on the part of the courts
to do so. The protection which has been afforded to individuals has been restricted to a strict
adherence to the procedural safeguards in law. The courts have termed the right to privacy as,
'too broad and moralistic.' They have shied away from substantively limiting the power of the
state and have rather insisted on procedures being adhered to. This trend is exposed by the
celebrated case of PUCL v. Union of India where the Supreme Court laid down procedural
safeguards in the form of directions to check warrantless telephone tapping. Recent precedent

LA
further evidences this trend. In a case relating to the constitutional validity of telephone tapping
provisions of MCOCA, the Supreme Court has held that the provisions prescribe adequate

IM
procedural safeguards. Again in a case dealing with the powers of the CBI, Justice Sinha has
remarked that it would be desirable for them to evolve safeguards.
SH
Section 69 of the Information Technology Act, 2000

After much discontentment and debate, the Information Technology Act, 2000 received its first
major amendment in 2008. The Amendment Act sought to rectify the many deficiencies which
LU

had been noticed with the application of the enactment. The amendment sought to make the
Information Technology Act, 2000 a self-sufficient act with respect to internet behaviour.
Hence the legislature introduced section 69. Section 69 is titled the "power to issue directions for
PN

interception or monitoring or decryption of any information through any computer resource."

The section mirrors section 5(2) of the Telegraph Act, containing the same limitations on the
exercise of the power to issue directions. It contains a similar structure adhering to the
H

constitutional limitations as prescribed in PUCL, where the direction may only be issued when a)
public emergency; or (b) public safety situations exist. It also contains the requirement of
recording reasons for issuing the direction and mentioning the 5 classes of events as contained in
section 5(2). It does not cause surprise that the recent regulations prescribed under section 69(2)
for providing the procedure for issuing directions also broadly follow Rule 419-A. They mirror
most of the procedural safeguards of documentary adherence, oversight and automatic expiry.

3. Section 66E of the Information Technology Act, 2000

Curiously the amendment also brings forward a section titled "punishment for violation of
privacy." Though, the title of the section is worded broadly it seeks to apply only to capturing an
"image of the private area of a person", "under circumstances violating the privacy of the
person." The circumstances violating the privacy of a person are when such person has a

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.536

reasonable expectation that (a) he or she could disrobe in privacy without being concerned that
an image of his/her private area was being captured; or (b) any part of his/her private area
would not be visible to the public, whether such person is in a public or a private place.

B. INFORMATION PROCESSING

Though styling itself to be concerned properly with the processing of information, section 69B
is a hybrid between information gathering and processing. The section is titled "power to
authorize to monitor or collect traffic data or information through any computer resource for
cyber security." The section's objectives are essentially better internet management with the
specific mandate of "enhancing cyber security and for identification, analysis and prevention
of intrusion or spread of computer contaminant." Towards this goal the section allows for issuing
directions to "monitor and collect traffic data or information generated, transmitted, received
or stored in any computer resource." review of the regulations formed under the section make it

LA
clear that the harms which will be incurred are in the nature of information processing, such as
aggregation and identification. The section provides similar safeguards as found in section 69,
but the conditions for exercise of the power are entirely different. Due to this, the reasons which

IM
have to be recorded are not on the high thresholds which are set under section 69. These are the
reasons which have been enunciated under the PUCL case. Hence, there lies an argument against
SH
the constitutionality of the section as the regulations formed under it clearly contemplate
independent directions to monitor data, which as a technical pre-requisite necessarily requires
interception.
LU

C. INFORMATION DISCLOSURE/DISSEMINATION

1. Conventional treatment of information disclosure/dissemination

PN

What further complicates the mix of privacy injuries is the nature of the information.
Information which lies at the root of privacy in all cases is not the same. It deals with different
scope of human activities and a breach into the privacy of each incurs a different grade of harm.
H

The law of information disclosure has developed most with respect to the freedom of press.
Here, claims have often been made that the publication of facts harms the privacy of person in
society. These claims are often intertwined with the law of defamation, when the person
disputes the veracity of the information sought to be disclosed. Then there are cases where
examining the information for which a breach is complained against arise from a fiduciary
relationship. Irrespective of the doctrinal origins arising from tort or from Part III of the
Constitution, Courts generally adopt a methodology to judge such cases. Courts gauge (a) the
source of the information, such as fiduciary relationships e.g. doctor-patient, matrimonial, and
bank-customer, and (b) the contents of the information, e.g. presence of the AIDS virus, a
spouse's infidelity, and failure to pay debts. Here, courts balance the countervailing arguments for
public benefit which may arise from the disclosure. Courts, hence, may allow the disclosure
when it concerns a person infected with the AIDS virus whose prospective marriage will likely

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.537

result in the communication of the virus; the issue of the legitimacy of a child for which a
divorced husband will be liable to pay maintenance and the steps to be taken by a bank to
recover debts from a wilful defaulter. Recently, an impressive body of law has also developed
in relation to the recently enacted Right to Information Act, 2005.

2. Protection against online dissemination

Pre-amendment, the Information Technology Act provided a shade of privacy protection to

guard against unwarranted disclosure. These were provisions in the nature of prohibition of
disclosure of information gathered in the course of performance of functions mandated under
the Act. Continuing this approach, the amendment added several sections which seek to guard
against the disclosure of information which is gathered in the course of their functions. These
include section 43A for compensation which a body corporate will be liable to pay for the failure
to protect 'sensitive personal data or information.' Even the regulations which have been

LA
framed under sections 69 and 69B provide for stringent sanctions against the disclosure of
information which is gathered by intermediaries and persons employed by them. What is
interesting is that these regulations go beyond the regulations on telecommunications insofar as

IM
providing for affirmative duties on intermediaries as well as penal sanctions for non-adherence.
These are mostly in the nature of protecting strict confidentiality with the data and provide for
SH
penal sanctions. The second area where the dissemination of information is prohibited pertains
to obscene materials and paedophilia. These are not analyzed for the causal ingredient since for
the prohibition it is the existence of 'obscenity' and not a breach of privacy that is vital. Hence,
they cannot be properly considered as legislative measures to protect the privacy harms of
LU

information dissemination.

IV. THE LIMITATIONS OF THE PRESENT PRIVACY REGIME

PN

A. DESIGN DEFECTS IN THE PRESENT SURVEILLANCE REGIME

1. Lack of incentive, a lack of procedure

H

There are several inherent problems in the application of the present legal regime. A review of
court decisions has demonstrated that even though courts apply due process, they have heavily
relied upon first framing strict procedures and have demanded an adherence to them to gauge the
legality of telephone tapping. In all probability, the same approach will be adopted towards
online surveillance.

The most obvious criticism which may be levelled against 'the privacy through procedure
argument' will be that people will simply not comply with such procedure. Such a counter will
posit that bureaucrats and police officials put in charge of the safeguards will hardly be sticklers
for procedures. Their primary job will be policing and not securing the privacy of citizens.
Hence, they will bring an institutional bias to their function. The counter finds its logical end by
making a lack of incentive argument. It states that the authorities will bring to the job an

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.538

unabated enthusiasm to secure a conviction and will view the safeguards provided in the statute
as hurdles to their goals. A review of the decisions will show that courts have without hesitance
convicted offenders on evidence gathered by improper procedure when such procedure is often
held not mandatory. The deficiency in observing the safeguards for telephone tapping has been
held by the Supreme Court to not affect the admissibility of the evidence. The Court held that -

In regard to the first aspect, two infirmities are pointed out in the relevant orders authorizing
and confirming the interception of specified telephone numbers. It is not shown by the
prosecution that the Joint Director, Intelligence Bureau who authorized the interception, holds
the rank of Joint Secretary to the Government of India. Secondly, the confirmation orders passed
by the Home Secretary (contained in volume 7 of lower Court record, Page 447 etc.) would
indicate that the confirmation was prospective. We are distressed to note that the confirmation
orders should be passed by a senior officer of the Government of India in such a careless manner,
that too, in an important case of this nature. However, these deficiencies or inadequacies do not,

LA
in our view, preclude the admission of intercepted telephonic communication in evidence. It is to
be noted that unlike the proviso to Section 45 of POTA, Section 5 of the Telegraph Act or Rule

IM
419A ds not deal with any rule of evidence. The non-compliance or inadequate compliance with
the provisions of the Telegraph Act ds not per se affect the admissibility.
SH
Hence, when the function is exercised with a bias towards conviction and there is a lack of
incentive, these procedures will be routinely flouted. It cannot be said that the mere vesting of
this discretion will lead to a presumption that it will be exercised with an evil eye and an unequal
hand. However, the regulations are designed in a manner where there is a deep seated bias
LU

towards securing conviction with or without an adherence to procedure.

2. Absence of an effective injury discovery and redressal system

PN

The problem of the non-adherence to procedure is compounded by the absence of an effective

legal measure to discover the privacy harm, until the information is publicly distributed making
the subject aware of the infraction. This seems necessary as a notification may cause the
H

concealment of the information which is sought to be gathered. However, this problem is

acute. I anticipate that the paucity of precedent challenging unwarranted intrusion can be
attributed to the non-disclosure. The limited precedent at hand is in cases where an offence is
alleged against a person and the information gathered through surveillance is presented in
court. The limited empirical evidence suggests that unwarranted surveillance is a common
occurrence. The PUCL case itself arose out of statistics of a study presented by the Central
Bureau of Investigation which stated the high degree of warrantless eavesdropping on
conversations of politicians. A more recent case which touched media headlines was when the
leader of a major political party complained that his phone was being tapped illegally.

Even in the unlikely event that an ordinary person suspects that he is under electronic
surveillance, his remedies are onerous to enforce. The Courts in their magnanimity may entertain

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.539

(a) a writ proceeding under Article 226 or 32 of the Constitution of India for judicial review of
the police action and for appropriate relief; (b) criminal action against the officers responsible for
criminal trespass subject to other provisions of Code of Criminal Procedure, 1973; (c) damages
in tort by filing a civil suit; and (d) appropriate compensation in a public law jurisdiction from
the Court of judicial review under Article 226 or 32 of the Constitution. These remedies may
look attractive, however, they take substantial time, effort, money and lawyering to enforce.
Hence relying on litigation to cure privacy breaches will be ineffective.

B. A DEEPER CUT AT PRIVACY

The above defects are essentially inherent design defects in the provisions granting legal sanction
for surveillance and may apply equally across all mediums of expression such as letters,
telecommunications and internet communications. However, there are certain harms which
accrue uniquely towards internet communications. This section analyses these unique harms

LA
which are not found present in other mediums and represent a higher degree of privacy harms.

The internet as an interactive medium provides persons with a wide range of applications suited

IM
to cater to every information need. These may be through the mediums of text or audio-video;
however it is this broad range of applications it provides, which makes harms of interception,
processing or disclosure cut much deeper. The cross synergies of these applications cause a
SH
deeper level of harm than with conventional telephone tapping. Moreover, a person accessing the
internet often does so within the privacy of his own home and expects a reasonable level of
privacy. The communications when not with a human party are for the satisfaction of his or her
LU

own desires and curiosities. A person may divulge more information to a computer than to
another person. This may be mundane and embarrassing as a music aficionado occasionally
listening to bubble gum pop or as serious and damaging as a mentally ill person researching on
PN

alternate methods of treatment. Hence internet communications are inherently intimate and
concern the core of the privacy of the person.

Internet communications are a reflection of a person's thought, intent and motive. To this effect
H

the statement by John Battelle makes for chilling reading, "[l]ink by link, click by click, search is
building possibly the most lasting, ponderous, and significant cultural artifact in the history of
humankind: the database of intentions." Hence, applying the same standards which have been set
for telephone tapping would be a gross simplification of the problems which are posed by
privacy harms in internet communications.

C. ABSENCE OF WIDE DATA PROTECTION STANDARDS

1. Limited protection against private privacy risks

As highlighted above, the current privacy regime is designed to protect the civil liberties of
citizens against the state. In such a set-up the protection which is afforded against private entities
is the limited to the non-performance of functions which they perform when under directions of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.540

state entities. Such an approach ignores the fundamental economics of the internet economy,
where the state is a marginal player, and users' search habits are concentrated in a few online
service providers. Here from the moment the basic access starts, a user usually logs onto a search
engine or/and email service provider. Often both of these are operated by the same conglomerate,
such as Yahoo!-Yahoo! mail, Google-Gmail, Bing-Hotmail. This is not a slippery slope or an
argument in anticipation. These companies' basic revenue model is devised on the basis of
serving contextual advertisements to support their services. The use of such information can
lead to a host of privacy harms. For e.g., the inventor of the internet itself has expressed concern
that searching for books on cancer could result in increased health insurance premiums because
companies can track consumer activity and then sell this information to the insurance
industry.

2. Non-recognition of the harm of information processing

LA
The current privacy regime is also limited in the respect that it does not afford any protection
against several harms which are incurred. These are most glaring with respect to the complete
non-recognition of important harms caused by information processing. An unprecedented

IM
amount of personal data is available online and when aggregated a persons life becomes
'transparent' over time. Increasing the level of privacy harm is the fact that the data is stored in
SH
vast private databases by a few conglomerates due to the concentrated nature of the online
service industry. However, when this data may be seen non-contextually it may lead to incorrect
inferences being drawn, e.g. a person's search query logs may be entirely for the purposes of
research and not a personal medical condition. What is most worrying is that a person whose
LU

data is being gathered does not have any notice causing a harm of exclusion. This is exclusion in
information processing and not information gathering hence, there should not be any reason
for such exclusion. Here, it is not out of place to heed the EU Law on Privacy which contains a
PN

basic prohibition against databases. Then there is also the probable harm of secondary use, where
the information gathered will be used for purposes other than for which it was gathered. For a
robust privacy regime more rules need to be prescribed to safeguard against harms to privacy
H

which are uniquely occurring in internet communications.

V. CONCLUSION

Privacy advocates have to reconcile to the fact that their government has the right to intercept
and monitor data in a specified set of circumstances. This is more pronounced given the current
climate in which the sceptre of terrorism is haunting most countries. Once, an agreement on that
premise is achieved; the circumstances for interception and monitoring as well as the safeguards
to check the potential abuse are the next logical step. Without an effective design for incentives,
checks or balances such procedures are cursory at best.

The provisions which have recently been made under the regulations are imperfect however they
are not defective. They require refinement and substantiation and not whole scale repudiation.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.541

The best alternative keeping in view the procedural approach towards information gathering
would be to mandate ex-ante ex-parte court orders. These orders may arise out of in-camera
proceedings where a state counsel can provide particulars of the intrusion as well as the
information which is sought. Such orders will cure the inherent defects in the system since they
cleanly remove the inherent bias of the functionaries.

This will be a pragmatic and convenient compromise which will not mark a substantial shift in
the present procedure driven approach. Such procedural safeguards are essential for internet
communications since, as highlighted above, the level of the breach of privacy is higher than
conventional invasions of privacy. At the same time the same safeguards which apply to section
69 should be applied to section 69B. Information aggregation and monitoring necessarily
requires interception. Above and beyond this there is a clear causation of privacy harms which
necessitate that the safeguards evolved by the PUCL Court under Article 21 for the 'right to
privacy' are inserted in the section. To provide a robust protection of privacy rights regulations

LA
also have to be made regulating the role of private parties as to information processing.

The amendments without further refinement create Bentham's panopticon. Encountered by issues

IM
of privacy on online communications, the legislature faces a tenuous task to take vital policy
decisions. It finds itself in the position of a trapeze artist, where it cannot keep walking the tight
SH
rope, it has to take a call, tip over to totalitarian tendencies or embrace a newfound liberal
conception. Obviously, only one of these choices affords a safety net to privacy.
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.542

 Justice K. S. Puttaswamy (Retired) and another

Union of India and Others

(2017) 10 SCC 1

A.K. Sikri, J.

It is better to be unique than the best. Because, being the best makes you the number one, but
being unique makes you the only one.

2. 'Unique makes you the only one' is the central message of Aadhaar, which is on the altar

LA
facing constitutional challenge in these petitions. 'Aadhaar' which means, in English, 'foundation'
or 'base', has become the most talked about expression in recent years, not only in India but in
many other countries and international bodies. A word from Hindi dictionary has assumed

IM
secondary significance. Today, mention of the word 'Aadhaar' would not lead a listener to the
dictionary meaning of this word. Instead, every person on the very mentioning of this word
SH
'Aadhaar' would associate it with the card that is issued to a person from where he/she can be
identified. It is described as an 'Unique Identity' and the authority which enrols a person and at
whose behest the Aadhaar Card is issued is known as Unique Identification Authority of India
(hereinafter referred to as 'UIDAI' or 'Authority'). It is described as unique for various reasons.
LU

UIDAI claims that not only it is a foolproof method of identifying a person, it is also an
instrument whereby a person can enter into any transaction without needing any other document
in support. It has become a symbol of digital economy and has enabled multiple avenues for a
PN

common man. Aadhaar scheme, which was conceptualised in the year 2006 and launched in the
year 2009 with the creation of UIDAI, has secured the enrolment of almost 1.1 billion people in
this country. Its use is spreading like wildfire, which is the result of robust and aggressive
H

campaigning done by the Government, governmental agencies and other such bodies. In this way
it has virtually become a household symbol. The Government boasts of multiple benefits of
Aadhaar.

3. At the same time, the very scheme of Aadhaar and the architecture built thereupon has
received scathing criticism from a section of the society. According to them, Aadhaar is a serious
invasion into the right to privacy of persons and it has the tendency to lead to a surveillance state
where each individual can be kept under surveillance by creating his/her life profile and
movement as well on his/her use of Aadhaar. There has been no other subject matter in recent
past which has evoked the kind of intensive and heated debate wherein both sides, for and
against, argue so passionately in support of their respective conviction. The petitioners in these
petitions belong to the latter category who apprehend the totalitarian state if Aadhaar project is

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.543

allowed to continue. They are demanding scrapping and demolition of the entire Aadhaar
structure which, according to them, is anathema to the democratic principles and rule of law,
which is the bedrock of the Indian Constitution. The petitioners have challenged the Aadhaar
project which took off by way of administrative action in the year 2009. Even after Aadhaar got
a shield of statutory cover, challenge persists as the very enactment known as Aadhaar (Targeted
Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (hereinafter referred
to as the 'Aadhaar Act') is challenged as constitutionally impermissible. The wide range of issues
involved in this case is evident from the fact that it took almost four months for the parties to
finish their arguments in these cases, and the Court witnessed highly skilled, suave, brilliant and
intellectual advocacy, with the traces of passions as well.

4. The issue has generated heated public debate as well. Even outside the Court, there are groups
advocating in favour of the Aadhaar scheme and those who are stoutly opposing the same.
Interestingly, it is not only the commoners who belong to either of the two groups but

LA
intelligentsia is also equally divided. There have been number of articles, interviews for
discourses in favour of or against Aadhaar. Those in favour see Aadhaar project as ushering the

IM
nation into a regime of good governance, advancing socio-economic rights, economic prosperity
etc. and in the process they claim that it may make the nation a world leader. Mr. K.K.
Venugopal, learned Attorney General for India, referred to the commendations by certain
SH
international bodies, including the World Bank. We clarify that we have not been influenced by
such views expressed either in favour or against Aadhaar. Those opposing Aadhaar are
apprehensive that it may excessively intrude into the privacy of citizenry and has the tendency to
create a totalitarian state, which would impinge upon the democratic and constitutional values.
LU

Some such opinions of various persons/bodies were referred to during the arguments.
Notwithstanding the passions, emotions, annoyance, despair, ecstasy, euphoria, coupled with
PN

rhetoric, exhibited by both sides in equal measure during the arguments, this Court while giving
its judgment on the issues involved is required to have a posture of calmness coupled with
objective examination of the issues on the touchstone of the constitutional provisions.
H

5. Initiative in spearheading the attack on the Aadhaar structure was taken by the petitioners,
namely, Justice K.S. Puttaswamy (Retd.) and Mr. Pravesh Khanna, by filing Writ Petition (Civil)
No. 494 of 2012. At that time, Aadhaar scheme was not under legislative umbrella. In the writ
petition the scheme has primarily been challenged on the ground that it violates fundamental
rights of the innumerable citizens of India, namely, right to privacy falling under Article 21 of
the Constitution of India. Few others joined the race by filing connected petitions. Series of
orders were passed in this petition from time to time, some of which would be referred to by us
at the appropriate stage. In 2016, with the passing of the Aadhaar Act, these very petitioners filed
another writ petition challenging the vires of the Act. Here again, some more writ petitions have
been filed with the same objective. All these writ petitions were clubbed together. There are
number of interventions as well by various individuals, groups, NGOs, etc., some opposing the
petitions and some supporting the Aadhaar scheme.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.544

xx xx xx

43. To sum up broadly, the Authority is established under the Act as a statutory body which is
given the task of developing the policy, procedure and system for issuing Aadhaar numbers to
individuals and also to perform authentication thereof as per the provisions of the Act. For the
purpose of enrolment and assigning Aadhaar numbers, enrolling agencies are recruited by the
Authority. All the residents in India are eligible to obtain an Aadhaar number. To enable a
resident to get Aadhaar number, he is required to submit demographic as well as biometric
information i.e., apart from giving information relating to name, date of birth and address,
biometric information in the form of photograph, fingerprint, iris scan is also to be provided.
Aadhaar number given to a particular person is treated as unique number as it cannot be
reassigned to any other individual.

44. In this whole process, any resident seeking to obtain an Aadhaar number is, in the first

LA
instance, required to submit her demographic information and biometric information at the time
of enrolment. She, thus, parts with her photograph, fingerprint and iris scan at that stage by
giving the same to the enrolling agency, which may be a private body/person. Likewise, every

IM
time when such Aadhaar holder intends to receive a subsidy, benefit or service and goes to
specified/designated agency or person for that purpose, she would be giving her biometric
SH
information to that requesting entity, which, in turn, shall get the same authenticated from the
Authority before providing a subsidy, benefit or service. Whenever request is received for
authentication by the Authority, record of such a request is kept and stored in the CIDR. At the
same time, provisions for protection of such information/data have been made, as indicated
LU

above. Aadhaar number can also be used for purposes other than stated in the Act i.e. purposes
other than provided under Section 7 of the Act, as mentioned in Section 57 of the Act, which
permit the State or anybody corporate or person, pursuant to any law, for the time being in force,
PN

or any contract to this effect, to use the Aadhaar number for establishing the identity of an
individual. It can be used as a proof of identity, like other identity proofs such as PAN card,
ration card, driving licence, passport etc.
H

45. Piercing into the aforesaid Aadhaar programme and its formation/structure under the
Aadhaar Act, foundational arguments are that it is a grave risk to the rights and liberties of the
citizens of this country which are secured by the Constitution of India. It militates against the
constitutional abiding values and its foundational morality and has the potential to enable an
intrusive state to become a surveillance state on the basis of information that is collected in
respect of each individual by creation of a joint electronic mesh. In this manner, the Act strikes at
the very privacy of each individual thereby offending the right to privacy which is elevated and
given the status of fundamental right by tracing it to Articles 14, 19 and 21 of the Constitution of
India by a nine Judge Bench judgment of this Court in K.S. Puttaswamy & Anr. v. Union of
India & Ors.(2017) 10 SCC 1. Most of the counsel appearing for different petitioners (though not
all) conceded that there cannot be a serious dispute insofar as allotment of Aadhaar number, for
the purpose of unique identification of the residents, is concerned. However, apprehensions have

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.545

been expressed about the manner in which the Scheme has been rolled out and implemented. The
entire edifice of the aforesaid projection is based on the premise that it forces a person, who
intends to enrol for Aadhaar, to part with his core information namely biometric information in
the form of fingerprints and iris scan. These are to be given to the enrolment agency in the first
instance which is a private body and, thus, there is risk of misuse of this vital information
pertaining to an individual. Further, it is argued that the most delicate and fragile part,
susceptible to misuse, is the authentication process which is to be carried out each time the
holder of Aadhaar number wants to establish her identity. At that stage, not only the individual
parts with the biometric information again with the RE (which may again be a private agency as
well), the purpose for which such a person approaches the RE would also be known i.e. the
nature of transaction which is supposed to be undertaken by the said person at that time. Such
information relating to different transactions of a person across the life of the citizen is connected
to a central database. This record may enable the State to profile citizens, track their movements,

LA
assess their habits and silently influence their behaviour. Over a period of time, the profiling
would enable the State to stifle dissent and influence political decision making. It may also
enable the State to act as a surveillant state and there is a propensity for it to become a

IM
totalitarian state. It is stressed that at its core, Aadhaar alters the relationship between the citizen
and the State. It diminishes the status of the citizen. Rights freely exercised, liberties freely
SH
enjoyed, entitlements granted by the Constitution and laws are all made conditional, on a
compulsory barter. The barter compels the citizen to give up her biometrics 'voluntarily', allow
her biometrics and demographic information to be stored by the State and private operators and
then used for a process termed 'authentication'.
LU

To put it in nutshell, provisions of the Aadhaar Act are perceived by the petitioners as giving
away of vital information about the residents to the State not only in the form of biometrics but
PN

also about the movement as well as varied kinds of transactions which a resident would enter
into from time to time. The threat is in the form of profiling the citizens by the State on the one
hand and also misuse thereof by private agencies whether it is enrolling agency or requesting
agency or even private bodies mentioned in Section 57 of the Act. In essence, it is stated that not
H

only data of aforesaid nature is stored by the CIDR, which has the threat of being leaked, it can
also be misused by non-State actors. In other words, it is sought to be highlighted that there is no
assurance of any data protection at any level.

xx xx xx

46. The respondents, on the other hand, have attempted to shake the very foundation of the
aforesaid structure of the petitioners' case. They argue that in the first instance, minimal
biometric information of the applicant, who intends to have Aadhaar number, is obtained which
is also stored in CIDR for the purpose of authentication. Secondly, no other information is
stored. It is emphasised that there is no data collection in respect of religion, caste, tribe,
language records of entitlement, income or medical history of the applicant at the time of
Aadhaar enrolment. Thirdly, the Authority also claimed that the entire Aadhaar enrolment eco-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.546

system is full proof inasmuch as within few seconds of the biometrics having been collected by
the enrolling agency, the said information gets transmitted the Authorities/CIDR, that too in an
encrypted form, and goes out of the reach of the enrolling agency. Same is the situation at the
time of authentication as biometric information does not remain with the requesting agency.
Fourthly, while undertaking the authentication process, the Authority simply matches the
biometrics and no other information is received or stored in respect of purpose, location or nature
or transaction etc. Therefore, the question of profiling does not arise at all.

48. It was asserted with all vehemence that while doing the aforesaid authentication, no other
information is collected or stored by the Authority/CIDR, specifically pointing that:

(a) The Authority does not collect purpose, location or details of transaction. Thus, it is purpose
blind.

LA
(b) The information collected as aforesaid remains in silos.

(c) Merging of silos is prohibited.

IM
(d) The RE is provided answer only in Yes or No about the authentication of the person
concerned.
SH
(e) The authentication process is not exposed to the internet world.

(f) Security measures as per the provisions of Section 29(3) read with Section 38(g) as well as
Regulation 17(1) (d) of the Authentication Regulations are strictly followed and adhere to.
LU

(i) Privacy is ensured by the very design of Aadhaar which was conceived by the Authority from
very inception and is now even incarnated in the Aadhaar Act because : (a) it is backed by
PN

minimal data, federated databases, optimal ignorance; and (b) there is no transaction/pooling data
coupled with the fact that resident authorised access to identity data is available.

(ii) Aadhaar is designed for inclusion inasmuch as: (a) there is flexibility of demographic data,
H

multi-modal biometrics, and flexible processes; (b) DDSVP Committee by Dr. V.N. Vittal,
former CVC; and (c) Biometric design and Standards Committee by Dr. Gairola, Former DG,
NIC.

(iii) All security numbers are followed which can be seen from:

(a) PKI-2048 encryption from the time of capture, (b) adoption of best-in-class security standards
and practices, and (c) strong audit and traceability as well as fraud detection.

50. It was explained that the security and data privacy is ensured in the following way:

(i) The data sent to ABIS is completely anonymised. The ABIS systems do not have access to
resident's demographic information as they are only sent biometric information of a resident with

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.547

a reference number and asked to de-duplicate. The de-duplication result with the reference
number is mapped back to the correct enrolment number by the Authorities own enrolment
server.

(ii) The ABIS providers only provide their software and services. The data is stored in UIDAI
storage and it never leaves the secure premises.

(iii) The ABIS providers do not store the biometric images (source). They only store template for
the purpose of de-duplication (with reference number).

(iv) The encrypted enrolment packet sent by the enrolment client software to the CIDR is
decrypted by the enrolment server but the decrypted packet is never stored.

(v) The original biometric images of fingerprints, iris and face are archived and stored offline.
Hence, they cannot be accessed through an online network.

LA
(vi) The biometric system provides high accuracy of over 99.86%. The mixed biometric have
been adopted only t enhance the accuracy and to reduce the errors which may arise on account of

IM
some residents either not having biometrics or not having some particular biometric.

51. Above all, there is an oversight by Technology and Architecture Review Board (TARB) and
SH
Security Review Committee. This Board and Committee consists of very high profiled officers.

(7) What are the total number of biometric De-duplication rejections that have taken place till
date? In case an enrolment is rejected either for: (a) duplicate enrolment and (b) other technical
LU

reason under Regulation 14 of the Aadhaar Enrolment Regulations, what happens to the data
packet that contains the stored biometric and demographic information?
PN

Ans.: The total number of biometric de-duplication rejections that have taken place are 6.91
crores as on March 21, 2018. These figures do not pertain to the number of unique individuals
who have been denied Aadhaar enrolment resulting in no Aadhaar issued to them. This figure
H

merely pertains to the number of applications which have been identified by the Aadhaar de-
duplication system as having matching biometrics to an existing Aadhaar number holder. The
biometric de-duplication system is designed to identify as duplicate those cases where any one of
the biometrics (ten fingers and two irises) match. However, very often it is found that all the
biometrics match. It is highly improbable for the biometrics to match unless the same person has
applied again. There are a number of reasons why the same person might apply more than once.
For instance, many individuals innocently apply for enrolment multiple times because of the
delay in getting their Aadhaar cards due to postal delays, loss or destruction of their cards or
confusion about how the system works. Each time one applies for Aadhaar, the system identifies
her as a new enrolment but when it recognises that the individual's biometrics match with already
those in the database, thereafter further checks, including manual check through experienced
personnels, are done. After that exercise, if it is found that the person is already registered, it

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.548

rejects the enrolment application. One of their main reasons for rejection is that multiple people
would put their biometric details like fingerprints for Aadhaar generation either as a fraudulent
exercise or by mistake, which also would get rejected. There were many fakes and frauds in the
earlier systems and several reports have found that almost 50% of the subsidies were getting
pilfered away by fakes and duplicates in the system. Then, there would also be several such
people who may have tried to defraud the Aadhaar enrolment system as well but failed get
multiple Aadhaar numbers due to the stringent Aadhaar de-duplication process. Thus, the mere
fact that 6.23 crore enrolments have been rejected as biometric duplicates does not mean that
6.23 crore people have been denied an Aadhaar number as has been alleged by the petitioners.
Any genuine person who does not have an Aadhaar number and whose enrolment has been
rejected can always apply again for enrolment. It is worth noting that none of the de-duplication
rejects have come forward to lodge complaints either with the Authority or with the Government
about denial of Aadhaar number. None of them have even approached any Court of law.

LA
Evidently, the genuine residents have got themselves re-enrolled and the rest are those who were
trying to reach the Aadhaar system by fraudulent means. That explains why no one has
approached a court of law complaining denial of Aadhaar number. All the enrolment packets

IM
received by UIDAI (accepted/rejected) are archived in the CIDR irrespective of its status.
SH
UIDAI takes responsibility in creating and implementing standards, ensuring matching systems
installed in CIDR work as they are designed to do, and providing options to Aadhaar holders in
terms of controlling their identity (such as updating their data, locking their biometrics, etc.) and
LU

accessing their own authentication records. One of the key goals of Aadhaar is to issue a unique
identity for the residents of India. Hence, each enrolment is biometrically de-duplicated against
all (1.2 billion) residents to issue the Aadhaar number (or Unique Identity).
PN

Section 4 of Aadhaar lays down the properties of an Aadhaar number. Sub-section (3) of Section
4 reads as under:
H

"(3) An Aadhaar number, in physical or electronic form subject to authentication and other
conditions, as may be specified by regulations, may be accepted as proof of identity of the
Aadhaar number holder for any purpose."

The requesting entities are at liberty to use any or multiple of authentication mode available
under Regulation 4 of Aadhaar (Authentication) Regulation, 2016 as per their requirements and
needs of security etc.

(b) The biometric authentication is based on a probabilistic match of the biometric captured
during authentication and the record stored with CIDR.

Ans.: Biometric authentication is based on 1:1 matching and, therefore, in that sense it is not
probabilistic. If biometrics are captured it will lead to successful authentication. If biometrics are

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.549

not well captured during authentication or an impostor tries authentication, it will lead to
authentication failure. Aadhaar Proof of Concept studies show that a vast majority of residents
(>98%) can successfully authenticate using biometric modalities such fingerprints and/or iris.

However, the Aadhaar Act and Regulations provides that an Aadhaar number holder cannot be
denied service due to the failure of Aadhaar authentication. Hence, all Aadhaar applications must
implement exception processes.

(d) As per the Aadhaar Act, an Aadhaar number is issued to a resident who has been residing in
India for at least 182 days in the preceding 12 months. An Aadhaar number is issued to an
individual for life and may be omitted/deactivated in case of violation of prescribed guidelines
only. Ineligibility of a person to retain an Aadhaar number owing to become non-resident may be
treated as a ground for deactivation of Aadhaar number and Regulation 28(l)(f) of the Aadhaar
Enrolment Regulations. This is in keeping with Section 31(1) and (3) of the Aadhaar Act

LA
wherein it is an obligation on an Aadhaar number holder to inform the UIDAI of changes in
demographic information and for the Authority to make the necessary alteration.

IM
(8) Please confirm the Points Of Service (POS) biometric readers are capable of storing
biometric information.
SH
Ans.: UIDAI has mandated use of Registered Devices (RD) for all authentication requests. With
RDs, biometric data is signed within the device/RD service using the provider key to ensure it is
indeed captured live. The device provider RD service encrypts the PID block before returning to
the host application. This RD service encapsulates the biometric capture, signing and encryption
LU

of biometrics all within it. Therefore, introduction of RD in Aadhaar authentication system rules
out any possibility of use of stored biometric and replay of biometrics captured from other
source. Requesting entities are not legally allowed to store biometrics captured for Aadhaar
PN

authentication under Regulation 17(1)(a) of the Authentication Regulations.

(9) Referring to slide/page 13, please confirm that the architecture under the Aadhaar Act
H

includes: (i) authentication user agencies (e.g. Kerala Dairy Farmers Welfare Fund Board);

(ii) authentication service agencies (e.g. Airtel); and (iii) CIDR. Ans.: UIDAI appoints
Requesting Entities (AUA/KUA) and Authentication Service Agency (ASA) as per Regulation
12 of Authentication Regulations. List of Requesting Entitles (AUA/KUA) and Authentication
Service Agency appointed by UIDAI is available on UIDAI's website. An AUA/KUA can do
authentication on behalf of other entities under Regulation 15 and Regulation 16.

(10) Please confirm that one or more entitles in the Aadhaar architecture described in the
previous paragraph record the date and time of the authentication, the client IP, the device ID and
purpose of authentication.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.550

Ans.: UIDAI does not ask requesting entities to maintain any logs related to IP address of the
device, GPS coordinates of the device and purpose of authentication. However, AUAs like
banks, telecom etc., in order to ensure that their systems are secure, frauds are managed, they
may store additional information as per their requirement under their respective laws to secure
their system. Section 32(3) of the Aadhaar Act specifically prevents the UIDAI from either by
itself or through any entity under its control to keep or maintain any information about the
purpose of authentication.

Requesting entities are mandated to maintain following logs as per Regulation 18 of the
Authentication Regulations. These are:

(i) the Aadhaar number against which authentication is sought;

(ii) specified parameters of authentication request submitted;

LA
(iii) specified parameters received as authentication response;

(iv) the record of disclosure of information to the Aadhaar number holder at the time of

IM
authentication; and

(v) record of consent of the Aadhaar number holder for authentication, but shall not, in any
SH
event, retain the PID information.

Further, even if a requesting entity captures any other data as per their own requirement, UIDAI
will only audit the authentication logs maintained by the requesting entity as per Regulation
LU

18(1) of the Authentication Regulations.

ASAs are not permitted to maintain any logs related to IP address of the device, GPS coordinates
PN

of the device etc. ASAs are mandated to maintain logs as per Regulation 20 of the
Authentication Regulations:

(i) identity of the requesting entity;

H

(ii) parameters of authentication request submitted; and

(iii) parameters received as authentication response.

Provided that no Aadhaar number, PID information, device identity related data and e-KYC
response data, where applicable, shall be retained.

(11) Referring to slide/page 7 and 14, please confirm that 'traceability' features enable UIDAI to
track the specific device and its location from where each and every authentication takes place.

Ans.: UIDAI gets the AUA code, ASA code, unique device code, registered device code used for
authentication. UIDAI does not get any information related to the IP address or the GPS location
from where authentication is performed as these parameters are not part of authentication (v2.0)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.551

and e-KYC (v2.1) API UIDAI would only know from which device the authentication has
happened, through which AUA/ASA etc. This is what the slides meant by traceability. UIDAI
does not receive any information about at what location the authentication device is deployed, its
IP address and its operator and the purpose of authentication. Further, the UIDAI or any entity
under its control is statutorily barred from collecting, keeping or maintaining any information
about the purpose of authentication under Section 32(3) of the Aadhaar Act.

Gist of the challenge to the Aadhaar Scheme as well as the Act:

58. The petitioners accept that the case at hand is unique, simply because of the reason that the
programme challenged here is itself without precedent. According to them, no democratic
society has adopted a programme that is similar in its command and sweep. The case is about a
new technology that the Government seeks to deploy and a new architecture of governance that
it seeks to build on this technology. The petitioners are discrediting the Government's claim that

LA
biometric technology employed and the Aadhaar Act is greatly beneficial. As per the petitioners,
this is an inroad into the rights and liberties of the citizens which the Constitution of India
guarantees. It is intrusive in nature. At its core, Aadhaar alters the relationship between the

IM
citizen and the State. It diminishes the status of the citizens. Rights freely exercised, liberties
freely enjoyed, entitlements granted by the Constitution and laws are all made conditional, on a
SH
compulsory barter. The barter compels the citizens to give up their biometrics 'voluntarily', allow
their biometrics and demographic information to be stored by the State and private operators and
then used for a process termed 'authentication'. According to them, by the very scheme of the Act
and the way it operates, it has propensity to cause 'civil death' of an individual by simply
LU

switching of Aadhaar of that person. It is the submission of the petitioners that the Constitution
balances rights of individuals against State interest. The Aadhaar completely upsets this balance
and skews the relationship between the citizen and the State enabling the State to totally
PN

dominate the individual. 62. The project creates the architecture for pervasive surveillance and
unless the project is stopped, it will lead to an Orwellian State where every move of the citizen is
constantly tracked and recorded by the State. The architecture of the project comprises a Central
H

Identities Data Repository (CIDR) which stores and maintains authentication transaction data.
The authentication record comprises the time of authentication and the identity of the requesting
entity. Based on this architecture it is possible for the State to track down the location of the
person seeking authentication. Since the requesting entity is also identified, the activity that the
citizen is engaging in is also known.

Violation of Fundamental Right to Privacy:

63. The fundamental right to privacy is breached by the Aadhaar project and the Aadhaar Act in
numerous ways. Privacy is a concomitant of the right of the individual to exercise control over
his or her personality. It finds an origin in the notion that there are certain rights which are
natural to or inherent in a human being. Natural rights are inalienable because they are
inseparable from the human personality. The human element in life is impossible to conceive

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.552

without the existence of natural rights. In 1690, John Locke had in his Second Treatise of
Government observed that the lives, liberties and estates of individuals are as a matter of
fundamental natural law, a private preserve. The idea of a private preserve was to create barriers
from outside interference. In 1765, William Blackstone in his Commentaries on the Laws of
England spoke of a "natural liberty". There were, in his view, absolute rights which were vested
in the individual by the immutable laws of nature. These absolute rights were divided into rights
of personal security, personal liberty and property. The right of personal security involved a legal
and uninterrupted enjoyment of life, limbs, body, health and reputation by an
individual.Following are the illustrations given by the petitioners:

(a) Between 2009-10 and July 2016 the project violated the right to privacy with respect to
personal demographic as well as biometric information collected, stored and shared as there was
no law authorising these actions.

LA
(b) During both the pre-Act and post-Act periods, the project continues to violate the right to
privacy by requiring individuals to part with demographic as well as biometric information to
private enrolling agencies.

IM
(c) By enabling private entities to use the Aadhaar authentication platform, the citizen's right to
informational privacy is violated inasmuch as the citizen is compelled to 'report' his/her actions
SH
to the State.

(d) Even where a person is availing of a subsidy, benefit or service from the State, mandatory
authentication through the Aadhaar platform (without an option to the citizen to use an
LU

alternative mode of identification) violates the right to informational privacy.

(e) With Aadhaar being made compulsory for holding a bank account, operating a cell phone,
PN

having a valid PAN, holding mutual funds, securing admission to school, taking a board
examination, etc. the citizen has no option but to obtain Aadhaar. Compelling the citizen to part
with biometric information violates individual autonomy and dignity.
H

(f) In a digital society an individual has the right to protect himself by controlling the
dissemination of personal information, including biometric information. Compelling an
individual to establish his identity by planting her biometric at multiple points of service violates
privacy involving the person.

(g) The seeding of Aadhaar in distinct databases enables the content of information about an
individual that is stored in different silos to be aggregated. This enables the State to build
complete profiles of individuals violating privacy through the convergence of data.

Limited Government:

64. A fundamental feature of the Constitution is the sovereignty of the people with limited
Government authority. The Constitution limits governmental authority in various ways, amongst

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.553

them Fundamental Rights, the distribution of powers amongst organs of the State and the
ultimate check by way of judicial review. The Aadhaar project is destructive of the limited
Government. The Constitution is not about the power of the State, but about the limits on the
power of the State. Post Aadhaar, the State will completely dominate the citizen and alter the
relationship between citizen and the State. The features of a totalitarian state is seen from:

(a) A person cannot conduct routine activities such as operating a bank account, holding an
investment in mutual funds, receiving government pension, receiving scholarship, receiving food
rations, operating a mobile phone without the State knowing about these activities.

(b) The State can build a profile of the individual based on the trial of authentication from which
the nature of the citizen's activity can be determined.

(c) By disabling Aadhaar the State can cause civil death of the person.

LA
(d) By making Aadhaar compulsory for other activities such as air travel, rail travel, directorship
in companies, services and benefits extended by the State Governments and Municipal

IM
Corporations, etc. there will be virtually no zone of activity left where the citizen is not under the
gaze of the State. This will have a chilling effect on the citizen.
SH
(e) In such a society, there is little or no personal autonomy. The State is pervasive, and dignity
of the individual stands extinguished.

(f) This is an inversion of the accountability in the Right to Information age: instead of the State
LU

being transparent to the citizen, it is the citizen who is rendered transparent to the State.

Unreliability of Biometrics and Exclusion:

PN

67. The foundation of the project, i.e. biometrics, is an unreliable and untested technology.
Moreover, biometric exceptions severely erode reliability. The biometric authentication system
works on a probabilistic model. Consequently, entitlements are reduced from certainty to a
H

chance delivery where the biometrics match. Across the country several persons are losing out
on their entitlements, for say food rations, because of a biometric mismatch resulting in them
being excluded from various welfare schemes. The project is not an 'identity' project but an
'identification' exercise. Unless the biometrics work, a person in flesh and blood, does not exist
for the State.

Illegal Object:

68. It is submitted before us that the objective of creating a single pervasive identification over
time is itself illegal. There are several facets to the illegality and amongst them is the very
negation of an individual citizen's freedom to identify through different means. The coercive
foundation of the impugned Act is in substance an illegal objective that renders the statute ultra
vires Article 14 of the Constitution of India.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.554

Democracy, Identity and Choice:

69. A citizen or resident in a democratic society has a choice to identify himself/herself through
different modes in the course of his/her interactions generally in society as well as his/her
interactions with the State. Mandating identification by only one highly intrusive mode is
excessive, disproportionate and violates Articles 14, 19 and 21.

Contours of Right to Privacy:

81. It stands established, with conclusive determination of the nine Judge Bench judgment of this
Court in K.S. Puttaswamy that right to privacy is a fundamental right. The majority judgment
authored by Dr. D.Y. Chandrachud, J. (on behalf of three other Judges) and five concurring
judgments of other five Judges have declared, in no uncertain terms and most authoritatively,
right to privacy to be a fundamental right. This judgment also discusses in detail the scope and

LA
ambit of right to privacy. The relevant passages in this behalf have been reproduced above while
taking note of the submissions of the learned counsel for the petitioners as well as respondents.
One interesting phenomenon that is discerned from the respective submissions on either side is

IM
that both sides have placed strong reliance on different passages from this very judgment to
support their respective stances. A close reading of this judgment brings about the following
features:
SH
(i) Privacy has always been a natural right: The correct position in this behalf has been
established by a number of judgments starting from Gobind v. State of M.P. (1975) 2 SCC 148
1975 Indlaw SC 629 Various opinions conclude that:
LU

(a) privacy is a concomitant of the right of the individual to exercise control over his or her
personality.
PN

(b) Privacy is the necessary condition precedent to the enjoyment of any of the guarantees in Part
III.
H

(c) The fundamental right to privacy would cover at least three aspects - (i) intrusion with an
individual's physical body, (ii) informational privacy, and (iii) privacy of choice.

(d) One aspect of privacy is the right to control the dissemination of personal information. And
that every individual should have a right to be able to control exercise over his/her own life and
image as portrayed in the world and to control commercial use of his/her identity.

Following passages from different opinions reflect the aforesaid proposition:

Dr. D.Y. Chandrachud, J.:

318. Life and personal liberty are inalienable rights. These are rights which are inseparable from
a dignified human existence. The dignity of the individual, equality between human beings and
the quest for liberty are the foundational pillars of the Indian Constitution.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.555

S.A. Bobde, J. :

415. Therefore, privacy is the necessary condition precedent to the enjoyment of any of the
guarantees in Part III. As a result, when it is claimed by rights bearers before constitutional
courts, a right to privacy may be situated not only in Article 21, but also simultaneously in any of
the other guarantees in Part III. In the current state of things, Articles 19(1), 20(3), 25, 28 and 29
are all rights helped up and made meaningful by the exercise of privacy. This is not an
exhaustive list. Future developments in technology and social ordering may well reveal that there
are yet more constitutional sites in which a privacy right inheres that are not at present evident to
us.

R.F. Nariman, J. :

521. In the Indian context, a fundamental right to privacy would cover at least the following

LA
three aspects:

- Privacy that involves the person i.e. when there is some invasion by the State of a person's

IM
rights relatable to his physical body, such as the right to move freely;

- Informational privacy which does not deal with a person's body but deals with a person's mind,
SH
and therefore recognises that an individual may have control over the dissemination of material
that is personal to him. Unauthorised use of such information may, therefore lead to infringement
of this right; and
LU

- The privacy of choice, which protects an individual's autonomy over fundamental personal
choices.

For instance, we can ground physical privacy or privacy relating to the body in Articles 19(1)(d)
PN

and (e) read with Article 21; ground personal information privacy under Article 21; and the
privacy of choice in Articles 19(1)(a) to (c), 20(3), 21 and 25. The argument based on "privacy"
being a vague and nebulous concept need not, therefore, detain us.
H

xx xx xx

532. The learned counsel for the petitioners also referred to another important aspect of the right
to privacy. According to the learned counsel for the petitioner this right is a natural law right
which is inalienable. Indeed, the reference order itself, in para 12, refers to this aspect of the
fundamental right contained. It was, therefore, argued before us that given the international
conventions referred to hereinabove and the fact that this right inheres in every individual by
virtue of his being a human being, such right is not conferred by the Constitution but is only
recognised and given the status of being fundamental. There is no doubt that the petitioners are
correct in this submission. However, one important roadblock in the way needs to be got over.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.556

620. I had earlier adverted to an aspect of privacy - the right to control dissemination of personal
information. The boundaries that people establish from others in society are not only physical but
also informational. There are different kinds of boundaries in respect to different relations.
Privacy assists in preventing awkward social situations and reducing social frictions. Most of the
information about individuals can fall under the phrase "none of your business". On information
being shared voluntarily, the same may be said to be in confidence and any breach of
confidentiality is a breach of the trust. This is more so in the professional relationships such as
with doctors and lawyers which requires an element of candour in disclosure of information. An
individual has the right to control one's life while submitting personal data for various facilities
and services. It is but essential that the individual knows as to what the data is being used for
with the ability to correct and amend it. The hallmark of freedom in a democracy is having the
autonomy and control over our lives which becomes impossible, if important decisions are made
in secret without our awareness or participation. [Daniel Solove, "10 Reasons Why Privacy

LA
Matters" published on 20-1-2014 <https://www.teachprivacy.com/10-reasons-privacy-matters/>.]

xx xx xx

IM
625. Every individual should have a right to be able to exercise control over his/her own life and
image as portrayed to the world and to control commercial use of his/her identity. This also
SH
means that an individual may be permitted to prevent others from using his image, name and
other aspects of his/her personal life and identity for commercial purposes without his/her
consent. [The Second Circuit's decision in Haelan Laboratories Inc. v. Topps Chewing Gum Inc.,
202 F 2d 866 (2d Cir 1953) penned by Jerome Frank, J. defined the right to publicity as "the
LU

right to grant the exclusive privilege of publishing his picture".]"

xx xx xx
PN

646. If the individual permits someone to enter the house it does not mean that others can enter
the house. The only check and balance is that it should not harm the other individual or affect his
or her rights. This applies both to the physical form and to technology. In an era where there are
H

wide, varied, social and cultural norms and more so in a country like ours which prides itself on
its diversity, privacy is one of the most important rights to be protected both against State and
non-State actors and be recognised as a fundamental right. How it thereafter works out in its
inter-play with other fundamental rights and when such restrictions would become necessary
would depend on the factual matrix of each case. That it may give rise to more litigation can
hardly be the reason not to recognise this important, natural, primordial right as a fundamental
right."

(ii) The sanctity of privacy lies in its functional relationship with dignity: Privacy ensures that a
human being can lead a life of dignity by securing the inner recesses of the human personality
from unwanted intrusions. While the legitimate expectation of privacy may vary from intimate
zone to the private zone and from the private to the public arena, it is important to underscore

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.557

that privacy is not lost or surrendered merely because the individual is in a public place. Further,
privacy is a postulate of dignity itself. Also, privacy concerns arise when the State seeks to
intrude into the body and the mind of the citizen. This aspect is discussed in the following
manner:

Dr. D.Y. Chandrachud, J. :

127. The submission that recognising the right to privacy is an exercise which would require a
constitutional amendment and cannot be a matter of judicial interpretation is not an acceptable
doctrinal position. The argument assumes that the right to privacy is independent of the liberties
guaranteed by Part III of the Constitution. There lies the error. The right to privacy is an element
of human dignity. The sanctity of privacy lies in its functional relationship with dignity. Privacy
ensures that a human being can lead a life of dignity by securing the inner recesses of the human
personality from unwanted intrusion. Privacy recognises the autonomy of the individual and the

LA
right of every person to make essential choices which affect the course of life. In doing so
privacy recognises that living a life of dignity is essential for a human being to fulfill the liberties
and freedoms which are the cornerstone of the Constitution. To recognise the value of privacy as

IM
a constitutional entitlement and interest is not to fashion a new fundamental right by a process of
amendment through judicial fiat. Neither are the Judges nor is the process of judicial review
SH
entrusted with the constitutional responsibility to amend the Constitution. But judicial review
certainly has the task before it of determining the nature and extent of the freedoms available to
each person under the fabric of those constitutional guarantees which are protected. Courts have
traditionally discharged that function and in the context of Article 21 itself, as we have already
LU

noted, a panoply of protections governing different facets of a dignified existence has been held
to fall within the protection of Article 21.
PN

xx xx xx

297. What, then, does privacy postulate? Privacy postulates the reservation of a private space for
the individual, described as the right to be let alone. The concept is founded on the autonomy of
H

the individual. The ability of an individual to make choices lies at the core of the human
personality. The notion of privacy enables the individual to assert and control the human element
which is inseparable from the personality of the individual. The inviolable nature of the human
personality is manifested in the ability to make decisions on matters intimate to human life. The
autonomy of the individual is associated over matters which can be kept private. These are
concerns over which there is a legitimate expectation of privacy. The body and the mind are
inseparable elements of the human personality. The integrity of the body and the sanctity of the
mind can exist on the foundation that each individual possesses an inalienable ability and right to
preserve a private space in which the human personality can develop. Without the ability to make
choices, the inviolability of the personality would be in doubt. Recognising a zone of privacy is
but an acknowledgment that each individual must be entitled to chart and pursue the course of
development of personality. Hence privacy is a postulate of human dignity itself. Thoughts and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.558

behavioural patterns which are intimate to an individual are entitled to a zone of privacy where
one is free of social expectations. In that zone of privacy, an individual is not judged by others.
Privacy enables each individual to take crucial decisions which find expression in the human
personality. It enables individuals to preserve their beliefs, thoughts, expressions, ideas,
ideologies, preferences and choices against societal demands of homogeneity. Privacy is an
intrinsic recognition of heterogeneity, of the right of the individual to be different and to stand
against the tide of conformity in creating a zone of solitude. Privacy protects the individual from
the searching glare of publicity in matters which are personal to his or her life. Privacy attaches
to the person and not to the place where it is associated. Privacy constitutes the foundation of all
liberty because it is in privacy that the individual can decide how liberty is best exercised.
Individual dignity and privacy are inextricably linked in a pattern woven out of a thread of
diversity into the fabric of a plural culture.

xx xx xx

LA
322. Privacy is the constitutional core of human dignity. Privacy has both a normative and
descriptive function. At a normative level privacy subserves those eternal values upon which the

IM
guarantees of life, liberty and freedom are founded. At a descriptive level, privacy postulates a
bundle of entitlements and interests which lie at the foundation of ordered liberty.
SH
323. Privacy includes at its core the preservation of personal intimacies, the sanctity of family
life, marriage, procreation, the home and sexual orientation. Privacy also connotes a right to be
left alone. Privacy safeguards individual autonomy and recognises the ability of the individual to
LU

control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to
privacy. Privacy protects heterogeneity and recognises the plurality and diversity of our culture.
While the legitimate expectation of privacy may vary from the intimate zone to the private zone
PN

and from the private to the public arenas, it is important to underscore that privacy is not lost or
surrendered merely because the individual is in a public place. Privacy attaches to the person
since it is an essential facet of the dignity of the human being.
H

S.A. Bobde, J. :

407. Undoubtedly, privacy exists, as the foregoing demonstrates, as a verifiable fact in all
civilised societies. But privacy does not stop at being merely a descriptive claim. It also
embodies a normative one. The normative case for privacy is intuitively simple. Nature has
clothed man, amongst other things, with dignity and liberty so that he may be free to do what he
will consistent with the freedom of another and to develop his faculties to the fullest measure
necessary to live in happiness and peace. The Constitution, through its Part III, enumerates many
of these freedoms and their corresponding rights as fundamental rights. Privacy is an essential
condition for the exercise of most of these freedoms. Ex facie, every right which is integral to the
constitutional rights to dignity, life, personal liberty and freedom, as indeed the right to privacy
is, must itself be regarded as a fundamental right.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.559

408. Though he did not use the name of "privacy", it is clear that it is what J.S. Mill took to be
indispensable to the existence of the general reservoir of liberty that democracies are expected to
reserve to their citizens. In the introduction to his seminal On Liberty (1859), he characterised
freedom in the following way:

"This, then, is the appropriate region of human liberty. It comprises, first, the inward domain of
consciousness; demanding liberty of conscience, in the most comprehensive sense; liberty of
thought and feeling; absolute freedom of opinion and sentiment on all subjects, practical or
speculative, scientific, moral, or theological. The liberty of expressing and publishing opinions
may seem to fall under a different principle, since it belongs to that part of the conduct of an
individual which concerns other people; but, being almost of as much importance as the liberty
of thought itself, and resting in great part on the same reasons, is practically inseparable from it.
Secondly, the principle requires liberty of tastes and pursuits; of framing the plan of our life to
suit our own character; of doing as we like, subject to such consequences as may follow: without

LA
impediment from our fellow creatures, so long as what we do does not harm them, even though
they should think our conduct foolish, perverse, or wrong. Thirdly, from this liberty of each

IM
individual, follows the liberty, within the same limits, of combination among individuals;
freedom to unite, for any purpose not involving harm to others: the persons combining being
supposed to be of full age, and not forced or deceived.
SH
409. The first and natural home for a right to privacy is in Article 21 at the very heart of
"personal liberty" and life itself. Liberty and privacy are integrally connected in a way that
privacy is often the basic condition necessary for exercise of the right of personal liberty. There
LU

are innumerable activities which are virtually incapable of being performed at all and in many
cases with dignity unless an individual is left alone or is otherwise empowered to ensure his or
her privacy. Birth and death are events when privacy is required for ensuring dignity amongst all
PN

civilised people. Privacy is thus one of those rights "instrumentally required if one is to enjoy"
[Laurence H. Tribe and Michael C. Dorf, "Levels of Generality in the Definition of Rights", 57
U CHI L REV 1057 (1990) at p. 1068.] rights specified and enumerated in the constitutional text.
H

410. This Court has endorsed the view that "life" must mean "something more than mere animal
existence" [Munn v. Illinois, 1876 SCC OnLine US SC 4 : 24 L Ed 77 : 94 US 113 (1877) (Per
Field, J.) as cited in Kharak Singh, (1964) 1 SCR 332 1962 Indlaw SC 577 at pp. 347-48] on a
number of occasions, beginning with the Constitution Bench in Sunil Batra (1) v. Delhi Admn.
[Sunil Batra v. Delhi Admn., (1978) 4 SCC 494 1978 Indlaw SC 289 : 1979 SCC (Cri) 155]
Sunil Batra [Sunil Batra v. Delhi Admn., (1978) 4 SCC 494 1978 Indlaw SC 289 : 1979 SCC
(Cri) 155] connected this view of Article 21 to the constitutional value of dignity. In numerous
cases, including Francis Coralie Mullin v. UT of Delhi [Francis Coralie Mullin v. UT of Delhi,
(1981) 1 SCC 608 1981 Indlaw SC 117 : 1981 SCC (Cri) 212], this Court has viewed liberty as
closely linked to dignity. Their relationship to the effect of taking into the protection of "life" the
protection of "faculties of thinking and feeling", and of temporary and permanent impairments to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.560

those faculties. In Francis Coralie Mullin[Francis Coralie Mullin v. UT of Delhi, (1981) 1 SCC
608 1981 Indlaw SC 117 : 1981 SCC (Cri) 212], Bhagwati, J. opined as follows:

"7. Now obviously, the right to life enshrined in Article 21 cannot be restricted to mere animal
existence. It means something much more than just physical survival. In Kharak Singh v. State of
U.P. [Kharak Singh v. State of U.P., AIR 1963 SC 1295 1962 Indlaw SC 577 : (1963) 2 Cri LJ
329 : (1964) 1 SCR 332 1962 Indlaw SC 577], Subba Rao, J. quoted with approval the following
passage from the judgment of Field, J. in Munn v. Illinois [Munn v. Illinois, 1876 SCC OnLine
US SC 4 : 24 L Ed 77 : 94 US 113 (1877)] to emphasise the quality of life covered by Article 21:
(Kharak Singh case [Kharak Singh v. State of U.P., AIR 1963 SC 1295 1962 Indlaw SC 577 :
(1963) 2 Cri LJ 329 : (1964) 1 SCR 332 1962 Indlaw SC 577], AIR p. 1301, para 15)

15. ... "By the term "life" as here used something more is meant than mere animal existence. The
inhibition against its deprivation extends to all those limbs and faculties by which life is enjoyed.

LA
The provision equally prohibits the mutilation of the body or amputation of an arm or leg or the
putting out of an eye or the destruction of any other organ of the body through which the soul
communicates with the outer world." '

IM
and this passage was again accepted as laying down the correct law by the Constitution Bench of
this Court in the first Sunil Batra case [Sunil Batra v. Delhi Admn., (1978) 4 SCC 494 1978
SH
Indlaw SC 289 : 1979 SCC (Cri) 155]. Every limb or faculty through which life is enjoyed is
thus protected by Article 21 and a fortiori, this would include the faculties of thinking and
feeling. Now deprivation which is inhibited by Article 21 may be total or partial, neither any
LU

limb or faculty can be totally destroyed nor can it be partially damaged. Moreover it is every
kind of deprivation that is hit by Article 21, whether such deprivation be permanent or temporary
and, furthermore, deprivation is not an act which is complete once and for all: it is a continuing
PN

act and so long as it lasts, it must be in accordance with procedure established by law. It is
therefore clear that any act which damages or injures or interferes with the use of, any limb or
faculty of a person, either permanently or even temporarily, would be within the inhibition of
H

Article 21."

(emphasis supplied)

Privacy is, therefore, necessary in both its mental and physical aspects as an enabler of
guaranteed freedoms.

411. It is difficult to see how dignity-whose constitutional significance is acknowledged both by

the Preamble and by this Court in its exposition of Article 21, among other rights-can be assured
to the individual without privacy. Both dignity and privacy are intimately intertwined and are
natural conditions for the birth and death of individuals, and for many significant events in life
between these events. Necessarily, then, the right to privacy is an integral part of both "life" and
"personal liberty" under Article 21, and is intended to enable the rights bearer to develop her

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.561

potential to the fullest extent made possible only in consonance with the constitutional values
expressed in the Preamble as well as across Part III.

618.1. In Robertson and Nicol on Media Law [Geoffrey Robertson, QC and Andrew Nicol, QC,
Media Law, 5th Edn., p. 265.] it was observed:

"Individuals have a psychological need to preserve an intrusion-free zone for their personality
and family and suffer anguish and stress when that zone is violated. Democratic societies must
protect privacy as part of their facilitation of individual freedom, and offer some legal support for
the individual choice as to what aspects of intimate personal life the citizen is prepared to share
with others. This freedom in other words springs from the same source as freedom of expression:
a liberty that enhances individual life in a democratic community."

618.2. Lord Nicholls and Lord Hoffmann in their opinion in Naomi Campbell case[Campbell v.

LA
MGN Ltd., (2004) 2 AC 457 : (2004) 2 WLR 1232 : (2004) UKHL 22 (HL)] recognised the
importance of the protection of privacy. Lord Hoffman opined as under: (AC p. 472 H & 473 A-
D, paras 50-51)

IM
"50. What human rights law has done is to identify private information as something worth
protecting as an aspect of human autonomy and dignity. And this recognition has raised
SH
inescapably the question of why it should be worth protecting against the state but not against a
private person. There may of course be justifications for the publication of private information
by private persons which would not be available to the state - I have particularly in mind the
position of the media, to which I shall return in a moment - but I can see no logical ground for
LU

saying that a person should have less protection against a private individual than he would have
against the state for the publication of personal information for which there is no justification.
Nor, it appears, have any of the other Judges who have considered the matter.
PN

51. The result of these developments has been a shift in the centre of gravity of the action for
breach of confidence when it is used as a remedy for the unjustified publication of personal
H

information. ... Instead of the cause of action being based upon the duty of good faith applicable
to confidential personal information and trade secrets alike, it focuses upon the protection of
human autonomy and dignity - the right to control the dissemination of information about one's
private life and the right to the esteem and respect of other people."

618.3. Lord Nicholls opined as under: (Naomi Campbell case [Campbell v. MGN Ltd., (2004) 2
AC 457 : (2004) 2 WLR 1232 : (2004) UKHL 22 (HL)], AC p. 464 D-F, para 12)

"12. The present case concerns one aspect of invasion of privacy: wrongful disclosure of private
information. The case involves the familiar competition between freedom of expression and
respect for an individual's privacy. Both are vitally important rights. Neither has precedence over
the other. The importance of freedom of expression has been stressed often and eloquently, the
importance of privacy less so. But it, too, lies at the heart of liberty in a modern state. A proper

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.562

degree of privacy is essential for the well-being and development of an individual. And restraints
imposed on government to pry into the lives of the citizen go to the essence of a democratic
state: see La Forest J. in R. v. Dyment [R. v. Dyment, 1988 SCC OnLine Can SC 86 : (1988) 2
SCR 417], SCC OnLine Can SC para 17 : SCR p. 426."

619. Privacy is also the key to freedom of thought. A person has a right to think. The thoughts
are sometimes translated into speech but confined to the person to whom it is made. For
example, one may want to criticise someone but not share the criticism with the world.

373. Concerns of privacy arise when the State seeks to intrude into the body of subjects. [Skinner
v. Oklahoma, 1942 SCC OnLine US SC 125 : 86 L Ed 1655 : 316 US 535 (1942)"20. There are
limits to the extent to which a legislatively represented majority may conduct biological
experiments at the expense of the dignity and personality and natural powers of a minority-even
those who have been guilty of what the majority defines as crimes." (SCC OnLine US SC para

LA
20)-Jackson, J.] Corporeal punishments were not unknown to India, their abolition is of a recent
vintage. Forced feeding of certain persons by the State raises concerns of privacy. An
individual's rights to refuse life prolonging medical treatment or terminate his life is another

IM
freedom which falls within the zone of the right to privacy. I am conscious of the fact that the
issue is pending before this Court. But in various other jurisdictions, there is a huge debate on
SH
those issues though it is still a grey area. [For the legal debate in this area in US, See Chapter
15.11 of American Constitutional Law by Laurence H. Tribe, 2nd Edn.] A woman's freedom of
choice whether to bear a child or abort her pregnancy are areas which fall in the realm of
privacy. Similarly, the freedom to choose either to work or not and the freedom to choose the
LU

nature of the work are areas of private decision-making process. The right to travel freely within
the country or go abroad is an area falling within the right to privacy. The text of our
Constitution recognised the freedom to travel throughout the country under Article 19(1)(d). This
PN

Court has already recognised that such a right takes within its sweep the right to travel abroad.
[Maneka Gandhi v. Union of India, (1978) 1 SCC 248 1978 Indlaw SC 212] A person's freedom
to choose the place of his residence once again is a part of his right to privacy [Williams v. Fears,
H

1900 SCC OnLine US SC 211 : 45 L Ed 186 : 179 US 270 (1900)-"8. Undoubtedly the right of
locomotion, the right to remove from one place to another according to inclination, is an attribute
of personal liberty...." (SCC OnLine US SC para 8)] recognised by the Constitution of India
under Article 19(1)(e) though the predominant purpose of enumerating the abovementioned two
freedoms in Article 19(1) is to disable both the federal and State Governments from creating
barriers which are incompatible with the federal nature of our country and its Constitution. The
choice of appearance and apparel are also aspects of the right to privacy. The freedom of certain
groups of subjects to determine their appearance and apparel (such as keeping long hair and
wearing a turban) are protected not as a part of the right to privacy but as a part of their religious
belief. Such a freedom need not necessarily be based on religious beliefs falling under Article 25.
Informational traces are also an area which is the subject-matter of huge debate in various
jurisdictions falling within the realm of the right to privacy, such data is as personal as that of the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.563

choice of appearance and apparel. Telephone tapping and internet hacking by State, of personal
data is another area which falls within the realm of privacy. The instant reference arises out of
such an attempt by the Union of India to collect biometric data regarding all the residents of this
country. The above mentioned are some of the areas where some interest of privacy exists. The
examples given above indicate to some extent the nature and scope of the right to privacy.

374. I do not think that anybody in this country would like to have the officers of the State
intruding into their homes or private property at will or soldiers quartered in their houses without
their consent. I do not think that anybody would like to be told by the State as to what they
should eat or how they should dress or whom they should be associated with either in their
personal, social or political life. Freedom of social and political association is guaranteed to
citizens under Article 19(1)(c). Personal association is still a doubtful area. [The High Court of
A.P. held that Article 19(1) (c) would take within its sweep the matrimonial association in T.
Sareetha v. T. Venkata Subbaiah, 1983 SCC OnLine AP 90 : AIR 1983 AP 356. However, this

LA
case was later overruled by this Court in Saroj Rani v. Sudarshan Kumar Chadha, (1984) 4 SCC
90 1984 Indlaw SC 319: AIR 1984 SC 1562 1984 Indlaw SC 319.] The decision-making process

IM
regarding the freedom of association, freedoms of travel and residence are purely private and fall
within the realm of the right to privacy. It is one of the most intimate decisions.
SH
375. All liberal democracies believe that the State should not have unqualified authority to
intrude into certain aspects of human life and that the authority should be limited by parameters
constitutionally fixed. Fundamental rights are the only constitutional firewall to prevent State's
interference with those core freedoms constituting liberty of a human being. The right to privacy
LU

is certainly one of the core freedoms which is to be defended. It is part of liberty within the
meaning of that expression in Article 21.
PN

376. I am in complete agreement with the conclusions recorded by my learned Brothers in this
regard."

(iii) Privacy is intrinsic to freedom, liberty and dignity: The right to privacy is inherent to the
H

liberties guaranteed by Part-III of the Constitution and privacy is an element of human dignity.
The fundamental right to privacy derives from Part-III of the Constitution and recognition of this
right does not require a constitutional amendment. Privacy is more than merely a derivative
constitutional right. It is the necessary basis of rights guaranteed in the text of the Constitution.
Discussion in this behalf is captured in the following passages:

Dr. D.Y. Chandrachud, J. :

127. The submission that recognising the right to privacy is an exercise which would require a
constitutional amendment and cannot be a matter of judicial interpretation is not an acceptable
doctrinal position. The argument assumes that the right to privacy is independent of the liberties
guaranteed by Part III of the Constitution. There lies the error. The right to privacy is an element
of human dignity. The sanctity of privacy lies in its functional relationship with dignity. Privacy

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.564

ensures that a human being can lead a life of dignity by securing the inner recesses of the human
personality from unwanted intrusion. Privacy recognises the autonomy of the individual and the
right of every person to make essential choices which affect the course of life. In doing so
privacy recognises that living a life of dignity is essential for a human being to fulfill the liberties
and freedoms which are the cornerstone of the Constitution. To recognise the value of privacy as
a constitutional entitlement and interest is not to fashion a new fundamental right by a process of
amendment through judicial fiat. Neither are the Judges nor is the process of judicial review
entrusted with the constitutional responsibility to amend the Constitution. But judicial review
certainly has the task before it of determining the nature and extent of the freedoms available to
each person under the fabric of those constitutional guarantees which are protected. Courts have
traditionally discharged that function and in the context of Article 21 itself, as we have already
noted, a panoply of protections governing different facets of a dignified existence has been held
to fall within the protection of Article 21.

LA
Dr. D.Y. Chandrachud, J.:

326. Privacy has both positive and negative content. The negative content restrains the State

IM
from committing an intrusion upon the life and personal liberty of a citizen. Its positive content
imposes an obligation on the State to take all necessary measures to protect the privacy of the
SH
individual."

(v) Informational Privacy is a facet of right to privacy: The old adage that 'knowledge is power'
has stark implications for the position of individual where data is ubiquitous, an all-
LU

encompassing presence. Every transaction of an individual user leaves electronic tracks without
her knowledge. Individually these information silos may seem inconsequential. In aggregation,
information provides a picture of the beings. The challenges which big data poses to privacy
PN

emanate from both State and non-State entities. This proposition is described in the following
manner:

Dr. D.Y. Chandrachud, J.:

H

300. Ours is an age of information. Information is knowledge. The old adage that "knowledge is
power" has stark implications for the position of the individual where data is ubiquitous, an all-
encompassing presence. Technology has made life fundamentally interconnected. The internet
has become all-pervasive as individuals spend more and more time online each day of their lives.
Individuals connect with others and use the internet as a means of communication. The internet
is used to carry on business and to buy goods and services. Individuals browse the web in search
of information, to send e-mails, use instant messaging services and to download movies. Online
purchases have become an efficient substitute for the daily visit to the neighbouring store. Online
banking has redefined relationships between bankers and customers. Online trading has created a
new platform for the market in securities. Online music has refashioned the radio. Online books
have opened up a new universe for the bibliophile. The old-fashioned travel agent has been

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.565

rendered redundant by web portals which provide everything from restaurants to rest houses,
airline tickets to art galleries, museum tickets to music shows. These are but a few of the reasons
people access the internet each day of their lives. Yet every transaction of an individual user and
every site that she visits, leaves electronic tracks generally without her knowledge. These
electronic tracks contain powerful means of information which provide knowledge of the sort of
person that the user is and her interests [See Francois Nawrot, Katarzyna Syska and Przemyslaw
Switalski, "Horizontal Application of Fundamental Rights - Right to Privacy on the Internet", 9th
Annual European Constitutionalism Seminar (May 2010), University of Warsaw, available at
<http://en.zpc.wpia.uw.edu.pl/wp-content/uploads/2010/04/9_Horizontal_Application_of_Fun
damental_Rights.pdf>.]. Individually, these information silos may seem inconsequential. In
aggregation, they disclose the nature of the personality: food habits, language, health, hobbies,
sexual preferences, friendships, ways of dress and political affiliation. In aggregation,
information provides a picture of the being: of things which matter and those that do not, of

LA
things to be disclosed and those best hidden.

xx xx xx

IM
304. Data mining processes together with knowledge discovery can be combined to create facts
about individuals. Metadata and the internet of things have the ability to redefine human
SH
existence in ways which are yet fully to be perceived. This, as Christina Moniodis states in her
illuminating article, results in the creation of new knowledge about individuals; something which
even she or he did not possess. This poses serious issues for the Court. In an age of rapidly
evolving technology it is impossible for a Judge to conceive of all the possible uses of
LU

information or its consequences:

"... The creation of new knowledge complicates data privacy law as it involves information the
PN

individual did not possess and could not disclose, knowingly or otherwise. In addition, as our
State becomes an "information State" through increasing reliance on information-such that
information is described as the "lifeblood that sustains political, social, and business decisions. It
H

becomes impossible to conceptualize all of the possible uses of information and resulting harms.
Such a situation poses a challenge for courts who are effectively asked to anticipate and remedy
invisible, evolving harms." [Christina P. Moniodis, "Moving from Nixon to NASA: Privacy's
Second Strand - A Right to Informational Privacy", Yale Journal of Law and Technology (2012),
Vol. 15 (1), at p. 154.]

The contemporary age has been aptly regarded as "an era of ubiquitous data veillance, or the
systematic monitoring of citizen's communications or actions through the use of information
technology" [Yvonne McDermott, "Conceptualizing the Right to Data Protection in an Era of
Big Data", Big Data and Society (2017), at p. 1.]. It is also an age of "big data" or the collection
of data sets. These data sets are capable of being searched; they have linkages with other data
sets; and are marked by their exhaustive scope and the permanency of collection. [Id, at pp. 1 and
4.] The challenges which big data poses to privacy interests emanate from State and non-State

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.566

entities. Users of wearable devices and social media networks may not conceive of themselves as
having volunteered data but their activities of use and engagement result in the generation of vast
amounts of data about individual lifestyles, choices and preferences. Yvonne McDermott speaks
about the quantified self in eloquent terms:

"... The rise in the so-called 'quantified self', or the self-tracking of biological, environmental,
physical, or behavioural information through tracking devices, Internet-of-things devices, social
network data and other means (?Swan.2013) may result in information being gathered not just
about the individual user, but about people around them as well. Thus, a solely consent-based
model does not entirely ensure the protection of one's data, especially when data collected for
one purpose can be repurposed for another." [Id, at p. 4.]

xx xx xx

LA
328. Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of
information can originate not only from the State but from non-State actors as well. We
commend to the Union Government the need to examine and put into place a robust regime for

IM
data protection. The creation of such a regime requires a careful and sensitive balance between
individual interests and legitimate concerns of the State. The legitimate aims of the State would
include for instance protecting national security, preventing and investigating crime, encouraging
SH
innovation and the spread of knowledge, and preventing the dissipation of social welfare
benefits. These are matters of policy to be considered by the Union Government while designing
a carefully structured regime for the protection of the data. Since the Union Government has
LU

informed the Court that it has constituted a Committee chaired by Hon'ble Shri Justice B.N.
Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with
appropriately by the Union Government having due regard to what has been set out in this
PN

judgment.

S.K. Kaul, J.:

H

585. The growth and development of technology has created new instruments for the possible
invasion of privacy by the State, including through surveillance, profiling and data collection and
processing. Surveillance is not new, but technology has permitted surveillance in ways that are
unimaginable. Edward Snowden shocked the world with his disclosures about global
surveillance. States are utilising technology in the most imaginative ways particularly in view of
increasing global terrorist attacks and heightened public safety concerns. One such technique
being adopted by the States is "profiling". The European Union Regulation of 2016 [Regulation
No. (EU) 2016/679 of the European Parliament and of the Council of 27-4-2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive No. 95/46/EC (General Data Protection
Regulation).] on data privacy defines "profiling" as any form of automated processing of
personal data consisting of the use of personal data to evaluate certain personal aspects relating

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.567

to a natural person, in particular to analyse or predict aspects concerning that natural person's
performance at work, economic situation, health, personal preferences, interests, reliability,
behaviour, location or movements [Regulation No. (EU) 2016/679 of the European Parliament
and of the Council of 27-4-2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing Directive No.
95/46/EC (General Data Protection Regulation).]. Such profiling can result in discrimination
based on religion, ethnicity and caste. However, "profiling" can also be used to further public
interest and for the benefit of national security.

586. The security environment, not only in our country, but throughout the world makes the
safety of persons and the State a matter to be balanced against this right to privacy.

587. The capacity of non-State actors to invade the home and privacy has also been enhanced.
Technological development has facilitated journalism that is more intrusive than ever before.

LA
588. Further, in this digital age, individuals are constantly generating valuable data which can be
used by non-State actors to track their moves, choices and preferences. Data is generated not just

IM
by active sharing of information, but also passively, with every click on the "world wide web".
We are stated to be creating an equal amount of information every other day, as humanity
created from the beginning of recorded history to the year 2003 - enabled by the "world wide
SH
web". [Michael L. Rustad, SannaKulevska, "Reconceptualizing the right to be forgotten to
enable transatlantic data flow", (2015) 28 Harv JL & Tech 349.]

589. Recently, it was pointed out that " "Uber", the world's largest taxi company, owns no
LU

vehicles. "Facebook", the world's most popular media owner, creates no content. "Alibaba", the
most valuable retailer, has no inventory. And "Airbnb", the world's largest accommodation
provider, owns no real estate. Something interesting is happening." [Tom Goodwin "The Battle
PN

is for Customer Interface", https://techcrunch.com/2015/03/03/in-the-age-of-disintermediation-

the-battle-is-all-for-the-customer-interface/.] "Uber" knows our whereabouts and the places we
frequent. "Facebook" at the least, knows who we are friends with. "Alibaba" knows our shopping
H

habits. "Airbnb" knows where we are travelling to. Social network providers, search engines, e-
mail service providers, messaging applications are all further examples of non-State actors that
have extensive knowledge of our movements, financial transactions, conversations - both
personal and professional, health, mental state, interest, travel locations, fares and shopping
habits. As we move towards becoming a digital economy and increase our reliance on internet-
based services, we are creating deeper and deeper digital footprints - passively and actively.

590. These digital footprints and extensive data can be analysed computationally to reveal
patterns, trends, and associations, especially relating to human behaviour and interactions and
hence, is valuable information. This is the age of "big data". The advancement in technology has
created not just new forms of data, but also new methods of analysing the data and has led to the
discovery of new uses for data. The algorithms are more effective and the computational power

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.568

has magnified exponentially. A large number of people would like to keep such search history
private, but it rarely remains private, and is collected, sold and analysed for purposes such as
targeted advertising. Of course, "big data" can also be used to further public interest. There may
be cases where collection and processing of big data is legitimate and proportionate, despite
being invasive of privacy otherwise.

591. Knowledge about a person gives a power over that person. The personal data collected is
capable of effecting representations, influencing decision-making processes and shaping
behaviour. It can be used as a tool to exercise control over us like the "big brother" State
exercised. This can have a stultifying effect on the expression of dissent and difference of
opinion, which no democracy can afford.

592. Thus, there is an unprecedented need for regulation regarding the extent to which such
information can be stored, processed and used by non-State actors. There is also a need for

LA
protection of such information from the State. Our Government was successful in compelling
Blackberry to give to it the ability to intercept data sent over Blackberry devices. While such
interception may be desirable and permissible in order to ensure national security, it cannot be

IM
unregulated. [Kadhim Shubber, "Blackberry gives Indian Government ability to intercept
messages" published by Wired on 11-7-2013 <http://www.wired.co.uk/article/blackberry-
SH
india>.]

593. The concept of "invasion of privacy" is not the early conventional thought process of
"poking ones nose in another person's affairs". It is not so simplistic. In today's world, privacy is
LU

a limit on the Government's power as well as the power of private sector entities. [Daniel Solove,
"10 Reasons Why Privacy Matters" published on 20-1-2014 https://www.teachprivacy.com/10-
reasons-privacy-matters/.]
PN

594. George Orwell created a fictional State in Nineteen Eighty-Four. Today, it can be a reality.
The technological development today can enable not only the State, but also big corporations and
private entities to be the "big brother".
H

xx xx xx

629. The right of an individual to exercise control over his personal data and to be able to control
his/her own life would also encompass his right to control his existence on the internet. Needless
to say that this would not be an absolute right. The existence of such a right does not imply that a
criminal can obliterate his past, but that there are variant degrees of mistakes, small and big, and
it cannot be said that a person should be profiled to the nth extent for all and sundry to know.

630. A high school teacher was fired after posting on her Facebook page that she was "so not
looking forward to another [school] year" since the school district's residents were "arrogant and
snobby". A flight attendant was fired for posting suggestive photos of herself in the company's
uniform. [Patricia Sanchez Abril, "Blurred Boundaries: Social Media Privacy and the Twenty-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.569

First-Century Employee", 49 Am Bus LJ 63 at p. 69 (2012).] In the pre-digital era, such
incidents would have never occurred. People could then make mistakes and embarrass
themselves, with the comfort that the information will be typically forgotten over time.

631. The impact of the digital age results in information on the internet being permanent.
Humans forget, but the internet does not forget and does not let humans forget. Any endeavour to
remove information from the internet does not result in its absolute obliteration. The footprints
remain. It is thus, said that in the digital world preservation is the norm and forgetting a struggle
[Ravi Antani, "THE RESISTANCE OF MEMORY: COULD THE EUROPEAN UNION'S
RIGHT TO BE FORGOTTEN EXIST IN THE UNITED STATES?", 30 Berkeley Tech LJ 1173
(2015).].

632. The technology results almost in a sort of a permanent storage in some way or the other
making it difficult to begin life again giving up past mistakes. People are not static, they change

LA
and grow through their lives. They evolve. They make mistakes. But they are entitled to re-
invent themselves and reform and correct their mistakes. It is privacy which nurtures this ability
and removes the shackles of unadvisable things which may have been done in the past.

IM
633. Children around the world create perpetual digital footprints on social network websites on
a 24/7 basis as they learn their "ABCs": Apple, Bluetooth and chat followed by download, e-
SH
mail, Facebook, Google, Hotmail and Instagram. [Michael L. Rustad, SannaKulevska,
"Reconceptualizing the right to be forgotten to enable transatlantic data flow", (2015) 28 Harv JL
& Tech 349.] They should not be subjected to the consequences of their childish mistakes and
LU

naivety, their entire life. Privacy of children will require special protection not just in the context
of the virtual world, but also the real world.

634. People change and an individual should be able to determine the path of his life and not be
PN

stuck only on a path of which he/she treaded initially. An individual should have the capacity to
change his/her beliefs and evolve as a person. Individuals should not live in fear that the views
they expressed will forever be associated with them and thus refrain from expressing themselves.
H

635. Whereas this right to control dissemination of personal information in the physical and
virtual space should not amount to a right of total eraser of history, this right, as a part of the
larger right to privacy, has to be balanced against other fundamental rights like the freedom of
expression, or freedom of media, fundamental to a democratic society.

636. Thus, the European Union Regulation of 2016 [Regulation No. (EU) 2016/679 of the
European Parliament and of the Council of 27-4-2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and repealing
Directive No. 95/46/EC (General Data Protection Regulation).] has recognised what has been
termed as "the right to be forgotten". This does not mean that all aspects of earlier existence are
to be obliterated, as some may have a social ramification. If we were to recognise a similar right,
it would only mean that an individual who is no longer desirous of his personal data to be

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.570

processed or stored, should be able to remove it from the system where the personal
data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest.
Such a right cannot be exercised where the information/data is necessary, for exercising the right
of freedom of expression and information, for compliance with legal obligations, for the
performance of a task carried out in public interest, on the grounds of public interest in the area
of public health, for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
Such justifications would be valid in all cases of breach of privacy, including breaches of data
privacy."

(vi) Right to privacy cannot be impinged without a just, fair and reasonable law: It has to fulfill
the test of proportionality i.e. (i) existence of a law; (ii) must serve a legitimate State aim; and
(iii) proportionality.

LA
"Dr. D.Y. Chandrachud, J. :

310. While it intervenes to protect legitimate State interests, the State must nevertheless put into

IM
place a robust regime that ensures the fulfilment of a threefold requirement. These three
requirements apply to all restraints on privacy (not just informational privacy). They emanate
from the procedural and content-based mandate of Article 21. The first requirement that there
SH
must be a law in existence to justify an encroachment on privacy is an express requirement of
Article 21. For, no person can be deprived of his life or personal liberty except in accordance
with the procedure established by law. The existence of law is an essential requirement. Second,
LU

the requirement of a need, in terms of a legitimate State aim, ensures that the nature and content
of the law which imposes the restriction falls within the zone of reasonableness mandated by
Article 14, which is a guarantee against arbitrary State action. The pursuit of a legitimate State
PN

aim ensures that the law does not suffer from manifest arbitrariness. Legitimacy, as a postulate,
involves a value judgment. Judicial review does not reappreciate or second guess the value
judgment of the legislature but is for deciding whether the aim which is sought to be pursued
H

suffers from palpable or manifest arbitrariness. The third requirement ensures that the means
which are adopted by the legislature are proportional to the object and needs sought to be
fulfilled by the law. Proportionality is an essential facet of the guarantee against arbitrary State
action because it ensures that the nature and quality of the encroachment on the right is not
disproportionate to the purpose of the law. Hence, the threefold requirement for a valid law
arises out of the mutual interdependence between the fundamental guarantees against
arbitrariness on the one hand and the protection of life and personal liberty, on the other. The
right to privacy, which is an intrinsic part of the right to life and liberty, and the freedoms
embodied in Part III is subject to the same restraints which apply to those freedoms.

311. Apart from national security, the State may have justifiable reasons for the collection and
storage of data. In a social welfare State, the Government embarks upon programmes which
provide benefits to impoverished and marginalised sections of society. There is a vital State

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.571

interest in ensuring that scarce public resources are not dissipated by the diversion of resources
to persons who do not qualify as recipients. Allocation of resources for human development is
coupled with a legitimate concern that the utilisation of resources should not be siphoned away
for extraneous purposes. Data mining with the object of ensuring that resources are properly
deployed to legitimate beneficiaries is a valid ground for the State to insist on the collection of
authentic data. But, the data which the State has collected has to be utilised for legitimate
purposes of the State and ought not to be utilised unauthorisedly for extraneous purposes. This
will ensure that the legitimate concerns of the State are duly safeguarded while, at the same time,
protecting privacy concerns. Prevention and investigation of crime and protection of the revenue
are among the legitimate aims of the State. Digital platforms are a vital tool of ensuring good
governance in a social welfare State. Information technology-legitimately deployed is a powerful
enabler in the spread of innovation and knowledge.

312. A distinction has been made in contemporary literature between anonymity on one hand and

LA
privacy on the other. [See in this connection, Jeffrey M. Skopek, "Reasonable Expectations of
Anonymity", Virginia Law Review (2015), Vol. 101, at pp. 691-762.] Both anonymity and

IM
privacy prevent others from gaining access to pieces of personal information yet they do so in
opposite ways. Privacy involves hiding information whereas anonymity involves hiding what
makes it personal. An unauthorised parting of the medical records of an individual which have
SH
been furnished to a hospital will amount to an invasion of privacy. On the other hand, the State
may assert a legitimate interest in analysing data borne from hospital records to understand and
deal with a public health epidemic such as malaria or dengue to obviate a serious impact on the
population. If the State preserves the anonymity of the individual it could legitimately assert a
LU

valid State interest in the preservation of public health to design appropriate policy interventions
on the basis of the data available to it.
PN

313. Privacy has been held to be an intrinsic element of the right to life and personal liberty
under Article 21 and as a constitutional value which is embodied in the fundamental freedoms
embedded in Part III of the Constitution. Like the right to life and liberty, privacy is not absolute.
H

The limitations which operate on the right to life and personal liberty would operate on the right
to privacy. Any curtailment or deprivation of that right would have to take place under a regime
of law. The procedure established by law must be fair, just and reasonable. The law which
provides for the curtailment of the right must also be subject to constitutional safeguards.

xx xx xx

325. Like other rights which form part of the fundamental freedoms protected by Part III,
including the right to life and personal liberty under Article 21, privacy is not an absolute right.
A law which encroaches upon privacy will have to withstand the touchstone of permissible
restrictions on fundamental rights. In the context of Article 21 an invasion of privacy must be
justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The
law must also be valid with reference to the encroachment on life and personal liberty under

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.572

Article 21. An invasion of life or personal liberty must meet the threefold requirement of (i)
legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate State
aim; and (iii) proportionality which ensures a rational nexus between the objects and the means
adopted to achieve them.

S.A. Bobde, J. :

426. There is no doubt that privacy is integral to the several fundamental rights recognised by
Part III of the Constitution and must be regarded as a fundamental right itself. The relationship
between the right to privacy and the particular fundamental right (or rights) involved would
depend on the action interdicted by a particular law. At a minimum, since privacy is always
integrated with personal liberty, the constitutionality of the law which is alleged to have invaded
into a rights bearer's privacy must be tested by the same standards by which a law which invades
personal liberty under Article 21 is liable to be tested. Under Article 21, the standard test at

LA
present is the rationality review expressed in Maneka Gandhi case [Maneka Gandhi v. Union of
India, (1978) 1 SCC 248 1978 Indlaw SC 212]. This requires that any procedure by which the
State interferes with an Article 21 right to be "fair, just and reasonable, not fanciful, oppressive

IM
or arbitrary" [Maneka Gandhi v. Union of India, (1978) 1 SCC 248 1978 Indlaw SC 212 at p.
323, para 48].
SH
R.F. Nariman, J. :

526. But this is not to say that such a right is absolute. This right is subject to reasonable
regulations made by the State to protect legitimate State interests or public interest. However,
LU

when it comes to restrictions on this right, the drill of various articles to which the right relates
must be scrupulously followed. For example, if the restraint on privacy is over fundamental
personal choices that an individual is to make, State action can be restrained under Article 21
PN

read with Article 14 if it is arbitrary and unreasonable; and under Article 21 read with Article
19(1) (a) only if it relates to the subjects mentioned in Article 19(2) and the tests laid down by
this Court for such legislation or subordinate legislation to pass muster under the said article.
H

Each of the tests evolved by this Court, qua legislation or executive action, under Article 21 read
with Article 14; or Article 21 read with Article 19(1)(a) in the aforesaid examples must be met in
order that State action pass muster. In the ultimate analysis, the balancing act that is to be carried
out between individual, societal and State interests must be left to the training and expertise of
the judicial mind.

S.K. Kaul, J. :

638. The concerns expressed on behalf of the petitioners arising from the possibility of the State
infringing the right to privacy can be met by the test suggested for limiting the discretion of the
State:

"(i) The action must be sanctioned by law;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.573

(ii) The proposed action must be necessary in a democratic society for a legitimate aim;

(iii) The extent of such interference must be proportionate to the need for such interference;

(iv) There must be procedural guarantees against abuse of such interference."

Chelameswar, J.:

377. It goes without saying that no legal right can be absolute. Every right has limitations. This
aspect of the matter is conceded at the Bar. Therefore, even a fundamental right to privacy has
limitations. The limitations are to be identified on case-to-case basis depending upon the nature
of the privacy interest claimed. There are different standards of review to test infractions of
fundamental rights. While the concept of reasonableness overarches Part III, it operates
differently across Articles (even if only slightly differently across some of them). Having
emphatically interpreted the Constitution's liberty guarantee to contain a fundamental right to

LA
privacy, it is necessary for me to outline the manner in which such a right to privacy can be
limited. I only do this to indicate the direction of the debate as the nature of limitation is not at

IM
issue here.

378. To begin with, the options canvassed for limiting the right to privacy include an Article 14
SH
type reasonableness enquiry [A challenge under Article 14 can be made if there is an
unreasonable classification and/or if the impugned measure is arbitrary. The classification is
unreasonable if there is no intelligible differentia justifying the classification and if the
classification has no rational nexus with the objective sought to be achieved. Arbitrariness,
LU

which was first explained at para 85 of E.P. Royappa v. State of T.N., (1974) 4 SCC 3 1973
Indlaw SC 66 : 1974 SCC (L&S) 165 : AIR 1974 SC 555 1973 Indlaw SC 66, is very simply the
lack of any reasoning.]; limitation as per the express provisions of Article 19; a just, fair and
PN

reasonable basis (that is, substantive due process) for limitation per Article 21; and finally, a just,
fair and reasonable standard per Article 21 plus the amorphous standard of "compelling State
interest". The last of these four options is the highest standard of scrutiny [A tiered level of
H

scrutiny was indicated in what came to be known as the most famous footnote in constitutional
law, that is, fn 4 in United States v. Carolene Products Co., 1938 SCC OnLine US SC 93 : 82 L
Ed 1234 : 304 US 144 (1938). Depending on the graveness of the right at stake, the court adopts
a correspondingly rigorous standard of scrutiny.] that a court can adopt. It is from this menu that
a standard of review for limiting the right to privacy needs to be chosen.

379. At the very outset, if a privacy claim specifically flows only from one of the expressly
enumerated provisions under Article 19, then the standard of review would be as expressly
provided under Article 19. However, the possibility of a privacy claim being entirely traceable to
rights other than Article 21 is bleak. Without discounting that possibility, it needs to be noted
that Article 21 is the bedrock of the privacy guarantee. If the spirit of liberty permeates every
claim of privacy, it is difficult, if not impossible, to imagine that any standard of limitation other

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.574

than the one under Article 21 applies. It is for this reason that I will restrict the available options
to the latter two from the above described four.

380. The just, fair and reasonable standard of review under Article 21 needs no elaboration. It
has also most commonly been used in cases dealing with a privacy claim hitherto. [District
Registrar and Collector v. Canara Bank, (2005) 1 SCC 496 2004 Indlaw SC 975 : AIR 2005 SC
186 2004 Indlaw SC 975], [State of Maharashtra v. Bharat Shanti Lal Shah, (2008) 13 SCC 5
2008 Indlaw SC 1418] Gobind [Gobind v. State of M.P., (1975) 2 SCC 148 1975 Indlaw SC 629
: 1975 SCC (Cri) 468] resorted to the compelling State interest standard in addition to the Article
21 reasonableness enquiry. From the United States, where the terminology of "compelling State
interest" originated, a strict standard of scrutiny comprises two things-a "compelling State
interest" and a requirement of "narrow tailoring" (narrow tailoring means that the law must be
narrowly framed to achieve the objective). As a term, "compelling State interest" does not have
definite contours in the US. Hence, it is critical that this standard be adopted with some clarity as

LA
to when and in what types of privacy claims it is to be used. Only in privacy claims which
deserve the strictest scrutiny is the standard of compelling State interest to be used. As for others,

IM
the just, fair and reasonable standard under Article 21 will apply. When the compelling State
interest standard is to be employed, must depend upon the context of concrete cases. However,
this discussion sets the ground rules within which a limitation for the right to privacy is to be
SH
found."

82. In view of the aforesaid detailed discussion in all the opinions penned by six Hon'ble Judges,
it stands established, without any pale of doubt, that privacy has now been treated as part of
LU

fundamental rights. The Court has held, in no uncertain terms, that privacy has always been a
natural right which gives an individual freedom to exercise control over his or her personality.
The judgment further affirms three aspects of the fundamental right to privacy, namely:
PN

(i) intrusion with an individual's physical body;

(ii) informational privacy; and

H

(iii) privacy of choice.

83. As succinctly put by Nariman, J. first aspect involves the person himself/herself and guards a
person's rights relatable to his/her physical body thereby controlling the uncalled invasion by the
State. Insofar as the second aspect, namely, informational privacy is concerned, it does not deal
with a person's body but deals with a person's mind. In this manner, it protects a person by giving
her control over the dissemination of material that is personal to her and disallowing
unauthorised use of such information by the State. Third aspect of privacy relates to individual's
autonomy by protecting her fundamental personal choices. These aspects have functional
connection and relationship with dignity. In this sense, privacy is a postulate of human dignity
itself. Human dignity has a constitutional value and its significance is acknowledged by the
Preamble. Further, by catena of judgments, human dignity is treated as a fundamental right and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.575

as a facet not only of Article 21 but that of right to equality (Article 14) and also part of bouquet
of freedoms stipulated in Article 19. Therefore, privacy as a right is intrinsic of freedom, liberty
and dignity. Viewed in this manner, one can trace positive and negative contents of privacy. The
negative content restricts the State from committing an intrusion upon the life and personal
liberty of a citizen. Its positive content imposes an obligation on the State to take all necessary
measures to protect the privacy of the individual.

84. A brief summation of the judgment on privacy would indicate that privacy is treated as
fundamental right. It is predicated on the basis that privacy is a postulate of dignity and the
concept of dignity can be traced to the preamble of the Constitution as well as Article 21 thereof.
Further, privacy is considered as a subset of personal liberty thereby accepting the minority
opinion in Kharak Singh v. State of U.P. & Ors.AIR 1963 SC 1295 1962 Indlaw SC 577 Another
significant jurisprudential development of this judgment is that right to privacy as a fundamental
right is not limited to Article 21. On the contrary, privacy resonates through the entirety of Part

LA
III of the Constitution which pertains to fundamental rights and, in particular, Articles 14, 19 and
21. Privacy is also recognised as a natural right which inheres in individuals and is, thus,

IM
inalienable. In developing the aforesaid concepts, the Court has been receptive to the principles
in international law and international instruments. It is a recognition of the fact that certain
human rights cannot be confined within the bounds of geographical location of a nation but have
SH
universal application. In the process, the Court accepts the concept of universalisation of human
rights, including the right to privacy as a human right and the good practices in developing and
understanding such rights in other countries have been welcomed. In this hue, it can also be
remarked that comparative law has played a very significant role in shaping the aforesaid
LU

judgment on privacy in Indian context, notwithstanding the fact that such comparative law has
only a persuasive value.
PN

85. The whole process of reasoning contained in different opinions of the Hon'ble Judges would,
thus, reflect that the argument that it is difficult to precisely define the common denominator of
privacy, was rejected. While doing so, the Court referred to various approaches in formulating
H

privacy See the analysis of this judgment by the Centre for Internet and Society, https://cis-
india.org/internet-governance/blog/the-fundamental-right-to-privacy-an-analysis. An astute and
sagacious analysis of the judgment by the Centre for Internet and Society brings about the
following approaches which contributed to formulating the following right to privacy:

(a) Classifying privacy on the basis of 'harms', thereby adopting the approach conceptualised by
Daniel Solove. In his book, Understanding Privacy Daniel Solove, Understanding Privacy,
Cambridge, Massachusetts: Harvard University Press, 2008, Daniel Solove makes a case for
privacy being a family resemblance concept.

(b) Classifying privacy on the basis of 'interests': Gary Bostwick's taxonomy of privacy is among
the most prominent amongst the scholarship that sub-areas within the right to privacy protect
different 'interests' or 'justifications'. This taxonomy is adopted in Chelameswar, J.'s definition of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.576

'privacy' and includes the three interests of privacy of repose, privacy of sanctuary and privacy of
intimate decision. Repose is the 'right to be let alone', sanctuary is the interest which prevents
others from knowing, seeing and hearing thus keeping information within the private zone, and
finally, privacy of intimate decision protects the freedom to act autonomously.

(c) Classifying privacy as an 'aggregation of rights': This approach in classifying privacy as a

right, as highlighted above, is not limited to one particular provision in the Chapter of
Fundamental Rights under the Constitution but is associated with amalgam of different but
connected rights. In formulating this principle, the Court has referred to scholars like Roger
Clarke, Anita Allen etc. It has led to the recognition of private spaces or zones as protected under
the right to privacy (thereby extending the ambit and scope of spatial privacy), informational
privacy and decisional autonomy.

86. The important question that arises, which is directly involved in these cases, is:

LA
What is the scope of the right to privacy and in what circumstances such a right can be limited?

IM
87. Concededly, fundamental rights are not absolute. The Constitution itself permits State to
impose reasonable restrictions on these rights under certain circumstances. Thus, extent and
scope of the right to privacy and how and when it can be limited by the State actions is also to be
SH
discerned. As noted above, Nariman, J. has led the path by observing that "when it comes to
restrictions on this right, the drill of various Articles to which the right relates must be
scrupulously followed". Therefore, examination has to be from the point of view of Articles 14,
19 and 21 for the reason that right to privacy is treated as having intimate connection to various
LU

rights in Part III and is not merely related to Article 21. Looked from this angle, the action of the
State will have to be tested on the touchstone of Article 14. This judgment clarifies that the
'classification' test adopted earlier has to be expanded and instead the law/action is to be tested
PN

on the ground of 'manifest arbitrariness'. This aspect has already been discussed in detail under
the caption 'Scope of Judicial Review' above. When it comes to examining the 'restrictions' as per
the provisions of Article 19 of the Constitution, the judgment proceeds to clarify that a law
H

which impacts dignity and liberty under Article 21, as well as having chilling effects on free
speech which is protected by Article 19(1)(a), must satisfy the standards of judicial review under
both provisions. Therefore, such restriction must satisfy the test of judicial review under: (i) one
of the eight grounds mentioned under Article 19(2); and (ii) the restriction should be reasonable.
This Court has applied multiple standards to determine reasonableness, including proximity,
arbitrariness, and proportionality. Further, the reasonable restrictions must be in the interests of:
(i) the sovereignty and integrity of India, (ii) the security of the State, (iii) friendly relations with
foreign States, (iv) public order, (v) decency or morality or (vi) in relation to contempt of court,
(vii) defamation or (viii) incitement to an offence.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.577

88. The judgment further lays down that in the context of Article 21, the test to be applied while
examining a particular provision is the 'just, fair and reasonable test' thereby bringing notion of
proportionality.

89. The petitioners have sought to build their case on the aforesaid parameters of privacy and
have submitted that this right of privacy, which is now recognised as a fundamental right, stands
violated by the very fabric contained in the scheme of Aadhaar. It is sought to be highlighted that
the data which is collected by the State, particularly with the authentication of each transaction
entered into by an individual, can be assimilated to construct a profile of such an individual and
it particularly violates informational privacy. No doubt, there can be reasonable restrictions on
this right, which is conceded by the petitioners. It is, however, argued that right to privacy cannot
be impinged without a just, fair and reasonable law. Therefore, in the first instance, any intrusion
into the privacy of a person has to be backed by a law. Further, such a law, to be valid, has to
pass the test of legitimate aim which it should serve and also proportionality i.e. proportionate to

LA
the need for such interference. Not only this, the law in question must also provide procedural
guarantees against abuse of such interference.

IM
90. At the same time, it can also be deduced from the reading of the aforesaid judgment that the
reasonable expectation of privacy may vary from the intimate zone to the private zone and from
SH
the private zone to the public arena. Further, privacy is not lost or surrendered merely because
the individual is in a public place. For example, if a person was to post on Facebook vital
information about himself, the same being in public domain, he would not be entitled to claim
privacy right. This aspect is highlighted by some of the Hon'ble Judges as under:
LU

Dr. D.Y. Chandrachud, J.:

"297. What, then, does privacy postulate? Privacy postulates the reservation of a private space
PN

for the individual, described as the right to be let alone. The concept is founded on the autonomy
of the individual. The ability of an individual to make choices lies at the core of the human
personality. The notion of privacy enables the individual to assert and control the human element
H

which is inseparable from the personality of the individual. The inviolable nature of the human
personality is manifested in the ability to make decisions on matters intimate to human life. The
autonomy of the individual is associated over matters which can be kept private. These are
concerns over which there is a legitimate expectation of privacy. The body and the mind are
inseparable elements of the human personality. The integrity of the body and the sanctity of the
mind can exist on the foundation that each individual possesses an inalienable ability and right to
preserve a private space in which the human personality can develop. Without the ability to make
choices, the inviolability of the personality would be in doubt. Recognising a zone of privacy is
but an acknowledgment that each individual must be entitled to chart and pursue the course of
development of personality. Hence privacy is a postulate of human dignity itself. Thoughts and
behavioural patterns which are intimate to an individual are entitled to a zone of privacy where
one is free of social expectations. In that zone of privacy, an individual is not judged by others.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.578

Privacy enables each individual to take crucial decisions which find expression in the human
personality. It enables individuals to preserve their beliefs, thoughts, expressions, ideas,
ideologies, preferences and choices against societal demands of homogeneity. Privacy is an
intrinsic recognition of heterogeneity, of the right of the individual to be different and to stand
against the tide of conformity in creating a zone of solitude. Privacy protects the individual from
the searching glare of publicity in matters which are personal to his or her life. Privacy attaches
to the person and not to the place where it is associated. Privacy constitutes the foundation of all
liberty because it is in privacy that the individual can decide how liberty is best exercised.
Individual dignity and privacy are inextricably linked in a pattern woven out of a thread of
diversity into the fabric of a plural culture.

xx xx xx

299. Privacy represents the core of the human personality and recognises the ability of each

LA
individual to make choices and to take decisions governing matters intimate and personal. Yet, it
is necessary to acknowledge that individuals live in communities and work in communities.
Their personalities affect and, in turn are shaped by their social environment. The individual is

IM
not a hermit. The lives of individuals are as much a social phenomenon. In their interactions with
others, individuals are constantly engaged in behavioural patterns and in relationships impacting
SH
on the rest of society. Equally, the life of the individual is being consistently shaped by cultural
and social values imbibed from living in the community. This state of flux which represents a
constant evolution of individual personhood in the relationship with the rest of society provides
the rationale for reserving to the individual a zone of repose. The lives which individuals lead as
LU

members of society engender a reasonable expectation of privacy. The notion of a reasonable

expectation of privacy has elements both of a subjective and objective nature. Privacy at a
subjective level is a reflection of those areas where an individual desires to be left alone. On an
PN

objective plane, privacy is defined by those constitutional values which shape the content of the
protected zone where the individual ought to be left alone. The notion that there must exist a
reasonable expectation of privacy ensures that while on the one hand, the individual has a
H

protected zone of privacy, yet on the other, the exercise of individual choices is subject to the
rights of others to lead orderly lives. For instance, an individual who possesses a plot of land
may decide to build upon it subject to zoning regulations. If the building bye-laws define the area
upon which construction can be raised or the height of the boundary wall around the property,
the right to privacy of the individual is conditioned by regulations designed to protect the
interests of the community in planned spaces. Hence while the individual is entitled to a zone of
privacy, its extent is based not only on the subjective expectation of the individual but on an
objective principle which defines a reasonable expectation.

xx xx xx

307. The sphere of privacy stretches at one end to those intimate matters to which a reasonable
expectation of privacy may attach. It expresses a right to be left alone. A broader connotation

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.579

which has emerged in academic literature of a comparatively recent origin is related to the
protection of one's identity. Data protection relates closely with the latter sphere. Data such as
medical information would be a category to which a reasonable expectation of privacy attaches.
There may be other data which falls outside the reasonable expectation paradigm. Apart from
safeguarding privacy, data protection regimes seek to protect the autonomy of the individual.
This is evident from the emphasis in the European data protection regime on the centrality of
consent. Related to the issue of consent is the requirement of transparency which requires a
disclosure by the data recipient of information pertaining to data transfer and use."

S.A. Bobde, J:

"421. Shri Rakesh Dwivedi, appearing for the State of Gujarat, while referring to several
judgments of the Supreme Court of the United States, submitted that only those privacy claims
which involve a "reasonable expectation of privacy" be recognised as protected by the

LA
fundamental right. It is not necessary for the purpose of this case to deal with the particular
instances of privacy claims which are to be recognised as implicating a fundamental right.
Indeed, it would be premature to do so. The scope and ambit of a constitutional protection of

IM
privacy can only be revealed to us on a case-by-case basis."

91. Though Nariman, J. did not subscribe to the aforesaid view in totality, however, His Lordship
SH
has also given an example that if a person has to post on Facebook vital information, the same
being in public domain, she would not be entitled to the claim of privacy right.

92. We would also like to reproduce following discussion, in the opinion authored by Nariman,
LU

J., giving the guidance as to how a law has to be tested when it is challenged on the ground that it
violates the fundamental right to privacy:
PN

"...Statutory provisions that deal with aspects of privacy would continue to be tested on the
ground that they would violate the fundamental right to privacy, and would not be struck down,
if it is found on a balancing test that the social or public interest and the reasonableness of the
H

restrictions would outweigh the particular aspect of privacy claimed. If this is so, then statutes
which would enable the State to contractually obtain information about persons would pass
muster in given circumstances, provided they safeguard the individual right to privacy as well. A
simple example would suffice. If a person was to paste on Facebook vital information about
himself/herself, such information, being in the public domain, could not possibly be claimed as a
privacy right after such disclosure. But, in pursuance of a statutory requirement, if certain details
need to be given for the statutory purpose concerned, then such details would certainly affect the
right to privacy, but would on a balance, pass muster as the State action concerned has sufficient
inbuilt safeguards to protect this right-viz. the fact that such information cannot be disseminated
to anyone else, save on compelling grounds of public interest."

93. One important comment which needs to be made at this stage relates to the standard of
judicial review while examining the validity of a particular law that allegedly infringes right to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.580

privacy. The question is as to whether the Court is to apply 'strict scrutiny' standard or the 'just,
fair and reasonableness' standard. In the privacy judgment, different observations are made by
different Hon'ble Judges and the aforesaid aspect is not determined authoritatively, may be for
the reason that the Bench was deciding the reference on the issue as to whether right to privacy is
a fundamental right or not and, in the process, it was called upon to decide the specific questions
referred to it. We have dealt with this aspect at the appropriate stage.

Dr. D.Y. Chandrachud, J.:

326. Privacy has both positive and negative content. The negative content restrains the State
from committing an intrusion upon the life and personal liberty of a citizen. Its positive content
imposes an obligation on the State to take all necessary measures to protect the privacy of the
individual."

LA
(v) Informational Privacy is a facet of right to privacy: The old adage that 'knowledge is power'
has stark implications for the position of individual where data is ubiquitous, an all-
encompassing presence. Every transaction of an individual user leaves electronic tracks without

IM
her knowledge. Individually these information silos may seem inconsequential. In aggregation,
information provides a picture of the beings. The challenges which big data poses to privacy
emanate from both State and non-State entities. This proposition is described in the following
SH
manner:

Dr. D.Y. Chandrachud, J.:

LU

300. Ours is an age of information. Information is knowledge. The old adage that "knowledge is
power" has stark implications for the position of the individual where data is ubiquitous, an all-
encompassing presence. Technology has made life fundamentally interconnected. The internet
PN

has become all-pervasive as individuals spend more and more time online each day of their lives.
Individuals connect with others and use the internet as a means of communication. The internet
is used to carry on business and to buy goods and services. Individuals browse the web in search
H

of information, to send e-mails, use instant messaging services and to download movies. Online
purchases have become an efficient substitute for the daily visit to the neighbouring store. Online
banking has redefined relationships between bankers and customers. Online trading has created a
new platform for the market in securities. Online music has refashioned the radio. Online books
have opened up a new universe for the bibliophile. The old-fashioned travel agent has been
rendered redundant by web portals which provide everything from restaurants to rest houses,
airline tickets to art galleries, museum tickets to music shows. These are but a few of the reasons
people access the internet each day of their lives. Yet every transaction of an individual user and
every site that she visits, leaves electronic tracks generally without her knowledge. These
electronic tracks contain powerful means of information which provide knowledge of the sort of
person that the user is and her interests [See Francois Nawrot, Katarzyna Syska and Przemyslaw
Switalski, "Horizontal Application of Fundamental Rights - Right to Privacy on the Internet", 9th

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.581

Annual European Constitutionalism Seminar (May 2010), University of Warsaw, available at
<http://en.zpc.wpia.uw.edu.pl/wp-content/uploads/2010/04/9_Horizontal_Application_of_Fun
damental_Rights.pdf>.]. Individually, these information silos may seem inconsequential. In
aggregation, they disclose the nature of the personality: food habits, language, health, hobbies,
sexual preferences, friendships, ways of dress and political affiliation. In aggregation,
information provides a picture of the being: of things which matter and those that do not, of
things to be disclosed and those best hidden.

xx xx xx

304. Data mining processes together with knowledge discovery can be combined to create facts
about individuals. Metadata and the internet of things have the ability to redefine human
existence in ways which are yet fully to be perceived. This, as Christina Moniodis states in her
illuminating article, results in the creation of new knowledge about individuals; something which

LA
even she or he did not possess. This poses serious issues for the Court. In an age of rapidly
evolving technology it is impossible for a Judge to conceive of all the possible uses of
information or its consequences:

IM
"... The creation of new knowledge complicates data privacy law as it involves information the
individual did not possess and could not disclose, knowingly or otherwise. In addition, as our
SH
State becomes an "information State" through increasing reliance on information-such that
information is described as the "lifeblood that sustains political, social, and business decisions. It
becomes impossible to conceptualize all of the possible uses of information and resulting harms.
LU

Such a situation poses a challenge for courts who are effectively asked to anticipate and remedy
invisible, evolving harms." [Christina P. Moniodis, "Moving from Nixon to NASA: Privacy's
Second Strand - A Right to Informational Privacy", Yale Journal of Law and Technology (2012),
PN

Vol. 15 (1), at p. 154.]

The contemporary age has been aptly regarded as "an era of ubiquitous dataveillance, or the
systematic monitoring of citizen's communications or actions through the use of information
H

technology" [Yvonne McDermott, "Conceptualizing the Right to Data Protection in an Era of

Big Data", Big Data and Society (2017), at p. 1.]. It is also an age of "big data" or the collection
of data sets. These data sets are capable of being searched; they have linkages with other data
sets; and are marked by their exhaustive scope and the permanency of collection. [Id, at pp. 1 and
4.] The challenges which big data poses to privacy interests emanate from State and non-State
entities. Users of wearable devices and social media networks may not conceive of themselves as
having volunteered data but their activities of use and engagement result in the generation of vast
amounts of data about individual lifestyles, choices and preferences. Yvonne McDermott speaks
about the quantified self in eloquent terms:

"... The rise in the so-called 'quantified self', or the self-tracking of biological, environmental,
physical, or behavioural information through tracking devices, Internet-of-things devices, social

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.582

network data and other means (?Swan.2013) may result in information being gathered not just
about the individual user, but about people around them as well. Thus, a solely consent-based
model does not entirely ensure the protection of one's data, especially when data collected for
one purpose can be repurposed for another." [Id, at p. 4.]

xx xx xx

328. Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of
information can originate not only from the State but from non-State actors as well. We
commend to the Union Government the need to examine and put into place a robust regime for
data protection. The creation of such a regime requires a careful and sensitive balance between
individual interests and legitimate concerns of the State. The legitimate aims of the State would
include for instance protecting national security, preventing and investigating crime, encouraging
innovation and the spread of knowledge, and preventing the dissipation of social welfare

LA
benefits. These are matters of policy to be considered by the Union Government while designing
a carefully structured regime for the protection of the data. Since the Union Government has
informed the Court that it has constituted a Committee chaired by Hon'ble Shri Justice B.N.

IM
Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with
appropriately by the Union Government having due regard to what has been set out in this
SH
judgment.

S.K. Kaul, J.:

585. The growth and development of technology has created new instruments for the possible
LU

invasion of privacy by the State, including through surveillance, profiling and data collection and
processing. Surveillance is not new, but technology has permitted surveillance in ways that are
unimaginable. Edward Snowden shocked the world with his disclosures about global
PN

surveillance. States are utilising technology in the most imaginative ways particularly in view of
increasing global terrorist attacks and heightened public safety concerns. One such technique
being adopted by the States is "profiling". The European Union Regulation of 2016 [Regulation
H

No. (EU) 2016/679 of the European Parliament and of the Council of 27-4-2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive No. 95/46/EC (General Data Protection
Regulation).] on data privacy defines "profiling" as any form of automated processing of
personal data consisting of the use of personal data to evaluate certain personal aspects relating
to a natural person, in particular to analyse or predict aspects concerning that natural person's
performance at work, economic situation, health, personal preferences, interests, reliability,
behaviour, location or movements [Regulation No. (EU) 2016/679 of the European Parliament
and of the Council of 27-4-2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and repealing Directive No.
95/46/EC (General Data Protection Regulation).]. Such profiling can result in discrimination

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.583

based on religion, ethnicity and caste. However, "profiling" can also be used to further public
interest and for the benefit of national security.

586. The security environment, not only in our country, but throughout the world makes the
safety of persons and the State a matter to be balanced against this right to privacy.

587. The capacity of non-State actors to invade the home and privacy has also been enhanced.
Technological development has facilitated journalism that is more intrusive than ever before.

588. Further, in this digital age, individuals are constantly generating valuable data which can be
used by non-State actors to track their moves, choices and preferences. Data is generated not just
by active sharing of information, but also passively, with every click on the "world wide web".
We are stated to be creating an equal amount of information every other day, as humanity
created from the beginning of recorded history to the year 2003 - enabled by the "world wide

LA
web". [Michael L. Rustad, SannaKulevska, "Reconceptualizing the right to be forgotten to
enable transatlantic data flow", (2015) 28 Harv JL & Tech 349.]

IM
589. Recently, it was pointed out that " "Uber", the world's largest taxi company, owns no
vehicles. "Facebook", the world's most popular media owner, creates no content. "Alibaba", the
most valuable retailer, has no inventory. And "Airbnb", the world's largest accommodation
SH
provider, owns no real estate. Something interesting is happening." [Tom Goodwin "The Battle
is for Customer Interface", https://techcrunch.com/2015/03/03/in-the-age-of-disintermediation-
the-battle-is-all-for-the-customer-interface/.] "Uber" knows our whereabouts and the places we
frequent. "Facebook" at the least, knows who we are friends with. "Alibaba" knows our shopping
LU

habits. "Airbnb" knows where we are travelling to. Social network providers, search engines, e-
mail service providers, messaging applications are all further examples of non-State actors that
have extensive knowledge of our movements, financial transactions, conversations - both
PN

personal and professional, health, mental state, interest, travel locations, fares and shopping
habits. As we move towards becoming a digital economy and increase our reliance on internet-
based services, we are creating deeper and deeper digital footprints - passively and actively.
H

590. These digital footprints and extensive data can be analysed computationally to reveal
patterns, trends, and associations, especially relating to human behaviour and interactions and
hence, is valuable information. This is the age of "big data". The advancement in technology has
created not just new forms of data, but also new methods of analysing the data and has led to the
discovery of new uses for data. The algorithms are more effective and the computational power
has magnified exponentially. A large number of people would like to keep such search history
private, but it rarely remains private, and is collected, sold and analysed for purposes such as
targeted advertising. Of course, "big data" can also be used to further public interest. There may
be cases where collection and processing of big data is legitimate and proportionate, despite
being invasive of privacy otherwise.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.584

591. Knowledge about a person gives a power over that person. The personal data collected is
capable of effecting representations, influencing decision-making processes and shaping
behaviour. It can be used as a tool to exercise control over us like the "big brother" State
exercised. This can have a stultifying effect on the expression of dissent and difference of
opinion, which no democracy can afford.

592. Thus, there is an unprecedented need for regulation regarding the extent to which such
information can be stored, processed and used by non-State actors. There is also a need for
protection of such information from the State. Our Government was successful in compelling
Blackberry to give to it the ability to intercept data sent over Blackberry devices. While such
interception may be desirable and permissible in order to ensure national security, it cannot be
unregulated. [Kadhim Shubber, "Blackberry gives Indian Government ability to intercept
messages" published by Wired on 11-7-2013 <http://www.wired.co.uk/article/blackberry-
india>.]

LA
593. The concept of "invasion of privacy" is not the early conventional thought process of
"poking ones nose in another person's affairs". It is not so simplistic. In today's world, privacy is

IM
a limit on the Government's power as well as the power of private sector entities. [Daniel Solove,
"10 Reasons Why Privacy Matters" published on 20-1-2014 https://www.teachprivacy.com/10-
SH
reasons-privacy-matters/.]

594. George Orwell created a fictional State in Nineteen Eighty-Four. Today, it can be a reality.
The technological development today can enable not only the State, but also big corporations and
LU

private entities to be the "big brother".

xx xx xx
PN

629. The right of an individual to exercise control over his personal data and to be able to control
his/her own life would also encompass his right to control his existence on the internet. Needless
to say that this would not be an absolute right. The existence of such a right does not imply that a
H

criminal can obliterate his past, but that there are variant degrees of mistakes, small and big, and
it cannot be said that a person should be profiled to the nth extent for all and sundry to know.

630. A high school teacher was fired after posting on her Facebook page that she was "so not
looking forward to another [school] year" since the school district's residents were "arrogant and
snobby". A flight attendant was fired for posting suggestive photos of herself in the company's
uniform. [Patricia Sanchez Abril, "Blurred Boundaries: Social Media Privacy and the Twenty-
First-Century Employee", 49 Am Bus LJ 63 at p. 69 (2012).] In the pre-digital era, such
incidents would have never occurred. People could then make mistakes and embarrass
themselves, with the comfort that the information will be typically forgotten over time.

631. The impact of the digital age results in information on the internet being permanent.
Humans forget, but the internet does not forget and does not let humans forget. Any endeavour to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.585

remove information from the internet does not result in its absolute obliteration. The footprints
remain. It is thus, said that in the digital world preservation is the norm and forgetting a struggle
[Ravi Antani, "THE RESISTANCE OF MEMORY : COULD THE EUROPEAN UNION'S
RIGHT TO BE FORGOTTEN EXIST IN THE UNITED STATES?", 30 Berkeley Tech LJ 1173
(2015).].

632. The technology results almost in a sort of a permanent storage in some way or the other
making it difficult to begin life again giving up past mistakes. People are not static, they change
and grow through their lives. They evolve. They make mistakes. But they are entitled to re-
invent themselves and reform and correct their mistakes. It is privacy which nurtures this ability
and removes the shackles of unadvisable things which may have been done in the past.

633. Children around the world create perpetual digital footprints on social network websites on
a 24/7 basis as they learn their "ABCs": Apple, Bluetooth and chat followed by download, e-

LA
mail, Facebook, Google, Hotmail and Instagram. [Michael L. Rustad, SannaKulevska,
"Reconceptualizing the right to be forgotten to enable transatlantic data flow", (2015) 28 Harv JL
& Tech 349.] They should not be subjected to the consequences of their childish mistakes and

IM
naivety, their entire life. Privacy of children will require special protection not just in the context
of the virtual world, but also the real world.
SH
634. People change and an individual should be able to determine the path of his life and not be
stuck only on a path of which he/she treaded initially. An individual should have the capacity to
change his/her beliefs and evolve as a person. Individuals should not live in fear that the views
LU

they expressed will forever be associated with them and thus refrain from expressing themselves.

635. Whereas this right to control dissemination of personal information in the physical and
virtual space should not amount to a right of total eraser of history, this right, as a part of the
PN

larger right to privacy, has to be balanced against other fundamental rights like the freedom of
expression, or freedom of media, fundamental to a democratic society.
H

636. Thus, the European Union Regulation of 2016 [Regulation No. (EU) 2016/679 of the
European Parliament and of the Council of 27-4-2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and repealing
Directive No. 95/46/EC (General Data Protection Regulation).] has recognised what has been
termed as "the right to be forgotten". This does not mean that all aspects of earlier existence are
to be obliterated, as some may have a social ramification. If we were to recognise a similar right,
it would only mean that an individual who is no longer desirous of his personal data to be
processed or stored, should be able to remove it from the system where the personal
data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest.
Such a right cannot be exercised where the information/data is necessary, for exercising the right
of freedom of expression and information, for compliance with legal obligations, for the
performance of a task carried out in public interest, on the grounds of public interest in the area

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.586

of public health, for archiving purposes in the public interest, scientific or historical research
purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
Such justifications would be valid in all cases of breach of privacy, including breaches of data
privacy."

(vi) Right to privacy cannot be impinged without a just, fair and reasonable law: It has to fulfill
the test of proportionality i.e. (i) existence of a law; (ii) must serve a legitimate State aim; and
(iii) proportionality.

"Dr. D.Y. Chandrachud, J. :

310. While it intervenes to protect legitimate State interests, the State must nevertheless put into
place a robust regime that ensures the fulfilment of a threefold requirement. These three
requirements apply to all restraints on privacy (not just informational privacy). They emanate

LA
from the procedural and content-based mandate of Article 21. The first requirement that there
must be a law in existence to justify an encroachment on privacy is an express requirement of
Article 21. For, no person can be deprived of his life or personal liberty except in accordance

IM
with the procedure established by law. The existence of law is an essential requirement. Second,
the requirement of a need, in terms of a legitimate State aim, ensures that the nature and content
of the law which imposes the restriction falls within the zone of reasonableness mandated by
SH
Article 14, which is a guarantee against arbitrary State action. The pursuit of a legitimate State
aim ensures that the law does not suffer from manifest arbitrariness. Legitimacy, as a postulate,
involves a value judgment. Judicial review does not reappreciate or second guess the value
LU

judgment of the legislature but is for deciding whether the aim which is sought to be pursued
suffers from palpable or manifest arbitrariness. The third requirement ensures that the means
which are adopted by the legislature are proportional to the object and needs sought to be
PN

fulfilled by the law. Proportionality is an essential facet of the guarantee against arbitrary State
action because it ensures that the nature and quality of the encroachment on the right is not
disproportionate to the purpose of the law. Hence, the threefold requirement for a valid law
H

arises out of the mutual interdependence between the fundamental guarantees against
arbitrariness on the one hand and the protection of life and personal liberty, on the other. The
right to privacy, which is an intrinsic part of the right to life and liberty, and the freedoms
embodied in Part III is subject to the same restraints which apply to those freedoms.

311. Apart from national security, the State may have justifiable reasons for the collection and
storage of data. In a social welfare State, the Government embarks upon programmes which
provide benefits to impoverished and marginalised sections of society. There is a vital State
interest in ensuring that scarce public resources are not dissipated by the diversion of resources
to persons who do not qualify as recipients. Allocation of resources for human development is
coupled with a legitimate concern that the utilisation of resources should not be siphoned away
for extraneous purposes. Data mining with the object of ensuring that resources are properly
deployed to legitimate beneficiaries is a valid ground for the State to insist on the collection of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.587

authentic data. But, the data which the State has collected has to be utilised for legitimate
purposes of the State and ought not to be utilised unauthorisedly for extraneous purposes. This
will ensure that the legitimate concerns of the State are duly safeguarded while, at the same time,
protecting privacy concerns. Prevention and investigation of crime and protection of the revenue
are among the legitimate aims of the State. Digital platforms are a vital tool of ensuring good
governance in a social welfare State. Information technology-legitimately deployed is a powerful
enabler in the spread of innovation and knowledge.

312. A distinction has been made in contemporary literature between anonymity on one hand and
privacy on the other. [See in this connection, Jeffrey M. Skopek, "Reasonable Expectations of
Anonymity", Virginia Law Review (2015), Vol. 101, at pp. 691-762.] Both anonymity and
privacy prevent others from gaining access to pieces of personal information yet they do so in
opposite ways. Privacy involves hiding information whereas anonymity involves hiding what
makes it personal. An unauthorised parting of the medical records of an individual which have

LA
been furnished to a hospital will amount to an invasion of privacy. On the other hand, the State
may assert a legitimate interest in analysing data borne from hospital records to understand and

IM
deal with a public health epidemic such as malaria or dengue to obviate a serious impact on the
population. If the State preserves the anonymity of the individual it could legitimately assert a
valid State interest in the preservation of public health to design appropriate policy interventions
SH
on the basis of the data available to it.

313. Privacy has been held to be an intrinsic element of the right to life and personal liberty
under Article 21 and as a constitutional value which is embodied in the fundamental freedoms
LU

embedded in Part III of the Constitution. Like the right to life and liberty, privacy is not absolute.
The limitations which operate on the right to life and personal liberty would operate on the right
to privacy. Any curtailment or deprivation of that right would have to take place under a regime
PN

of law. The procedure established by law must be fair, just and reasonable. The law which
provides for the curtailment of the right must also be subject to constitutional safeguards.
H

xx xx xx

325. Like other rights which form part of the fundamental freedoms protected by Part III,
including the right to life and personal liberty under Article 21, privacy is not an absolute right.
A law which encroaches upon privacy will have to withstand the touchstone of permissible
restrictions on fundamental rights. In the context of Article 21 an invasion of privacy must be
justified on the basis of a law which stipulates a procedure which is fair, just and reasonable. The
law must also be valid with reference to the encroachment on life and personal liberty under
Article 21. An invasion of life or personal liberty must meet the threefold requirement of (i)
legality, which postulates the existence of law; (ii) need, defined in terms of a legitimate State
aim; and (iii) proportionality which ensures a rational nexus between the objects and the means
adopted to achieve them.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.588

S.A. Bobde, J. :

426. There is no doubt that privacy is integral to the several fundamental rights recognised by
Part III of the Constitution and must be regarded as a fundamental right itself. The relationship
between the right to privacy and the particular fundamental right (or rights) involved would
depend on the action interdicted by a particular law. At a minimum, since privacy is always
integrated with personal liberty, the constitutionality of the law which is alleged to have invaded
into a rights bearer's privacy must be tested by the same standards by which a law which invades
personal liberty under Article 21 is liable to be tested. Under Article 21, the standard test at
present is the rationality review expressed in Maneka Gandhi case [Maneka Gandhi v. Union of
India, (1978) 1 SCC 248 1978 Indlaw SC 212]. This requires that any procedure by which the
State interferes with an Article 21 right to be "fair, just and reasonable, not fanciful, oppressive
or arbitrary" [Maneka Gandhi v. Union of India, (1978) 1 SCC 248 1978 Indlaw SC 212 at p.
323, para 48].

LA
R.F. Nariman, J. :

IM
526. But this is not to say that such a right is absolute. This right is subject to reasonable
regulations made by the State to protect legitimate State interests or public interest. However,
when it comes to restrictions on this right, the drill of various articles to which the right relates
SH
must be scrupulously followed. For example, if the restraint on privacy is over fundamental
personal choices that an individual is to make, State action can be restrained under Article 21
read with Article 14 if it is arbitrary and unreasonable; and under Article 21 read with Article
LU

19(1) (a) only if it relates to the subjects mentioned in Article 19(2) and the tests laid down by
this Court for such legislation or subordinate legislation to pass muster under the said article.
Each of the tests evolved by this Court, qua legislation or executive action, under Article 21 read
PN

with Article 14; or Article 21 read with Article 19(1)(a) in the aforesaid examples must be met in
order that State action pass muster. In the ultimate analysis, the balancing act that is to be carried
out between individual, societal and State interests must be left to the training and expertise of
H

the judicial mind.

S.K. Kaul, J. :

638. The concerns expressed on behalf of the petitioners arising from the possibility of the State
infringing the right to privacy can be met by the test suggested for limiting the discretion of the
State:

"(i) The action must be sanctioned by law;

(ii) The proposed action must be necessary in a democratic society for a legitimate aim;

(iii) The extent of such interference must be proportionate to the need for such interference;

(iv) There must be procedural guarantees against abuse of such interference."

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.589

Chelameswar, J.:

377. It goes without saying that no legal right can be absolute. Every right has limitations. This
aspect of the matter is conceded at the Bar. Therefore, even a fundamental right to privacy has
limitations. The limitations are to be identified on case-to-case basis depending upon the nature
of the privacy interest claimed. There are different standards of review to test infractions of
fundamental rights. While the concept of reasonableness overarches Part III, it operates
differently across Articles (even if only slightly differently across some of them). Having
emphatically interpreted the Constitution's liberty guarantee to contain a fundamental right to
privacy, it is necessary for me to outline the manner in which such a right to privacy can be
limited. I only do this to indicate the direction of the debate as the nature of limitation is not at
issue here.

378. To begin with, the options canvassed for limiting the right to privacy include an Article 14

LA
type reasonableness enquiry [A challenge under Article 14 can be made if there is an
unreasonable classification and/or if the impugned measure is arbitrary. The classification is
unreasonable if there is no intelligible differentia justifying the classification and if the

IM
classification has no rational nexus with the objective sought to be achieved. Arbitrariness,
which was first explained at para 85 of E.P. Royappa v. State of T.N., (1974) 4 SCC 3 1973
SH
Indlaw SC 66 : 1974 SCC (L&S) 165 : AIR 1974 SC 555 1973 Indlaw SC 66, is very simply the
lack of any reasoning.]; limitation as per the express provisions of Article 19; a just, fair and
reasonable basis (that is, substantive due process) for limitation per Article 21; and finally, a just,
fair and reasonable standard per Article 21 plus the amorphous standard of "compelling State
LU

interest". The last of these four options is the highest standard of scrutiny [A tiered level of
scrutiny was indicated in what came to be known as the most famous footnote in constitutional
law, that is, fn 4 in United States v. Carolene Products Co., 1938 SCC OnLine US SC 93 : 82 L
PN

Ed 1234 : 304 US 144 (1938). Depending on the graveness of the right at stake, the court adopts
a correspondingly rigorous standard of scrutiny.] that a court can adopt. It is from this menu that
a standard of review for limiting the right to privacy needs to be chosen.
H

379. At the very outset, if a privacy claim specifically flows only from one of the expressly
enumerated provisions under Article 19, then the standard of review would be as expressly
provided under Article 19. However, the possibility of a privacy claim being entirely traceable to
rights other than Article 21 is bleak. Without discounting that possibility, it needs to be noted
that Article 21 is the bedrock of the privacy guarantee. If the spirit of liberty permeates every
claim of privacy, it is difficult, if not impossible, to imagine that any standard of limitation other
than the one under Article 21 applies. It is for this reason that I will restrict the available options
to the latter two from the above described four.

380. The just, fair and reasonable standard of review under Article 21 needs no elaboration. It
has also most commonly been used in cases dealing with a privacy claim hitherto. [District
Registrar and Collector v. Canara Bank, (2005) 1 SCC 496 2004 Indlaw SC 975 : AIR 2005 SC

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.590

186 2004 Indlaw SC 975], [State of Maharashtra v. Bharat Shanti Lal Shah, (2008) 13 SCC 5
2008 Indlaw SC 1418] Gobind [Gobind v. State of M.P., (1975) 2 SCC 148 1975 Indlaw SC 629
: 1975 SCC (Cri) 468] resorted to the compelling State interest standard in addition to the Article
21 reasonableness enquiry. From the United States, where the terminology of "compelling State
interest" originated, a strict standard of scrutiny comprises two things-a "compelling State
interest" and a requirement of "narrow tailoring" (narrow tailoring means that the law must be
narrowly framed to achieve the objective). As a term, "compelling State interest" does not have
definite contours in the US. Hence, it is critical that this standard be adopted with some clarity as
to when and in what types of privacy claimsit is to be used. Only in privacy claims which
deserve the strictest scrutiny is the standard of compelling State interest to be used. As for others,
the just, fair and reasonable standard under Article 21 will apply. When the compelling State
interest standard is to be employed, must depend upon the context of concrete cases. However,
this discussion sets the ground rules within which a limitation for the right to privacy is to be

LA
found."

82. In view of the aforesaid detailed discussion in all the opinions penned by six Hon'ble Judges,

IM
it stands established, without any pale of doubt, that privacy has now been treated as part of
fundamental rights. The Court has held, in no uncertain terms, that privacy has always been a
natural right which gives an individual freedom to exercise control over his or her personality.
SH
The judgment further affirms three aspects of the fundamental right to privacy, namely:

(i) intrusion with an individual's physical body;

LU

(ii) informational privacy; and

(iii) privacy of choice.

PN

83. As succinctly put by Nariman, J. first aspect involves the person himself/herself and guards a
person's rights relatable to his/her physical body thereby controlling the uncalled invasion by the
State. Insofar as the second aspect, namely, informational privacy is concerned, it does not deal
H

with a person's body but deals with a person's mind. In this manner, it protects a person by giving
her control over the dissemination of material that is personal to her and disallowing
unauthorised use of such information by the State. Third aspect of privacy relates to individual's
autonomy by protecting her fundamental personal choices. These aspects have functional
connection and relationship with dignity. In this sense, privacy is a postulate of human dignity
itself. Human dignity has a constitutional value and its significance is acknowledged by the
Preamble. Further, by catena of judgments, human dignity is treated as a fundamental right and
as a facet not only of Article 21 but that of right to equality (Article 14) and also part of bouquet
of freedoms stipulated in Article 19. Therefore, privacy as a right is intrinsic of freedom, liberty
and dignity. Viewed in this manner, one can trace positive and negative contents of privacy. The
negative content restricts the State from committing an intrusion upon the life and personal

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.591

liberty of a citizen. Its positive content imposes an obligation on the State to take all necessary
measures to protect the privacy of the individual.

84. A brief summation of the judgment on privacy would indicate that privacy is treated as
fundamental right. It is predicated on the basis that privacy is a postulate of dignity and the
concept of dignity can be traced to the preamble of the Constitution as well as Article 21 thereof.
Further, privacy is considered as a subset of personal liberty thereby accepting the minority
opinion in Kharak Singh v. State of U.P. & Ors.AIR 1963 SC 1295 1962 Indlaw SC 577 Another
significant jurisprudential development of this judgment is that right to privacy as a fundamental
right is not limited to Article 21. On the contrary, privacy resonates through the entirety of Part
III of the Constitution which pertains to fundamental rights and, in particular, Articles 14, 19 and
21. Privacy is also recognised as a natural right which inheres in individuals and is, thus,
inalienable. In developing the aforesaid concepts, the Court has been receptive to the principles
in international law and international instruments. It is a recognition of the fact that certain

LA
human rights cannot be confined within the bounds of geographical location of a nation but have
universal application. In the process, the Court accepts the concept of universalisation of human

IM
rights, including the right to privacy as a human right and the good practices in developing and
understanding such rights in other countries have been welcomed. In this hue, it can also be
remarked that comparative law has played a very significant role in shaping the aforesaid
SH
judgment on privacy in Indian context, notwithstanding the fact that such comparative law has
only a persuasive value.

85. The whole process of reasoning contained in different opinions of the Hon'ble Judges would,
LU

thus, reflect that the argument that it is difficult to precisely define the common denominator of
privacy, was rejected. While doing so, the Court referred to various approaches in formulating
privacy See the analysis of this judgment by the Centre for Internet and Society, https://cis-
PN

india.org/internet-governance/blog/the-fundamental-right-to-privacy-an-analysis. An astute and

sagacious analysis of the judgment by the Centre for Internet and Society brings about the
following approaches which contributed to formulating the following right to privacy:
H

(a) Classifying privacy on the basis of 'harms', thereby adopting the approach conceptualised by
Daniel Solove. In his book, Understanding Privacy Daniel Solove, Understanding Privacy,
Cambridge, Massachusetts: Harvard University Press, 2008, Daniel Solove makes a case for
privacy being a family resemblance concept.

(b) Classifying privacy on the basis of 'interests': Gary Bostwick's taxonomy of privacy is among
the most prominent amongst the scholarship that sub-areas within the right to privacy protect
different 'interests' or 'justifications'. This taxonomy is adopted in Chelameswar, J.'s definition of
'privacy' and includes the three interests of privacy of repose, privacy of sanctuary and privacy of
intimate decision. Repose is the 'right to be let alone', sanctuary is the interest which prevents
others from knowing, seeing and hearing thus keeping information within the private zone, and
finally, privacy of intimate decision protects the freedom to act autonomously.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.592

(c) Classifying privacy as an 'aggregation of rights': This approach in classifying privacy as a
right, as highlighted above, is not limited to one particular provision in the Chapter of
Fundamental Rights under the Constitution but is associated with amalgam of different but
connected rights. In formulating this principle, the Court has referred to scholars like Roger
Clarke, Anita Allen etc. It has led to the recognition of private spaces or zones as protected under
the right to privacy (thereby extending the ambit and scope of spatial privacy), informational
privacy and decisional autonomy.

86. The important question that arises, which is directly involved in these cases, is:

What is the scope of the right to privacy and in what circumstances such a right can be limited?

87. Concededly, fundamental rights are not absolute. The Constitution itself permits State to
impose reasonable restrictions on these rights under certain circumstances. Thus, extent and

LA
scope of the right to privacy and how and when it can be limited by the State actions is also to be
discerned. As noted above, Nariman, J. has led the path by observing that "when it comes to
restrictions on this right, the drill of various Articles to which the right relates must be

IM
scrupulously followed". Therefore, examination has to be from the point of view of Articles 14,
19 and 21 for the reason that right to privacy is treated as having intimate connection to various
rights in Part III and is not merely related to Article 21. Looked from this angle, the action of the
SH
State will have to be tested on the touchstone of Article 14. This judgment clarifies that the
'classification' test adopted earlier has to be expanded and instead the law/action is to be tested
on the ground of 'manifest arbitrariness'. This aspect has already been discussed in detail under
LU

the caption 'Scope of Judicial Review' above. When it comes to examining the 'restrictions' as per
the provisions of Article 19 of the Constitution, the judgment proceeds to clarify that a law
which impacts dignity and liberty under Article 21, as well as having chilling effects on free
PN

speech which is protected by Article 19(1)(a), must satisfy the standards of judicial review under
both provisions. Therefore, such restriction must satisfy the test of judicial review under: (i) one
of the eight grounds mentioned under Article 19(2); and (ii) the restriction should be reasonable.
H

This Court has applied multiple standards to determine reasonableness, including proximity,
arbitrariness, and proportionality. Further, the reasonable restrictions must be in the interests of:
(i) the sovereignty and integrity of India, (ii) the security of the State, (iii) friendly relations with
foreign States, (iv) public order, (v) decency or morality or (vi) in relation to contempt of court,
(vii) defamation or (viii) incitement to an offence.

88. The judgment further lays down that in the context of Article 21, the test to be applied while
examining a particular provision is the 'just, fair and reasonable test' thereby bringing notion of
proportionality.

89. The petitioners have sought to build their case on the aforesaid parameters of privacy and
have submitted that this right of privacy, which is now recognised as a fundamental right, stands
violated by the very fabric contained in the scheme of Aadhaar. It is sought to be highlighted that

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.593

the data which is collected by the State, particularly with the authentication of each transaction
entered into by an individual, can be assimilated to construct a profile of such an individual and
it particularly violates informational privacy. No doubt, there can be reasonable restrictions on
this right, which is conceded by the petitioners. It is, however, argued that right to privacy cannot
be impinged without a just, fair and reasonable law. Therefore, in the first instance, any intrusion
into the privacy of a person has to be backed by a law. Further, such a law, to be valid, has to
pass the test of legitimate aim which it should serve and also proportionality i.e. proportionate to
the need for such interference. Not only this, the law in question must also provide procedural
guarantees against abuse of such interference.

90. At the same time, it can also be deduced from the reading of the aforesaid judgment that the
reasonable expectation of privacy may vary from the intimate zone to the private zone and from
the private zone to the public arena. Further, privacy is not lost or surrendered merely because
the individual is in a public place. For example, if a person was to post on Facebook vital

LA
information about himself, the same being in public domain, he would not be entitled to claim
privacy right. This aspect is highlighted by some of the Hon'ble Judges as under:

IM
Dr. D.Y. Chandrachud, J.:

"297. What, then, does privacy postulate? Privacy postulates the reservation of a private space
SH
for the individual, described as the right to be let alone. The concept is founded on the autonomy
of the individual. The ability of an individual to make choices lies at the core of the human
personality. The notion of privacy enables the individual to assert and control the human element
LU

which is inseparable from the personality of the individual. The inviolable nature of the human
personality is manifested in the ability to make decisions on matters intimate to human life. The
autonomy of the individual is associated over matters which can be kept private. These are
PN

concerns over which there is a legitimate expectation of privacy. The body and the mind are
inseparable elements of the human personality. The integrity of the body and the sanctity of the
mind can exist on the foundation that each individual possesses an inalienable ability and right to
H

preserve a private space in which the human personality can develop. Without the ability to make
choices, the inviolability of the personality would be in doubt. Recognising a zone of privacy is
but an acknowledgment that each individual must be entitled to chart and pursue the course of
development of personality. Hence privacy is a postulate of human dignity itself. Thoughts and
behavioural patterns which are intimate to an individual are entitled to a zone of privacy where
one is free of social expectations. In that zone of privacy, an individual is not judged by others.
Privacy enables each individual to take crucial decisions which find expression in the human
personality. It enables individuals to preserve their beliefs, thoughts, expressions, ideas,
ideologies, preferences and choices against societal demands of homogeneity. Privacy is an
intrinsic recognition of heterogeneity, of the right of the individual to be different and to stand
against the tide of conformity in creating a zone of solitude. Privacy protects the individual from
the searching glare of publicity in matters which are personal to his or her life. Privacy attaches
to the person and not to the place where it is associated. Privacy constitutes the foundation of all

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.594

liberty because it is in privacy that the individual can decide how liberty is best exercised.
Individual dignity and privacy are inextricably linked in a pattern woven out of a thread of
diversity into the fabric of a plural culture.

xx xx xx

299. Privacy represents the core of the human personality and recognises the ability of each
individual to make choices and to take decisions governing matters intimate and personal. Yet, it
is necessary to acknowledge that individuals live in communities and work in communities.
Their personalities affect and, in turn are shaped by their social environment. The individual is
not a hermit. The lives of individuals are as much a social phenomenon. In their interactions with
others, individuals are constantly engaged in behavioural patterns and in relationships impacting
on the rest of society. Equally, the life of the individual is being consistently shaped by cultural
and social values imbibed from living in the community. This state of flux which represents a

LA
constant evolution of individual personhood in the relationship with the rest of society provides
the rationale for reserving to the individual a zone of repose. The lives which individuals lead as
members of society engender a reasonable expectation of privacy. The notion of a reasonable

IM
expectation of privacy has elements both of a subjective and objective nature. Privacy at a
subjective level is a reflection of those areas where an individual desires to be left alone. On an
SH
objective plane, privacy is defined by those constitutional values which shape the content of the
protected zone where the individual ought to be left alone. The notion that there must exist a
reasonable expectation of privacy ensures that while on the one hand, the individual has a
protected zone of privacy, yet on the other, the exercise of individual choices is subject to the
LU

rights of others to lead orderly lives. For instance, an individual who possesses a plot of land
may decide to build upon it subject to zoning regulations. If the building bye-laws define the area
upon which construction can be raised or the height of the boundary wall around the property,
PN

the right to privacy of the individual is conditioned by regulations designed to protect the
interests of the community in planned spaces. Hence while the individual is entitled to a zone of
privacy, its extent is based not only on the subjective expectation of the individual but on an
H

objective principle which defines a reasonable expectation.

xx xx xx

307. The sphere of privacy stretches at one end to those intimate matters to which a reasonable
expectation of privacy may attach. It expresses a right to be left alone. A broader connotation
which has emerged in academic literature of a comparatively recent origin is related to the
protection of one's identity. Data protection relates closely with the latter sphere. Data such as
medical information would be a category to which a reasonable expectation of privacy attaches.
There may be other data which falls outside the reasonable expectation paradigm. Apart from
safeguarding privacy, data protection regimes seek to protect the autonomy of the individual.
This is evident from the emphasis in the European data protection regime on the centrality of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.595

consent. Related to the issue of consent is the requirement of transparency which requires a
disclosure by the data recipient of information pertaining to data transfer and use."

S.A. Bobde, J:

"421. Shri Rakesh Dwivedi, appearing for the State of Gujarat, while referring to several
judgments of the Supreme Court of the United States, submitted that only those privacy claims
which involve a "reasonable expectation of privacy" be recognised as protected by the
fundamental right. It is not necessary for the purpose of this case to deal with the particular
instances of privacy claims which are to be recognised as implicating a fundamental right.
Indeed, it would be premature to do so. The scope and ambit of a constitutional protection of
privacy can only be revealed to us on a case-by-case basis."

91. Though Nariman, J. did not subscribe to the aforesaid view in totality, however, His Lordship

LA
has also given an example that if a person has to post on Facebook vital information, the same
being in public domain, she would not be entitled to the claim of privacy right.

IM
92. We would also like to reproduce following discussion, in the opinion authored by Nariman,
J., giving the guidance as to how a law has to be tested when it is challenged on the ground that it
violates the fundamental right to privacy:
SH
"...Statutory provisions that deal with aspects of privacy would continue to be tested on the
ground that they would violate the fundamental right to privacy, and would not be struck down,
if it is found on a balancing test that the social or public interest and the reasonableness of the
LU

restrictions would outweigh the particular aspect of privacy claimed. If this is so, then statutes
which would enable the State to contractually obtain information about persons would pass
muster in given circumstances, provided they safeguard the individual right to privacy as well. A
PN

simple example would suffice. If a person was to paste on Facebook vital information about
himself/herself, such information, being in the public domain, could not possibly be claimed as a
privacy right after such disclosure. But, in pursuance of a statutory requirement, if certain details
H

need to be given for the statutory purpose concerned, then such details would certainly affect the
right to privacy, but would on a balance, pass muster as the State action concerned has sufficient
inbuilt safeguards to protect this right-viz. the fact that such information cannot be disseminated
to anyone else, save on compelling grounds of public interest."

130. It was submitted that Aadhaar project creates the architecture of a 'cradle to grave'
surveillance state and society. This means that it enables the State to profile citizens, track their
movements, assess their habits and silently influence their behaviour throughout their lives. Over
time, the profiling enables the State to stifle dissent and influence political decision making. The
architecture of the project comprises a Central Identities Data Repository which stores and
maintains authentication transaction data. The authentication record comprises the time of
authentication and the identity of the requesting entity. The UIDAI and the Authentication
Service Agency (ASA) is permitted to store this authentication record for 2 + 5 years (as per

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.596

Regulations 20 and 26/27 of the Authentication Regulations). Based on this architecture it is
possible for the State to track down the location of the person seeking authentication. Since the
requesting entity is also identified, the activity that the citizen is engaging in is also known.
(Sections 2(d), 2(h), 8, 10, 32 of the Act read with Regulations 18, 20, 26 of the Aadhaar
(Authentication) Regulation, 2016).

131. According to the petitioners, the Authority has the following information (according to the
document on technical specification of Aadhaar registered devices published by the Authority in
February 2017) - Aadhaar number, name of Aadhaar holder, whether authentication failed or was
successful, reason for such failure, requesting entities' Internet Protocol (IP) address, date and
time of authentication, device ID and its unique ID of authentication device which can be used to
locate the individual.

132. Authentication of Aadhaar number enables tracking, tagging and profiling of individuals as

LA
the IP Address of the authentication device gives an idea of its geographical location
(determinable within the range of 2 kilometres), country, city, region, pin code/zip code). Mr.
Divan submits that an individual is on an electronic leash, tethered to a central data repository

IM
that has the architecture to track all activities of an individual. The Aadhaar Act creates a
database of all Indian residents and citizens with their core biometric information, demographic
SH
information and meta data. In light of the enormous potential of information, concentration of
information in a single entity, i.e., the Authority, enabling easier access to aggregated
information puts the State in a position to wield enormous power. Given that with advancements
in technology, such information can affect every aspect of an individual's personal, professional,
LU

religious and social life, such power is a threat to individual freedoms guaranteed under Articles
19(1)(a) to 19(1)(g) of the Constitution and other fundamental rights guaranteed under Article 21
(Right to informational privacy) and Article 25 of the Constitution. It was submitted that the
PN

Aadhaar Act treats the entire populace of the country as potential criminals ignoring the
necessity to balance the State's mandate of protection against crime with the right to personal
bodily integrity which is envisaged under Article 21 read with Article 20(3) of the Constitution.
H

It does not require the collection of data to have a nexus with a crime. Mr. Sibal submits that in
the decision in Selvi & Ors. v. State of Karnataka (2010) 7 SCC 263 2010 Indlaw SC 340, this
Court has held:

"The theory of interrelationship of rights mandates that the right against self-incrimination
should also be read as a component of "personal liberty" under Article 21. Hence, our
understanding of the "right to privacy" should account for its intersection with Article 20(3)"

133. It is argued that the Aadhaar Act, therefore, violates the right to protection from self-
incrimination, and the right to privacy and personal dignity/bodily integrity under Article 20(3)
and Article 21.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.597

134. It was argued that the Constitution of India repudiates mass surveillance as enabled by
Aadhaar and the project ought to be struck down on this ground alone. There is no question of
balancing or justification in case of surveillance architecture.

150. It is clear that the argument of the petitioners is that on the basis of the data available with
the Authority, there can be a profiling of an individual which may make the surveillance state.
And such a mass surveillance is not permitted by the Constitution of India. The entire foofaraw
about the Aadhaar architecture is the so-called enormous information that would be available to
the Government on using Aadhaar card by residents. Two issues arise from the respective
arguments of the parties:

(a) whether the architecture of the Aadhaar project enables the Sate to create a regime of
surveillance?; and

LA
(b) whether there are adequate provisions for data protection?

151. Insofar as issue (a) above is concerned, after going through the various aspects of the

IM
Aadhaar project, the provisions of the Aadhaar Act and the manner in which it operates, it is
difficult to accept the argument of the petitioners. The respondents have explained that the
enrolment and authentication processes are strongly regulated so that data is secure. The
SH
enrolment agency, which collects the biometric and demographic of the individuals during
enrolment, is appointed either by UIDAI or by a Registrar [Section 2(s)]. The Registrars are
appointed through MoUs or agreements for enrolment and are to abide by a code of conduct and
processes, policies and guidelines issued by the Authority. They are responsible for the process
LU

of enrolment. Categories of persons eligible for appointment are limited by the Regulations. The
agency employs a certified supervisor, an operator and a verifier under Enrolment and Update
Regulations. Registrars and the enrolling agencies are obliged to use the software provided or
PN

authorized by UIDAI for enrolment purpose. The standard software has security features as
specified by the Authority. All equipment used is as per the specification issued by the
Authority. The Registrars are prohibited from using the information collected for any purpose
H

other than uploading the information to CIDR. Sub-contracting of enrolment function is not
allowed. The Code of Conduct contains specific directions for following the confidentiality,
privacy and security protocols and submission of periodic reports of enrolment. Not only there
are directions prohibiting manipulation and fraudulent practices but the Act contains penal
provisions for such violations in Chapter VII of the Regulations. The enrolment agencies are
empanelled by the Authority. They are given an enrolling agency code using which the Registrar
can onboard such agency to the CIDR. The enrolment data is uploaded to the Central Identities
Data Repository (CIDR) certified equipment and software with a digital signature of the
Registrar/enrolling agency. The data is encrypted immediately upon capture. The decryption key
is with the UIDAI solely. Section 2(ze) of the Information Technology Act, 2000 (hereinafter
referred to as the 'IT Act') which defines 'secure systems' and Section 2(w) of the Act, which
defines 'intermediaries' apply to the process. Authentication only becomes available through the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.598

Authentication Service Agency (ASA). They are regulated by the Aadhaar (Authentication)
Regulations, 2016. Their role and responsibilities are provided by Regulation 19 of the
Authentication Regulations. They are to use certified devices. The equipment or software has to
be duly registered with or approved or certified by the Authority/agency. The systems and
operations are audited by information system auditor. The requesting entities pass the encrypted
data to the CIDR through the ASA and the response (Yes/No authentication or e-KYC
information) also takes the same route back. The server of the ASA has to perform basic
compliance and completeness checks on the authentication data packet before forwarding it to
the CIDR. The Act prohibits sharing and disclosure of core biometric data under Section 8 and
29. Other identity information is shared with requesting entity (AUAs and KUAs) only for the
limited purpose of authentication. The data is transferred from the requesting entity to the ASA
to the CIDR in an encrypted manner through a leased line circuitry using secure Protocols
(Regulation 9 of the Authentication Regulations). The storage of data templates is in safely

LA
located servers with no public internet inlet/outlet, and offline storage of original encrypted data
(PID blocks). There are safety and security provisions such as audit by Information Systems
Auditor. Requesting entities are appointed through agreement. They can enter into agreement

IM
with sub-AUA or sub-KUA with permission of the UIDAI. Whatever identity information is
obtained by the requesting entity is based on a specific consent of the Aadhaar number holder.
SH
The e-KYC data shared with the requesting entity can only be after prior consent of the Aadhaar
holder. Such data cannot be shared and has to be stored in encrypted form. The biometric
information used is not permitted to be stored. Only the logs of authentication transactions are
maintained for a short period. Full identity information is never transmitted back to the
LU

requesting entity. There is a statutory bar from sharing biometric information (Section
29(1)(a)/Section 29(4)). Data centres of ASA, requesting entities and CIDR should be within the
territory of India. There are various other provisions for monitoring, auditing, inspection, limits
PN

on data sharing, data protection, punishments etc., grievance redressal mechanism, suspension
and termination of services, etc. so that all actions the entities involved in the process are
regulated. Regulation 3(i) & (j) of Aadhaar (Data Security) Regulation, 2016 enables partitioning
H

of CIDR network into zones based on risk and trust and other security measures. CIDR being a
computer resource is notified to be a "Protected System" under Section 70 of the IT Act by the
Central Government on December 11, 2015. Anyone trying to unlawfully gain access into this
system is liable to be punished with 10 years imprisonment and fine. The storage involves end to
end encryption, logical partitioning, firewalling and anonymisation of decrypted biometric data.
Breaches of penalty are made punitive by Chapter VII of the Act. Biometric information is
deemed to be an "electronic record", and "Sensitive personal data or information" under the IT
Act. There are further guards under the Aadhaar (Data Security) Regulations, 2016.

152. That apart, we have recorded in detail the powerpoint presentation that was given by Dr.
Ajay Bhushan Pandey, CEO of the Authority, which brings out the following salient features:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.599

(a) During the enrolment process, minimal biometric data in the form of iris and fingerprints is
collected. The Authority does not collect purpose, location or details of transaction. Thus, it is
purpose blind. The information collected, as aforesaid, remains in silos. Merging of silos is
prohibited. The requesting agency is provided answer only in 'Yes' or 'No' about the
authentication of the person concerned. The authentication process is not exposed to the Internet
world. Security measures, as per the provisions of Section 29(3) read with Section 38(g) as well
as Regulation 17(1)(d) of the Authentication Regulations are strictly followed and adhered to.

(b) There are sufficient authentication security measures taken as well, as demonstrated in Slides
14, 28 and 29 of the presentation.

(c) The Authority has sufficient defence mechanism, as explained in Slide 30. It has even taken
appropriate protection measures as demonstrated in Slide 31.

LA
(d) There is an oversight by Technology and Architecture Review Board (TARB) and Security
Review Committee.

IM
(e) During authentication no information about the nature of transaction etc. is obtained.

(f) The Authority has mandated use of Registered Devices (RD) for all authentication requests.
SH
With these, biometric data is signed within the device/RD service using the provider key to
ensure it is indeed captured live. The device provider RD service encrypts the PID block before
returning to the host application. This RD service encapsulates the biometric capture, signing and
encryption of biometrics all within it. Therefore, introduction of RD in Aadhaar authentication
LU

system rules out any possibility of use of stored biometric and replay of biometrics captured
from other source. Requesting entities are not legally allowed to store biometrics captured for
Aadhaar authentication under Regulation 17(1)(a) of the Authentication Regulations.
PN

(g) The Authority gets the AUA code, ASA code, unique device code, registered device code
used for authentication. It does not get any information related to the IP address or the GPS
H

location from where authentication is performed as these parameters are not part of
authentication (v2.0) and e-KYC (v2.1) API. The Authority would only know from which device
the authentication has happened, through which AUA/ASA etc. It does not receive any
information about at what location the authentication device is deployed, its IP address and its
operator and the purpose of authentication. Further, the authority or any entity under its control is
statutorily barred from collecting, keeping or maintaining any information about the purpose of
authentication under Section 32(3) of the Aadhaar Act.

153. After going through the Aadhaar structure, as demonstrated by the respondents in the
powerpoint presentation from the provisions of the Aadhaar Act and the machinery which the
Authority has created for data protection, we are of the view that it is very difficult to create
profile of a person simply on the basis of biometric and demographic information stored in
CIDR. Insofar as authentication is concerned, the respondents rightly pointed out that there are

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.600

sufficient safeguard mechanisms. To recapitulate, it was specifically submitted that there were
security technologies in place (slide 28 of Dr. Pandey's presentation), 24/7 security monitoring,
data leak prevention, vulnerability management programme and independent audits (slide 29) as
well as the Authority's defence mechanism (slide 30). It was further pointed out that the
Authority has taken appropriate pro-active protection measures, which included disaster recovery
plan, data backup and availability and media response plan (slide 31). The respondents also
pointed out that all security principles are followed inasmuch as: (a) there is PKI-2048
encryption from the time of capture, meaning thereby, as soon as data is given at the time of
enrolment, there is an end to end encryption thereof and it is transmitted to the Authority in
encrypted form. The said encryption is almost foolproof and it is virtually impossible to decipher
the same; (b) adoption of best-in-class security standards and practices; and (c) strong audit and
traceability as well as fraud detection. Above all, there is an oversight of Technology and
Architecture Review Board (TARB) and Security Review Committee. This Board and

LA
Committee consist of very high profiled officers. Therefore, the Act has endeavoured to provide
safeguards. We may also take on record responsible statements of the learned Attorney General
and Mr. Dwivedi who appeared for UIDAI that no State would be interested in any mass

IM
surveillance of 1.2 Billion people of the country or even the overwhelming majority of officers
and employees or professionals. The very idea of mass surveillance by State which pursues what
SH
an ANH does all the time and based on Aadhaar is an absurdity and an impossibility. According
to them, the petitioners submission is based on too many imaginary possibilities, viz.:

(i) Aadhaar makes it possible for the State to obtain identity information of all ANH. It is
possible that UIDAI would share identity information/authentication records in CIDR
LU

notwithstanding statutory prohibition and punitive injunctions in the Act. It is possible that the
State would unleash its investigators to surveil a sizeable section of the ANH, if not all based on
PN

the authentication records. It is submitted that given the architecture of the Aadhaar Act, there
are no such possibilities and in any event, submission based on imaginary possibility do not
provide any basis for questioning the validity of Aadhaar Act. (ii) None of the writ petitions set
forth specific facts and even allegations that any Aadhaar number holder is being subjected to
H

surveillance by UIDAI or the Union/States. The emphasis during the argument was only on the
possibility of surveillance based on electronic track trails and authentication records. It was
asserted that there are tools in the market for track back. The entire case was speculative and
conjectural. In Clapper, Director of National Intelligence v. Amnesty International USA, the
majority judgment did not approve the submissions in the context of Foreign Intelligence
Surveillance Act and one of the reason was that the allegations were conjectural and speculative.
There were no facts pleaded on the basis of which the asserted threat could be fairly traced to.
However, we have not deliberated on this argument.

154. Issue (b) relates to data protection. According to the petitioners there is no data protection
and there is a likelihood of misuse of data/personal information of the individuals.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.601

155. The question to be determined is whether the safeguards provided for the protection of
personal biometric data in the Aadhaar Act and Rules are sufficient. The crucial tasks that the
Court needs to undertake are - (i) to discuss the significance of data in the world of technology
and its impact; (ii) to determine the magnitude of protection that should be accorded to
collection, storage and use of sensitive biometric data, so that they can qualify as proportionate;
and (iii) to determine whether the Aadhaar Act and Rules provide such data protection, thereby
obviating any possibility of surveillance.

(i) Significance of Data:

156. Alvin Toffler in his illuminating article titled 'What will our future be like?' has presented
mind boggling ideas. Toffler traces the transition - from agriculture society to industry society to
knowledge based society. If we go back to the beginnings of time, agriculture was the prime
source and the entire mankind was based on agriculture. 350 years later with the invention of

LA
steam engines came the industrialized age and now what we are living through is the third
gigantic wave, which is way more powerful than industrialized age. An age that is based on
knowledge. Toffler emphasises that in today's society the only thing that leads to creation of

IM
wealth is knowledge. Unlike the past wherein economics was described as the science of the
allocation of scarce resources, today we are primarily dependent on knowledge and that is not a
SH
scarce resource. Times are changing, we can no longer trust the straight line projection. His view
is that we are going from a society which is more and more uniform to a highly de-massified
society. Knowledge is power. We are in the era of information. Probably what Toffler is hinting
is that access to this vast reservoir of information is available in digital world. Information is
LU

available online, at the touch of a button. With this, however, we usher into the regime of data.

157. In a recent speech by Mr. Benjamin Netanyahu, Prime Minister of Israel, while talking
PN

about innovation and entrepreneurship, he brought out an interesting phenomenon in the world of
free market principles, i.e. in the era of globalisation, in the following words:

"Look at the ten leading companies in 2006, five energy companies, one IT company Microsoft
H

and a mere ten years later, in 2016, a blink of an eye, in historical terms, its completely reversed,
five IT companies one energy company left. The true wealth is in innovation - you know these
companies - Apple, Google, Microsoft, Amazon, Facebook."

158. He adds by making a significant statement as the reason behind this change:

"...there is a reason something is going on, it's a great change - you want to hear a jargan - it's a
one sentence, this is a terrible sentence, but I have no other way to say, it's a confluence of big
data, connectivity and artificial intelligence. Ok, you get that? You know what that does - it
revolutionises old industries and it creates entirely new industries, so here is an old industry that
Israel was always great in - Agriculture. We are always good in agriculture but now we have
precision agriculture. You know what that is? See that drone in the sky is connected to a big
database and there is sensor at the field and in the field there is drip irrigation and drip

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.602

fertilization and now we can target with this technology the water that we give, the fertilizer that
we give down to the individual plant that needs it. That's precision agriculture, that's Israel.
Unbelievable."

159. This brings us to the world of data - big data. It has its own advantages of tremendous
nature. It is making life of people easier. People can connect with each other even when they are
located at places far away from each other. Not only they can converse with each other but can
even see each other while talking. There is a wealth of information available on different
networks to which they can easily access and satisfy their quest for knowledge within seconds by
getting an answer. People can move from one place to the other with the aid of Global
Positioning System (GPS). They can hear music and watch movies on their handy gadgets,
including smart cellphones. We are in the age of digital economy which has enabled multiple
avenues for a common man. Internet access is becoming cheaper by the day, which can be
accessed not only through the medium of desktop computers or laptops and even other handy

LA
gadgets like smart phones. Electronic transactions like online shopping, bill payments,
movie/train/air ticket bookings, funds transfer, e-wallet payments, online banking and online

IM
insurance etc. are happening with extreme ease at the touch of a finger. Such tasks can be
undertaken sitting in drawing rooms. Even while travelling from one place to the other in their
car, they can indulge in all the aforesaid activities. In that sense, technology has made their life
SH
so easy.

160. However, there is another side to do as well, like any coin which has two sides. The use of
such technologies is at the cost of giving away personal information, which is in the realm of
LU

privacy. In order to connect with such technologies and avail their benefits, the users are parting
with their biometric information like fingerprints and iris as well as demographic information
like their names, parentage, family members, their age, even personal information like their sex,
PN

blood group or even the ailments they are suffering from. Not only this, use of aforesaid facilities
on net or any portal like Apple, Google, Facebook etc. involves tracking their movements,
including the nature of activities, like the kind of shopping, the places from where shopping is
H

done, the actual money spent thereon, the nature of movies watched etc. All this data is there
with the companies in respect of its users which may even turn into metadata. In fact, cases after
cases are reported where such data of users is parted with various purposes. Interestingly, for
using such facilities, people knowingly and willingly, are ready to part with their vital personal
information. Every transaction on a digital platform is linked with some form of sensitive
personal information. It can be an individual's user name, password, account number, PAN
number, biometric details, e-mail ID, debit/credit card number, CVV number and transaction
OTP etc.

161. These have raised concerns about the privacy and protection of data, which has become a
matter of great concern. Problem is not limited to data localisation but has become extra-
territorial. There are issues of cross-border transfers of personal data, regulation whereof is again
a big challenge with which various opinions are grappling. There are even talks of convergence

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.603

of regulatory regime in this behalf so that uniform approach is adopted in providing a legal
ecosystem to regulate cross-border data transfer. Asian Business Law Institute (ABLI), in
collaboration with Singapore Academy of Law (SAL) has, after undertaking in-depth study,
compiled 14 country reports in their respective jurisdictions on the regulation of cross-border
data transfer and data localisation in Asia.

162. In the aforesaid scenario, interesting issue is posed by the respondents, viz., when so much
personal information about people is already available in public domain, how can there be an
expectancy of data privacy. That aspect is dealt with while discussing the issue of privacy. Here,
we are concerned with data protection under Aadhaar that is available with the State. As pointed
out above, even in respect of private players, the data protection has become a matter of serious
concern. When it comes to the State or the instrumentality of the State, the matter has to be taken
with all seriousness, on the touchstone of constitutionalism and the concept of limited
Government.

LA
(ii) Law on Data Protection:

IM
163. In order to determine this aspect, i.e. the nature and magnitude of data protection that is
required to enable legal collection and use of biometric data, reliance can be placed on - (a)
various existing legislations - both in India and across the world; and (b) case law including the
SH
judgment in K.S. Puttaswamy.

(a) Legislation in India:

LU

(i) Information Technology Act, 2000

The only existing legislation covering data protection related to biometric information are
PN

Section 43A and Section 72A of the IT Act and the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
(hereinafter "Sensitive Personal Data Rules"). Although the IT Act and Rules do not determine
H

the constitutionality of use of biometric data and information by the Aadhaar Act and Rules, they
are instructive in determining the safeguards that must be taken to collect biometric information
A challenge to the Aadhaar project for violation of IT Act and Rules has been filed in the Delhi
High Court in the matter of Shamnad Basheer v UIDAI and Ors. Therefore, we are not dealing
with this aspect, nor does it arise for consideration in these proceedings.

164. Following are the provisions which cover biometric information under the IT Act:

Section 43A of the IT Act attaches liability to a body corporate, which is possessing, handling
and dealing with any 'sensitive personal information or data' and is negligent in implementing
and maintaining reasonable security practices resulting in wrongful loss or wrongful gain to any
person. 'Sensitive personal information or data' is defined under Rule 3 of the Sensitive Personal
Data Rules to include information relating to biometric data. Section 43A reads as follows:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.604

"43A.Compensation for failure to protect data. -Where a body corporate, possessing, dealing or
handling any sensitive personal data or information in a computer resource which it owns,
controls or operates, is negligent in implementing and maintaining reasonable security practices
and procedures and thereby causes wrongful loss or wrongful gain to any person, such body
corporate shall be liable to pay damages by way of compensation to the person so affected.

Explanation. -For the purposes of this section,-

(i) "body corporate" means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional activities;

(ii) "reasonable security practices and procedures" means security practices and procedures
designed to protect such information from unauthorised access, damage, use, modification,
disclosure or impairment, as may be specified in an agreement between the parties or as may be

LA
specified in any law for the time being in force and in the absence of such agreement or any law,
such reasonable security practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it may deem fit;

IM
(iii) "sensitive personal data or information" means such personal information as may be
prescribed by the Central Government in consultation with such professional bodies or
SH
associations as it may deem fit.]"

165. Similarly, Section 72A of the IT Act makes intentional disclosure of 'personal information'
obtained under a contract, without consent of the parties concerned and in breach of a lawful
LU

contract, punishable with imprisonment and fine. Rule 2(i) of the Sensitive Personal Data Rules
define "personal information" to mean any information that relates to a natural person, which,
either directly or indirectly, in combination with other information available or likely to be
PN

available with a body corporate, is capable of identifying such person. Thus, biometrics will
form a part of "personal information". The Section reads as under-
H

"72A. Punishment for disclosure of information in breach of lawful contract - Save as otherwise
provided in this Act or any other law for the time being in force, any person including an
intermediary who, while providing services under the terms of lawful contract, has secured
access to any material containing personal information about another person, with the intent to
cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the
consent of the person concerned, or in breach of a lawful contract, such material to any other
person, shall be punished with imprisonment for a term which may extend to three years, or with
fine which may extend to five lakh rupees, or with both."

166. The Sensitive Personal Data Rules provide for additional requirements on commercial and
business entities (body corporates as defined under Section 43A of the IT Act) relating to the
collection and disclosure of sensitive personal data (including biometric information). The

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.605

crucial requirements, which are indicative of the principles for data protection that India adheres
to, inter alia include:

(i) The body corporate or any person who on behalf of body corporate collects, receives,
possesses, stores, deals or handle information of provider of information, shall provide a privacy
policy for handling of or dealing in personal information including sensitive personal data or
information and ensure that the same are available for view.

(ii) Body corporate or any person on its behalf shall obtain consent in writing from the provider
of the sensitive personal data or information regarding purpose of usage before collection of such
information.

(iii) Body corporate or any person on its behalf shall not collect sensitive personal data or
information unless - (a) the information is collected for a lawful purpose connected with a

LA
function or activity of the body corporate or any person on its behalf; and (b) the collection of the
sensitive personal data or information is considered necessary for that purpose

IM
(iv) The person concerned has the knowledge of - (a) the fact that the information is being
collected; (b) the purpose for which the information is being collected; (c) the intended recipients
of the information; and (d) name and address of the agency collecting and retaining the
SH
information.

(v) Body corporate or any person on its behalf holding sensitive personal data or information
shall not retain that information for longer than is required for the purposes for which the
LU

information may lawfully be used or is otherwise required under any other law for the time being
in force.
PN

(vi) Information collected shall be used for the purpose for which it has been collected.

(vii) Body corporate or any person on its behalf shall, prior to the collection of information,
including sensitive personal data or information, provide an option to the provider of the
H

information to not to provide the data or information sought to be collected.

(viii) Body corporate shall address any discrepancies and grievances of their provider of the
information with respect to processing of information in a time bound manner.

(ix) Disclosure of sensitive personal data or information by body corporate to any third party
shall require prior permission from the provider of such information, who has provided such
information under lawful contract or otherwise, unless such disclosure has been agreed to in the
contract between the body corporate and provider of information, or where the disclosure is
necessary for compliance of a legal obligation.

(x) A body corporate or a person on its behalf shall comply with reasonable security practices
and procedure i.e. implement such security practices and standards and have a comprehensive

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.606

documented information security programme and information security policies that contain
managerial, technical, operational and physical security control measures that are commensurate
with the information assets being protected with the nature of business. In the event of an
information security breach, the body corporate or a person on its behalf shall be required to
demonstrate, as and when called upon to do so by the agency mandated under the law, that they
have implemented security control measures as per their documented information security
programme and information security policies.

The above substantive and procedural safeguards are required for legal collection, storage and
use of biometric information under the IT Act. They indicate the rigour with which such
processes need to be carried out.

Position in other countries:

LA
(a) EUGDPR (European Union General Data Protection Regulation) Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data,

IM
and repealing Directive 95/46/EC (General Data Protection Regulation)

EUGDPR which was enacted by the EU in 2016 came into force on May 25, 2018 replacing the
SH
Data Protection Directive of 1995. It is an exhaustive and comprehensive legal framework that is
aimed at protection of natural persons from the processing of personal data and their right to
informational privacy. It deals with all kinds of processing of personal data while delineating
rights of data subjects and obligations of data processors in detail. The following fundamental
LU

principles of data collection, processing, storage and use reflect the proportionality principle
underpinning the EUGDPR -
PN

(i) the personal data shall be processed lawfully, fairly, and in a transparent manner in relation to
the data subject (principle of lawfulness, fairness, and transparency);
H

(ii) the personal data must be collected for specified, explicit, and legitimate purposes (principle
of purpose limitation);

(iii) processing must also be adequate, relevant, and limited to what is necessary (principle of
data minimization) as well as accurate and, where necessary, kept up to date (principle of
accuracy);

(iv) data is to be kept in a form that permits identification of data subjects for no longer than is
necessary for the purposes for which the personal data are processed (principle of storage
limitation);

(v) data processing must be secure (principle of integrity and confidentiality); and

(vi) data controller is to be held responsible (principle of accountability).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.607

167. The EUGDPR under Article 9 prohibits the collection of biometric data unless except in
few circumstances which include (but are not limited to) -

(a) there is an explicit consent by the party whose data is being collected. The consent should be
freely given, which is clearly distinguishable in an intelligible and easily accessible form, using
clear and plain language. This consent can be withdrawn at any time without affecting the
actions prior to the withdrawal;

(b) processing is necessary for the purposes of carrying out the obligations and exercising
specific rights of the controller or of the data subject in the field of employment and social
security and social protection law;

(c) processing relates to personal data which is manifestly made public by the data subject; and

(d) processing is necessary for reasons of substantial public interest, and it shall be proportionate

LA
to the aim pursued, respect the essence of the right to data protection and provide for suitable and
specific measures to safeguard the fundamental rights and the interests of the data subject.

IM
168. The Regulation also institutes rights of the data subject (the person whose data is collected),
subject to exceptions, which include the data subject's right of access to information about the
SH
purpose of collection of data, details of data controller and subsequent use and transfer of data,
the data subject's right to rectification of data, right to erasure or right to be forgotten, the data
subject's right to restriction of processing, the right to be informed, the right to data portability
and the data subject's right to object to illegitimate use of data.
LU

(b) Biometric Privacy Act in the United States of America

169. Some States in the United States of America have laws regulating collection and use of
PN

biometric information. Illinois has passed Biometric Information Privacy Act (740 ILCS 14/1 or
BIPA) in 2008. Texas has also codified the law for capture of use of biometric identifier (Tex.
Bus. & Com. Code Ann. (Section) 503.001) in 2009. The Governor of the Washington State
H

signed into law House Bill 1493 ("H.B. 1493") on May 16, 2017, which sets forth requirements
for businesses who collect and use biometric identifiers for commercial purposes. BIPA, Illinois,
for example makes it unlawful for private entities to collect, store, or use biometric information,
such as retina/iris scans, voice scans, face scans, or fingerprints, without first obtaining
individual consent for such activities. BIPA also requires that covered entities take specific
precautions to secure the information.

(b) Case Laws:

170. In K.S. Puttaswamy's judgment, all the Judges highlighted the importance of informational
privacy in the age of easy access, transfer, storage and mining of data. The means of aggregation
and analysis of data of individuals through various tools are explained. Chandrachud, J. observed
that with the increasing ubiquity of electronic devices, information can be accessed, stored and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.608

disseminated without notice to the individual. Metadata and data mining make the individual's
personal information subject to private companies and the state. In this background, His
Lordship discusses the necessity of a data protection regime for safeguarding privacy and
protecting the autonomy of the individual. The following observations in the conclusion of the
judgment are worth quoting:

"328. Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of
information can originate not only from the state but from non-state actors as well. We commend
to the Union Government the need to examine and put into place a robust regime for data
protection. The creation of such a regime requires a careful and sensitive balance between
individual interests and legitimate concerns of the state. The legitimate aims of the state would
include for instance protecting national security, preventing and investigating crime, encouraging
innovation and the spread of knowledge, and preventing the dissipation of social welfare
benefits. These are matters of policy to be considered by the Union government while designing

LA
a carefully structured regime for the protection of the data. Since the Union government has
informed the Court that it has constituted a Committee chaired by Hon'ble Shri Justice B N

IM
Srikrishna, former Judge of this Court, for that purpose, the matter shall be dealt with
appropriately by the Union government having due regard to what has been set out in this
judgment."
SH
171. S.K. Kaul, J. cited the European Union General Data Protection Regulations Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of
LU

such data, and repealing Directive 95/46/EC (General Data Protection Regulation) to highlight
the importance of data protection and the circumstances in which restrictions on the right to
privacy may be justifiable subject to the principle of proportionality. These include balance
PN

against other fundamental rights, legitimate national security interest, public interest including
scientific or historical research purposes or statistical purposes, criminal offences, tax purposes,
etc.
H

172. There are numerous case laws - both American and European - presented by the petitioners
and the respondents with respect to the collection, storage and use of biometric data which have
been taken note of above. They are illustrative of the method and safeguards required to satisfy
the proportionality principle while dealing with biometric data. The first set of cases cited by the
petitioners are cases from European Human Rights Courts.

173. The European Human Rights legislations have both explicitly and through case laws
recognized the right to informational privacy and data protection. The EU Charter of
Fundamental Rights states in Article 7 that 'everyone has the right to respect for his or her private
and family life, home and communications' and in Article 8 it grants a fundamental right to
protection of personal data. The first article of the EU Charter affirms the right to respect and
protection of human dignity. The ECHR also recognises the right to respect for private and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.609

family life, home and his correspondence which have been read to include protection of right to
control over personal biometric information.

174. As pointed out above as well, a prominent case which addresses the question of storage of
biometric data, i.e. whether storage and retention of DNA samples and fingerprints violates
Article 8 of the ECHR, is S and Marper S and Marper v. United Kingdom [2008] ECHR 1581. In
this case, the storing of DNA profiles and cellular samples of any person arrested in the United
Kingdom was challenged before the ECtHR. Even if the individual was never charged or if
criminal proceedings were discontinued or if the person was later acquitted of any crime, their
DNA profile could nevertheless be kept permanently on record without their consent.

175. In a unanimous verdict, the seventeen-judge bench held that there had been a violation of
Article 8 of the ECHR. Fingerprints, DNA profiles and cellular samples, constituted personal
data and their retention was capable of affecting private life of an individual. The retention of

LA
such data without consent, thus, constitutes violation of Article 8 as they relate to identified and
identifiable individuals. It held that:

IM
"84. ...fingerprints objectively contain unique information about the individual concerned
allowing his or her identification with precision in a wide range of circumstances. They are thus
capable of affecting his or her private life and retention of this information without the consent of
SH
the individual concerned cannot be regarded as neutral or insignificant."

176. It articulated the proportionality principle in the following words:

LU

"101. An interference will be considered "necessary in a democratic society" for a legitimate aim
if it answers a "pressing social need" and, in particular, if it is proportionate to the legitimate aim
pursued and if the reasons adduced by the national authorities to justify it are "relevant and
PN

sufficient

xx xx xx
H

The protection of personal data is of fundamental importance to a person's enjoyment of his or

her right to respect for private and family life, as guaranteed by Article 8 of the Convention. The
domestic law must afford appropriate safeguards to prevent any such use of personal data as may
be inconsistent with the guarantees of this Article. The need for such safeguards is all the greater
where the protection of personal data undergoing automatic processing is concerned, not least
when such data are used for police purposes. The domestic law should notably ensure that such
data are relevant and not excessive in relation to the purposes for which they are stored; and
preserved in a form which permits identification of the data subjects for no longer than is
required for the purpose for which those data are stored ... The domestic law must also afford
adequate guarantees that retained personal data was efficiently protected from misuse and
abuse."

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.610

177. The issue in the case according to the Court was whether the retention of the fingerprints
and DNA data of the applicants, as persons who had been suspected but not convicted of certain
criminal offences, was justified under Article 8 of the Convention.

178. The Court held that such invasion of privacy was not proportionate as it was not "necessary
in a democratic society" as it did not fulfill any pressing social need. The blanket and
indiscriminate nature of retention of data was excessive and did not strike a balance between
private and public interest. It held:

"125. the blanket and indiscriminate nature of the powers of retention of the fingerprints, cellular
samples and DNA profiles of persons suspected but not convicted of offences, as applied in the
case of the present applicants, fails to strike a fair balance between the competing public and
private interests and that the respondent State has overstepped any acceptable margin of
appreciation in this regard. Accordingly, the retention at issue constitutes a disproportionate

LA
interference with the applicants' right to respect for private life and cannot be regarded as
necessary in a democratic society. This conclusion obviates the need for the Court to consider the
applicants' criticism regarding the adequacy of certain particular safeguards, such as too broad an

IM
access to the personal data concerned and insufficient protection against the misuse or abuse of
such data."
SH
179. The two crucial aspects of the case that need to be kept in mind are - First, in that case, the
fingerprints were collected for criminal purposes and without the consent of the individual to
whom the fingerprints belonged. Second, the fingerprints were to be stored indefinitely without
LU

the consent of the individual and that the individual did not have an option to seek deletion.
These aspects were vital for the Court to decide that the retention violated the citizen's right to
privacy.
PN

180. Similarly, in the Digital Ireland case Digital Rights Ireland Ltd v Minister for
Communication, Marine and Natural Resources [2014] All ER (D) 66 (Apr), the European
Parliament and the Council of the European Union adopted Directive 2006/24/EC (Directive),
H

which regulated Internet Service Providers' storage of telecommunications data. It could be used
to retain data which was generated or processed in connection with the provision of publicly
available electronic communications services or of public communications network, for the
purpose of fighting serious crime in the European Union. The data included data necessary to
trace and identify the source of communication and its destination, to identify the date, time
duration, type of communication, IP address, telephone number and other fields. The Court of
Justice of European Court (CJEU) evaluated the compatibility of the Directive with Articles 7
and 8 of the Charter and declared the Directive to be invalid.

181. According to the CJEU, the Directive interfered with the right to respect for private life
under Article 7 and with the right to the protection of personal data under Article 8 of the Charter
of Fundamental Rights of the European Union. It allowed very precise conclusion to be drawn

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.611

concerning the private lives of the persons whose data had been retained, such as habits of
everyday life, permanent or temporary places of residence, daily and other movements, activities
carried out, social relationships and so on. The invasion of right was not proportionate to the
legitimate aim pursued for the following reasons:

(i) Absence of limitation of data retention pertaining to a particular time period and/or a
particular geographical zone and/or to a circle of particular persons likely to be involved.

(ii) Absence of objective criterion, substantive and procedural conditions to determine the limits
of access of the competent national authorities to the data and their subsequent use for the
purposes of prevention, detection or criminal prosecutions. There was no prior review carried out
by a court or by an independent administrative body whose decision sought to limit access to the
data and their use to what is strictly necessary for attaining the objective pursued.

LA
(iii) Absence of distinction being made between the categories of data collected based on their
possible usefulness.

IM
(iv) Period of retention i.e. 6 months was very long being not based on an objective criterion.

(v) Absence of rules to protect data retained against the risk of abuse and against any unlawful
SH
access and use of that data.

(vi) Directive does not require the data in question to be retained within the European Union.

182. In Tele2 Sverige AB vs. Post-och telestyrelsen Tele2 Sverige AB v. Post-och telestyrelsen
LU

and Secretary of State for the Home Department v. Tom Watson, Peter Brice, Geoffrey Lewis,
Joined Cases C-203/15 and C-698/15, 2016, the CJEU was seized with the issue as to whether in
light of Digital Rights Ireland, a national law which required a provider of electronic
PN

communications services to retain meta-data (name, address, telephone number and IP address)
regarding users/subscribers for the purpose of fighting crime was contrary to Article 7, 8 and 11
of the EU Charter. The CJEU struck down the provision allowing collection of such meta data on
H

grounds of lack of purpose limitation, data differentiation, data protection, prior review by a
court or administrative authority and consent, amongst other grounds. It held:

"103. While the effectiveness of the fight against serious crime, in particular organised crime and
terrorism (...) cannot in itself justify that national legislation providing for the general and
indiscriminate retention of all traffic and location data should be considered to be necessary for
the purposes of that fight.

xx xx xx

105. Second, national legislation (...) provides for no differentiation, limitation or exception
according to the objective pursued. It is comprehensive in that it affects all persons using
electronic communication services, even though those persons are not, even indirectly, in a

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.612

situation that is liable to give rise to criminal proceedings. It therefore applies even to persons for
whom there is no evidence capable of suggesting that their conduct might have a link, even an
indirect or remote one, with serious criminal offences. Further, it does not provide for any
exception, and consequently it applies even to persons whose communications are subject,
according to rules of national law, to the obligation of professional secrecy.

xx xx xx

if it is to be ensured that data retention is limited to what is strictly necessary, it must be observed
that, while those conditions may vary according to the nature of the measures taken for the
purposes of prevention, investigation, detection and prosecution of serious crime, the retention of
data must continue nonetheless to meet objective criteria, that establish a connection between the
data to be retained and the objective pursued. In particular, such conditions must be shown to be
such as actually to circumscribe, in practice, the extent of that measure and, thus, the public

LA
affected."

183. With respect to measures for data security and data protection the court held :

IM
"122. Those provisions require those providers to take appropriate technical and organisational
measures to ensure the effective protection of retained data against risks of misuse and against
SH
any unlawful access to that data. Given the quantity of retained data, the sensitivity of that data
and the risk of unlawful access to it, the providers of electronic communications services must,
in order to ensure the full integrity and confidentiality of that data, guarantee a particularly high
level of protection and security by means of appropriate technical and organisational measures.
LU

In particular, the national legislation must make provision for the data to be retained within the
European Union and for the irreversible destruction of the data at the end of the data retention
period."
PN

184. In BVerfG 2.03. 2010, 1 BvR 256 / 08, 1 BvR 263 / 08, 1 BvR 586 / 08, the German
Constitutional Court rendered on March 02, 2010 a decision by which provisions of the data
H

retention legislation adopted for, inter alia, the prevention of crime were rendered void because
of lack of criteria for rendering the data retention proportional.

185. In Maximillian Schrems v. Data Protection Commissioner [2016] 2 W.L.R. 873, the CJEU
struck down the transatlantic US-EU Safe Harbor agreement that enabled companies to transfer
data from Europe to the United States on the ground that there was not an adequate level of
safeguard to protect the data. It held that the U.S. authorities could access the data beyond what
was strictly necessary and proportionate to the protection of national security. The subject had no
administrative or judicial means of accessing, rectifying or erasing their data.

186. In Szabo and Vissy v. Hungary Eur. Ct. H.R. 2016, the ECtHR held unanimously that there
had been a violation of Article 8 (right to respect for private and family life, the home and
correspondence) of the European Convention on Human Rights. The case concerned Hungarian

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.613

legislation on secret anti-terrorist surveillance introduced in 2011. The court held that the
legislation in question did not have sufficient safeguards to avoid abuse. Notably, the scope of
the measures could include virtually anyone in Hungary, with new technologies enabling the
Government to intercept masses of data easily concerning even persons outside the original
range of operation. Furthermore, the ordering of such measures was taking place entirely within
the realm of the executive and without an assessment of whether interception of communications
was strictly necessary. There were no effective remedial measures in place, let alone judicial
ones. The court held:

"77. ... Rule of law implies, inter alia, that an interference by the executive authorities with an
individual right should be subject to an effective control which should normally be assured by
the judiciary, at least in the last resort..."

187. Thus, it is evident from various case laws cited above, that data collection, usage and

LA
storage (including biometric data) in Europe requires adherence to the principles of consent,
purpose and storage limitation, data differentiation, data exception, data minimization,
substantive and procedural fairness and safeguards, transparency, data protection and security.

IM
Only by such strict observance of the above principles can the State successfully discharge the
burden of proportionality while affecting the privacy rights of its citizens.
SH
188. The jurisprudence with respect to collection, use and retention of biometric information in
the United States differs from the EU. In the US context, there is no comprehensive data
protection regime. This is because of the federal system of American government, there are
LU

multiple levels of law enforcement-federal, state, and local. Different states have differing
standards for informational privacy. Moreover, the U.S. has a sectoral approach to privacy, i.e.
laws and regulations related to data differ in different sectors such as health sector or student
PN

sector. In most cases, however, the Fourth Amendment which prohibits "unreasonable searches
and seizures" by the government has been read by courts to envisage various levels data
protection.
H

189. At this juncture, we are not entering the debate as to whether the jurisprudence developed in
United States is to be preferred or E.U. approach would be more suitable. Fact remains that
importance to data protection in processing the data of the citizens is an accepted norm.

190. Observance of this fundamental principle is necessary to prevent a disproportionate

infringement of the Fundamental Right of Privacy of a citizen. The question which now needs to
be addressed is whether the Aadhaar Act and Rules incorporate these principles of data
protection. We have already taken note of the provisions in the Act, which relate to data
protection. However, a detailed analysis of the provisions of the Act needs to be undertaken for
this purpose having regard to the principles that have emerged from case law in other jurisdiction
and noted in paragraph 187 above.

Data Minimisation:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.614

191. The petitioners have argued that the Act enables data collection indiscriminately regarding
all aspects of a person (biometrics, demographic details, authentication records, meta-data related
to transaction) even though such data has no nexus to the purported object of subsidies, thus
violating the principle of data minimization. The data collected is sufficient to indicate religion,
class, social status, income, education and intimate personal details. Under Section 32 of the Act,
authentication records are stored in the central database in the manner prescribed under the
Regulations. Regulation 26 of the Authentication Regulations requires UIDAI to store
"authentication transaction data" consisting of: (a) authentication request data received including
PID block; (b) authentication response data sent; (c) meta data related to the transaction; and (d)
any authentication server side configurations as necessary. The authentication record affords
access to information that can be used and analyzed to systematically track or profile an
individual and her activities.

192. As per the respondents, Aadhaar involves minimal identity information for effective

LA
authentication. Four types of information collected for providing Aadhaar:

(i) Mandatory demographic information comprising name, date of birth, address and gender

IM
[Section 2(k) read with Regulation 4(1) of the Aadhaar (Enrolment and Update) Regulations,
2016];
SH
(ii) Optional demographic information [Section 2(k) read with Regulation 4(2) of the Aadhaar
(Enrolment and Update) Regulations, 2016];

(iii) Non-core biometric information comprising photograph;

LU

(iv) Core biometric information comprising finger print and iris scan.
PN

193. Demographic information, both mandatory and optional, and photographs does not raise a
reasonable expectation of privacy under Article 21 unless under special circumstances such as
juveniles in conflict of law or a rape victim's identity. Today, all global ID cards contain
H

photographs for identification alongwith address, date of birth, gender etc. The demographic
information is readily provided by individuals globally for disclosing identity while relating with
others and while seeking benefits whether provided by government or by private entities, be it
registration for citizenship, elections, passports, marriage or enrolment in educational
institutions. Email ids and phone numbers are also available in public domain, For example in
telephone directories. Aadhaar Act only uses demographic information which are not sensitive
and where no reasonable expectation of privacy exists - name, date of birth, address, gender,
mobile number and e mail address. Section 2(k) specifically provides that Regulations cannot
include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical
history. Thus, sensitive information specifically stand excluded.

194. We find that Section 32 (3) of the Aadhaar Act specifically prohibits the authority from
collecting, storing or maintaining, either directly or indirectly any information about the purpose

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.615

of authentication. The proviso to Regulation 26 of Authentication Regulations is also to the same
effect.

195. Thus, the principle of data minimization is largely followed.

196. With this, we advert to some other provisions, challenge whereof is based on threat to
security of the data. These are Section 2(c), Section 2(g) and Section 2(h) read with Section 10 of
the Aadhaar Act. Section 2(c) pertains to authentication. It is a process by which Aadhaar
number along with demographic information or biometric information of an individual is
submitted to the CIDR for its verification. On submission thereof, the CIDR verifies the
correctness or lack of it. CIDR is defined in Section 2(h). Section 10 lays down that the
Authority may engage one or more entities to establish or maintain the CIDR and to perform any
other functions as may be specified by regulations.

LA
197. Insofar as authentication process is concerned, that has already been taken note of above.
The manner in which it is explained by the respondent authority, that may not pose much of a
problem. As noted earlier, while seeking authentication, neither the location of the person whose

IM
identity is to be verified nor the purpose for which authentication of such identity is needed,
comes to the knowledge of the Authority and, therefore, such data collected by the Authority.
Therefore, the threat to real time surveillance and profiling may be far-fetched. The respondents
SH
have explained that Section 2(d) defines "authentication record" to mean the record of the time of
authentication, identity of the RE and the response provided by the authority", Regulation 26 (a)
to (d) does not go beyond the scope of Section 2(d). None of the four clauses of Regulation 26
LU

entitle the authority to store data about the purpose for which authentication is being done. The
device can therefore only tell the authority the identity of the RE, the PID, the time and nature of
response, the code of the device and the authentication server side configurations. Identity of the
PN

RE does not include details of the organization which is seeking authentication as an RE

provides authentication service to large number of government organizations who have
agreements with it. Such a mechanism preventing the authority from tracking the nature of
H

activity for which the authentication was required. To illustrate nic.in is an RE which provides
authentication service to large number of Government organisations who have agreements with
it. The authentication record would only contain information about the identity about the RE. It
will give information only about the RE (nic.in) and not about the organisation which is
requiring authentication through the RE. In most cases the authentication is one time. Mr.
Dwivedi has also explained that yet again, there may be organisations, which have branches in
different part of India. Assuming Apollo Hospital (although in fact it is not an RE) has five
branches in India. If Apollo Hospital seeks authentication as an RE, the authentication record
will merely tell the identity of Apollo Hospital and its device code, but it will not indicate which
branch of Apollo was seeking authentication and from which part of the country. Further,
assuming that the Indira Gandhi International Airport is an RE and there is requirement of
authentication at the point of entry and/or exit. All that the record will show that the ANH has
entered the airport at a particular time but it will not show by which plane he is flying and to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.616

what destination. At the time of exit, it will only show that the person has exited the airport at a
particular time. It will not show from which flight he has arrived and from which destination and
at what time he has arrived or with whom he travelled.

198. However, other apprehension of the petitioners is that storing of data for a period of seven
years as per Regulations 20 and 26/27 of the Aadhaar (Authentication) Regulations, 2016 is too
long a period. We may reproduce Regulations 26 and 27 of the Aadhaar (Authentication)
Regulations, 2016 hereunder:

"26. Storage and Maintenance of Authentication Transaction Data - (1) The Authority shall store
and maintain authentication transaction data, which shall contain the following information:-

(a) authentication request data received including PID block;

(b) authentication response data sent;

LA
(c) meta data related to the transaction;

IM
(d) any authentication server side configurations as necessary:

Provided that the Authority shall not, in any case, store the purpose of authentication.
SH
27. Duration of storage - (1) Authentication transaction data shall be retained by the Authority
for a period of 6 months, and thereafter archived for a period of five years.

(2) Upon expiry of the period of five years specified in sub-regulation (1), the authentication
LU

transaction data shall be deleted except when such authentication transaction data are required to
be maintained by a court or in connection with any pending dispute."
PN

199. It is also submitted that Section 10 which authorises the Authority to engage one or more
entities, which may be private entities, to establish and maintain CIDR is a serious threat to
privacy and it even amounts to compromise on national sovereignty and security. Insofar as first
H

argument is concerned, there appears to be some force in that. If authentication is the only
purpose, we fail to understand why this authentication record is needed to be kept for a period of
2+5 years. No satisfactory explanation in this behalf was given.

200. Insofar as information regarding metadata is concerned, we may note that the respondents
distinguished between three types of meta-data technical, business and process metadata. Process
metadata describes the results of various operations such as logs key data, start time, end time,
CPU seconds used, disk reads, disk writes, and rows processed. This data is valuable for
purposes of authenticating transaction, troubleshooting, security, compliance and monitoring and
improving performance. They submit that the metadata contemplated under this Regulation is
Process metadata.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.617

201. However, metadata is not defined in the Aadhaar Act. In common parlance, it is understood
as information about data, example whereof was given by Mr. Sibal that the text of a message
exchanged between two persons would be the data itself. However, surrounding circumstances
like when the message was sent; from whom and to whom the message was sent; and location
from which the message was sent would include meta data. As noted above, Mr. Dwivedi had
tried to explain it away by stating that there are three types of meta data, namely, technical,
business and process meta data. According to him, meta data under the Aadhaar Act refers to
only process meta data. In support, he had referred to Section 2(d) of the Aadhaar Act which
defines 'authentication record' to mean the record of the time of authentication, identity of
requesting entity and the response provided by the Authority. He, thus, submitted that Regulation
26 would not go beyond Section 2(d). However, aforesaid explanation that meta data refers to
process data only does not find specific mention. There is, thus, need to amend Regulation 26 to
restrict it to process meta data, and to exclude other type of meta data specifically.

LA
Purpose Limitation:

202. As per the petitioners, there is no purpose limitation. Identity information collected for one

IM
purpose under the Act can be used for any other (new) purpose. Definition of "benefit" (Section
2(f)) and "service" (Section 2(w)) and "subsidy" (Section 2(x)), to which the personal data
SH
collected is supposed to be applied is not identifiable. It is open to the executive to notify that
any advantage, gift, reward, relief, payment, provision, facility, utility or any other assistance
aid, support, grant subvention, or appropriation may be made conditional on Aadhaar
Authentication. Moreover, under Section 57, the State, a body corporate or any person can avail
LU

authentication facility and access information under CIDR. This creates an open ended and
unspecified set of laws and contracts for which Aadhaar can be used and defeats the principle of
informed consent at the time of enrolment and purpose limitation.
PN

203. Respondents controvert the aforesaid submission by arguing that there is purpose limitation
under the Aadhaar Act as purpose of use of biometric data in the CIDR is limited to
H

authentication for identification. The Aadhaar holder is made aware of such use of the Aadhaar
card at the time of enrolment. The enrolling agency is obliged under the Enrolment Regulations
to inform the individual about the manner in which the information shall be used, the nature of
recipients with whom the information is to be shared during authentication; and the existence of
a right to access information, the procedure for making request for such access and details of the
person/department to whom request can be made. This information to individual is the basis for
his consent for enrolment.

204. As per the respondents, Section 57 is not an enabling provision which allows Aadhaar to be
used for purposes other than Section 7, but is a limiting provision. It limits its use by State, Body
Corporate or a person by requiring it to be sanctioned by any law in force or any contract and
making the use subject to the proviso to Section 57. The proviso requires the use of Aadhaar
under this Section to be subject to procedure and obligations under Section 8 and Chapter VI of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.618

penalties. Section 8(2)(a) requires Requesting Entities (RE) (parties authorized to carry out
authentication under Section 57) to obtain the consent of an individual before collecting her
identity information for the purposes of authentication in such manner as may be specified by
regulations. Section 8(3) enables this consent to be informed consent by requiring that an
individual submitting her identity information for authentication shall be informed of the nature
and the use of the information that may be shared upon authentication and the alternatives to
submission of identity information to the requesting entity. This aspect is discussed in detail at a
later stage, as it touches upon privacy aspects as well. Suffice it is to mention here that we have
found some portion of Section 57 as offending and declared that unconstitutional.

Insofar as Sections 2(f), (w) and (x) are concerned, these provisions are discussed at a later stage
See paragraphs 320 to 322. We would like to mention here that we have read down these
provisions. The aforesaid measure would sub serve the purpose limitation as well.

LA
Time Period for Data Retention:

205. We have touched upon this aspect hereinabove. According to petitioners, the data is allowed

IM
to be retained for an unreasonable long period of time. Regulation 27 of the Authentication
Regulations requires the UIDAI to retain the "authentication transaction data" (which includes
the meta data) for a period of 6 months and to archive the same for a period of 5 years thereafter.
SH
Regulation 18(3) and 20(3) allow Requesting entities (RE) and Authentication Service Agencies
to retain the authentication logs for a period of 2 years and then archive them for 5 years. It is
required to be deleted only after 7 years unless retained by a court. The right of the citizen to
LU

erasure of data or right to be forgotten is severely affected by such regulation. There is no

provision to delete the biometric information in any eventuality once a person is enrolled.

We do not find any reason for archiving the authentication transaction data for a period of five
PN

years. Retention of this data for a period of six months is more than sufficient after which it
needs to be deleted except when such authentication transaction data are required to be
maintained by a Court or in connection with any pending dispute. Regulations 26 and 27 shall,
H

therefore, be amended accordingly.

Data Protection and Security:

206. Petitioners argued that there are not enough safeguards for data protection and security in
the Act. Section 28 of the Act which addresses security and confidentiality of information is
vague and fails to lay down any standard of data security or prescribe any cogent measures
which are to be taken to prevent data breaches. Section 54 empowers UIDAI to make regulations
related to various data management processes, security protocol and other technology
safeguards. The Aadhaar (Data Security) Regulations, 2016 passed by UIDAI under Section 54,
vest in the authority discretion to specify "an information security policy" (Regulation 3). This
leads to excessive delegation. Alternatively, it has not been subject to parliamentary oversight
which Regulations under Section 54 require. Further, the CIDR central database, unlike the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.619

ASAs and REs (under Authentication Regulation 22(1)), are not required to be located in data
centres. The personal data is accessible by private entities such as AUAs and KUAs and other
private entities such as banks, insurance companies and telecom service providers. There have
been numerous data breaches in the Aadhaar system. These establish its vulnerability. There are
not enough safeguards from data hack and data leak. The data is being used by private parties to
build comprehensive databases containing information and profiles of individuals. Thus the
project also lacks transparency of data and its use.

207. The Respondents contend that strong measures for data protection and security, taken at all
stages of data collection, transfer, storage and use.

After deliberating over respective contentions, we are of the opinion that the following
explanation furnished by the respondents on various facets ensures data protection and security
to a considerable extent:

LA
(a) CIDR

IM
208. Regulation 3(i) & (j) of Aadhaar (Data Security) Regulation 2016 enables partitioning of
CIDR network into zones based on risk and trust and other security measures. CIDR being a
computer resource is notified to be a "Protected System" under Section 70 of the IT Act, 2000 by
SH
the Central Government on 11.12.2015. Anyone trying to unlawfully gain access into this system
is liable to be punished with 10 years imprisonment and fine. The storage involves end to end
encryption, logical partitioning, firewalling and anonymisation of decrypted biometric data.
Breaches of penalty are made punitive by Chapter VII of the Act. Biometric information is
LU

deemed to be an "electronic record", and "Sensitive personal data or information" under the IT
Act, 2000. There are further guards under The Aadhaar (Data Security)Regulation, 2016.
PN

(b) Requesting Entities (AUA and KUA)

209. Other identity information is shared with Requesting Entity (AUAs and KUAs) only for the
H

limited purpose of authentication. The data is transferred from the RE to the ASA
(Authentication Service Agency) to the CIDR in an encrypted manner through a leased line
circuitry using secure Protocols (Regulation 9 of the Authentication Regulations). The storage of
data templates is in safely located servers with no public internet inlet/outlet, and offline storage
of original encrypted data (PID blocks). There are safety and security provisions such as audit by
Information Systems Auditor. REs are appointed through agreement. REs can enter into
agreement with sub-AUA or sub-KUA with permission of the of UIDAI. Whatever identity
information is obtained by the requesting entity is based on a specific consent of the Aadhaar
number holder. The e-KYC data shared with the RE can only be after prior consent of the
Aadhaar holder. Such data cannot be shared and has to be stored in encrypted form. The
biometric information used is not permitted to be stored only the logs of authentication
transactions are maintained for a short period. Full identity information is never transmitted back

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.620

to RE. There is a statutory bar from sharing Biometric information [Section 29(1)(a)/ Section
29(4)]. The Data centres of ASA, REs and CIDR should be within the territory of India.

(c) Enrolment Agencies and Registrars

210. The enrolment and Authentication processes are strongly regulated so that data is secure.
The Enrolment agency, which collects the biometric and demographic of the individuals during
enrolment, is appointed either by UIDAI or by a Registrar [Section 2(s)]. The registrar are
appointed through MoUs or agreements for enrolment and are to abide by a code of conduct and
processes, policies and guidelines issued by the authority. They are responsible for the process of
enrolment. Categories of persons eligible for appointment are limited by the Regulations. The
agency employees a certified supervisor, an operator and a verifier under Enrolment and Update
Regulations. Registrars, enrolling agencies are obliged to use the software provided or authorized
by UIDAI for enrolment purpose. The standard software has security features as specified by

LA
Authority. All equipment used are as per the specification issued by the authority. The Registrars
are prohibited from using the information collected for any purpose other than uploading the
information to CIDR. Sub-contracting of enrolment function is not allowed. The Code of

IM
Conduct contains specific directions for following the confidentiality, privacy and security
protocols and submission of periodic reports of enrolment. Not only there are directions
SH
prohibiting manipulation and fraudulent practices but the Act contains penal provisions for such
violations in Chapter VII of the Regulations. The enrolment agencies are empanelled by the
authority. They are given an enrolling agency code using which the Registrar can onboard such
agency to the CIDR. The enrolment data is uploaded to the Central Identities Data Repository
LU

(CIDR) certified equipment and software with a digital signature of the registrar/enrolling
agency. The data is encrypted immediately upon capture. The decryption key is with the UIDAI
solely. Section 2(ze) of the IT Act, which defines 'secure systems' and Section 2(w) of the Act,
PN

which defines 'intermediaries' apply to the process.

(d) Authentication Service Agency

H

211. Authentication only becomes available through the Authentication Service Agency (ASA).
They are regulated by the Aadhaar (Authentication) Regulations, 2016. Their role and
responsibilities are provided by Authentication Regulation 19. They are to use certified devices,
equipment, or software are duly registered with or approved or certified by the Authority/agency.
The systems and operations are audited by information system auditor. The REs pass the
encrypted data to the CIDR through the ASA and the response (Yes/No authentication or e-KYC
information) also takes the same route back. The server of the ASA has to perform basic
compliance and completeness checks on the authentication data packet before forwarding it to
the CIDR.

(e) Hacking

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.621

212. As far as hacking is concerned, the respondents submit that the authority has involved
adequate firewalling and other safety features. The biometric data stored in the CIDR is stored
offline. Only templates are online. So far there has been no incidence of hacking. However, the
authority is conscious of the hackers and it constantly updates itself to safe guard the data.

It may, however, be mentioned that of late certain reports have appeared in newspapers to the
effect that some people could hack the website of CIDR, though it is emphatically denied by the
UIDAI. Since there are only newspapers reports to this effect which appeared after the
conclusion of hearing in these cases and, therefore, parties could not be heard on this aspect, we
leave this aspect of the matter at that with a hope that CIDR would find out the ways and means
to curb any such tendency.

(f) Biometric Solution Providers

LA
213. With respect to foreign companies owning software, Respondents submit that UIDAI has
entered into licensing agreements with foreign biometric solution providers (BSP) for software.
Even thought the source code of the software are retained by the BSP as it constitutes their

IM
Intellectual property, the data in the server rooms is secure as the software operates automatically
and the biometric data is stored offline. There is no opportunity available to BSP to extract data
as they have no access to it.
SH
Substantive, Procedural or Judicial Safeguards:

214. Another grievance of the petitioners is that the Act lacks any substantive, procedural or
LU

judicial safeguards against misuse of individual data. Section 23(2)(k) which allows sharing
information of Aadhaar holders, in such manner as may be specified by regulations. This means
individual's identity information can be shared with the government. This may include
PN

demographic and core biometric information, include aspects such as DNA profiles, handwriting,
voice-print etc., (in the future). Subsequent linkage with various state and non-state actors that
interact with such individual may enable UIDAI to share greater information. The police can
H

easily gain access to all biometric information, bank accounts of the individual, all mobile
phones, and meta data associated with any associated linkages, information relating to all mutual
funds, policies etc., information relating to travel by air or by rail by such person and so on.

215. In other cases of collection of information of this kind under other laws, there are
exhaustive legal procedures. For example, Section 73 of the Indian Evidence Act, 1872 which
allows the taking of handwriting samples only if necessary "for the purposes of any (specific)
investigation", or in order to compare writing or signature that appears in relation to the facts of a
particular case. Section 53 of the Cr.PC allows medical examination of a person arrested on a
charge of committing an offence if reasonable grounds exist for believing that an examination of
his person will afford evidence as to the commission of the offence. Similarly provisions in
various other statutes such as of the Foreign Exchange Regulation Act, 1973 (Sections 34-48);
the Prevention of Money-Laundering Act, 2002 (Sections 17-19); the Narcotic Drugs and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.622

Psychotropic Substances Act, 1985 (Sections 41-42) and the Customs Act, 1962 (Chapter 13)
which allow for search, seizure or even arrest, and thereby provide access to personal
information also bear a nexus with a particular crime under investigation.

216. As per the petitioners, the Investigating Agency can presently access fingerprints, only
limited to cases of citizens who were arrested on the reasonable basis of having committed a
crime, or were convicted of a crime, as per provisions of the Identification of Prisoners Act. In
all such circumstances, not only are there adequate safeguards-such as permission from the
Magistrate that collection is necessary for the purpose of investigation, but persons accused of an
offence presently can claim protection under Article 20(3), thereby making it incumbent upon
the investigating agency to obtain such information in accordance with law, as described above.
Further, unlike the Aadhaar Act, present day criminal statutes contain provisions for destruction
of some kinds of core biometric data obtained [Section 7 of the Identification of Prisoners Act,
1920]. No such safeguards exist under the Aadhaar Act.

LA
217. It is also argued that Section 33(2), which permits disclosure of identity information and
authentication records under direction of an officer not below the rank of Jt. Secretary to Central

IM
Government in the interest of national security, has no provision for judicial review. The
Oversight Committee does not have a judicial member.
SH
218. Respondents submitted that Section 29 of the Aadhaar Act provides protection against
disclosure of core biometric information. The biometric information cannot shared with anyone
for any reason whatsoever; or used for any purpose other than generation of Aadhaar numbers
LU

and authentication under this Act. Section 8 ensure that the during authentication, biometric
information of an individual is only used for submission to the Central Identities Data
Repository.
PN

219. We are of the view that most of the apprehensions of the petitioners stand assuaged with the
treatment which is given by us to some of the provisions. Some of these are already discussed
above and some provisions are debated in the next issue. Summary thereof, however, can be
H

given hereunder:

(a) Authentication records are not to be kept beyond a period of six months, as stipulated in
Regulation 27(1) of the Authentication Regulations. This provision which permits records to be
archived for a period of five years is held to be bad in law.

(b) Metabase relating to transaction, as provided in Regulation 26 of the aforesaid Regulations in

the present form, is held to be impermissible, which needs suitable amendment.

(c) Section 33 of the Aadhaar Act is read down by clarifying that an individual, whose
information is sought to be released, shall be afforded an opportunity of hearing.

(d) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.623

(e) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual
to seek authentication is held to be unconstitutional.

(f) We have also impressed upon the respondents, as the discussion hereinafter would reveal, to
bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N.
Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed
appropriate.

220. With the removal of the aforesaid provisions from the statute and the Rules, coupled with
the statement of the Authority on affidavit that there is no record of any transactions carried out
by the individuals which is even known (and, therefore, no question of the same being retained
by the Authority), most of the apprehensions of the petitioners are taken care of. At the same
time, we may remind ourselves of the judgment in G. Sundarrajan v. Union of India & Ors.
(2013) 6 SCC 620 2013 Indlaw SC 290. In that case, the Court noted the safety and security risk

LA
in the setting up of the nuclear power plant in the backdrop of Fukushima disaster and Bhopal
Gas tragedy. Yet, keeping in view the importance of generation of nuclear energy, the Court
observed that a balance should be struck between production of nuclear energy which was of

IM
extreme importance for the economic growth, alleviation of poverty, generation of employment,
and the smaller violation to right to life under Article 21. It took note of the opinion of experts
SH
committee and observed that 'adequate safety measure' have been taken. It noted huge
expenditure of money running into crores and observed 'apprehension however legitimate it may
be, cannot override the justification of the project. Nobody on this earth can predict what would
happen in future and to a larger extent we have to leave it to the destiny. But once the
LU

justification test is satisfied, the apprehension test is bound to fail. Apprehension is something we
anticipate with anxiety or fear, a fearful anticipation, which may vary from person to person'.
The Court also held that 'nuclear power plant is being established not to negate right to life but to
PN

protect the right to life guaranteed under Article 21 of the Constitution. No doubt, the Court took
a view that this interest of people needed to be respected for their human dignity which was
divinity. However, it was also stressed that generation of nuclear energy was a nuclear necessity
H

and the project was for larger public benefit and consequently, individual interest or smaller
public interest must yield. In such a situation, necessity for 'adequate care, caution, and
monitoring at every stage' and 'constant vigil' was emphasised. Safety and security was read into
Article 21. Acknowledging that proportionality of risk may not be 'zero', regard being had to the
nature's unpredictability, the Court ruled that all efforts must be made to avoid disaster by
observing the highest degree of constant alertness. In the directions of the Court, it was observed
that 'maintaining safety is an ongoing process not only at the design level but also during the
operation'. In the present case as well, we have come to the conclusion that Aadhaar Act is a
beneficial legislation which is aimed at empowering millions of people in this country. The
justification of this project has been taken note of in detail, which the subsequent discussion shall
also demonstrate. In such a scenario only on apprehension, the project cannot be shelved. At the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.624

same time, data protection and data safety is also to be ensured to avoid even the remote
possibility of data profiling or data leakage.

221. Notwithstanding the statutory provision discussed above, we are of the view that there is a
need for a proper legislative mechanism for data protection. The Government is not unmindful of
this essential requirement. During the arguments it was stated by Mr. K.K. Venugopal, learned
Attorney General, that an expert committee heading by Justice B.N. Srikrishna (Retd.) was
constituted which was looking into the matter. The said Committee has since given its report.

222. In this behalf, it may be worthwhile to mention that one of the first comprehensive reports
on data protection and informational privacy was prepared by the Group of Experts "Report of
the Group of Experts on Privacy" (16 October, 2012), Government of India, available at
http://planningcommission.nic.in/reports/genrep/rep-privacy.pdf constituted by the Planning
Commission of India under the Chairmanship of Retd. Justice A.P. Shah, which submitted a

LA
report on 16 October, 2012. The five salient features of this report were expected to serve as a
conceptual foundation for legislation protecting privacy. The framework suggested by the expert
group was based on five salient features: (i) Technological neutrality and interoperability with

IM
international standards; (ii) Multi-Dimensional privacy; (iii) Horizontal applicability to state and
non-state entities; (iv) Conformity with privacy principles; and (v) A co-regulatory enforcement
SH
regime.

223. The Union Government, on 31 July 2017, had constituted a committee chaired by Retd.
Justice B N Srikrishna, former Judge of the Supreme Court of India to review data protection
LU

norms in the country and to make recommendations. The Committee recently released its report
and the first draft of the Personal Data Protection Bill, 2018 which comprehensively addresses
the processing of personal data where such data has been collected, disclosed, shared or
PN

otherwise processed within the territory of India. The bill has incorporated provisions and
principles from the Europe's General Data Protection Regulation (EUGDPR).

224. The Draft Bill replaces the traditional concepts of data controller i.e. the entity which
H

processes data and data subject i.e. the natural person whose data is being collected, with data
'fiduciary' and data 'principal'. It aims to create a trust-based relationship between the two.

225. The Bill largely incorporates data protection principles from the EUGDPR and EU data
protection jurisprudence, including fair and reasonable processing of data, purpose limitation,
collection limitation, lawful processing, storage limitation, data quality and accountability. The
Draft bill and the report cull out rights and obligations of the data fiduciary and data controller
respectively. These rights include the right to access and correction, the right to data portability
and right to be forgotten - a right to prevent or restrict disclosure of personal data by a fiduciary.
Most importantly, consent has been given a crucial status in the draft data protection law. Thus, a
primary basis for processing of personal data must be individual consent. This consent is
required to be free, informed, specific, clear and, in an important addition, capable of being

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.625

withdrawn. The Authority under the Bill is obligated and empowered to ensure protection of data
from misuse and compromise.

226. Processing of biometric data, classified as 'Sensitive Personal Data' (SPD), by the data
fiduciary mandates additional safeguards (mentioned under Chapter IV of the Bill). For example,
the data fiduciary is required to undertake Data Protection Impact Assessment under the
provisions of the Bill. The Draft Bill allows processing of biometric data for the exercise of any
function of the State authorised by law for the provision of any service or benefit to the data
principal. Special provisions to protect sensitive and personal data of children also exist. For
example, Data fiduciaries shall be barred from profiling, tracking, or behavioural monitoring of,
or targeted advertising directed at, children and undertaking any other processing of personal
data that can cause significant harm to the child.

227. For security of data and protection of breach, the Draft Bill has separate provisions which

LA
require use of methods such as de-identification and encryption and other steps necessary to
protect the integrity of personal data and to prevent misuse, unauthorised access to, modification,
disclosure or destruction of personal data. The data fiduciary is required to immediately notify

IM
the Authority of any personal data breach relating to any personal data processed by the data
fiduciary where such breach is likely to cause harm to any data principal. It also incorporates a
SH
provision for Grievance Redressal.

228. The Draft Bill creates several exceptions and exemptions for processing data by the State.
These are situations where rights and obligations of data principals and data fiduciaries may not
LU

apply in totality. Such situations include national security, prevention of crime, allocation of
resources for human development, protection of revenue, etc. The committee asserts that such
exceptions have been envisaged in the Puttaswamy judgement as legitimate interests of the state
PN

and satisfy the proportionality test.

229. The Srikrishna Committee Report and the Draft Data Protection Bill are the first articulation
of a data protection law in our country. They have incorporated many of the progressive data
H

protection principles inspired by the EUGDPR. There may be indeed be scope for further fine
tuning of this law through a consultative process, however, we are not far away from a
comprehensive data protection regime which entrenches informational and data privacy within
our laws and legal system. We hope that there would be a robust statutory regime in place in near
future.

230. The aforesaid discussion leads us to hold that the protection that there is going to be a
surveillance state created by the Aadhaar project is not well founded, and in any case, taken care
of by the diffluence exercise carried out with the striking down certain offending provisions in
their present form.

Privacy:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.626

Whether Aadhaar Act violates right to privacy and is unconstitutional on this ground?

(This issue is considered in the context of Section 7 and Section 8 of the Act.)

231. The petitioners submit that right to privacy and dignity and individual autonomy have been
established by various cases. In Gobind v. State of M.P.(1975) 2 SCC 148 1975 Indlaw SC 629,
this Court held:

"the significance of man's spiritual nature, of his feelings and of his intellect and that only a part
of the pain, pleasure, satisfaction of life can be found in material things and therefore they must
be deemed to have conferred upon the individual as against the Government, a sphere where he
should be let alone.

xx xx xx

LA
24. Any right to privacy must encompass and protect the personal intimacies of the home, the
family, marriage, motherhood, procreation and child rearing. This catalogue approach to the
question is obviously not as instructive as it does not give analytical picture of the distinctive

IM
characteristics of the right of privacy. Perhaps, the only suggestion that can be offered as
unifying principle underlying the concept has been the assertion that a claimed right must be a
SH
fundamental right implicit in the concept of ordered liberty.

25. Rights and freedoms of citizens are set forth in the Constitution in order to guarantee that the
individual, his personality, and those things stamped with his personality shall be free from
LU

official interference except where a reasonable basis for intrusion exists. "Liberty against
Government" a phrase coined by Professor Corwin expresses this idea forcefully. In this sense,
many of the fundamental rights of citizens can be described as contributing to the right to
PN

privacy.

26. As Ely says:

H

"There is nothing to prevent one from using the word 'privacy' to mean the freedom to live one's
life without governmental interference. But the Court obviously does not so use the term. Nor
could it, for such a right is at stake in every case."

232. To recapitulate briefly, the judgment of K.S. Puttaswamy has affirmed the following -

(i) privacy has always been a natural right, and the correct position has been established by a
number of judgments starting from Gobind. Privacy is a concomitant of the right of the
individual to exercise control over his or her personality. Equally, privacy is the necessary
condition precedent to the enjoyment of any of the guarantees in Part III. The fundamental right
to privacy would cover at least three aspects-(i) intrusion with an individual's physical body, (ii)
informational privacy and (iii) privacy of choice. Further, one aspect of privacy is the right to
control the dissemination of personal information. Every individual should have a right to be

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.627

able to control exercise over his/her own life and image as portrayed in the world and to control
commercial use of his/her identity.

(ii) The sanctity of privacy lies in its functional relationship with dignity. Privacy ensures that a
human being can lead a life of dignity by securing the inner recesses of the human personality
from unwanted intrusions. While the legitimate expectation of privacy may vary from intimate
zone to the private zone and from the private to the public arena, it is important to underscore
that privacy is not lost or surrendered merely because the individual is in a public place. Privacy
is a postulate of dignity itself. Privacy concerns arise when the State seeks to intrude into the
body and the mind of the citizen.

(iii) Privacy as intrinsic to freedom, liberty and dignity. The right to privacy is inherent to the
liberties guaranteed by Part-III of the Constitution and privacy is an element of human dignity.
The fundamental right to privacy derives from Part-III of the Constitution and recognition of this

LA
right does not require a constitutional amendment. Privacy is more than merely a derivative
constitutional right. It is the necessary basis of rights guaranteed in the text of the Constitution.

IM
(iv) Privacy has both positive and negative content. The negative content restrains the State from
committing an intrusion upon the life and personal liberty of a citizen. Its positive content
imposes an obligation on the State to take all necessary measures to protect the privacy of the
SH
individual.

(v) Informational Privacy is a facet of right to privacy. The old adage that 'knowledge is power'
has stark implications for the position of individual where data is ubiquitous, an all-
LU

encompassing presence. Every transaction of an individual user leaves electronic tracks, without
her knowledge. Individually these information silos may seem inconsequential. In aggregation,
information provides a picture of the beings. The challenges which big data poses to privacy
PN

emanate from both State and non-State entities.

(vi) Right to privacy cannot be impinged without a just, fair and reasonable law. It has to fulfil
H

the test of proportionality i.e. (i) existence of a law (ii) must serve a legitimate State aim and (iii)
proportionate.

233. We have also remarked, in paragraph 85 above, the taxonomy of privacy, namely, on the
basis of 'harms', 'interest' and 'aggregation of rights'. We have also discussed the scope of right to
privacy with reference to the cases at hand and the circumstances in which such a right can be
limited. In the process, we have also taken note of the passage from the judgment rendered by
Nariman, J. in K.S. Puttaswamy stating the manner in which law has to be tested when it is
challenged on the ground that it violates the fundamental right to privacy. Keeping in mind all
these considerations and parameters, we proceed to deal with the argument on right to privacy.

234. It is argued that the Aadhaar project, during the pre-Act period (2009/10 - July, 2016),
violated the Right to Privacy with respect to personal demographic as well as biometric

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.628

information collected, stored and shared as there was no law authorizing these actions. In a
digital society an individual has the right to protect herself by controlling the dissemination of
such personal information. Compelling an individual to establish her identity by planting her
biometric at multiple points of service violates privacy involving the person. The seeding of
Aadhaar in distinct data bases enables the content of information about an individual that is
stored in different silos to be aggregated. This enables the State to build complete profiles of
individuals violating privacy through the convergence of data.

235. It is also contended that the citizen's right to informational privacy is violated by
authentication under the Aadhaar Act inasmuch as the citizen is compelled to 'report' her actions
to the State. Even where a person is availing of a subsidy, benefit or service from the State under
Section 7 of the Act, mandatory authentication through the Aadhaar platform (without an option
to the citizen to use an alternative mode of identification) violates the right to informational
privacy. An individual's rights and entitlements cannot be made dependent upon an invasion of

LA
his or her bodily integrity and his or her private information which the individual may not be
willing to share with the State. The bargain underlying section 7 is an unconscionable,

IM
unconstitutional bargain. Section 7 is against the constitutional morality contained in both Part
III as well the Part IV of the Constitution of India.
SH
236. It was also highlighted that today the fastest growing businesses are network orchestrators,
the likes of Facebook and Uber, which recreate a network of peers in which participants interact
and share value in creation. The most important assets for these network orchestrators is
information. Although, individuals share information with these entities, such information is
LU

scattered, not concentrated in a single authority or aggregated. If information, collected in

different silos is aggregated and centralized, it can afford easy access to a person's complete
profile, including her social groups, proclivities, habits, inclinations, tastes etc. The entity that
PN

holds the key to such information would then be in an extremely powerful position, especially if
such entity is the State. Since informational privacy is a part of Right to Privacy, it had to be
saved. The peittioners pointed out that the significance of information being aggregated was
H

noted by Hon'ble Court in K.S. Puttaswamy as follows:

"300 ...Yet every transaction of an individual user and every site that she visits, leaves electronic
tracks generally without her knowledge. These electronic tracks contain powerful means of
information which provide knowledge of the sort of person that the user is and her interests.
Individually, these information silos may seem inconsequential. In aggregation, they disclose the
nature of the personality: food habits, language, health, hobbies, sexual preferences, friendships,
ways of dress and political affiliation. In aggregation, information provides a picture of the
being: of things which matter and those that don't, of things to be disclosed and those best
hidden...

xx xx x

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.629

687. Privacy concerns relating to the Aadhaar project have been the subject of wide ranging
deliberation. Biometric data offers strong evidence of one's identity since it represents relatively
unique biological characteristics which distinguish one person from another. As biometric data
can be usually linked to only one individual it acts as a powerful, unique identifier that brings
together disparate pieces of personal information about an individual. As a relatively unique
identifier, biometric data not only allows individuals to be tracked, but it also creates the
potential for the collection of an individual's information and its incorporation into a
comprehensive profile. Central databases, data matching/linking and profiling are technical
factors that facilitate 'function creep' (the slippery slope according to which information can be
used for functions other than that for which it was collected). Privacy advocates believe that any
identification scheme can be carried out with a hidden agenda and that the slippery slope effect
can be relevant to several factors such as motivations of governments and business, and on the
existence of safeguards. The special nature of biometric data makes function creep more likely

LA
and even attractive. The legal measures possible to control function creep are still limited.
However, there are several ways in which function creep can be curtailed. They include (i)
limiting the amount of data that is collected for any stated purpose; (ii) enabling regulation to

IM
limit technological access to the system; (iii) concerted debates with all stakeholders and public
participation; (iv) dispersion of multiple enablers for a system; and (v) enabling choices for user
SH
participation.

688. This Court held in Puttaswamy that a reasonable expectation of privacy requires that data
collection must not violate the autonomy of an individual. The Court has held consent,
transparency, and control over information as the cornerstones over which the fundamentals of
LU

informational privacy stand. The Court had made it clear that an individual has the right to
prevent others from using his or her image, name and other aspects of personal life and identity
PN

for commercial purposes without consent. An Aadhaar number is a unique attribute of an

individual. It embodies unique information associated with an individual. The manner in which it
is to be used has to be dependent on the consent of the individual.
H

689. Section 57 of the Aadhaar Act allows the use of an Aadhaar number for establishing the
identity of an individual "for any purpose" by the state, private entities and persons. Allowing
private entities to use Aadhaar numbers will lead to commercial exploitation of an individual's
personal data without his/her consent and could lead to individual profiling. The contention is
that Section 57 fails to meet the requirements set out in the Puttaswamy judgment.

In this regard, reference must be drawn to a 2010 policy paper. A group of officers was created
by the Government of India to develop a framework for a privacy legislation that would balance
the need for privacy protection with security and sectoral interests, and respond to the need for
domain legislation on the subject. An approach paper for the legal framework for a proposed
legislation on privacy was prepared by the group and was uploaded on the website of the
Government of India. The paper noted the repercussions of having a project based on a database
of unique individual IDs:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.630

"Data privacy and the need to protect personal information is almost never a concern when data
is stored in a decentralized manner. However, all this is likely to change with the implementation
of the UID Project. One of the inevitable consequences of the UID Project will be that the UID
Number will unify multiple databases. As more and more agencies of the government sign on to
the UID Project, the UID Number will become the common thread that links all those databases
together. Over time, private enterprise could also adopt the UID Number as an identifier for the
purposes of the delivery of their services or even for enrolment as a customer...Once this
happens, the separation of data that currently exists between multiple databases will vanish...

Such a vast interlinked public information database is unprecedented in India. It is imperative

that appropriate steps be taken to protect personal data before the vast government storehouses of
private data are linked up and the threat of data security breach becomes real." Government of
India, Approach Paper for a Legislation on Privacy (2010), available at
http://www.prsindia.org/uploads/media/UID/aproach_paper.pdf

LA
The Paper highlighted the potential of exploitation that the UID project possessed. The potential
was that the UID data could be used directly or indirectly by market forces for commercial

IM
exploitation as well as for intrusions by the State into citizens' privacy. The Paper contained an
incisive observation in regard to the exploitation of citizens' data by private entities:
SH
"Similarly, the private sector entities such as banks, telecom companies, hospitals etc are
collecting vast amount of private or personal information about individuals. There is tremendous
scope for both commercial exploitation of this information without the consent/knowledge of the
LU

individual consent and also for embarrassing an individual whose personal particulars can be
made public by any of these private entities. The IT Act does provide some safeguards against
disclosure of data / information stored electronically, but there is no legislation for protecting the
PN

privacy of individuals for all information that may be available with private entities

In view of the above, privacy of individual is to be protected both with reference to the actions of
Government as well as private sector entities." Ibid
H

The Paper highlighted the need for a stringent privacy protection mechanism, which could
prevent individual data from commercial exploitation as well as individual profiling.

690. Reference must also be drawn to Chapter V of the National Identification Authority of India
Bill, 2010, which provided for the constitution of an Identity Review Committee. The proposed
Committee was to be entrusted to carry out the function of ascertaining the extent and pattern of
usage of Aadhaar numbers across the country. The Committee was required to prepare a report
annually in relation to the extent and pattern of usage of the Aadhaar numbers along with its
recommendations thereon and submit it to the Central Government. The idea behind the
establishment of such a Committee was to limit the extent to which Aadhaar numbers could be
used. These provisions have not been included in the Aadhaar Act, 2016. Instead, the Act allows

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.631

the use of Aadhaar number for any purpose by the State as well as private entities. This is a clear
case of overbreadth and an instance of manifest arbitrariness.

691. Section 57 indicates that the legislature has travelled far beyond its stated object of ensuring
targeted delivery of social welfare benefits. Allowing the Aadhaar platform for use by private
entities overreaches the purpose of enacting the law. It leaves bare the commercial exploitation
of citizens data even in purported exercise of contractual clauses. This will result in a violation of
privacy and profiling of citizens.

An article titled "Privacy and Security of Aadhaar: A Computer Science Perspective" Shweta
Agrawal, Subhashis Banerjee, and Subodh Sharma, Privacy and Security of Aadhaar: A
Computer Science Perspective, Economic & Political Weekly (16 September 2017), Vol. 52,
available at https://www.epw.in/journal/2017/37/special-articles/privacy-and-security-
aadhaar.html underlines the risk of profiling and identification that is possible by the use of

LA
Aadhaar numbers. It states:

"The Aadhaar number is at the heart of the Aadhaar scheme and is one of the biggest causes of

IM
concern. Recall that the Aadhaar number is a single unique identifier that must function across
multiple domains. Given that the Aadhaar number must necessarily be disclosed for obtaining
services, it becomes publicly available, not only electronically but also often in human readable
SH
forms as well, thereby increasing the risk that service providers and other interested parties may
be able to profile users across multiple service domains. Once the Aadhaar number of an
individual is (inevitably) known, that individual may be identified without consent across
LU

domains, leading to multiple breaches in privacy."

706. Section 7 of the Aadhaar Act makes it mandatory for an individual to undergo
authentication or furnish proof of possession of an Aadhaar number in order to avail a subsidy,
PN

benefit or service, which incurs expenditure from the Consolidated Fund of India. In the Aadhaar
based Biometric Authentication, the Aadhaar number and biometric information submitted by an
Aadhaar number holder are matched with the biometric information stored in the CIDR. This
H

may be fingerprints-based or iris-based authentication or other biometric modalities based on

biometric information stored in the CIDR. UIDAI, Aadhaar Authentication, available at
https://uidai.gov.in/authentication.html

It has been submitted that failure of the authentication process results in denial of a subsidy,
benefit or service contemplated under Section 7 of the Act. It has been contended that non-
enrolment in the Aadhaar scheme and non-linking of the Aadhaar number with the benefit,
subsidy or service causes exclusion of eligible beneficiaries. It is the submission of the
petitioners that authentication of biometrics is faulty, as biometrics are probabilistic in nature. It
is the case of the petitioners that Aadhaar based biometric authentication often results in errors
and thus leads to exclusion of individuals from subsidies, benefits and services provided under
Section 7. Across the country, it has been urged, several persons are losing out on welfare

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.632

entitlements because of a biometric mis-match. Mr Divan has argued in his written submissions,
that "the project is not an 'identity' project but 'identification' exercise and unless the biometrics
work, a person in flesh and blood, does not exist for the state".

In order to deal with this contention, it is necessary to understand whether biometrics

authentication can result in errors in matching. People are identified by three basic means: "by
something they know, something they have, or something they are". United States General
Accounting Office, Technology Assessment: Using Biometrics for Border Security (2002),
available at http://www.gao.gov/new.items/d03174.pdf. Biometrics fall within the last category,
and, as such, should presumably be less susceptible to being copied or forged. However, various
factors can reduce the probability of accurate human identification, and this increases the
probability of a mismatch. Human fallibility can produce errors. Jeremy Wickins, The ethics of
biometrics: the risk of social exclusion from the widespread use of electronic identification,
Science & Engineering Ethics (2007), at pages 45-54

LA
707. In the United States of America, the National Academy of Science published a report in
2010 on biometrics titled "Biometric Recognition: Challenges & Opportunities" Biometric

IM
Recognition: Challenges & Opportunities (Joseph N. Pato and Lynette I. Millett eds.), National
Academy of Science-United States of America (2010), available at
SH
https://www.nap.edu/read/12720/chapter/1. The report was based on a study carried out by
several reputed scientists and researchers under the aegis of the National Research Council, the
National Academy of Engineering and the Institute of Medicine. This report highlights the nature
of biometrics as follows:
LU

"Biometric recognition systems are inherently probabilistic and their performance needs to be
assessed within the context of this fundamental and critical characteristic. Biometric recognition
PN

involves matching, within a tolerance of approximation, of observed biometric traits against

previously collected data for a subject. Approximate matching is required due to the variations in
biological attributes and behaviors both within and between persons." Ibid, at page 3 (Emphasis
H

supplied)

The report also took note of how changes in an individual's biometrics may occur due to a
number of factors:

"Biometric characteristics and the information captured by biometric systems can be affected by
changes in age, environment, disease, stress, occupational factors, training and prompting,
intentional alterations, socio-cultural aspects of the situation in which the presentations occurs,
changes in human interface with the system, and so on. As a result, each interaction of the
individual with the system (at enrolment, identification and so on) will be associated with
different biometric information. Individuals attempting to thwart recognition for one reason or
another also contribute to the inherent uncertainty in biometric systems." Ibid (Emphasis
supplied)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.633

The report had also stated that biometrics can result in exclusion of people if it is used for
claiming entitlement to a benefit:

"When used in contexts where individuals are claiming enrollment or entitlement to a benefit,
biometric systems could disenfranchise people who are unable to participate for physical, social,
or cultural reasons. For these reasons, the use of biometrics-especially in applications driven by
public policy, where the affected population may have little alternative to participation-merits
careful oversight and public discussion to anticipate and minimize detrimental societal and
individual effects and to avoid violating privacy and due process rights.

Social, cultural, and legal issues can affect a system's acceptance by users, its performance, or
the decisions on whether to use it in the first place-so it is best to consider these explicitly in
system design. Clearly, the behavior of those being enrolled and recognized can influence the
accuracy and effectiveness of virtually any biometric system, and user behavior can be affected

LA
by the social, cultural, or legal context. Likewise, the acceptability of a biometric system depends
on the social and cultural values of the participant populations." Ibid, at pages 10-11 (Emphasis
supplied)

IM
The report underlines that the relationship between an individual's biometric traits and data
records has the potential to cause disenfranchisement, when a section of the population is
SH
excluded from the benefits of positive claim systems. The report thus states that:

"Policies and interfaces to handle error conditions such as failure to enroll or be recognized
should be designed to gracefully avoid violating the dignity, privacy, or due process rights of the
LU

participants." (Emphasis supplied)

708. Els Kindt in a comprehensive research titled "Privacy and Data Protection Issues of
PN

Biometric Applications: A Comparative Legal Analysis" Els J. Kindt, Privacy and Data
Protection Issues of Biometric Applications: A Comparative Legal Analysis, Springer (2013),
deals with the nature of biometrics. The book notes that error rates in biometric systems lead to a
H

situation where entitled data subjects will be falsely rejected from the process of database
matching. This will adversely affect the rights of individuals. It has been observed that:

"The error rates imply also that the system will allow impostors. This is equally important
because the security of biometric systems should be questioned in case of high false accept rates.
This element should be given sufficient weight in the decision to implement a biometric system
for security purposes...

Other tests clearly indicated increased error rates for young persons, in case of aging, in
particular for face and for disabled persons. Individuals with health problems may also be falsely
rejected or no longer be recognized, although they were previously enrolled. In some cases,
(non-)enrolment will be a significant problem. It is clear that these data subjects need additional
protection." Ibid, at page 363

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.634

The book underlines the risk inherent in the limited accuracy of biometrics. Ibid

709. A recently published book titled "Automating Inequality: How High-Tech Tools Profile,
Police, and Punish the Poor" Virginia Eubanks, Automating Inequality: How High-Tech Tools
Profile, Police, and Punish the Poor, St. Martin's Press (2018), authored by Virginia Eubanks,
deals with the impact of data mining, policy algorithms, and predictive risk models on economic
inequality and democracy in America. Eubanks outlines the impacts of automated decision-
making on public services in the USA through three case studies relating to welfare provision,
homelessness and child protection services. Eubanks looks at these three areas in three different
parts of the United States: Indiana, Los Angeles and Pittsburgh, to examine what technological
automation has done in determining benefits and the problems it causes. The author records that
in Indiana, one million applications for health care, food stamps, and cash benefits in three years
were denied, because a new authentication system interpreted any application mistake as "failure
to cooperate". In Los Angeles, an algorithm calculates the comparative vulnerability of

LA
thousands of homeless people so as to prioritize them for an inadequate pool of housing
resources. In Pittsburgh, child services use an algorithm to predict future behaviour. Statistics are

IM
used to predict which children might be future victims of abuse or neglect. Eubanks shows how
algorithms have taken over for human interaction and understanding. She has argued that
automated decision-making is much wider in reach and is likely to have repercussions unknown
SH
to non-digital mechanisms, such as nineteenth-century poorhouses in America. Poorhouses were
tax-supported residential institutions to which people were required to go if they could not
support themselves. Tommy L. Gardner, Spending Your Way to the Poorhouse, Authorhouse
(2004), at page 221 People who could not support themselves (and their families) were put up for
LU

bid at public auction. The person who got the contract (which was for a specific time-frame) got
the use of the labour of the poor individual(s) for free in return for feeding, clothing, housing and
PN

providing health care for the individual and his/her family. The practice was a form of indentured
servitude and hardly had any recourse for protection against abuse. Eubanks considers the
technology based decision-making for poverty management as the extension of the poorhouses
of the 19th century:
H

"America's poor and working-class people have long been subject to invasive surveillance,
midnight raids, and punitive public policy that increase the stigma and hardship of poverty.
During the nineteenth century, they were quarantined in county poorhouses. During the twentieth
century, they were investigated by caseworkers, treated like criminals on trial. Today, we have
forged what I call a digital poorhouse from databases, algorithms, and risk models. It promises to
eclipse the reach and repercussions of everything that came before.

Like earlier technological innovations in poverty management, digital tracking and automated
decision-making hide poverty from the professional middle-class public and give the nation the
ethical distance it needs to make inhuman choices: who gets food and who starves, who has
housing and who remains homeless, and which families are broken by the state. The digital
poorhouse is a part of a long American tradition. We manage the individual poor in order to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.635

escape our shared responsibility for eradicating poverty." Virginia Eubanks, Automating
Inequality: How High-Tech Tools Profile, Police, and Punish the Poor, St. Martin's Press (2018),
at pages 12-13

The author further remarks:

"While poorhouses have been physically demolished, their legacy remains alive and well in the
automated decision-making systems that encage and entrap today's poor. For all their high-tech
polish, our modern systems of poverty management - automated decision-making, data mining,
and predictive analysis - retain a remarkable kinship with the poorhouses of the past. Our new
digital tools spring from punitive, moralistic views of poverty and create a system of high-tech
containment and investigation. The digital poorhouse deters the poor from accessing public
resources; polices their labor, spending, sexuality, and parenting; tries to predict their future
behavior; and punishes and criminalizes those who do not comply with its dictates. In the

LA
process, it creates ever-finer moral distinctions between the 'deserving' and 'undeserving' poor,
categorizations that rationalize our national failure to care for one another." Ibid, at page 16
(Emphasis supplied)

IM
Eubanks builds the argument that automated decision-making technology does not act as a
facilitator for welfare schemes for the poor and only acts as a gatekeeper:
SH
"New high-tech tools allow for more precise measuring and tracking, better sharing of
information, and increased visibility of targeted populations. In a system dedicated to supporting
poor and working-class people's self-determination, such diligence would guarantee that they
LU

attain all the benefits they are entitled to by law. In that context, integrated data and modernized
administration would not necessarily result in bad outcomes for poor communities. But
automated decision-making in our current welfare system acts a lot like older, atavistic forms of
PN

punishment and containment. It filters and diverts. It is a gatekeeper, not a facilitator." Ibid, at
pages 81-82
H

The crux of the book is reflected in the following extract:

"We all live in the digital poorhouse. We have always lived in the world we built for the poor.
We create a society that has no use for the disabled or the elderly, and then are cast aside when
we are hurt or grow old. We measure human worth based only on the ability to earn a wage, and
suffer in a world that undervalues care and community. We base our economy on exploiting the
labor of racial and ethnic minorities, and watch lasting inequities snuff out human potential. We
see the world as inevitably riven by bloody competition and are left unable to recognize the
many ways we cooperate and lift each other up.

But only the poor lived in the common dorms of the county poorhouse. Only the poor were put
under the diagnostic microscope of scientific clarity. Today, we all live among the digital traps
we have laid for the destitute." Ibid, at page 188 (Emphasis supplied)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.636

Automating Inequality demonstrates the problems with authentication and algorithmic
technology and indicates that the system, which was intended to provide assistance for the short
term and help people out of poverty, has become a system to perpetuate poverty and injustice.

710. Errors in biometrics matching imply that an individual will not be considered a part of the
biometrics database. If a benefit or service is subject to the matching of biometrics, then any
mismatch would result in a denial of that benefit or service. Exclusion based on technological
errors, with no fault of the individual, is a violation of dignity. The fate of individuals cannot be
left to the vulnerabilities of technological algorithms or devices. 'To live is to live with dignity'.
Puttaswamy, at para 119 Arbitrary exclusion from entitled benefits or subsidies is a violation of
dignity. If any such project has to survive, then it has to be ensured that individual dignity is
protected. These concerns have to be addressed.

As mentioned earlier, concerns regarding the application of biometrics in the Aadhaar project

LA
were discussed in 2009 by the Biometrics Standards Committee of UIDAI UIDAI Committee on
Biometrics, Biometrics Design Standards For UID Applications, at page 4, which was of the
view that the large magnitude of the Aadhaar project raised uncertainty about the accuracy of

IM
biometrics. Ibid The Strategy Overview UIDAI, UIDAI Strategy Overview, (2010), available at
http://www.prsindia.org/uploads/media/UID/UIDAI%20STRATEGY%20OVERVIEW.pdf
SH
published by UIDAI, in 2010, had discussed the risks associated with biometrics perceived by
UIDAI itself. Under the heading of 'Project Risk', the overview stated the UID project does face
certain risks in its implementation, which have to be addressed through its architecture and in the
design of its incentives. It stated:
LU

"(1) Adoption Risks: There will have to be sufficient, early demand from residents for the UID
number. Without critical mass among key demographic groups (the rural and the poor) the
PN

number will not be successful in the long term. To ensure this, the UIDAI will have to model de-
duplication and authentication to be both effective and viable for participating agencies and
service providers...
H

(3) Enrolment Risks: The project will have to be carefully designed to address risks of low
enrolment - such as creating sufficient touch points in rural areas, enabling and motivating
Registrars, ensuring that documentary requirements don't derail enrolment in disadvantaged
communities - as well as managing difficulties in address verification, name standards, lack of
information on date of birth, and hard to record fingerprints.

(4) Risks of Scale: The project will have to handle records that approach one billion in number.
This creates significant risks in biometric de-duplication as well as in administration, storage,
and continued expansion of infrastructure.

(5) Technology risks: Technology is a key part of the UID program, and this is the first time in
the world that storage, authentication and de-duplication of biometrics are being attempted on
this scale. The authority will have to address the risks carefully - by choosing the right

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.637

technology in the architecture, biometrics, and data management tools; managing obsolescence
and data quality; designing the transaction services model and innovating towards the best
possible result.

(6) Privacy and security risks: The UIDAI will have to ensure that resident data is not shared or
compromised." Ibid, at page 38 (Emphasis supplied)

Technological error would result in authentication failures. The concerns raised by UIDAI ought
to have been resolved before the implementation of the Aadhaar project. Poor connectivity in
rural India was a major concern. The majority of the Indian population lives in rural areas. Even
a small percentage of error results in a population of crores being affected. Denial of subsidies
and benefits to them due to the infirmities of biometric technology is a threat to good governance
and social parity.

LA
711. The issue of exclusion needs to be considered at three different levels:

(i) before the implementation of the Aadhaar Act, when biometrics were being used since 2009;

IM
(ii) under the provisions of the Act; and (iii) at the practical level during the implementation of
the Aadhaar programme.
SH
Before the enactment of the Aadhaar Act in 2016, the Standing Committee on Finance, which
examined the NIA Bill, was concerned about the impact of Aadhaar on marginalized sections of
society. Since the availing of subsidies and benefits was to depend upon Aadhaar based
authentication, any error in the authentication would result in a denial of the benefits of social
LU

security schemes for the marginalized. In 2011, the report of the Standing Committee noted,
thus:
PN

"The full or near full coverage of marginalized sections for issuing Aadhaar numbers could not
be achieved mainly owing to two reasons viz. (i) the UIDAI doesn't have the statistical data
relating to them; and (ii) estimated failure of biometrics is expected to be as high as 15% due to a
H

large chunk of population being dependent on manual labour." Forty-Second Report of the
Standing Committee on Finance (2011), available at
http://www.prsindia.org/uploads/media/UID/uid%20report.pdf, at page 30 (Emphasis supplied)

The Economic Survey 2016-17 has adverted to authentication failures while discussing the
concept of Universal Basic Income (UBI). The Survey, which is an official document of the
Union government, states that UBI is premised on the idea that a just society needs to guarantee
to each individual a minimum income which they can count on, and which provides the
necessary material foundation for a life with access to basic goods and a life of dignity.
Government of India, Economic Survey 2016-17, available at
https://www.thehinducentre.com/multimedia/archive/03193/Economic_Survey_20_3193543a.pd
f, at page 173 UBI was to be implemented by providing cash transfers (for availing benefits of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.638

social security schemes) to the bank accounts of beneficiaries. The implementation of UBI was
to be undertaken through what is described as the JAM trinity:

Jan-Dhan Bank Accounts, Aadhaar data and Mobile phones. However, the Survey noted that
while Aadhaar is designed to solve the identification problem, it cannot solve the "targeting
problem" on its own. The Survey emphasized the need to build state capacity and that "the state
will still have to enhance its capacities to provide a whole range of public goods".Ibid, at page
174 The Survey has recorded the statistics of authentication failures of Aadhaar in several
regions of the country:

"While Aadhaar coverage speed has been exemplary, with over a billion Aadhaar cards being
distributed, some states report authentication failures: estimates include 49 percent failure rates
for Jharkhand, 6 percent for Gujarat, 5 percent for Krishna District in Andhra Pradesh and 37
percent for Rajasthan. Failure to identify genuine beneficiaries results in exclusion errors." Ibid,

LA
at page 194

No failure rate in the provision of social welfare benefits can be regarded as acceptable. Basic

IM
entitlements in matters such as foodgrain, can brook no error. To deny food is to lead a family to
destitution, malnutrition and even death.
SH
712. A recent Office Memorandum dated 19 December 2017 issued by the Cabinet Secretariat of
the Union government Office Memorandum dated 19 December 2017, available at
https://dbtbharat.gov.in/data/om/Office%20Memorandum_Aadhaar.pdf acknowledges that the
Aadhaar enrolment process has not been completed and that infrastructure constraints are
LU

capable of posing difficulties in online authentication. The Memorandum provides that those
beneficiaries who do not possess Aadhaar, shall be provided a subsidy, benefit or service based
on alternate identification documents as contemplated by Section 7 of the Aadhaar Act. It also
PN

requires efforts to be made to ensure that all beneficiaries are facilitated to get enrolment under
the Aadhaar programme. The Memorandum creates a mechanism for availing subsidies, benefits
or services in cases where Aadhaar authentication fails:
H

(i) Departments and Bank Branches may make provisions for IRIS scanners along with
fingerprint scanners wherever feasible;

(ii) In cases of failure due to lack of connectivity, offline authentication systems such as QR code
based coupons, Mobile based OTP or TOTP may be explored; and

(iii) In all cases where online authentication is not feasible, the benefit/service may be provided
on the basis of possession of Aadhaar, after duly recording the transaction in a register, to be
reviewed and audited periodically.

The figures from the Economic Survey of India indicate that there are millions of eligible
beneficiaries across India who have suffered financial exclusion. The Cabinet Secretariat has

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.639

pro-actively acknowledged the need to address matters of exclusion by implementing alternate
modalities, apart from those set out in Section 7. Options (i) and (ii) above were to be
implemented in future. This exercise should have been undertaken by the government in
advance. Problems have to be anticipated when a project is on the drawing board, not after
severe deprivations have been caused by the denial of social welfare benefits.

713. Exclusion of citizens from availing benefits of social security schemes because of failures
or errors in Aadhaar based biometric authentication has also been documented in research studies
and academic writings published by members of civil society, including Reetika Khera and Jean
Dreze. Similar testimonies have been recorded in affidavits submitted before this Court by civil
society activists. Hearing the voices of civil society must be an integral part of the structural
design of a project, such as Aadhaar. In the absence of a credible mechanism to receive and
respond to feed-back, the state has to depend on its own personnel who may not always provide
reliable and candid assessments of performance and failure.

LA
714. ABBA (Aadhaar based biometric authentication) refers to the practice of installing a Point
of Sale (PoS) machine equipped with a fingerprint reader and authenticating a person each time

IM
she accesses her entitlements. Reetika Khera, Impact of Aadhaar on Welfare Programmes,
Economic & Political Weekly, Vol. 52 (16 December 2017), available at
SH
https://www.epw.in/journal/2017/50/special-articles/impact-aadhaar-welfare-programmes.html
Dreze has stated that for successful authentication in PDS outlets, several technologies need to
work simultaneously. Jean Dreze, Dark clouds over the PDS, The Hindu (10 September 2016),
available at https://www.thehindu.com/opinion/lead/Dark-clouds-over-the-
LU

PDS/article14631030.ece These are Anmol Somanchi, Srujana Bej, and Mrityunjay Pandey,
Well Done ABBA? Aadhaar and the Public Distribution System in Hyderabad, Economic &
Political Weekly (18 February 2017), Vol. 52, available at
PN

https://www.epw.in/journal/2017/7/web-exclusives/well-done-abba.html:

(a) Seeding of Aadhaar numbers: An eligible individual can become a beneficiary and access the
H

PDS system only if her Aadhaar number is correctly seeded onto the PDS database and added to
the household ration card;

(b) Point of Sale (PoS) machines: The process at the PDS outlet is dependent on the PoS
machine. If it malfunctions, no transaction can be made. The first step in the process requires the
dealer to enter the ration card number of the beneficiary's household onto the PoS machine;

(c) Internet connection: Successful working of the PoS machine depends on internet connectivity
as verification of the ration card number and the beneficiary's biometric fingerprint is carried out
over the internet;

(d) Remote Aadhaar servers: Remote Aadhaar servers verify the ration card number and initiate
fingerprint authentication; and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.640

(e) Fingerprint recognition software: The beneficiary proves her identity by submitting to
fingerprint recognition in the PoS machine. Upon verification, the PoS machine indicates that the
beneficiary is genuine and that foodgrains can be distributed to her household.

The above procedure requires that at the time of purchase of PDS grains each month, any one
person listed on the ration card needs to authenticate themselves. Similarly, for pensions, elderly
persons must go to the point of delivery to authenticate themselves. Reetika Khera has observed
that since ABBA on PoS machines is currently a monthly activity, so each of its associated
technologies (correct Aadhaar-seeding, mobile connectivity, electricity, functional PoS machines
and UIDAI servers and fingerprint recognition) needs to work for a person to get their
entitlement. Reetika Khera, Impact of Aadhaar on Welfare Programmes, Economic & Political
Weekly, Vol. 52 (16 December 2017), available at https://www.epw.in/journal/2017/50/special-
articles/impact-aadhaar-welfare-programmes.html Dreze has referred to the above procedure as
"a wholly inappropriate technology for rural India" Jean Dreze, Dark clouds over the PDS, The

LA
Hindu (10 September 2016), available at https://www.thehindu.com/opinion/lead/Dark-clouds-
over-the-PDS/article14631030.ece. Network failures and other glitches routinely disable this sort

IM
of technology. Dreze has further observed that in villages with poor connectivity, it is a "recipe
for chaos". Ibid
SH
715. A government-commissioned sample study Society for Social Audit, Accountability and
Transparency, FP Shops Left Over Beneficiaries Report, available at
http://www.socialaudit.ap.gov.in/SocialAudit/LoadDocument?docName=Fair%20Price%20Wor
k%20%20Shops%20(Ration%20Card%20Holders)%20-
LU

%20Beneficiaries%20Report.pdf&type=application. See also Aadhaar-based projects failing the

poor, says Andhra govt study, Hindustan Times (7 October 2015), available at
https://www.hindustantimes.com/india/aadhaar-based-projects-failing-the-poor-says-andhra-
PN

govt-study/story-7MFBCeJcfl85Lc5zztON6L.html in Andhra Pradesh to ascertain the efficiency

of Aadhaar-based social programmes in the case of subsidised grains indicated that technical
deficiencies are depriving the poor of their access to food. The study was commissioned by the
H

state government after it was found that 22% of the PDS beneficiaries did not take the ration in
the month of May 2015. The sample study, which covered five PDS outlets in three districts,
found that half of the beneficiaries of PDS in the surveyed areas could not access their ration
quota due to glitches, lack of training and mismatches linked to Aadhaar. In the survey, a
majority of beneficiaries reported fingerprint mismatches and the inability of fair-price shop
owners to operate point-of-sale (POS) devices correctly as major hurdles. Aadhaar numbers did
not match with ration card numbers in many cases.

Another survey Anmol Somanchi, Srujana Bej, and Mrityunjay Pandey, Well Done ABBA?
Aadhaar and the Public Distribution System in Hyderabad, Economic & Political Weekly, Vol.
52 (18 February 2017), available at https://www.epw.in/journal/2017/7/web-exclusives/well-
done-abba.html of 80 households conducted in Hyderabad finds that despite the introduction of
technology-intensive authentication and payment systems, a significant number of those

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.641

vulnerable and dependent on Public Distribution System (PDS) for food grains are failing to
realise their right to food. The survey revealed that among 80 surveyed households, 89%
reported receiving full entitlements at correct prices even before the introduction of Aadhaar-
based biometric authentication (ABBA). In contrast, 10% of households were excluded due to
authentication failures due to reported errors with one or more of its five technological
components.

716. An article titled "Aadhaar and Food Security in Jharkhand: Pain without Gain?" Jean Dreze,
Nazar Khalid, Reetika Khera, and Anmol Somanchi, Aadhaar and Food Security in Jharkhand:
Pain without Gain?, Economic & Political Weekly, Vol. 52 (16 December 2017)., based on a
household survey in rural Jharkhand, examines various issues related to compulsory ABBA for
availing PDS benefits. The article notes the impact of PDS on the lives of the rural poor, who
visit the ration shop every month. In "their fragile and uncertain lives", the PDS provides a
"modicum of food and economic security". The article notes that in ABBA, the failure of

LA
authentication results in denial of food from ration shops. The household is unable to get food
rations for no fault of its own. The article comes to the conclusion that the imposition of ABBA

IM
on the PDS in Jharkhand is a case of "pain without gain", as it has led to serious problems of
exclusion (particularly for vulnerable groups such as widows, the elderly and manual workers).
The article further notes that ABBA has neither failed to reduce quantity fraud (which is the
SH
main form of PDS corruption in Jharkhand), nor has it helped to address other critical
shortcomings of the PDS in Jharkhand, such as the problem of missing names in ration cards, the
identification of Antyodaya (poorest of the poor) households, or the arbitrary power of private
dealers. The article identifies poor internet connectivity as one of the reasons for authentication
LU

failures and eventual exclusion:

"Sporadic internet connectivity is another major hurdle. Sometimes, light rain is enough to
PN

disrupt connectivity or the electricity supply. Every step in the ABBA process-ration card
verification, biometric authentication, electronic upload of transactions, updating NFSA
[National Food Security Act] lists and entitlements on the PoS Ibid, at page 51. The article states:
H

"[PoS] is a handheld device installed at every PDS outlet ("ration shop") and connected to the
Internet. The list of ration cards attached to that outlet, and their respective entitlements, are
stored in the PoS machine and updated every month. When a cardholder turns ups, the PoS
machine first "authenticates" her by matching her fingerprints with the biometric data stored
against her Aadhaar number in the Central Identities Data Repository (CIDR). The machine then
generates a receipt with the person's entitlements, which are also audible from a recorded
message... The transaction details are also supposed to be entered by the dealer in the person's
ration card." [Point of Sale] machine-depends on internet connectivity. Further, even with stable
connectivity, biometric authentication is not always easy. Biometric failures are especially
common for two groups: the elderly, and manual labourers. Both are particularly vulnerable to
food insecurity." Ibid, at page 55

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.642

The article regards the denial of basic services to the poor due to failure of ABBA as a form of
grave injustice:

"Imposing a technology that does not work on people who depend on it for their survival is a
grave injustice." Ibid, at page 58 (Emphasis supplied)

As we have noted in an earlier part of this judgment, even the Economic Survey of India 2016-17
found a 49% failure rate for beneficiaries in Jharkhand and 37% in Rajasthan. Those at the
receiving end are the poorest of the poor.

Reetika Khera looks at the impact of Aadhaar-integration with security schemes (primarily in
MGNREGA, PDS and social security pensions). Reetika Khera, Impact of Aadhaar on Welfare
Programmes, Economic & Political Weekly, Vol. 52 (16 December 2017), available at
https://www.epw.in/journal/2017/50/special-articles/impact-aadhaar-welfare-programmes.html

LA
The author also discusses briefly the impact of Aadhaar on liquefied petroleum gas (LPG)
subsidy and the application of Aadhaar in the mid-day meal (MDM) scheme. In coming to its
conclusions, the article has relied upon quantitative data from primary field studies, secondary

IM
data from government portals, figures obtained through queries made under the Right to
Information (RTI) Act, and responses to questions in Parliament. In Khera's words, Aadhaar is
becoming a "tool of exclusion":
SH
"Savings or exclusion? The government claimed that Aadhaar integration saved 399 crore up to
31 December 2016 (GoI 2017c). At a given level of benefits, a reduction in government
expenditure in any particular transfer scheme can be on two counts: removal of ghosts and
LU

duplicates ("efficiency"); and a fall in the number of genuine beneficiaries ("shrinkage"), for
instance, if they do not link their Aadhaar numbers when required. Across welfare schemes, the
government has been treating any reduction in expenditure as "savings," even when it comes
PN

from shrinkage. This is true for SSP [social security pension] as well. For instance, in Rajasthan,
pensioners were "mistakenly" recorded as dead and this was presented as Aadhaar-enabled
savings (Yadav 2016f). In Jharkhand too, pensioners' names have been deleted because they did
H

not complete Aadhaar-seeding formalities or pensions stopped due to seeding errors (Sen 2017a).
Studying 100 pensioners, selected from 10 randomly-selected villages from five blocks of
Ranchi district in February 2017, Biswas (2017) finds that 84% of her respondents receive
pensions but irregularity in payments was a big issue. The remaining 16% were not receiving it
due to Aadhaar-related issues." Ibid, at page 66

Puja Awasthi documents the plight of individuals suffering from leprosy, who have been denied
pensions due to not being able to get enrolled into the Aadhaar system. Leprosy can damage
fingerprints and thus make an individual incapable of providing biometrics. Awasthi's article
Puja Awasthi, Good enough to vote, not enough for Aadhaar, People's Archive of Rural India,
available at https://ruralindiaonline.org/articles/good-enough-to-vote-not-enough-for-aadhaar

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.643

notes that Aadhaar is capable of causing a denial of benefits or services to 86,000 citizens, who
suffer from leprosy.

These writings show how in most cases, an authentication failure means that the
individual/household was denied the benefit of a social security programme for no fault of their
own. Some have gone hungry. Some reportedly lost their lives. Yet another Aadhaar-linked
death? Denied rations for 4 months, Jharkhand woman dies of hunger, Scroll (3 Feb. 2018),
available at: https://scroll.in/article/867352/yet-another-aadhaar-linked-death-jharkhand-woman-
dies-of-hunger-after-denial-of-rations; Denied food because she did not have Aadhaar-linked
ration card, Jharkhand girl dies of starvation, Scroll (16 Oct 2017), available at:
https://scroll.in/article/854225/denied-food-because-she-did-not-have-aadhaar-linked-ration-
card-jharkhand-girl-dies-of-starvation

717. A person's biometrics change over time. For persons, who are engaged in manual labour,

LA
and persons who are disabled or aged, fingerprints actually cannot be captured by biometric
devices. The material which has been relied upon in this segment originates from government's
official documents as well as from distinguished academics and researchers from civil society.

IM
There exist serious issues of financial exclusion. Pensions for the aged particularly in cases
where a pension is earned for past service - are not charity or doles. They constitute legal
SH
entitlements. For an old age pensioner, vicissitudes of time and age obliterate fingerprints. Hard
manual labour severely impacts upon fingerprints. The elderly, the disabled and the young are
the most vulnerable and a denial of social welfare entitlements verily results in a deprivation of
the right to life. Should the scholarship of a girl child or a mid-day meal for the young be made
LU

to depend on the uncertainties of biometric matches? Our quest for technology should not be
oblivious to the country's real problems: social exclusion, impoverishment and marginalisation.
The Aadhaar project suffers from crucial design flaws which impact upon its structural probity.
PN

Structural design in delivering welfare entitlements must be compliant with structural due
process, to be in accord with Articles 14 and 21. The Aadhaar project has failed to account for
and remedy the flaws in its framework and design which lead to serious issues of exclusion.
H

Dignity and rights of individuals cannot be based on algorithms or probabilities. Constitutional

guarantees cannot be subject to the vicissitudes of technology.

718. Structural due process imposes requirements on public institutions and projects at the macro
level. Structural due process requires that the delivery of social welfare benefits must be
effective and timely. Those who are eligible for the benefits must not face exclusion. Procedures
for the disbursal of benefits must not be oppressive. They must be capable of compliance both by
those who disburse and by those who receive the benefits. Deployment of technology must factor
in the available of technological resources in every part of the coverage area and the prevailing
levels of literacy and awareness. Above all, the design of the project will be compliant with
structural due process only if it is responsive to deficiencies, accountable to the beneficiaries and
places the burden of ensuring that the benefits reach the marginalised on the state and its
agencies.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.644

753. The Respondents submit that the collection of biometrics prior to the Aadhaar Act was
adequately safeguarded by the provisions of the Information Technology Act 2000; specifically
those provisions, which were inserted or amended by the Information Technology (Amendment)
Act, 2008.

Section 43A of the Act provides for compensation for failure to protect data:

"Where a body corporate, possessing, dealing or handling any sensitive personal data or
information in a computer resource which it owns, controls or operates, is negligent in
implementing and maintaining reasonable security practices and procedures and thereby causes
wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages
by way of compensation to the person so affected.

Explanation: For the purposes of this section,-

LA
(i) "body corporate" means any company and includes a firm, sole proprietorship or other
association of individuals engaged in commercial or professional activities;

IM
(ii) "reasonable security practices and procedures" means security practices and procedures
designed to protect such information from unauthorised access, damage, use, modification,
SH
disclosure or impairment, as may be specified in an agreement between the parties or as may be
specified in any law for the time being in force and in the absence of such agreement or any law,
such reasonable security practices and procedures, as may be prescribed by the Central
Government in consultation with such professional bodies or associations as it may deem fit.
LU

(iii) "sensitive personal data or information" means such personal information as may be
prescribed by the Central Government in consultation with such professional bodies or
PN

associations as it may deem fit."

(Emphasis supplied)
H

754. Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and
Sensitive Personal Data or Information) Rules, 2011 made by the Central government under
Section 43A, defines "sensitive personal data or information":

"Sensitive personal data or information of a person means such personal information which
consists of information relating to;-

(i) password;

(ii) financial information such as Bank account or credit card or debit card or other payment
instrument details ;

(iii) physical, physiological and mental health condition;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.645

(iv) sexual orientation;

(v) medical records and history;

(vi) Biometric information;

(vii) any detail relating to the above clauses as provided to body corporate for providing service;
and

(viii) any of the information received under above clauses by body corporate for processing,
stored or processed under lawful contract or otherwise.

Provided that, any information that is freely available or accessible in public domain or furnished
under the Right to Information Act, 2005 or any other law for the time being in force shall not be
regarded as sensitive personal data or information for the purposes of these rules."

LA
Section 66C provides a punishment for identity theft:

"66C. Punishment for identity theft.-

IM
Whoever, fraudulently Section 25, Indian Penal Code states: ""Fraudulently".-A person is said to
SH
do a thing fraudulently if he does that thing with intent to defraud but not otherwise" or
dishonestly Section 24, Indian Penal Code states: ""Dishonestly"- Whoever does anything with
the intention of causing wrongful gain to one person or wrongful loss to another person, is said to
do that thing "dishonestly" make use of the electronic signature, password or any other unique
LU

identification feature of any other person, shall be punished with imprisonment of either
description for a term which may extend to three years and shall also be liable to fine which may
extend to rupees one lakh." (Emphasis supplied)
PN

Section 66E provides for punishment for the violation of the privacy of an individual:

"Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area
H

of any person without his or her consent, under circumstances violating the privacy of that
person, shall be punished with imprisonment which may extend to three years or with fine not
exceeding two lakh rupees, or with both."

The explanation to the Section provides that "transmit" means to electronically send a visual
image with the intent that it be viewed by a person or persons. "Capture", with respect to an
image, has been defined to mean videotaping, photographing, filming or recording by any
means. "Private area" means the "naked or undergarment clad genitals, pubic area, buttocks or
female breast." "Publishes" has been defined as reproduction in the printed or electronic form
and making it available for public.

Section 72A provides for punishment for disclosure of information in breach of a lawful
contract:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.646

"Save as otherwise provided in this Act or any other law for the time being in force, any person
including an intermediary who, while providing services under the terms of lawful contract, has
secured access to any material containing personal information about another person, with the
intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses,
without the consent of the person concerned, or in breach of a lawful contract, such material to
any other person shall be punished with imprisonment for a term which may extend to three
years, or with a fine which may extend to five lakh rupees, or with both." (Emphasis supplied)

Section 43A applies only to bodies corporate and has no application to government or to its
departments. Explanation (i) defines body corporate to mean any company and to include a firm,
sole proprietorship or other association of individuals engaged in professional or commercial
activities. Personal information leaked or lost by government agencies will not be covered under
Section 43A. The scope of Section 66E is limited. It only deals with the privacy of the "private
area" of any person. It does not deal with informational privacy. The scope of Section 72A is

LA
also limited. It only penalises acts of disclosing personal information about a person obtained
while providing services under a lawful contract. Section 66C deals with identity theft and

IM
punishes the dishonest or fraudulent use of the unique identification feature of a person. The
Information Technology Act also does not penalise unauthorised access to the Central Identities
Data Repository. Many of the safeguards which were introduced by the Aadhaar Act were not
SH
comprehended in the provisions of the Information Technology Act. Indeed, it was the absence
of those safeguards in the Information Technology Act which required their introduction in the
Aadhaar Act. Hence, the Attorney General is not correct in submitting that India operated under
a regime of comprehensive safeguards governing biometric data during the period when the
LU

Aadhaar project was governed by an executive notification, in the absence of a legislative

framework. The absence of a legislative framework rendered the collection of biometric data
PN

vulnerable to serious violations of privacy. There are two distinct facets here. First, the absence
of a legislative framework for the Aadhaar project between 2009 and 2016 left the biometric data
of millions of Indian citizens bereft of the kind of protection which a law, as envisaged in
Puttaswamy, must provide to comprehensively protect and enforce the right to privacy. Second,
H

the notification of 2009 does not authorise the collection of biometric data. Consequently, the
validation of actions taken under the 2009 notification by Section 59 does not save the collection
of biometric data prior to the enforcement of the Act. Privacy is of paramount importance. No
invasion of privacy can be allowed without proper, adequate and stringent safeguards providing
not only penalties for misuse or loss of one's personal information, but also for protection of that
person.

755. The Respondents have relied upon several judgments where this Court has upheld
validating statutes, which, they contend, are similar to Section 59. The first decision which needs
to be discussed is the judgment of the Constitution Bench in West Ramnad, which dealt with a
validating statute of the Madras Legislature. Act 43 of 1949 of the Madras Legislature which
sought to acquire electricity undertakings in the state was struck down for want of legislative

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.647

competence. In the meantime, the Constitution came into force, and under the Seventh Schedule,
the State acquired legislative competence. A fresh law was enacted in 1954. Section 24 sought to
validate actions done and taken under the 1949 Act. Section 24 provided thus:

"Orders made, decisions or directions given, notifications issued, proceedings taken and acts or
things done, in relation to any undertaking taken over, if they would have been validly made,
given, issued, taken or done, had the Madras Electricity Supply Undertakings (Acquisition) Act
1949 (Madras Act 43 of 1949), and the rules made thereunder been in force on the date on which
the said orders, decisions or directions, notifications, proceeding, acts or things were made,
given, issued, taken or done are hereby declared to have been validly made, given, issued, taken
or done, as the case may be, except to the extent to which the said orders, decisions, directions,
notifications, proceedings, acts or things are repugnant to the provisions of this Act." (Emphasis
supplied)

LA
Section 24 was held to be a provision, which saved and validated actions validly taken under the
provisions of the earlier Act, which was invalid from the inception. Justice Gajendragadkar,
speaking for the Court, interpreted Section 24 thus:

IM
"12. The first part of the section deals, inter alia, with notifications which have been validly
issued under the relevant provisions of the earlier Act and it means that if the earlier Act had
SH
been valid at the relevant time, it ought to appear that the notifications in question could have
been and had in fact been made properly under the said Act. In other words, before any
notification can claim the benefit of Section 24, it must be shown that it was issued properly
LU

under the relevant provisions of the earlier Act, assuming that the said provisions were
themselves valid and in force at that time. The second part of the section provides that the
notifications covered by the first part are declared by this Act to have been validly issued; the
PN

expression "hereby declared" clearly means "declared by this Act" and that shows that the
notifications covered by the first part would be treated as issued under the relevant provisions of
the Act and would be treated as validly issued under the said provisions. The third part of the
H

section provides that the statutory declaration about the validity of the issue of the notification
would be subject to this exception that the said notification should not be inconsistent with or
repugnant to the provisions of the Act. In other words, the effect of this section is that if a
notification had been issued properly under the provisions of the earlier Act and its validity could
not have been impeached if the said provisions were themselves valid, it would be deemed to
have been validly issued under the provisions of the Act, provided, of course, it is not
inconsistent with the other provisions of the Act. The section is not very happily worded, but on
its fair and reasonable construction, there can be no doubt about its meaning or effect."
(Emphasis supplied)

868. Shri Dwivedi submits that security and data privacy is ensured in the following manner:-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.648

(i) The data sent to ABIS is completely anonymised. The ABIS systems do not have access to
resident's demographic information as they are only sent biometric information of a resident with
a reference number and asked to de-duplicate. The de-duplication result with the reference
number is mapped back to the correct enrolment number by the Authorities own enrolment
server.

(ii) The ABIS providers only provide their software and services. The data is stored in UIDAI
storage and it never leaves the secure premises.

(iii) The ABIS providers do not store the biometric images (source). They only store template for
the purposes of de-duplication (with reference number).

(iv) The encrypted enrolment packet sent by the enrolment client software to the CIDR is
decrypted by the enrolment server but the decrypted packet is never stored.

LA
(v) The original biometric images of fingerprints, iris and face are archived and stored offline.
Hence, they cannot be accessed through an online network.

IM
(vi) The biometric system provides high accuracy of over 99.86%. The mixed biometric have
been adopted only to enhance the accuracy and to reduce the errors which may arise on account
SH
of some residents either not having biometrics or not having some particular biometric.

869. Biometrics are being used for unique identification in e-passports by 120 countries. Out of
these many countries use fingerprints and/or iris scans. Additionally 19 European Countries have
LU

smart National Identity cards having chips containing biometric information. A number of
African and Asian countries are also using biometrics for identification. The ECHR and ECJ
have not declared the use of biometrics or the collection and storage of data for the said purpose
PN

to be violative of Human Rights. It has infact been upheld in the context of passports, by the
ECJ.

870. On the submissions that de-duplication/authentication software has been received from
H

three foreign suppliers and since the source code of the algorithm is with the foreign suppliers,
therefore, they can easily obtain the data in the CIDR merely by manipulation of the algorithm,
Shri Dwivedi submits that foreign biometric solution providers only provide the software, the
server and hardware belongs to UIDAI. So far the software is concerned UIDAI uses the
software as licensee. There is no free access to the server room which is wholly secured by
security guards. The enrolment data packet, after being received in the data center, is decrypted
for a short duration to enable extraction of minutiae and preparation of templates. Once the
template is prepared the entire biometric data is stored offline under the complete control of the
UIDAI officials.

871. It is correct that the source code for the algorithms provided are retained by the BSPs which
constitutes the intellectual property right of the BSP, however, it does not introduce any

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.649

insecurity of data in the CIDR as the softwares operate automatically in the servers located in the
server rooms and also because the software functions only on the basis of the templates whilst
the biometric data is stored offline.

876. By virtue of Section 56 and 61 of the Aadhaar Act, 2016, the provisions of IT Act, 2000 are
applicable except where it is inconsistent with Aadhaar Act. The regular regime under the IT Act
with all its provisions for punishment and penalty are attracted since the biometric information is
an electronic record and the data is sensitive personal data or information as defined in the IT
Act, 2000. On submission of the petitioner that there is no mechanism for raising any grievance,
Shri Dwivedi submits that UIDAI has set up grievance redressal cell as contemplated under
Section 23(1)(s) of the Act. Any ANH can make a complaint for redressal of grievance.

877. The petitioner's submission that Aadhaar Act enables the State to put the entire population
of the country in an electronic leash and to track them all the time and it has converted itself as

LA
the State into a totalitarian State, it is submitted that none of the four clauses of Regulation 26
entitle the authority to store data about the purpose for which authentication is being done.
Section 32(3) of the Aadhaar Act specifically prohibits the authority from collecting, storing or

IM
maintaining, whether directly or indirectly any information about the purpose of authentication .
The proviso to Regulation 26 is also to the same effect. Here, "the purpose of authentication"
SH
means the nature of activity being conducted by ANH in relation to which the authentication is
required and is being done.

878. It is submitted that the devices which are used for the purpose of authentication are not
LU

geared or designed to record the nature of the activity being done by the ANH which necessitates
authentication. The device can only tell the authority about the time of authentication, the
identity of the RE, the PID, the time and nature of response, the code of the device and the
PN

authentication server side configurations. Hence, with the aid of authentication record it is not
possible for the UIDAI to track the nature of activity being engaged into by the ANH. In fact, in
overwhelming majority of cases the authentication record would not enable the authority to
H

know even the place/location where the activity is performed by the ANH. The reason is that
there are about 350 number of REs. The REs alone can authenticate with the help of CIDR and
this is done by them through the ASA. In a large number of cases, the organizations requiring
authentication would be doing so through some RE with whom they have some agreements. To
illustrate nic.in is an RE which provides authentication service to large number of government
organizations who have agreements with it. The authentication record would only contain
information about the identity about the RE. It will give information only about the RE(nic.in)
and not about the organization which is requiring authentication through the RE. In most cases
the authentication is one time.

879. It is submitted that biometrics is being increasingly resorted to for identification purposes
by many countries. At least 19 countries in Europe are using biometric smart cards where data is
stored in the chip. These smart cards are similar to the smart cards which were used under the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.650

2006 Act in U.K. The important difference lies in the extent of data of the individual which is
stored in the smart card. The European cards unlike the UK, do not store 50 categories of data
which was being stored in the UK card that came to be abolished in 2010 by the Repealing Act,
2010. In some European countries the smart cards are issued in a decentralized manner, as in
Germany. But in some other countries the smart cards are issued in a centralized manner. In
either case, the State is possessed of all the information which is stored in the chip of the smart
card, though it may not involve authentication. These smart cards are considered to be property
of the State and the State can require the production of the smart card for identification at any
time. Estonia is considered to be a pioneer and leader in the field of the use of biometrics and it
has a centralized data base.

880. It is submitted that the architecture of the Aadhaar Act does not lead to any real possibility,
proximate or remote of mass surveillance in real time by the State. This is not an Act for
empowering surveillance by the State. It merely empowers the State to ensure proper delivery of

LA
welfare measures mandated by Directive Principles of State Policy(Part IV of the Constitution)
which actually enliven the Fundamental Rights under Article 14, 19 and 21 of the Constitution

IM
for a vast majority of the poor and down trodden in the country and thereby to bring about their
comprehensive emancipation. It seeks to ensure, justice, social, economic and political for the
little Indians.
SH
881. Responding on the arguments raised by the petitioner on Section 47 of the Act, it is
submitted that Section 47 has rationale. The offences and penalties under Chapter VII are all
intended to maintain the purity and integrity of CIDR which has been established of the ANH.
LU

Secondly, the entire enrolment, storage in CIDR and authentication exercise is so vast and that
any breach can be handled with efficiency and effectively only by UIDAI. There are similar
enactments which contain similar provisions which have been upheld by this Court. An
PN

individual can make a complaint to UIDAI directly or through grievance redressal cell. The
authority would be obliged to examine the complaints and to lodge the complaint in the Court as
per Section 47. Additionally, the individual is generally likely to have a complaint of identity
H

theft, cheating or disclosure. In such a situation he can always invoke the provisions of Sections
66C, 66D and 72A of the IT Act, 2000. The said offences carry identical penalties.

932. The biometric information which are obtained for Aadhaar enrolment are photographs,
fingerprints and iris scan, which are least intrusion in physical autonomy of an individual. U.S.
Supreme Court in John Davis Vs. State of Mississippi, 394 US 721 (1969), indicated that
Fingerprinting involves none of the probing into an individual's private life and thoughts that
marks an interrogation or search. The physical process by which the fingerprints are taken does
not require information beyond the object and purpose. Therefore, it does not readily offend
those principles of dignity and privacy, which are fundamental to each legislation of due process.
One of the apprehension, which was expressed by petitioners that since as per definition of
biometric information contained in Section 2(g), further, biological attributes of an individual
may be specified by regulations, which may be more intrusive. Section 2(g) use the word "such

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.651

biological attributes". Thus, applying the principles of ejusdem generis, the biological attributes
can be added by the regulations, has to be akin to one those mentioned in Section 2(g), i.e.
photographs, fingerprints and iris scan. In event, such biological attributes is added by
regulations, it is always open to challenge by appropriate proceedings but the mere fact that by
regulations any such biometric attributes can be added, there is no reason to accept the
contention that biological attributes, which can be added may be disproportionate to the objective
of the Act. Biometric information, thus, which is to be obtained for enrolment are not
disproportionate nor the provisions of Aadhaar Act requiring demographic and biometric
information can be said to be not passing three-fold test as laid down in Puttaswamy (supra)
case. We, thus, answer Issue Nos. 1 and 2 in following manner:-

Ans.1 and 2:- (i) requirement under Aadhaar Act to give one's demographic and biometric
information does not violate fundamental right of privacy.

LA
(ii) The provisions of Aadhaar Act requiring demographic and biometric information from a
resident for Aadhaar Number pass three-fold test as laid down in Puttaswamy (supra) case, hence
cannot be said to be unconstitutional.

ISSUE NOS. 3,4 AND 5

AND SURVEILLACE. IM
COLLECTION, STORAGE, RETENTION, USE, SHARING
SH
933. The Aadhaar Act provides complete architecture beginning with enrolment. The enrolment
means process to collect demographic and biometric information from individuals by enroling
agencies. The enroling agencies have to set up enrolment centers and have to function in
LU

accordance with the procedure specified by UIDAI. Section 8 contemplates for authentication for
Aadhaar number which authentication was done by authority. When a request is made for
identification by any requesting entity in respect to biometric or demographic information of
PN

Aadhaar number holder, the authority may engage one or more entities to establish and maintain
central identity data repository. Section 28 provides for the security and confidentiality of
information which is to the following effect:
H

28. (1) The Authority shall ensure the security of identity information and authentication records
of individuals.

(2) Subject to the provisions of this Act, the Authority shall ensure confidentiality of identity
information and authentication records of individuals.

(3) The Authority shall take all necessary measures to ensure that the information in the
possession or control of the Authority, including information stored in the Central Identities Data
Repository, is secured and protected against access, use or disclosure not permitted under this
Act or regulations made thereunder, and against accidental or intentional destruction, loss or
damage.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.652

(4) Without prejudice to sub-sections (1) and (2), the Authority shall-

(a) adopt and implement appropriate technical and organisational security measures;

(b) ensure that the agencies, consultants, advisors or other persons appointed or engaged for
performing any function of the Authority under this Act, have in place appropriate technical and
organisational security measures for the information; and

(c) ensure that the agreements or arrangements entered into with such agencies, consultants,
advisors or other persons, impose obligations equivalent to those imposed on the Authority under
this Act, and require such agencies, consultants, advisors and other persons to act only on
instructions from the Authority.

(5) Notwithstanding anything contained in any other law for the time being in force, and save as
otherwise provided in this Act, the Authority or any of its officers or other employees or any

LA
agency that maintains the Central Identities Data Repository shall not, whether during his service
or thereafter, reveal any information stored in the Central Identities Data Repository or

IM
authentication record to anyone:

Provided that an Aadhaar number holder may request the Authority to provide access to his
SH
identity information excluding his core biometric information in such manner as may be
specified by regulations.

934. The Act contains specific provision providing that no core biometric information collected
LU

under the Act is shared to anyone for any reason whatsoever or use for any purpose other than
generation of Aadhaar number or authentication under this Act. The statute creates injunction for
requesting entity to use identity information data for any purpose other than that specified to the
PN

individual at the time for submitting any identification. Section 29 provides for not sharing
information collected or created under this Act, which is to the following effect:

"29. (1) No core biometric information, collected or created under this Act, shall be-
H

(a) shared with anyone for any reason whatsoever; or

(b) used for any purpose other than generation of Aadhaar numbers and authentication under this
Act.

(2) The identity information, other than core biometric information, collected or created under
this Act may be shared only in accordance with the provisions of this Act and in such manner as
may be specified by regulations.

(3) No identity information available with a requesting entity shall be-

(a) used for any purpose, other than that specified to the individual at the time of submitting any
identity information for authentication; or Security and confidentiality of information.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.653

(b) disclosed further, except with the prior consent of the individual to whom such information
relates.

(4) No Aadhaar number or core biometric information collected or created under this Act in
respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for
the purposes as may be specified by regulations."

935. Section 30 itself contemplates that biometric information are sensitive personal data or
information. There are strict conditions envisaged in Section 33 for disclosure of information.
The disclosure of information is contemplated only on two contingencies. Firstly, when an order
is passed by a Court not inferior to that of District Judge and secondly when the disclosure is
made in the interest of national security in pursuance of a direction of the officer not below the
rank of Joint Secretary to the Government of India.

LA
936. Chapter VII of the Act deals with the offences and penalties for impersonation at the time of
enrolment penalty for disclosing identity information is provided under Sections 34 to 37.
Section 38 provides for penalty who accesses or secures access to the Central Identities Data

IM
Repository. Section 39 provides for penalty who uses or tampers with the data in the Central
Identities Data Repository. Section 40 provides for penalty whoever, being a requesting entity,
uses the identity information of an individual in contravention of sub-section (3) of section 8.
SH
Section 41 deals with penalty for non-compliance by an enrolling agency or requesting entity.
Section 42 deals with general penalty. Section 42 is as follows:

"42. Whoever commits an offence under this Act or any rules or regulations made thereunder for
LU

which no specific penalty is provided elsewhere than this section, shall be punishable with
imprisonment for a term which may extend to one year or with a fine which may extend to
twenty-five thousand rupees or, in the case of a company, with a fine which may extend to one
PN

lakh rupees, or with both."

937. Regulations have been framed under the Act, namely, (1) The Aadhaar (Enrolment and
H

Update) Regulations, 2016, (2) The Aadhaar (Authentication) Regulations, 2016, (3) The
Aadhaar (Data Security) Regulations, 2016 and (4) The Aadhaar (Sharing of Information)
Regulations, 2016.

938. We have already noticed the detailed submissions of learned counsel for UIDAI. Following
are the measures by which Security Data of privacy is ensured. The security and data privacy is
ensured in the following manner:-

i. The data sent to ABIS is completely anonymised. The ABIS systems do not have access to
resident's demographic information as they are only sent biometric information of a resident with
a reference number and asked to de-duplicate. The de-duplication result with the reference
number is mapped back to the correct enrolment number by the Authorities own enrolment
server.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.654

ii. The ABIS providers only provide their software and services. The data is stored in UIDAI
storage and it never leaves the secure premises.

iii. The ABIS providers do not store the biometric images (source). They only store template for
the purpose of de-duplication (with reference number)

iv. The encrypted enrolment packet sent by the enrolment client software to the CIDRis
decrypted by the enrolment server but the decrypted packet is never stored.

v. The original biometric images of fingerprints, iris and face are archived and stored offline.
Hence, they cannot be accessed through an online network.

vi. The biometric system provides high accuracy of over 99.86%. The mixed biometric have
been adopted only to enhance the accuracy and to reduce the errors which may arise on account
of some residents either not having biometrics or not having some particular biometric.

LA
939. After the enrolment and allotting an Aadhaar number to individual the main function of the
authority is authentication of an Aadhaar number holder as and when request is made by the

IM
requesting agency. The authentication facility provided by the authority is under Section 3 of the
Authentication Regulations, 2016 which is to the following effect:
SH
"3. Types of Authentication.-

There shall be two types of authentication facilities provided by the Authority, namely-
LU

(i) Yes/No authentication facility, which may be carried out using any of the modes specified in
regulation 4(2); and
PN

(ii) e-KYC authentication facility, which may be carried out only using OTP and/or biometric
authentication modes as specified in regulation 4(2)."

940. Various modes of authentication are provided in Regulation 4 of Authentication

H

Regulations 2016, which are: Demographic authentification; One time pin-based authentication;
Biometric-based authentification and Multi-factor authentification. A requesting entity may
choose suitable mode of authentication for particular function or business function as per its
requirement.

941. Regulation 7 provides for capturing biometric information by requesting entity which is to
the following effect:

"7. Capturing of biometric information by requesting entity.-

(1) A requesting entity shall capture the biometric information of the Aadhaar number holder
using certified biometric devices as per the processes and specifications laid down by the
Authority.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.655

(2) A requesting entity shall necessarily encrypt and secure the biometric data at the time of
capture as per the specifications laid down by the Authority.

(3) For optimum results in capturing of biometric information, a requesting entity shall adopt the
processes as may be specified by the Authority from time to time for this purpose."

942. Regulation 9 deals with process of sending authentification requests. Sub-Regulation (1) of
Regulation 9 contends the safe method of transmission of the authentication requests.

943. The Aadhaar (Data Security) Regulations, 2016 contain detail provisions to ensuring data
security. Regulation 3 deals with measures for ensuring information security. Regulation 5
provides security obligations of the agencies, consultants, advisors and other service providers
engaged by the Authority for discharging any function relating to its processes.

944. The Aadhaar (Sharing of Information) Regulations, 2016 also contain provisions providing

LA
for restrictions on sharing identity information. Sub-Regulation (1) of Regulation 3 provides that
core biometric information collected by the Authority under the Act shall not be shared with

IM
anyone for any reason whatsoever.

945. Sharing of Information Regulations, 2016 also contain various other restrictions. Regulation
SH
6 contains restrictions on sharing, circulating or publishing of Aadhaar number which is to the
following effect:

"6. Restrictions on sharing, circulating or publishing of Aadhaar number. -

LU

(1) The Aadhaar number of an individual shall not be published, displayed or posted publicly by
any person or entity or agency.
PN

(2) Any individual, entity or agency, which is in possession of Aadhaar number(s) of Aadhaar
number holders, shall ensure security and confidentiality of the Aadhaar numbers and of any
record or database containing the Aadhaar numbers.
H

(3) Without prejudice to sub-regulations (1) and (2), no entity, including a requesting entity,
which is in possession of the Aadhaar number of an Aadhaar number holder, shall make public
any database or record containing the Aadhaar numbers of individuals, unless the Aadhaar
numbers have been redacted or blacked out through appropriate means, both in print and
electronic form.

(4) No entity, including a requesting entity, shall require an individual to transmit his Aadhaar
number over the Internet unless such transmission is secure and the Aadhaar number is
transmitted in encrypted form except where transmission is required for correction of errors or
redressal of grievances.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.656

(5) No entity, including a requesting entity, shall retain Aadhaar numbers or any document or
database containing Aadhaar numbers for longer than is necessary for the purpose specified to
the Aadhaar number holder at the time of obtaining consent."

946. The scheme of the Aadhaar Act indicates that all parts of the entire process beginning from
enrolment of a resident for allocation of Aadhaar number are statutory regulated.

947. The Authentication Regulations, 2016 also limit the period for retention of logs by
requesting entity. Regulation 18(1) which is relevant in this context is as follows:

"18. Maintenance of logs by requesting entity.-

(1) A requesting entity shall maintain logs of the authentication transactions processed by it,
containing the following transaction details, namely:-

LA
(a) the Aadhaar number against which authentication is sought;

(b) specified parameters of authentication request submitted;

IM
(c) specified parameters received as authentication response;
SH
(d) the record of disclosure of information to the Aadhaar number holder at the time of
authentication; and

(e) record of consent of the Aadhaar number holder for authentication, but shall not, in any
event, retain the PID information."
LU

948. The residents' information in CIDR are also permitted to be updated as per provisions of the
Aadhaar (Enrolment and Update) Regulations, 2016. An over view of the entire scheme of
PN

functions under the Aadhaar Act and Regulations made thereunder indicate that after enrolment
of resident, his informations including biometric information are retained in CIDR though in
encrypted form. The major function of the authority under Aadhaar Act is authentication of
H

identity of Aadhaar number holder as and when requests are made by requesting agency,
retention of authentication data of requesting agencies are retained for limited period as noted
above. There are ample safeguards for security and data privacy in the mechanism which is at
place as on date as noted above.

949. Shri Shyam Divan, learned senior counsel appearing for the petitioners has passionately
submitted that entire process of authentication as is clear from actual working of the Aadhaar
programme reveals that Aadhaar Act enables the State to put the entire population of the country
in an electronic leash and they are tracked 24 hours and 7 days. He submits that putting the entire
population under surveillance is nothing but converting the State into a totalitarian State.
Elaborating his submission, Shri Divan submits that process of authentication creates
authentication records of (1) time of authentication, (2) identity of the requesting entity. Both
requesting entity and UIDAI have authentication transactions data which record the technical

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.657

details of transactions. The devices which are used by the requesting entities have IP address
which enables knowledge about geographical information of Aadhaar number holder with
knowledge of his location, details of transaction, every person can be tracked and by aggregating
the relevant data the entire population is put on constant surveillance. Aadhaar programme
endeavours all time mass surveillance by the State which is undemocratic and violates the
fundamental rights of individual.

950. The meta data regarding authentication transactions which are stored with the authority are
potent enough to note each and every transaction of resident and to track his activities is nothing
but surveillance. Regulation 26 of Authentication Regulations, 2016 provides storage of meta
data related to the transaction. Regulation 26 which is relevant is as follows:

"26. Storage and Maintenance of Authentication Transaction Data. - (1) The Authority shall store
and maintain authentication transaction data, which shall contain the following information:-

LA
(a) authentication request data received including PID block;

IM
(b) authentication response data sent;

(c) meta data related to the transaction;

SH
(d) any authentication server side configurations as necessary Provided that the Authority shall
not, in any case, store the purpose of authentication."

951. We may first notice as to what is meta data which is referred to in Regulation 26 above. The
LU

UIDAI receives the requests for authentication of ANH. The request for authentication received
by requesting agency does not contain any information as to the purpose of authentication neither
requesting agency nor UIDAI has any record pertaining to purpose for which authentication has
PN

been sought by Aadhaar number holder. The meta data referred to in Regulation 26(c) is only
limited technical meta data.
H

952. Shri Kapil Sibal had submitted that CIDR holds the entire Aadhaar database retained by
CIDR. It has become a soft target for internal/external/indigenous/foreign attacks and single
point of failure. Shri Sibal has referred to a RBI report which states:

"Thanks to Aadhaar, for the first time in the history of India, there is now a readily available
single target for cyber criminals as well as India's external enemies. In a few years, attacking
UIDAI data can potentially cripple Indian businesses and administration in ways that were
inconceivable a few years ago. The loss to the economy and citizens in case of such an attack is
bound to be incalculable."

953. He has further submitted that a digital world is far more susceptible to manipulation than
the physical world. No legislation can or should allow an individual's personal data to be put at
risk, in the absence of a technologically assured and safe environment. Such level of assurance is

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.658

impossible to obtain in the digital space. Biometric, core biometric and demographic information
of an individual, once part of the digital world is irretrievable: a genie out of the bottle that
cannot be put back. The digital world is a vehicle to benefit the information economy. A move
from an information economy to creating an architecture for an information polity has far
reaching consequences impacting the most personal rights, protected by the right to privacy. The
technology acquired by the UIDAI has also been criticised by the Opaque Foreign Technologies.

954. The above submissions have been strongly refuted by learned Attorney General and learned
counsel appearing for the UIDAI. It is submitted by the respondents that the above submissions
regarding mass surveillance have been made on misconception regarding actual operation of the
entire process.

955. The meta data which is aggregation of authentication transactions does not contain any
detail of actual transaction done by ANH. In the event, in a period of 30 days, 30 requesting

LA
agencies, may be one or different, have requested for authentication the UIDAI has only the
recipient of demographic/biometric of ANH authentication without any information regarding
purposes of authentication. Thus, even if authentication details are aggregated, there is no

IM
information with the UIDAI regarding purpose of authentication nor authentication leaves for
any trail so as to keep any track by UiDAI to know the nature of transaction or to keep any kind
SH
of surveillance as alleged. Section 32 sub-section (3) of the Aadhaar Act specifically prohibits
the authority from collecting or maintaining either directly or indirectly any information for the
purpose of authentication.
LU

956. Proviso to Regulation 26 is also to the same effect i.e. provided that the authority shall not,
in any case, store the purpose of authentication.

957. Elaborating on CIDR, Shri Dwivedi submits that CIDR is a centralised database which
PN

contains all Aadhaar numbers issued with corresponding demographic and biometric
information. It is a "Protected System" notified under Section 70 of Information Technology Act,
2000. The storage involves end to end encryption, logical partitioning, fire walling and
H

anonymisation of decrypted biometric data. The encryption system follows a private key/public
model and the private key is available only with UIDAI at the processing location. Hence even if
data packets are lost or stolen the biometric information regarding the same cannot be accessed.
At the CIDR there is multi-layer technological security to afford protection from hacking, and
there is also deployment of armed forces to prevent unauthorised physical access into the CIDR
Area. Additionally entry is electronically controlled. There are CIDR at two location already and
some other locations are likely to be set up to ensure that data is not lost even in the remote
eventuality of a disaster. The CIDR is centrally managed. The templates of finger prints and iris
data are generated in ISO format and the same along with demographic data and photo are stored
securely in the authentication server database. This database is used for authentication in the
manner provided in Aadhaar (Authentication) Regulation 2016.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.659

958. In view of above, the apprehension raised by Shri Kapil Sibal that CIDR is a soft target is
misplaced.

959. To support his submission, Shri Shyam Divan, learned counsel for the petitioner has placed
reliance on judgment of the United States Supreme Court in United States vs. Antoine Jones, 132
S.Ct. 945 (2012).

960. A large number of foreign judgments touching various aspects of accumulation of data,
retention of data, surveillance, has been cited by both the parties to support their respective stand.
It is necessary to have an over view of the opinion expressed by various Courts in other countries
of the world. The present age being the age of technology and information, the issues pertaining
to storage and retention of personal data in different contexts have come up before several Courts
of different countries which also need to be noted.

LA
961. The petitioners have relied on European Court, Human Rights in S. and Marper vs. The
United Kingdom, 2008 (48)EHRR 50. The applicants, S and Marper had submitted two
applications against the United Kingdom, Great Britain and Northern Ireland under Article 34 of

IM
the Convention for the Protection of Human Rights and Fundamental Freedoms (the
Convention). The applicants complained that the authorities had continued to retain their
fingerprints and cellular samples and DNA profiles after the criminal proceedings against them
SH
had ended with an acquittal or had been discontinued. The applicants had applied for judicial
review of the police decisions not to destroy the fingerprints and samples which application was
rejected. The Court of appeal upheld the decision of the Administrative Court. The House of
LU

Lords had also dismissed the appeal on 22 nd July, 2004. The House of Lords had taken the view
that the mere retention of fingerprints and DNA samples did not constitute an interference with
the right to respect for private life but stated that, if he were wrong in that view, he regarded any
PN

interference as very modest indeed.

998. This Court again in the same proceeding passed another judgment on 16.03.2012 PUCL vs.
Union of India, (2013) 14 SCC 368 in which following was stated in paragraphs 2 and 4:
H

"2. There seems to be a general consensus that computerisation is going to help the public
distribution system in the country in a big way. In the affidavit it is stated that the Department of
Food and Public Distribution has been pursuing the States to undertake special drive to eliminate
bogus/duplicate ration cards and as a result, 209.55 lakh ration cards have been eliminated since
2006 and the annual saving of foodgrain subsidy has worked out to about Rs. 8200 crores per
annum. It is further mentioned in the affidavit that end-to-end computerisation of public
distribution system comprises creation and management of digitised beneficiary database
including biometric identification of the beneficiaries, supply chain management of TPDS
commodities till fair price shops.

4. In the affidavit it is further mentioned that the Government of India has set up a task force
under the Chairmanship of Mr Nandan Nilekani, Chairman, UIDAI, to recommend, amongst

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.660

others, an IT strategy for the public distribution system. We request Mr Nandan Nilekani to
suggest us ways and means by which computerisation process of the public distribution system
can be expedited. Let a brief report/affidavit be filed by Mr Nandan Nilekani within four weeks
from today."

1021. The ground to challenge Section 29 is that it permits sharing of identity information. It is
submitted that sharing of identity information is breach of Right of Privacy. Section 29 is a
provision, which contains restrictions on sharing information as is clear from the heading of the
section. Section 29 sub-section (1) contains prohibition on sharing of any core biometric
information collected or created under this Act. Section 29 for ready reference is extracted as
below:-

29. Restriction on sharing information. (1) No core biometric information, collected or created
under this Act, shall be-

LA
(a) shared with anyone for any reason whatsoever; or

IM
(b) used for any purpose other than generation of Aadhaar numbers and authentication under this
Act.
SH
(2) The identity information, other than core biometric information, collected or created under
this Act may be shared only in accordance with the provisions of this Act and in such manner as
may be specified by regulations.
LU

(3) No identity information available with a requesting entity shall be-

(a) used for any purpose, other than that specified to the individual at the time of submitting any
identity information for authentication; or
PN

(b) disclosed further, except with the prior consent of the individual to whom such information
relates.
H

(4) No Aadhaar number or core biometric information collected or created under this Act in
respect of an Aadhaar number holder shall be published, displayed or posted publicly, except for
the purposes as may be specified by regulations.

1022. Sub-section (2) permits sharing of identity information, other than core biometric
information, only in accordance with the provisions of this Act and in such manner as may be
specified by regulations. Further sub-section (3) prohibits requesting entity to use identity
information for any purpose other than that specified to the individual or to disclose any
information without the consent of individual. Sub-section (4) provides that no Aadhaar number
or core biometric information shall be published, displayed or posted publicly, except for the
purposes as may be specified by regulations. The attack on Section 29 that it permits sharing of
information is thus wholly misconceived. The objective of the Act is to protect the information

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.661

and privacy of an individual and so the Section is not liable to be struck down on the specious
ground that it permits sharing of the information. Further sub-section (3) engraft a provision of
sharing identity information by requesting entity with consent of the individual. When a person
consents about sharing of his identity information, he cannot complain breach of Privacy Right.
Petitioners take exception of provision of sub-section(2), which permits identity information
other than core biometric information to be shared in accordance with the provisions of this Act
and in such manner as may be specified by the regulations. When an Act or Regulation regulates
and controls sharing of the information, the provision is regulatory and has been engrafted to
protect individual's Privacy Right. The Aadhaar (Sharing of Information) Regulations, 2016
again contains in Chapter II - Restrictions on sharing of identity information. Regulation 3 is
restriction on Authority. Regulation 4 is restriction on requesting entity. Regulation 5 fixes
responsibility of any agency or entity other than requesting entity with respect to Aadhaar
number. Regulation 6 provides restriction on sharing, circulating or publishing of Aadhaar

LA
number.

1023. We, thus, conclude that the provision of Section 29 and the Sharing Regulations contains a

IM
restriction and cannot be in any manner be held to violate any of the constitutional rights of a
person. Objective of the Act is to put restrictions on the sharing information, which also is a
legitimate State aim. The provision under Section 29 which permits sharing of identity
SH
information except core biometric information in accordance with the Act and Regulations
cannot be said to be disproportionate nor unreasonable. Legislature can very well enumerates
circumstances and conditions where sharing of information becomes necessary. One of the
circumstances where sharing of the information is specifically engrafted in sub-section(2) of
LU

Section 33, which provides that nothing contained in sub-section (3) of Section 29 shall apply in
respect of any disclosure of information, including identity information or authentication records,
PN

made in the interest of national security in pursuance of a direction of an officer not below the
rank of Joint Secretary to the Government of India. Thus, the circumstances which can
contemplate for sharing information is reasonable and proportionate.
H

1046. The Information Technology Act, 2000 defines electronic record in Section 2(t) which is
to the following effect:-

"Section 2(t)- "electronic record" means data, record or data generated, image or sound stored,
received or sent in an electronic form or micro film or computer generated micro fiche;"

1047. The demographic and biometric information which is collected for enrolment of the
resident in electronic data as defined in Section 2(t) of Information Technology Act and
expressly stated in Section 30 of Aadhaar Act. Chapter 11 of the Information Technology Act
defines offences. Section 66C, Section 66D and Section 72 of the Information Technology Act
defines offences and provides for penalty, which is to the following effect:-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.662

"66C. Punishment for identity theft-Whoever, fraudulently or dishonestly make use of the
electronic signature, password or any other unique identification feature of any other person,
shall be punished with imprisonment of either description for a term which may extend to three
years and shall also be liable to fine which may extend to rupees one lakh.

66D. Punishment for cheating by personation by using computer resource-Whoever, by means

for any communication device or computer resource cheats by personating, shall be punished
with imprisonment of either description for a term which may extend to three years and shall also
be liable to fine which may extend to one lakh rupees.

72. Penalty for breach of confidentiality and privacy - Save as otherwise provided in this Act or
any other law for the time being in force, if any person who, in pursuance of any of the powers
conferred under this Act, rules or regulations made thereunder, has secured access to any
electronic record, book, register, correspondence, information, document or other material

LA
without the consent of the person concerned discloses such electronic record, book, register,
correspondence, information, document or other material to any other person shall be punished
with imprisonment for a term which may extend to two years, or with fine which may extend to

IM
one lakh rupees, or with both."

1048. With regard to an offence which falls within the definition of 'offences' a victim can
SH
always file complaint or lodge an F.I.R.. Section 46 of the Aadhaar Act clearly provides that the
penalties under the Aadhaar Act shall not interfere with other punishments. Section 46 is as
follows:
LU

"46. Penalties not to interfere with other punishments. - No penalty imposed under this Act shall
prevent the imposition of any other penalty or punishment under any other law for the time being
in force."
PN

125. By making use of the technology, a method is sought to be devised, in the form of Aadhaar,
whereby identity of a person is ascertained in a flawless manner without giving any leeway to
H

any individual to resort to dubious practices of showing multiple identities or fictitious identities.
That is why it is given the nomenclature "unique identity". It is aimed at securing advantages on
different levels some of which are described, in brief, below:

125.3. Aadhaar or UID, which has come to be known as the most advanced and sophisticated
infrastructure, may facilitate law-enforcement agencies to take care of problem of terrorism to
some extent and may also be helpful in checking the crime and also help investigating agencies
in cracking the crimes. No doubt, going by the aforesaid, and may be some other similarly valid
considerations, it is the intention of the Government to give fillip to Aadhaar movement and
encourage the people of this country to enrol themselves under the Aadhaar Scheme."

1157. In Paragraphs 122 to 125 of Binoy Viswam, it has also been observed that the measures
taken may go a long way to check and minimise the malaise of black money.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.663

1158. Dr. Justice D.Y. Chandrachud in Puttaswamy case in Paragraph 311 has stated:-

"311. .........Prevention and investigation of crime and protection of the revenue are among the
legitimate aims of the State. Digital platforms are a vital tool of ensuring good governance in a
social welfare State. Information technology - legitimately deployed is a powerful enabler in the
spread of innovation and knowledge."

1159. In Puttaswamy case, Justice Sanjay Kishan Kaul has noted the European Union General
Data Protection Regulation and observed that restrictions on the right to privacy may be
justifiable on the ground of regulation of taxes and financial institutions. In Paragraph 640,
Justice Kaul has held:-

"640. It would be useful to turn to the European Union Regulation of 2016. Restrictions of the
right to privacy may be justifiable in the following circumstances subject to the principle of

LA
proportionality:

(a) Other fundamental rights: The right to privacy must be considered in relation to its function

IM
in society and be balanced against other fundamental rights.

(b) Legitimate national security interest.

SH
(c) Public interest including scientific or historical research purposes or statistical purposes.

(d) Criminal offences: The need of the competent authorities for prevention investigation,
prosecution of criminal offences including safeguards against threat to public security;
LU

(e) The unidentifiable data: The information does not relate to identified or identifiable natural
person but remains anonymous. The European Union Regulation of 2016 refers to
PN

"pseudonymisation" which means the processing of personal data in such a manner that the
personal data can no longer be attributed to a specific data subject without the use of additional
information, provided that such additional information is kept separately and is subject to
H

technical and organisational measures to ensure that the personal data are not attributed to an
identified or identifiable natural person;

"Having considered the matter, we are of the view that the balance of interest would be best
served, till the matter is finally decided by a larger Bench if the Union of India or the UIDA
proceed in the following manner:-

1. The Union of India shall give wide publicity in the electronic and print media including radio
and television networks that it is not mandatory for a citizen to obtain an Aadhaar card;

2. The production of an Aadhaar card will not be condition for obtaining any benefits otherwise
due to a citizen;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.664

3. The Unique Identification Number or the Aadhaar card will not be used by the respondents for
any purpose other than the PDS Scheme and in particular for the purpose of distribution of
foodgrains, etc. and cooking fuel, such as kerosene. The Aadhaar card may also be used for the
purpose of the LPG Distribution Scheme;

4. The information about an individual obtained by the Unique Identification Authority of India
while issuing an Aadhaar card shall not be used for any other purpose, save as above, except as
may be directed by a Court for the purpose of criminal investigation."

By subsequent order of 15.10.2015, some more Schemes were included.

1167. It is submitted that the Central Government and the State Government issued various
notifications numbering 139, requiring Aadhaar authentication for various benefits, subsidies and
schemes. The issuance of such orders is in breach of above Interim Orders passed by this Court.

LA
1169. We have noticed that the Writ Petition (C) No. 494 of 2012 was filed at the time when
Aadhaar Scheme was being implemented on the basis of executive's instructions dated

IM
28.01.2009. In the Writ Petition filed prior to enactment of Act, 2016, challenge to Aadhaar
Scheme was founded on following:-
SH
i. The requirement of making Aadhaar mandatory for availing benefits under various social
service schemes by way of an executive order and

ii. Concerns regarding the right to privacy of the individuals, which emanated on account of
LU

collection of biometric data under the Aadhaar scheme, which is without any legislative backing.

1170. Aadhaar Act, 2016 gives legislative backing to the Aadhaar Scheme. The Act contains
specific provisions prohibiting disclosure of core biometric information collected in Aadhaar
PN

enrolment. It is submitted that Schemes notified under Section 7 of the Act were on the strength
of Aadhaar enactment and cannot be said to be a violation of interim orders of this Court. The
submission that interim orders directed the Aadhaar to be voluntary, it is submitted by the
H

respondent that consent was obtained from individuals, who came for enrolment under the
Aadhaar Act. It is submitted that all those, who were enrolled under the Statutory Scheme dated
28.01.2009, the consent was given by the individuals in verifying their informations.

CONCLUSIONS:-

1173. In view of above discussions, we arrive at following conclusions:-

(1) The requirement under Aadhaar Act to give one's demographic and biometric information
does not violate fundamental right of privacy.

(2) The provisions of Aadhaar Act requiring demographic and biometric information from a
resident for Aadhaar Number pass three-fold test as laid down in Puttaswamy (supra) case, hence
cannot be said to be unconstitutional.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.665

(3) Collection of data, its storage and use does not violate fundamental Right of Privacy.

(4) Aadhaar Act does not create architecture for pervasive surveillance.

(5) Aadhaar Act and Regulations provides protection and safety of the data received from
individuals.

(7) The State while enlivening right to food, right to shelter etc. envisaged under Article 21
cannot encroach upon the right of privacy of beneficiaries nor can former be given precedence
over the latter.

(17) Section 139-AA does not breach fundamental Right of Privacy as per Privacy Judgment in
Puttaswamy case.

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.666

HIGH COURT OF AUSTRALIA

GLEESON CJ,

Dow Jones & Company Inc.

LA
v

IM
Gutnick

[2002] HCA 56
SH

ORDER
LU

Appeal dismissed with costs.

PN

On appeal from the Supreme Court of Victoria

GLEESON CJ, McHUGH, GUMMOW AND HAYNE JJ. The appellant, Dow Jones &
H

Company Inc ("Dow Jones"), prints and publishes theWall Street Journalnewspaper and
Barron'smagazine. Since 1996, Dow Jones has operated WSJ.com, a subscription news site on
the World Wide Web. Those who pay an annual fee (set, at the times relevant to these
proceedings, at $US59, or $US29 if they are subscribers to the printed editions of either theWall
Street Journal or Barron's) may have access to the information to be found at WSJ.com. Those
who have not paid a subscription may also have access if they register, giving a user name and a
password. The information at WSJ.com includes Barron's Online in which the text and pictures
published in the current printed edition of Barron'smagazine are reproduced. The edition of
Barron's Onlinefor 28 October 2000 (and the equivalent edition of the magazine which bore the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.667

date 30 October 2000) contained an article entitled "Unholy Gains" in which several references
were made to the respondent, Mr Joseph Gutnick. Mr Gutnick contends that part of the article
defamed him. He has brought an action in the Supreme Court of Victoria against Dow Jones
claiming damages for defamation. Mr Gutnick lives in Victoria. He has his business headquarters
there. Although he conducts business outside Australia, including in the United States of
America, and has made significant contributions to charities in the United States and Israel,
much of his social and business life could be said to be focused in Victoria

The originating process in the action which Mr Gutnick brought against Dow Jones was served
on it outside Australia. The writ recorded that service was effected in reliance upon two of the
provisions of the Supreme Court (General Civil Procedure) Rules 1996 (Vic) ("the Victorian

LA
Rules") (rr 7.01(1)(i) and 7.01(1)(j)) providing for service of process outside Australia. Under
those Rules, the scheme of which is broadly similar to that considered in Agar v Hyde[1], a

IM
plaintiff may serve originating process without first obtaining the leave of the Court. If the
defendant does not submit to the jurisdiction by filing an unconditional appearance, the plaintiff
SH
must obtain leave to proceed[2], demonstrating that the originating process makes claims of a
kind which one or more of the paragraphs of r 7.01(1) mention. If the defendant wishes to
contend that the Court should decline to exercise its jurisdiction or should set aside service, the
LU

defendant may enter a conditional appearance and apply for either or both of two forms of order
- an order staying further proceedings in the matter or an order setting aside service of the
PN

originating process.

The principal issue debated in the appeal to this Court was where was the material of which
H

Mr Gutnick complained published? Was it published in Victoria? The answer to these questions
was said to affect, even determine, whether proceedings in the Supreme Court of Victoria
should, as Dow Jones contended, be stayed on the ground that that Court was a clearly
inappropriate forum for determination of the action[3]. The procedural steps which give rise to
that issue can be described as follows.

The proceedings below

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.668

Dow Jones entered a conditional appearance to the process served upon it. It applied to a Judge
of the Supreme Court of Victoria (Hedigan J) for an order that service of the writ and statement
of claim be set aside or an order that further proceedings in the matter be permanently stayed.

In the course of the proceedings before the primary judge, Mr Gutnick proffered an undertaking
to sue in no place other than Victoria in respect of the matters which founded his proceeding.
The primary judge recorded in his reasons that Mr Gutnick "seeks to have his Victorian
reputation vindicated by the courts of the State in which he lives [and that he] is indifferent to the
other substantial parts of the article and desires only that the attack on his reputation in Victoria
as a money-launderer should be repelled and his reputation re-established". A deal of evidence
was led before the primary judge seeking to establish the way in which, and the place at which,

LA
information found at a website like WSJ.com is published. It will be necessary to say something
more about what that evidence revealed. His Honour concluded that the statements of which

IM
Mr Gutnick sought to complain were "published in the State of Victoria when downloaded by
Dow Jones subscribers who had met Dow Jones's payment and performance conditions and by
SH
the use of their passwords". He rejected Dow Jones's contention that the publication of the article
in Barron's Onlineoccurred at the servers maintained by Dow Jones in New Jersey in the United
States. Being therefore of the opinion that the defamation of which Mr Gutnick complained had
LU

occurred in Victoria, Hedigan J concluded that Victoria was not a clearly inappropriate forum for
trial of the proceeding and dismissed Dow Jones's application.
PN

Dow Jones sought leave to appeal to the Court of Appeal of Victoria but that Court
(Buchanan JA and O'Bryan AJA) refused leave to appeal, holding that the decision at first
H

instance was plainly correct. By special leave, Dow Jones now appeals to this Court. The appeal
to this Court should be dismissed.

Undisputed principles

Argument of the appeal proceeded from an acceptance, by both parties, of certain principles.
First, it is now established that an Australian court will decline, on the ground of forum non
conveniens, to exercise jurisdiction which has been regularly invoked by a plaintiff, whether by
personal service or under relevant long-arm jurisdiction provisions, only when it is shown that
the forum whose jurisdiction is invoked by the plaintiff is clearly inappropriate[4]. Secondly, it is

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.669

now established that in trying an action for tort in which the parties or the events have some
connection with a jurisdiction outside Australia, the choice of law rule to be applied is that
matters of substance are governed by the law of the place of commission of the tort. Neither
party sought to challenge either proposition. Rather, argument focused upon where was the place
of publication of the statements of which Mr. Gutnick complained. Dow Jones contended that the
statements were published in New Jersey and that it was, therefore, the law of that jurisdiction
which would govern all questions of substance in the proceeding. This was said to have two
consequences: first, that the claims made in the originating process were not of a kind mentioned
in any of the relevant paragraphs of r 7.01(1) of the Victorian Rules and, secondly, that because
the law governing questions of substance was not Victorian law, Victoria was a clearly

LA
inappropriate forum for the trial of the proceeding.

"Jurisdiction" and "publishing"

IM
Two of the terms that must be used in considering the questions that arise in this matter are terms
SH
that can give rise to difficulty. "Jurisdiction", as was pointed out in Lipohar v The Queen, is a
generic term that is used in a variety of senses. In the present matter there are two distinct senses
in which it is used - first, as referring to the amenability of a defendant to process in such a way
LU

as will give a court authority to decide the controversy which that process seeks to agitate and,
secondly, as referring to a particular territorial or law area or law district.
PN

"Publishing" and its cognate words is also a term that gives rise to difficulty. As counsel for the
interveners pointed out it may be useful, when considering wheresomething is published to
H

distinguish between the (publisher's) act of publication and the fact of publication (to a third
party), but even that distinction may not suffice to reveal all the considerations relevant to
locating the place of the tort of defamation.

WSJ.com

Since so much was made in argument, both in this Court and in the courts below, of what was
said to be the unusual features of publication on the Internet and the World Wide Web, it is
necessary to say something about what the evidence revealed about those matters. For present
purposes, it is convenient to adopt what was said in that evidence without diverting to consider
what qualification to, or amplification of, that evidence might be necessary to give a complete

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.670

and entirely accurate description of the Internet or the World Wide Web. (There was, for
example, no evidence adduced that revealed what electronic impulses pass or what electronic
events happen in the course of passing or storing information on the Internet.)

One witness called by Dow Jones, Dr Clarke, described the Internet as "a telecommunications
network that links other telecommunication networks". In his opinion, it is unlike any technology
that has preceded it. The key differences identified by Dr Clarke included that the Internet
"enables inter-communication using multiple data-formats ... among an unprecedented number of
people using an unprecedented number of devices [and] among people and devices without
geographic limitation".

LA
The World Wide Web is but one particular service available over the Internet. It enables a
document to be stored in such a way on one computer connected to the Internet that a person

IM
using another computer connected to the Internet can request and receive a copy of the
document. As Dr Clarke said, the terms conventionally used to refer to the materials that are
SH
transmitted in this way are a "document" or a "web page" and a collection of web pages is
usually referred to as a "web site". A computer that makes documents available runs software
that is referred to as a "web server"; a computer that requests and receives documents runs
LU

software that is referred to as a "web browser".

The originator of a document wishing to make it available on the World Wide Web arranges for
PN

it to be placed in a storage area managed by a web server. This process is conventionally referred
to as "uploading". A person wishing to have access to that document must issue a request to the
H

relevant server nominating the location of the web page identified by its "uniform resource
locator (URL)". When the server delivers the document in response to the request the process is
conventionally referred to as "downloading".

Dow Jones has its editorial offices for Barron's, Barron's Onlineand WSJ.com in the city of New
York. Material for publication in Barron'sor Barron's Online, once prepared by its author, is
transferred to a computer located in the editorial offices in New York city. From there it is
transferred either directly to computers at Dow Jones's premises at South Brunswick, New
Jersey, or via an intermediate site operated by Dow Jones at Harborside, New Jersey. It is then

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.671

loaded onto six servers maintained by Dow Jones at its South Brunswick premises. Dow Jones's
contention

The principal burden of the argument advanced by Dow Jones on the hearing of the appeal in
this Court was that articles published on Barron's Onlinewere published in South Brunswick,
New Jersey, when they became available on the servers which it maintained at that place.

In the courts below, much weight appears to have been placed by Dow Jones on the contention
that a relevant distinction was to be drawn between the apparently passive role played by a
person placing material on a web server from which the would-be reader had actively to seek the
material by use of a web browser and the (comparatively) active role played by a publisher of a

LA
widely circulated newspaper or a widely disseminated radio or television broadcast. In this
Court, these arguments, though not abandoned, were given less prominence than policy

IM
arguments based on what was said to be the desirability of there being but a single law governing
the conduct of a person who chooses to make material available on the World Wide Web.
SH
Dow Jones submitted that it was preferable that the publisher of material on the World Wide
Web be able to govern its conduct according only to the law of the place where it maintained its
web servers, unless that place was merely adventitious or opportunistic. Those who, by leave,
LU

intervened in support of Dow Jones[8]generally supported this contention. The alternative, so the
argument went, was that a publisher would be bound to take account of the law of every country
PN

on earth, for there were no boundaries which a publisher could effectively draw to prevent
anyone, anywhere, downloading the information it put on its web server.
H

The rule propounded by Dow Jones may have a greater appearance of certainty than it would
have in fact. "Adventitious" and "opportunistic" are words likely to produce considerable debate.
Does a publisher's decision to have a server in a country where the costs of operation are low, or
the benefits offered for setting up business are high, warrant either of these descriptions? Does a
publisher's decision to have servers in two, widely separated, states or even countries warrant
either description, or is it simply a prudent business decision to provide security and continuity
of service? How is the user to know which server dealt with a particular request? Is the fact that
one rather than the other server met the request "adventitious"?

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.672

To the extent that the suggested rule would require reference only to the law of the place in
which the server is located, it is a rule that would evidently be convenient to the party putting
material on a web server. But that does not conclude debate. The convenience of one party is
important to it, but how would such a rule fit with other, no less relevant, considerations? In
particular, how would it fit with the nature of the competing rights and interests which an action
for defamation must accommodate?

It is necessary to begin by making the obvious point that the law of defamation seeks to strike a
balance between, on the one hand, society's interest in freedom of speech and the free exchange
of information and ideas (whether or not that information and those ideas find favour with any
particular part of society) and, on the other hand, an individual's interest in maintaining his or her

LA
reputation in society free from unwarranted slur or damage. The way in which those interests are
balanced differs from society to society. In some cases, for example as between the States in

IM
Australia, the differences in substantive law might be said to be differences of detail rather than
substance, although even then it may be doubted that this is an accurate characterisation of the
SH
effect of the differences in the defamation laws of the Australian States. Whether or not that is
so, comparing the law of defamation in different countries can reveal differences going well
beyond matters of detail lying at the edge of debate.
LU

It follows that identifying the law which is to govern questions of substance, in an action for
PN

defamation where there is some foreign element, may have substantial consequences for the
resolution of the proceeding. No less importantly, those who would seek to order their affairs in a
way that will minimise the chance of being sued for defamation must be able to be confident in
H

predicting what law will govern their conduct. But certainty does not necessarily mean
singularity. What is important is that publishers can act with confidence, not that they be able to
act according to a single legal system, even if that system might, in some sense, be described as
their "home" legal system. Activities that have effects beyond the jurisdiction in which they are
done may properly be the concern of the legal systems in each place. In considering where the
tort of defamation occurs it is important to recognise the purposes served by the law regarding
the conduct as tortious: purposes that are not confined to regulating publishers any more than
they are confined to promoting free speech.

Defamation

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.673

The tort of defamation, at least as understood in Australia, focuses upon publications causing
damage to reputation. It is a tort of strict liability, in the sense that a defendant may be liable
even though no injury to reputation was intended and the defendant acted with reasonable care.
Yet a publication made in the ordinary course of a business such as that of bookseller or news
vendor, which the defendant shows to have been made in circumstances where the defendant did
not know or suspect and, using reasonable diligence, would not have known or suspected was
defamatory, will be held not to amount to publication of a libel. There is, nonetheless, obvious
force in pointing to the need for the publisher to be able to identify, in advance, by what law of
defamation the publication may be judged. But it is a tort concerned with damage to reputation
and it is that damage which founds the cause of action. Perhaps, as Pollock said in 1887, the law

LA
went "wrong from the beginning in making the damage and not the insult the cause of action" for
slander but it is now too late to deny that damage by publication is the focus of the law. "It is the

IM
publication, not the composition of a libel, which is the actionable wrong."

Harm to reputation is done when a defamatory publication is comprehended by the reader, the
SH
listener, or the observer. Until then, no harm is done by it. This being so it would be wrong to
treat publication as if it were a unilateral act on the part of the publisher alone. It is not. It is a
bilateral act - in which the publisher makes it available and a third party has it available for his or
LU

her comprehension.
PN

The bilateral nature of publication underpins the long-established common law rule that every
communication of defamatory matter founds a separate cause of action. That rule has found
reflection from time to time in various ways in State legislation and it would be a large step now
H

to depart from it.

If the place in which the publisher acts and the place in which the publication is presented in
comprehensible form are in two different jurisdictions, where is the tort of defamation
committed? That question is not to be answered by an uncritical application of some general rule
that intentional torts are committed where the tortfeasor acts[16]or that they are committed in the
place where the last event necessary to make the actor liable takes place[17]. Nor does it require
an uncritical adoption of what has come to be known in the United States as the "single
publication" rule, a rule which has been rejected by the Court of Appeal of New South Wales in
McLean v David Syme & Co Ltd.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.674

Single publication rule

Some 27 States of the United States, including California, Illinois, New York, Pennsylvania and
Texas, by legislation[19]or by judicial decision have adopted what is identified as the single
publication rule[20]. That rule is set out in §577A of the Restatement of Torts, 2d, (1977), which
is headed "Single and Multiple Publications", and reads:

"(1) Except as stated in Subsections (2) and (3), each of several communications to a third person
by the same defamer is a separate publication. (2) A single communication heard at the same
time by two or more third persons is a single publication.

(3) Any one edition of a book or newspaper, or any one radio or television broadcast, exhibition

LA
of a motion picture or similar aggregate communication is a single publication.

IM
(4) As to any single publication,

(a) only one action for damages can be maintained;

SH
(b) all damages suffered in all jurisdictions can be recovered in the one action; and

(c) a judgment for or against the plaintiff upon the merits of any action for damages bars any
LU

other action for damages between the same parties in all jurisdictions."

In Firth v State of New York[21], the New York Court of Appeals decided that the one-year
PN

statute of limitation in New York runs from the first posting of defamatory matter upon an
Internet site and that the single publication rule applies to that first posting.
H

To trace, comprehensively, the origins of the so-called single publication rule, as it has come to
be understood in the United States, may neither be possible nor productive. It is, however, useful
to notice some of the more important steps that have been taken in its development. Treating
each sale of a defamatory book or newspaper as a separate publication giving rise to a separate
cause of action might be thought to present difficulties of pleading and proof. Following early
English authority holding that separate counts alleging each sale need not be pleaded in the
declaration[22], American courts accepted that, where the defamatory matter was published in a
book or newspaper, each publication need not be pleaded separately[23]. Similarly, proof of
general distribution of a newspaper was accepted as sufficient proof of there having been a

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.675

number of separate publications. It was against this background that there emerged, at least in
some American States by the late nineteenth century, the rule that a plaintiff could bring only
one action against a defendant to recover damages for all the publications that had by then been
made of an offending publication. The expression "one publication" or, later, "single publication"
was first commonly used in this context.

In the early decades of the twentieth century, the single publication rule came to be coupled with
statements to the effect that the place of that single publication was the place where the
newspaper or magazine was published. The source of this added proposition was given as a case
of prosecution for criminal libel where the question was that raised by the Sixth Amendment to
the United States Constitution and its reference to the "state or district wherein the crime shall

LA
have been committed". Despite this difference in the context in which the question of location
arose, the statement that the place of publication was where the newspaper or magazine was

IM
published was sometimes taken as stating an element of (or at least a consequence of) the single
publication rule applied to civil defamation suits.
SH
This single publication rule was understood as having consequences for the application of
statutes of limitation which, in many States in the United States, provided only a short time
LU

before action for defamation was statute barred. The time of the "single publication" was fixed as
the time of the first publication, it being thought that "[I]f the bar of the statute of limitations can
PN

be lifted by [later sales] we may no longer term it a 'statute of repose' which makes effective a
purpose which the Legislature has conceived to be imperative".
H

It was not until the middle of the twentieth century and the advent of widely disseminated mass
media of communication (radio and nationally distributed newspapers and magazines) that
choice of law problems were identified. In some cases, the law of the forum was applied without
any explicit recognition of the possible application of some other law. But then, by a process of
what was understood as logical extension of the single publication rule, the choice of law to be
applied came to be understood as largely affected by, perhaps even to be determined by, the
proposition that only one action could be brought in respect of the alleged defamation, and that
the place of publication was where the person publishing the words had acted.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.676

For present purposes, what it is important to notice is that what began as a term describing a rule
that all causes of action for widely circulated defamation should be litigated in one trial, and that
each publication need not be separately pleaded and proved, came to be understood as affecting,
even determining, the choice of law to be applied in deciding the action. To reason in that way
confuses two separate questions: one about how to prevent multiplicity of suits and vexation of
parties, and the other about what law must be applied to determine substantive questions arising
in an action in which there are foreign elements.

Clearly, the common law favours the resolution of particular disputes between parties by the
bringing of a single action rather than successive proceedings. The principles of res judicata[36],
issue estoppel[37], and what has come to be known as Anshun estoppel[38], all find their roots in

LA
that policy. The application of that policy to cases in which the plaintiff complains about the
publication of defamatory material to many people in many places may well lead to the

IM
conclusion that a plaintiff may not bring more than one action in respect of any of those
publications that have occurred before the proceeding is instituted or even, perhaps, before trial
SH
of the proceeding is complete. Effect can be given to that policy by the application of well-
established principles preventing vexation by separate suits or, after judgment, by application of
the equally well-established principles about preclusion, including principles of Anshun estoppel.
LU

Conversely, where a plaintiff brings one action, account can properly be taken of the fact that
there have been publications outside the jurisdiction and it would be open to the defendant to
PN

raise, and rely on, any benefit it may seek to say flows from applicable foreign law. If some of
the publications of which complaint is or could be made are publications that have occurred
H

outside Australia, or if action has been instituted outside Australia in respect of publications
made in this country, or overseas, there is no evident reason why the questions thus presented are
not to be answered according to the established principles just mentioned. The application of
these principles, however, says nothing about questions of jurisdiction or choice of law. In
particular, the application of these principles does not require that a single place of publication be
identified in every defamation case no matter how widely the defamatory material is
disseminated.

Publications within Australia, but in different States or Territories, may require consideration of
additional principles. Although the choice of law to be made in such a case is again the law of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.677

the place of the tort, questions of full faith and credit or other constitutional questions may well
arise. It is unnecessary to pursue those matters further at the moment and we return to cases in
which there are international rather than solely international aspects.

Widely disseminated publications

In the course of argument much emphasis was given to the fact that the advent of the World
Wide Web is a considerable technological advance. So it is. But the problem of widely
disseminated communications is much older than the Internet and the World Wide Web. The law
has had to grapple with such cases ever since newspapers and magazines came to be distributed
to large numbers of people over wide geographic areas. Radio and television presented the same

LA
kind of problem as was presented by widespread dissemination of printed material, although
international transmission of material was made easier by the advent of electronic means of

IM
communication.

It was suggested that the World Wide Web was different from radio and television because the
SH
radio or television broadcaster could decide how far the signal was to be broadcast. It must be
recognised, however, that satellite broadcasting now permits very wide dissemination of radio
and television and it may, therefore, be doubted that it is right to say that the World Wide Web
LU

has a uniquely broad reach. It is no more or less ubiquitous than some television services. In the
end, pointing to the breadth or depth of reach of particular forms of communication may tend to
PN

obscure one basic fact. However broad may be the reach of any particular means of
communication, those who make information accessible by a particular method do so knowing of
H

the reach that their information may have. In particular, those who post information on the World
Wide Web do so knowing that the information they make available is available to all and sundry
without any geographic restriction.

Because publication is an act or event to which there are at least two parties, the publisher and a
person to whom material is published, publication to numerous persons may have as many
territorial connections as there are those to whom particular words are published. It is only if one
starts from a premise that the publication of particular words is necessarily a singularevent which
is to be located by reference only to the conduct of the publisher that it would be right to attach

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.678

no significance to the territorial connections provided by the several places in which the
publication is available for comprehension.

Other territorial connections may also be identified. In the present case, Dow Jones began the
process of making material available at WSJ.com by transmitting it from a computer located in
New York city. For all that is known, the author of the article may have composed it in another
State. Dow Jones is a Delaware corporation. Consideration has been given to these and indeed
other bases of territorial connection in identifying the law that might properly be held to govern
an action for defamation where the applicable choice of law rule was what came to be known as
the proper law of the tort.

LA
Many of these territorial connections are irrelevant to the inquiry which the Australian common
law choice of law rule requires by its reference to the law of the place of the tort. In that context,

IM
it is defamation's concern with reputation, and the significance to be given to damage (as being
of the gist of the action) that require rejection of Dow Jones's contention that publication is
SH
necessarily a singular event located by reference only to the publisher's conduct. Australian
common law choice of law rules do not require locating the place of publication of defamatory
material as being necessarily, and only, the place of the publisher's conduct (in this case, being
LU

Dow Jones uploading the allegedly defamatory material onto its servers in New Jersey).

Reference to decisions such as Jackson v Spittall, Distillers Co (Biochemicals) Ltd v Thompson

PN

and Voth v Manildra Flour Mills Pty Ltd show that locating the place of commission of a tort is
not always easy. Attempts to apply a single rule of location (such as a rule that intentional torts
H

are committed where the tort feasor acts, or that torts are committed in the place where the last
event necessary to make the actor liable has taken place) have proved unsatisfactory if only
because the rules pay insufficient regard to the different kinds of tortious claims that may be
made. Especially is that so in cases of omission. In the end the question is "where in substance
did this cause of action arise"? In cases, like trespass or negligence, where some quality of the
defendant's conduct is critical, it will usually be very important to look to where the defendant
acted, not to where the consequences of the conduct were felt.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.679

In defamation, the same considerations that require rejection of locating the tort by reference
only to the publisher's conduct, lead to the conclusion that, ordinarily, defamation is to be located
at the place where the damage to reputation occurs. Ordinarily that will be where the material
which is alleged to be defamatory is available in comprehensible form assuming, of course, that
the person defamed has in that place a reputation which is thereby damaged. It is only when the
material is in comprehensible form that the damage to reputation is done and it is damage to
reputation which is the principal focus of defamation, not any quality of the defendant's conduct.
In the case of material on the World Wide Web, it is not available in comprehensible form until
downloaded on to the computer of a person who has used a web browser to pull the material
from the web server. It is where that person downloads the material that the damage to reputation

LA
may be done. Ordinarily then, that will be the place where the tort of defamation is committed.

Set aside service or stay proceedings?

IM
It is convenient to deal at this point with Dow Jones's contentions that service of the originating
SH
process in the proceeding brought by Mr Gutnick should be set aside, and that further
proceedings should be stayed on the ground that Victoria was a clearly inappropriate forum for
trial of the action.
LU

Rule 7.01(1) of the Victorian Rules provided that:

PN

"(1) Originating process may be served out of Australia without order of the Court where - ...

(i) the proceeding is founded on a tort committed within Victoria;

H

(j) the proceeding is brought in respect of damage suffered wholly or partly in Victoria and
caused by a tortious act or omission wherever occurring".

Because Mr Gutnick alleged that he suffered damage in Victoria as a result of the publication
made in Victoria when the Barron's Onlinearticle was comprehensible to a reader, r 7.01(1)(j)
was plainly engaged. Mr Gutnick's proceeding was brought in respect of damage alleged to have
been suffered at least partly in Victoria and alleged to have been caused by a tortious act or
omission. As r 7.01(1)(j) makes plain, that paragraph of the rule has operation wherever the
tortious act or omission is alleged to have occurred.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.680

It matters not, in this case, whether par (i) of the rule applied. It follows from the fact that par (j)
was satisfied that the jurisdiction of the Supreme Court of Victoria was regularly invoked by
service of the proceeding on Dow Jones. Was Victoria, nevertheless, a clearly inappropriate
forum? Dow Jones contended that Victoria was a clearly inappropriate forum because the
substantive issues to be tried would be governed by the laws of one of the States of the United
States. Although reluctant, at first, to identify whether the state whose laws applied was New
Jersey or New York, in the end Dow Jones submitted that the defamation had occurred in New
Jersey and that the substantive issues in the proceeding were, therefore, to be governed by the
law of that State.

As has been noted earlier, Mr Gutnick has sought to confine his claim in the Supreme Court of

LA
Victoria to the damage he alleges was caused to his reputation in Victoriaas a consequence of the
publication that occurred in that State. The place of commission of the tort for which Mr Gutnick

IM
sues is then readily located as Victoria. That is where the damage to his reputation of which he
complains in this action is alleged to have occurred, for it is there that the publications of which
SH
he complains were comprehensible by readers. It is his reputation in that State, and only that
State, which he seeks to vindicate. It follows, of course, that substantive issues arising in the
action would fall to be determined according to the law of Victoria. But it also follows that
LU

Mr Gutnick's claim was thereafter a claim for damages for a tort committed in Victoria, not a
claim for damages for a tort committed outside the jurisdiction. There is no reason to conclude
PN

that the primary judge erred in the exercise of his discretion to refuse to stay the proceeding.

Actions for publications in several places

H

More difficult questions may arise if complaint were to be made for an injury to reputation which
is said to have occurred as a result of publications of defamatory material in a number of places.
For the reasons given earlier, in resolving those difficulties, it may be necessary to distinguish
between cases where the complaint is confined to publications made in Australia, but in different
States and Territories, and cases where publication is alleged to have occurred outside Australia,
either with or without publication within Australia. Several kinds of difficulty may arise and
each requires separate identification and consideration, even if the treatment of one may have
consequences for some other aspect of the matter.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.681

First, there may be some question whether the forum chosen by the plaintiff is clearly
inappropriate. If there is more than one action brought, questions of vexation may arise and be
litigated either by application for stay of proceedings or application for anti-suit injunction.

Secondly, a case in which it is alleged that the publisher's conduct has all occurred outside the
jurisdiction of the forum may invite attention to whether the reasonableness of the publisher's
conduct should be given any significance in deciding whether it has a defence to the claim made.
In particular, it may invite attention to whether the reasonableness of the publisher's conduct
should be judged according to all the circumstances relevant to its conduct, including where that

LA
conduct took place, and what rules about defamation applied in that place or those places.
Consideration of those issues may suggest that some development of the common law defences

IM
in defamation is necessary or appropriate to recognise that the publisher may have acted
reasonably before publishing the material of which complaint is made. Some comparison might
SH
be made in this regard with the common law developing by recognising a defence of innocent
dissemination to deal with the position of the vendor of a newspaper and to respond to the
emergence of new arrangements for disseminating information like the circulating library.
LU

In considering any of these matters, it should go without saying that it is of the first importance
to identify the precise difficulty that must be addressed. In particular, in cases where the
PN

publisher of material which is said to be defamatory has acted in one or more of the United
States, any action that is brought in an Australian court in respect of publications that were made
H

in America, would, in applying the law of the place of commission of the tort, have to give effect
to the rather different balance that has been struck in the United States between freedom of
speech and the individual's interest in reputation. Furthermore, it may well be that the resolution
of a claim for publications made in one or more of the United States would be affected by the
application by the law of the relevant state of a form of the single publication rule.

Three other matters should be mentioned. In considering what further development of the
common law defences to defamation may be thought desirable, due weight must be given to the
fact that a claim for damage to reputation will warrant an award of substantial damages only if
the plaintiff has a reputation in the place where the publication is made. Further, plaintiffs are

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.682

unlikely to sue for defamation published outside the forum unless a judgment obtained in the
action would be of real value to the plaintiff. The value that a judgment would have may be
much affected by whether it can be enforced in a place where the defendant has assets.

Finally, if the two considerations just mentioned are not thought to limit the scale of the problem
confronting those who would make information available on the World Wide Web, the spectre
which Dow Jones sought to conjure up in the present appeal, of a publisher forced to consider
every article it publishes on the World Wide Web against the defamation laws of every country
from Afghanistan to Zimbabwe is seen to be unreal when it is recalled that in all except the most
unusual of cases, identifying the person about whom material is to be published will readily
identify the defamation law to which that person may resort.

LA
The appeal should be dismissed with costs.

IM
GAUDRON J. I agree with Gleeson CJ, McHugh, Gummow and Hayne JJ, for the reasons their
Honours give, that the appeal in this matter should be dismissed. I also agree with their Honours'
SH
observations under the heading "Actions for publications in several places". In respect of one
aspect of those observations, I would wish to add some comments of my own.
LU

Much of the argument in the present case was concerned with the possibility of several actions
being brought in several different jurisdictions in respect of the same defamatory matter.
PN

Seemingly, it was to overcome that possibility that the "single publication" rule was adopted in
several of the American States. That rule has been described as "a legal fiction which deems a
widely disseminated communication ... to be a single communication regardless of the number of
H

people to whom, or the number of states in which, it is circulated."

It may be accurate to apply the description "legal fiction" to a rule that deems multiple
publications to be a single publication. However, it is not apparent that the single publication rule
set out in § 577A of the Restatement ofTorts, 2d, (1977) deems that to be the case. Rather, as
stated, the rule selects "single publication" as a device to define the circumstances in which a
plaintiff can be prevented from bringing more than one action.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.683

For many years it has been usual in this country for defamation plaintiffs to bring a single action
in respect of nationwide or multi-state publications. Gorton v Australian Broadcasting
Commission is an example of that practice. In an action of that kind, the ordinary choice of law
rules apply so that, in respect of each State or Territory in which the material was published, it is
open to the parties to rely on the law of that State or Territory.

It may be that the practice exemplified in Gorton v Australian Broadcasting Commission is not
simply a practice but the necessary consequence of the principle that underlies the decision in
Port of Melbourne Authority v Anshun Pty Ltd. In that case it was held that the Port of
Melbourne Authority was estopped from maintaining a separate action under a contract of
indemnity by reason that the claim for indemnity could have been pursued in earlier proceedings

LA
brought by an injured workman against the parties to the contract and, in which proceedings, the
contracting parties claimed contribution against each other as tortfeasors.

IM
In Anshun, the estoppel was said to arise, not because of res judicata or issue estoppel, as those
SH
concepts are traditionally understood, but because the claim for indemnity was "a defence to
[the] claim [for contribution] in the first action ... [and] so closely connected with the subject
matter of that action that it was to be expected that it would be relied upon as a defence to that
LU

claim and as a basis for recovery". In this regard, the estoppel was seen to be an aspect of "the
extended principle expressed by Sir James Wigram VC in Henderson v Henderson".
PN

It was said in Henderson v Henderson that:

"where a given matter becomes the subject of litigation in, and of adjudication by, a Court of
H

competent jurisdiction, the Court requires the parties to that litigation to bring forward their
whole case, and will not (except under special circumstances) permit the same parties to open the
same subject of litigation in respect of matter which might have been brought forward as part of
the subject in contest, but which was not brought forward, only because they have, from
negligence, inadvertence, or even accident, omitted part of their case."

For present purposes, it is unnecessary to explore the circumstances in which an estoppel will be
held to arise in consequence of a failure to raise a matter in earlier proceedings. Rather, it is
important to note that the principle as stated in Henderson v Henderson stems from the nature of
judicial power. The purpose of judicial power is the final determination of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.684

justiciablecontroversies and such controversies are not finally determined unless all issues
involved in a controversy are submitted for determination or, if they are not, are treated as no
longer in issue.

If a plaintiff complains of multiple and simultaneous publications by a defendant of the same

defamatory matter there is, in essence, a single controversy between them, notwithstanding that
the plaintiff may have several causes of action governed by the laws of different jurisdictions.
Accordingly, if, in such a case, an issue arises as to whether an Australian court is a clearly
inappropriate forum, a very significant consideration will be whether that court can determine the
whole controversy and, if it cannot, whether the whole controversy can be determined by a court
of another jurisdiction.

LA
As the respondent has limited his controversy with the appellant to the publication of defamatory

IM
matter in Victoria, the controversy is one that can be determined in its entirety by the Supreme
Court of that State and there can be no question of multiple suits in different jurisdictions.
SH
KIRBY J. Lord Bingham of Cornhill recently wrote that, in its impact on the law of defamation,
the Internet will require "almost every concept and rule in the field ... to be reconsidered in the
light of this unique medium of instant worldwide communication. "This appeal enlivens such a
LU

reconsideration.
PN

The facts are set out in other reasons. Essentially, Dow Jones & Company Inc, a corporation
registered in the United States of America ("the appellant"), published material on the Internet
that was allegedly defamatory of Mr Gutnick ("the respondent") who sued in the Supreme Court
H

of Victoria to recover damages to vindicate his reputation.

The issues of jurisdiction, applicable law and forum

History of the proceedings: Hedigan J ("the primary judge") dismissed a summons by which the
appellant had sought an order for the stay or dismissal of proceedings brought against it by the
respondent. This appeal comes from the refusal of the Court of Appeal of the Supreme Court of
Victoria to grant leave to the appellant to appeal from the judgment of the primary judge. The
Court of Appeal concluded that the decision was not attended by sufficient doubt to warrant its

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.685

intervention. It confirmed the judgment of the primary judge. The attention of this Court has
therefore been addressed to that judge's reasons.

Three issues: The appeal concerns issues that commonly arise where a non-resident foreign party
seeks a stay, or the setting aside, of process that brings it involuntarily before an Australian
court:

(1) The jurisdiction of the Australian court to decide the action;

(2) If jurisdiction exists, the law that will apply, in accordance with the principles of private
international law, in the exercise of such jurisdiction; and

LA
(3) Having regard to the resolution of those questions, whether the proceedings should be stayed,
or the process set aside, on the ground that the Australian jurisdiction selected by the plaintiff is

IM
an inconvenient forum when compared to another jurisdiction propounded by the resisting party.

The arguments of the parties: Although these three issues are separate and distinct, they are
SH
closely related. One vital question, relevant to the answer to each issue, is where the cause of
action, identified by the respondent, arose. The respondent sues for defamation by the appellant.
He submits that the essential elements of the tort of defamation are: (1) publication; (2) in a form
LU

comprehended by a third party; (3) causing damage to the plaintiff which, in the case of proof of
publication of defamatory matter, is presumed[69]. Upon this basis the respondent asserts that
PN

his proceedings were "founded on a tort committed within Victoria".

If Victoria is identified as the place of the tort, that finding would provide a strong foundation to
H

support the jurisdiction of the Supreme Court of Victoria; and to sustain a conclusion that the law
to be applied to the proceedings, as framed, is the law of Victoria. These conclusions would, in
turn, provide the respondent with powerful arguments to resist the contention that the
proceedings should be stayed, or set aside, on inconvenient forum grounds.

It is unsurprising that the thrust of the appellant's argument was that this Court should re-
examine the common law of defamation in Australia so as to reformulate its elements, either
generally or specifically, for the law as it applies to publication on the Internet. In particular, the
appellant urged this Court to re-express the common law so as to abolish the "primitive" rule,
that every publication of defamatory material constitutes a new and separate tort. At least in

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.686

respect of publications appearing on the Internet, the appellant submitted that the Court should
express the common law to treat defamation as "one global tort (rather than a multiple wrong
committed by every single publication and every internet hit)"

If the common law were re-expressed in this way, the appellant's argument proceeded, the
"publication" in this case had occurred, and the tort had been completed, in the United States.
Specifically, this had occurred in the State of New Jersey where the matter complained of was
uploaded on the appellant's website or in the State of New York where it was composed and
finally edited.

Practical considerations: Behind these arguments of legal authority, principle and policy lay the

LA
forensic advantages perceived by the respective parties. That is not unusual. Nor is it in any way
reprehensible. But it should be recognised at the outset. The respondent was entitled to regard the

IM
law of defamation in Victoria as more favourable to his interests than the law in the United
States. The latter is greatly influenced by the jurisprudence of the First Amendment to the
SH
Constitutionof that country. That jurisprudence is more favourable to the appellant. The
jockeying over the issues in this appeal is thus not concerned only with large questions of law.
For the parties, the stakes are more basic and more urgent.
LU

Reformulation of the common law of Australia

PN

Reasons for restraint: The responsibilities of this Court extend to the re-expression of the
common law of Australia. However, the Court is bound by the Constitution. No principle of the
common law may be inconsistent with its language or implications[80]. Nor may the common
H

law be inconsistent with valid applicable legislation, whether federal, State or of a Territory. In
re-expressing the common law from time to time, regard may be had to the general developments
of statute law.

Sometimes, asked to reformulate an established principle of the common law, this Court will
decline the invitation, considering that any alteration of the law should be left to the legislature.
Factors relevant to such decisions have included the effect on competing interests that should be
consulted before any alteration of the law[83]; the existence of significant economic implications
of any change; the enactment of legislation evidencing parliamentary attention to the subject; the
perceived undesirability of imposing retrospective liability, especially criminal liability, on

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.687

persons; and the desirability, in particular cases, of not making any change until after intensive
analysis of social data and public consultation, facilities typically unavailable to a court. The
fundamental restraint upon substantial judicial innovation in the expression of the law is imposed
by the character of a court's functions as such and an acceptance that, under the Constitution,
major legal changes in the Australian Commonwealth are the responsibility of the other branches
of government, not of the courts.

Reasons for action: Despite these expressions of restraint, important reformulations of the
common law have been made by this Court, including in recent times[89]. Some of these have
had very great significance. They have reversed long held notions of common law principle.
Sometimes they have been stimulated by contemporary perceptions of the requirements of

LA
fundamental human rights[90]. In the present case, in support of its arguments, the appellant
invoked the "revolutionary" features of the technology that supplies the Internet. It submitted that

IM
those features permitted, and required, a reconsideration of the law governing the elements of the
tort of defamation.
SH
The features of the Internet and the World Wide Web

The Internet: The history of the Internet, its ubiquity, universality and utility have been described
LU

in the reasons of many courts in the United Kingdom, the United States, Canada, Australia and
elsewhere. In the expert evidence before the primary judge in this case, there was no relevant
PN

dispute about the main features of the Internet and of the World Wide Web specifically. Some
additional evidence relevant to those features was placed before this Court, without objection, in
H

support of the application of a number of organisations which were granted leave to intervene.
Although the supporting affidavits were not part of the record in the appeal, and cannot be so
treated, most of the features of the Internet there described confirm the evidence given at trial.
They are, in any case, readily ascertainable from standard works that describe the Internet's basic
elements.

It is important to consider these features because they afford the foothold for the appellant's
argument that the Internet is such a new and different medium of human communication that it
demands a radical reconceptualisation of the applicable common law, specifically with respect to
the tort of defamation.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.688

It has been estimated that, by the end of 2002, the number of Internet users will reach 655
million. The number continues to grow exponentially. It is estimated that in some countries, the
number of users doubles every six months. The Internet is essentially a decentralised, self-
maintained telecommunications network. It is made up of inter-linking small networks from all
parts of the world. It is ubiquitous, borderless, global and ambient in its nature. Hence the term
"cyberspace". This is a word that recognises that the interrelationships created by the Internet
exist outside conventional geographic boundaries and comprise a single interconnected body of
data, potentially amounting to a single body of knowledge. The Internet is accessible in virtually
all places on Earth where access can be obtained either by wire connection or by wireless
(including satellite) links. Effectively, the only constraint on access to the Internet is possession

LA
of the means of securing connection to a telecommunications system and possession of the basic
hardware.

IM
The World Wide Web: The Web is a forum consisting of millions of individual "sites". Each site
contains information provided by, or to, the creator of that site. When a publisher of information
SH
and opinion wishes to make its content available on the Web, it commonly does so by creating a
"website" and "posting" information to that site. Such a website is a collection of electronic
messages maintained on a type of computer known as a "web server". Typically, this is
LU

controlled either by the publisher concerned or by a third party contracted by the publisher to
provide "web hosting" services.
PN

An Internet user may access the information maintained on a website provided the user knows,
or can ascertain, the Internet address of the relevant website. By entering that address into the
H

user's web browser, the user will be directed to that website. Once the user locates the website in
this way, the user may be required to take additional steps to access information stored on the
web server associated with the website. Thus, to post an article to a website, a publisher must
prepare a version in digital (computer readable) format. Such an article becomes part of the
digital collection of data known as a web page. Such a web page is transmitted to a web server.
It, along with the other web pages, comprises the website.

By posting information on a website, the publisher makes the content available to anyone,
anywhere, having access to the Web. However, accessibility will depend on whether there is
open access (under which any web user can access the site); subscription access (under which

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.689

only web users who register, and commonly pay, for the service can secure access); combination
access (where only a portion of a site may be accessed after registration and/or payment of a fee)
and restricted access (access limited to specified users authorised by the website operator to view
the website, eg employees of a particular company).

Difficulty of controlling access: The nature of the Web makes it impossible to ensure with
complete effectiveness the isolation of any geographic area on the Earth's surface from access to
a particular website. Visitors to a website automatically reveal their Internet Provider ("IP")
address. This is a numerical code that identifies every computer that logs onto the Internet. The
visitor may also disclose certain information about the type of browser and computer that the
visitor uses. The IP addresses of users are generally assigned to them by an Internet Service

LA
Provider ("ISP"). The user's IP address will remain the same whenever and wherever the user
"surfs" the Web. But some ISPs do not assign a permanent IP address. Instead, they assign a new

IM
IP address every time a user logs onto the Web. Because of these features, there is presently no
effective way for a website operator to determine, in every case, the geographic origin of the
SH
Internet user seeking access to the website.

For similar reasons, with respect to subscription accounts, checking the issuing location of a
LU

credit card provided by a user would not afford a universally reliable means of ascertaining the
geographic location of a user seeking access to a website. Thus, even assuming that a geographic
PN

restriction could be introduced isolating Australia (and hence Victoria) by reference to the origin
of the visitor's credit card, a resident of Australia with a credit card issued by a United States
bank, would be able to access sites that might be denied to an Australian resident with an
H

Australian credit card, although both users were physically located in Australia.

In addition to these difficulties of controlling access to a website by reference to geographic,

national and subnational boundaries, the Internet has recently witnessed a rapid growth of
technologies ("anonymising technologies") that enable Internet users to mask their identities (and
locations). By reason of these developments, the provision of cost effective, practical and reliable
identity verification systems, that could afford a universally reliable recognition of the point of
origin of an Internet user, has not emerged. This is why the nature of Internet technology itself
makes it virtually impossible, or prohibitively difficult, cumbersome and costly, to prevent the
content of a given website from being accessed in specific legal jurisdictions when an Internet

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.690

user in such jurisdictions seeks to do so. In effect, once information is posted on the Internet, it is
usually accessible to all Internet users everywhere in the world. Even if the correct jurisdiction of
an Internet user could be ascertained accurately, there is presently no adequate technology that
would enable non-subscription content providers to isolate and exclude all access to all users in
specified jurisdictions.

These special features of the Internet present peculiar difficulties for the legal regulation of its
content and, specifically, for the exclusion of access in defined jurisdictions. Such difficulties
may have a bearing on the question of whether a particular jurisdiction has an advantage in
regulating content published and accessed on the Internet. This does not mean (and no party
before the Court suggested) that the Internet is, or should be, a law-free zone. However, in

LA
considering what the law, and specifically the common law of Australia, should say in relation to
the contents of the Internet, particularly with respect to allegedly defamatory material on a

IM
website, the appellant argued that regard had to be taken of these elementary practical features of
the technology.
SH
Novel features of the Web: The crucial attributes, so it was said, include the explosion in the
availability of readily accessible information to hundreds of millions of people everywhere, with
LU

the consequent enhancement of human knowledge, and the beneficial contribution to human
freedom and access to information about the world's peoples and their diverse lives and
PN

viewpoints that the Internet makes available, thereby contributing to human understanding. It
was argued that the law should generally facilitate and encourage such advances, not attempt to
restrict or impede them by inconsistent and ineffective, or only partly effective, interventions, for
H

fear of interrupting the benefit that the Internet has already brought and the greater benefits that
its continued expansion promises.

This Court has made reference to the fact that modern development in mass communications and
particularly the electronic media may influence the continued relevance or reformulation of
established legal principles[102]. The appellant contested the respondent's suggestion that the
Internet was merely the latest of many technologies that have enhanced the spread of
information. It submitted that the Internet involved a quantum leap of technological capacity and

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.691

the ubiquitous availability of information that demanded a root and branch revision of some of
the earlier legal rules in order to take into account the Internet's special features.

The appellant accepted that it was requesting this Court to take a large step in re-expressing the
principles of the common law. However, it argued that the Court should seek a bold solution
because of the revolutionary character of the technology that had produced the need to do so.
Because the common law adapts even to radically different environments, this Court was asked
to be no less bold than the technologists who had invented and developed the Internet. We were
reminded of Judge Learned Hand's observation:

"The respect all men feel in some measure for customary law lies deep in their nature; we accept

LA
the verdict of the past until the need for change cries out loudly enough to force upon us a choice
between the comforts of further inertia and the irksomeness of action."

IM
In Theophanous v Herald and Weekly Times Limited, Brennan J, citing these remarks, noticed
that some judges "find the call to reform more urgent". In the context of the development of the
SH
Internet, the unique features that I have described and the many beneficial advantages which I
acknowledge, I am one of those to whom Brennan J referred.
LU

The idea that this Court should solve the present problem by reference to judicial remarks in
England in a case, decided more than a hundred and fifty years ago, involving the conduct of the
PN

manservant of a Duke, despatched to procure a back issue of a newspaper of minuscule

circulation[105], is not immediately appealing to me. The genius of the common law derives
from its capacity to adapt the principles of past decisions, by analogical reasoning, to the
H

resolution of entirely new and unforeseen problems. When the new problem is as novel, complex
and global as that presented by the Internet in this appeal, a greater sense of legal imagination
may be required than is ordinarily called for. Yet the question remains whether it can be
provided, conformably with established law and with the limited functions of a court under the
Australian constitution to develop and re-express the law.

Jurisdiction: the Victorian Supreme Court Rules

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.692

The applicable Rule of Court: It is convenient now to deal with an issue of construction that lies
at the threshold and concerns the applicability of the Supreme Court Rules of Victoria ("SCR")
invoked by the respondent to establish jurisdiction, given that his process was served on a
foreign corporation out of Australia which had no apparent presence or assets in this country.
The relevant rule, r 7.01, is set out in other reasons.

Upon one available interpretation, r 7.01 applies in the present case wherever it might be held
that the tort of defamation has occurred. If this is a good argument it is unnecessary, in resolving
the first issue (jurisdiction), to address any of the foregoing large questions about the Internet. If
the respondent's point on the construction of the nominated rule is valid, he has demonstrated
jurisdiction in any case. This conclusion would get the respondent over the first hurdle.

LA
The primary judge held that the respondent had established jurisdiction of the Supreme Court of

IM
Victoria on each of the two provisions of r 7.01(1) upon which he relied, namely pars (i) and (j).
Each of those paragraphs was referred to in the endorsement on the originating process. The
SH
primary judge held that the proceeding "was founded on a tort committed within Victoria and
alternatively the proceeding is brought in respect of damage suffered wholly or partly in Victoria
caused by a tortious act and omission occurring in New Jersey".
LU

The first relevant ground on which the appellant challenged the primary judge's assumption of
jurisdiction concerned the interpretation of the cited rule. The appellant disputed that the tort for
PN

which it was being sued had been committed in Victoria within par (i). This argument enlivened
its call for a departure from previous expressions of the common law on the basis of the lack of
H

locality of the Internet. But if the primary judge is correct and par (j) also applies, there is no
need, for the purposes of the jurisdiction issue, to embark on the exploration of such novel
questions. Jurisdiction will be established.

The parties' arguments: The appellant's argument took two steps. The first was that, in judging
the meaning of par (j), it is necessary to classify the claim of the party filing the originating
process, ie the respondent. As pleaded, his claim was solely that the tort of defamation alleged
had been committed in Victoria. Originally this claim was made only by virtue of the Internet
publication. Subsequently it relied, in addition, on evidence that five copies of the journal,
containing the matter complained of, had been sold on news stands in Victoria.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.693

The primary judge gave the respondent leave to amend his statement of claim to add a new cause
of action based on the publication of Barron'smagazine in Victoria. However, in his reasons on
the jurisdiction issue, the judge concluded that the issue of jurisdiction could be decided without
reference to the alleged publication of the printed versions in Victoria. He said that any such
publication was minimal and that his decision on the argument of Internet publication would, in
substance, conclude the issue of the court's jurisdiction. It is appropriate for this Court to proceed
on the same basis.

The second step in the appellant's argument was that par (j) did not, as a matter of construction,
extend to torts that had occurred in Victoria. It was submitted that this was so because the
paragraph was not necessary in order to afford jurisdiction over local torts. That had already been

LA
achieved by par (i). It followed, according to the appellant, that par (j) related only to a case
where the pleaded cause of action was alleged to be a wholly foreign tort. It was submitted that

IM
this construction was reinforced by the history of the revision of the SCR, of their origins and
adoption and of the consecutive appearance within r 7.01(1) of pars (i) and (j).
SH
Conclusion: I reject this submission. It involves reading pars (i) and (j) too narrowly when those
paragraphs are viewed in context. Each of them affords "long-arm" jurisdiction to the Supreme
LU

Court of Victoria based on specified, and different, factual premises. Whereas par (i) addresses
attention to the propounded foundation of the proceeding in question, par (j) is not concerned, as
PN

such, with the pleading of the tort. It is concerned with the characterisation of the proceedings as
brought "in respect of damage suffered wholly or partly in Victoria". Whatever else is in doubt, it
is uncontested that the respondent's proceedings alleged that the respondent had suffered damage
H

in Victoria. Once this is shown, the only question to be answered, to attract par (j), is whether
such damage was "caused by a tortious act or omission wherever occurring". The language used
requires nothing more than "damage" caused by a tort. For the purpose of par (j), the place of the
occurrence of the tort (whether in Victoria, New Jersey or anywhere else) is irrelevant. Because
it is irrelevant, it is an issue that does not have to be resolved in order to determine whether
r 7.01(1)(j) attaches to the respondent's originating process.

It might be complained that "long-arm" rules such as that in r 7.01(1)(j), providing jurisdiction
based upon the mere happening of damage within a jurisdiction, conflicts with the ordinary
principle of public international law obliging a substantial and bona fide connection between the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.694

subject matter of a dispute and the source of jurisdiction of a national court over its resolution.
The validity of the relevant rule has not been challenged in the present proceedings. The rule in
question in this case has overseas equivalents. The law in the United States itself contains many
provisions for long-arm jurisdiction.

It follows from my analysis that the primary judge was correct to decide the first issue
(jurisdiction) in favour of the respondent. Having found jurisdiction on the basis of par (j), it was
strictly unnecessary to decide whether another basis for jurisdiction was established under par (i).
The appellant's appeal against this part of the primary judge's reasoning fails.

As a result of this conclusion, the respondent enjoys the advantage of properly constituted

LA
proceedings in an Australian court. The objections that the appellant is not present in this
country, has no office or assets here (as I would be prepared to infer); has only minimal

IM
commercial interest in the sale of Barron'smagazine or online services in Victoria or to
Australians; and publishes them principally for the benefit of, and sale to, United States readers,
SH
are considerations irrelevant to the issue of jurisdiction once the propounded long-arm rule is
found valid and applicable.

It remains to decide whether the foregoing considerations, or any of them (and any other
LU

considerations) are relevant to the remaining issues which are presented in these proceedings:
First, the appropriate identification of the place of the tort and consequently the applicable law;
PN

and secondly, whether the primary judge's discretion miscarried on the issue of the
appropriateness or otherwise of the Victorian forum for the determination of the cause of action.
H

For the resolution of those issues, it is now necessary to address in more detail the appellant's
submission that the conventional requirements of the law of defamation should be altered to
recognise that the publication of the allegedly defamatory material on the Internet, and therefore
the tort of defamation, occurred in this case in New Jersey (or New York) in the United States.

Choice of law: the law of the place of the wrong

jurisdiction and applicable law: The decision that the Victorian Court has jurisdiction over the
parties does not resolve the law that such a Court must apply. The distinction between
jurisdiction and choice of law is repeatedly made in decisions of this Court. It has insisted that
such issues be kept separate and distinct[114]. A court may have jurisdiction, but it may equally

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.695

be bound by the applicable rules of private international law to exercise its jurisdiction by giving
effect to the law of a foreign jurisdiction. Where necessary, this is done by receiving evidence to
prove what that foreign law is. The mere fact that foreign law is applicable, and must be proved,
does not, of itself, decide the third (convenient forum) issue. In Regie National des Usines
Renault SA v Zhang, this Court held that "[a]n Australian court cannot be a clearly inappropriate
forum merely by virtue of the circumstance that the choice of law rules which apply in the forum
require its courts to apply foreign law as the lex causae."

The majority in Zhang agreed that the principle, earlier accepted in John Pfeiffer Pty Ltd v
Rogerson with respect to intra-Australian torts, extended equally to "international torts". This
was so, despite the absence, in the case of international torts, of the federal consideration that had

LA
encouraged this Court in Pfeiffer to abandon the "double actionability" rule in Phillips v Eyre
and to depart from local decisions that had applied that rule.

IM
The rule for the ascertainment of the applicable law is therefore that it is the law where the tort
SH
was committed (lex loci delicti). In Zhang, I acknowledged that it will sometimes be "debatable
as to where precisely the 'wrong' occurred". Neither Pfeiffer nor Zhang dealt precisely with the
issue raised by the present proceedings. Here, depending upon the identification of the elements
LU

of the tort alleged by the respondent, they could be categorised as referring to an Australian tort,
an international tort, or both. The present is a case where each party urges the contrary locus.
PN

The parties' arguments: The respondent, invoking what he asserted to be "hundreds of years" of
defamation law, submitted that the conclusion of the primary judge was correct. This was so
H

because of two basic principles:

First, that each publication of defamatory material represents a separate tort for which a plaintiff
could sue and this rule applies to publications on the Internet as much as to those in any other
medium; and

. Secondly, that the "publication" for the purposes of the law of defamation did not occur when
the offending words were written, committed to digital form, "uploaded" or otherwise processed
(in the United States). Potentiality to harm, reasonable expectations that this would be a
consequence and even an intention to have that result were not enough. For defamation, it was
necessary that the plaintiff's reputation should be damaged in fact. Relevantly to the impugned

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.696

material and the tort as pleaded, this had happened at the time and place the matter complained
of was received and comprehended by a person (other than the publisher and the plaintiff) in
Victoria, ie when the material sued for appeared on the appellant's website and was
"downloaded" (or when the hard copies of the magazine distributed in Victoria were acquired
and read)

For its part, the appellant, supported by the interveners, invited this Court to reformulate, at least
in the context of publications on the Internet, the legal ingredients of the tort of defamation; and
to adopt, at least in respect of such publications, a single publication rule expressed in terms of
the place of "uploading". Alternatively, the appellant argued the place of the wrong for choice of
law purposes should be ascertained by reference to where in substance the cause of action rose.

LA
If that question were asked in the present case, the appellant suggested that the answer would be
New Jersey (or New York), not Victoria.

IM
Interrelationship of issues: The interrelationship of the three issues in the appeal can be seen
SH
immediately. Each of the foregoing submissions would be relevant to the jurisdiction issue (if
jurisdiction were determined only by whether a tort had been committed within Victoria). It is
only because of the wider criterion of jurisdiction contained in r 7.01(1)(j) of the SCR that such
LU

arguments are not determinative of the jurisdiction issue in this case. However, they are clearly
relevant for the choice of law issue. And this, in turn, is important for the convenient forum issue
PN

and, in a sense, foreshadows that issue.

Defamation and the Internet: a new paradigm?

H

A novel development: The fundamental premise of the appellant's arguments concerning the
reformulation of the applicable rules of defamation depended on the technological features of the
Internet. According to the appellant, those features were sufficiently different from pre-existing
technology to demand a substantial reconsideration of the relevant law that had been stated in a
different context in earlier times. If a more general revision were thought inappropriate or
unnecessary, the task should at least be undertaken for any allegedly defamatory imputations
published on the Internet.

I accept that a number of arguments support this proposition. Involved in responding to it are
important questions of legal principle and policy. The proposition cannot be answered by an

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.697

enquiry limited to expressions of past law. When a radically new situation is presented to the law
it is sometimes necessary to think outside the square. In the present case, this involves a
reflection upon the features of the Internet that are said to require a new and distinctive legal
approach.

First, the Internet is global. As such, it knows no geographic boundaries. Its basic lack of locality
suggests the need for a formulation of new legal rules to address the absence of congruence
between cyberspace and the boundaries and laws of any given jurisdiction. There are precedents
for development of such new legal rules. The Law Merchant (lex mercatoria) arose in medieval

LA
times out of the general custom of the merchants of many nations in Europe. It emerged to
respond to the growth of transnational trade. The rules of the common law of England adapted to

IM
the Law Merchant. They did so out of necessity and commonsense.

Effective legal responses: The general principle of public international law obliging comity in
SH
legal dealings between states suggests that arguably, with respect to the legal consequences of
the Internet, no jurisdiction should ordinarily impose its laws on the conduct of persons in other
jurisdictions in preference to the laws that would ordinarily govern such conduct where it occurs.
LU

At least this should be so unless the former jurisdiction can demonstrate that it has a stronger
interest in the resolution of the dispute in question than the latter. In conformity with this
PN

approach, the advent of the Internet suggests a need to adopt new principles, or to strengthen old
ones, in responding to questions of forum or choice of law that identify, by reference to the
H

conduct that is to be influenced, the place that has the strongest connection with, or is in the best
position to control or regulate, such conduct. Normally, the laws of such a place are those most
likely to be effective in securing the objectives of law, such as here, the protection of the right to
free expression and access to information and the defence of reputation.

Effectiveness of remedies: Any suggestion that there can be no effective remedy for the tort of
defamation (or other civil wrongs) committed by the use of the Internet (or that such wrongs
must simply be tolerated as the price to be paid for the advantages of the medium) is self-
evidently unacceptable. Instruments of international human rights law recognise the right of
"[e]veryone ... to hold opinions without interference" and to enjoy "the right to freedom of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.698

expression ... [including] freedom to seek, receive and impart information and ideas of all kinds,
regardless of frontiers ... through any ... media of his choice". However, such instruments also
recognise that those rights carry "duties and responsibilities". They may therefore "be subject to
certain restrictions, but these shall only be such as are provided by law and are necessary ... [f]or
respect of the rights or reputations of others".

The International Covenant of Civil and Political Rights also provides that "[n]o one shall be
subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence,
nor to unlawful attacks on his honour and reputation". And that "[e]veryone has the right to the
protection of the law against such interference or attacks". Accordingly, any development of the
common law of Australia, consistent with such principles, should provide effective legal

LA
protection for the honour, reputation and personal privacy of individuals. To the extent that our
law does not do so, Australia, like other nations so obliged, is rendered accountable to the

IM
relevant treaty body for such default.
SH
The law in different jurisdictions, reflecting local legal and cultural norms, commonly strikes
different balances between rights to information and expression and the protection of individual
reputation, honour and privacy. These disparities suggest the need for a clear and single rule to
LU

govern the conduct in question according to pre-established norms. If it is to be effective, such a

rule must be readily ascertainable. To tell a person uploading potentially defamatory material
PN

onto a website that such conduct will render that person potentially liable to proceedings in
courts of every legal jurisdiction where the subject enjoys a reputation, may have undesirable
consequences. Depending on the publisher and the place of its assets, it might freeze publication
H

or censor it or try to restrict access to it in certain countries so as to comply with the most
restrictive defamation laws that could apply. Or it could result in the adoption of locational
stratagems in an attempt to avoid liability.

A new rule for a unique technology: In response to the suggestion that similar questions have
existed at least since telegraph and international shortwave radio and that such potential liability
is a commonplace in the world of global television distributed by satellite, the appellant pointed
to the peculiarities of Internet publication. Viewed in one way, the Internet is not simply an
extension of past communications technology. It is a new means of creating continuous
relationships in a manner that could not previously have been contemplated. According to this

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.699

view, the Internet is too flexible a structure to be controlled by a myriad of national laws,
purportedly applied with no more justification than is provided by the content of such laws,
usually devised long before the Internet arrived. For stored information, accessible in
cyberspace, the new technology was said to demand a new approach. This would be true as much
for the law of taxation, commercial transactions and other areas, as for the law of defamation.

The urgency of a new rule: To wait for legislatures or multilateral international agreement to
provide solutions to the legal problems presented by the Internet would abandon those problems
to "agonizingly slow" processes of lawmaking. Accordingly, courts throughout the world are
urged to address the immediate need to piece together gradually a coherent transnational law
appropriate to the "digital millennium". The alternative, in practice, could be an institutional

LA
failure to provide effective laws in harmony, as the Internet itself is, with contemporary civil
society - national and international. The new laws would need to respect the entitlement of each

IM
legal regime not to enforce foreign legal rules contrary to binding local law or important
elements of local public policy. But within such constraints, the common law would adapt itself
SH
to the central features of the Internet, namely its global, ubiquitous and reactive characteristics.
In the face of such characteristics, simply to apply old rules, created on the assumptions of
geographical boundaries, would encourage an inappropriate and usually ineffective grab for
LU

extra-territorial jurisdiction.
PN

The adoption of a single publication rule, expressed in terms of the place of uploading of
material on the Internet might, in this case, favour the jurisdiction of the courts and the law of the
United States. However, it would not always be so. Thus, if the liability propounded concerned
H

an Australian who had uploaded material on the Internet within Australia, had taken pains to
conform to Australian defamation law but was sued for defamation in some other jurisdiction
whose defamation laws were more restrictive than Australia's, respect for the single global
publication rule, if it became internationally accepted, could help reduce the risks of legal
uncertainty and the excessive assertion of national laws.

Enforceability of judgments: Any rule adopted with respect to publication of defamatory matter
on the Internet must eventually face the practical question concerning the enforceability of a
judgment recovered in such proceedings. The balance that is struck between freedom of
expression and access to information and protection of individual reputation, honour and privacy

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.700

tends to be a subject about which divergent views exist in the laws of different countries.
Sometimes such laws are reinforced by domestic constitutional provisions. A judgment of a
country's courts, recovered in defamation proceedings, may be enforced against any property of a
foreign judgment debtor that exists within the jurisdiction. But if it is necessary to enforce the
judgment in another jurisdiction, the difficulty or impossibility of such enforcement may amount
to a practical reason for providing relief to the objecting foreign party on one or more of the
grounds of objection raised in this case.

By reference to these and like considerations, the appellant submitted that this Court should look
afresh at the common law of defamation. It argued that we, as one of the first final courts asked
to consider this problem, should adjust previously stated law to the new technological and legal

LA
realities. The adoption of a simple universal rule apt to the new medium, to the effectiveness of
law as an influence upon publishing conduct and realistic about the prospects of recovery upon

IM
judgments against foreign defendants, was the approach that the appellant invited this Court to
take.
SH
Reasons for declining an Internet-specific single publication rule

Limits to judicial innovation: The foregoing considerations present a persuasive argument for the
LU

formulation of a new rule of the common law that is particular to the publication of allegedly
defamatory matter on the Internet. For myself, I do not regard them as mere slogans. They
PN

present a serious legal issue for decision. Judges have adapted the common law to new
technology in the past. The rules of private international law have emerged as a result of, and
H

remain alive to, changes in the means of trans-border communication between people. The
Internet's potential impact on human affairs continues to expand and is already enormous. Later
judges, in a position to do so, can sometimes reformulate the law in order to keep it relevant and
just. Specifically they may re-express judge-made rules that suit earlier times and different
technologies. For a number of reasons I have concluded that this Court would not be justified to
change the rules of the Australian common law as would be necessary in this case to respond to
the submissions of the appellant.

First, a starting point for the consideration of the submission must be an acceptance that the
principles of defamation law invoked by the respondent are settled and of long standing. Those

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.701

principles are: (1) that damage to reputation is essential for the existence of the tort of
defamation; (2) that mere composition and writing of words is not enough to constitute the tort;
those words must be communicated to a third party who comprehends them; (3) that each time
there is such a communication, the plaintiff has a new cause of action; and (4) that a publisher is
liable for publication in a particular jurisdiction where that is the intended or natural and
probable consequence of its acts. Where rules such as these are deeply entrenched in the
common law and relate to the basic features of the cause of action propounded, their alteration
risks taking the judge beyond the proper limits of the judicial function.

Rules should be technology-neutral: Whilst the Internet does indeed present many novel
technological features, it also shares many characteristics with earlier technologies that have

LA
rapidly expanded the speed and quantity of information distribution throughout the world. I refer
to newspapers distributed (and sometimes printed) internationally; syndicated telegraph and wire

IM
reports of news and opinion; newsreels and film distributed internationally; newspaper articles
and photographs reproduced instantaneously by international telefacsimile; radio, including
SH
shortwave radio; syndicated television programmes; motion pictures; videos and digitalised
images; television transmission; and cable television and satellite broadcasting. Generally
speaking, it is undesirable to express a rule of the common law in terms of a particular
LU

technology. Doing so presents problems where that technology is itself overtaken by fresh
developments. It can scarcely be supposed that the full potential of the Internet has yet been
PN

realised. The next phase in the global distribution of information cannot be predicted. A legal
rule expressed in terms of the Internet might very soon be out of date.
H

The need for legislative reform: There are special difficulties in achieving judicial reform of the
multiple publication rule in Australian law, even if one were convinced that it should be
reformed to meet the technological characteristics of the Internet. Legislation in at least one
Australian State is expressed in terms that assume the existence of the multiple publication rule.

In Australian Broadcasting Corporation v Waterhouse, Samuels JA stated his opinion that a

single publication rule could only be introduced throughout Australia by statute. Whilst that
remark was not essential to his Honour's reasoning, was made before the particular features of
the Internet were known and does not bind this Court, it reflects the recognition of a judge with
much experience in defamation law of the limits that exist on judicial alteration of basic

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.702

principles to fit the apparent needs of a new technology. Because of such limits other means have
been adopted within Australia to reduce the inconvenience of the multiple publication rule.
Some, or all, of these would be available in the case of an Internet publication to reduce the
suggested inconvenience of that rule.

The defects of the multiple publication rule have been considered by the Australian Law Reform
Commission ("ALRC"). In successive reports, the ALRC has proposed different solutions to the
problem. In its report on defamation law, the ALRC recommended legislation to abrogate the
rule. However, its recommendations have not so far been enacted. Whilst this is not necessarily a
reason for this Court to stay its hand, it is appropriate to recall that in a parliamentary democracy
such as that established by the Australian Constitution, this is a reason for caution in judicial

LA
alteration of basic and long held legal rules. Such caution is reinforced by the consideration that
recently, when invited to do so, the House of Lords rejected the global theory of defamation

IM
liability. One of the reasons of the majority was that any such change would be incompatible
with the long established principle in the Duke of Brunswick's Case which, by inference, their
SH
Lordships felt to be beyond judicial repair.

There are a number of difficulties that would have to be ironed out before the settled rules of
LU

defamation law that I have mentioned could be modified in respect of publication of allegedly
defamatory material on the Internet.
PN

Take for example the suggestion that, before proof of damage or comprehension by anyone
(apart from the author), the place and law of "publication" was fixed by the jurisdiction in which
H

the text was first uploaded (as the appellant proposed) or in which the publisher last exercised
control over dissemination (as the interveners proposed). The respondent complained that either
of these rules, if substituted for the present law, would lead to "chaos". Even allowing for an
advocate's overstatement, there are indeed difficulties. Publishers could easily locate the
uploading of harmful data in a chosen place in an attempt to insulate themselves from
defamation liability. They might choose places with defamation laws favourable to publishing
interests. Just as books are now frequently printed in developing countries, the place of
uploading of materials onto the Internet might bear little or no relationship to the place where the
communication was composed, edited or had its major impact.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.703

As if to recognise this problem, the appellant postulated various exceptions to its criterion of the
place of uploading. These included exceptions for "adventitious or opportunistic" conduct; or
conduct that "targeted" a particular place; or which existed where the website was "promoted".
Apart from raising the question of whether the appellant's own publications would, in this case,
fall within exceptions of the latter kind, it will be observed that we are already involved in
overthrowing established legal rules for new ones that would require great precision in the
formulation of detailed exceptions if a satisfactory judicial reformulation were to be achieved.

The uploading approach would also oblige a plaintiff to discover matters of conduct normally
exclusively within the knowledge of the persons involved in processing the data. The plaintiff
would have to find such facts in advance of the commencement of the proceedings. There are

LA
many similar practical problems. However, I have said enough to show that the propounded
reformulation presents many complex questions. They are not appropriate for solution in judicial

IM
proceedings addressed to deciding a controversy between particular parties mainly or only
interested in the outcome of their own dispute.
SH
Attractions of alternative formulations: A connected issue demands consideration. If the place of
uploading were adopted as the place of publication which also governs the choice of applicable
LU

law, the consequence would often be, effectively, that the law would assign the place of the
wrong for the tort of defamation to the United States. Because of the vastly disproportionate
PN

location of webservers in the United States when compared to virtually all other countries
(including Australia) this would necessarily have the result, in many cases, of extending the
application of a law of the United States (and possibly the jurisdiction and forum of its courts) to
H

defamation proceedings brought by Australian and other foreign citizens in respect of local
damage to their reputations by publication on the Internet. Because the purpose of the tort of
defamation (as much in the United States as in Australia) is to provide vindication to redress the
injury done to a person's reputation, it would be small comfort to the person wronged to subject
him or her to the law (and possibly the jurisdiction of the courts) of a place of uploading, when
any decision so made would depend upon a law reflecting different values and applied in courts
unable to afford vindication in the place where it matters most.

At least in the case of the publication of materials potentially damaging to the reputation and
honour of an individual, it does not seem unreasonable, in principle, to oblige a publisher to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.704

consider the law of the jurisdiction of that person's habitual residence. In its review of this
subject, the ALRC expressed the opinion that "[i]n the case of defamation of a natural person,
the law to be applied would normally be that of the place where the person was ordinarily
resident". In its subsequent report on choice of law, the ALRC concluded that "residence is the
best option for a choice of law rule for defamation". The ALRC went on to recommend that it
was "unnecessary to qualify residence as 'usual' or 'habitual' for the purposes of this rule, since to
do so might take the rule further away from the place of loss of reputation".

In his reasons in Australian Broadcasting Corporation v Waterhouse[166], proposing the need

for legislative reform of defamation law within Australia, Samuels JA suggested much the same.
He said that the criterion of the habitual residence of the subject of the publication would present

LA
an objective criterion. It would discourage forum shopping. It would also give "effect to the
expectations of the parties" on the basis that the place of residence would be where "[a] plaintiff

IM
will generally suffer most harm". His Honour's analysis shows how deeply embedded in the
concept of the tort of defamation are the ideas of proof of damage to reputation; comprehension
SH
of the matter complained of; and acknowledgment that the sting is felt each time a publication is
repeated.
LU

When this point is reached it is natural, and proper, for a court such as this to refuse the
invitation to re-express the common law, even if persuasive criticism of the present law has been
PN

advanced, as I think it has. Although the ALRC's reports proposing relevant reforms have not
been implemented, it is not true to suggest that the parliaments of Australia have neglected
regulation of liability for particular aspects of Internet content. Further, while the
H

recommendations of the ALRC may provide guidance to the identification of the place of the tort
of defamation for choice of law purposes in light of this Court's decisions in Pfeifferand Zhang,
they do not assist the argument of the appellant. International developments, involving
multilateral negotiations, must also be considered if there is to be any chance of the adoption of a
uniform approach suitable to the world-wide technology, as the appellant urged. In other
sensitive areas of the law requiring international agreement, the Australian Parliament has
recently moved with proper speed to implement the emerging international consensus.

Change exceeds the judicial function: Although, therefore, the appellant (and interveners) have
established real defects in the current Australian law of defamation as it applies to publications

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.705

on the Internet, their respective solutions for altering the elements of the tort and expressing it in
terms of conduct substantially in the control of the publisher or its agents (and out of the control
of the plaintiff whose reputation is alleged to have been damaged) are too simplistic.

It would exceed the judicial function to re-express the common law on such a subject in such
ways. This is a subject of law reform requiring the evaluation of many interests and
considerations that a court could not be sure to cover. Subject to what follows, I, like the other
members of this Court, do not think that a single publication rule should be adopted in terms of
the place of uploading as the place of publication of allegedly defamatory material on the
Internet, which would also govern the choice of applicable law.

LA
The place of the wrong and the applicable law

The applicable test: The appellant then submitted that, even if a single publication rule were not

IM
adopted for defamatory publications on the Internet by reference to its special features, the result
that it sought still followed from an existing principle of Australian private international law
SH
concerning the place of wrongs that have connections with two or more jurisdictions. In
particular, the appellant argued that, in such circumstances, the applicable test obliged a court to
look "over the series of events constituting [the tort] and ask the question, where in substance did
LU

this cause of action arise?"

PN

The issue of the test for localising a tort, particularly in situations such as the present where the
cause of action has connection with more than one jurisdiction, did not need to be resolved by
this Court either in Pfeifferor in Zhang. Simply adopting the law of the place of the wrong as the
H

applicable law in international tort claims does not answer that question. It is not the end of the
inquiry, it is merely the beginning. It leads immediately to the additional question of identifying
the place of the wrong. In Pfeiffer, all of the elements of the cause of action were in the same
place. In Zhang, some elements occurred in France (design and manufacture of the motor car)
while some in New Caledonia (the accident itself), however both these jurisdictions were
governed by French law. While the law of the place of the wrong was adopted as a simple rule
which can be applied with certainty and predictability, this appeal illustrates the fact that much
controversy can exist in relation to the proper identification of where the place of the wrong is.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.706

The parties' arguments: The appellant urged that the test from Distillers Co (Biochemicals) Ltd v
Thompson provided the correct approach to resolving the foregoing issue. This was so because it
was said to involve a process of judicial evaluation of factors that the parties could not easily
manipulate, and therefore it could be said to avoid many of the problems discerned in the
alternative criteria propounded, such as the place of uploading on the Internet or the place of the
last exercise of control by the publisher.

The judgment for the Privy Council in Distillers, on appeal from New South Wales, before all
such Australian appeals were finally abolished in 1986, was delivered by Lord Pearson. After
examining a number of alternative ways of answering "where in substance did the cause of
action arise", his Lordship expressed a preference for identifying the locality of the tort as the

LA
place where "the act on the part of the defendant which gives the plaintiff his cause of
complaint"occurred. In Voth, this Court applied Lord Pearson's test from Distillersin answering

IM
the question whether the tort alleged was a "foreign tort".
SH
Lord Pearson's formulation appears, at least on the face of things, to assist the appellant. This is
because it focuses attention on the act of a defendant. Thus, it can be said that in this case the last
act of the appellant that gave the respondent his cause of action took place at the point of
LU

uploading, which occurred in New Jersey. Furthermore, the appellant and the interveners
submitted that the "substance" or "common sense" criterion applied to the subject matter of the
PN

present proceedings would clearly assign the place of the alleged wrong to New Jersey (or New
York). That was where the matter complained of was composed, finally edited and uploaded on
the appellant's website to be made available all over the world. The place where the
H

overwhelming majority of those who could be expected to (and did) have access to the matter
resided, was also in the United States. As well, that was the place where any law addressed to
changing conduct (and sanctioning a civil wrong) would enjoy its principal impact. It represented
the place where the actors involved, who made the material available to the world would,
normally, have access to legal advice and be subject to laws that they could reasonably be
expected to ascertain and comply with.

The issue in Distillerswas whether the plaintiff in that case had a "cause of action which arose
within the jurisdiction" of the Supreme Court of New South Wales for the purposes of s 18(4) of
the Common Law Procedure Act 1899 (NSW). In that sense, the case was concerned with the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.707

first of the three issues raised in this appeal, namely jurisdiction. Neither Distillersnor Vothwere
addressed to the issue of identifying the applicable law.

In these proceedings, as I have already found, the long-arm jurisdiction of the Supreme Court of
Victoria would be properly invoked by reference to r 7.01(1)(j) (because the respondent suffered
damage in Victoria). Therefore, it was not essential or even necessary to localise the tort in
Victoria for jurisdiction purposes. In David Syme & Co Ltd v Grey Gummow J suggested that
there was no compelling reason why the "process of identification and localisation is to be
performed in the same way in relation to both jurisdiction and choice of law". His Honour went
on to cite the following passage from Cheshire and North:

LA
"It has always been questionable whether jurisdictional cases should be used as authority in the
choice of law context ... [W]hilst a court may be prepared to hold that a tort is committed in

IM
several places for the purposes of a jurisdictional rule, it should insist on one single locus
delictiin the choice of law context."
SH
Even if one were to accept that Distillersprovides the applicable test for identifying the place of
the tort for choice of law purposes, in that case the Privy Council emphasised the need to
characterise properly the act or wrong-doing of the defendant that gives rise to the plaintiff's
LU

cause of action. In Distillers, an Australian plaintiff sued the English manufacturer of the drug
Distaval whose principal ingredient was Thalidomide, in the Supreme Court of New South
PN

Wales. The drug was manufactured in the United Kingdom, while the consequences in human
loss and suffering were felt in many other countries. The alleged negligent act on the part of the
H

defendant was not in the design or manufacture of the drug. Instead it was its unsuitability for
pregnant women because of the potential to cause defects and deformities in the unborn foetus.
The Full Court of the Supreme Court of New South Wales, held that it was not the manufacture
of the drug (in England), but the placing of the drug on the New South Wales market without the
appropriate warning that constituted the wrong. The Privy Council affirmed that conclusion.

Similarly, in Voth, Lord Pearson's test was applied by this Court in the context of identifying
whether New South Wales was a clearly inappropriate forum for the proceedings there in
question. One of the relevant considerations in that case (which involved a statement, or more

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.708

precisely an omission, made in Missouri but directed to an Australian company) was whether the
alleged tort of negligent misstatement was a foreign or a local tort.

It may be argued that Vothis also helpful to the appellants. In that case this Court held that a
negligent statement by the defendant made in Missouri directed at Australian companies that
relied upon such statements in New South Wales (which was also where the loss resulted) was in
fact a foreign tort. However, the Court there characterised the act of the defendant that gave rise
to the plaintiff's cause of action as the provision of accountancy services to the plaintiff
companies. That act was said to have been initiated and completed in Missouri.

LA
This brings me to the second problem of using the test from Distillersfor the purposes of
identifying the place of the tort for choice of law purposes in these proceedings. Both in

IM
Distillersand in Voth, the tort alleged was negligence. In the present proceedings, it is
defamation. The act on part of the appellant (defendant) complained of is the publication of
SH
material that allegedly damaged the respondent's reputation, not the making of a negligent
statement. Formulating the act in this way brings attention back to the place of publication,
which, as I have held, included Victoria.
LU

Even if, for the purposes of the choice of law rule in Zhang, the right approach to localisation of
PN

the tort is "when the tort is complete, to look back over the series of events constituting it and ask
the question, where in substance did this cause of action arise?", I agree that no single overly-
generalised criterion such as the place of injury or damage, or the place where the defendant
H

acted would be appropriate for identifying the place of the wrong in all actions of tort. Rather,
the place of the wrong needs to be ascertained in a principled fashion, based on an analysis of the
relevant legal issues in view of the rights, interests and legitimate expectations of the parties.

In a cause of action framed in defamation, the publication of the material which damages the
reputation of the plaintiff is essential. Merely creating and making the material available is
insufficient. The material has to be accessed or communicated in a jurisdiction where the
plaintiff has a reputation. That will usually be the place where the plaintiff is resident. Unlike
product liability or some other negligence claims, damage to reputation cannot occur
"fortuitously" in a place outside of the defendant's contemplation. Where a person or corporation

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.709

publishes material which is potentially defamatory to another, to ask the publisher to be
cognisant of the defamation laws of the place where the person resides and has a reputation is not
to impose on the publisher an excessive burden. At least it is not to do so where the potential
damage to reputation is substantial and the risks of being sued are commensurately real.
Publishers in the United States are well aware that few, if any, other jurisdictions in the world
observe the approach to the vindication of reputation adopted by the law in that country.

The foregoing approach may pose problems, particularly in cases where the plaintiff has a
substantial reputation in more than one legal jurisdiction and seeks to recover for the damage in
all such jurisdictions in a single proceeding. In such a case, potential liability in defamation for
the publication of material relating to such a person on the Internet may indeed have a chilling

LA
effect on free speech merely because one of those jurisdictions has more restrictive defamation
laws than the others. This approach could subject Australian defendants to the more restrictive

IM
defamation laws of foreign jurisdictions. However, such problems are the result of the absence of
uniformity in defamation laws, combined with an ability to access and broadcast material across
SH
national boundaries (which is not limited to the Internet) and the absence of international treaties
or reciprocal laws to govern those issues. Problems of a similar nature will arise whatever test is
adopted for choice of law purposes unless this Court were to revert to a parochial approach of
LU

answering all questions in proceedings properly founded in an Australian forum by reference

only to the law of that forum.
PN

Conclusion: The present case does not present an acute example of the foregoing difficulties. To
the knowledge of the appellant, the respondent ordinarily resided in Victoria. He had his business
H

address there. He was an officer there of several companies listed on the Australian Stock
Exchange. He was prominent in the local Jewish (Lubavitcher) community. He was also well
known there for charitable and sporting interests.

True, some readers of Barron's Online, or Barron'smagazine with access to the appellant's
website in New Jersey (or in New York), would have known of the respondent. Arguably, an
action based on the tort of defamation could therefore also be brought in those jurisdictions of
the United States. However, in this case it could not be suggested that the respondent had
resorted to Victoria only in order to invoke the process of its courts or in an exercise of forum
shopping. So far as damage to his reputation was concerned, Victoria, as the place of his

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.710

residence, was where most such damage would be done, rather than amongst business, religious
or other acquaintances in North America or with the very large number of strangers there who
might read about the respondent in the appellant's Internet publications.

Importantly, in the proceedings before the primary judge the respondent confined his claim to the
recovery of damages and the vindication of his reputation in Victoria. He also undertook not to
bring proceedings in any other place. The conclusion is therefore overwhelming that the
proceedings in the Supreme Court of Victoria were based on a local cause of action, and the
applicable law in those proceedings would be the defamation law of Victoria. It follows that no
error has been shown in the conclusions of the primary judge in this respect.

LA
The Victorian court as a convenient forum

The applicable test: The appellant finally challenged the primary judge's conclusion concerning

IM
the provision of relief pursuant to r 7.05(2)(b). That rule permits the Supreme Court of Victoria
to stay proceedings such as the present on the ground "that Victoria is not a convenient forum for
SH
the trial of the proceeding".

I have made it clear in earlier cases that I prefer the expression of the common law on this
LU

question in the terms adopted by the House of Lords in England in Spiliada Maritime Corp v
Cansulex Ltd. In my view, the issue is (as the terms of the Victorian rule suggest) whether the
PN

court in which the proceedings are pending is the natural forum for the trial or whether there is
another forum that is "more appropriate". However, although the formulation by the House of
Lords has found favour in most Commonwealth jurisdictions, and is more harmonious with the
H

rules of public international law respectful of comity between nations and their courts, I must
accept that this Court has adopted an approach more defensive of the exercise of properly
invoked jurisdiction by Australian courts.

In my view it is a mistake to re-express the rule, having been made under statutory power, in
terms of past common law formulae. In this respect, I adhere to the view that I expressed in
Zhang. However, upon this point, my opinion (shared by Callinan J) was a minority one. The
majority of this Court concluded, in respect of the equivalent provision in the Supreme Court
Rules 1970 (NSW) that, notwithstanding the language of the rule in that case, the test to be

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.711

applied was whether the party objecting to the forum had shown that the court selected was a
"clearly inappropriate forum".

The relevant rules of the Supreme Court of Victoria are somewhat different from those of the
Supreme Court of New South Wales considered in Zhang. However, the divergence is presently
immaterial. In resolving the convenient forum issue, the primary judge was bound to apply the
"clearly inappropriate forum" test.

The primary judge accepted, and applied, this Court's approach. There was therefore no error of
principle in his consideration of the third issue. In accordance with established appellate
principles, this Court is not authorised to disturb a discretionary conclusion on the convenient

LA
forum issue, unless error is shown that warrants such disturbance. There was no error in the
identification of the applicable test.

IM
The parties' arguments: The principal argument of the appellant on this last point of challenge
rested on its contention that error had occurred in the earlier legal mistakes concerning
SH
jurisdiction and the identification of the applicable law. The appellant criticised the weight given
by the primary judge to the undertaking of the respondent not to sue elsewhere and disclaiming
any damages in any other place. However, the essential ground for the disturbance of the primary
LU

judge's conclusion was that the applicable jurisdiction and law of the wrong alleged was either
New Jersey or New York in the United States.
PN

When those submissions are rejected, as I have held they properly were, the foundation for
interfering in the conclusion at first instance is knocked away. In Oceanic Sun Line Special
H

Shipping Company Inc v Fay, Gaudron J remarked that "the selected forum should not be seen as
an inappropriate forum if it is fairly arguable that the substantive law of the forum is applicable"
to the proceedings. In Voth, this Court accepted that the applicability to the proceedings of the
substantive law of the forum was a very significant, although not decisive, factor in the exercise
of the Court's discretion on the convenient forum issue.

Conclusion: Once jurisdiction and the place of the wrong are established in Victoria, the
submission of error on the convenient forum issue becomes much more difficult to accept. The
primary judge applied the correct test. The present proceedings were founded on a local cause of
action, and it is more than just "arguable" that the applicable law was the law of Victoria. No

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.712

basis has been shown to disturb the conclusion that the proceedings in Victoria should not be
stayed on the ground that the Supreme Court of that State was not a clearly inappropriate forum
for the trial of those proceedings. Even if I were of a different inclination in the balance of
evidentiary considerations, I would not be entitled to give effect to that view in the absence of a
demonstrated error. None has been shown. It follows that the appeal fails.

The outcome: a result contrary to intuition

The dismissal of the appeal does not represent a wholly satisfactory outcome. Intuition suggests
that the remarkable features of the Internet (which is still changing and expanding) makes it

LA
more than simply another medium of human communication. It is indeed a revolutionary leap in
the distribution of information, including about the reputation of individuals. It is a medium that

IM
overwhelmingly benefits humanity, advancing as it does the human right of access to
information and to free expression. But the human right to protection by law for the reputation
SH
and honour of individuals must also be defended to the extent that the law provides.

The notion that those who publish defamatory material on the Internet are answerable before the
LU

courts of any nation where the damage to reputation has occurred, such as in the jurisdiction
where the complaining party resides, presents difficulties: technological, legal and practical. It is
PN

true that the law of Australia provides protections against some of those difficulties which, in
appropriate cases, will obviate or diminish the inconvenience of distant liability. Moreover, the
spectre of "global" liability should not be exaggerated. Apart from anything else, the costs and
H

practicalities of bringing proceedings against a foreign publisher will usually be a sufficient

impediment to discourage even the most intrepid of litigants. Further, in many cases of this kind,
where the publisher is said to have no presence or assets in the jurisdiction, it may choose simply
to ignore the proceedings. It may save its contest to the courts of its own jurisdiction until an
attempt is later made to enforce there the judgment obtained in the foreign trial. It may do this
especially if that judgment was secured by the application of laws, the enforcement of which
would be regarded as unconstitutional or otherwise offensive to a different legal culture.

However, such results are still less than wholly satisfactory. They appear to warrant national
legislative attention and to require international discussion in a forum as global as the Internet

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.713

itself. In default of local legislation and international agreement, there are limits on the extent to
which national courts can provide radical solutions that would oblige a major overhaul of
longstanding legal doctrine in the field of defamation law. Where large changes to settled law are
involved, in an area as sensitive as the law of defamation, it should cause no surprise when the
courts decline the invitation to solve problems that others, in a much better position to devise
solutions, have neglected to repair.

Order

The appeal should be dismissed with costs.

CALLINAN J. The question which this case raises is whether the development of the Internet

LA
calls for a radical shift in the law of defamation.

IM
Facts

The appellant publishes for profit the Wall Street Journal, a daily financial newspaper, and
SH
Barron's, a weekly magazine, which is also concerned with financial matters. The edition of
Barron's dated Monday, 30 October 2000, but which was available publicly two days earlier,
contained an article by a journalist working for the appellant, Bill Alpert, headed "Unholy Gains"
LU

and sub-headed "When stock promoters cross paths with religious charities, investors had best be
on guard." A large photograph of the respondent appeared on the first page of the magazine. The
PN

article, of about 7,000 words, also contained photographs of other persons including Mr Nachum
Goldberg. Barron'shas a large circulation in the United States. Altogether, it was likely that
H

305,563 copies of the magazine were sold. A small number of them entered Australia, some of
which were sold in Victoria. Barron'salso put the article on the Internet. The relevant article
appeared on the appellant's website on 29 October 2000. Subscribers who paid an annual fee
were able to obtain access to that site at its address wsj.com. The site had about 550,000
subscribers. The appellant has an office that it calls a "corporate campus" in New Jersey where it
has a web server on which its website is stored. It was conceded by the appellant that it could not
identify the addresses of all of its subscribers but that 1,700 or so of them paid subscription fees
by credit cards whose holders had Australian addresses. The respondent is a businessman. He is
involved in philanthropic, political, sporting and religious affairs. His business activities have
extended beyond Australia. He lives in Victoria and has many friends and associates there. He is

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.714

the chairman of a corporation, shares in which are traded in the United States. He has sought
investment in that corporation from investors in the United States.

It is unnecessary to set out the whole of the article. The first three paragraphs sketch some of the
interests of the respondent. The fourth states that some of his business dealings with religious
charities raise "uncomfortable questions". The author then uses some language that the media
have appropriated from the law courts, implying that a balanced trial with equal opportunity to
participate by all concerned has taken place: that a "Barron's investigation foundthat several
charities traded heavily in stocks promoted by Gutnick."(emphasis added) The article associates
the respondent with Mr Nachum Goldberg who is apparently a convicted tax evader and another
person awaiting trial for stock manipulation in New York.

LA
A detailed discussion of various of the respondent's religious and political activities and business

IM
dealings follows. One paragraph of the article claims that an intercepted communication from the
convicted tax evader was taken by Australian prosecutors to mean that the respondent was the
SH
former's "biggest money-laundering customer".

The proceedings in the Supreme Court of Victoria

LU

The respondent brought proceedings against the appellant in defamation in the Supreme Court of
Victoria. After an amendment of his statement of claim he alleged publication both online and by
PN

hard copies sold in Australia. He pleaded that the article meant, and was understood to mean that
he:
H

"(a) was a customer of Nachum Goldberg who had recently been imprisoned for tax evasion and
money laundering; and

(b) was Nachum Goldberg's biggest customer; and

(c) was masquerading as a reputable citizen when he was, in fact, a tax evader who had
laundered large amounts of money through Nachum Goldberg; and

(d) had bought Nachum Goldberg's silence so as to conceal his identity as one of Goldberg's
customers."

He also claimed punitive damages in reliance upon the following allegations:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.715

"(a) The [appellant] is a large corporation listed on the New York Stock Exchange with its
headquarters at 200 Liberty Street, New York. The [appellant's] principal area of business is
publication. The [appellant] publishes, amongst other things, 'Barron's' and the 'Wall Street
Journal', both in print and as on-line services. In 1999 the [appellant's] revenue was US$2 billion
and its net income was US$272 million. (b) At all relevant times the [appellant] published the
internet service 'Barron's Online' as a subscription service for profit and published its journal
'Barron's' for profit.

(c) The imputations alleged ... were seriously defamatory of the [respondent].

LA
(d) The [appellant] published the words without any honest belief in the truth of the imputations
alleged, ... alternatively, recklessly, not caring whether the imputations were true or false.

IM
(e) The [appellant] published the words for commercial advantage and in order to attract readers
SH
to its subscription services and journal and in circumstances where the commercial advantage to
the [appellant] outweighed the risk that as a result of defaming the [respondent] the [appellant]
might have to pay damages to the [respondent].
LU

(f) The [appellant] has failed and refused to apologise to the [respondent]."
PN

Another paragraph of the respondent's pleading contained the following allegations:

"The publication of the article in Victoria ... was the intended consequence, alternatively the
H

natural and probable consequence of the following acts of the [appellant] - (a) securing
subscriptions to its wsj.com and Barron's Online websites from persons resident within Victoria;

(b) writing the article or causing the article to be written;

(c) editing the article;

(d) formatting the article into a web page file for Barron's Online;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.716

(e) transferring the file containing the article from New York to the [appellant's] server in South
Brunswick, New Jersey;

(f) placing the file containing the article onto the [appellant's] web servers in New Jersey;

(g) creating links to the article (both direct and indirect) on the wsj.com and Barron's Online
websites; and

(h) thereby making the article available for downloading in Victoria by the [appellant's]
subscribers from time to time to the wsj.com and Barron's Online websites."

On service of the writ and statement of claim in the United States, the appellant entered a

LA
conditional appearance and applied to have service of the writ and statement of claim set aside,
or alternatively, to have the respondent's action permanently stayed. The appellant undertook, in

IM
the event of a stay of the Victorian action, to raise no limitations or jurisdictional objections there
if the respondent were to sue in the United States. The application was supported by copious
SH
affidavit material and oral evidence on behalf of the appellant describing the nature of the
Internet and access to it, and the law of New Jersey and elsewhere in the United States, relevant
aspects of which were referred to by Hedigan J who heard the applicant's application.
LU

The primary judge summarized the appellant's arguments: that publication was effected in New
Jersey and not Victoria; that no act was committed in Victoria to ground service of Victorian
PN

proceedings out of Victoria without an order of the Court pursuant to Order 7 of the Rules of
Court of that State; and, thirdly that Victoria was not a convenient forum for the trial of the
H

respondent's action.

His Honour rejected all of the appellant's arguments and dismissed its application. The appellant
applied for leave to appeal to the Court of Appeal of Victoria. Buchanan JA and O'Bryan AJA
who constituted that Court also rejected the appellant's arguments. Their Honours said:

"The authorities establish that defamatory material is published at the time and in the place
where it is made manifest in a form capable of being comprehended by a third party. That is
sufficient to dispose of this case, although we think that publication is not constituted by delivery
without comprehension. The principle has been applied to speech, writing, television, radio and
telephone. For the most part those authorities pre-date the internet, but in our view the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.717

established principles are appropriate to this new form of communication. In our view that
conclusion largely disposes of the submissions of the applicant based upon O 7. The service of
the writ out of Australia was justified by paragraphs (i) and (j) of R 7.01(1). The proceeding is
founded upon a tort committed within Victoria and is brought in respect of damage suffered in
Victoria. The later amendment of the statement of claim after the writ was served to plead
defamation resulting from the publication of printed copies of the magazine in Victoria could not
detract from the force of the unamended allegations based upon the publication of the article by
means of the internet, which had earlier rendered service out of Victoria valid.

As to the plea of forum non conveniens, we perceive no appellable error in the exercise of the
judge's discretion. Indeed we think the decision was plainly correct. Publication took place in

LA
Victoria. The [respondent] resides and carries on business in Victoria. He wishes to restore his
reputation in Victoria, and has undertaken to sue in no other place. The illegal activities in which

IM
the [respondent] is said to have participated took place principally in Victoria. The [respondent]
has sued in respect of a section of the article which stands by itself. The [appellant] may well try
SH
to broaden the debate. However, a defence based upon Polly Peck v Trelford[206]as that
decision has been interpreted in David Syme v Hore-Lacy is hardly likely to lead to a case
principally concerned with events in the United States of America."
LU

Leave was therefore refused on the basis that the trial judge's decision was plainly correct.
PN

The appeal to this Court

In this Court, the appellant repeated the arguments rehearsed in the courts below. The Internet,
H

which is no more than a means of communication by a set of interconnected computers, was

described, not very convincingly, as a communications system entirely different from pre-
existing technology. The nature and operation of the Internet and the World Wide Web were
explained by two highly qualified experts, Mr Barry Hammond BSc, Internet consultant to
leading Australian companies, and Dr Roger Clarke, Visiting Fellow (formerly Reader in
Information Systems) in the Computer Science Department, Australian National University.
They described the Internet as a set of interconnexions among computers all over the world to
facilitate an exchange of messages. Using their computers, people can communicate with one
another, and gain access to information. They claimed that it was a unique telecommunications

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.718

system defying analogy with pre-existing technology. The description however, by the appellant
of the server as passive is inaccurate. It also overlooks the legal significance, indeed the essential
role of all participants in, and enablers of, the dissemination of defamatory matter which is to be
found in longstanding jurisprudence of this country. In Webb v Bloc, ]Isaacs J said this:

"The meaning of 'publication' is well described in Folkard on Slander and Libel, in these words:
'The term published is the proper and technical term to be used in the case of libel, without
reference to the precise degree in which the defendant has been instrumental to such publication;
since, if he has intentionally lent his assistance to its existence for the purpose of being

LA
published, his instrumentality is evidence to show a publication by him.' In Starkie on the Law of
Slander and Libel[210], it is said: 'The declaration generally avers, that the defendant published

IM
and caused to be published; but the latter words seem to be perfectly unnecessary either in a civil
or criminal proceeding; in civil proceedings, the principal is to all purposes identified with the
SH
agent employed by him to do any specific act' .... In Parkes v Prescott[211], Giffard QC quotes
from the second edition of Starkie: 'All who are in any degree accessory to the publication of a
libel, and by any means whatever conduce to the publication, are to be considered as principals
LU

in the act of publication: thus if one suggest illegal matter in order that another may write or print
it, and that a third may publish it, all are equally amenable for the act of publication when it has
PN

been so effected.' In R v Paine[212]it is held: 'If one repeat and another write a libel, and a third
approve what is wrote, they are all makers of it; for all persons who concur, and show their
assent or approbation to do an unlawful act, are guilty: so that murdering a man's reputation by a
H

scandalous libel may be compared to murdering his person; for if several are assisting and
encouraging a man in the act, though the stroke was given by one, yet all are guilty of
homicide.'" (original emphasis)

A publisher, particularly one carrying on the business of publishing, does not act to put matter on
the Internet in order for it to reach a small target. It is its ubiquity which is one of the main
attractions to users of it. And any person who gains access to the Internet does so by taking an
initiative to gain access to it in a manner analogous to the purchase or other acquisition of a
newspaper, in order to read it.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.719

The appellant contends that the Internet is not "pushed" into any particular jurisdiction. The
contention ignores the commercial and social realities that greater publication produces both
greater profit and broader persuasion. Indeed, the appellant's arguments would suggest that all of
its objectives were exclusively high-minded. Revenues from increased advertising and
circulation, and the word "profit" never passed the appellant's advocate's lips. It may well be that
"firewalls" to deny access to the unintended or non-subscribing reader are at present perhaps
imperfect. So be it. Publishers are not obliged to publish on the Internet. If the potential reach is
uncontrollable then the greater the need to exercise care in publication.

LA
The appellant adopted the criticism of the application of traditional rules relating to publication
on the Internet made by Dicey and Morris in The Conflict of Laws, that to localize a defamatory

IM
statement is "somewhat unrealistic", and that "[i]t might therefore, be more appropriate to regard
the place of commission, in such cases, as the country in which, in the light of all the
SH
circumstances of the case, the substantial events which give rise to the claim have occurred."
LU

I disagree. The most important event so far as defamation is concerned is the infliction of the
damage, and that occurs at the place (or the places) where the defamation is comprehended.
PN

Statements made on the Internet are neither more nor less "localized" than statements made in
any other media or by other processes. Newspapers have always been circulated in many places.
The reach of radio and television is limited only by the capacity of the technology to transmit
H

and hear or view them, which already, and for many years, has extended beyond any one
country. In any event, a "publisher", whether on the Internet or otherwise, will be likely to
sustain only nominal, or no damages at all for publication of defamatory matter in a jurisdiction
in which a person defamed neither lives, has any interests, nor in which he or she has no
reputation to vindicate. Furthermore, it may be that an action inadvisably brought in such a
jurisdiction might be met by a finding that the jurisdiction is not a convenient or appropriate
forum.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.720

The appellant argued that the respondent, having set out to make money in the United States,
must expect to be subjected to lawful scrutiny in that country. No doubt the fact of lawful
scrutiny in that country, if such the publication was, would provide a defence to the appellant to
defamation proceedings there. That fact does not however have anything to say about unlawful
publication in this country.

The Court was much pressed with arguments about the ubiquity of the Internet. That ubiquity, it
was said, distinguished the Internet from practically any other form of human endeavour.
Implicit in the appellant's assertions was more than a suggestion that any attempt to control,

LA
regulate, or even inhibit its operation, no matter the irresponsibility or malevolence of a user,
would be futile, and that therefore no jurisdiction should trouble to try to do so. I would reject

IM
these claims. Some brands of motor cars are ubiquitous but their manufacturers, if they wish to
sell them in different jurisdictions must comply with the laws and standards of those
SH
jurisdictions. There is nothing unique about multinational business, and it is in that that this
appellant chooses to be engaged. If people wish to do business in, or indeed travel to, or live in,
or utilise the infrastructure of different countries, they can hardly expect to be absolved from
LU

compliance with the laws of those countries. The fact that publication might occur everywhere
does not mean that it occurs nowhere. Multiple publication in different jurisdictions is certainly
PN

no novelty in a federation such as Australia.

The appellant invited the Court to prefer, in effect, a United States jurisdiction to an Australian
H

one because the latter would deprive it of the Constitutional protection available in the former.
This was the essence of one of the respondent's arguments in Regie National des Usines Renault
SA v Zhang, that he might be deprived of legitimate juridical advantages available to a plaintiff
in New South Wales if he were compelled to sue elsewhere. I do not think my opinion there, to
which I would adhere here, was affected by my dissent in that case. In ZhangI said:

"... it is erroneous to give, as the Court of Appeal did, undue weight to a perception of advantage
to the respondent by allowing the proceedings in New South Wales to continue, rather than to
assess the advantages and disadvantages accruing to both sides in each jurisdiction in
considering whether New South Wales was an inappropriate one.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.721

Australian defamation law, and, for that matter, English defamation law also, and the policy
underlying them are different from those of the United States. There is no doubt that the latter
leans heavily, some might say far too heavily, in favour of defendants. Nor has the metaphor for
free speech developed by Holmes J in a series of cases and beginning with his dissenting
judgment in Abrams v United States, a marketplace of ideas, escaped criticism in the United
States. Writing in The New Criterion, Robert H. Bork pointed out:

"The market for ideas has few of the self-correcting features of the market for goods and
services."

Later he added:

LA
"In a word, what the Constitution says, as interpreted by today's Court, is that one idea isas good
as another so far as the law is concerned; only the omnipotent individual may judge." (original

IM
emphasis)
SH
Quite deliberately, and in my opinion rightly so, Australian law places real value on reputation,
and views with scepticism claims that it unduly inhibits freedom of discourse. In my opinion the
law with respect to privilege in this country, now and historically, provides an appropriate
LU

balance which does justice to both a publisher and the subject of a publication.

The appellant acknowledges that in order to succeed it has to persuade this Court that it should
PN

depart from a line of authority beginning with the Duke of Brunswick's case[220]in 1849 and
applied consistently since that year. The departure, it is submitted, is justified by this
H

consideration:

"In the context of global dissemination of information by a technology which has no clear or
close comparison with any other, a publication rule which does not expose publishers to liability
in every jurisdiction, or at least in multiple jurisdictions, but which nonetheless provides
plaintiffs with access to a court which can compensate them for all damage suffered, strikes the
most acceptable balance."

I reject this submission. Comparisons can, as I have already exemplified, readily be made. If a
publisher publishes in a multiplicity of jurisdictions it should understand, and must accept, that it

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.722

runs the risk of liability in those jurisdictions in which the publication is not lawful and it inflicts
damage.

The appellant sought to equate its placement of matter on the Internet with the placement of
books on library shelves. The comparison is, self-evidently, not well made. In addition, it
overlooks that, in respect of booksellers, libraries and other innocent enablers, there will usually
be a defence of innocent dissemination. A "subordinate distributor" who is "innocent'" is not
taken to have published the defamatory material, and is therefore not liable in a defamation
action at common law or under the Codes. A subordinate distributor will generally be treated as
"innocent" if the subordinate distributor establishes that:

LA
(1) the subordinate distributor did not know that the publication contained the defamatory
material complained of;

IM
(2) the subordinate distributor did not know that the publication was of a character likely to
contain defamatory material; and
SH
(3) such want of knowledge was not due to negligence on the part of the subordinate distributor.
LU

Whether such a defence may be available to publishers on the Internet will depend upon the
PN

particular facts and circumstances of the case, but it seems rather unlikely that a person in the
position of the appellant here could ever persuasively mount it.
H

The decision at first instance was criticised by the appellant on the basis that his Honour
erroneously treated the tort as a Victorian domestic tort by regarding the place of the last event
that completed the tort as conclusive, instead of looking over the series of events constituting it
and asking the question: where in substance did the cause of action arise?

The submission repeats the language of Lord Pearson delivering the judgment of their Lordships
in Distillers Co (Biochemicals) Ltd v Thompson which was largely adopted in this Court in Voth
v Manildra Flour Mills Pty Ltd. That language was however used in a different context, and has
no application to the rules relating to publication of defamatory matter which are specific to that

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.723

tort, have developed over a long period, and have frequently been the subject of detailed
legislation.

Each publication under current law gives rise to a separate cause of action. This is entrenched in
Australian and English law. The principle was recently confirmed by the English Court of
Appeal. Samuels JA rightly observed in Australian Broadcasting Corporation v Waterhouse, a
single publication rule could only be introduced throughout Australia by statute.

As Hedigan J held, the torts of libel and slander are committed when and where comprehension
of the defamatory matter occurs. The rules have been universally applied to publications by
spoken word, in writing, on television, by radio transmission, over the telephone or over the

LA
Interne. In Browne v Dunn the House of Lords held that there was no publication of a
defamatory petition to a person (Mrs Cook) who had signed but not read the petition.

IM
The appellant's submission that publication occurs, or should henceforth be held to occur
relevantly at one place, the place where the matter is provided, or first published, cannot
SH
withstand any reasonable test of certainty and fairness. If it were accepted, publishers would be
free to manipulate the uploading and location of data so as to insulate themselves from liability
in Australia[235], or elsewhere: for example, by using a web server in a "defamation free
LU

jurisdiction" or, one in which the defamation laws are tilted decidedly towards defendants. Why
would publishers, owing duties to their shareholders, to maximise profits, do otherwise? The
PN

place of "uploading" to a web server may have little or no relationship with the place where the
matter is investigated, compiled or edited. Here, the State where the matter was uploaded was
H

different from the State in which the article was edited. Matter may be stored on more than one
web server, and with different web servers at different times. Different parts of a single web page
may be stored on different web servers in different jurisdictions. Many publications in this
country, whether by television, radio, newspaper or magazine originate in New South Wales.
The result of the adoption of a rule of a single point of publication as submitted by the appellant,
is that many publications in Victoria, South Australia, Tasmania, Western Australia and
Queensland would be governed by the Defamation Act 1974(NSW) which provides, in its
present form, for a regime by no means commanding general acceptance throughout this country.
Choice of law in defamation proceedings in this country raises a relatively simple question of
identifying the place of publication as the place of comprehension: a readily ascertainable fact.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.724

I agree with the respondent's submission that what the appellant seeks to do, is to impose upon
Australian residents for the purposes of this and many other cases, an American legal hegemony
in relation to Internet publications. The consequence, if the appellant's submission were to be
accepted would be to confer upon one country, and one notably more benevolent to the
commercial and other media than this one, an effective domain over the law of defamation, to the
financial advantage of publishers in the United States, and the serious disadvantage of those
unfortunate enough to be reputationally damaged outside the United States. A further
consequence might be to place commercial publishers in this country at a disadvantage to
commercial publishers in the United States.

There is another relevant consideration. The law of defamation has some elements in common

LA
with the law of injurious falsehood, copyright and contempt. With respect to the last, as
Windeyer J in Australian Consolidated Press Ltd v Morgan[236]pointed out, "[t]he power [of

IM
punishing for contempt] has been not infrequently exercised in Australia in a salutary way
against newspaper companies for publishing matter calculated to prejudice the fair trial of
SH
pending proceedings." It would be anomalous if an international publisher might be liable for
contempt in this country but not in defamation.
LU

Finally, Victoria is a clearly appropriate forum for the litigation of the respondent's claim to
vindicate his reputation which has been attacked in Victoria, as well, plainly as elsewhere. For
PN

myself I would see no immediate reason why, if a person has been defamed in more than one
jurisdiction, he or she, if so advised might not litigate the case in each of those jurisdictions.
However, that issue does not arise here as the respondent has offered an undertaking to proceed
H

in Victoria only. The proceedings should be neither stayed nor set aside.

The appeal should be dismissed with costs.

******************************************************************************
******

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.725

 IN THE HIGH COURT OF MADRAS

Habeas Corpus Petition Nos. 249 to 252 of 2006 and HCMP Nos. 19 to 26 of 2006

Decided On: 16.03.2006

M. Saravanan and Ors.

Vs.

State and Ors.

Judges/Coram:
P. Sathasivam and J.A.K. Sampath Kumar, JJ.

LA
ORDER

P. Sathasivam, J.

IM
3. Even at the admission stage, we heard
1. Dr. L. Prakash, M. Saravanan, Vijayan Mr. S. Jayakumar, learned Public
@ Vijayakumar and Asir @ Asir Gunasingh, Prosecutor appearing for the respondents.
SH
who are A-1 to A-4 respectively in Sessions
Case No. 9 of 2004 on the file of V Fast 4. In the light of the order to be passed
Track Court (FTC), Chennai, invoking the here-under, we are of the view that there
jurisdiction under Article 226 of the is no need to refer all the factual details as
Constitution of India, have filed the above stated in the affidavit filed in support of the
LU

Habeas Corpus Petitions for quashing of above Petitions.

S.C. No. 9 of 2004 pending on the file of
the said Court and to set them at liberty 5. Fact remains, the petitioners herein,
since, according to them, the State has viz., A-1 to A-4 in S.C. No. 9 of 2004 on
foisted false cases against them.
PN

the file of V FTC, Chennai, are charged

with various offences punishable under
2. Mr. R. Karuppan, learned counsel Section 120-B IPC., Sections 5 & 6 of
appearing for the petitioners, mainly Immoral Traffic (Prevention) Act 1956 read
contended that all the petitioners have with Section 109 IPC., Sections 4 and 6 of
H

been languishing in jail for the past five the Indecent Representation of Women
years. According to him, the petitioners are (Prohibition) Act, 1986 and Section 67 of
innocents and since Dr. L. Prakash (A-1) Information Technology Act 2000 read with
did not accede to the demand of V. Section 109 IPC, etc. According to the
Rajendran, Assistant Commissioner of State, the complainant one Ganesan was
Police, Vadapalani, Chennai, for a bribe of used by Dr.Prakash (A.1/petitioner in
Rs. 5,00,000/-, the cases have been HCP.252 of 2006) for having intercourse
foisted against him and others, who were with several young ladies. The said illegal
working under him. He further contended activities were videographed and
that the respondents curiously filed a Final photographed by the petitioner (Dr.
Report on 20.3.2002 within 90 days, Prakash) and by screening those
because of which, the petitioners were not videographs and photographs through
granted bail. He also contended that the Internet, he amassed several crores and
Additional Final Report filed on 18.02.2003 thereby spoiled the life of many young
has been substituted and the respondents ladies. It is further seen that the
have played fraud on the Court. petitioners were not successful in getting
an order in their Bail Applications and that

© Manupatra Information Solutions Pvt. Ltd.

April 25, 2019 Page |1
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.726
 all the petitions filed by them were Report or the complaint, even if they are
dismissed. taken at their face value and accepted in
their entirety, do not constitute the offence
6. Regarding the allegation relating to alleged, in such cases, no question of
filing of second Final Report, its appreciating the evidence arises; it is a
maintainability, substitution of another matter merely of looking at the complaint
one, etc., it is for the court concerned to or the First Information Report to decide
consider the said aspect. We are also of whether the offence alleged is disclosed or
the opinion that the petitioners can very not. In the same decision, the Hon'ble
well raise those objections before the trial Supreme Court has also held that while
court at the appropriate stage. We are not exercising jurisdiction under Section 561-
expressing our view at this stage since it is A, the High Court would not embark upon
relevant to note that after dismissal of an enquiry as to whether the evidence in
their Bail Applications, several directions question is reliable or not; and that is the
have been issued for early conclusion of function of the trial Magistrate, and
the trial. As a matter of fact, in Crl.O.P. ordinarily it would not be open to any party
No. 25095 of 2003, directions have been to invoke the High Court's inherent
issued then and there and finally on jurisdiction and contend that on a
24.02.2006, after recording the Report reasonable appreciation of the evidence

LA
filed by the State/Inspector of Police that the accusation made against the accused
out of the total witnesses 82; 43 witnesses would not be sustained.
have been examined, 21 witnesses were
dispensed with; 11 witnesses are yet to be 9. The same principle is applicable while

IM
examined and 8 witnesses are to be cross- invoking the jurisdiction under Section 482
examined, time for completion of the trial Cr.P.C.. That is the reason, when Mr.
has been extended by two months. A Karuppan vehemently contended that
perusal of various orders passed in the said
SH
absolutely there is no case made out from
Petition makes it clear that the trial in S.C. the contents of the F.I.R. against all the
No. 9 of 2004 on the file V FTC, Chennai, is accused, we refrain to make any enquiry in
being monitored and directions are being the light of the fact that the trial has come
issued then and there by the learned single to a concluding stage and also of the fact
Judge for early completion of the trial. that the proceedings are closely monitored
LU

by this Court, ie., by the learned single

7. At the time of hearing of the above Judge, then and there.
Petitions, learned Public Prosecutor has
brought to our notice that, as on date, on 10. It is to be made clear that in a case of
PN

the side of the Prosecution, 6 more this nature, it is not permissible to

witnesses are to be examined and he prescribe any outer-limit for conclusion of
assured that the case could be disposed of the criminal proceedings. Learned Public
even before the extended period, viz., Prosecutor has produced the Photographs
H

24.04.2006. He also disputed the and particulars relating to the persons

allegation made by the learned counsel for involved, witnesses so far examined and to
the petitioners with reference to be examined on the side of the
manipulation of the charge sheet. prosecution. Hence, it cannot be compared
with other ordinary cases where only few
8. Learned counsel for the petitioners witnesses are examined on the side of the
heavily relied on the observations made by prosecution.
the Honourable Apex Court in the decision
reported in MANU/SC/0086/1960 : 11. In view of the information that the
1960CriLJ1239 R.P. Kapur v. State of prosecution is to examine only 6 witnesses
Punjab. In the said case, the Supreme and of the fact that the trial is being
Court considered the inherent power of closely monitored by the learned single
High Courts under Section 561-A of the Judge, we are satisfied that the petitioners
Criminal Procedure Code, which is have not made out a prima facie case for
corresponding to Section 482 of the quashing S.C. No. 9 of 2004 pending on
present Code. In the said decision, the the file of V Fast Track Court, Chennai.
Supreme Court has held that where the Accordingly, the Habeas Corpus Petitions
allegations made in the First Information

© Manupatra Information Solutions Pvt. Ltd.

April 25, 2019 Page |2
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.727
 are dismissed. Consequently, connected
Miscellaneous Petitions are also dismissed.

**********************************
***************

LA
IM
SH
LU
PN
H

© Manupatra Information Solutions Pvt. Ltd.

April 25, 2019 Page |3
FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.728
 Avnish Bajaj vs State of Delhi

150(2008)DLT 769

JUDGMENT S. Muralidhar, J.

1.1 Over three and a half years ago, an internet website carried a listing which offered for sale a
video clip, shot on a mobile phone, of two children of a school in Delhi indulging in an explicitly
sexual act. The petitioner, who was the Managing Director (MD) of the company that owned the
website at the relevant point in time, asks this Court to annul his criminal prosecution for the
offences of making available for sale and causing to be published an obscene product within the
meaning of Section 292 Indian Penal Code (IPC) and Section 67 of the Information Technology

LA
Act 2000 (IT Act). This petition under Section 482 of the Code of Criminal Procedure 1973
('CrPC') also raises questions concerning the criminal liability of directors for the offences

IM
attributable to a company, both under the IPC as well as the IT Act, particularly when such
company is not arraigned as an accused.
SH
1.2 Before discussing the background and the sequence of events leading to the filing of this
petition, it is necessary to understand the context in which the issues arise for determination. The
LU

regulation of pornography on the internet has posed a serious challenge to governments and
legislatures primarily on account of the nature of the medium. The easy availability, even to
PN

children, of pornographic material in digital form including video clips, its rapid transmission
across the world wide web, and the absence of effective filters to screen out objectionable
material from being accessed are factors that compound the challenge. It is said that "controlling
H

pornography on the internet is problematic because we may not know from whom or from where
the material originates, how many people are receiving the information, or if the material is
crossing international boundaries." [See Robyn Forman Pollack, "Creating the Standards of a
Global Community: Regulating Pornography on the Internet- an International Concern" 10
Temple International and Comparative Law Journal, (Fall, 1996) 467].

1.3 It is acknowledged that "the main concern of the legislators and parents in relation to the
internet is child pornography, rather than other forms of sexually explicit content. This has been
the case ever since paedophiles started to use the internet for circulating pornographic materials
related to children." [See Yaman Akdeniz, "Cyber Rights, Protection and Markets: Article

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.729

Governing Pornography and Child Pornography on the Internet: The UK Approach" 32
University of West Los Angeles Law Review 247 (2001)] Akdeniz points out that although in
some countries there are arguments against proscription of pornography based on freedom of
speech concerns, "there is general consensus that the line should be drawn with child
pornography." These factors need to be borne in mind while examining the irreversible harm that
can be caused by making available on the internet sexually explicit material that answers the
description of child pornography.

Background facts 2.1 Baazee.com India Private Limited ('BIPL'), a wholly owned subsidiary of
Ebay Inc. USA, and the owner of the website http://www.baazee.com, was during the relevant
period in the process of being acquired by and consequently renamed as Ebay India Private

LA
Limited (EIPL). BIPL had its main office at Mumbai and another office in Delhi. During
November to December 2004 the petitioner Avnish Bajaj was the MD of BIPL (which later was

IM
renamed as EIPL).
SH
2.2 The website baazee.com provided an online platform or market where a seller and a buyer
could interact. To be either a seller or buyer a person had to first register himself with
baazee.com by filling out an online form giving details including the name, email id, date of
LU

birth (the age had to be 18 and above). The person registering had to choose an appropriate
'baazee ID' and a password which would be used every time the person logged on to the website
PN

baazee.com to transact either as a seller or a buyer. While registering, the applicant had to make
a declaration to the following effect:
H

I have read the User agreement carefully - I am above 18 years of age. I have read and agreed to
abide by the baazee.com user agreement...." The next stage in the registering process was
reached after the person clicked on "Accept Terms & Submit". Thereafter an email was sent to
the person by baazee.com in which a link was provided for activating the account. A person who
registered following the above online procedure could either sell or buy products on the
electronic market that baazee.com offered by using the baazee.com ID and password.

2.3 To be a seller a two-step process was envisaged. The first step was to get registered
following the procedure described hereinbefore. The second step was to "create a listing." Again
several steps were to be followed. First the seller would select a category and sub-category that

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.730

broadly classified the product proposed to be sold. Then the item details had to be specified. The
website advised: "Enter the title that you would like to give your item in the text box provided.
Give a title that describes your item best. Try to include specifications such as brand name,
model number etc. The idea is to make your title most self-explanatory and distinctive. Do not
use web language (HTML)." The website also recommended that the seller should "always
include an image that depicts your item correctly." The price and payment mode preferences
were also to be indicated. Baazee.com also offered a mode of receiving payment under
'paisapay'. The user could also opt for other methods like cheques, demand drafts, cash on
delivery etc. 2.4 When a user was listing an item for the first time on the site, a customer support
representative had to verify his contact details (address and phone number) by calling up the user

LA
on the contact number given in the registration details. For an already registered user who wished
to list some other item, there was an automated website filter which checked the item to identify

IM
whether it was a prohibited or restricted item. BIPL had a Safety and Trust Division which
instituted word and text filters so that objectionable listings could be removed. A Community
SH
Watch Programme was also operational. If anyone brought to the notice of BIPL that any
objectionable material was being listed, it would trigger a process by which the listing would be
deactivated. Once the item was automatically screened by the filter, the listing was placed on the
LU

site with a unique computer generated item ID.

2.5 The buying process was fairly straightforward. The registered buyer had to find the item by
PN

using the Search box. He then had to browse the categories and sub-categories. After reading the
item description, if the person intended to buy, he would click "buy now", select the payment
H

method, specify the delivery details and confirm the order. This resulted in a purchase order
being generated. Then came the question of payment through either the credit card or online
bank transfer. If the buyer opted for a "paisapay" option and made an online payment, the normal
banking payment gateway got attracted. Once the payment gateway confirmed the receipt of the
payment then an automated payment confirmation was sent to the buyer. Thereafter the buyer
received the item, depending on the product, through email, hand delivery, courier or post.

2.6 When buyers opted for the "paisapay" method, the system would once in a week calculate the
amount payable to the listed user and send a file to the HDFC bank to issue a printed demand
draft (DD) in the name of bank account number provided by the seller on www. baazee.com. The

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.731

HDFC Bank would then dispatch the DD to the address provided by the seller. For facilitating
this entire transaction BIPL received a commission which was usually a percentage of the selling
price of the product.

The sequence of events 3.1 The sequence of events relevant to the present case unfolded thus.
Ravi Raj, a fourth year student of the Indian Institute of Technology (IIT) Kharagpur, was
registered as a seller with baazee.com since 21st July 2004. He had already been using the site
for listing products for sale. His email ID was psell@sify.com.

3.2 In the evening of Saturday 27th November 2004, Ravi Raj placed on the baazee.com website
a listing offering an MMS video clip for sale at Rs. 125 per piece. He adopted the seller's name

LA
as Alice Electronics and gave his address as 12-A/39, Roshpa Tower, Main Road, Malanche,
Kharagpur. In order to avoid detection by the filters installed by baazee.com, Ravi Raj included

IM
the clip under the category Books and Magazines and sub-category 'e-books'. Although
baazee.com did have a filter for some of the words which appear on the website, the listing
SH
nevertheless took place. For instance, the word "sex" at serial No. 23 of the list and word
"sexual" at serial No. 70 of the list were definitely part of the suspected words.

3.3 The electronic website baazee.com when visited had the following item description on its
LU

site: "Item 27877408 - DPS Girls having fun!!! full video + Baazee points." The price was Rs.
125. Under the column "seller's details" the name indicated was: "alice elec" and Location:
PN

"Kharagpur". The seller was shown as a Member since 21st July 2004. Upon clicking on the item
description, the listing read as under:
H

DPS Girls having fun!!! Do you want to see that video clip which has rocked the whole DELHI
and now has become a hot point of discussion in the entire Nation?

YES, Then what are you waiting for!!!! Just order for this product and it will be delivered to you
within few hours.

This video is of a girl of DPS RK PURAM which has been filmed by his boyfriend in very
sexual explicit conditions.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.732

Please note: This video clip of around 2:30 Minutes and will be send to you as an email
attachment.

3.4 The buyer interested in getting a copy had to click on the 'buy now' option, make a payment
through credit card or 'paisa pay' option. The buyer had to pay Rs. 128 per clip which included a
commission of Rs.3 that went to BIPL. This was deducted from the amount received from the
buyer and the balance of Rs. 125 per clip was remitted to the seller by the HDFC bank. The
seller, on receiving confirmation that payment had been made, would send the video clip by an
email attachment by a zip file with the description 'dps_rkpuram-sex-scandle.zip'. Between
around 8.30 pm in the evening of November 27th 2004 when the listing went on line till around
10 am on 29th November 2004 when the listing was de-activated, eight transactions of sale of

LA
the said video clip took place to buyers located in various parts of the country.

IM
3.5 At around 8.20 pm on Saturday 27th November 2004 information was received on email
from Amit Vohra using emailed threadsincp@sify.com for Community Watch. The mail titled
SH
"fraud report about item ID 27877408" read as under:

User's Message The username of the party is alice-elec. This person is trying to sell a video
which is illegal in India as it was shot on two people who are below the legal age of 18 &
LU

pornography is illegal in India. You need to sort this issue & you should even report it to the
legal authorities as this can get your site in trouble.
PN

3.6. This email was assigned to Namrata of BIPL at around 8.25pm on 27th November 2004
itself. At around 6:25pm on the next date i.e. 28th November 2004, which happened to be a
H

Sunday, it was assigned to Swapna Sawant of the BIPL and the priority was shifted to the 'high
alert' category.

3.7 On 29th November 2004 at 10:10am baazee.com wrote to Alice Electronics that it had
noticed "that the listings put up on site by you are either obscene or pornographic in nature" and
that the Baazee User Agreement prohibits trade in such items. It accordingly informed the seller
"we have closed the item as it is against the User Agreement." Soon thereafter Swapna Sawant of
BIPL addressed a letter next morning i.e. on Monday 29th November at 10:38 am to Amit Vohra
thanking him for "spotting this and reporting to us at Community Watch that the Item ID:
27877408 is pornographic in nature. We have closed the items and have taken this issue up with

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.733

the seller." The video clip was removed on 29th November 2004 Monday at around 10:38 am.
Meanwhile eight persons with distinct IDs located in different parts of the country including
Calcutta, Nellore, Pune, Delhi, Banglore and Chennai had purchased it.

3.8 On 9th December 2004 two events took place. The Crime Branch of Delhi police, on
receiving credible information that the said MMS clip was sold for Rs. 125 by a website,
registered FIR No. 645 of 2004. On the same day a news item appeared in a Delhi the newspaper
"Today" with the headlines "DPS sex video at baazee.com". The news item by Anupam Thapa
had the byline "Outrage Exclusive" and stated "online website goes ahead with the sale of the
infamous clip". The news item stated: "India's biggest online trading portal baazee.com had
listed the said MMS clip under the title 'DPS girls having fun' with the member ID of 27877408.

LA
The police upon investigation learnt that one Alice Electronics of Kharagpur West Bengal had
since 27th November 2004 sold 8 copies of the said MMS clip."

IM
3.9 The police sent notices under Section 91 CrPC to the petitioner and Sharat Digumarti, the
SH
Senior Manager, Trust and Safety, BIPL (who is Accused No. 3) and obtained information on the
working of the website. On 10th December 2004 in response to a query addressed to baazee.com,
Sharat Digumarti provided "the details of the seller (alice_elec) and the buyers who purchased
LU

this item." He stated that they had "already disabled the ability of the seller and the buyers in
modifying their contact details and the attached file contains the contact details of these users
PN

which was taking from our database (File Name 'DPS Data') and also file (File Name: DPS
Listing) which show the item that was listed on the site."
H

3.10 On 11th December 2004 the police seized the printout of an email containing two pages
regarding email ID vishwa777@yahoo.com dated 27th November 2004 with the time as
17:58:26 which was the placement of the order and an email of the same date received at that
very address from Ravi Raj the seller at with the time as 20:05:13 with the email attachment
dps_rkpuram_sex_scandal.zip which is a zip file sent to the said email ID. The subject of the
email was 'DPS Sex Scandal'. The third item seized was an Amkette floppy which had an email
from the seller and confirmation email from baazee.com. Details of the email placement of the
order and receipt of the product by each of the other buyers was also collected.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.734

3.11 On 12 December 2004 Sharat Digumarti furnished the details of the payments received
from the buyers and confirmed that a sum of Rs. 17,787.87 was disbursed to the seller
'alice_elec' through the HDFC Payment Services.

3.12 On 14th December 2004, the petitioner wrote to the police about his role and responsibility.
Inter alia he stated that: "I am responsible for the India operations of the Company and my
charges, assigns, includes policy decisions, planning, control and overall supervision of day to
day functioning of the organization."

3.13 In his letter dated 14th December 2004 Sharat Digumarti explained the registration, buying
and selling process and payment process at baazee.com. He enclosed a note on how the "list of

LA
the suspected and banned words" worked and the process of detection of leakage. He also gave
details of the working of Community Watch. Thereafter a list of 120 words as on 14th December

IM
was attached. Although in the said list at serial No. 106 the word "dps" and at serial No. 110 the
word "RKP" were included, these were admittedly added after the sale of the objectionable video
SH
clip came to light. The contents of the clip itself were therefore not under screening in the
automated process since the clip itself was not on the baazee. com.

3.14 The Manager, Finance and paisapay of baazee.com wrote a detailed letter to the police
LU

giving information on how the said system works and gave a complete list of the transactions
involving the video clip. This letter confirmed that Rs. 128 was charged per piece from each of
PN

the buyers. Rs.3 rupees were paisapay charges and Rs. 125 went to the seller.

3.15 On 17th December 2004, Ravi Raj was arrested at Kharagpur and certain recoveries were
H

effected from him including the CPU containing the hard disk of the computer from where the
email attachments of the offending video clip were despatched. The petitioner Avnish Bajaj was
arrested in Mumbai on the same day. He was later released on bail by this Court on 21st
December 2004. At the conclusion of the investigations, a charge sheet was filed showing Ravi
Raj, Avnish Bajaj and Sharat Digumarti as Accused Nos. 1,2 and 3 respectively.

3.16 The learned Metropolitan Magistrate (MM) by an order dated 14th February 2006 took
cognizance of the offences under Sections 292 and 294 IPC and Section 67 IT Act. The three
accused were summoned to face trial. Ravi Raj has since been absconding and his trial has been
separated.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.735

3.17 This petition was filed by Avnish Bajaj, the MD of BIPL (EIPL) seeking the quashing of
the criminal proceedings on various grounds which will be discussed hereafter. During the
pendency of this petition there has been a stay of the proceedings before the trial court.

Submissions of Counsel 4.1 Arguments on behalf of the petitioner were addressed by Mr. Arun
Jaitley and Mr. Sidharth Luthra, Senior Advocates.

4.2 According to the petitioner, the case against BIPL is not, and cannot possibly be, in relation
to the video clip since the clip itself was not made available on baazee. com. The video clip was
transferred directly between the seller and buyer without the intervention of the website. While
no submission was made in regard to the video clip being obscene, the submission of the

LA
petitioner was that at the highest BIPL was concerned only with the listing placed on the website
which by itself was not obscene and did not attract the offence under Section 292/294 IPC or

IM
Section 67 IT Act.

4.3 It was then argued that in any event without BIPL (EIPL) being made an accused, no
SH
criminal liability attached to the petitioner for an IPC offence only because he happened to be the
MD of BIPL (EIPL) at the relevant time. The revenue generated by the website was not profit as
contemplated by Section 292 IPC and in any event such income was not generated by the
LU

petitioner but by BIPL which is not an accused in the case. Reasonable care was taken by the
website to immediately remove the video clip once it was brought to its knowledge that it was
PN

objectionable. Therefore the website acted diligently and did not commit any illegality. The
charge sheet when read as a whole does not make out even a prima facie case against the
H

petitioner in his individual capacity for the offences under Sections 292/ 294 IPC.

4.4 In relation to Section 67 IT Act, it was argued that in the absence of the company BIPL
(EIPL) itself being made an accused, no liability could attach to the petitioner with the aid of
Section 85 IT Act. A reading of the charge sheet as a whole would show that although the
petitioner as MD was in overall charge of the policy and planning of the business, he had no
direct role in the placing of the listing or its filtering and subsequent removal. This was an
automated process and the work of supervising the placing of listings on the website had been
delegated to specific individuals like Accused No. 3 Sharat Digumarti. Criminal liability cannot
be fastened lightly in the absence of a specific case being made out against the petitioner in his

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.736

individual capacity, particularly since the company of which he was MD is not arraigned as an
accused.

5.1 Appearing for the State, Ms. Mukta Gupta, learned Senior Standing Counsel submitted that
the sequence of events, the listing, video clip and the role attributed to the petitioner, fully make
out a case against the petitioner for the offences under Section 292 IPC and Section 67 IT Act.
The offence under Section 292 IPC includes not only overt acts but illegal omissions within the
meaning of Sections 32, 35 and 36 IPC. The failure to have adequate filter in a system which is
entirely automated, entails serious consequences and a website cannot escape such legal
consequences.

LA
5.2 It is further submitted by the learned Counsel for the State that the fact that website earned
profits through the sale is evident from the bank statements which show that for each video clip

IM
it did earn a commission of Rs.3. The chain of events show that the website had a role to play in
several of the stages before the video clip was sent by the seller to the buyer by an email
SH
attachment. The fact that payment was made to the seller even as on 27th December 2004 shows
that no attempt was made to prevent or stop the commission of the illegality by the website.

5.3 It was submitted by Ms. Gupta that the petitioner was the person in-charge of the affairs of
LU

the company that owned the website and was responsible for its policy and planning. There is
adequate material set out in the charge sheet which shows that the petitioner had a direct role in
PN

the matter. Notwithstanding that the BIPL itself is not arraigned as an accused, the petitioner can
nevertheless be proceeded against for the role played by him in the transaction.
H

5.4 For the offence under Section 67 IT Act, it is not necessary that the company BIPL itself
should be an accused. As explained in the judgments of the Supreme Court, what is relevant is
whether at the trial a case for convicting the company for the offences had been made out. The
present stage was premature to come to a conclusion either way. Even at a subsequent stage in
the proceedings, the court can summon the company if sufficient material emerges against it.

5.5 Finally it was submitted that the crime is of an extremely grave nature and cannot go
unpunished on technicalities. Even if the charge sheet does not contain specific allegations, the
matter can still proceed to the next stages. At this stage the court is only to examine if a prima
facie case is made out and on that test no interference is called for.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.737

Are the offences under Sections 292 and 294 IPC and Section 67 IT Act attracted?

6.1 The question that first requires to be addressed is whether in the facts and circumstances of
the case, as disclosed in the charge sheet, a prima facie case for offences under Sections 292 and
294 IPC and Section 67 IT Act is made out. If the answer to this question is in the affirmative,
the further question that arises is whether a prima facie case has been made out against the
petitioner for those offences.

6.2 Section 292 IPC concerns the offence of sale of obscene materials and reads thus:

LA
292. Sale, etc., of obscene books, etc. (1) For the purposes of Sub-section (2), a book, pamphlet,
paper, writing, drawing, painting, representation, figure or any other object, shall be deemed to

IM
be obscene if it is lascivious or appeals to the prurient interest or if its effect, or (where it
comprises two or more distinct items) the effect of any one of its items, is. if taken as a whole,
SH
such as to tend to deprave and corrupt person, who are likely, having regard to all relevant
circumstances, to read, see or hear the matter contained or embodied in it].

(2) Whoever-
LU

(a) sells, lets to hire, distributes, publicly exhibits or in any manner puts into circulation, or for
PN

purposes of sale, hire, distribution, public exhibition or circulation, makes, produces or has in his
possession any obscene book, pamphlet, paper, drawing, painting, representation or figure or any
other obscene object whatsoever, or
H

(b) imports, exports or conveys any obscene object for any of the purposes aforesaid, or knowing
or having reason to believe that such object will be sold, let to hire, distributed or publicly
exhibited or in any manner put into circulation, or

(c) takes part in or receives profits from any business in the course of which he knows or has
reason to believe that any such obscene objects are for any of the purposes aforesaid, made,
produced, purchased, kept, imported, exported, conveyed, publicly exhibited or in any manner
put into circulation, or

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.738

(d) advertises or makes known by any means whatsoever that any person is engaged or is ready
to engage in any act which is an offence under this section, or that any such obscene object can
be procured from or through any person, or

(e) offers or attempts to do any act which is an offence under this section, shall be punished on
first conviction with imprisonment of either description for a term which may extend to two
years, and with fine which may extend to two thousand rupees, and, in the event of a second or
subsequent conviction, with imprisonment of either description for a term which may extend to
five years, and also with fine which may extend to five thousand rupees.

Exception.- ...

LA
6.3 Section 292(1) is a deeming provision. If any "book, pamphlet, paper, writing, drawing,
painting, representation, figure or any other object" is "lascivious or appeals to the prurient

IM
interest" or "if taken as a whole is such as to tend to deprave or corrupt person, who are likely to
read, see or hear the matter contained or embodied in it", then such object "shall be deemed to be
SH
obscene." The law in this regard has been explained by the Supreme Court in Ranjit D. Udeshi v.
State of Maharashtra , C.T. Prim v. State and Samaresh Bose v. Amal Mitra .
LU

6.4 In the present case, there are two pieces of material that call for scrutiny. One is the video
clip and the other the listing on the website baazee.com. It was not argued by learned Counsel for
PN

the petitioner that the video clip in question did not even prima facie attract the definition of an
obscene object within the meaning of Section 292 (1) IPC. Also, it is a matter of record that a
separate case has been instituted before the Juvenile Justice Board against the child involved in
H

the act. As will be noticed hereafter, the listing itself suggested that even according to the seller
the clip answered the description of child pornographic material.

6.5 To recall, the petitioner's submission was that BIPL and not the petitioner was, if at all,
concerned with the listing on the website which by itself was not obscene. According to the
petitioner, the video clip was transferred directly from the seller to the buyer without the
intervention of the web site. The question then arises whether the listing even prima facie
answers the definition of obscenity attracting Section 292(1) IPC.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.739

6.6 The entire text of the listing has been set out earlier in para 3.3. Prima facie it appears that the
listing itself answered the definition of obscenity since it contained words or writing that
appealed "to the prurient interest" or if taken as a whole was "such as to tend to deprave or
corrupt person, who are likely to read, see or hear the matter contained or embodied in it." The
listing contained explicit words that left a person in no doubt that what was sought to be sold was
lascivious. The words "This video is of a girl of DPS RK PURAM which has been filmed by his
boyfriend in very sexual explicit conditions" are a prominent feature of the listing which invited
a potential buyer to purchase the obscene object which was the video clip by projecting it as
child pornography since the reference is to school children. Despite the arguments to the contrary
of the learned Senior counsel for the petitioner, this Court is not able to agree with their

LA
submissions that the listing itself was not even prima facie an obscene material or text.

6.7 It was argued that even then, there was no overt act done by BIPL in relation to the video clip

IM
or listing, to even prima facie attract the offence under Section 292 (2) IPC. This Court is unable
to agree. As far as the listing is concerned, its contents were in the knowledge of BIPL the
SH
moment the listing was placed on the website by Ravi Raj. The offence under Section 292 (2) (a)
IPC gets attracted when the prosecution is able to prove that a person has "publicly exhibited or
in any manner put into circulation" or "has in his possession" the obscene object. Even if Ravi
LU

Raj, and not BIPL, may have inserted the listing, the website of BIPL certainly "possessed" it.
The website was easily accessible on the net and therefore the website also "publicly exhibited"
PN

the listing. It cannot be said therefore that in respect of the listing, Section 292 (2) (a) IPC is not
even prima facie attracted as far as BIPL is concerned.
H

6.8 In relation to the video clip, the wording of Section 292(2) (d) IPC is wide enough to include
an attempt at making known "by any means whatsoever" that "such obscene object can be
procured." The placing of an advertisement on the website informing the viewer that an obscene
material or object is available for sale, one click away, is enough to attract the offence under
Section 292(2)(d). The advertisement might itself have been inserted by the seller but the website
facilitated the sale by carrying the listing which informed the potential buyer that such a video
clip that is pornographic can be procured for a price. For instance, there could be a notice board
in the premises of a club or association, on which is pasted a listing by one of the members
offering for sale a pornographic film. It would not be open to the club/association to say that it in

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.740

providing space on its notice board it is not by itself "making known" that an obscene object "can
be procured from or through any person." Section 292(d) would be attracted in such a situation to
fasten criminal liability on the club itself. If it is proved that a particular member was aware of
the placing of such listing on the notice board such member would also be liable. Baazee.com
here was using a public space in the form of a website that could be accessed by any internet
user.

6.9 In relation to the essential ingredients of the offence of sale of or offer for sale of obscene
products, reference was made to paras 10 and 11 of the judgment in Ranjit D. Udeshi which read
thus:

LA
10. Before dealing with that problem we wish to dispose of Mr. Garg's third argument that the
prosecution must prove that the person who sells or keeps for sale any obscene object knows that

IM
it is obscene, before he can be adjudged guilty. We do not accept this argument. The first sub-
section of Section 292 (unlike some others which open with the words "whoever knowingly or
SH
negligently etc.") does not make knowledge of obscenity an ingredient of the offence. The
prosecution need not prove something which the law does not burden it with. If knowledge were
made a part of the guilty act (acts reus), and the law required the prosecution to prove it, it would
LU

place an almost impenetrable defence in the hands of offenders. Something much less than actual
knowledge must therefore suffice. It is argued that the number of books these days is so large
PN

and their contents so varied that the question whether there is mens era or not must be based on
definite knowledge of the existence of obscenity. We can only interpret the law as we find it and
if any exception is to be made it is for Parliament to enact a law. As we have pointed out, the
H

difficulty of obtaining legal evidence of the offender's knowledge of the obscenity of the book
etc., has made the liability strict. Under our law absence of such knowledge, may be taken in
mitigation but it does not take the case out of the sub-section.

11. Next to consider is the second part of the guilty act (actus reus), namely, the selling or
keeping for sale of an object which is found to be obscene. Here, of course, the ordinary guilty
intention (mens rea) will be required before the offence can be said to be complete. The offender
must have actually sold or kept for sale, the offending article. The circumstances of the case will
then determine the criminal intent and it will be a matter of a proper inference from them. The
argument that the prosecution must give positive evidence to establish a guilty intention involves

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.741

a supposition that mens rea must always be established by the prosecution through positive
evidence. In criminal prosecution mens rea must necessarily be proved by circumstantial
evidence alone unless the accused confesses. The sub-section makes sale and possession for sale
one of the elements of the offence. As sale has taken place and the appellant is a book-seller the
necessary inference is readily drawn at least in this case. Difficulties may, however, arise in
cases close to the border. To escape liability the appellant can prove his lack of knowledge
unless the circumstances are such that he must be held guilty for the acts of another. The court
will presume that he is guilty if the book is sold on his behalf and is later found to be obscene
unless he can establish that the sale was without his knowledge or consent. The law against
obscenity has always imposed a strict responsibility. When Wilkes printed a dozen copies of his

LA
Essay on Woman for private circulation, the printer took an extra copy for himself. That copy
was purchased from the printer and it brought Wilkes to grief before Lord Mansfield. The gist of

IM
the offence was taken to be publication-circulation and Wilkes was presumed to have circulated
it. Of course, Wilkes published numerous other obscene and libellous writings in different ways
SH
and when Madame Pampadour asked him:

How far does the liberty of the Press extend in England?" he gave the characteristic answer: "I do
not know. I am trying to find out !" (See 52 Harv. L. Rev. 40).
LU

6.10 A reading of the above paragraphs shows that there are two elements to be satisfied in order
PN

to prove the offence under Section 292 IPC. The first is that the person accused of the offence
had the knowledge that what was being offered for sale or exhibited or possessed was obscene.
The second is that such person had the intention to commit any of the acts mentioned in Section
H

292 (2) IPC. In Ranjit D. Udeshi it was held that the prosecution did not have to prove that the
accused had knowledge that the contents of the books being offered for sale were in fact obscene
since the deeming provision in Section 292 (1) IPC stood attracted. However the prosecution was
required to prove that the accused did intend to sell such obscene object.

6.11 Turning to the case on hand, the listing here was carried by the website baazee.com. The
text of the listing leaves no doubt that the object being offered for sale was obscene. By not
having appropriate filters that could have detected the words in the listing or the pornographic
content of what was being offered for sale, the website ran a risk of having imputed to it the
knowledge that such an object was in fact obscene. These are the attendant risks that a website

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.742

owner attracts when he exploits cyber space for profits. The proliferation of the internet and the
possibility of a widespread use through instant transmission of pornographic material, calls for a
strict standard having to be insisted upon. Owners or operators of websites that offer space for
listings might have to employ content filters if they want to prove that they did not knowingly
permit the use of their website for sale of pornographic material. Given the nature of the offence
and the 'strict liability' envisaged by Section 292 (1) IPC, even if for some reason the filters fail,
the presumption that the owner of the website had the knowledge that the product being offered
for sale was obscene would get attracted. This of course would be a rebuttable presumption. It
would be open to the owner of the website to show that it took reasonable precaution to filter the
listing for obscene material, this it was nevertheless placed on the website listed without its

LA
knowledge and that it took prompt corrective once it knew that the listing or the product offered
for sale was obscene. But that would be a matter for evidence at the trial.

IM
6.12 For the purposes of the present petition it is enough to examine if the offence under Section
292 IPC is prima facie attracted. This Court finds that it does as far as BIPL (EIPL) is concerned.
SH
It is therefore not necessary at this stage for this Court to examine if there is a valid defence
available to BIPL or, whether, as contended by the prosecution, the offence would get attracted
even on account of the illegal omissions of BIPL.
LU

7.1 Next, we turn to Section 67 of the IT Act which reads as under:

PN

Section 67-Publishing of information which is obscene in electronic form Whoever publishes or

transmits or causes to be published in the electronic form, any material which is lascivious or
H

appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons
who are likely, having regard to all relevant circumstances, to read, see or hear the matter
contained or embodied in it, shall be punished on first conviction with imprisonment of either
description for a term which may extend to five years and with fine which may extend to one
lakh rupees and in the event of a second or subsequent conviction with imprisonment of either
description for a term which may extend to ten years and also with fine which may extend to two
lakh rupees.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.743

7.2 The plain words of the above provision unambiguously state that the offence stands attracted
when there is publishing, transmitting or where anyone "causes to be published in the electronic
form" any material that is "lascivious or appeals to the prurient interest" or "if its effect is such as
to tend to deprave and corrupt persons who are likely, having regard to all relevant
circumstances, to read, see or hear the matter contained or embodied in it." The remaining
portion of the provision borrows the language of Section 292(2)(d) IPC. As far as the present
case is concerned it has already been held that what was offered for sale through the listing and
the listing itself were prima facie obscene.

7.4 Therefore, it cannot be said that baazee.com in this case did not even prima facie "cause" the
publication of the obscene material. The ultimate transmission of the video clip might be through

LA
the seller to the buyer but in a fully automated system that limb of the transaction cannot take
place unless all the previous steps of registration with the website and making payment take

IM
place. It is a continuous chain. When five to six links of the chain are under the direct control of
the website and it is only on completion of each step that the final two steps which result in the
SH
actual publication of the obscene material ensue, it cannot be said that the website did not even
prima facie cause publication of the obscene material.
LU

8.1 As far as the offence under Section 294 is concerned, the learned Counsel for the prosecution
did not dispute the contention of the learned Counsel for the petitioner that the said offence was
PN

not attracted in the facts of the case. A reference may nevertheless be made to the Section 294
IPC:
H

294. Obscene acts and songs Whoever, to the annoyance of others--

(a) does any obscene act in any public place, or

(b) sings, recites or utters any obscene song, ballad or words, in or near any public place, shall be
punished with imprisonment of either description for a term which may extend to three months,
or with fine, or with both.

8.2 It appears that Section 294 IPC deals only with doing obscene acts and singing or reciting or
uttering obscene songs in a public place. It cannot be said that the website itself did an obscene

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.744

act or performed any obscene song. The offence under Section 294 is not even attracted prima
facie in the facts and circumstances of the present case.

9. To summarise this part of the discussion, this Court finds that a prima facie case for the
offence under Section 292 IPC and Section 67 IT Act is made out as far as the owner of the
website baazee.com, i.e. the company BIPL (renamed as EIPL) is concerned. The offence under
Section 294 IPC is not even prima facie attracted.

Is a prima facie case made out for the offences under Sections 292 IPC and 67 IT Act against
the petitioner?

10. The question that arises next is whether a prima facie case for the offence under Section

LA
292IPC and Section 67 IT Act is made out against the petitioner. It has been argued by the
learned Senior counsel for the petitioner that nowhere in the charge sheet is there any allegation

IM
that the petitioner himself facilitated the publishing of the obscene material or is in any way
directly involved in the transaction.
SH
11. It has been held that a prima facie case is indeed made out against BIPL. However, for some
reason BIPL has not been arraigned as an accused. No satisfactory explanation has been offered
LU

by the prosecution except suggesting during the course of arguments that the law in regard to
corporate criminal liability was not very clear. This is not an acceptable position in view of the
PN

clear position in the law as explained by the Supreme Court. The word 'person' is defined under
Section 11 IPC to include "any Company or Association or body of persons, whether
incorporated or not." Therefore for an offence under the IPC there is no immunity granted to a
H

company as such from prosecution. Even if, like in Section 292 IPC, the offence is punishable
with imprisonment and fine, a company can still be arraigned and tried as an accused. Section
305 CrPC deals with the procedure that is to be followed when the accused is a company. A
person will be nominated by such company to represent it during the trial. It may ultimately be
punished only with fine (since most offences are punishable with fine in addition to
imprisonment). This position in law has now been settled by the Constitution Bench of five
judges of the Supreme Court Standard Chartered v. Directorate of Enforcement . Overruling an
earlier decision of a three Judge Bench in Assistant Commissioner v. Velliappa Textiles , the
Constitution Bench by a 3:2 majority held that for an offence under the IPC or any other penal

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.745

statute where the provision makes the offence punishable with imprisonment fine, a company
can nevertheless be prosecuted. It was held (AIR, paras 7 and 8):

7. As in the case of torts, the general rule prevails that the corporation may be criminally liable
for the acts of an officer or agent, assumed to be done by him when exercising authorized
powers, and without proof that his act was expressly authorized or approved by the corporation.
In the statutes defining crimes, the prohibition is frequently directed against any "person" who
commits the prohibited act, and in many statutes the term "person" is defined. Even if the person
is not specifically defined, it necessarily includes a corporation. It is usually construed to include
a corporation so as to bring it within the prohibition of the statute and subject it to punishment. In
most of the statutes, the word "person" is defined to include a corporation. In Section 11 of the

LA
Indian Penal Code, the "person" is defined thus:

IM
The word "person" includes any Company or Association or body of persons, whether
incorporated or not.
SH
8. Therefore, as regards corporate criminal liability, there is no doubt that a corporation or
company could be prosecuted for any offence punishable under law, whether it is coming under
the strict liability or under absolute liability.
LU

12. Therefore, there was no legal bar in arraigning BIPL as an accused in the present case. It was
PN

then submitted by the State, on the strength of the decision of the Supreme Court in SWIL Ltd. v.
State of Delhi , that at a later point in time, even before passing an order on charge, the trial court
can summon the company as an accused. Even if this were to happen, that still does not obviate
H

the requirement in law for the prosecution to show that a prima facie case has been made out
against the petitioner in his individual capacity for the IPC offence. While, as will be discussed
hereafter, the position is different with regard to the offence under Section 67 IT Act, as far as
the offence under Section 292 IPC is concerned, the law as it presently stands does not envisage
an automatic liability attaching to a Director for the offences committed by a company.
Therefore even if at a subsequent stage of the proceedings BIPL is summoned to face trial for the
IPC offence, that would not, in the absence of a specific case being made out against the
petitioner in his individual capacity, result in his being an accused.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.746

13. It requires to be noted that, unlike some other statutes containing penal provisions, the IPC
does not incorporate the concept of criminal liability of a Director or an employee where the
principal accused is a company. In other words, there is no provision similar to Section 141 of
the Negotiable Instruments Act, 1881 ('NI Act') or Section 140 of the Customs Act, 1962 or
Section 85 of the IT Act. These are provisions that provide for a deemed criminal liability of a
person who, at the time of commission of the offence by the company, was in charge of the
affairs of the company or responsible to it for the conduct of its business. The proviso to such
provision makes it possible for such person to escape liability by proving at the stage of trial that
the offence was committed by the company without his or her knowledge. Therefore once the
deemed criminal liability gets attracted under the substantive provision, the burden shifts to the

LA
accused under the proviso to rebut such presumption. However, there is no such provision in the
IPC.

IM
14. In Maksud Saiyed v. State of Gujarat , the Supreme Court explained that (SCALE p. 323):
SH
13. Indian Penal Code does not contain any provision for attaching vicarious liability on the part
of the Managing Director or the Directors of the Company when the accused is the Company.
The learned Magistrate failed to pose unto himself the correct question viz. as to whether the
LU

complaint petition, even if given face value and taken to be correct in its entirety, would lead to
the conclusion that the respondents herein were personally liable for any offence. The Bank is a
PN

body corporate. Vicarious liability of the Managing Director and Director would arise provided
any provision exists in that behalf in the statute. Statutes indisputably must contain provision
fixing such vicarious liabilities. Even for the said purpose, it is obligatory on the part of the
H

complainant to make requisite allegations which would attract the provisions constituting
vicarious liability.

15. Recently this position was reiterated in S.K. Alagh v. State of U.P. where the Supreme Court
observed (SCALE p. 527):

16. Indian Penal Code, save and except some provisions specifically providing therefor, does not
contemplate any vicarious liability on the part of a party who is not charged directly for
commission of an offence.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.747

18. As, admittedly, drafts were drawn in the name of the company, even if appellant was its
Managing Director, he cannot be said to have committed an offence under Section 406 of the
Indian Penal Code. If and when a statute contemplates creation of such a legal fiction, it provides
specifically therefore. In absence of any provision laid down under the statute, a Director of a
company or an employee cannot be held to be vicariously liable for any offence committed by
the company itself. (See Sabitha Ramamurthy and Anr. v. R.B.S. Channabasavaradhya ).

15. We may, in this regard, notice that the provisions of the Essential Commodities Act,
Negotiable Instruments Act, Employees' Provident Fund (Miscellaneous Provision) Act, 1952
etc. have created such vicarious liability. It is interesting to note that Section 14A of the 1952
Act specifically creates an offence of criminal breach of trust in respect of the amount deducted

LA
from the employees by the company. In terms of the explanations appended to Section 405 of the
Indian Penal Code, a legal fiction has been created to the effect that the employer shall be

IM
deemed to have committed an offence of criminal breach of trust. Whereas a person in charge of
the affairs of the company and in control thereof has been made vicariously liable for the offence
SH
committed by the company along with the company but even in a case falling under Section 406
of the Indian Penal Code vicarious liability has been held to be not extendable to the Directors or
officers of the company. (See Maksud Saiyed v. State of Gujarat and Ors.).
LU

16.1 Although the Supreme Court has termed the liability of a Director, where the company is
PN

the accused, as being 'vicarious', the classical understanding of the concept of vicarious liability
is invariably in the context of a "master and servant" relationship. For instance, a company can
be made vicariously liable for the criminal acts of its employees or directors. In an article by
H

V.S.Khanna titled "Corporate Liability Standards: When should Corporations be held Criminally
Liable" 37 Am. Crim. L. Rev. 1239 (2000) the concept is explained thus:

Corporate liability is a form of vicarious liability wherein the corporation is held liable for the
wrongs of its agents. Vicarious liability is imposed on corporations under the doctrine of
respondeat superior when an agent (1) commits a crime (2) within the scope of employment (3)
with the intent to benefit the corporation.

(See also Thomas J. Bernard, "The Historical Development of Corporate Criminal Liability", 22
Criminology 3 1984) 16.2 Here we have a converse situation where the director is sought to be

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.748

made liable for the criminal acts of the company. Nevertheless, what the above two decisions of
the Supreme Court show is that as far as the IPC is concerned there is no automatic criminal
liability of a director where the company is arraigned as an accused.

17. The absence of such a provision in the IPC could be viewed as a lacuna but is not to be
lightly presumed as there have been numerous statutes enacted by Parliament thereafter which
have incorporated such provisions. For instance, Section 85 IT Act is similarly worded as
Section 141 NI Act and incorporates a deemed criminal liability of the director. The IT Act
amends certain provisions of the IPC as well. But Parliament has chosen not to make any
amendment to incorporate such a provision in the IPC. The Court has therefore to proceed with
the law as it exists, particularly since it is a penal statute which admits of strict construction.

LA
18. Does this mean that a Director or employee of a company can never be made an accused?

IM
The answer has to be in the negative. What it means is that if the prosecution seeks to make a
Director or an employee of a Company, which is the principal accused, liable for an IPC offence,
SH
then it will have to make out a case against such person in his or her individual capacity. The
precise role of the person concerned in the actions of the company which led to the offence will
have to be proved.
LU

19.1 Turning to the case on hand, it is urged by the prosecution that there are enough averments
in the charge sheet to establish a prima facie case against the petitioner even in his individual
PN

capacity and not merely in his capacity as MD of BIPL. It is submitted that the charge sheet may
not contain the precise words but when read as a whole does bring out the prima facie case
H

against the petitioner not only in his designation a the MD of baazee.com but as an individual as
well. In the written submission filed by the State it is asserted that there are "specific averments
explicitly describing the role of the petitioner in commission of the offence under Section 292 &
294 IPC and Section 67 IT Act by his acts and illegal omissions...." It is further sought to be
argued that the charge sheet cannot be complete or accurate thesis of the prosecution case.
Reliance is placed on the decision of the Supreme Court in R.K. Dalmia v. Delhi Administration
. It is further submitted that "it is wrong to say that the petitioner was charge sheeted and
cognizance was taken simply owing to his designation. The offence by the petitioner have been
committed by him individually though acting in his capacity as the Managing Director of the
company." Elsewhere in the written submission of the State it is averred as under:

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.749

It is wrong to suggest that the company merely facilitated the sale between the parties to the
transaction while in fact the company was an indispensable ally for the completion of the
transaction as is demonstrable from the flow chart.

19.2 The reference here is to a flow chart that the Court had asked the parties to produce which
would show the chain of transactions from the stage of the registration of a seller to the ultimate
delivery of the product to the buyer. Reliance has been placed by the prosecution on the
judgment in Keshub Mahindra v. State of Madhya Pradesh and Sushil Ansal v. State 2002 Crl LJ
1369 to contend that the liability for the IPC offences, where the company is the main accused

LA
would also be attached to the directors.

19.3 In order to appreciate these submissions the relevant paragraphs of the charge sheet may be

IM
noticed:
SH
The user agreement, downloaded from the site and details seized from, Sharat Digumarti,
indicates that arrangements arrived at between buyers and sellers are bipartite agreements with
no responsibility of Baazee.com whatsoever. However, in this case Baazee.com acted as an agent
LU

of the seller as it had taken a commission on the sale. The clip was priced at Rs 125/- each, but
billed at Rs. 128/- each with Rs3/- as commission per sale. This commission was credited to
PN

PaisaPay, a division of Baazee.com. The website Baazee.com had installed a program which
runs SQL cron jobs or checks the written words place by the sellers against a set of banned and
suspect words. The web portal is a public domain and can be accessed and read by just anyone.
H

The language of the advertisement placed on the website was quite explicit and left nothing for
the reader to imagine. The website was committed to block off offending words through
appropriate filters, as per Clause 1.12.4 Schedule 'C' Part II: Terms & Conditions of the ISP
guidelines, issued by the Government of India, which clearly states therein that "The Licensee
shall ensure that objectionable, obscene, unauthorized or any other content, messages or
communications infringing copyright, Intellectual Property right and International and domestic
Cyber Laws, in any form or inconsistent with the laws of India, are not carried in his network,
the ISP should take all necessary measures to prevent it." However, in-spite of the filters having
the word 'sexual' in its list, the program of Baazee.com failed to block off the offending

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.750

advertisement. Further, in-spite of being categorically informed by one of the users' thread
sincp@sify.com on 27.11.2004 at 8.20 p.m. the company, Baazee.com a 24 x 7 platform, failed
to act to stop the sale, immediately. All through the day on 28.11.2004 the sale was going on
unabated and it was finally closed on 29.11.04.

The language of the advertisement written down and represented by accused Ravi Raj, on the
website clearly conveyed the meaning that school children were involved in explicit sexual act.
Further the portal has charged and received commission on the sale of the offending clip. The
portal knew of the illegality of the fact, as the same was blocked on 29.11.04 but still chose to
profit form it by appropriating the commission, 15 days later. The investigation proves that
Avnish Bajaj as the MD of Baazee.com as well as Sharat Digumarti as Head Fraud and Risk

LA
Control, had knowledge of the contravention, through the Community Watch scheme. In spite of
being informed, the item was not blocked for 38 hours. 75% of all sales took place after the web

IM
portal was informed about it. The filters that were put up by the website were also grossly
inadequate. In spite of the word 'sexual' (at serial number 70) the word 'dps' (at serial number
SH
106) and word 'RKP' (at serial number 110) existing in the suspect list, their program was not
able to detect and block the advertisement which carried the same word. Likewise words like
Avnish Bajaj was the domain administrator and all policy decisions were made through him. In
LU

spite of the hue and cry made in the media about the issue, the policy makers for the website did
not put the names like DPS, RKPuram on their watch list till after the case was registered.
PN

After having gathered enough evidences to establish that the porn video film was listed for sale,
that it was actually purchased by at least 8 buyers, that the clipping was delivered to 8 buyers as
H

email attachment through Baazee.com, that payments were passed on to the accused Ravi Raj
col. No. 4., after deducting due commissions, that in spite of being categorically informed by one
of the users thread sincp@sify.com on 27.11.04 at 8.20 P.M. Baazee.com failed to act to stop the
sale, immediately, but closed it only after 38 hours, accused Avnish Bajaj, CEO of Baazee.com
mentioned in Col. No. 4 was arrested on 17.12.04.

Avnish Bajaj at the time, when the said porn clip was sold and brought through Baazee.com. was
the Managing Director of the Company, Baazee.com India Ltd. He was in charge for the Indian
operations of the Company and was responsible for policy decisions, planning, control and
overall supervision of day to day functioning of the organization. The profile on

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.751

checkdomain.com also listed Avnish Bajaj as the administrative contact of Baazee.com. The
issue of sale of pornographic CDs involving of two adolescents was widely in the media in the
first week of Nov. 2004. However no operative or policy changes were affected by the Company.
Baazee.com to prevent the listing/display/sale of the same on the portal. Although, the accused
company claimed that filters existed to block such objectionable materials, investigations
revealed that the claims made by the company were a mere eyewash. The filters were found to be
rudimentary, grossly inadequate and perfunctory. Various other interactive web portals like
jeevansaathi.com, naukri.com etc. adopt various measures like delayed insertion and regular
online monitoring. This even the established industry norms, to prevent offensive content from
coming up on websites were totally ignored. The accused company was even alerted by a

LA
customer on 27.11.04 itself, but the site was de-listed as "closed" only after 38 hours. Even after
being closed it remained lodged in the closed item list for the general public to access and see.

IM
The payments received were routed through PaisaPay, another division of Baazee.com
facilitating online money transfer and a commission of Rs.3/- per sale transaction was charged.
SH
Although the site was closed on 29.11.04, payments received from the buyers were not blocked
but sent to the seller on 3.12.04. Investigation proves that the MD of Baazee.com, who exercised
control over the day to day functioning of the organization did not exercise due diligence to
LU

prevent the listing of the said obscene and lascivious clipping. The investigation reveals that the
policies and conduct of Baazee.com its MD was designed to increase sale and maximize profits.
PN

Safeguard of prevailing moral values and prurient interests of any person in particular and the
society at large was not a pressing agenda. The investigations found that the policy makers of the
company were negligent in dealing with the matter and failed to exercise due diligence.
H

19.4 The other relevant portions in the charge sheet are: "Further, subsequent to the registration
and arrest in this case, the domain and the network contact information for the website
Baazee.com had been changed from Baazee.com to ebay.com, the principal company, who now
own the domain name Baazee.com, primarily to insulate the other Directors of the Company
from criminal responsibilities. The domain servers were also relocated by the company to
xxx.EBAYDNS.COM, USA.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.752

Sharat Digumarti was the Senior Manager, Trust and Safety who was responsible for maintaining
the subject and banned key word list and ensuring that no lascivious item is listed for sale on the
website. Sharat Digumarti was responsible for ensuring that no banned and illegal items are
traded on the website. However, he did not take appropriate measures to ensure that the list of
the banned and suspect words are updated keeping in mind the social and moral norms. Although
the website runs a 24 x 7 operations, no person had been deputed by him from his unit to review
the listings and to respond to alerts generated by the system. This allowed the item to remain
listed for 38 hours after an alert was raised by the Community Watch program. The filters that
have been claimed by the accused as a measure to block objectionable materials were found to be
grossly inadequate during the investigations. Sharat Digumarti has been charge-sheeted on

LA
recognizance without arrest."

The investigation conducted till date have gathered enough evidences against accused persons

IM
Avnish Bajaj, Ravi Raj and Sharat Digumarti Col. No. 4. It has been clearly established that all
the said three accused persons knowing fully well and having reasons to believe, have
SH
sold/transmitted a pornographic/obscene MMS clip causing lascivious impact on citizens by
appealing to their prurient interest for their undue pecuniary gains. Hence the present charge
sheet has been prepared u/s 292/294 IPC r/w 67 IT Act. It is therefore respectfully prayed that
LU

accused Accused Avnish Bajaj and Ravi Raj col. No. 4 on bail and Sharat Digumarti on
recognizance, may kindly be called through notices and witness through summons for holding
PN

their trial in accordance with law. The list of witnesses, documents and materials exhibits have
also been enclosed.
H

19.5 This Court is unable to agree with the submission of the prosecution that the above contents
of the charge sheet make out a prima facie case against the petitioner for the IPC offence both in
his capacity as MD of BIPL as well as in his individual capacity. When read as a whole, the
charge sheet does not bring out the individual culpability of the petitioner at all. It brings out the
culpability of the company and the reference throughout to the petitioner is in his role as the MD
of such company. A useful contrast can be made with the averments pertaining to Sharat
Digumarti which have been extracted in the earlier paragraph. There the precise role of the
person who was Senior Manager, Trust and Safety, BIPL has been described. As regards the
petitioner, the averment is that he was in charge of policy and planning and was negligent in not

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.753

putting in place sufficient filtering mechanisms. In light of the strict liability principle, this by
itself cannot satisfy the requirement of there being sufficient material against the petitioner to
attract even prima facie the offence against him under Section 292 IPC.

19.6 A director does not automatically become criminally liable for the criminal acts of the
company. If one carefully reads the judgment in Keshub Mahindra it would be clear that UCIL,
the company was itself an accused. It is in that context that the Supreme Court made
observations about the individual liability of the directors. There were specific allegations in the
charge sheet that each of the directors was party to the decision taken by the UCIL concerning
the safety of the Union Carbide Plant. There are no such averments here as to the precise direct
role of the petitioner. Even in the case of Sushil Ansal no such argument appears to have been

LA
advanced that in the absence of the company the directors could still be made accused. It is not
possible to equate the said two decisions with the case on hand because here the company has

IM
not been made an accused at all. In the absence of the company being made an accused and in
the absence of specific allegations concerning the MD of the company, it is not possible to
SH
accept that the submission that the MD can be proceeded against for the IPC offence.

19.7 It was then sought to be argued that even illegal omissions i.e. the failure to do an act would
LU

attract Section 292 IPC. Sections 32 and 35 IPC were referred to for this purpose. The law in
India as regards illegal omissions has been explained in Ambika Prasad v. Emperor and Anna v.
PN

State of Hyderabad AIR 1956 Hyd 99. There must be a legal compulsion to do an act and the
failure to perform such an act would result in illegal omission. Not any and every omission to
perform an act would result in a criminal liability. A reference may be made to the decisions in
H

Queen v. Anthony Udyan (1883) ILR 6 Mad 280 and Basharat v. Emperor AIR 1934 Lahore
813. These provisions will have to be strictly construed. Otherwise each and every omission can
attract criminal liability. The charge sheet when read as a whole can at best be said to bring out a
prima facie case of omission by BIPL which owned the website and not by the petitioner in his
individual capacity.

19.8 The charge sheet discloses that at various stages, in an automated system, roles were
assigned to individual employees of BIPL. There was a separate Manager for Trust and Safety.
When the Community Watch group alerted the website, the matter was first marked to an
employee Namrata then to another employee Swapna Sawant. Even with reference to the flow

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.754

chart, the prosecution was unable to show at what stages the petitioner as MD was himself
directly involved in the screening of the listing or its subsequent removal. In the circumstances, it
would be a mere surmise that the petitioner was himself responsible for the offence. There must
be a specific allegation in the charge sheet that, despite knowing the failure of the filters, he
nevertheless did nothing about it. There is no such averment in the charge sheet. In fact the
liability sought to be attached to the petitioner is only in his capacity as MD of the company and
not in his individual capacity. Therefore it is not possible to accept the argument of the
prosecution that the doctrine of illegal omission results in a criminal liability being attached to
the petitioner here.

20.1 Next, we turn to the offence under Section 67 of the IT Act vis-à-vis the petitioner here. For

LA
this it is necessary to reproduce Section 85 of the IT Act which reads as under:

IM
Section 85 - Offences by companies (1) Where a person committing a contravention of any of
the provisions of this Act or of any rule, direction or order made thereunder is a company, every
SH
person who, at the time the contravention was committed, was in charge of, and was responsible
to, the company for the conduct of business of the company as well as the company, shall be
guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
LU

Provided that nothing contained in this sub-section shall render any such person liable to
punishment if he proves that the contravention took place without his knowledge or that he
PN

exercised all due diligence to prevent such contravention.

(2) Notwithstanding anything contained in Sub-section (1), where a contravention of any of the
H

provisions of this Act or of any rule, direction or order made thereunder has been committed by a
company and it is proved that the contravention has taken place with the consent or connivance
of, or is attributable to any neglect on the part of, any director, manager, secretary or other
officer of the company, such director, manager, secretary or other officer shall also be deemed to
be guilty of the contravention and shall be liable to be proceeded against and punished
accordingly.

Explanation.-For the purposes of this section,-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.755

(i) "company" means any body corporate and includes a firm or other association of individuals;
an

(ii) "director", in relation to a firm, means a partner in the firm.

20.2 There are two parts to Section 85 IT Act. The first part says "where a person committing a
contravention of any of the provision of this Act or of any rule, direction or order made
thereunder is a company." On a plain reading of the provision, therefore, the company has to
necessarily be found to be in contravention of a provision of the IT Act. In such event, the
deeming provision in the second part gets attracted. This attaches a deemed criminal liability on
a person who, at the time of commission of the offence, was in "charge of, and was responsible

LA
to, the company". This deemed liability shifts the burden of proof to the individual who is in
charge of the affairs of the company.

IM
20.3 The question whether in the absence of arraigning the company as an accused, such a
deemed criminal liability can attach to the directors was first addressed in the judgment of a
SH
Bench of the three Judges of Supreme Court in State of Madras v. C.V. Parekh . There the
Manager and Managing Director of Microtec Castings (P) Ltd. were made the accused along
with two other accused who were a godown clerk and the representative to another company
LU

G.Ranji and Co. The company itself i.e. the Microtec Castings (P) Ltd. was not made an accused.
They were charged with having committed a contravention of Clause 5 of the Iron and Steel
PN

Control Order, 1956 which is framed under the Essential Commodities Act, 1955. The Supreme
Court acquitted the accused and in para 3 of the judgment it was observed as under (SCC, p.
H

493):

3. Learned Counsel for the appellant, however, sought conviction of the two respondents on the
basis of Section 10 of the Essential Commodities Act under which, if the person contravening an
order made under Section 3 (which covers an order under the Iron and Steel Control Order,
1956) is a company, every person who, at the time the contravention was committed, was in
charge of, and was responsible to, the company for the conduct of the business of the Company
as well as the company, shall be deemed to be guilty of the contravention and shall be liable to
be proceeded against and punished accordingly. It was urged that the two respondents were in
charge of, and were responsible to, the company for the conduct of the business of the company

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.756

and, consequently, they must be held responsible for the sale and for thus contravening the
provisions of Clause 5 of the Iron and Steel (Control) Order. This argument cannot be accepted,
because it ignores the first condition for the applicability of Section 10 to the effect that the
person contravening the order must be a company itself. In the present case, there is no finding
either by the Magistrate or by the High Court that the sale in contravention of Clause 5 of the
Iron & Steel (Control) Order was made by the Company. In fact, the Company was not charged
with the offence at all. The liability of the persons in charge of the Company only arises when
the contravention is by the Company itself. Since, in this case, there is no evidence and no
finding that the Company contravened Clause 5 of the Iron & Steel (Control) Order, the two
respondents could not be held responsible. The actual contravention was by Kamdar and

LA
Villabhadas Thacker and any contravention by them would not fasten responsibility on the
respondents. The acquittal of the respondents is, therefore, fully justified. The appeal fails and is

IM
dismissed.

20.4. Later, a two-Judge Bench of the Supreme Court in Sheo Ratan Agarwal v. State of Madhya
SH
Pradesh while dealing with the same provision held as under (SCC, p.354):

5. ...The Section appears to our mind to be plain enough. If the contravention of the order made
LU

Under Section 3 is by a Company, the persons who may be held guilty and punished are (1) the
Company itself (2) every person who, at the time the contravention was committed, was in
PN

charge of, and was responsible to, the Company for the conduct of the business of the Company
whom for short we shall describe as the person-in-charge of the Company, and (3) any director,
manager, secretary or other officer of the Company with whose consent or connivance or
H

because of neglect attributable to whom the offence has been committed, whom for short we
shall describe as an officer of the Company. Any one or more or all of them may be prosecuted
and punished. The Company alone may be prosecuted. The person-in-charge only may be
prosecuted. The conniving officer may individually be prosecuted. One, some or all may be
prosecuted. There is no statutory compulsion that the person-in-charge or an officer of the
Company may not be prosecuted unless he be ranged alongside the Company itself. Section 10
indicates the persons who may be prosecuted where the contravention is made by the Company.
It does not lay down any condition that the person-in-charge or an officer of the Company may
not be separately prosecuted if the Company itself is not prosecuted. Each or any of them may be

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.757

separately prosecuted or along with the Company. Section 10 lists the person who may be held
guilty and punished when it is a Company that contravenes an order made Under Section 3 of the
Essential Commodities Act. Naturally, before the person-in-charge or an officer of the Company
is held guilty in that capacity it must be established that there has been a contravention of the
Order by the Company.

20.5 In the same paragraph of Sheo Ratan Agarwal, the above highlighted portions of the
judgment in C.V. Parekh were explained thus (SCC, p.355):

That should be axiomatic and that is all that the Court laid down in State of Madras v. C.V.
Parekh (supra) as a careful reading of that case will show and not that the person-in-charge or an

LA
officer of the Company must be arraigned simultaneously along with the Company if he is to be
found guilty and punished. The following observations made by the Court clearly bring out the

IM
view of the Court:

It was urged that the two respondents were in charge of, and were responsible to, the company
SH
for the conduct of the business of the Company and, consequently, they must be held responsible
for the sale and for thus contravening the provisions of Clause 5 of the Iron and Steel (Control)
Order. This argument cannot be accepted, because it ignores the first condition for the
LU

applicability of Section 10 to the effect that the person contravening the order must be a
company itself. In the present case, there is no finding either by the Magistrate Or by the High
PN

Court that the sale in convention of Clause 5 of the Iron & Steel (Control) Order was made by
the Company. In fact, the Company was not charged with the offence at all. The liability of the
H

persons in charge of the Company only arises when the contravention is by the Company itself.
Since, in this case, there is no evidence and no finding that the Company contravened Clause 5
of the Iron & Steel (Control), Order the two respondents could not be held responsible. The
actual contravention was by Kamdar and Villabhadas Thacker and any contravention by them
would not fasten responsibility on the respondents.

The sentences underscored by us clearly show that what sought to be emphasised was that there
should be a finding that the contravention was by the Company before the accused could be
convicted and not that the Company itself should have been prosecuted along with the accused.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.758

We are therefore clearly of the view that the prosecutions are maintainable and that there is
nothing in Section 10 of the Essential Commodities Act which bars such prosecutions.

20.6 Although it was urged by learned Senior Counsel for the petitioner that the above
observations of the two-Judge Bench of the Supreme Court are contrary to what was held by the
larger bench of three judges in C.V. Parekh, on a careful reflection this Court is of the view that
the judgment in Sheo Rattan Agarwal is a possible view to take of what was in fact held by the
Supreme Court in C.V. Parekh.

20.7 The next important decision in this regard is U.P. Pollution Control Board v. Messers Modi
Distillery and Ors. . There the question that arose was whether without making the company an

LA
accused in a case involving the offences under Sections 47 of the Water (Prevention and Control
of Pollution) Act 1974, the directors of that company could be made liable. The said provision

IM
was one that provided for a deemed criminal liability of the director. The Single Judge of the
Allahabad High Court had discharged the directors on the ground that the company being an
SH
accused was a pre-requisite to proceeding against the directors. Reversing the decision of the
High Court, the Supreme Court held (SCC, p.689-690)

6. The learned Single Judge has focussed his attention only on the technical flaw in the
LU

complaint and has failed to comprehend that the flaw had occurred due to the recalcitrant attitude
of Modi Distillery and furthermore the infirmity is one which could be easily removed by having
PN

the matter remitted to the Chief Judicial Magistrate with a direction to call upon the appellant to
make the formal amendments to the averments contained in para 2 of the complaint so as to
H

make the controlling company of the industrial unit figure as the concerned accused in the
complaint. All that has to be done is the making of a formal application for amendment by the
appellant for leave to amend by substituting the name of Modi Industries Limited, the company
owning the industrial unit, in place of Modi Distillery. Although as a pure proposition of law in
the abstract the learned Single Judge's view that there can be no vicarious liability of the
Chairman, Vice-Chairman, Managing Director and members of the Board of Directors under
Sub-section (1) or (2) of Section 47 of the Act unless there was a prosecution against Modi
Industries Limited, the company owning the industrial unit, can be termed as correct, the
objection raised by the petitioners before the High Court ought to have been viewed not in
isolation but in the conspectus of facts and events and not in vacuum. We have already pointed

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.759

out that the technical flaw in the complaint is attributable to the failure of the industrial unit to
furnish the requisite information called for by the Board. Furthermore, the legal infirmity is of
such a nature which could be easily cured. Another circumstance which brings out the narrow
perspective of the learned Single Judge is his failure to appreciate the fact that the averment in
para 2 has to be construed in the light of the averments contained in paras 17, 18 and 19 which
are to the effect that the Chairman, Vice-Chairman, Managing Director and members of the
Board of Directors were also liable for the alleged offence committed by the Company.

20.8 The decision in Sheo Ratan Agarwal was reiterated in Anil Hada v. Indian Acrylic Ltd.
where the Supreme Court was interpreting Sections 138 and 141 of the NI Act. That was a case
where the company itself had not been made an accused but its directors were sought to be made

LA
as an accused. The Court noticed C.V. Parekh (but mistakenly to referred to it as a decision of a
two Judge Bench) and proceeded to hold: "But if a company is not proceeded due to any illegal

IM
snag or otherwise, the other prosecuted persons cannot, on that score alone, escape from the
penal liability through the legal fiction envisaged in Section 141 of the Act." The Court in Anil
SH
Hada also took note of the observations in Modi Distillery and explained that they "were obiter.
That apart, the law on the point was specifically discussed and dealt with in Sheoratan Aggarwal
with which we are in respectful agreement."
LU

20.9 Therefore, in light of the law explained in the decisions of the Supreme Court after C.V.
PN

Parekh, it appears that without the company being made an accused, its directors can be
proceeded against under Section 67 read with Section 85 IT Act. There is another factor which
weighs with this Court. At the present stage, it is too early to conclude that the company will
H

never be made an accused. It is possible, following the dictum in SWIL that the trial court may at
any stage hereafter summon the company to face trial for the offence under Section 67 IT Act. In
SWIL the Supreme Court relied on the earlier decision in Raghubans Dubey v. State of Bihar
and held (SCC, p. 689):

6...After taking cognizance of the offence, the Magistrate under Section 204 CrPC is empowered
to issue process to the accused. At the stage of issuing process, it is for the Magistrate to decide
whether process should be issued against particular person/persons named in the charge-sheet
and also not named therein. For that purpose, he is required to consider the FIR and the
statements recorded by the police officer and other documents tendered along with charge-sheet.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.760

Further, upon receipt of police report under Section 173(2) CrPC, the Magistrate is entitled to
take cognizance of an offence under Section 190(1)(b) even if the police report is to the effect
that no case is made out against the accused by ignoring the conclusion arrived at by the
investigating officer and independently applying his mind to the facts emerging from the
investigation by taking into account the statement of the witnesses examined by the police. At
this stage, there is no question of application of Section 319 CrPC.

20.10 In that event, the difficulty in the petitioner being proceeded against may not arise at all.
Prima facie there appears to be sufficient material to summon the company. In fact the Supreme
Court in Modi Distillery observed that the trial court could overcome such technical objection by
directing the arraigning of the company as an accused as otherwise it would be "a travesty of

LA
justice." For the above reasons it is not possible to hold that not even a prima facie is made out
against the petitioner for the offence under Section 67 read with Section 85 IT Act.

IM
21. An end note before summarizing the conclusions. As this case reveals, the law in our country
SH
is not adequate to meet the challenge of regulating the use of the internet to prevent
dissemination of pornographic material. It may be useful to look at the legislative response in
other common law jurisdictions. In the United States, there have been three legislations that have
LU

dealt with censorship of pornographic material on the internet: the Communications Decency Act
(CDA), which was enacted as a part of the Telecommunications Act of 1996, the Child Online
PN

Protection Act 1998 (COPA) and the Children Internet Protection Act 2003 (CIPA). The CDA
sought to prohibit the use of an interactive computer service to send or display in any manner to
those under the age of 18, any communication that depicts or displays sexual or excretory
H

activities in a manner that is patently offensive. This was which was however struck down as
unconstitutional by the U.S. Supreme Court in Reno v. ACLU 521 U.S. 844 (1997). The COPA
narrowed the range of the material prohibited but was also held to be unconstitutional. The
CIPA, which casts a duty on public libraries and schools to install software to block obscene or
pornographic images, was upheld as constitutionally valid by the U.S. Supreme Court in United
States v. American Library Association 539 U.S. 194 (2003). There are nevertheless serious
concerns expressed about the effectiveness of such laws and the challenges that exist in
enforcing prohibition of child pornography on the internet. [For instance, see Heidi Wachs,
"Permissive Pornography: the Selective Censorship of the Internet under CIPA", 11 Cardozo

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.761

Women's L.J. 441] In the United Kingdom, the Obscene Publications Act, 1959 was amended by
the Criminal Justice and Public Order Act of 1994 (CJPOA) to deal with the specific problem of
internet pornography by extending the Act to cover the transmission of electronically stored data.
It makes service providers liable for material placed on the internet by a third party thus
requiring them to monitor material for obscene matter. Further the Protection of Children Act,
1978 was amended by CJPOA, 1994 to include photographs in electronic data format. India may
want to develop a different legislative model to regulate the use of the internet with a view to
prohibiting its use for disseminating child pornographic materials. Nevertheless, the task
deserves the utmost priority.

22. This Court accordingly holds as follows:

LA
(a) The charge sheet when read as a whole brings out a prima facie case attracting the offences

IM
under Section 292(1) (a) and 292 (2) (d) IPC and Section 67 IT Act. However, not even a prima
facie case for the offence under Section 294 IPC is made out.
SH
(b) A prima facie case for the offence under Section 292 (2) (a) and 292 (2) (d) IPC is made out
against BIPL now named as EIPL both in respect of the listing and the video clip respectively.
LU

(c) However, as far as the petitioner Avnish Bajaj is concerned, since the IPC does not recognise
the concept of an automatic criminal liability attaching to the director where the company is an
PN

accused, not even a prima facie case for the offence under Section 292 IPC is made out even
when the charge sheet is read as a whole; it only seeks to implicate him in his designation as MD
of BIPL and not in his individual capacity.
H

(d) Therefore, the petitioner will stand discharged as far as the offences under Sections 292 and
294 IPC are concerned. This will however not affect the case against the other accused.

(e) A prima facie case for the offence under Section 67 read with Section 85 IT Act is made out
against the petitioner since the law as explained by the decisions of the Supreme Court
recognises the deemed criminal liability of the directors even where the company is not arraigned
as an accused and particularly since it is possible that BIPL (EIPL) may be hereafter summoned
to face trial.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.762

(f) Consequently, while the case against the petitioner of the offences under Sections 292 and
294 IPC is quashed, the prosecution of the petitioner for the offence under Section 67 read with
Section 85 IT Act will continue.

23. It is clarified that the learned trial court will proceed to the next stage of passing an order on
charge uninfluenced by the observations in regard to the offences in respect of which it has been
held by this Court that a prima facie case has been made out against the petitioner. The petition
and the application are accordingly disposed of. The interim stay is vacated.

******************************************************************************

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.763

 Syed Asifuddin and Ors.

Vs.

The State of Andhra Pradesh and Ors.

(2005 CRI LJ 4314)

ORDER

V.V.S. Rao, J.

LA
1. These two petitions are filed by different persons under Section 482 of Code of Criminal
Procedure, 1973 (Cr. P. C.) seeking similar relief. Both the matters were admitted on the same

IM
day and since then both the matters are being listed together for being disposed of as such, this
common order covers both the matters. The petitioners in both the matters seek the relief of
SH
quashing F. I. R. No. 20 of 2003 of Criminal Investigation Department (C. I. D.) Police,
Hyderabad, registered under Sections 409, 420 and 120B of Indian Penal Code, 1860 (for short,
IPC), Section 65 of the Information Technology Act, 2000 (for short, IT Act) and Section 63 of
LU

the Copyright Act, 1957 (for short, Copyright Act).

2. The crime was registered against the petitioners on a written complaint given by the Head of
PN

Sales and Marketing Wing of M/s. Reliance Infocomm Ltd., Hyderabad, the second respondent
herein. In the complaint, it is alleged that certain vested elements of the trade of mobile
H

telephone services began to woo the subscribers of Reliance India Mobile (RIM) into various
other schemes promoted by other similar service providers, which would have the impact on the
image as well as the revenues of the second respondent. Reliance Infocomm under Dhirubhai
Ambani Pioneer Offer launched telephone services named as 'Reliance India Mobile' with a view
to make communication affordable to the masses. The same was later modified and the scheme
titled 'POBF, which is the most affordable in the market today. Under the said scheme, the
subscriber gets a digital handset worth Rs. 10.500/- as well as service bundle for three years with
an initial payment of Rs. 3.350/-and monthly outflow of meager Rs. 600/-. The subscriber also
gets one year warranty and insurance for three years. The handset given to the subscriber is third

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.764

generation digital handset with a host of features which are of first of its kind coupled with
attractive tariff options. In view of this, the market response in twin cities has been phenomenal.
This has an impact on the business of other service providers for the reason that those service
providers attempted unethical and illegal practices for weaning away the subscribers of the
second respondent.

3. In the complaint, the modus operandi adopted by other mobile service providers is described
as follows : The subscribers of the second respondent are attracted by making phone calls
impressing upon them that the tariff plans and services provided by others are better than the
services of Reliance Infocomm and also advise them that they have an option to shift the service
provider by paying an amount of Rs. 3,000/~ towards plan charges and deposits if desired are

LA
only Rs. 540/- towards activation fee. Certain unknown persons in Abids, Begumpet, Koti,
Himayatnagar and Malak-pet are making the calls to the subscribers of second respondent. Once

IM
the subscriber agrees that he can keep a world class handset which is proprietary to Reliance and
also enjoy the best tariff plan of the competitor, he is asked to meet any of the business
SH
associates of rival service providers. At the rendezvous, the customer is asked to wait for an hour
and an usher carries the handset to an undisclosed location in Secunderabad for conversion
process, which takes about 45 minutes to an hour and half. During this time, ESN number of
LU

Reliance instrument is hacked by reprogramming and the subscriber is given the handset and
instructed to switch off and switch on the handset later in the day and start enjoying the new
PN

services.

4. After receiving above written complaint lodged by the second respondent through its Head of
H

Sales and Marketing Wing, the senior executive officer of Criminal Investigation Department, on
instructions of the Additional Director General of Police, CID, registered crime No. 20 of 2003
under various provisions of IPC, IT Act and Copyright Act as mentioned hereinabove and took
up investigation. The crime was registered on 31-5-2003. Investigation revealed that all the
handsets of Reliance India Mobile are being migrated to TATA Indicom network at the behest of
TATA Indicom staff members and that same is illegal as there is an agreement between the
manufacturers of the Reliance handsets and Reliance India Mobile Limited. In view of the
statements given by the witnesses, the investigating officer came to a conclusion that prima facie
case is made out against the staff members of TATA Indicom and directed two inspectors to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.765

conduct raids at the Head Office of TATA Indicom situated in Khan Lathif Khan Estate,
Hyderabad. This was ordered in view of specific information received about tampering of
Reliance handsets by the staff members of TATA Indicom. Further on specific information about
similar such practices going on at TATA Indicom centre opposite to Harihara Kala Bhavan,
Secunderabad, the investigating officer along with two other inspectors and panch witnesses
proceeded to LM counter at the above place when one Raj Naren, Officer of TATA Indicom
revealed that the General Manager (Marketing), Madhavan and Anil Ambati, Manager
(Marketing) of TATA Indicom are accepting the handsets belonging to Reliance Infocomm
Limited and re-programming with their network with different tariff packages. At the time of
conducting raid in Secunderabad Office of TATA Indicom, the investigating officer also came

LA
across one Shaik Mustaffa who stated that he purchased handset from Reliance Infocomm
network. Therefore, the investigating officer arrested Raj Naren and Shaik Mustaffa, and seized

IM
two mobile telephone handsets, one each from the possession of the two arrested persons. On
examination, it was found that the handset recovered from Raj Naren is Samsung N191 co-
SH
branded with Reliance with ESN No. 3F7AB 832. The said set was migrated to TATA Indicom
with No. 56376361 allotted by TATA Indicom. Its original Reliance India Mobile number was
31086523. The two accused along with mobile sets were brought to the office of C. I. D., and
LU

kept under surveillance of C. I. D., staff. The team of inspectors sent to the Office of TATA
Indicom at Khan Lathif Khan Estate also arrested Syed Asifuddin, Patlay Navin Kumar and
PN

Khaja/Gareed Nawaj (petitioners in Criminal Petition No. 2601 of 2003) and Manoj (petitioner
No. 2 in Criminal Petition No. 2602 of 2003). Two Samsung N191 co-branded with Reliance re-
programmed handsets with distinct ESN and serial numbers were also seized along with 63
H

application forms of persons who migrated from Reliance India Limited to TATA Indicom along
with the affidavits. After getting the details of the search team, the investigating officer filed
remand report before the Court of IX Metropolitan Magistrate, Hyderabad on 3-6-2003. In the
remand report, it is further stated as under :

The investigation made so far revealed that the Reliance Infocomm is offering under Dhirubhai
Ambani Pioneer Scheme a third generation digital handset costing about Rs. 10.500/- for a mere
payment of Rs. 3.350/- with a condition to sail with their network for a period of 3 years with
option to exit either by surrendering the handset or paying the cost of the handset to the
company. Investigation also reveals that there is an agreement existing between the Samsung

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.766

manufacturers and LG manufacturers With Reliance Infocomm regarding their exclusive models
Samsung N191 and LG-2030. These model handsets are to be exclusively used by Reliance India
Mobile Limited only. In contravention to the above contract the TATA Indicom staff members
who are figured as an accused are tampering with pre-programmed CDM-A digital, handsets
belonging to Reliance Infocomm and activating with their network with all dubious means which
is an offence under Section 65, I.T. Act. Secondly, the customer is not barred from exiting from
the Reliance network as such and to quit from that network he has to fulfil the obligations laid
down in the terms and conditions of the Reliance company. Till the lock in period of 3 years is
over, the handset supplied to the customer by Reliance Infocomm is a joint property of the
company and any kind of transaction on the part of the subscriber without fulfilling the

LA
obligations laid down in the terms and conditions is clear case of Breach of Trust since the
customer has not settled the accounts with the company. Further as the competition between the

IM
CDMA service providers blown out of proportions, the TATA Indicom has hatched a conspiracy
to hijack the customers of Reliance Infocomm by all fraudulent means and as a part of their
SH
Infocomm by all fraudulent means and as a part of their conspiracy trying to woo the customers
of Reliance Infocomm with different tariff packages and trying to trap gullible customers and
succeeded in their attempt to attract their customers and so far as many as 63 customers
LU

belonging to Reliance Infocomm so far migrated to TATA Indicom by illegal means.

5. These two petitions came to be filed on 17-6-2Q03 for quashing crime No. 20 of 2003 by the
PN

means of TATA Indicom. While admitting the petitions, this Court passed orders in criminal
miscellaneous petition No. 3951 of 2003 staying all further proceedings including investigation
H

of the crime pending disposal of the main petition. The Public Prosecutor filed criminal
miscellaneous petition No. 232 of 2005 for vacating the said order. The matters were "finally
heard at that stage itself and are being, disposed of finally.

6. The petitioners in both the petitions are employees of Tata Tele Services Limited (TTSL)
which provides basic telephone services including Wireless in Local Loop (WLL) services on
non-exclusive basis in the service area including State of Andhra Pradesh under the name of Tata
Indicom. All of them are alleged to have committed offences punishable under Sections 420, 409
and 120B of IPC, Section 65 of IT Act and Section 63 of Copyright Act. Learned Senior Counsel
for the petitioner, Sri C. Padmanabha Reddy, submits that it is always open for the subscriber to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.767

change from one service provider to the other service provider and the subscriber who wants to
change from Tata Indicom always takes his handset, to BSNL or to Reliance to get service
connected and to give up services of TTSL. According to the learned counsel, the CDMA
handsets brought to TTSL by subscribers of other service providers are capable of
accommodating two separate lines and can be activated on principal assignment mobile (NAM 1
or NAM 2). The mere activation of NAM 1 or NAM 2 by TTSL in relation to a handset brought
to it by the subscriber of other service provider does not amount to any crime. According to
learned counsel, an offence under Section 409 of IPC is not at all made out even by going
through the FIR, as well as remand report. In the absence of dishonest appropriation or
conversion to their own use, alleged criminal breach of trust by the petitioners does not arise.

LA
IM
7. The learned Senior Counsel also submits that there was no allegation against the petitioners
that they deceived the second respondent fraudulently and dishonestly to deliver the property or
SH
to retain the property and therefore the offence of cheating under Section 420 of IPC does not
arise: As Section 120B of IPC is relatable only to the offences under Sections 490 and 420 of
IPC, the charge under Section 120B of IPC is misconceived. Insofar as the offence under Section
LU

65 of IT Act is concerned, the submission of the learned Senior Counsel is as follows : A

telephone handset is not a computer nor a computer system containing a computer programme.
PN

Alternatively, in the absence of any law which is in force requiring the maintenance of
"computer source code", the allegation that the petitioners concealed, destroyed or altered any
computer source code, is devoid of any substance and therefore the offence of hacking is absent.
H

In the absence of any allegation by the second respondent that they have a copyright to the
source code of the computer programme in the handsets supplied by second respondent, the
infringement of copyright does not arise. He lastly submits that the allegation that TTSL has a
subscriber base of 100 thousand (one lakh) customers in Andhra Pradesh and therefore there was
no necessity for TTSL to woo the customers/subscribers of second respondent.

8. The learned Additional Public Prosecutor, Sri H. Prahlad Reddy and the learned counsel for
the second respondent, Sri D. Seshadri Naidu, submit that when a cognizable offence under
various provisions of different statutes is registered and investigation is pending, this Court
cannot quash the F. I. R., at the stage of investigation. After conducting appropriate preliminary

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.768

investigation and examining witnesses the police have come to the conclusion that the petitioners
have committed offences involving highly technical aspects, and therefore unless and until
proper evidence is let in before the criminal Court, on mere assertions of the accused a crime
cannot be quashed. They would contend that the cell phone handsets with CDMA technology
supplied by the second respondent to its subscribers are dedicated to Reliance Indicomm Limited
and by interfering with the computer programme and converting the handsets to be responsive to
the technology adopted by TTSL is itself an offence and therefore these petitions are not
maintainable.

9. The submission of the learned Senior Counsel that even if the allegations in F. I. R., are taken
to be true, an offence under Sections 409, 420 and 120B of IPC, is not made put has force.

LA
Admittedly, a subscriber of second respondent is given a mobile phone instrument and
connection with an understanding that the subscriber has exclusive right to use the phone. If the

IM
accused allegedly induced the subscriber of the second respondent to opt for the services
provided by TTSL, an offence under Section 409 of IPC., cannot be said to have made out.
SH
Section 405 of IPC, defines 'criminal breach of trust The offence of criminal breach of trust
requires entrustment with property and dishonest use or disposal of the property by the person to
whom the property is entrusted. Both these things are absent. There is no allegation that the
LU

property in respect of which the second respondent has right was entrusted to TTSL or its
employees who are the petitioners herein. Similarly, an offence of cheating as defined under
PN

Section 415 of IPC., is not at all made out because a subscriber of second respondent was never
induced to deliver the property to TTSL nor there was dishonest or fraudulent inducement by the
H

petitioners of the second respondent or its subscribers to deliver the property. Indeed the delivery
of the property as such is not present in the case. In so far as offence of Section 120B of IPC, is
concerned, the same is made in relation to alleged offence under Sections 409, 420 and 120B of
IPC., and therefore the petitioners cannot be prosecuted for offences under Sections 409, 420 and
120B of IPC. Insofar as these alleged offences are concerned, if any criminal trial is conducted,
the same Would result in miscarriage of justice for as held by the Supreme Court in State of
West Bengal v. Swapan Kumar, MANU/SC/0120/1982 : 1982 Cri LJ 819 and State of Haryana
v. Bhajan Lal, MANU/SC/0115/1992 : 1992 Cri LJ 527, when the F.I.R., does not disclose
commission of cognizable offence, the police have no power to investigate such offence. In such

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.769

a case, this Court would be justified in quashing investigation on the basis of information laid
with the police.

10. The petitioners are also alleged to have committed offences under Section 63 of Copyright
Act and Section 65 of IT Act. In the considered opinion of this Court, it would be necessary first
to deal with the allegations separately and then deal with the case of the prosecution on the basis
of prima facie conclusions. Before doing so, it is necessary to briefly mention about computer
and computer source code.

11. The I.T. Act defines computer in clause (i) of Section 2(1) of the Act. According to the
definition, 'computer' means any electronic, magnetic, optical or other high speed data processing

LA
device or system which performs logical, arithmetic and memory functions by manipulations of
electronic, magnetic or optical impulses, and includes all input, output, processing, storage,

IM
computer software or communication facilities which are connected or related to the computer in
a computer system or computer network. 'Computer system' is defined in clause (1) of Section
SH
2(1) of I.T. Act, as to mean a device or collection of devices, including input and Output support
devices which are programmable, capable of being used in conjunction with external files which
contain computer programmes, electronic instructions, data storage and retrieval and
LU

communication control. The I.T. Act also defines 'computer network' in clause (j) of Section 2(1)
of the Act, which reads as under :
PN

(j) computer network' means the interconnection of one or more computer through-

(i) the use of satellite, microwave, terrestrial line or other communication media; and
H

(ii) terminals or a complex consisting of two or more interconnected computers whether or not
the interconnection is continuously maintained;

12. A reading of clauses (i), (j) and (1) of Section 2(1) of the I.T. Act would show that any
electronic, magnetic or optical device used for storage of information received through satellite,
microwave or other communication media and the devices which are programmable and capable
of retrieving any information by manipulations of electronic, magnetic or optical impulses is a
computer which can be used as computer system in a computer network.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.770

13. A computer has to be appropriately instructed so as to make it work as per its specifications.
The instructions issued .to the computer consists of a series of Os and is in different permutations
and combinations. This machine language can be in different form in different manner, which is
called computer language. The communicator as well as the computer understand "a language"
and mutually respond with each other. When specified or particular instructions are given,
having regard to the capacity of the computer it performs certain specified functions. The
instructions or programme given to computer in a language known to the computer are not seen
by the users of the computer/consumers of computer functions. Known as source code in
computer parlance, the programme written in whatever computer language by the person who
assembled the programme are not seen by the users. A source code is thus a programme as

LA
written by the programmer. Every computer functions as a separate programme and thus a
separate source code.

IM
14. Computer source code or source code, or just source or code may be defined as a series of
statements written in some human readable computer programming language constituting several
SH
text files but the source code may be printed in a book or recorded on a tape without a file
system, and this source code is a piece of computer software. The same is used to produce object
code. But a programme to be run by interpreter is not carried out on object code but on source
LU

code and then converted again. [Diane Rowland and Elizabeth Macdonald : Information
Technology Law; Canandish Publishing Limited; (1997). p. 17] Thus, source code is always
PN

closely guarded by the computer companies, which develop different function specific computer
programmes capable of handling various types of functions depending on the need. The law as
H

we presently see is developing in the direction of recognizing a copyright in the source code
developed by a programmer. If source code is copied, it would certainly violate copyright of
developer. With this brief background in relation to computer source code, we may now consider
in brief the technological aspects of a cell phone and how it works. This is necessary to
understand the controversy involved in this case.

15. Alexander Graham Bell invented telephone in 1876. This enabled two persons at two
different destinations to communicate with each other through a network of wires and
transmitters. In this, the sound signals are converted into electrical impulses and again re-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.771

converted into sound signals after reaching the destination. The radio communication was
invented by Nikolai Tesla in 1880, which was formerly presented by Guglielmo Marconi in
1894. A combination of telephone technology and radio technology resulted in radio telephone,
which became very popular as technology advanced. Two persons can communicate with each
other through radio telephone without there being any intervention of network of wires and other
infrastructure. The radio signals travel through atmosphere medium and remain uninterrupted as
long as the frequency at which radio signals travel is not disturbed. The science realized that the
radio telephone communication required heavy equipment by way of powerful transmitter and
that it can facilitate only 25 people to use the system. The problem was solved by
communication technology by dividing a large area like a city into small cells and any two

LA
persons connected to a cell system - at a time receive 800 frequencies and crores of people can
simultaneously communicate with each other at the same time. That is the reason why the term

IM
'cell mobile phone or cell phone'.
SH
16. In the cell technology, a person using a phone in one cell of the division will be plugged to
the central transmitter, which will receive the signals and then divert the signals to the other
LU

phone to which the same are intended. When the person moves from one cell to other cell in the
same city, the system i.e., Mobile Telephone Switching Office (MTSO) automatically transfers
PN

signals from tower to tower when the telephone user moves from one division to another. [How
Cell Phones Work? See website -http://electronics, howstuffworks. com. Much of the
information on technological aspects of Cell Phones is taken from this. cell phone, it looks the
H

database and diverts the call to that cell phone by picking up frequency pair that is used by the
receiver cell phone.] Another advantage in a cell phone compared with radio phone is that when
the radio phone is used, one person can talk at a time as both the persons can communicate
simultaneously and also receive sound signals simultaneously.

17. All cell phone service providers like Tata Indicom and Reliance India Mobile have special
codes dedicated to them and these are intended to identify the phone, the phone's owner and the
service provider. To understand how the cell phone works, we need to know certain terms in cell
phone parlance. System Identification Code (SID) is a unique 5-digit number that is assigned to
each carrier by the licensor. Electronic Serial Number (ESN) is a unique 32-bit number

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.772

programmed into the phone when it is manufactured by the instrument manufacturer. Mobile
Identification Number (MIN) is a 10-digit number derived from cell phone number given to a
subscriber. When the cell phone is switched on, it listens for a SID on the control channel, which
is a special frequency used by the phone and base station to talk to one another about things like
call set-up and channel changing. If the phone cannot find any control channels to listen to, the
cell phone displays "no service" message as it is out of range. When cell phone receives SID, it
compares it to the SID programmed into the phone and if these code numbers match, cell knows
that it is communicating with its home system. Along with the SID, the phone also transmits
registration request and MTSO which keeps track of the phone's location in a database, knows
which cell phone you are using and gives a ring. When MTSO gets a call intended to one

LA
18. The essential functions in the use of cell phone, which are performed by the MTSO, is the
central antenna/central transmitter and other transmitters in other areas well-coordinated with the

IM
cell phone functions in a fraction of a second. All this is made possible only by a computer,
which simultaneously receives, analyses and distributes data by way of sending and receiving
SH
radio/electrical signals.

19. So as to match with the system of the cell phone provider, every cell phone contains a circuit
LU

board, which is the brain of the phone. It is a combination of several computer chips
programmed to convert analog to digital [Analog - Anything analogous to something else.
PN

Analog computer - A computing machine so designed and constructed as to provide information

H

in terms of physical quantities analogous to those in which the problems are formulated.

Digital - 1. Of, pertaining to, or like the fingers or digits 2. Digitate. 3. Showing information,
such as numerals, by means of electronics : digital watches.

Digital computer - An electronic computing machine which receives problems and processes the
answers in numerical form, especially one using the binary system.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.773

(See "The New International Webster's Comprehensive Dictionary of the English Language",
Encyclopedic Edition, 2003 edn., pp. 52 and 358).]

and digital to analog conversion and translation of the outgoing audio signals and incoming
signals. This is a micro-processor similar to the one generally used in the compact disk of a
Desktop computer. Without the circuit board, cell phone instrument cannot function. Therefore,
it is not possible to accept the submission that a cell phone is not a computer. Even by the very
definition of the computer and computer network as defined in IT Act, a cell phone is a computer
which is programmed to do among others the function of receiving digital audio signals, convert
it into analog audio signal and also send analog audio signals in a digital form externally by
wireless technology.

LA
20. The main allegation against the petitioners is that the MIN of Reliance phone is irreversibly

IM
integrated with ESN and the petitioners hacked ESN so as to wean away RIM customers to
TATA Indicom service. The question is whether the manipulation of this electronic 32-bit
SH
number (ESN) programmed into Samsung N191 and LG-2030 cell phone instrument exclusively
franchised to second respondent amounts to altering source code used by these computer
handsets i.e., cell phone instruments. In the background facts, a question would also arise
LU

whether such alteration amounts to hacking with computer system? If the query answered in the
affirmative, it is always open to the police to alter the F. I. R., or it is always open to the criminal
PN

Court to frame a charge specifically with regard to hacking with computer system, which is an
offence under Section 66 of the IT Act. At this stage, we may read Sections 65 and 66 of the IT
At.
H

65. Tampering with computer source documents :- Whoever knowingly or intentionally

conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy, or
alter any computer source code used for a computer, computer programme, computer system or
computer network, when the computer source code is required to be kept or maintained by law
for the time being in force, shall be punishable with imprisonment up to three years, or with fine
which may extend up to two lakh rupees, or with both.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.774

Explanation.- For the purposes of this, "computer source code" means the listing of programmes,
computer commands, design and layout and programme analysis of computer resource in any
form.

66. Hacking with Computer System :- (1) Whoever with the intent to cause or knowing that he is
likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters
any information residing in a computer resource or diminishes its value or utility or affects it
injuriously by any means, commits hacking.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with
fine which may extend up to two lakh rupees, or with both.

LA
21. The offence of tampering with computer source documents under Section 65 of the IT Act is
made out when a person,

IM
(i) intentionally conceals, destroys or alters a computer source code used for a computer,
SH
computer programme, computer system or computer network;

(ii) intentionally or knowingly causes another to conceal, destroy or alter any computer source
code used for a computer, computer programme, computer system or computer network; and
LU

(iii) (a) However, the offence is made out only when computer source code is required to be kept
PN

or

(b) when computer source code is maintained by law for the time being in force.
H

22. The punishment prescribed by law for the above offence is imprisonment up to three years or
a fine of Rs. 2,00,000/- or both.

23. What is a computer source code is also defined in the Explanation to Section 65 of IT Act,
which reads as under :

Explanation : For the purposes of this, "computer source code" means the listing of programmes,
computer commands, design and layout and programme analysis of computer resource in any
form.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.775

24. By the very definition of 'computer source code,' a) list of programmes; b) computer
commands; (c) design and layout and d) programme analysis of computer resource in any form,
is a 'computer source code' for the purpose of Section 65 of I.T. Act. Going by the definition,
ESN of Samsung N191 model cell phone handset or ESN of LG-2030 model cell phone handset
exclusively used by the second respondent as well as SID of second respondent come within the
definition of computer source code. Every cell phone operator is required to obtain SID from the
licensor i.e., Government of India. Further, ESN is a permanent part of the phone whereas MIN
and SID are programmed into phone when one purchases a service plan and have the phone
activity. When a customer of second respondent opts for its services, the MIN and SID are
programmed into the handset. If some one manipulates and alters ESN, as per the case of second

LA
respondent, Samsung/LG handsets which are exclusively used by them become usable by other
service providers like TATA Indicom. Therefore, prima facie, when the ESN is altered, the

IM
offence under Section 65 of I.T. Act is attracted because every service provider like second
respondent has to maintain its own SID code and also gives a customer specific number to each
SH
instrument used to avail the services provided. The submission that as there is no law which
requires a computer source code to be maintained, an offence cannot be made out, is devoid of
any merit. The disjunctive word "or" is used by the Legislature between the phrases "when the
LU

computer source code is required to be kept" and the other phrase "maintained by law for the
time being in force" and, therefore, both the situations are different. This Court, however, hastens
PN

to add that whether a cell phone operator is maintaining computer source code, is a matter of
evidence. So far as this question is concerned, going by the allegations in the complaint, it
becomes clear that the second respondent is in fact maintaining the computer source code. If
H

there is allegation against any person including the petitioners, certainly an offence under Section
65 of I.T. Act is made out. Therefore, the crime registered against the petitioners cannot be
quashed with regard to Section 65 of the I.T. Act.

25. That takes me to the allegation that the petitioners violated Section 63 of Copyright Act,
1957. So as to keep pace with the advancement in science and technology especially in the field
of communication and data processing, Parliament has amended Copyright Act, 1957 in 1995
bringing within its fold computer programme also as literary work to be protected by Copyright
Act.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.776

26. Section 2(ffb), (fie) and 2(o) of Copyright Act read as under.

2(ffb) "computer" includes any electronic or similar device having information processing
capabilities;

2(ffc) "computer programme" means a set of instructions expressed in words, codes, schemes or
in any other form, including a machine readable medium, capable of causing a computer to
perform a particular task or achieve a particular result;

2(o) "literary work" includes computer programmes, tables and compilations including computer
databases;

LA
27. Section 14 defines the copyright as exclusive right subject to provisions of the Copyright
Act, to do or authorise the doing of any of the Acts enumerated in respect of the work or

IM
substantial part thereof. Section 14(b) of the Copyright Act reads as under :

14. Meaning of copyright.- For the purposes of this Act, "copyright" means the exclusive right
SH
subject to the provisions of this Act, to do or authorise the doing of any of the following acts in
respect of a work or any substantial part thereof, namely :-
LU

(a) omitted.

(b) in the case of a computer programme,-

PN

(i) to do any of the acts specified in Clause (a); (ii) to sell or give on commercial rental or offer
for sale or for commercial rental any copy of the computer programme :
H

Provided that such commercial rental does not apply in respect of computer programmes where
the programme itself is not the essential object of the rental;

(c) and (d) omitted.

28. Therefore, reading Section 2(o), (ffc) and Sections 13 and 14 together, it becomes clear that a
computer programme is by very definition original literary work and, therefore, the law protects
such copyright. Under Section 63 of the Copyright Act, any infringement of the copyright in a
computer programme/source code is punishable. Therefore, prima facie, if a person alters
computer programme of another person or another computer company, the same would be

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.777

infringement of the copyright. Again the entire issue in this regard is subject to the evidence that
may be led by the complainant at the time of trial. This Court, however, examined the
submission of the learned senior counsel for the petitioners in the background of the provisions
of the Copyright Act and observations made herein are not intended to decide the question one
way or the other. The trial Court has to deal with these aspects.

29. As noticed hereinabove, unless and until investigation by the Police into a complaint is
shown to be illegal or would result in miscarriage of justice, ordinarily the criminal investigation
cannot be quashed. This principle is well settled and is not necessary to burden this judgment
with the precedents except making a reference to R.P. Kapoor v. State of Punjab,
MANU/SC/0086/1960 : 1960 Cri LJ 1239 ; State of Haryana v. Bhajan Lal, 1992 Cri LJ 527

LA
(SC) (supra) and State of Tamil Nadu v. Thirukkural Permal, MANU/SC/0615/1995 : [1995] 1
SCR 712 .

IM
30. In the result, for the above reasons, Crime No. 20 of 2003 insofar as it is under Sections 409,
SH
420 and 120B of Indian Penal Code, 1860 is quashed and insofar as the crimes under Section 65
of the Information Technology Act, 2000 and Section 63 of the Copyright Act, 1957, the
criminal petitions are dismissed. The C.I.D. Police, which registered Crime No. 20 of 2003, is
LU

directed to complete investigation and file a final report before the Metropolitan Magistrate
competent to take cognizance of the case within a period of three months from the date of receipt
PN

of this order.

31. The criminal petitions are accordingly dismissed.

H

*************************************************************

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.778

 INTEL CORPORATION

v.

Kourosh Kenneth HAMIDI

1 Cal. Rptr. 3d 32 (2003)

30 Cal. 4th 1342

71 P.3d 296

LA
WERDEGAR, J.

IM
Intel Corporation (Intel) maintains an electronic mail system, connected to the Internet, through
which messages between employees and those outside the company can be sent and received,
SH
and permits its employees to make reasonable nonbusiness use of this system. On six occasions
over almost two years, Kourosh Kenneth Hamidi, a former Intel employee, sent e-mails
criticizing Intel's employment practices to numerous current employees on Intel's electronic mail
LU

system. Hamidi breached no computer security barriers in order to communicate with Intel
employees. He offered to, and did, remove from his mailing list any recipient who so wished.
Hamidi's communications to individual Intel employees caused neither physical damage nor
PN

functional disruption to the company's computers, nor did they at any time deprive Intel of the
use of its computers. The contents of the messages, however, caused discussion among
H

employees and managers.

On these facts, Intel brought suit, claiming that by communicating with its employees over the
company's e-mail system Hamidi committed the tort of trespass to chattels. The trial court
granted Intel's motion for summary judgment and enjoined Hamidi from any further mailings. A
divided Court of Appeal affirmed.

After reviewing the decisions analyzing unauthorized electronic contact with computer systems
as potential trespasses to chattels, we conclude that under California law the tort does not
encompass, and should not be extended to encompass, an electronic communication that neither

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.779

damages the recipient computer system nor impairs its functioning. Such an electronic
communication does not constitute an actionable trespass to personal property, i.e., the computer
system, because it does not interfere with the possessor's use or possession of, or any other
legally protected interest in, the personal property itself. (See Zaslow v. Kroenert (1946) 29 Cal.
2d 541, 551, 176 P.2d 1; Ticketmaster Corp. v. Tickets.com, Inc. (C.D.Cal, Aug. 10, 2000, No.
99CV7654) 2000 WL 1887522,; Rest.2d Torts, § 218.) The consequential economic damage
Intel claims to have suffered, i.e., loss of productivity caused by employees reading and reacting
to Hamidi's messages and company efforts to block the messages, is not an injury to the
company's interest in its computers— which worked as intended and were unharmed by the
communications—any more than the personal distress caused by reading an unpleasant letter

LA
would be an injury to the recipient's mailbox, or the loss of privacy caused by an intrusive
telephone call would be an injury to the recipient's telephone equipment.

IM
Our conclusion does not rest on any special immunity for communications by electronic mail; we
do not hold that messages transmitted through the Internet are exempt from the ordinary rules of
SH
tort liability. To the contrary, e-mail, like other forms of communication, may in some
circumstances cause legally cognizable injury to the recipient or to third parties and may be
actionable under various common law or statutory theories. Indeed, on facts somewhat similar to
LU

those here, a company or its employees might be able to plead causes of action for interference
with prospective economic relations (see Guillory v. Godfrey (1955) 134 Cal. App. 2d 628, 630-
PN

632, 286 P.2d 474 [defendant berated customers and prospective customers of plaintiffs' cafe
with disparaging and racist comments]), interference with contract (see Blender v. Superior
H

Court (1942) 55 Cal. App. 2d 24, 25-27, 130 P.2d 179 [defendant made false statements about
plaintiff to his employer, resulting in plaintiffs discharge]) or intentional infliction of emotional
distress (see Kiseskey v. Carpenters' Trust for So. California (1983) 144 Cal. App. 3d 222, 229-
230, 192 Cal. Rptr. 492 [agents of defendant union threatened life, health, and family of
employer if he did not sign agreement with union].) And, of course, as with any other means of
publication, third party subjects of e-mail communications may under appropriate facts make
claims for defamation, publication of private facts, or other speechbased torts. (See, e.g.,
Southridge Capital Management v. Lowry (S.D.N.Y.2002) 188 F. Supp. 2d 388, 394-396
[allegedly false statements in e-mail sent to several of plaintiffs clients support actions for
defamation and ` interference with contract].) Intel's claim fails not because e-mail transmitted

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.780

through the Internet enjoys unique immunity, but because the trespass to chattels tort—unlike the
causes of action just mentioned—may not, in California, be proved without evidence of an injury
to the plaintiffs personal property or legal interest therein.

Nor does our holding affect the legal remedies of Internet service providers (ISP's) against
senders of unsolicited commercial bulk e-mail (UCE), also known as "spam." (See Ferguson v.
Friendfinders, Inc. (2002) 94 Cal. App. 4th 1255, 1267, 115 Cal. Rptr. 2d 258.) A series of
federal district court decisions, beginning with CompuServe, Inc. v. Cyber Promotions, Inc.
(S.D.Ohio 1997) 962 F. Supp. 1015, has approved the use of trespass to chattels as a theory of
spammers' liability to ISP's, based upon evidence that the vast quantities of mail sent by
spammers both overburdened the ISP's own computers and made the entire computer system

LA
harder to use for recipients, the ISP's customers. (See id. at pp. 1022-1023.) In those cases,
discussed in greater detail below, the underlying complaint was that the extraordinary quantity of

IM
UCE impaired the computer system's functioning. In the present case, the claimed injury is
located in the disruption or distraction caused to recipients by the contents of the e-mail
SH
messages, an injury entirely separate from, and not directly affecting, the possession or value of
personal property.
LU

FACTUAL AND PROCEDURAL BACKGROUND

PN

We review a grant of summary judgment de novo; we must decide independently whether the
facts not subject to triable dispute warrant judgment for the moving party as a matter of law.
H

(Galanty v. Paul Revere Life Ins. Co. (2000) 23 Cal. 4th 368, 374, 97 Cal. Rptr. 2d 67, 1 P.3d
658; Norgart v. Upjohn Co. (1999) 21 Cal. 4th 383, 404, 87 Cal. Rptr. 2d 453, 981 P.2d 79; Code
Civ. Proc, § 437c, subd. (c).) The pertinent undisputed facts are as follows.

Hamidi, a former Intel engineer, together with others, formed an organization named Former and
Current Employees of *38 Intel (FACE-Intel) to disseminate information and views critical of
Intel's employment and personnel policies and practices. FACE-Intel maintained a Web site
(which identified Hamidi as Webmaster and as the organization's spokesperson) containing such
material. In addition, over a 21-month period Hamidi, on behalf of FACE-Intel, sent six mass e-
mails to employee addresses on Intel's electronic mail system. The messages criticized Intel's

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.781

employment practices, warned employees of the dangers those practices posed to their careers,
suggested employees consider moving to other companies, solicited employees' participation in
FACE-Intel, and urged employees to inform themselves further by visiting FACE-Intel's Web
site. The messages stated that recipients could, by notifying the sender of their wishes, be
removed from FACE-Intel's mailing list; Hamidi did not subsequently send messages to anyone
who requested removal.

Each message was sent to thousands of addresses (as many as 35,000 according to FACE-Intel's
Web site), though some messages were blocked by Intel before reaching employees. Intel's

LA
attempt to block internal transmission of the messages succeeded only in part; Hamidi later
admitted he evaded blocking efforts by using different sending computers. When Intel, in March

IM
1998, demanded in writing that Hamidi and FACE-Intel stop sending e-mails to Intel's computer
system, Hamidi asserted the organization had a right to communicate with willing Intel
SH
employees; he sent a new mass mailing in September 1998.

The summary judgment record contains no evidence Hamidi breached Intel's computer security
in order to obtain the recipient addresses for his messages; indeed, internal Intel memoranda
LU

show the company's management concluded no security breach had occurred.[1] Hamidi stated
he created the recipient address list using an Intel directory on a floppy disk anonymously sent to
PN

him. Nor is there any evidence that the receipt or internal distribution of Hamidi's electronic
messages damaged Intel's computer system or slowed or impaired its functioning. Intel did
H

present uncontradicted evidence, however, that many employee recipients asked a company
official to stop the messages and that staff time was consumed in attempts to block further
messages from FACE-Intel. According to the FAC-Intel Web site, moreover, the messages had
prompted discussions between "[e]xcited and nervous managers" and the company's human
resources department.

Intel sued Hamidi and FACE-Intel, pleading causes of action for trespass to chattels and
nuisance, and seeking both actual damages and an injunction against further e-mail messages.
Intel later voluntarily dismissed its nuisance claim and waived its demand for damages. The trial
court entered default against FACE-Intel upon that organization's failure to answer. The court

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.782

then granted Intel's motion for summary judgment, permanently enjoining Hamidi, FACE-Intel,
and their agents "from sending unsolicited e-mail to addresses on Intel's computer systems."
Hamidi appealed; FACE-Intel did not.[2]

*39 The Court of Appeal, with one justice dissenting, affirmed the grant of injunctive relief. The
majority took the view that the use of or intermeddling with another's personal property is
actionable as a trespass to chattels without proof of any actual injury to the personal property;
even if Intel could not show any damages resulting from Hamidi's sending of messages, "it
showed he was disrupting its business by using its property and therefore is entitled to injunctive
relief based on a theory of trespass to chattels." The dissenting justice warned that the majority's
application of the trespass to chattels tort to "unsolicited electronic mail that causes no harm to

LA
the private computer system that receives it" would "expand the tort of trespass to chattel in
untold ways and to unanticipated circumstances."

We granted Hamidi's petition for review.[3]

IM
SH
Discussion

I. Current California Tort Law

LU

Dubbed by Prosser the "little brother of conversion," the tort of trespass to chattels allows
recovery for interferences with possession of personal property "not sufficiently important to be
PN

classed as conversion, and so to compel the defendant to pay the full value of the thing with
which he has interfered." (Prosser & Keeton, Torts (5th ed.1984) § 14, pp. 85-86.)
H

Though not amounting to conversion, the defendant's interference must, to be actionable, have
caused some injury to the chattel or to the plaintiffs rights in it. Under California law, trespass to
chattels "lies where an intentional interference with the possession of personal property has
proximately caused injury." (Thrifty-Tel, Inc. v. Bezenek (1996) 46 Cal. App. 4th 1559, 1566, 54
Cal. Rptr. 2d 468, italics added.) In cases of interference with possession of personal property
not amounting to conversion, "the owner has a cause of action for trespass or case, and may
recover only the actual damages suffered by reason of the impairment of the property or the loss
of its use." (Zasloiv v. Kroenert, supra, 29 Cal.2d at p. 551, 176 P.2d 1, italics added; accord,
Jordan v. Talbot (1961) 55 Cal. 2d 597, 610, 12 Cal. Rptr. 488, 361 P.2d 20.) In modern

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.783

American law generally, "[t]respass remains as an occasional remedy for minor interferences,
resulting in some damage, but not sufficiently serious or sufficiently important to amount to the
greater tort" of conversion. (Prosser & Keeton, Torts, supra, § 15, p. 90, italics added.)

The Restatement, too, makes clear that some actual injury must have occurred in order for a
trespass to chattels to be actionable. Under section 218 of the Restatement Second of Torts,
dispossession alone, without further damages, is actionable (see id., par. (a) & com. d, pp. 420-
421), but other forms of interference require some additional harm to the personal property or the
possessor's interests in it. (Id., pars, (b)-(d).) "The interest of a possessor of a chattel in its
inviolability, unlike the similar interest of a possessor of land, is not given legal protection by an
action for nominal damages for harmless intermeddlings with the chattel. In order that an actor

LA
who interferes with another's chattel may be liable, his conduct must affect some other and more
important interest of the possessor. Therefore, one who intentionally intermeddles with another's

IM
chattel is subject to liability only if his intermeddling is harmful to the possessor's materially
valuable interest in the physical condition, quality, or value of the chattel, or if the possessor is
SH
deprived of the use of the chattel for a substantial time, or some other legally protected interest of
the possessor is affected as stated in Clause (c). Sufficient legal protection of the possessor's
interest in the mere inviolability of his chattel is afforded by his privilege to use reasonable force
LU

to protect his possession against even harmless interference." (Id., com. e, pp. 421-422, italics
added.)
PN

The Court of Appeal (quoting 7 Speiser et al., American Law of Torts (1990) Trespass, § 23:23,
p. 667) referred to "`a number of very early cases [showing that] any unlawful interference,
H

however slight, with the enjoyment by another of his personal property, is a trespass.'" But while
a harmless use or touching of personal property may be a technical trespass (see Rest.2d Torts, §
217), an interference (not amounting to dispossession) is not actionable, under modern California
and broader American law, without a showing of harm. As already discussed, this is the rule
embodied in the Restatement (Rest.2d Torts, § 218) and adopted by California law (Zaslow v.
Kroenert, supra, 29 Cal.2d at p. 551, 176 P.2d 1; Thrifty-Tel, Inc. v. Bezenek, supra, 46
Cal.App.4th at p. 1566, 54 Cal. Rptr. 2d 468).

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.784

In this respect, as Prosser explains, modern day trespass to chattels differs both from the original
English writ and from the action for trespass to land: "Another departure from the original rule of
the old writ of trespass concerns the necessity of some actual damage to the chattel before the
action can be maintained. Where the defendant merely interferes without doing any harm—as
where, for example, he merely lays hands upon the plaintiffs horse, or sits in his car—there has
been a division of opinion among the writers, and a surprising dearth of authority. By analogy to
trespass to land there might be a technical tort in such a case .... Such scanty authority as there is,
however, has considered that the dignitary interest in the inviolability of chattels, unlike that as
to land, is not sufficiently important to require any greater defense than the privilege of using
reasonable force when necessary to protect them. Accordingly it has been held that nominal

LA
damages will not be awarded, and that in the absence of any actual damage the action will not
lie." (Prosser & Keeton, Torts, supra, § 14, p. 87, italics added, fns. omitted.)

IM
SH
Intel suggests that the requirement of actual harm does not apply here because it sought only
injunctive relief, as protection from future injuries. But as Justice Kolkey, dissenting below,
observed, "[t]he fact the relief sought is injunctive does not excuse a showing of injury, whether
LU

actual or threatened." Indeed, in order to obtain injunctive relief the plaintiff must ordinarily
show that the defendant's wrongful acts threaten to cause irreparable injuries, ones that cannot be
PN

adequately compensated in damages. (5 Witkin, Cal. Procedure (4th ed. 1997) Pleading, § 782,
p. 239.) Even in an action for trespass to real property, in which damage to the property is not an
*41 element of the cause of action, "the extraordinary remedy of injunction" cannot be invoked
H

without showing the likelihood of irreparable harm. (Mechanics' Foundry v. Ryall (1888) 75 Cal.
601, 603, 17 P. 703; see Mendelson v. McCabe (1904) 144 Cal. 230, 232-233, 77 P. 915
[injunction against trespass to land proper where continued trespasses threaten creation of
prescriptive right and repetitive suits for damages would be inadequate remedy].) A fortiori, to
issue an injunction without a showing of likely irreparable injury in an action for trespass to
chattels, in which injury to the personal property or the possessor's interest in it is an element of
the action, would make little legal sense.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.785

The dispositive issue in this case, therefore, is whether the undisputed facts demonstrate
Hamidi's actions caused or threatened to cause damage to Intel's computer system, or injury to its
rights in that personal property, such as to entitle Intel to judgment as a matter of law. To review,
the undisputed evidence revealed no actual or threatened damage to Intel's computer hardware or
software and no interference with its ordinary and intended operation. Intel was not dispossessed
of its computers, nor did Hamidi's messages prevent Intel from using its computers for any
measurable length of time. Intel presented no evidence its system was slowed or otherwise
impaired by the burden of delivering Hamidi's electronic messages. Nor was there any evidence
transmission of the messages imposed any marginal cost on the operation of Intel's computers. In
sum, no evidence suggested that in sending messages through Intel's Internet connections and

LA
internal computer system Hamidi used the system in any manner in which it was not intended to
function or impaired the system in any way. Nor does the evidence show the request of any

IM
employee to be removed from FACE-Intel's mailing list was not honored. The evidence did
show, however, that some employees who found the messages unwelcome asked management to
SH
stop them and that Intel technical staff spent time and effort attempting to block the messages. A
statement on the FACE-Intel Web site, moreover, could be taken as an admission that the
messages had caused "[e]xcited and nervous managers" to discuss the matter with Intel's human
LU

resources department.

Relying on a line of decisions, most from federal district courts, applying the tort of trespass to
PN

chattels to various types of unwanted electronic contact between computers, Intel contends that,
while its computers were not damaged by receiving Hamidi's messages, its interest in the
H

"physical condition, quality or value" (Rest.2d Torts, § 218, com. e, p. 422) of the computers was
harmed. We disagree. The cited line of decisions does not persuade us that the mere sending of
electronic communications that assertedly cause injury only because of their contents constitutes
an actionable trespass to a computer system through which the messages are transmitted. Rather,
the decisions finding electronic contact to be a trespass to computer systems have generally
involved some actual or threatened interference with the computers' functioning.

In Thrifty-Tel, Inc. v. Bezenek, supra, 46 Cal.App.4th at pages 1566-1567, 54 Cal. Rptr. 2d 468
(Thrifty-Tel), the California Court of Appeal held that evidence of automated searching of a
telephone carrier's system for authorization codes supported a cause of action for trespass to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.786

chattels. The defendant's automated dialing program "overburdened the [plaintiffs] system,
denying some subscribers access to *42 phone lines" (Id., at p. 1564, 54 Cal.Rptr .2d 468),
showing the requisite injury.

Following Thrifty-Tel, a series of federal district court decisions held that sending UCE through
an ISP's equipment may constitute trespass to the ISP's computer system. The lead case,
CompuServe, Inc. v. Cyber Promotions, Inc., supra, 962 F. Supp. 1015, 1021-1023
(CompuServe), was followed by Hotmail Corp. v. Van$ Money Pie, Inc. (N.D.Cal., Apr. 16,
1998, No. C 98-20064 JW) 1998 WL 388389, page *7, America Online, Inc. v. IMS
(E.D.Va.1998) 24 F. Supp. 2d 548, 550-551, and America Online, Inc. v. LCGM, Inc.
(E.D.Va.1998) 46 F. Supp. 2d 444, 451-452.

LA
In each of these spamming cases, the plaintiff showed, or was prepared to show, some

IM
interference with the efficient functioning of its computer system. In CompuServe, the plaintiff
ISP's mail equipment monitor stated that mass UCE mailings, especially from nonexistent
SH
addresses such as those used by the defendant, placed "a tremendous burden" on the ISP's
equipment, using "disk space and draining] the processing power," making those resources
unavailable to serve subscribers. (Compu-Serve, supra, 962 F.Supp. at p. 1022.) Similarly, in
LU

Hotmail Corp. v. Van$ Money Pie, Inc., supra, 1998 WL 388389 at page *7, the court found the
evidence supported a finding that the defendant's mailings "fill[ed] up Hotmail's computer
PN

storage space and threatened] to damage Hotmail's ability to service its legitimate customers."
America Online, Inc. v. IMS, decided on summary judgment, was deemed factually
indistinguishable from CompuServe; the court observed that in both cases the plaintiffs "alleged
H

that processing the bulk e-mail cost them time and money and burdened their equipment."
(America Online, Inc. v. IMS, supra, 24 F.Supp.2d at p. 550.) The same court, in America
Online, Inc. v. LCGM, Inc., supra, 46 F.Supp.2d at page 452, simply followed CompuServe and
its earlier America Online decision, quoting the former's explanation that UCE burdened the
computer's processing power and memory.

Building on the spamming cases, in particular CompuServe, three even more recent district court
decisions addressed whether unauthorized robotic data collection [4] from a company's publicly
accessible Web site is a trespass on the company's computer system. (eBay, Inc. v. Bidder's
Edge, Inc., supra, 100 F.Supp.2d at pp. 1069-1072 (eBay); Register.com, Inc. v. Verio, Inc.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.787

(S.D.N.Y.2000) 126 F. Supp. 2d 238, 248-251; Ticketmaster Corp. v. Tickets.com, Inc., supra,
2000 WL 1887522 at p. *4.) The two district courts that found such automated data collection to
constitute a trespass relied, in part, on the deleterious impact this activity could have, especially
if replicated by other searchers, on the functioning of a Web site's computer equipment.

In the leading case, eBay, the defendant Bidder's Edge (BE), operating an auction aggregation
site, accessed the eBay Web site about 100,000 times per day, accounting for between 1 and 2
percent of the information requests received by eBay *43 and a slightly smaller percentage of the
data transferred by eBay. (eBay, supra, 100 F.Supp.2d at pp. 1061, 1063.) The district court
rejected eBay's claim that it was entitled to injunctive relief because of the defendant's
unauthorized presence alone, or because of the incremental cost the defendant had imposed on

LA
operation of the eBay site (id. at pp. 1065-1066), but found sufficient proof of threatened harm in
the potential for others to imitate the defendant's activity: "If BE's activity is allowed to continue

IM
unchecked, it would encourage other auction aggregators to engage in similar recursive
searching of the eBay system such that eBay would suffer irreparable harm from reduced system
SH
performance, system unavailability, or data losses." (Id. at p. 1066.) Again, in addressing the
likelihood of eBay's success on its trespass to chattels cause of action, the court held the evidence
of injury to eBay's computer system sufficient to support a preliminary injunction: "If the court
LU

were to hold otherwise, it would likely encourage other auction aggregators to crawl the eBay
site, potentially to the point of denying effective access to eBay's customers. If preliminary
PN

injunctive relief were denied, and other aggregators began to crawl the eBay site, there appears
to be little doubt that the load on eBay's computer system would qualify as a substantial
H

impairment of condition or value."

Another district court followed eBay on similar facts a domain name registrar's claim against a
Web hosting and development site that robotically searched the registrar's database of newly
registered domain names in search of business leads in Register.com, Inc. v. Verio, Inc., supra,
126 F.Supp.2d at pages 249-251. Although the plaintiff was unable to measure the burden the
defendant's searching had placed on its system (id. at pp. 249-250), the district court, quoting the
declaration of one of the plaintiffs officers, found sufficient evidence of threatened harm to the
system in the possibility the defendant's activities would be copied by others: "`I believe that if
Verio's searching of Register.com's WHOIS database were determined to be lawful, then every

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.788

purveyor of Internet-based services would engage in similar conduct.'" (Id. at p. 250.) Like eBay,
the court observed, Register.com had a legitimate fear "that its servers will be flooded by search
robots."

In the third decision discussing robotic data collection as a trespass, Ticketmaster Corp. v.
Tickets.com, Inc., supra, 2000 WL 1887522 (Ticketmaster), the court, distinguishing eBay,
found insufficient evidence of harm to the chattel to constitute an actionable trespass: "A basic
element of trespass to chattels must be physical harm to the chattel (not present here) or some
obstruction of its basic function (in the court's opinion not sufficiently shown here).... The
comparative use [by the defendant of the plaintiffs computer system] appears very small and
there is no showing that the use interferes to any extent with the regular business of [the

LA
plaintiff].... Nor here is the specter of dozens or more parasites joining the fray, the cumulative
total of which could affect the operation of [the plaintiffs ] business."

IM
In the decisions so far reviewed, the defendant's use of the plaintiffs computer system was held
SH
sufficient to support an action for trespass when it actually did, or threatened to, interfere with
the intended functioning of the system, as by significantly reducing its available memory and
processing power. In Ticketmaster, supra, 2000 WL 1887522, the one case where no such effect,
LU

actual or threatened, had been demonstrated, the court found insufficient evidence of harm to
support a trespass action. These decisions do not persuade us to Intel's position here, for Intel
PN

has demonstrated neither any appreciable effect on the operation of its computer system from
Hamidi's messages, nor any likelihood that Hamidi's actions will be replicated by others if found
not to constitute a trespass.
H

That Intel does not claim the type of functional impact that spammers and robots have been
alleged to cause is not surprising in light of the differences between Hamidi's activities and those
of a commercial enterprise that uses sheer quantity of messages as its communications strategy.
Though Hamidi sent thousands of copies of the same message on six occasions over 21 months,
that number is minuscule compared to the amounts of mail sent by commercial operations. The
individual advertisers sued in America Online, Inc. v. IMS, supra, 24 F.Supp.2d at page 549, and
America Online, Inc. v. LCGM, Inc., supra, 46 F.Supp.2d at page 448, were alleged to have sent
more than 60 million messages over 10 months and more than 92 million messages over seven
months, respectively. Collectively, UCE has reportedly come to constitute about 45 percent of all

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.789

e-mail. (Hansell, Internet Is Losing Ground in Battle Against Spam, N.Y. Times (Apr. 22, 2003)
p. Al, col. 3.) The functional burden on Intel's computers, or the cost in time to individual
recipients, of receiving Hamidi's occasional advocacy messages cannot be compared to the
burdens and costs caused ISP's and their customers by the ever-rising deluge of commercial e-
mail.

Intel relies on language in the eBay decision suggesting that unauthorized use of another's chattel
is actionable even without any showing of injury: "Even if, as [defendant] BE argues, its
searches use only a small amount of eBay's computer system capacity, BE has nonetheless
deprived eBay of the ability to use that portion of its personal property for its own purposes. The
law recognizes no such right to use another's personal property." (eBay, supra, 100 F.Supp.2d at

LA
p. 1071.) But as the eBay court went on immediately to find that the defendant's conduct, if
widely replicated, would likely impair the functioning of the plaintiffs system (id. at pp. 1071-

IM
1072), we do not read the quoted remarks as expressing the court's complete view of the issue. In
isolation, moreover, they would not be a correct statement of California or general American law
SH
on this point. While one may have no right temporarily to use another's personal property, such
use is actionable as a trespass only if it "has proximately caused injury." (Thrifty-Tel, supra, 46
Cal.App.4th at p. 1566, 54 Cal. Rptr. 2d 468.) "[I]n the absence of any actual damage the action
LU

will not lie." (Prosser & Keeton, Torts, supra, § 14, p. 87.) Short of dispossession, personal
injury, or physical damage (not present here), intermeddling is actionable only if "the chattel is
PN

impaired as to its condition, quality, or value, or [¶] ... the possessor is deprived of the use of the
chattel for a substantial time." (Rest.2d Torts, § 218, pars, (b), (c).) In particular, an actionable
H

deprivation of use "must be for a time so substantial that it is possible to estimate the loss caused
thereby. A mere momentary or theoretical deprivation of use is not sufficient unless there is a
dispossession...." (Id., com. i, p. 423.) That Hamidi's messages temporarily used some portion of
the Intel computers' processors or storage is, therefore, not enough; Intel must, but does not,
demonstrate some measurable loss from the use of its computer system.

*45 In addition to impairment of system functionality, CompuServe and its progeny also refer to
the ISP's loss of business reputation and customer goodwill, resulting from the inconvenience
and cost that spam causes to its members, as harm to the ISP's legally protected interests in its
personal property. (See CompuServe, supra, 962 F.Supp. at p. 1023; Hotmail Corp. v. Van$

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.790

Money Pie, Inc., supra, 1998 WL 388389 at p. *7; America Online, Inc. v. IMS, supra, 24
F.Supp.2d at p. 550.) Intel argues that its own interest in employee productivity, assertedly
disrupted by Hamidi's messages, is a comparable protected interest in its computer system. We
disagree.

Whether the economic injuries identified in CompuServe were properly considered injuries to
the ISP's possessory interest in its personal property, the type of property interest the tort is
primarily intended to protect (see Rest.2d Torts, § 218 & com. e, pp. 421-22; Prosser & Keeton,
Torts, supra, § 14, p. 87), has been questioned.[6] "[T]he court broke the chain between the
trespass and the harm, allowing indirect harms to CompuServe's business interests—reputation,
customer goodwill, and employee time—to count as harms to the chattel (the server)." (Quilter,

LA
The Continuing Expansion of Cyberspace Trespass to Chattels, supra, 17 Berkeley Tech. L.J. at
pp. 429-430.) "[T]his move cuts trespass to chattels free from its moorings of dispossession or

IM
the equivalent, allowing the court free reign [sic] to hunt for `impairment.'" (Burk, The Trouble
with Trespass (2000) 4 J. Small & Emerging Bus.L. 27, 35.) But even if the loss of goodwill
SH
identified in CompuServe were the type of injury that would give rise to a trespass to chattels
claim under California law, Intel's position would not follow, for Intel's claimed injury has even
less connection to its personal property than did CompuServe's.
LU

CompuServe's customers were annoyed because the system was inundated with unsolicited
PN

commercial messages, making its use for personal communication more difficult and costly.
(CompuServe, supra, 962 F.Supp. at p. 1023.) Their complaint, which allegedly led some to
cancel their *46 CompuServe service, was about the functioning of CompuServe's electronic
H

mail service. Intel's workers, in contrast, were allegedly distracted from their work not because
of the frequency or quantity of Hamidi's messages, but because of assertions and opinions the
messages conveyed. Intel's complaint is thus about the contents of the messages rather than the
functioning of the company's e-mail system. Even accepting CompuServe's economic injury
rationale, therefore, Intel's position represents a further extension of the trespass to chattels tort,
fictionally recharacterizing the allegedly injurious effect of a communication's contents on
recipients as an impairment to the device which transmitted the message.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.791

This theory of "impairment by content" (Burk, The Trouble with Trespass, supra, 4 J. Small &
Emerging Bus.L. at p. 37) threatens to stretch trespass law to cover injuries far afield from the
harms to possession the tort evolved to protect. Intel's theory would expand the tort of trespass to
chattels to cover virtually any unconsented—to communication that, solely because of its content,
is unwelcome to the recipient or intermediate transmitter. As the dissenting justice below
explained, "`Damage' of this nature—the distraction of reading or listening to an unsolicited
communication—is not within the scope of the injury against which the trespass-to-chattel tort
protects, and indeed trivializes it. After all, `[t]he property interest protected by the old action of
trespass was that of possession; and this has continued to affect the character of the action.'
(Prosser & Keeton on Torts, supra, § 14, p. 87.) Reading an e-mail transmitted to equipment

LA
designed to receive it, in and of itself, does not affect the possessory interest in the equipment.
[11] Indeed, if a chattel's receipt of an electronic communication constitutes a trespass to that

IM
chattel, then not only are unsolicited telephone calls and faxes trespasses to chattel, but
unwelcome radio waves and television signals also constitute a trespass to chattel every time the
SH
viewer inadvertently sees or hears the unwanted program." We agree. While unwelcome
communications, electronic or otherwise, can cause a variety of injuries to economic relations,
reputation and emotions, those interests are protected by other branches of tort law; in order to
LU

address them, we need not create a fiction of injury to the communication system.

Nor may Intel appropriately assert a property interest in its employees' time. "The Restatement
PN

test clearly speaks in the first instance to the impairment of the chattel.... But employees are not
chattels (at least not in the legal sense of the term)." (Burk, The Trouble with Trespass, supra, 4
H

J. Small & Emerging Bus.L. at p. 36.) Whatever interest Intel may have in preventing its
employees from receiving disruptive communications, it is not an interest in personal property,
and trespass to chattels is therefore not an action that will lie to protect it. Nor, finally, can the
fact Intel staff spent time attempting to block Hamidi's messages be bootstrapped into an injury
to Intel's possessory interest in its computers. To quote, again, from the dissenting opinion in the
Court of Appeal: "[I]t is circular to premise the damage element of a tort solely upon the steps
taken to prevent the damage. Injury can only be established by the completed tort's
consequences, not by the cost of the steps taken to avoid the injury and prevent the tort;
otherwise, we can create injury for every supposed tort."

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.792

Intel connected its e-mail system to the Internet and permitted its employees to make use of this
connection both for business and, to a reasonable extent, for their own purposes. In doing so, the
company *47 necessarily contemplated the employees' receipt of unsolicited as well as solicited
communications from other companies and individuals. That some communications would,
because of their contents, be unwelcome to Intel management was virtually inevitable. Hamidi
did nothing but use the e-mail system for its intended purpose—to communicate with employees.
The system worked as designed, delivering the messages without any physical or functional
harm or disruption. These occasional transmissions cannot reasonably be viewed as impairing
the quality or value of Intel's computer system. We conclude, therefore, that Intel has not

LA
presented undisputed facts demonstrating an injury to its personal property, or to its legal interest
in that property, that support, under California tort law, an action for trespass to chattels.

II. Proposed Extension of California Tort Law

IM
SH
We next consider whether California common law should be extended to cover, as a trespass to
chattels, an otherwise harmless electronic communication whose contents are objectionable. We
decline to so expand California law. Intel, of course, was not the recipient of Hamidi's messages,
LU

but rather the owner and possessor of computer servers used to relay the messages, and it bases
this tort action on that ownership and possession. The property rule proposed is a rigid one,
PN

under which the sender of an electronic message would be strictly liable to the owner of
equipment through which the communication passes—here, Intel—for any consequential injury
H

flowing from the contents of the communication. The arguments of amici curiae and academic
writers on this topic, discussed below, leave us highly doubtful whether creation of such a rigid
property rule would be wise.

Writing on behalf of several industry groups appearing as amici curiae, Professor Richard A.
Epstein of the University of Chicago urges us to excuse the required showing of injury to
personal property in cases of unauthorized electronic contact between computers, "extending the
rules of trespass to real property to all interactive Web sites and servers." The court is thus urged
to recognize, for owners of a particular species of personal property, computer servers, the same
interest in inviolability as is generally accorded a possessor of land. In effect, Professor Epstein

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.793

suggests that a company's server should be its castle, upon which any unauthorized intrusion,
however harmless, is a trespass.

Epstein's argument derives, in part, from the familiar metaphor of the Internet as a physical
space, reflected in much of the language that has been used to describe it: "cyberspace," "the
information superhighway," e-mail "addresses," and the like. Of course, the Internet is also
frequently called simply the "Net," a term, Hamidi points out, "evoking a fisherman's chattel." A
major component of the Internet is the World Wide "Web," a descriptive term suggesting neither
personal nor real property, and "cyberspace" itself has come to be known by the oxymoronic
phrase "virtual reality," which would suggest that any real property "located" in "cyberspace"
must be "virtually real" property. Metaphor is a two-edged sword.

LA
Indeed, the metaphorical application of real property rules would not, by itself, transform a

IM
physically harmless electronic intrusion on a computer server into a trespass. That is because,
under California law, intangible intrusions on land, including electromagnetic transmissions, are
SH
not actionable as trespasses (though they may be as nuisances) unless they cause physical
damage to the real property. (San Diego Gas & Electric Co. v. Superior Court (1996) 13 Cal. 4th
893, 936-937, 55 Cal. Rptr. 2d 724, 920 P.2d 669.) Since Intel does not claim Hamidi's
LU

electronically transmitted messages physically damaged its servers, it could not prove a trespass
to land even were we to treat the computers as a type of real property. Some further extension of
PN

the conceit would be required, under which the electronic signals Hamidi sent would be recast as
tangible intruders, perhaps as tiny messengers rushing through the "hallways" of Intel's
computers and bursting out of employees' computers to read them Hamidi's missives. But such
H

fictions promise more confusion than clarity in the law. (See eBay, supra, 100 F.Supp.2d at pp.
1065-1066 [rejecting eBay's argument that the defendant's automated data searches "should be
thought of as equivalent to sending in an army of 100,000 robots a day to check the prices in a
competitor's store"].)

The plain fact is that computers, even those making up the Internet, are—like such older
communications equipment as telephones and fax machines—personal property, not realty.
Professor Epstein observes that "[a]though servers may be moved in real space, they cannot be
moved in cyberspace," because an Internet server must, to be useful, be accessible at a known
address. But the same is true of the telephone: to be useful for incoming communication, the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.794

telephone must remain constantly linked to the same number (or, when the number is changed,
the system must include some forwarding or notification capability, a qualification that also
applies to computer addresses). Does this suggest that an unwelcome message delivered through
a telephone or fax machine should be viewed as a trespass to a type of real property? We think
not: As already discussed, the contents of a telephone communication may cause a variety of
injuries and may be the basis for a variety of tort actions (e.g., defamation, intentional infliction
of emotional distress, invasion of privacy), but the injuries are not to an interest in property,
much less real property, and the appropriate tort is not trespass.

More substantively, Professor Epstein argues that a rule of computer server inviolability will,
through the formation or extension of a market in computer-to-computer access, create "the right

LA
social result." In most circumstances, he predicts, *49 companies with computers on the Internet
will continue to authorize transmission of information through e-mail, Web site searching, and

IM
page linking because they benefit by that open access. When a Web site owner does deny access
to a particular sending, searching, or linking computer, a system of "simple one-on-one
SH
negotiations" will arise to provide the necessary individual licenses.

Other scholars are less optimistic about such a complete propertization of the Internet. Professor
LU

Mark Lemley of the University of California, Berkeley, writing on behalf of an amici curiae
group of professors of intellectual property and computer law, observes that under a property
PN

rule of server inviolability, "each of the hundreds of millions of [Internet] users must get
permission in advance from anyone with whom they want to communicate and anyone who
owns a server through which their message may travel." The consequence for e-mail could be a
H

substantial reduction in the freedom of electronic communication, as the owner of each computer
through which an electronic message passes could impose its own limitations on message
content or source. As Professor Dan Hunter of the University of Pennsylvania asks rhetorically:
"Does this mean that one must read the `Terms of Acceptable Email Usage' of every email
system that one emails in the course of an ordinary day? If the University of Pennsylvania had a
policy that sending a joke by email would be an unauthorized use of their system, then under the
logic of [the lower court decision in this case], you commit 'trespass' if you emailed me a ...
cartoon." (Hunter, Cyberspace as Place, and the Tragedy of the Digital Anticommons (2003) 91
Cal. L.Rev. 439, 508-509.)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.795

Web site linking, Professor Lemley further observes, "would exist at the sufferance of the linked-
to party, because a Web user who followed a `disapproved' link would be trespassing on the
plaintiffs server, just as sending an e-mail is trespass under the [lower] court's theory." Another
writer warns that "[c]yber-trespass theory will curtail the free flow of price and product
information on the Internet by allowing website owners to tightly control who and what may
enter and make use of the information housed on its Internet site." (Chang, Bidding on Trespass:
eBay, Inc. v. Bidder's Edge, Inc. and the Abuse of Trespass Theory in Cyberspace Law (2001)
29 AIPLA Q.J. 445, 459.) A leading scholar of Internet law and policy, Professor Lawrence
Lessig of Stanford University, has criticized Professor Epstein's theory of the computer server as

LA
quasi-real property, previously put forward in the eBay case (eBay, supra, 100 F. Supp. 2d
1058), on the ground that it ignores the costs to society in the loss of network benefits: "eBay

IM
benefits greatly from a network that is open and where access is free. It is this general feature of
the Net that makes the Net so valuable to users and a source of great innovation. And to the
SH
extent that individual sites begin to impose their own rules of exclusion, the value of the network
as a network declines. If machines must negotiate before entering any individual site, then the
costs of using the network climb." (Lessig, The Future of Ideas: The Fate of the Commons in a
LU

Connected World (2001) p. 171; see also Hunter, Cyberspace as Place, and the Tragedy of the
Digital Anticommons, supra, 91 Cal. L.Rev. at p. 512 ["If we continue to mark out anticommons
PN

claims in cyberspace, not only will we preclude better, more innovative uses of cyberspace
resources, but we will lose sight of what might be possible"].)
H

We discuss this debate among the amici curiae and academic writers only to note its existence
and contours, not to attempt its resolution. Creating an absolute property *50 right to exclude
undesired communications from one's e-mail and Web servers might help force spammers to
internalize the costs they impose on ISP's and their customers. But such a property rule might
also create substantial new costs, to e-mail and e-commerce users and to society generally, in lost
ease and openness of communication and in lost network benefits. In light of the unresolved
controversy, we would be acting rashly to adopt a rule treating computer servers as real property
for purposes of trespass law.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.796

The Legislature has already adopted detailed regulations governing UCE. (Bus. & Prof.Code, §§
17538.4, 17538.45; see generally Ferguson v. Friendfinders, Inc., supra, 94 Cal. App. 4th 1255,
115 Cal. Rptr. 2d 258.) It may see fit in the future also to regulate noncommercial e-mail, such as
that sent by Hamidi, or other kinds of unwanted contact between computers on the Internet, such
as that alleged in eBay, supra, 100 F. Supp. 2d 1058. But we are not persuaded that these
perceived problems call at present for judicial creation of a rigid property rule of computer server
inviolability. We therefore decline to create an exception, covering Hamidi's unwanted electronic
messages to Intel employees, to the general rule that a trespass to chattels is not actionable if it
does not involve actual or threatened injury to the personal property or to the possessor's legally
protected interest in the personal property. No such injury having been shown on the undisputed

LA
facts, Intel was not entitled to summary judgment in its favor.

III. Constitutional Considerations

IM
Because we conclude no trespass to chattels was shown on the summary judgment record,
SH
making the injunction improper on common law grounds, we need not address at length the
dissenters' constitutional arguments. A few clarifications are nonetheless in order.

Justice Mosk asserts that this case involves only "a private entity seeking to enforce private
LU

trespass rights." (Dis. opn. of Mosk, J., post, 1 Cal.Rptr.3d at p. 74, 71 P.3d at p. 331.) But the
injunction here was issued by a state court. While a private refusal to transmit another's
PN

electronic speech generally does not implicate the First Amendment, because no governmental
action is involved (see Cyber Promotions, Inc. v. American Online, Inc. (E.D.Penn.1996) 948 F.
H

Supp. 436, 441-45 [spammer could not force private ISP to carry its messages]), the use of
government power, whether in enforcement of a statute or ordinance or by an award of damages
or an injunction in a private lawsuit, is state action that must comply with First Amendment
limits. (Cohen v. Cowles Media Co. (1991) 501 U.S. 663, 668, 111 S. Ct. 2513, 115 L. Ed. 2d
586; NAACP v. Claiborne Hardware Co. (1982) 458 U.S. 886, 916, fn. 51, 102 S. Ct. 3409, 73
L. Ed. 2d 1215; New York Times v. Sullivan (1964) 376 U.S. 254, 265, 84 S. Ct. 710, 11 L. Ed.
2d 686.) Nor does the nonexistence of a "constitutional right to trespass" (dis. opn. of Mosk, J.,
post, 1 Cal.Rptr.3d at p. 74, 71 P.3d at p. 331) make an injunction in this case per se valid.
Unlike, for example, the trespasser-to-land defendant in Church of Christ in Hollywood v.
Superior Court (2002) 99 Cal. App. 4th 1244, 121 Cal. Rptr. 2d 810, Hamidi himself had no

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.797

tngible presence on Intel property, instead speaking from his own home through his computer.
He no more invaded Intel's property than does a protester holding a sign or shouting through a
bullhorn outside corporate headquarters, posting a letter through the mail, or telephoning to
complain of a corporate practice. (See Madsen v. Women's Health Center (1994) 512 U.S. 753,
765, 114 S. Ct. 2516, 129 *51 L.Ed.2d 593 [injunctions restraining such speakers must "burden
no more speech than necessary to serve a significant government interest"].

Justice Brown relies upon a constitutional "right not to listen," rooted in the listener's "personal
autonomy" (dis. opn. of Brown, J., post, 1 Cal.Rptr.3d at p. 58, 71 P.3d at p. 318), as compelling

LA
a remedy against Hamidi's messages, which she asserts were sent to "unwilling" listeners (id. at
p. 54, 71 P.3d at p. 315). Even assuming a corporate entity could under some circumstances

IM
claim such a personal right, here the intended and actual recipients of Hamidi's messages were
individual Intel employees, rather than Intel itself. The record contains no evidence Hamidi sent
SH
messages to any employee who notified him such messages were unwelcome. In any event, such
evidence would, under the dissent's rationale of a right not to listen, support only a narrow
injunction aimed at protecting individual recipients who gave notice of their rejection. (See
LU

Bolger v. Youngs Drug Products Corp. (1983) 463 U.S. 60, 72, 103 S. Ct. 2875, 77 L. Ed. 2d
469 [government may not act on behalf of all addressees by generally prohibiting mailing of
PN

materials related to contraception, where those recipients who may be offended can simply
ignore and discard the materials]; Martin v. City of Struthers (1943) 319 U.S. 141, 144, 63 S. Ct.
862, 87 L. Ed. 1313 [anti-canvassing ordinance improperly "substitutes the judgment of the
H

community for the judgment of the individual householder"]; cf. Rowan v. U.S. Post Office
Dept. (1970) 397 U.S. 728, 736, 90 S. Ct. 1484, 25 L. Ed. 2d 736 ["householder" may exercise
"individual autonomy" by refusing delivery of offensive mail].) The principle of a right not to
listen, founded in personal autonomy, cannot justify the sweeping injunction issued here against
all communication to Intel addresses, for such a right, logically, can be exercised only by, or at
the behest of, the recipient himself or herself.

DlSPOSITION

The judgment of the Court of Appeal is reversed.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.798

WE CONCUR: KENNARD, MORENO and PERREN, JJ.

Concurring Opinion by KENNARD, J.

I concur.

Does a person commit the tort of trespass to chattels by making occasional personal calls to a
mobile phone despite the stated objection of the person who owns the mobile phone and pays for
the mobile phone service? Does it matter that the calls are not made to the mobile phone's owner,
but to another person who ordinarily uses that phone? Does it matter that the person to whom the

LA
calls are made has not objected to them? Does it matter that the calls do not damage the mobile
phone or reduce in any significant way its availability or usefulness?

IM
The majority concludes, and I agree, that using another's equipment to communicate with a third
person who is an authorized user of the equipment and who does not object to the
SH
communication is trespass to chattels only if the communications damage the equipment or in
some significant way impair its usefulness or availability.
LU

Intel has my sympathy. Unsolicited and unwanted bulk e-mail, most of it commercial, is a
serious annoyance and inconvenience for persons who communicate electronically through the
PN

Internet, and bulk e-mail that distracts employees in the workplace can adversely affect overall
productivity. But, as the majority persuasively explains, to establish the tort of trespass to
chattels in California, the plaintiff must prove either damage to the plaintiffs personal property or
H

actual or threatened impairment of the plaintiffs ability to use that property. Because plaintiff
Intel has not shown that defendant Hamidi's occasional bulk e-mail messages to Intel's
employees have damaged Intel's computer system or impaired its functioning in any significant
way, Intel has not established the tort of trespass to chattels.

This is not to say that Intel is helpless either practically or legally. As a practical matter, Intel
need only instruct its employees to delete messages from Hamidi without reading them and to
notify Hamidi to remove their workplace e-mail addresses from his mailing lists. Hamidi's
messages promised to remove recipients from the mailing list on request, and there is no
evidence that Hamidi has ever failed to do so. From a legal perspective, a tort theory other than

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.799

trespass to chattels may provide Intel with an effective remedy if Hamidi's messages are
defamatory or wrongfully interfere with Intel's economic interests. (See maj. opn., ante, 1 Cal.
Rptr.3d at p. 37, 71 P.3d at p. 300.) Additionally, the Legislature continues to study the problems
caused by bulk e-mails and other dubious uses of modern communication technologies and may
craft legislation that accommodates the competing concerns in these sensitive and highly
complex areas.

Accordingly, I join the majority in reversing the Court of Appeal's judgment.

Dissenting Opinion of BROWN, J.

Candidate A finds the vehicles that candidate B has provided for his campaign workers, and A

LA
spray paints the water soluble message, "Fight corruption, vote for A" on the bumpers. The
majority's reasoning would find that notwithstanding the time it takes the workers to remove the

IM
paint and the expense they incur in altering the bumpers to prevent further unwanted messages,
candidate B does not deserve an injunction unless the paint is so heavy that it reduces the cars'
SH
gas mileage or otherwise depreciates the cars' market value. Furthermore, candidate B has an
obligation to permit the paint's display, because the cars are driven by workers and not B
personally, because B allows his workers to use the cars to pick up their lunch or retrieve their
LU

children from school, or because the bumpers display B's own slogans. I disagree.
PN

Intel has invested millions of dollars to develop and maintain a computer system. It did this not
to act as a public forum but to enhance the productivity of its employees. Kourosh Kenneth
Hamidi sent as many as 200,000 e-mail messages to Intel employees. The time required to
H

review and delete Hamidi's messages diverted employees from productive tasks and undermined
the utility of the computer system. "There may ... be situations in which the value to the owner of
a particular *53 type of chattel may be impaired by dealing with it in a manner that does not
affect its physical condition." (Rest.2d Torts, § 218, com. h, p. 422.) This is such a case.

The majority repeatedly asserts that Intel objected to the hundreds of thousands of messages
solely due to their content, and proposes that Intel seek relief by pleading content-based speech
torts. This proposal misses the point that Intel's objection is directed not toward Hamidi's
message but his use of Intel's property to display his message. Intel has not sought to prevent
Hamidi from expressing his ideas on his Web site, through private mail (paper or electronic) to

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.800

employees' homes, or through any other means like picketing or billboards. But as counsel for
Intel explained during oral argument, the company objects to Hamidi's using Intel's property to
advance his message.

Of course, Intel deserves an injunction even if its objections are based entirely on the e-mail's
content. Intel is entitled, for example, to allow employees use of the Internet to check stock
market tables or weather forecasts without incurring any concomitant obligation to allow access
to pornographic Web sites. (Loving v. Boren (W.D.Okla.1997) 956 F. Supp. 953, 955.) A private
property owner may choose to exclude unwanted mail for any reason, including its content.
(Rowan v. U.S. Post Office Dept. (1970) 397 U.S. 728, 738, 90 S. Ct. 1484, 25 L. Ed. 2d 736
(Rowan); Tillman v. Distribution Systems of America Inc. (1996) 224 A.D.2d 79, 648 N.Y.S.2d

LA
630, 635 (Tillman).)

IM
The majority refuses to protect Intel's interest in maintaining the integrity of its own system,
contending that (1) Hamidi's mailings did not physically injure the system; (2) Intel receives
SH
many unwanted messages, of which Hamidi's are but a small fraction; (3) Intel must have
contemplated that it would receive some unwanted messages; and (4) Hamidi used the email
system for its intended purpose, to communicate with employees.
LU

Other courts have found a protectible interest under very similar circumstances. In Thrifty-Tel v.
Bezenek (1996) 46 Cal. App. 4th 1559, 54 Cal. Rptr. 2d 468 (Thrifty-Tel ), the Court of Appeal
PN

found a trespass to chattels where the defendants used another party's access code to search for
an authorization code with which they could make free calls. The defendants' calls did not
H

damage the company's system in any way; they were a minuscule fraction of the overall
communication conducted by the phone network; and the company could have reasonably
expected that some individuals would attempt to obtain codes with which to make free calls (just
as stores expect shoplifters). Moreover, had the defendants succeeded in making free calls, they
would have been using the telephone system as intended. (Id, at p. 1563, 54 Cal. Rptr. 2d 468.)

Because I do not share the majority's antipathy toward property rights and believe the proper
balance between expressive activity and property protection can be achieved without distorting
the law of trespass, I respectfully dissent.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.801

THE INSTANT FINDING OF A TRESPASS CONFORMS THE LAW ON ELECTRONIC
MAIL TO THAT OF OTHER FORMS OF COMMUNICATION

The majority endorses the view of the Court of Appeal dissent, and reviews a finding of a
trespass in this case as a radical decision that will endanger almost every other form of
expression. Contrary to these concerns, the Court of Appeal decision belongs not to a
nightmarish future but to an unremarkable past—a long line of cases protecting the right of an
individual not to receive an unwanted message after having expressed that refusal to the speaker.
It breaks no new legal ground and follows traditional rules regarding communication.

It is well settled that the law protects a person's right to decide to whom he will speak, to whom

LA
he will listen, and to whom he will not listen. (Martin v. City of Struthers (1943) 319 U.S. 141,
149, 63 S. Ct. 862, 87 L. Ed. 1313 (Martin) [noting the "constitutional rights of those desiring to

IM
distribute literature and those desiring to receive it, as well as those who choose to exclude such
distributors"].) As the United States Supreme Court observed, "we have repeatedly held that
SH
individuals are not required to welcome unwanted speech into their homes" (Frisby v. Schultz
(1988) 487 U.S. 474, 485, 108 S. Ct. 2495, 101 L. Ed. 2d 420), whether the unwanted speech
comes in the form of a door-to-door solicitor (see Martin, at pp. 147-148, 63 S. Ct. 862), regular
LU

"snail" mail (Rowan, supra, 397 U.S. 728, 90 S. Ct. 1484, 25 L. Ed. 2d 736), radio waves (FCC
v. Pacifica Foundation (1978) 438 U.S. 726, 98 S. Ct. 3026, 57 L. Ed. 2d 1073), or other forms
PN

of amplified sound (Kovacs v. Cooper (1949) 336 U.S. 77, 69 S. Ct. 448, 93 L. Ed. 513). (See
Frisby v. Schultz, at p. 485, 108 S. Ct. 2495.)
H

Of course, speakers have rights too, and thus the result is a balancing: speakers have the right to
initiate speech but the listener has the right to refuse to listen or to terminate the conversation.
This simple policy thus supports Hamidi's right to send e-mails initially, but not after Intel
expressed its objection.

Watchtower Bible and Tract Society v. Village of Stratton (2002) 536 U.S. 150, 122 S. Ct. 2080,
153 L. Ed. 2d 205 does not compel a contrary result. Watchtower follows Martin, supra, 319
U.S. 141, 63 S. Ct. 862, 87 L. Ed. 1313, in holding that the government may not bar a speaker
from a homeowner's door, but the homeowner surely may. The Martin court invalidated an
ordinance that banned all door-to-door soliciting (in that case the speech was the noncommercial

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.802

ideas of a religious sect), even at homes where the residents wished to hear the speech. This
exclusion "substitute[d] the judgment of the community for the judgment of the individual
householder." (Martin, at p. 144, 63 S. Ct. 862.) Instead, the court authorized the property owner
to indicate his desire not to be disturbed. "This or any similar regulation leaves the decision as to
whether distributers of literature may lawfully call at a home where it belongs—with the
homeowner himself." (Id. at p. 148, 63 S. Ct. 862.) A speaker is entitled to speak with willing
listeners but not unwilling ones. A city can punish those who call at a home in defiance of the
previously expressed will of the occupant ...." (Ibid., italics added.) Watchtower, supra, 536 U.S.
150, 122 S. Ct. 2080, 153 L. Ed. 2d 205, reaffirmed the listener's complete autonomy to accept
or reject offered speech.

LA
Martin further recognized that the decisions regarding whether to accept a particular message
must be made by a nongovernmental actor, but not necessarily by every single potential listener

IM
on an individual level. "No one supposes ... that the First Amendment prohibits a state from
preventing the distribution of leaflets in a church against the will of the church authorities."
SH
(Martin, supra, 319 U.S. at p. 143, 63 S. Ct. 862, italics added.) Unanimity among the
congregation is not required. (See also Church of Christ in Hollywood v. Superior Court (2002)
99 Cal. App. 4th 1244, 121 Cal. Rptr. 2d 810 (Church of Christ).) The Supreme Court reaffirmed
LU

this rule in Lloyd Corp. v. Tanner (1972) 407 U.S. 551, 92 S. Ct. 2219, 33 L. Ed. 2d 131 (Lloyd)
and Hudgens v. *55 NLRB (1976) 424 U.S. 507, 96 S. Ct. 1029, 47 L. Ed. 2d 196, where private
PN

shopping mall owners validly excluded speakers from their malls. The owners could make this
decision, even though they were not the "intended and actual recipients of [the speakers']
H

messages." (Maj. opn., ante, 1 Cal.Rptr.3d at p. 51, 71 P.3d at p. 312.) The owners had no
obligation to obtain the agreement of every individual store within the mall, or of every
employee within every store in the mall.

This rule applies not only to real property but also to chattels like a computer system. In Loving
v. Boren, supra, 956 F.Supp. at page 955, the court held that the University of Oklahoma could
restrict the use of its computer system to exclude pornographic messages, notwithstanding the
contrary preferences of any individual faculty member (or student). Intel may similarly control
the use of its own property, regardless of any specific employee's contrary wishes. (See also Bus.
& Prof. Code, § 17538.4, subd. (h).) In any event, Hamidi had ample opportunity in his

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.803

preobjection e-mails to direct employees to his Web site or request the employees' private e-mail
addresses. He thus continues to use the internal Intel network to speak to an unreceptive
audience.[2]

*56 Accordingly, all that matters is that Intel exercised the right recognized in Martin to exclude
unwanted speech. The instant case is considerably easier than Lloyd and Hudgens in light of the
severe infringement on Intel's autonomy. Whereas the mall owners had been asked merely to
allow others to speak, Intel, through its server, must itself actively "participate in the
dissemination of an ideological message by displaying it on ... private property in a manner and
for the express purpose that it be observed and read...." (Wooley v. Maynard (1977) 430 U.S.
705, 713, 97 S. Ct. 1428, 51 L. Ed. 2d 752.)

LA
The principle that a speaker's right to speak to a particular listener exists for only so long as the

IM
listener wishes to listen applies also to mail delivery. (Rowan, supra, 397 U.S. 728, 90 S. Ct.
1484, 25 L. Ed. 2d 736.) In Bolger v. Youngs Drug Products Corp. (1983) 463 U.S. 60, 103 S.
SH
Ct. 2875, 77 L. Ed. 2d 469 (Bolger), the court struck down a law barring the mailing of
information regarding contraception because the government was deciding which messages
could be delivered. But Bolger cited Rowan with approval—a case that upheld the procedure by
LU

which private parties could refuse to receive specific materials. "[A] Insufficient measure of
individual autonomy must survive to permit every householder to exercise control over unwanted
PN

mail." (Rowan, supra, 397 U.S. at p. 736, 90 S. Ct. 1484.) Citing Martin, supra, 319 U.S. 141, 63
S. Ct. 862, 87 L. Ed. 1313, Rowan held "a mailer's right to communicate must stop at the
mailbox of an unreceptive addressee.... [¶] ... [¶] To hold less would tend to license a form of
H

trespass." (Rowan, at pp. 736-737, 90 S. Ct. 1484, italics added.) Furthermore, Bolger expressly
contemplated that some family members would exclude materials on behalf of others; the right to
accept or reject speech thus belonged to the household, not each individual member. (Bolger, at
p. 73, 103 S. Ct. 2875.)

The pertinent precedent for an antispam case is Rowan, which involved private action, not
Bolger, which involved governmental action. "`[H]ere we are not dealing with a government
agency which seeks to preempt in some way the ability of a publisher to contact a potential
reader; rather, we are dealing with a reader who is familiar with the publisher's product, and who

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.804

is attempting to prevent the unwanted dumping of this product on his property.'" (CompuServe,
supra, 962 F.Supp. at p. 1027, quoting Tillman, supra, 648 N.Y.S.2d at p. 635.)

Rowan further held the recipient could reject a message for any subjective reason, including
annoyance or discomfort at its content. (Rowan, supra, 397 U.S. at p. 738, 90 S. Ct. 1484.) A
private actor thus has no obligation to hear all messages just because he chooses to hear some. A
homeowner's desire to receive letters from relatives or friends does not compel him to accept
offensive solicitations. It is therefore possibly true but certainly immaterial that Intel might have
expected that some unwanted messages would be sent to its employees. A store that opens its
doors to the public should reasonably expect some individuals will attempt to shoplift, but the
store does not thereby incur an obligation to accept their presence and the disruption they cause.

LA
IM
*57 If we did create an "accept one, accept all" rule, whereby a party's acceptance of outside
mail abrogates the right to exclude any messages, the result would likely be less speech, not
SH
more. Courts have recognized the seeming paradox that permitting the exclusion of speech is
necessary to safeguard it. "It is ironic that if defendants were to prevail on their First Amendment
arguments, the viability of electronic mail as an effective means of communication for the rest of
LU

society would be put at risk." (CompuServe, supra, 962 F.Supp. at p. 1028.) The Court of Appeal
below likewise observed that employers' tolerance for reasonable personal use of computers
PN

"would vanish if they had no way to limit such personal usage of company equipment." (Cf.
Miami Herald Publishing Co. v. Tornillo (1974) 418 U.S. 241, 256, 94 S. Ct. 2831, 41 L. Ed. 2d
730 [compulsory fair reply law would deter newspaper from speaking to avoid forced expression
H

of disagreeable speech].) Furthermore, merely permitting exclusion may be insufficient absent a

mechanism for enforcement. If spamming expands to a new volume of activity, "[t]he cost
increases that would result from a massive increase in volume could even lead many sites to
discontinue supporting standard email altogether. Within a few years, email may no longer be the
near-universal method for communicating with people via the Internet that it is today." (Sorkin,
Technical and Legal Approaches to Unsolicited Electronic Mail (2001) 35 U.S.F. L.Rev. 325,
338-339, fn. omitted (Sorkin).)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.805

The majority expresses its agreement with the dissent below, which found that if the lost
productivity of Intel's employees serves as the requisite injury, "then every unsolicited
communication that does not further the business's objectives (including telephone calls)
interferes with the chattel... [¶] ... [¶] ... Under Intel's theory, even lovers' quarrels could turn into
trespass suits by reason of the receipt of unsolicited letters or calls from the jilted lover. Imagine
what happens after the angry lover tells her fiance not to call again and violently hangs up the
phone. Fifteen minutes later the phone rings. Her fiance wishing to make up? No, trespass to
chattel." But just as private citizens may deny access to door-to-door solicitors or mailers, they
may also maintain the integrity of their phone system from callers they wish to exclude. A
telephone, no less than an envelope, may be an instrument of trespass. (See Thrifty-Tel, Inc.,

LA
supra, 46 Cal.App.4th at pp. 1566-1567, 54 Cal. Rptr. 2d 468.)

Individuals may not commandeer the communications systems of unwilling listeners, even if the

IM
speakers are jilted lovers who wish to reconcile. (People v. Miguez (Crim.Ct.1990) 147 Misc. 2d
482, 556 N.Y.S.2d 231.)[3] The Miguez defendant repeatedly left messages[4] on the
SH
complainant's answering machine and pager, "interrupting him in his professional capacity as a
doctor." (Id. at p. 232.) It was the disruptive volume (not the specific content) of calls from
which the complainant was entitled to relief. Similarly, an individual could not lawfully
LU

telephone a police department 28 times in 3 hours and 20 minutes to inquire about a civil matter
where the police told him not to call because he was disrupting police operations. *58 (People v.
PN

Smith (App.Div.1977) 89 Misc. 2d 789, 392 N.Y.S.2d 968, 969-970.)

The law on faxes is even stricter. As faxes shift the costs of speech from the speaker to the
H

listener, senders of commercial e-mail must obtain prior consent from the recipient. (47 U.S.C. §
227.) Likewise, the users of automated telephone dialers also must obtain prior consent where
they result in costs to the recipient. (47 U.S.C. § 227(b)(1)(A)(iii); Missouri ex rel. Nixon v.
American Blast Fax, Inc. (8th Cir.2003) 323 F.3d 649, 657 (Blast Fax).) Because e-mail permits
mass unwanted communications without the senders having to bear the costs of postage or labor,
there is a much greater incentive for sending unwanted e-mail, and thus the potential volume of
unwanted email may create even greater problems for recipients than the smaller volume of
unwanted faxes. (Whang, supra, 37 San Diego L.Rev. at p. 1216 & fn. 112.) In any event,
honoring the wishes of a party who requests the cessation of unwanted telecommunications,

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.806

whether by phone, fax or e-mail, does nothing more than apply Martin to today's technology.
(Shannon, Combating Unsolicited Sales Calls: The "Do-Not-Call" Approach to Solving the
Telemarketing Problem (2001) 27 J. Legis. 381, 394.)

Therefore, before the listener objects, the speaker need not fear he is trespassing. Afterwards,
however, the First Amendment principle of respect for personal autonomy compels forbearance.
"The Court has traditionally respected the right of a householder to bar, by order or notice,
[speakers] from his property. See Martin v. City of Struthers, supra,.... In this case the mailer's
right to communicate is circumscribed only by an affirmative act of the addressee giving notice
that he wishes no further mailings from that mailer." (Rowan, supra, 397 U.S. at p. 737, 90 S. Ct.
1484, italics added.) Speakers need not obtain affirmative consent before speaking, and thus have

LA
no reason to fear unexpected liability for trespass, but they must respect the decisions of listeners
once expressed. The First Amendment protects the right not to listen just as it protects the right

IM
to speak.
SH
THE TRIAL COURT CORRECTLY ISSUED THE INJUNCTION

Intel had the right to exclude the unwanted speaker from its property, which Hamidi does not
dispute; he does not argue that he has a to right force unwanted messages on Intel. The instant
LU

case thus turns on the question of whether Intel deserves a remedy for the continuing violation of
its rights. I believe it does, and as numerous cases have demonstrated, an injunction to prevent a
PN

trespass to chattels is an appropriate means of enforcement.

The majority does not find that Hamidi has an affirmative right to have Intel transmit his
H

messages, but denies Intel any remedy. Admittedly, the case would be easier if precise statutory
provisions supported relief, but in the rapidly changing world of technology, in which even
technologically savvy providers like America Online and CompuServe are one step behind
spammers, the Legislature will likely remain three or four steps behind. In any event, the absence
of a statutory remedy does not privilege Hamidi's interference with Intel's property. Nor are
content-based speech torts adequate for violations of property rights unrelated to the speech's
content. In any event, the possibility of another avenue for relief does not preclude an injunction
for trespass to chattels.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.807

The majority denies relief on the theory that Intel has failed to establish the requisite actual
injury. As discussed, post, however, the injunction was properly *59 granted because the rule
requiring actual injury pertains to damages, not equitable relief, and thus courts considering
comparable intrusions have provided injunctive relief without a showing of actual injury.
Furthermore, there was actual injury as (1) Intel suffered economic loss; (2) it is sufficient for the
injury to impair the chattel's utility to the owner rather than the chattel's market value; and (3)
even in the absence of any injury to the owner's utility, it is nevertheless a trespass where one
party expropriates for his own use the resources paid for by another.

Harmless Trespasses to Chattels May be Prevented

LA
Defendant Hamidi used Intel's server in violation of the latter's demand to stop. This unlawful
use of Intel's system interfered with the use of the system by Intel employees. This misconduct

IM
creates a cause of action. "[I]t is a trespass to damage goods or destroy them, to make an
unpermitted use of them, or to move them from one place to another." (Prosser & Keeton on
SH
Torts (5th ed. 1984) Trespass to Chattels, § 14, p. 85, fns. omitted & italics added.) "[T]he
unlawful taking away of another's personal property, the seizure of property upon a wrongful
execution, and the appropriation of another's property to one's own use, even for a temporary
LU

purpose, constitute trespasses, although a mere removal of property without injuring it is not a
trespass when done by one acting rightfully." (7 Speiser et al., American Law of Torts (1990)
PN

Trespass, § 23:23, p. 667 (Speiser) fns. omitted & italics added.)

Regardless of whether property is real or personal, it is beyond dispute that an individual has the
H

right to have his personal property free from interference. There is some division among
authorities regarding the available remedy, particularly whether a harmless trespass supports a
claim for nominal damages. The North Carolina Court of Appeal has found there is no damage
requirement for a trespass to chattel. (See Hawkins v. Hawkins (1991) 101 N.C.App. 529, 400
S.E.2d 472, 475.) "A trespass to chattels is actionable per se without any proof of actual damage.
Any unauthorized touching or moving of a chattel is actionable at the suit of the possessor of it,
even though no harm ensues." (Salmond & Heuston, The Law of Torts (21st ed. 1996) Trespass
to Goods, § 6.2, p. 95, fns. omitted.) Several authorities consider a harmless trespass to goods
actionable per se only if it is intentional. (Winfield & Jolowicz on Torts (10th ed. 1975) Trespass
to Goods, p. 4 03 (Winfield & Jolowicz); Clerk & Lindsell on Torts (17th ed.1995) ¶ 13-159, p.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.808

703.) The Restatement Second of Torts, section 218, which is less inclined to favor liability,
likewise forbids unauthorized use and recognizes the inviolability of personal property.
However, the Restatement permits the owner to prevent the injury beforehand, or receive
compensation afterward, but not to profit from the trespass through the remedy of damages
unrelated to actual harm, which could result in a windfall. (Thrifty-Tel, supra, 46 Cal.App.4th at
p. 1569, 54 Cal. Rptr. 2d 468; Whang, supra, 37 San Diego L.Rev. at p. 1223.) "The interest of a
possessor of a chattel in its inviolability, unlike the similar interest of a possessor of land, is not
given legal protection by an action for nominal damages for harmless intermeddlings with the
chattel... . . . Sufficient legal protection of the possessor's interest in the mere inviolability of his
chattel is afforded by his privilege to use reasonable force to protect his possession against even

LA
harmless interference." (Rest.2d Torts, § 218, com. e, pp. 421-422, italics added.) Accordingly,
the protection of land and chattels may differ on the question of nominal damages unrelated *60

IM
to actual injury. The authorities agree, however, that (1) the chattel is inviolable, (2) the
trespassee need not tolerate even harmless interference, and (3) the possessor may use reasonable
SH
force to prevent it. Both California law and the Restatement authorize reasonable force
regardless of whether the property in question is real or personal. (Civ.Code, § 51; Rest.2d Torts,
§ 77.)
LU

The law's special respect for land ownership supports liability for damages even without actual
harm. (Speiser, supra, § 23:1, p. 592.) By contrast, one who suffers interference with a chattel
PN

may prevent the interference before or during the fact, or recover actual damages (corresponding
to the harm suffered), but at least according to the Restatement, may not recover damages in
H

excess of those suffered. But the Restatement expressly refutes defendant's assertion that only
real property is inviolable. From the modest distinction holding that only victims of a trespass to
land may profit in the form of damages exceeding actual harm, defendant offers the position that
only trespasses to land may be prevented. The law is to the contrary; numerous cases have
authorized injunctive relief to safeguard the inviolability of personal property.

The law favors prevention over posttrespass recovery, as it is permissible to use reasonable force
to retain possession of a chattel but not to recover it after possession has been lost. (See 1 Dobbs,
The Law of Torts (2001) §§ 76, 81, pp. 170,186; see also Deevy v. Tassi (1942) 21 Cal. 2d 109,
118-119, 130 P.2d 389.) Notwithstanding the general rule that injunctive relief requires a

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.809

showing of irreparable injury (5 Witkin, Cal. Procedure (4th ed. 1997) Pleading, § 782, p. 239),
Witkin also observes there are exceptions to this rule where injunctive relief is appropriate; these
include repetitive trespasses. (Id., § 784, p. 242.) The first case cited in that section, Mendelson
v. McCabe (1904) 144 Cal. 230, 77 P. 915 (Mendelson), is apposite to our analysis.

In entering McCabe's property, Mendelson exceeded the scope of the consent he received to do
so. McCabe had granted Mendelson the right to pass through his property on condition that
Mendelson close the gates properly, which he did not do. (Mendelson, supra, 144 Cal. at pp. 231-
232, 77 P. 915.) McCabe "did not allege that any actual damage had been caused by the acts of
[Mendelson] ... in leaving the gates open." (Id. at p. 232, 77 P. 915.) After finding that
Mendelson planned to continue his conduct over McCabe's objection, we authorized injunctive

LA
relief. (Id. at pp. 233-234, 77 P. 915.) Our analysis in Mendelson applies here as well. "The right
to an injunction is not always defeated by the mere absence of substantial damage from the acts

IM
sought to be enjoined. The acts of the plaintiff in leaving the gates open, if persisted in as he
threatened, will constitute a continual invasion of the right of the defendant to maintain the
SH
gates.... Moreover, the only remedy, other than that of an injunction, for the injury arising from
such continued trespass, would be an action against the plaintiff for damages upon each occasion
when he left the gates open. The damage in each case would be very small, probably insufficient
LU

to defray the expenses of maintaining the action not recoverable as costs. Such remedy is
inadequate and would require numerous petty suits, which it is not the policy of the law to
PN

encourage." (Id. at pp. 232-233, 77 P. 915.)

Our decision thus noted that injunctive relief was proper, regardless of actual injury, (1) if it is
H

necessary to protect the trespassee's right to control his property, or (2) if suits for damages are
impractical, because no individual suit would be worthwhile. *61 Accordingly, we reiterated the
rule that "`[a] trespass of a continuing nature, whose constant recurrence renders the remedy at
law inadequate, unless by a multiplicity of suits, affords sufficient ground for relief.'"
(Mendelson, supra, 144 Cal. at p. 233, 77 P. 915.) Both Mendelson grounds support an
injunction here.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.810

"Injunction is a proper remedy against threatened repeated acts of trespass ... particularly where
the probable injury resulting therefrom will be `beyond any method of pecuniary estimation,' and
for this reason irreparable."[5] (Uptown Enterprises v. Strand (1961) 195 Cal. App. 2d 45, 52,15
Cal. Rptr. 486; see also ibid, at p. 52, 15 Cal. Rptr. 486 [an otherwise lawful "entry for the
purpose of harassing the owner, giving his business a bad reputation ... or unjustifiably
interfering with the business relations between him and his patrons is unauthorized, wrongful and
actionable"].) Although Mendelson and Uptown Enterprises concerned real property, the
principles of safeguarding a party's possessory interest in property and of not encouraging
repetitive litigation apply no less to trespasses to chattels. Accordingly, several courts have
issued injunctive relief to prevent interference with personal property.

LA
In 1996, the Appellate Division of the New York Supreme Court considered the claim of
plaintiff Tillman, who sought to enjoin the unwanted delivery of a newspaper onto his property.

IM
(Tillman, supra, 224 A.D.2d 79, 648 N.Y.S.2d 630.) He offered no specific critique of the
newspaper's content, observing only "`[t]here is no reason that we have to clean up [defendant's]
SH
mess.'" (Id. at p. 632.) Citing Rowan, Martin, and Lloyd, the court rejected the defendants'
argument "that there is nothing a homeowner can do to stop the dumping on his or her property
of pamphlets or newspapers, no matter how offensive they might be," and instead upheld
LU

Tillman's right to prevent the mail's delivery, regardless of whether his objection was due to the
quantity (volume) or quality (content) of the messages. (Tillman, at p. 636.) In authorizing
PN

injunctive relief, the Tillman court found no need to quantify the actual damage created by the
delivery; it merely noted that the homeowner should not be forced either "to allow such
H

unwanted newspapers to accumulate, or to expend the time and energy necessary to gather and to
dispose of them." (Ibid.) Subsequent courts have extended this policy to the delivery of e-mail as
well.

The CompuServe court followed Tillman in authorizing an injunction to prevent the delivery of
unwanted e-mail messages. (CompuServe, supra, 962 F. Supp. 1015.) The majority summarily
distinguishes CompuServe and its progeny by noting there the "plaintiff showed, or was prepared
to show, some interference with the efficient functioning of its computer system." (Maj. opn.,
ante, 1 Cal.Rptr.3d at p. 42, 71 P.3d at p. 304.) But although CompuServe did note the
impairment imposed by the defendant's unsolicited email, this was not part of its holding. Just

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.811

before beginning its analysis, the court summarized its ruling without mentioning impairment.
"[T]his Court holds that where defendants engaged in a course of conduct of transmitting a
substantial volume of electronic data in the form of unsolicited e-mail to plaintiffs proprietary
computer equipment, where defendants continued such practice after repeated demands to cease
and desist, and where defendants deliberately evaded plaintiffs affirmative efforts to protect its
computer equipment from such use, plaintiff has a viable claim for trespass to personal property
and is entitled to injunctive relief to protect its property." (CompuServe, supra, 962 F.Supp. at p.
1017.) The cited criteria apply fully to Hamidi's conduct. Likewise, the conclusion of
CompuServe's analysis fully applies here: "Defendants' intentional use of plaintiffs proprietary
computer equipment exceeds plaintiffs consent and, indeed, continued after repeated demands

LA
that defendants cease. Such use is an actionable trespass to plaintiffs chattel." (Id. at p. 1027.)

Post-CompuServe case law has emphasized that unauthorized use of another's property

IM
establishes a trespass, even without a showing of physical damage. "Although eBay appears
unlikely to be able to show a substantial interference at this time, such a showing is not required.
SH
Conduct that does not amount to a substantial interference with possession, but which consists of
intermeddling with or use of another's personal property, is sufficient to establish a cause of
action for trespass to chattel." (eBay, Inc. v. Bidder's Edge, Inc. (N.D.Cal.2000) 100 F. Supp. 2d
LU

1058, 1070.)[6] "While the eBay decision could be read to require an interference that was more
than negligible, ... this Court concludes that eBay, in fact, imposes no such requirement.
PN

Ultimately, the court in that case concluded that the defendant's conduct was sufficient to
establish a cause of action for trespass not because the interference was `substantial' but simply
H

because the defendant's conduct amounted to `use' of Plaintiffs computer." (Oyster Software, Inc.
v. Forms Processing, Inc. (N.D.Cal., Dec. 6, 2001, No. C-00-0724 JCS) 2001 WL 1736382 .) An
intruder is not entitled to sleep in his neighbor's car, even if he does not chip the paint.

Hamidi concedes Intel's legal entitlement to block the unwanted messages. The problem is that
although Intel has resorted to the cyberspace version of reasonable force, it has so far been
unsuccessful in determining how to resist the unwanted use of its system. Thus, while Intel has
the legal right to exclude Hamidi from its system, it does not have the physical ability. It may
forbid Hamidi's use, but it cannot prevent it.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.812

To the majority, Hamidi's ability to outwit Intel's cyber defenses justifies denial of Intel's claim
to exclusive use of its property. Under this reasoning, it is not right but might that determines the
extent of a party's possessory interest. Although the world often works this way, the legal system
should not

Intel Suffered Injury

Even if CompuServe and its progeny deem injury a prerequisite for injunctive relief, such injury
occurred here. Intel suffered not merely an affront to its dignitary interest in ownership but
tangible economic loss. Furthermore, notwithstanding *63 the calendar's doubts, it is entirely
consistent with the Restatement and case law to recognize a property interest in the subjective

LA
utility of one's property. Finally, case law further recognizes as actionable the loss that occurs
when one party maintains property for its own use and another party uses it, even if the property

IM
does not suffer damage as a result.

Intel suffered economic loss

SH
Courts have recognized the tangible costs imposed by the receipt of unsolicited bulk e-mail
(UBE).[7] Approximately 10 percent of the cost of Internet access arises from the delivery of
LU

UBE, because networks must expand to ensure their functioning will not be disturbed by the
unwanted messages and must design software to reduce the flood of spam. (Whang, supra, 37
PN

San Diego L.Rev. at pp. 1203 & fn. 10, 1207 & fn. 37.) Especially where bulk e-mailers mask
the true content of their messages in the "header" (as Hamidi did), there is a shift in costs from
sender to recipient that resembles "`sending junk mail with postage due or making telemarketing
H

calls to someone's pay-perminute cellular phone.'" (Ferguson v. Friendfinders (2002) 94 Cal.

App. 4th 1255, 1268, 115 Cal. Rptr. 2d 258 (Ferguson), quoting State v. Heckel (2001) 143
Wash.2d 824, 24 P.3d 404, 410 (Heckel).) E-mail may be cheaper and more efficient than other
means of communication, but "[t]here is no constitutional requirement that the incremental cost
of sending massive quantities of unsolicited [messages] must be borne by the recipients."
(CompuServe, supra, 962 F.Supp. at p. 1026.)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.813

The Ferguson court noted the tangible economic loss to employers created by unwanted e-mail.
"Individuals who receive UCE can experience increased Internet access fees because of the time
required to sort, read, discard, and attempt to prevent future sending of UCE. If the individual
undertakes this process at work, his or her employer suffers the financial consequences of the
ivasted time." (Ferguson, supra, 94 Cal.App.4th at p. 1267, 115 Cal. Rptr. 2d 258, italics added.)
CompuServe likewise observed the recipient of unwanted e-mail must "sift through, at his
expense, all of the messages in order to find the ones he wanted or expected to receive."
(CompuServe, supra, 962 F.Supp. at p. 123, italics added.) Unwanted messages also drain the
equipment's processing power, and slow down the transfers of electronic data. The economic
costs of unwanted e-mail exist even if Intel employees, unlike CompuServe subscribers, do not

LA
pay directly for the time they spend on the Internet. No such direct costs appear here, only the
opportunity costs of lost time. But for Intel, "time is money" nonetheless. One justification for

IM
the strict rule against unsolicited faxes is that they "shift costs to the recipients who are forced to
contribute ink, paper, wear on their fax machines, as well as personnel time." (Blast Fax, supra,
SH
323 F.3d at p. 652, italics added.) (In re Johnny M. (2002) 100 Cal. App. 4th 1128, 123 Cal.
Rptr. 2d 316 [vandalism that diverted salaried employees from ordinary duties caused economic
loss through lost work product].)
LU

Courts have also recognized the harm produced by unwanted paper mail. Mail sent in violation
of a request to stop creates the "burdens of scrutinizing the mail for objectionable material and
PN

possible harassment." (Rowan, supra, 397 U.S. at p. 735, 90 S. Ct. 1484, italics added.) The
Tillman court thus held a newspaper could not compel unwilling recipients "to spend their own
H

time or money unwillingly participating in the distribution process by which a newspaper travels
from the printing press to its ultimate destination, i.e., disposal."

Although Hamidi claims he sent only six e-mails, he sent them to between 8,000 and 35,000
employees, thus sending from 48,000 to 210,000 messages. Since it is the effect on Intel that is
determinative, it is the number of messages received, not sent, that matters. In any event, Hamidi
sent between 48,000 and 210,000 messages; the "six" refers only to the number of distinct texts
Hamidi sent. Even if it takes little time to determine the author of a message and then delete it,
this process, multiplied hundreds of thousands of times, amounts to a substantial loss of
employee time, and thus work product. If Intel received 200,000 messages, and each one could

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.814

be skimmed and deleted in six seconds, it would take approximately 333 hours, or 42 business
days, to delete them all. In other words, if Intel hired an employee to remove all unwanted mail,
it would take that individual two entire months to finish. (Cf. Tubbs v. Delk (Mo. Ct.App.1996)
932 S.W.2d 454, 456 (Tubbs) [deprivation of access to chattel for "`less than five minutes'"
constitutes actionable trespass, although found justified there].)

Intel's injury is properly related to the chattel

The majority does not dispute that Intel suffered a loss of work product as a matter of fact, so
much as it denies that this loss may constitute the requisite injury as a matter of law. According
to the majority, the reduced utility of the chattel to the owner does not constitute a sufficiently

LA
cognizable injury, which exists only where the chattel itself suffers injury, i.e., its "market value"
falls. The Restatement and related case law are to the contrary.

IM
SH
The Restatement recognizes that the measure of impairment may be subjective; a cognizable
injury may occur not only when the trespass reduces the chattel's market value but also when the
trespass affects its value to the owner. "In the great majority of cases, the actor's intermeddling
LU

with the chattel impairs the value of it to the possessor, as distinguished from the mere affront to
his dignity as possessor, only by some impairment of the physical condition of the chattel. There
PN

may, however, be situations in which the value to the owner of a particular type of chattel may
be impaired by dealing with it in a manner that does not affect its physical condition." The
Restatement goes on to explain that A's using B's toothbrush could extinguish its value to B. The
H

brushing constitutes a trespass by impairing the brush's subjective value to the owner rather than
its objective market value. Moreover, there can be a trespass even though the chattel is used as
intended to brush teeth if it is used by an unwanted party.

As the Court of Appeal's opinion below indicated, interference with an owner's ability to use the
chattel supports a trespass. The opinion recalled the rule, which dates back almost 400 years,
holding that chasing an owner's animal amounts to a trespass to chattels. (See, e.g., Farmer v.
Hunt (1610) 123 Eng. Rep. 766; Winfield & Jolowicz, supra, Trespass to Goods, p. 403.) These
authorities do not require injury or damage to the animal; the interference with the owner's use of
the animal suffices to create a trespass. (Winfield & Jolowicz, p. 40.) Interference is actionable if

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.815

it "deprives the possessor of the use of that chattel." (Fleming, The Law of Torts (9th ed. 1998)
Trespass, § 4.1, p. 598.) Moreover, such interference need not permanently deny the owner the
ability to use the chattel mere delay is enough. (See Tubbs, supra, 932 S.W.2d at p. 456.)

A contemporary version of this interference would occur if a trespasser unplugged the computers
of the entire Intel staff and moved them to a high shelf in each employee's office or cubicle. The
computers themselves would suffer no damage, but all 35,000 employees would need to take the
time to retrieve their computers and restart them. This would reduce the computers' utility to
Intel, for, like the chased animals, they would not be available for immediate use. If the chasing
of a few animals supports a trespass, then so does even minimal interference with a system used
by 35,000 individuals.

LA
CompuServe is in accord, as it observed how a bundle of unwanted messages decreased the

IM
utility of the server. (Compu-Serve, supra, 962 F.Supp. at p. 1023.) Here, Intel maintains a
possessory interest in the efficient and productive use of its system—which it spends millions of
SH
dollars to acquire and maintain. Hamidi's conduct has impaired the system's optimal functioning
for Intel's business purposes. As the Restatement supports liability where "harm is caused to ...
some ... thing in which the possessor has a legally protected interest" (Rest.2d Torts, § 218, subd.
LU

(d)), Hamidi has trespassed upon Intel's chattel.

The unlawful use of another's property is a trespass, regardless of its effect on the property's
PN

utility to the owner

Finally, even if Hamidi's interference did not affect the server's utility to Intel, it would still
H

amount to a trespass. Intel has poured millions of dollars into a resource that Hamidi has now
appropriated for his own use. As noted above, "the appropriation of another's property to one's
own use, even for a temporary purpose, constitute[s][a] trespass[ ]." (Speiser, supra, § 23:23, p.
667, fn. omitted.) The use by one party of property whose costs have been paid by another
amounts to an unlawful taking of those resources—even if there is no unjust enrichment by the
trespassing party.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.816

In Buchanan Marine Inc. v. McCormack Sand Co. (E.D.N.Y.1990) 743 F. Supp. 139
(Buchanan), the plaintiff built and maintained mooring buoys for use by its own tugboats.
Defendants' barges used the buoy over plaintiffs objection. (Id. at pp. 140-141.) The federal
district court found such unlawful use could constitute a trespass to chattels (if the facts were
proved), and thus denied the defendants' motion for summary judgment. "[Defendants' meddling
with [the buoy] is either a trespass to a chattel or perhaps a conversion for which [plaintiff] may
seek relief in the form of damages and an injunction." (Id. at pp. 141-142.) There *66 was an
allegation of damage (to plaintiffs barge, not the buoy itself), which could support a claim for
damages, but this was not a prerequisite for injunctive relief. Even if defendants did not injure
the buoys in any way, they still had no right to expropriate plaintiffs property for their own

LA
advantage.

IM
The instant case involves a similar taking. Intel has paid for thousands of computers, as well as
SH
the costs of maintaining a server.[9] Like the Buchanan defendants, Hamidi has likewise acted as
a free rider in enjoying the use of not only Intel's computer system but the extra storage capacity
needed to accommodate his messages. Furthermore, Intel's claim, which does not object to
LU

Hamidi's speaking independently,[10] only to his use of Intel's property, resembles that of the
Buchanan plaintiff who "has not sought to prevent others from placing their own mooring buoys
PN

in the Harbor," but only the use of the plaintiffs property.[11] (Buchanan, supra, 743 F.Supp. at
p. 142.) Hamidi has thus unlawfully shifted the costs of his speaking to Intel. (Ferguson, supra,
94 Cal.App.4th at p. 1268, 115 Cal. Rptr. 2d 258; Blast Fax, supra, 323 F.3d at p. 652; Heckel,
H

supra, 24 P.3d at p. 410.)

Moreover, even such free ridership is not necessary to establish a trespass to chattels. Had the
Thrifty-Tel defendants succeeded in making free telephone calls without authorization, they
would stand in the same position as the Buchanan defendants. But the record does not show they
ever succeeded in making calls for which another subscriber (or the phone company itself) would
have to pay. Thus, neither injury to the trespassee nor benefit to the trespasser is an element of
trespass to chattel. "[T]respass to chattel has evolved considerably from its original common law
application—concerning the asportation of another's tangible property—to include even the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.817

unauthorized use of personal property." (Thrifty-Tel, supra, 46 Cal. App.4th at p. 1566, 54 Cal.
Rptr. 2d 468.)

As in those cases in which courts have granted injunctions to prevent the delivery of unwanted
mail, paper or electronic, Intel is not attempting to profit from its trespass action by receiving
nominal damages. Rather, it seeks an injunction to prevent further trespass. Moreover, Intel
suffered the requisite injury by losing a great deal of work product, a harm properly related to the
property itself, as well as the money it spent in maintaining the system, which Hamidi
wrongfully expropriated.

CONCLUSION

LA
Those who have contempt for grubby commerce and reverence for the rarified *67 heights of
intellectual discourse may applaud today's decision, but even the flow of ideas will be curtailed if

IM
the right to exclude is denied. As the Napster controversy revealed, creative individuals will be
less inclined to develop intellectual property if they cannot limit the terms of its transmission.
SH
Similarly, if online newspapers cannot charge for access, they will be unable to pay the
journalists and editorialists who generate ideas for public consumption.
LU

This connection between the property right to objects and the property right to ideas and speech
is not novel. James Madison observed, "a man's land, or merchandize, or money is called his
PN

property." (Madison, Property, Nat. Gazette (Mar. 27, 1792), reprinted in The Papers of James
Madison (Robert A. Rutland et al. edits.1983) p. 266, quoted in McGinnis, The Once and Future
Property-Based Vision of the First Amendment (1996) 63 U.Chi. L.Rev. 49, 65.) Likewise, "a
H

man has a property in his opinions and the free communication of them." (Ibid.) Accordingly,
"freedom of speech and property rights were seen simply as different aspects of an indivisible
concept of liberty."

The principles of both personal liberty and social utility should counsel us to usher the common
law of property into the digital age.

Dissenting Opinion by MOSK, J.

The majority hold that the California tort of trespass to chattels does not encompass the use of
expressly unwanted electronic mail that causes no physical damage or impairment to the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.818

recipient's computer system. They also conclude that because a computer system is not like real
property, the rules of trespass to real property are also inapplicable to the circumstances in this
case. Finally, they suggest that an injunction to preclude mass, noncommercial, unwelcome e-
mails may offend the interests of free communication.

I respectfully disagree and would affirm the trial court's decision. In my view, the repeated
transmission of bulk e-mails by appellant Kourosh Kenneth Hamidi (Hamidi) to the employees
of Intel Corporation (Intel) on its proprietary confidential email lists, despite Intel's demand that
he cease such activities, constituted an actionable trespass to chattels. The majority fail to

LA
distinguish open communication in the public "commons" of the Internet from unauthorized
intermeddling on a private, proprietary intranet. Hamidi is not communicating in the equivalent

IM
of a town square or of an unsolicited "junk" mailing through the United States Postal Service.
His action, in crossing from the public Internet into a private intranet, is more like intruding into
SH
a private office mailroom, commandeering the mail cart, and dropping off unwanted broadsides
on 30,000 desks. Because Intel's security measures have been circumvented by Hamidi, the
majority leave Intel, which has exercised all reasonable self-help efforts, with no recourse unless
LU

he causes a malfunction or systems "crash." Hamidi's repeated intrusions did more than merely
"prompt[ ] discussions between `[e]xcited and nervous managers' and the company's human
PN

resource department" (maj. opn., ante, 1 Cal. Rptr.3d at p. 38, 71 P.3d at p. 301); they also
constituted a misappropriation of Intel's private computer system contrary to its intended use and
against Intel's wishes.
H

The law of trespass to chattels has not universally been limited to physical dam-Chief Justice
pursuant to article VI, section 6 of the California Constitution. *68 age. I believe it is entirely
consistent to apply that legal theory to these circumstances—that is, when a proprietary computer
system is being used contrary to its owner's purposes and expressed desires, and self-help has
been ineffective. Intel correctly expects protection from an intruder who misuses its proprietary
system, its nonpublic directories, and its supposedly controlled connection to the Internet to
achieve his bulk mailing objectives—incidentally, without even having to pay postage.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.819

Intel maintains an intranet—a proprietary computer network—as a tool for transacting and
managing its business, both internally and for external business communications.[1] The network
and its servers constitute a tangible entity that has value in terms of the costs of its components
and its function in enabling and enhancing the productivity and efficiency of Intel's business
operations. Intel has established costly security measures to protect the integrity of its system,
including policies about use, proprietary internal e-mail addresses that it does not release to the
public for use outside of company business, and a gateway for blocking unwanted electronic
mail—a socalled firewall.

LA
The Intel computer usage guidelines, which are promulgated for its employees, state that the
computer system is to be "used as a resource in conducting business. Reasonable personal use is

IM
permitted, but employees are reminded that these resources are the property of Intel and all
information on these resources is also the property of Intel." Examples of personal use that
SH
would not be considered reasonable expressly include "use that adversely affects productivity."
Employee e-mail communications are neither private nor confidential.

Hamidi, a former Intel employee who had sued Intel and created an organization to disseminate
LU

negative information about its employment practices, sent bulk electronic mail on six occasions
to as many as 35,000 Intel employees on its proprietary computer system, using Intel's
PN

confidential employee e-mail lists and adopting a series of different origination addresses and
encoding strategies to elude Intel's blocking efforts. He refused to stop when requested by Intel
H

to do so, asserting that he would ignore its demands: "I don't care. I have grown deaf." Intel
sought injunctive relief, alleging that the disruptive effect of the bulk electronic mail, including
expenses from administrative and management personnel, damaged its interest in the proprietary
nature of its network.

The trial court, in its order granting summary judgment and a permanent injunction, made the
following pertinent findings regarding Hamidi's transmission of bulk electronic mail: "Intel has
requested that Hamidi stop sending the messages, but Hamidi has refused, and has employed *69
surreptitious means to circumvent Intel's efforts to block entry of his messages into Intel's
system.... [¶] ... The e-mail system is dedicated for use in conducting business, including

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.820

communications between Intel employees and its customers and vendors. Employee e-mail
addresses are not published for use outside company business.... [¶] The intrusion by Hamidi into
the Intel e-mail system has resulted in the expenditure of company resources to seek to block his
mailings and to address employee concerns about the mailings. Given Hamidi's evasive
techniques to avoid blocking, the self help remedy available to Intel is ineffective." The trial
court concluded that "the evidence establishes (without dispute) that Intel has been injured by
diminished employee productivity and in devoting company resources to blocking efforts and to
addressing employees about Hamidi's e-mails." The trial court further found that the "massive"
intrusions "impaired the value to Intel of its e-mail system."

The majority agree that an impairment of Intel's system would result in an action for trespass to

LA
chattels, but find that Intel suffered no injury. As did the trial court, I conclude that the
undisputed evidence establishes that Intel was substantially harmed by the costs of efforts to

IM
block the messages and diminished employee productivity. Additionally, the injunction did not
affect Hamidi's ability to communicate with Intel employees by other means; he apparently
SH
continues to maintain a Web site to publicize his messages concerning the company.
Furthermore, I believe that the trial court and the Court of Appeal correctly determined that the
tort of trespass to chattels applies in these circumstances.
LU

The Restatement Second of Torts explains that a trespass to a chattel occurs if "the chattel is
PN

impaired as to its condition, quality, or value" or if "harm is caused to some ... thing in which the
possessor has a legally protected interest." (Rest.2d Torts, § 218, subds. (b) & (d), p. 420, italics
added.) As to this tort, a current prominent treatise on the law of torts explains that "[t]he
H

defendant may interfere with the chattel by interfering with the plaintiffs access or use" and
observes that the tort has been applied so as "to protect computer systems from electronic
invasions by way of unsolicited email or the like." (1 Dobbs, The Law of Torts (2001) § 60, pp.
122-123.) Moreover, "[t]he harm necessary to trigger liability for trespass to chattels can be ...
harm to something other than the chattel itself." (Id., pp. 124-125; see also 1 Harper et al., The
Law of Torts (3d ed.1996 & 2003 supp.) § 2.3, pp. 2:14-2:18.) The Restatement points out that,
unlike a possessor of land, a possessor of a chattel is not given legal protection from harmless
invasion, but "the actor" may be liable if the conduct affects "some other and more important
interest of the possessor."

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.821

The Restatement explains that the rationale for requiring harm for trespass to a chattel but not for
trespass to land is the availability and effectiveness of self-help in the case of trespass to a
chattel. "Sufficient legal protection of the possessor's interest in the mere inviolability of his
chattel is afforded by his privilege to use reasonable force to protect his possession against even
harmless interference." (Rest.2d Torts, § 218, com. (e), p. 422.) Obviously, "force" is not
available to prevent electronic trespasses. As shown by Intel's inability to prevent Hamidi's
intrusions, self-help is not an adequate alternative to injunctive relief.

The common law tort of trespass to chattels does not require physical disruption to the chattel. It
also may apply when there is impairment to the "quality" or "value" of the chattel [liability if
"intermeddling is harmful to the possessor's materially valuable interest in the physical condition,

LA
quality, or value of the chattel"].) Moreover, as we held in Zaslow v. Kroenert (1946) 29 Cal. 2d
541, 551, 176 P.2d 1, it also applies "[w]here the conduct complained of does not amount to a

IM
substantial interference with possession or the right thereto, but consists of intermeddling with or
use of or damages to the personal property."[2]
SH
Here, Hamidi's deliberate and continued intermeddling, and threatened intermeddling, with
Intel's proprietary computer system for his own purposes that were hostile to Intel, certainly
LU

impaired the quality and value of the system as an internal business device for Intel and forced
Intel to incur costs to try to maintain the security and integrity of its server—efforts that proved
PN

ineffective. These included costs incurred to mitigate injuries that had already occurred. It is not
a matter of "bootstrapp[ing]" (maj. opn., ante, 1 Cal.Rptr.3d at p. 46, 71 P.3d at p. 308) to
consider those costs a damage to Intel. Indeed, part of the value of the proprietary computer
H

system is the ability to exclude intermeddlers from entering it for significant uses that are
disruptive to its owner's business operations.

If Intel, a large business with thousands of former employees, is unable to prevent Hamidi from
continued intermeddling, it is not unlikely that other outsiders who obtain access to its
proprietary electronic mail addresses would engage in similar conduct, further reducing the value
of, and perhaps debilitating, the computer system as a business productivity mechanism.
Employees understand that a firewall is in place and expect that the messages they receive are
from senders permitted by the corporation. Violation of this expectation increases the internal
disruption caused by messages that circumvent the company's attempt to exclude them. The time

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.822

that each employee must spend to evaluate, delete or respond to the message, when added up,
constitutes an amount of compensated time that translates to quantifiable financial damage.[3]

*71 All of these costs to protect the integrity of the computer system and to deal with the
disruptive effects of the transmissions and the expenditures attributable to employee time,
constitute damages sufficient to establish the existence of a trespass to chattels, even if the
computer system was not overburdened to the point of a "crash" by the bulk electronic mail.

The several courts that have applied the tort of trespass to chattels to deliberate intermeddling
with proprietary computer systems have, for the most part, used a similar analysis. Thus, the
court in CompuServe Inc. v. Cyber Promotions, Inc. (S.D.Ohio 1997) 962 F. Supp. 1015, 1022,

LA
applied the Restatement to conclude that mass mailings and evasion of the server's filters
diminished the value of the mail processing computer equipment to Compu-Serve "even though

IM
it is not physically damaged by defendant's conduct." The inconvenience to users of the system
as a result of the mass messages "decrease[d] the utility of CompuServe's e-mail service" and
SH
was actionable as a trespass to chattels. (Id. at p. 1023.)

The court in America Online, Inc. v. IMS (E.D.Va.1998) 24 F. Supp. 2d 548, on facts similar to
those in the present case, also applied the Restatement in a trespass to chattels claim. There,
LU

defendant sent unauthorized e-mails to America Online's computer system, persisting after
receiving notice to desist and causing the company "to spend technical resources and staff time
PN

to `defend' its computer system and its membership" against the unwanted messages. The
company was not required to show that its computer system was overwhelmed or suffered a
H

diminution in performance; mere use of the system by the defendant was sufficient to allow the
plaintiff to prevail on the trespass to chattels claim.

Similarly, the court in eBay, Inc. v. Bidder's Edge, Inc. (N.D.Cal.2000) 100 F. Supp. 2d 1058
determined that there was a trespass to chattels when the quality or value of a computer system
was diminished by unauthorized "web crawlers,"[4] despite the fact that eBay had not alleged
any "particular service disruption" (id. at p. 1065) or "specific incremental damages" (id. at p.
1063) to the computer system. Intermeddling with eBay's private property was sufficient to
establish a cause of action: "A trespasser is liable when the trespass diminishes the condition,
quality or value of personal property"; "[e]ven if [defendant's intrusions] use only a small amount

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.823

of eBay's computer ... capacity, [defendant] has nonetheless deprived eBay of the ability to use
that portion of its personal property for its own purposes. The law recognizes no such right to use
another's personal property." (Id. at p. 1071; see also, e.g., Oyster Software, Inc. v. Forms
Processing, Inc. (N.D.Cal., Dec. 6, 2001, No. C-00-0724 JCS) 2001 WL 1736382 at *12-*13
[trespass to chattels claim did not require company to demonstrate physical damage]; accord,
Register.com, Inc. v. Verio, Inc. (S.D.N.Y.2000) 126 F. Supp. 2d 238, 250; cf. Thrifty-Tel, Inc.
v. Bezenek (1996) 46 Cal. App. 4th 1559, 1566-1567, 54 Cal. Rptr. 2d 468 [unconsented
electronic access to a computer system constituted a trespass to chattels].)

These cases stand for the simple proposition that owners of computer systems, like owners of
other private property, have *72 a right to prevent others from using their property against their

LA
interests. That principle applies equally in this case. By his repeated intermeddling, Hamidi
converted Intel's private employee e-mail system into a tool for harming productivity and

IM
disrupting Intel's workplace. Intel attempted to put a stop to Hamidi's intrusions by increasing its
electronic screening measures and by requesting that he desist. Only when self-help proved
SH
futile, devolving into a potentially endless joust between attempted prevention and
circumvention, did Intel request and obtain equitable relief in the form of an injunction to
prevent further threatened injury.
LU

The majority suggest that Intel is not entitled to injunctive relief because it chose to allow its
PN

employees access to email through the Internet and because Hamidi has apparently told
employees that he will remove them from his mailing list if they so request. They overlook the
proprietary nature of Intel's intranet system; Intel's system is not merely a conduit for messages
H

to its employees. As the owner of the computer system, it is Intel's request that Hamidi stop that
must be respected. The fact that, like most large businesses, Intel's intranet includes external e-
mail access for essential business purposes does not logically mean, as the majority suggest, that
Intel has forfeited the right to determine who has access to its system. Its intranet is not the
equivalent of a common carrier or public communications licensee that would be subject to
requirements to provide service and access. Just as Intel can, and does, regulate the use of its
computer system by its employees, it should be entitled to control its use by outsiders and to seek
injunctive relief when self-help fails.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.824

The majority also propose that Intel has sufficient avenues for legal relief outside of trespass to
chattels, such as interference with prospective economic relations, interference with contract,
intentional infliction of emotional distress, and defamation; Hamidi urges that an action for
nuisance is more appropriate. Although other causes of action may under certain circumstances
also apply to Hamidi's conduct, the remedy based on trespass to chattels is the most efficient and
appropriate. It simply requires Hamidi to stop the unauthorized use of property without regard to
the content of the transmissions. Unlike trespass to chattels, the other potential causes of action
suggested by the majority and Hamidi would require an evaluation of the transmissions' content
and, in the case of a nuisance action, for example, would involve questions of degree and value
judgments based on competing interests. (See Hellman v. La Cumbre Golf & Country Club

LA
(1992) 6 Cal. App. 4th 1224, 1230-1231, 8 Cal. Rptr. 2d 293; 11 Witkin, Summary of Cal. Law
(9th ed. 1990) Equity, § 153, p. 833; Rest.2d Torts, § 840D).

IM
As discussed above, I believe that existing legal principles are adequate to support Intel's request
for injunctive relief. But even if the injunction in this case amounts to an extension of the
SH
traditional tort of trespass to chattels, this is one of those cases in which, as Justice Cardozo
suggested, "[t]he creative element in the judicial process finds its opportunity and power" in the
development of the law. (Cardozo, Nature of the Judicial Process (1921) p. 165.)[5]
LU

The law has evolved to meet economic, social, and scientific changes in society. The industrial
PN

revolution, mass production, *73 and new transportation and communication systems all
required the adaptation and evolution of legal doctrines.
H

The age of computer technology and cyberspace poses new challenges to legal principles. As this
court has said, "the socalled Internet revolution has spawned a host of new legal issues as courts
have struggled to apply traditional legal frameworks to this new communication medium."
(Pavlovich v. Superior Court (2002) 29 Cal. 4th 262, 266, 127 Cal. Rptr. 2d 329, 58 P.3d 2.) The
court must now grapple with proprietary interests, privacy, and expression arising out of
computer-related disputes. Thus, in this case the court is faced with "that balancing of judgment,
that testing and sorting of considerations of analogy and logic and utility and fairness" that
Justice Cardozo said he had "been trying to describe." (Cardozo, Nature of the Judicial Process,
supra, pp. 165-166.) Additionally, this is a case in which equitable relief is sought. As Bernard
Witkin has written, "equitable relief is flexible and expanding, and the theory that `for every

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.825

wrong there is a remedy' [Civ.Code, § 3523] may be invoked by equity courts to justify the
invention of new methods of relief for new types of wrongs." (11 Witkin, Summary of Cal. Law,
supra, Equity, § 3, p. 681.) That the Legislature has dealt with some aspects of commercial
unsolicited bulk e-mail (Bus. & Prof.Code, §§ 17538.4, 17538.45; see maj. opn., ante, 1
Cal.Rptr.3d at p. 50, 71 P.3d at p. 311) should not inhibit the application of common law tort
principles to deal with e-mail transgressions not covered by the legislation. (Cf. California Assn.
of Health Facilities v. Department of Health Services (1997) 16 Cal. 4th 284, 297, 65 Cal. Rptr.
2d 872, 940 P.2d 323; I.E. Associates v. Safeco Title Ins. Co. (1985) 39 Cal. 3d 281, 285, 216
Cal. Rptr. 438, 702 P.2d 596.)

Before the computer, a person could not easily cause significant disruption to another's business

LA
or personal affairs through methods of communication without significant cost. With the
computer, by a mass mailing, one person can at no cost disrupt, damage, and interfere with

IM
another's property, business, and personal interests. Here, the law should allow Intel to protect its
computer-related property from the unauthorized, harmful, free use by intruders.
SH
As the Court of Appeal observed, connecting one's driveway to the general system of roads does
not invite demonstrators to use the property as a public forum. Not mindful of this precept, the
LU

majority blur the distinction between public and private computer networks in the interest of
"ease and openness of communication." (Maj. opn., ante, 1 Cal.Rptr.3d at p. 50, 71 P.3d at p.
PN

311.) By upholding Intel's right to exercise self-help to restrict Hamidi's bulk e-mails, they
concede that he did not have a right to send them through Intel's proprietary system. Yet they
conclude that injunctive relief is unavailable to Intel because it connected its e-mail system to the
H

Internet and thus, "necessarily contemplated" unsolicited communications to its employees.

(Maj. opn., ante, at p. 47, 71 P.3d at p. 308.) Their exposition promotes unpredictability in a
manner that could be as harmful to open communication as it is to property rights. It permits
Intel to block Hamidi's e-mails entirely, but offers no recourse if he succeeds in breaking through
its security barriers, unless he physically or functionally degrades the system.

By making more concrete damages a requirement for a remedy, the majority has rendered speech
interests dependent on the impact of the e-mails. The sender will never know when or if the mass
e-mails *74 sent by him (and perhaps others) will use up too much space or cause a crash in the
recipient system, so as to fulfill the majority's requirement of damages. Thus, the sender is

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.826

exposed to the risk of liability because of the possibility of damages. If, as the majority suggest,
such a risk will deter "ease and openness of communication" (maj. opn., ante, 1 Cal. Rptr.3d at p.
50, 71 P.3d at p. 311), the majority's formulation does not eliminate such deterrence. Under the
majority's position, the lost freedom of communication still exists. In addition, a business could
never reliably invest in a private network that can only be kept private by constant vigilance and
inventiveness, or by simply shutting off the Internet, thus limiting rather than expanding the flow
of information.[6] Moreover, Intel would have less incentive to allow employees reasonable use
of its equipment to send and receive personal e-mails if such allowance is justification for
preventing restrictions on unwanted intrusions into its computer system. I believe the best
approach is to clearly delineate private from public networks and identify as a trespass to chattels

LA
the kind of intermeddling involved here.

The views of the amici curiae group of intellectual property professors that a ruling in favor of

IM
Intel will interfere with communication are similarly misplaced because here, Intel, contrary to
most users, expressly informed Hamidi that it did not want him sending messages through its
SH
system. Moreover, as noted above, all of the problems referred to will exist under the apparently
accepted law that there is a cause of action if there is some actionable damage.
LU

Hamidi and other amici curiae raise, for the first time on appeal, certain labor law issues,
including the matter of protected labor-related communications. Even assuming that these issues
PN

are properly before this court (see Cal. Rules of Court, rule 28(c)(1)), to the extent the laws allow
what would otherwise be trespasses for some labor-related communications, my position does
not exclude that here too. But there has been no showing that the communications are labor-law
H

protected.[7]

Finally, with regard to alleged constitutional free speech concerns raised by Hamidi and others,
this case involves a private entity seeking to enforce private rights against trespass. Unlike the
majority, I have concluded that Hamidi did invade Intel's property. His actions constituted a
trespass—in this case a trespass to chattels. There is no federal or state constitutional right to
trespass. (Adderley v. Florida (1966) 385 U.S. 39, 47, 87 S. Ct. 242, 17 L. Ed. 2d 149 ["Nothing
in the Constitution of the United States prevents Florida from even-handed enforcement of its
general trespass statute...."]; Church of Christ in Hollywood v. Superior Court (2002) 99 Cal.
App. 4th 1244, 1253-1254, 121 Cal. Rptr. 2d 810 [affirming a restraining order preventing

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.827

former church member from entering church property: "[the United States Supreme Court] has
never held that a trespasser or an uninvited guest may exercise general rights of free speech on
property privately owned"]; see also CompuServe Inc. v. Cyber Promotions, *75 Inc., supra, 962
F.Supp. at p. 1026 ["the mere judicial enforcement of neutral trespass laws by the private owner
of property does not alone render it a state actor"]; Cyber Promotions, Inc. v. American Online,
Inc. (E.D.Pa.1996) 948 F. Supp. 436, 456 ["a private company such as Cyber simply does not
have the unfettered right under the First Amendment to invade AOL's private property...."].)
Accordingly, the cases cited by the majority regarding restrictions on speech, not trespass, are
not applicable. Nor does the connection of Intel's e-mail system to the Internet transform it into a
public forum any more than any connection between private and public properties. Moreover, as

LA
noted above, Hamidi had adequate alternative means for communicating with Intel employees so
that an injunction would not, under any theory, constitute a free speech violation. (Lloyd Corp. v.

IM
Tanner (1972) 407 U.S. 551, 568-569, 92 S. Ct. 2219, 33 L. Ed. 2d 131.)

The trial court granted an injunction to prevent threatened injury to Intel. That is the purpose of
SH
an injunction. (Ernst & Ernst v. Carlson (1966) 247 Cal. App. 2d 125, 128, 55 Cal. Rptr. 626.)
Intel should not be helpless in the face of repeated and threatened abuse and contamination of its
private computer system. The undisputed facts, in my view, rendered Hamidi's conduct legally
LU

actionable. Thus, the trial court's decision to grant a permanent injunction was not "a clear abuse
of discretion" that may be "disturbed on appeal." (Shapiro v. San Diego City Council (2002) 96
PN

Cal. App. 4th 904, 912, 117 Cal. Rptr. 2d 631; see also City of Vernon v. Central Basin Mun.
Water Dist. (1999) 69 Cal. App. 4th 508, 516, 81 Cal. Rptr. 2d 650 [in an appeal of summary
H

judgment, the trial court's decision to deny a permanent injunction was "governed by the abuse
of discretion standard of review"].)

The injunction issued by the trial court simply required Hamidi to refrain from further
trespassory conduct, drawing no distinction based on the content of his emails. Hamidi remains
free to communicate with Intel employees and others outside the walls—both physical and
electronic—of the company.

For these reasons, I respectfully dissent.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.828

I CONCUR: GEORGE, C.J.

[1] To the extent, therefore, that Justice Mosk suggests Hamidi breached the security of Intel's
internal computer network by "circumvent[ing]" Intel's "security measures" and entering the
company's "intranet" (dis. opn. of Mosk, J., post, 1 Cal.Rptr.3d at p. 67, 71 P.3d at p. 326), the
evidence does not support such an implication. An "intranet" is "a network based on TCP/IP
protocols (an internet) belonging to an organization, usually a corporation, accessible only by the
organization's members, employees, or others with authorization." (

[2] For the first time, in this court, Intel argues Hamidi's appeal is moot because, as FACE-Intel's
agent, Hamidi is bound, whatever the outcome of his own appeal, by the unappealed injunction

LA
against FACE-Intel. But as Hamidi points out in response, he could avoid the unappealed
injunction simply by resigning from FACE-Intel; his own appeal is therefore not moot.

IM
[3] We grant both parties' requests for notice of legislative history materials relating to California
laws on spam and on injunctions in labor dispute cases. Hamidi's further request for notice of the
SH
"undisputed" fact that "email messages that travel into computer equipment consist of
electromagnetic waves" is denied as irrelevant.
LU

[4] Data search and collection robots, also known as "Web bots" or "spiders," are programs
designed to rapidly search numerous Web pages or sites, collecting, retrieving, and indexing
PN

information from these pages. Their uses include creation of searchable databases, Web
catalogues and comparison shopping services. (eBay, Inc. v. Bidder's Edge, Inc. (N.D.Cal.2000)
100 F. Supp. 2d 1058, 1060-1061; O'Rourke, Property Rights and Competition on the Internet:
H

In Search of an Appropriate Analogy (2001) 16 Berkeley Tech. L.J. 561, 570-571; Quilter, The
Continuing Expansion of Cyberspace Trespass to Chattels (2002) 17 Berkeley Tech. L.J. 421,
423-424.)

[5] In the most recent decision relied upon by Intel, Oyster Software, Inc. v. Forms Processing,
Inc. (N.D.Cal., Dec. 6, 2001, No. C-00-0724 JCS) 2001 WL 1736382, pages *12-*13, a federal
magistrate judge incorrectly read eBay as establishing, under California law, that mere
unauthorized use of another's computer system constitutes an actionable trespass. The plaintiff
accused the defendant, a business competitor, of copying the metatags (code describing the
contents of a Web site to a search engine) from the plaintiff's Web site, resulting in diversion of

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.829

potential customers for the plaintiff's services. With regard to the plaintiff's trespass claim (the
plaintiff also pleaded causes of action for, inter alia, misappropriation, copyright and trademark
infringement), the magistrate judge concluded that eBay imposed no requirement of actual
damage and that the defendant's conduct was sufficient to establish a trespass "simply because
[it] amounted to `use' of Plaintiff's computer." (Id. at p. *13.) But as just explained, we do not
read eBay, supra, 100 F. Supp. 2d 1058, as holding that the actual injury requirement may be
dispensed with, and such a suggestion would, in any event, be erroneous as a statement of
California law.

[6] In support of its reasoning, the CompuServe court cited paragraph (d) of section 218 of the
Restatement Second of Torts, which refers to harm "to some person or thing in which the

LA
possessor has a legally protected interest." As the comment to this paragraph explains, however,
it is intended to cover personal injury to the possessor or another person in whom the possessor

IM
has a legal interest, or injury to "other chattel or land" in which the possessor of the chattel
subject to the trespass has a legal interest. (Rest.2d Torts, § 218, com. j, p. 423.) No personal
SH
injury was claimed either in CompuServe or in the case at bar, and neither the lost goodwill in
CompuServe nor the loss of employee efficiency claimed in the present case is chattel or land.
LU

[7] The tort law discussion in Justice Brown's dissenting opinion similarly suffers from an
overreliance on metaphor and analogy. Attempting to find an actionable trespass, Justice Brown
PN

analyzes Intel's e-mail system as comparable to the exterior of an automobile (dis. opn. of
Brown, J., post, 1 Cal.Rptr.3d at pp. 52-53, 71 P.3d at pp. 313-314), a plot of land (id. at pp. 60-
61, 71 P.3d at pp. 319-320), the interior of an automobile (p. 62, 71 P.3d p. 321), a toothbrush
H

(pp. 64-65, 71 P.3d p. 323), a head of livestock (p. 65, 71 P.3d p. 323), and a mooring buoy (pp.
65-66, 71 P.3d pp. 324-325), while Hamidi is characterized as a vandal damaging a school
building (pp. 63-64, 71 P.3d p. 322) or a prankster unplugging and moving employees'
computers (p. 65, 71 P.3d p. 324). These colorful analogies tend to obscure the plain fact that this
case involves communications equipment, used by defendant to communicate. Intel's e-mail
system was equipment designed for speedy communication between employees and the outside
world; Hamidi communicated with Intel employees over that system in a manner entirely
consistent with its design; and Intel objected not because of an offense against the integrity or
dignity of its computers, but because the communications themselves affected employee-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.830

recipients in a manner Intel found undesirable. The proposal that we extend trespass to chattels to
cover any communication that the owner of the communications equipment considers annoying
or distracting raises, moreover, concerns about control over the flow of information and views
that would not be presented by, for example, an injunction against chasing another's cattle or
sleeping in her car.

[8] Justice Brown would distinguish Madsen v. Women's Health Center, supra, on the ground
that the operators of the health center in that case would not have been entitled to "drivef] [the
protesters] from the public streets," whereas Intel was entitled to block Hamidi's messages as
best it could. (Dis. opn. of Brown, J., post, 1 Cal.Rptr.3d at p. 55, fn. 1, 71 P.3d at p. 315, fn. 1.)
But the health center operators were entitled to block protesters' messages—as best they

LA
could—by closing windows and pulling blinds. That a property owner may take physical
measures to prevent the transmission of others' speech into or across the property does not imply

IM
that a court order enjoining the speech is not subject to constitutional limitations.
SH
Associate Justice of the Court of Appeal, Second Appellate District, Division Six, assigned by
the Chief Justice pursuant to article VI, section 6 of the California Constitution.

[1] The majority distinguishes Church of Christ on its facts, by asserting that a former church
LU

member could be barred from church property because she had a "tangible presence" on the
church's property. (Maj. opn., ante, 1 Cal.Rptr.3d at p. 50, 71 P.3d at p. 311.) But the majority
PN

does not refute the legal point that "the mere judicial enforcement of neutral trespass laws by the
private owner of property does not alone render it a state actor." (CompuServe, Inc. v. Cyber
H

Promotions, Inc. (S.D.Ohio 1997) 962 F. Supp. 1015, 1026 (CompuServe).)

The First Amendment does not shield Hamidi's speech, and the majority's authorities do not
suggest it does. On the contrary, the high court recognized that the First Amendment does not
preclude generally applicable laws, even where they incidentally restrict speech. (Cohen v.
Cowles Media Co. (1991) 501 U.S. 663, 669, 111 S. Ct. 2513, 115 L. Ed. 2d 586.) There is thus
no right to intrude upon privately owned property simply to generate speech. (Ibid.)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.831

The majority cites New York Times Co. v. Sullivan (1964) 376 U.S. 254, 84 S. Ct. 710, 11 L.
Ed. 2d 686, as well as N.A.A.C.P. v. Claiborne Hardware Co. (1982) 458 U.S. 886, 102 S. Ct.
3409, 73 L. Ed. 2d 1215, and Madsen v. Women's Health Center, Inc. (1994) 512 U.S. 753, 114
S. Ct. 2516, 129 L. Ed. 2d 593, none of which is apposite. In these cases, speakers enjoyed First
Amendment protection when they spoke to the public through a newspaper advertisement (with
the newspaper's consent) or a protest on a public street, a traditional public forum. (Schneider v.
State (1939) 308 U.S. 147, 60 S. Ct. 146, 84 L. Ed. 155.) If Hamidi had similarly expressed his
anti-Intel feelings in a newspaper advertisement or from a public street, these authorities would
be on point. By contrast, nothing in New York Times entitles a computer hacker to alter an
online newspaper's content so that it expresses the hacker's opinions against the paper's wishes.

LA
Intel's right to use reasonable force (see maj. opn., ante, 1 Cal.Rptr.3d at p. 40, 71 P.3d at p.
303), to prevent interference with its property distinguishes this case from the majority's United

IM
States Supreme Court precedents. Whereas Intel could attempt to block the unwanted messages,
Sullivan, who claimed to have been libeled by the newspaper, could not have burned the
SH
newspapers to prevent their publication, nor could the targets of the public protesters in
Claiborne Hardware or Madsen have driven them from the public streets where they were
speaking. Contrariwise, Intel, as the majority does not dispute, would have been allowed to
LU

suppress Hamidi's messages if it had been able to do so.

PN

[2] Hamidi required employees to take affirmative steps to remove themselves from the mailing
list. Not only might some employees have declined to do so because such removal might involve
a greater burden than simply deleting the unwanted message, but they also might reasonably
H

have assumed that such requests could be counterproductive. (Whang, An Analysis of

California's Common and Statutory Law Dealing with Unsolicited Commercial Electronic Mail:
An Argument for Revision (2000) 37 San Diego L.Rev. 1201, 1205-1206 (Whang).) "`Don't
respond [to spam]! Don't ask them to "take you off a list." People who respond—even
negatively—are viewed as Grade A targets. You will probably get more junk than ever.'" (Id. at
p. 1206 & fn. 24, quoting Campbell, Waging War on Internet Spammers, Toronto Star (Aug. 26,
1999) p. L5.)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.832

[3] New York further proscribes such conduct as criminal. (People v. Miguez, supra, 147 Misc.
2d 482, 556 N.Y.S.2d 231.)

[4] Some of the messages reflected a desire to reconcile: "`"Please don't hurt me anymore.
You've hurt me enough, I still love you."'" A later call stated, "`"Eddie I want to give you my
number; even if you don't call me I want you to have it."'" (People v. Miguez, supra, 556
N.Y.S.2d at p. 232.)

[5] The majority asserts Intel was not deprived of its computers "for any measurable length of
time" (maj. opn., ante, 1 Cal.Rptr.3d at p. 41, 71 P.3d at p. 303), which supposedly fits this case
within the rule that a "`mere momentary or theoretical'" deprivation is insufficient to establish a

LA
trespass to chattel (maj. opn., ante, at p. 44, 71 P.3d at p. 306). There is a chasm between the two
descriptions. The time needed to identify and delete 200,000 email messages is not capable of

IM
precise estimation, but it is hardly theoretical or momentary. Most people have no idea of how
many words they spoke yesterday, but that does not render the figure de minimis.
SH
[6] The majority asserts eBay does require impairment, because the opinion noted that the wide
replication of the defendant's conduct would likely impair the functioning of the plaintiff's
system. (Maj. opn., ante, 1 Cal. Rptr.3d at pp. 42-43, 71 P.3d at pp. 305-306.) Of course, the
LU

"wide replication" of Hamidi's conduct would likely impair Intel's operating system.
Accordingly, a diluted "likely impairment through wide replication" standard would favor Intel,
PN

not Hamidi.

[7] There is considerable debate regarding whether "spam" encompasses only unsolicited
H

commercial e-mail (UCE) or all UBE, regardless of its commercial nature. (Sorkin, supra, 35
U.S.F. L.Rev. at pp. 333-335.) Because parties object to spam due to its volume rather than the
sender's motivation, UBE is a preferable definition. (Id. at p. 335.) Moreover, as our decision in
Kasky v. Nike, Inc. (2002) 27 Cal. 4th 939, 119 Cal. Rptr. 2d 296, 45 P.3d 243 made plain, there
is no brightline distinction between commercial and noncommercial speech. (See also City of
Cincinnati v. Discovery Network, Inc. (1993) 507 U.S. 410, 419, 113 S. Ct. 1505, 123 L. Ed. 2d
99.)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.833

[8] Citing to Bolger, supra, 463 U.S. at page 72, 103 S. Ct. 2875, for the proposition that the
Constitution imposes on recipients the burden of disposing of unwanted mail, is inapposite
because, as explained in part I, ante, Bolger involved the government's objections to the delivery,
not the objection of a nongovernmental actor like Intel, which, under Rowan, supra, 397 U.S at
pages 736-738, 90 S. Ct. 1484, may exclude unwanted mail.

[9] In fact, Intel pays to maintain a high capacity to ensure that the system does not crash (or
slow down); if Intel had not preempted such harm, there is no dispute that Hamidi would be
liable for damages. As Professor Epstein cogently observes, Intel is thus being penalized for
engaging in preemptive selfhelp. According to the majority, Intel would do better by saving its
money and collecting damages after a crash/slowdown.

LA
[10] Intel does not object to Hamidi's transmitting the same message through his Web site, e-

IM
mail to employees' home computers, snail mail to their homes, distribution of materials from
outside the company's gates, or any other communication that does not conscript Intel's property
SH
into Hamidi's service. Intel does object to the use of its property, regardless of its message.
Although Intel objected that Hamidi sent antagonistic messages, Intel would presumably also
object if Hamidi sent "blank" messages that slowed down both the Intel system and the
LU

employees who use it.

[11] As with the hypothetical toothbrush, the Buchanan defendants used the buoy for its intended
PN

use. (Buchanan, supra, 743 F.Supp. at p. 140.)

[*] Associate Justice, Court of Appeal, Second Appellate District, Division Five, assigned by the
H

[1] The Oxford English Dictionary defines an intranet as "A local or restricted computer
network; spec, a private or corporate network that uses Internet protocols. An intranet may (but
need not) be connected to the Internet and be accessible externally to authorized users." (OED
Online, new ed., draft entry, Mar. 2003, [as of June 30, 2003]; see also Kokka, Property Rights
on an Intranet, 3 Spring 1998 J. Tech.L. & Policy 3, WL 3 UFLJTLP 3 at *3, *6 [defining an
intranet as "an internal network of computers, servers, routers and browser software designed to
organize, secure, distribute and collect information within an organization," which in large
organizations generally includes a wide range of services, including e-mail].) Contrary to the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.834

majority's assertion, there is nothing incorrect about characterizing Hamidi's unauthorized bulk
e-mails as intrusions onto Intel's intranet.

[2] In Zaslow, we observed that when the trespass involves "intermeddling with or use of"
another's property, the owner "may recover only the actual damages suffered by reason of the
impairment of the property or the loss of its use." (Zaslow v. Kroenert, supra, 29 Cal.2d at p.
551, 176 P.2d 1.) We did not state that such damages were a requirement for a cause of action;
nor did we address the availability of injunctive relief.

[3] As the recent spate of articles on "spam"— unsolicited bulk e-mail—suggests, the effects on
business of such unwanted intrusions are not trivial. "Spam is not just a nuisance. It absorbs

LA
bandwidth and overwhelms Internet service providers. Corporate tech staffs labor to deploy
filtering technology to protect their networks. The cost is now widely estimated (though all such

IM
estimates are largely guesswork) at billions of dollars a year. The social costs are
immeasurable.... [¶] `Spam has become the organized crime of the Internet.' ... `[M]ore and more
SH
it's becoming a systems and engineering and networking problem.' (Gleick, Tangled Up in Spam,
N.Y. Times (Feb. 9, 2003) magazine p. 1 [as of June 30, 2003]; see also Cooper & Shogren,
U.S., States Turn Focus to Curbing Spam, L.A. Times (May 1, 2003) p. A21, col. 2 ["Businesses
LU

are losing money with every moment that employees spend deleting"]; Turley, Congress Must
Send Spammers a Message, L.A. Times (Apr. 21, 2003) p. B13, col. 5 ["Spam now costs
PN

American businesses about $9 billion a year in lost productivity and screening"]; Taylor, Spam's
Big Bang! (June 16, 2003) Time, p. 51 ["The time we spend deleting or defeating spam costs an
estimated $8.9 billion a year in lost productivity"].) But the occasional spam addressed to
H

particular employees does not pose nearly the same threat of impaired value as the concerted
bulk mailings into one e-mail system at issue here, which mailings were sent to thousands of
employees with the express purpose of disrupting business as usual. information from the
websites of others. (eBay, Inc. v. Bidder's Edge, supra, 100 F.Supp.2d at p. 1061, fn. 2.)

[4] A "web crawler" is a computer program that operates across the Internet to obtain

[5] "It is revolting to have no better reason for a rule of law than that so it was laid down in the
time of Henry IV." (Holmes, The Path of the Law (1897) 10 Harv.L.Rev. 457, 469.)

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.835

[6] Thus, the majority's approach creates the perverse incentive for companies to invest less in
computer capacity in order to protect its property. In the view of the majority, Hamidi's massive
e-mails would be actionable only if Intel had insufficient server or storage capacity to manage
them.

[7] The bulk e-mail messages from Hamidi, a nonemployee, did not purport to spur employees
into any collective action; he has conceded that "[t]his is not a drive to unionize." Nor was his
disruptive conduct part of any bona fide labor dispute.

*****************************************************************************

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.836

 B.N. Firos

Vs.

State of Kerala & Others

W.A. No. 685 of 2004

JUDGMENT

LA
J.B. Koshy, J.

IM
1. Appellant/petitioner approached this court for declaring that section 70 of the Information
Technology Act, 2000 (hereinafter referred to as 'the Act') is unconstitutional and unenforceable
SH
and also for issuance of a writ of certiorari to quash Ext. P10 notification issued by the
Government of Kerala under sub-section (1) of section 70 of the Act (Central Act No. 21 of
2000). According to the appellant, while disposing of the Writ Petition, the learned single Judge
LU

did not enter into any finding regarding the constitutional validity of section 70 of the Act though
it upheld Ext. P10 notification issued by the State Government. The learned single Judge also
directed to withdraw the suit for declaration of copyright and for injunction filed against the
PN

petitioner though the learned single Judge held that the suit is maintainable. The court also
directed respondents 1 to 4 to withdraw the criminal complaint filed against the petitioner if the
H

petitioner accepts the judgment and informs the same to the second respondent in writing within
a period of one from the date of judgment. The petitioner did not accept the judgment, but,
challenged the same before this Court. The facts of this case are as follows: Government of
Kerala, as part of IT implementation in Government departments, conceived a project idea of
"FRIENDS" (Fast, Reliable, Instant, Efficient Network for Disbursement of Services). The
project envisaged is development of a software for single window collection of bills payable to
Government, local authorities, various statutory agencies, Government Corporation etc. towards
tax, fees, charges for electricity, water, etc. A person by making a consolidated payment in a
computer counter served through "FRIENDS" system can discharge all his liabilities due to the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.837

Government, local authorities and various agencies. The first respondent Kerala State
Government entrusted the work of developing the "FRIENDS" software with the fourth
respondent. Fourth respondent is a registered society under the control of Government as the
Total Solution Provider (TSP). The fourth respondent, in turn, entrusted the work of
development of pilot project to be set up at Thiruvananthapuram to the petitioner. The
application-software "FRIENDS" was first established at Thiruvananthapuram, free of cost, and
since the project was successful, Government decided to set up the same in all other 13 district
centres. By Ext. P6, fourth respondent entered contract with the petitioner for setting up and
commissioning "FRIENDS" software system in 13 centres all over Kerala for providing
integrated services to the customers through a single window for a total consideration of Rs. 13

LA
lakhs. Pursuant to Ext. P6 agreement, petitioner set up "FRIENDS" service centres in all the 13
centres and they were paid the agreed remuneration. After successful completion of the project,

IM
there was a subsequent agreement between the fourth respondent and the petitioner (Ext. P9 for
continued technical support and for maintenance of system). Extended period was over. Disputes
SH
arose between the petitioner and Government with regard to Intellectual Property Right (IPR) in
the software developed, namely, "FRIENDS". There is no dispute that IPR software is
recognised in law that copyright can be claimed for IPR in the software in view of the
LU

amendment in the Copyright Act, 1057 in 1994. When respondents 1 to 4 arranged to modify the
software "FRIENDS" to suit its further requirements through another agency, petitioner alleged
PN

violation of copyright and petitioner filed criminal complaint against respondents 1 to 4 which
was later referred. A counter case was filed by the State and fourth respondent against the
petitioner and charge sheet was issued and a crime was registered as Crime No. 119 of 2003 and
H

is pending before the Additional Chief Judicial Magistrate's Court, Thiruvananthapuram.

Petitioner filed an application for copyright before the Registrar of Copyright and the first
respondent filed a suit before the District Court, Thiruvananthapuram under sections 60 and 61
of the Copyright Act against the petitioner alleging infringement of copyright and for declaration
and injunction. Since the suit is pending in the civil court, the Registrar of Copyright left the
matter to be decided by the civil court and rejected petitioner's application for registration of
copyright in the "FRIENDS" software applied for by him leaving freedom to any party to apply
for registration of copyright after the civil court decides the issue. First respondent, State of
Kerala, also issued separate notification, Ext. P10, under section 70 of the Act declaring, among

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.838

other items, that the "FRIENDS" software installed in the computer system and computer
network established in all centres in Kerala as a 'protected system' for the purpose of the said
Act. It is true that the criminal case against the petitioner is pending before the Chief Judicial
Magistrate's Court, Thiruvananthapuram and suit filed by the first respondent against the
petitioner is pending in the District Court, Thiruvananthapuram. This writ petition was filed
challenging section 70 of the Act. It is also contended that Ext. P10 circular issued is arbitrary,
discriminatory and violate of article 19(1)(g) of the Constitution of India and against the
statutory right conferred under section 17 of the Copyright Act.

LA
2. Before going into the contentions raised, we may extract section 70 of the Information
Technology Act, 2000 as follows:

IM
70. Protected system:- (1) The appropriate Government may, by notification in the Official
Gazette, declare that any computer, computer system or computer network to be a protected
SH
system.

(2) The appropriate Government may, by order in writing, authorise the persons who are
LU

authorised to access protected systems notified under subsection (1).

(3) Any person who secures access or attempts to secure access to a protected system in
PN

contravention of the provisions of this section shall be punished with imprisonment of either
description for a term which may extend to ten years and shall also be liable to fine.
H

It is the main contention of the petitioner that the computer programme "FRIENDS" is a literary
work as defined under section 2(o) of the Copyright Act and he, being its creator ,is the author as
defined under section 2(d)(vi) and, therefore, he is entitled to registration of copyright.
According to him, his application for registration is presently rejected on account of the
pendency of the suit in the civil court and ultimately he is entitled to registration of copyright
under the Act. According to the petitioner, section 70 of the Act which confers the unfettered
powers on the State Government to declare any computer system as a protected system is
arbitrary and unconstitutional and inconsistent with Copyright Act and section 70 of the Act has
to be declared as illegal. The alternative contention of the petitioner is that Government should

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.839

have declared it as a protected system only after obtaining declaratory decree from the civil
court. In the writ petition as well as in the writ appeal even though petitioner challenged section
70 of the Information Technology Act as unconstitutional, serious contention was regarding Ext.
P10 and not regarding the validity of section 70 of the Act. According to the petitioner, there is
direct conflict between the provisions of section 17 of the Copyright Act and section 70 of the
Information Technology Act. When there is conflict between the two Acts, it is well settled law
that a harmonious construction has to be adopted. Further, Information Technology Act is a
comprehensive legislation with regard to Information Technology Act and its provisions. The
provisions of the same will be binding especially considering section 81 of the Act which
provides as follows:

LA
IM
81. Act to have overriding effect: The provisions of this Act shall have effect notwithstanding
anything inconsistent therewith contained in any other law for the time being in force.
SH
But, as far as the Copyright Act is concerned, it is a comprehensive special Act and it is a
comprehensive legislation regarding the law relating to Copyrights in India. Therefore, as far as
copyright in respect of information technology is concerned, it has to be considered with
LU

reference to the provisions of the Copyright Act and as rightly held by the learned single Judge
section 70 of the Information Technology Act is directly related to section 2(k) and 17(d) of the
PN

Copyright Act and Government's authority to notify the system as a protected system applied
only to such of the system of "Government work". Description of Government work is defined
H

under section 2(k) of the Copyright Act on which Government is confirmed copyright under
section 17(d). The learned single Judge held as follows:

.... Therefore while the IT Act deals with all matters pertaining to information technology,
copyright in respect of information technology has to be considered with reference to the
provisions of the Copyright Act and in this regard the contention of the petitioner in principle has
to be upheld. I feel the petitioner's contention is relevant only when section 70 is taken in
insolation, and if the Government proceeds to declare any computer system or network other
than "Government work" as protected. I am of the view that S. 70 of the IT Act is directly related

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.840

to Section 2(k) and 17(d) of the Copyright Act and Government's authority to notify any system
as protected applies only to such of the system as protected applies only to such of the system
which answers the description of "Government work" as defined in S. 2(k) of the Copyright Act
on which Govt. is conferred copyright under Section 17(d). In other words, a notification under
Sec. 70 of the IT Act is a declaration of copyright under Sec. 17(d) of the Copyright Act which
applies only to "Government work" within the meaning of Sec. 2(k) of the said Act. Since the
appellant conflict between the provisions of both the statutes can be resolved by adopting the
interpretation that a "Government work" as defined under Sec. 2(k) of the Copyright Act on
which Government has copyright under Sec. 17(d) of the said Act only can be declared by
Government as a "protected system" under Sec. 70 of the IT Act, the challenge against Sec. 70 as

LA
against the provisions of the Copyright Act does not survive and is only to be rejected. In other
words, Sec. 70 of the IT Act is not against but subject to the provisions of the Copyright Act and

IM
Government cannot unilaterally declare any system as "protected" other than "Government
work" falling under S. 2(k) of the Copyright Act on which Govt's copyright is recognised under
SH
Section 17(d) of the said Act. However, if the Government proceeds to declare any other
computer system or network under section 70 of the IT Act as a protected system, it will be open
to the aggrieved party to challenge such action as arbitrary and unauthorised. So long as the
LU

authority of the Government under section 70 of the IT Act is to declare only "Government
work" as defined under Sec. 2(k) of the Copyright Act as "protected system" the challenge
PN

against the validity of the section will not stand and the mere possibility of the Government
exceeding it's powers is no ground to declare statutory provision unconstitutional. Hence this
contention is rejected.
H

We agree with the above observations.

3. Section 2(k) of the Copyright Act deals with the Government work as follows:

(k) 'Government work' means a work which is made or published by or under the direction or
control of -

(i) the Government; or any department of the Government;

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.841

(ii) any Legislature in India;

(iii) any Court, Tribunal or other judicial authority in India;

Section 17(d) of the Copyright Act is as follows:

17. First owner of copyright:- Subject to the provisions of this Act, the author of a work shall be
the owner of the copyright therein;

(d) in the case of a Government work, Government shall, in the absence of any agreement to the
contrary, be the first owner of the copyright therein.

LA
There is a statutory presumption in favour of every enactment and apart from a vague statement

IM
that Section 70 of the Information Technology Act is unconstitutional, petitioner was not able to
show it is unconstitutional. Legislative power of Parliament is not questioned by the petitioner in
SH
enacting section 70. When virus of an enactment or section is challenged alleging conflict with
the provision in another Act, the conflict should be resolved as far as possible in favour of the
legislature putting the most liberal construction and looking at the substance of the legislation by
LU

using the principle of harmonious construction. (See: Diamond Sugar Mills v. State of UP -
MANU/SC/0252/1960 : AIR 1962 SC 652 at 655) and Peerless General Finance and Investment
PN

Co. Ltd. and another v. Reserve Bank of India and others - MANU/SC/0685/1992 : AIR 1992
SC 1033 para 50). When there is conflict between the provisions of two acts, the Court has to
construe the provisions in such a way to avoid a 'head on clash' and a harmonious construction
H

should be adopted to resolve the conflict (See: Jogendra Lal Saha v. State of Bihar and others -
MANU/SC/0282/1991 : AIR 1991 SC 1148 at page 1149). A harmonious construction of
Copyright Act and Information Technology Act is necessary and questions regarding the
'copyrights' for the computer system, electronic devices and other works under the Information
Technology Act are covered by the Copyright Act. Copyright (Amendment) Act, 1999 shows
that copyrights with regard to the data work, data basis, computer work etc. are specifically
covered under the Copyright Act. All matters connected with 'copyright can be resolved by the
provisions in the Copyright Act as it is a special Act for that purpose and matters regarding
information technology have to be resolved by applying the provisions of the Information

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.842

Technology Act as it is a special Act for that purpose. There is no conflict between the
provisions of Copyright Act and Section 70 of Information Technology Act. Hence, we are of
the opinion that there is no merit in the challenge made in section 70 of the Information
Technology Act.

4. The next question to be considered is whether Ext. P10 notification issued by the Government
is liable to be set aside and can Government declare "FRIENDS" application software or whether
it is a Government work within the meaning or whether it is a Government work within the
meaning of section 2(k) of the Copyright Act, this Court declared to decide the matter on merits
in O.P.33536 of 2002 by the District Court, Thiruvananthapuram. We are of the opinion that Ext.
P10 could be issued by the Government without registration of the copyright and even without a

LA
declaration of copyright by the civil court under section 60 of the Copyright Act. If any party
claims that he has got a copyright and the Government cannot declare it as a protected system, it

IM
is for him to go to the civil court and get an injunction and also get a declaration that he has got a
copyright of the property. It is settled position that no registration is required to claim copyright
SH
under the Copyright Act and nonregistration under the Copyright Act does not bar action for
infringement. The learned single Judge rightly held as follows:
LU

.... A Division Bench of this Court in Kumari Kanaka v. Sundarajan (1972 KLR 536) held that
registration of the work under the Copyright is not compulsory, nor is it a condition precedent for
PN

maintaining a suit for damages or for injunction against infringement of copyright. Similar is the
view taken by the Madras High Court in Manojah Cine Productions v. Sundaresan
(MANU/TN/0620/1975 : AIR 1976 Mad. 22) and by the Allahabad High Court in Nav Sahitya
H

Prakash v. Anand Kumar (MANU/UP/0177/1981 : AIR 1981 All. 200). Therefore, if the
"FRIENDS" software is a "Government work" as defined under section 2(k) of the Copyright
Act, then by virtue of section 17(d) of the said Act, the Government is entitled to notify it under
section 70 of the IT Act as a protected system without any prior registration under the Copyright
Act. There is nothing to indicate in section 70 of the IT Act that the Government should get any
declaratory decree of copyright from District Court under section 60 of the Copyright Act before
issuing notification declaring a computer system as protected. Sections 60 and 61 of the
Copyright Act are only remedial measures available to an aggrieved party. While Government is
free to issue notification under section 70 of the IT Act without any registration of copyright or

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.843

without obtaining any declaratory decree of copyright from District Court under section 60 of the
Act, it was open to the petitioner to challenge Ext. P10 by filing a suit under sections 60 and 61
of the Copyright Act. Though the petitioner is defending the suit, it will not be permissible for
the petitioner as defendant to challenge Ext. P10 in the pending suit filed by the State.

Admittedly, petitioner did not file any suit. Petitioner was free to file a suit under sections 60 and
61 of the Limitation Act wherein he could challenge Ext. P10 notification if it infringes his
copyright. Sections 60 and 61 of the Copyright Act read as follows:

60. Remedy in the case of groundless threat of legal proceedings:- Where any person claiming to

LA
be the owner of copyright in any work, by circulars, advertisements or otherwise, threatens any
other person with any legal proceedings or liability in respect of an alleged infringement of the

IM
copyright, any person aggrieved thereby may, notwithstanding anything contained in section 34
of the Specific Relief Act, 1963 (47 of 1963), institute a declaratory suit that the alleged
SH
infringement to which the threats related was not in fact an infringement of any legal rights of
the person making such threats and may in any such suit -
LU

(a) obtain an injunction against the continuance of such threats; and

(b) recover such damages, if an, as he has sustained by reason of such threats;
PN

Provided that this section does not apply if the person making such threats, with due diligence,
commences and prosecutes an action for infringement of the copyright claimed by him."
H

61. Owners of copyright to be party to the proceeding:- (1) In every Civil Suit or other
proceeding regarding infringement of copyright instituted by an exclusive licensee, the owner of
the copyright shall, unless the Court otherwise directs, be made a defendant and where such
owner is made a defendant, he shall have the right to dispute the claim of the exclusive licensee.

(2) Where any Civil Suit or other proceeding regarding infringement of copyright instituted by
an exclusive licensee is successful, no fresh suit or other proceeding in respect of the same cause
of action shall lie at the instance of the owner of the copyright.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.844

5. We agree with the learned single Judge that Ext. P10 is not an adjudicatory order under
Chapter DC of the Information Technology Act to file an appeal to the Cyber Appellate Tribunal
constituted under Chapter X of the Information Technology Act. It is true that under Ext. P6
agreement disputes between the parties could be settled by arbitration by second respondent in
terms of clause 7(2) of the said agreement. Petitioner has not chosen to avail such a remedy.
Admittedly, petitioner did not file any suit and did not go for arbitration. The remedy of the
petitioner was to file a suit or to refer the matter to arbitration instead of filing a writ petition.
That was not done. Counsel for the petitioner insisted that since they have not filed any suit and
writ petition was pending from about two years, the question whether "FRIENDS" software
developed is a Government work and whether Government can issue Ext. P10 notification under

LA
section 17(d) of the Copyright Act should be decided by this court. Arguments were advanced by
both sides to the point. The learned single Judge went through the contentions in detail and found

IM
after examining Exts. P1, 3, 6 and 9 that the software was developed for the Government and for
the purpose of rendering services by the Government to the public. Even though Exts. P6 and 9
SH
are executed with fourth respondent and Government is not directly a party, fourth respondent
was only a Government agency and Government created the above agency as a total solution
provider for developing software for the Government. Clause (10) of Ext. R4(b) reads as follows:
LU

10. Departmental Task Force will monitor the actual implementation of the project vis-a-vis the
milestones set by the TSP.
PN

Intellectual Property Rights of the system developed by all the TSPs and Departments shall vest
in the Government of Kerala. Government of Kerala will be free to deploy the same system or
H

with modification in any of the 2Government/Semi-Government/Quasi Government

Departments/Organisation.

Fourth respondent was bound by the above clause. Petitioner who understood technical support
by executing agreement with fourth respondent is also bound by the above clause in Ext. R4(b).
Government has decided itself to the IPR copyright in respect of "FRIENDS" software and there
is no document or clause in the agreement to show that fourth respondent has assigned IPR right
to the petitioner. The agreement was valid for a definite period and the petitioner was bound to
give technical support during the currency of agreement. The software developed is for the sole
purpose of collection of tax and amount payable to the various Government agencies through a

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.845

single window. The learned single Judge held that it answers the definition of 'Government work'
under section 2(k). We agree with the learned single Judge. It is contended by the learned
Government Pleader that findings 7 and 8 were not warranted as when suit is maintainable, the
court should not have directed to withdraw the suit, but, the question whether Government is
entitled to publish Ext. P10 notification under section 70 was decided by the learned single Judge
himself and, therefore, a declaratory suit was not necessary. The learned single Judge also held
that the petitioner is prohibited from claiming any right from "FRIENDS" software in view of
Ext. P10 notification. Therefore, a further suit is unnecessary and, in any event, no appeal has
been filed by the Government. We agree with the finding of the learned single Judge that section
70 of the Information Technology Act is not unconstitutional, but, while interpreting section 70

LA
of the Information Technology Act, a harmonious construction with Copyright Act is needed and
copyright of IT Government work is also protected under the Copyright Act and remedy

IM
provided under the Copyright Act can be availed by the parties, if their copyright is infringed
even in respect of IT work. No grounds are made out by the petitioner to set aside Ext. P10
SH
notification issued under section 70 of the Information Technology Act in a petition under article
226 of the Constitution of India. Therefore, the writ appeal is dismissed.

**************************************************************************
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.846

 National Association of Software and Service Companies

Vs.

Respondent: Ajay Sood and Ors.

2005(30) PTC 437 Del

JUDGMENT

Pradeep Nandrajog, J.

LA
IM
1. plaintiff has filed the present suit inter alias praying for a decree of permanent injunction
restraining the defendants or any person acting under their authority from circulating fraudulent
SH
E-mails purportedly originating from the plaintiff of using the trade mark 'NASSCOM' or any
other mark confusingly similar in relation to goods or services. Prayer for rendition of accounts
as well as damages has been made in the plaintiff.
LU

2. Application being IA. 2351/2005 has been filed by the parties under Order 23 Rule 3 CPC.
Application is signed on behalf of defendant No. 1 in person. On behalf of defendant No. 4, Mr.
PN

Shiv Agrawal a Director of defendant No. 4 has appended his signatures. Application is
supported with the affidavits of Mr. Ajay Sood and Mr. Shiv Agrawal. On behalf of plaintiff
H

application has been signed by Mr. Mohan Khanna. His affidavit has been enclosed Along with
the application. There are 4 defendants to the suit. Defendants 2 and 3 being Ms. Shweta Ganguli
and Mr. Preeti Malotra. As per averments made in the plaint said two defendants were the
authors of the offending E-mails which came to the notice of the plaintiff.

As per the application filed under Order 23 Rule 3 CPC it is stated that defendants 1 and 4,
through the medium of the present suit learnt about the offending acts and identified one Ms.
Tithypoorna Ganguli as the person who was responsible for the offending acts. It is stated that
defendants 2 and 3 were fictitious identities created by said Ms. Tithypoorna Ganguli.

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.847

3. As per the compromise application, defendants 1 and 4 have agreed to suffer a decree in terms
of paras 35 'a', 'b' and 'g' of the plaint. Defendants have further agreed that the hard disc seized
from the office of the defendants by the local Commissioner appointed by this Court could be
delivered up to the plaintiff. Needless to state application records that since defendants 2 and 3
are fictitious identities created by Tithypoorna Ganguli said defendants be deleted from the array
of parties.

4. Mr. Ajay Sood and Mr. Shiv Agrawal are present in court. They affirmed the Settlement.
Their statements have been recorded.

5. IA. 2351/2005 brings on record a settlement which in the opinion of the court is a bona-fide

LA
settlement and does not suffer from any illegality. Settlement is taken on record and is accepted.

6. is stands disposed of. CS (OS) No. 285/2005

IM
1. Normally where a suit is compromised and terms of compromise are brought on record, a
SH
short cryptic order is required to be passed decreeing the suit in terms of the compromise, but the
fact as have emanated in the present case require this Court to pass a reasoned order.

2. The plaint sets out the following case:--

LU

(i) NASSCOM is India's premiere software association representing 850 members of which
PN

nearly 150 are global companies. NASSCOM is a well known name in India and has a wide
range of activities detailed in paras 13 and 15 of the plaint.
H

(ii) Masquerading as NASSCOM, defendants, in order to obtain personal data from various
addresses, which they could then use for head-hunting, went on the website as if they were a
premiere selection and recruitment firm.

3. That from the office of defendants No. 1 and 4, offending e-mails were transmitted is not in
dispute as defendants 1 and 4 have suffered a consent decree. On 2nd March, 2005, I have
granted an ex-parte ad-interim injunction against the defendants restraining them from using the
trade name NASSCOM or any other name deceptively similar thereto. Defendants were further
restrained from holding themselves out as being associates or a part of NASSCOM. I had also
directed execution of a commission to visit the premises of the defendants and take into custody

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.848

the hard disc as it was reasonably to be expected that the fraudulent e-mails sent by the
defendants to various parties would be located on the hard-disc. Commission was executed on
2.3.2005 itself. Two hard discs were recovered on which offending e-mails were found. One e-
mail dated 10.1.2003 written by defendant No. 3 (a fictitious person), another e-mail dated
11.1.2005 (another fictitious person) were down-loaded from the hard-disc.

4. As per the compromise application filed, it transpired that a lady, Tithypoorna Ganguli, an
employee of defendant No. 4 created fictitious e-mail, Ids in the name of defendants No. 2 and 3
and sent the e-mails in the name of NASSCOM to third parties with a view to extract personal
data. In other words, head hunting was on. May be, head hunting was on behalf of defendant No.
4 but the truth would never surface in the present case for the reason parties have entered into a

LA
compromise.

IM
5. Internet has spawned novel and interesting methods to defraud individuals and companies,
'Phishing' is a form of internet fraud. In a case of 'Phishing', a person pretending to be a
SH
legitimate association such as a bank or an insurance company in order to extract personal data
from a user such as access codes, passwords etc. which are then used to his own advantage,
misrepresents on the identity of the legitimate party. Typically 'Phishing' scams involve persons
LU

who pretend to represent online banks and siphon cash from e-banking accounts after conning
consumers into handing over confidential banking details.
PN

6. The internet these days is full of scams. E-mail that form the basis of phishing attacks and
pose as a security cheek. These messages trick users into handing over their account details and
H

passwords. The quoted details are subsequently used for fraudulent transfers. It was only towards
the end of 2003 that phishing e-mails were spotted. Unfortunately, these are becoming
increasingly sophisticated. It appears that the expression 'phishing' comes from the word fishing
whereby a bate is set in the hope that someone will bite. Article titled "Plugging the Phishing
Hole": Legislation v. Technology by Robert Louis B Stevenson dated 17th March, 2005 talks
about the Act in the following terms:

"The Act, if passed will add two crimes to the current federal law; It would criminalize the act of
sending a phishing email regardless of whether any recipients of the email suffered any actual
damages. It would criminalize the act of creating a phishing website regardless of whether any

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.849

visitors to the website suffered any actual damages. Senator Leahy described the effects of the
Act in this way; The Act protects the integrity of the Internet in two ways. First, it criminalize the
bait. It makes it illegal to knowingly send out spoofed email that links to sham websites, with the
intention of committing a crime, Second, it criminalize the sham websites that are the true scene
of the crime. The Act is also notable for what it does not contain. The bail provides no guidance
or allocation of additional resources for its enforcement. This is in contrast with a recently
proposed bill in the House of Representatives aimed primarily at "spyware," While the House
bill adds no law related to phishing, it does provide for the appropriation of "the sum of $
10,000,000 to the Attorney General for prosecuting needed to discourage the use of spyware
and... phishing." Because the House bill adds no new law directed at phishing, this Brief does not

LA
further discuss or analyze. It is noted here only for the purpose of pointing out a possible
deficiency in the Act."

IM
7. I find no legislation in India on 'phishing'. An act which amounts to phishing, under the Indian
law would be a mis-representation made in the course of trade leading to confusion as to the
SH
source and origin of the e-mail causing immense harm not only to the consumer but even the
person whose name, identity or password is misused. It would also be an act of passing off as is
affecting or tarnishing the image of the plaintiff, if an action is brought by the aggrieved party.
LU

8. Whether law should develop on the lines suggested by Robert Louis B Stevenson in his article
PN

noted above is left by this Court for future development in an appropriate case.

9. As far as the present case is concerned, defendants 1 and 4 have acknowledged their
H

employees' illegal action as being vocative of plaintiffs right and have recognized the plaintiffs
in sum of Rs. 16,00,000. They have also consented to suffer a decree as recorded in the
application under Order 23 Rule 3 CPC.

10. Suit would stand decreed in terms of the compromise effected between the parties and as
contained in is No. 2351/2005. Said application shall form part of the decree to be drawn.

11. Hard-discs seized for the defendant's premises by the Local Commissioner on 2.3.2005 are
hereby ordered to be turned over to the plaintiff who would be the owner of the hard-discs.
Defendants 1 and 4, their servants and agents would be injuncted from circulating fraudulent e-

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.850

mails purportedly originating from the plaintiff or using the trade name NASSCOM or any other
name/mark and address of the plaintiff amounting to passing off and tarnishment.

12. No costs.

***************************************************************************

LA
IM
SH
LU
PN
H

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.851

 Abhinav Gupta

Vs.

State and Ors.

Crl. M.C.no. 3197/2009

JUDGMENT

V.K. Shali, J.

LA
1. This is a petition filed by the Petitioner under Section 482 Code of Criminal Procedure for quashing of

IM
the complaint case No. 2002/2001 titled M/s Kundan Rice Mills Ltd. v. M/s C.L. International.
SH
2. Briefly stated the facts leading to the filing of the present petition are that M/s Kundan Rice Mills Ltd.
Respondent herein filed a complaint case against the M/s C.L. International, Sh. Abhishek Gupta, Shri
LU

Abhinav Gupta and Sh. Ravinder Gupta claiming him to be the in-charge/manager. It is alleged that the
Petitioner Abhinav Gupta along with Abhishek Gupta and Ravinder Gupta used to purchase rice from the
Respondent company and in order to pay the outstanding amount of sell sale price the accused No. 1 to 4
PN

authorized to Mr. Abhinav Gupta accused No. 3 to sign the cheques. It is alleged that the apart from this
liability Mr. Abhinav Gupta, the Petitioner, had issued a cheque No. 046162 dated 21.03.2008 for a sum
H

of Rs. 6,87,958/- drawn on Bank of India, Overseas Brach, Vijay Building, 17, Bara Khamba Road, New
Delhi from the account of M/s C.L. International. It is alleged that the aforesaid cheque on presentation
was dishonoured on account of stop payment. The dishonoured cheque was returned along with a memo
dated 11th September, 2008 indicating that there were instructions of stop payment. It is alleged that the
Petitioner was the in-charge of day to day business of the conduct of the firm and is guilty of Section 138
read with Section 141 of the Negotiable Instruments Act.

3. I have heard the learned Counsel for the Petitioner. It is contended that since the cheque has been
dishonoured on account of stop payment and not because of insufficiency of funds, therefore, the offence
under Section 138 of the Negotiable Instrument Act is not made out and accordingly the Petitioner could
not have been summoned and the complaint deserved to be quashed. The learned Counsel for the

FOR PRIVATE CIRCULATION ONLY HPNLU SHIMLA Page No.852

Petitioner has placed reliance on case titled Bhageerathy v. V. Beena and Anr. Crl. M.C. No. 473/1992
Crl.L.J. 3946 of Kerala High Court wherein it has been held that if the cheque is dishonour only on the
ground of insufficiency of funds or the cheque exceeds the arrangement in the account then only an
offence under Section 138 of the Negotiable Instrument Act will be made out. Similar is the judgment of
another Single Judge of the Kerala High Court in case titled S. Ashok and Anr. v. Sri Vasudevan Moosad
MANU/KE/0073/1993 : 1993 Cri. L.J. 2486.

4. I have carefully considered the submissions of the learned Counsel for the Petitioner and gone through
the judgments relied upon. I do not subscribe to the view that an offence under Section 138 of the
Negotiable Instrument Act will be made out only in case if there is a dishonour of cheque on the ground
of insufficiency of funds or if the cheque is returned because it exceeds the amount which is available in
the account. The Hon'ble Supreme Court in case titled Goa Plast (P) Ltd. v. Chico Ursula D'Souza

LA
MANU/SC/0940/2003 : AIR 2004SC 408 has specifically laid down that in case the cheque is
dishonoured on account of stop payment to his bankers by the drawer of the cheque then an offence under

IM
Section 138 read with Section 142 of the Negotiable Instruments Act will be made out. The said judgment
dealt with this aspect of the matter in detail and formulates the aforesaid proposition of law.
SH
5. The very purpose of enacting the provision of 138 of the Negotiable Instrument Act is to confer
credibility to the commercial transactions by ensuring that the cheque is honoured by a party which issues
the cheque and that is why the dishonour of cheque on account of insufficient fund or stop payment would
LU

attract the provisions of Section 138 of the Negotiable Instruments Act. As a matter of fact in case there is
a direction to the banker by the drawer of the cheque that the cheque should not be honoured which is
PN

called in commercial parlance 'stop payment', it clearly shows that the drawer of the cheque had a
dishonest intention of ensuring that the cheque which is issued is not honoured and thus not only an
offence Under Section 138 of the Negotiable Instruments Act will be made out but an offence of cheating
H

will be also made out.

6. For the reasons mentioned above, I am of the view that there is no merit in the contention of the learned
Counsel for the Petitioner that as the cheque was dishonoured on account of stop payment no offence is
made out and the complaint deserves to be quashed. The petition is totally misconceived and accordingly
the same is dismissed.

7. Expression of any opinion hereinbefore may not be treated as an expression on the merits of the case.

******************************************************************************