ABA Section of Business Law
May/June 2001 (Volume 10, Number 5)
Get a Grip!
Regulating cyberspace won't be easy
By John C. Beck
Web and regulation don't seem to go together.
After all, the Internet is finally becoming a worldwide web. It
is estimated that by 2005, the number of Internet users around the
globe will have almost tripled, climbing from 259 million at the
end of 1999 to more than 765 million. Further, it is predicted that
60 percent of the world online population will be outside the United
States by 2003.
While initially the Internet was primarily a U.S. phenomenon, this surge in international users marks the advent of a truly global electronic community. This, in turn, will bring about a widespread, globally connected electronic marketplace, the likes of which has not existed before. Not only businesses, but also almost all governments recognize that the Internet will be integral to maintaining the competitiveness of their national economies.
But some larger questions about national competition and the Internet remain: Who is going to monitor all of this growth? Who is going to control it? Should it be controlled at all?
There are, as of yet, no easy answers to these questions. In fact,
each potential answer compels more questions, and more possible
answers. In a world of constant, rapid development - and one that
in many ways erases the standard definitions of borders and location
- how are issues such as taxation, legal recourse, privacy, jurisdiction
and consumer protection to be settled? Will - or even can - local
governments assert control over this expansive global phenomenon?
Or will the Internet by its very nature weaken the hold of traditional
national governments?
Certainly, those involved in new technology industries would prefer
that regulation, particularly government regulation, of the Internet
and e-commerce be kept to a minimum. They argue that attempts at
regulation are self-defeating in three ways.
First, they contend that by the time that deliberative and legislative
bodies like the U.S. Congress investigate, debate, vote and implement
regulatory rules for a particular technology, that technology has
been superseded.
Second, they argue that efforts to rein in technology and its applications will only squelch progress and force firms to take their innovations, jobs and revenues to less-regulated shores.
Third, they predict that attempts to control or constrain burgeoning
Net technologies only prompt developers and users to seek out new
applications and network solutions even more difficult to regulate
or trace back to a single source. In support they cite decentralized
sites such as Gnutella and the encrypted, user-identity-free Freenet
(both of which make it nearly impossible to trace users and, in
the case of Freenet, completely impossible to identify a central
"site" responsible for any transaction).
While international regulation might overcome the second problem,
firm flight, it is as impotent as national regulation against the
first or third problem.
Still, most industry participants accept the necessity of some degree of Internet regulation. It is how it should be regulated that has become the big issue. Internet companies recognize that consumer confidence increases when obvious security and privacy concerns are addressed, so they understand the need for providing a sense of consistency and trust through supporting familiar standards. Further, they need a way to protect themselves from international litigation.
However, most of these companies - and multilateral business organizations representing their interests, such as the Global Business Dialogue on E-Commerce - hold the view that, in general, the Internet should be left to regulate itself. They believe that with industry self-regulation, widespread standards of use will eventually surface that will provide basic consumer protection without burdening e-firms with the many problems that might arise from diverse national regulations.
Not surprisingly, governments oppose self-regulation since it would result in less tax revenue, less control over the types of transactions that can take place, less protection for their constituents, less control over information entering their countries (in nations where this is still highly regulated), and less ability to form alliances with profitable businesses, alliances that have, in the past, benefited politicians and bureaucrats. Self-regulation means less governmental influence, and hence potentially less benefit - or security - for legislators and their constituents.
Therefore, quite a number of international entities, countries and even small regions have begun to assert their desire to regulate the Internet in any number of ways. The state of Virginia, for instance, has created its own guidelines for an Internet Policy Act "for the facilitation of responsible industry and citizen empowerment in the use of the Internet." Numerous countries, such as Australia, China and Germany, have drafted national Internet and e-commerce policies.
International organizations are also forming policies, for example, the EU's recently passed Privacy Directive, or the Organisation for Economic Co-operation and Development's (OECD's) "Guidelines for Consumer Protection in the Context of Electronic Commerce." Even the United Nations has adopted a declaration on "the Role of Information Technology in the Context of a Knowledge-based Global Economy."
The United States, which in the Internet's early stages seemed to be favoring a more "hands off" approach to regulation, now seems to be changing course. This past May, the Federal Trade Commission produced findings indicating that self-regulation was not proving to be an effective way of providing consumer protection, leading it to declare that "self-regulation alone, without some legislation, is unlikely to provide consumers with the level of protection they seek and deserve."
But how can state or national borders regulate what is essentially a borderless medium? A single transaction can be claimed by many competing jurisdictions with as many competing codes and laws. For instance, the European Union has much more stringent doctrines regarding consumer privacy protection than the United States does. Its current Privacy Directive asserts that all consumers in the EU should and will be protected by a prescribed set of rules, regardless of whether the Internet sites they visit are based in the EU or not.
But then should an e-commerce site based in the United States, for instance, be bound by governmental restrictions that it is not required to follow in this country, merely because a member of the EU might get into its site and make a transaction? If so, should it be legally responsible for meeting each of the Internet policy requirements of the hundreds of national governments whose citizens might have access to its site?
If a site in Canada, for example, contains information about Chinese dissidents, and citizens of the People's Republic of China manage to log onto that site and gather information that has been banned in their own country, should the Canadian site be brought up on international charges? If a German purchases a book banned in Germany but legally available in the United States from a U.S. Web site, can the German government file charges against that Web site for selling banned books in Germany, or is the site no more liable than if the customer bought the book in person in the United States?
Many maintain that such a complex and conflicting jumble of national legislation will cause more problems than solutions. And yet, if self-regulation is not sufficient, and individual national regulation is not the solution, what is?
Some suggest that independent, international regulatory organizations are the only real route to a coherent Internet policy. However, as of yet there is not much evidence that most countries would be willing to cede their legislative authority to an independent, outside organization.
Some scholars predict that it will take near-catastrophic conflicts before governments realize the necessity of such an independent regulatory organization. In the meantime, they will struggle with managing and understanding the numerous legislative issues that this new form of communication and business will create, including such things as jurisdiction, taxation and privacy.
If Internet business transactions have no location, who has jurisdiction over a sale? If a customer is sitting in an airport in Egypt, using a laptop that she bought in Japan to purchase a CD-ROM from a French Web site and arranging for it to be delivered to her home in the United States, where can we say the transaction took place? Which country - if any - has jurisdiction over the sale?
Or, as the Internet gets more advanced, the same customer may have an internationally based, Internet-only bank account, and she may send money electronically from this Internet bank account to her brother in the form of e-cash, which he can use to buy something for his birthday on any Web site he chooses. Can we pinpoint a "place" where any of these transactions happened? Or, if the brother uses this e-cash from his sister's account to make a purchase online after researching the product through some online consumer comparison sites, and the goods he purchased are defective or unsatisfactory, who is responsible for guaranteeing the quality of the goods?
- The country in which the Web site he bought them from is based?
- The country to where the unsatisfactory goods are delivered?
- The international bank that issued the e-cash?
- The ISP the brother went through to find the site?
- The consumer "bot" site he used to recommend the best quality and price deal on the item?
Further, if the country where the product's Web site is based has less stringent consumer protection and satisfaction laws than the country he lives in, is the e-company he purchased it from responsible for providing him with the level of protection guaranteed in his country?
There are no easy answers, but some have suggested that such Internet "location" concerns will have to be settled akin to the way they are in maritime law - in the absence of a clear location where something occurred, a location must be found or assigned by mutual agreement in order to provide legal protection. Some proposed locations to determine legal jurisdiction might be:
- the country the Web site is based in,
- the place where the unsatisfactory goods are delivered,
- the place (or bank) where the money is eventually paid or escrowed.
Others have suggested that since the majority of online purchases are made with credit cards, credit card customer satisfaction guarantee policies could be used to guarantee the delivery and quality of goods.
Of course, each of these solutions raises issues of its own. For instance, e-companies, having no bricks-and-mortar hindrances, can easily evade the hand of regulation by moving from countries with more restrictive laws to those with less restrictive legislation. Countries could end up undermining and undercutting each other's regulatory efforts in the race for e-commerce revenue.
Using the legal framework of the place where the goods are delivered can be problematic too. Internet companies offering global services will argue that they can hardly be responsible for knowing the intricacies of the law in every single country that might have the ability to access or make a purchase from them. Laws like this, if imposed, might encourage e-commerce firms to serve only the large, developed markets, leaving emerging nations out of the Internet revolution.
Finally, relying on the legal framework developed for credit cards cannot be the global solution, for credit card use is less prevalent outside of the developed world, and it may, in the future, be even less prevalent with the rise of e-cash.
Since taxes are traditionally jurisdiction-based, it is not surprising that e-commerce taxation raises a similar set of problems, a similar set of solutions, and a similar set of dissatisfactions with those solutions. Who should, for example, tax the transaction made by our American consumer sitting in an Egyptian airport making a purchase from a French Web site? Some have suggested that the establishment of a universal tax regime for Internet sales is the only feasible solution, but it would be wise to remember how hard it has been to achieve tax harmonization just within the EU. Further, there are countries like the United States, which is not even willing to create consistent tax laws from state to state, let alone ready to cede that right to an outside source.
The most common practice for companies to determine state taxes on Web sales is to adopt the model of catalog sales, which are taxed in any state in which the catalog company has a physical presence. This has led firms like Amazon to locate distribution warehouses in states with small populations like Nevada, Georgia, Kentucky, Kansas, Delaware and North Dakota. During the early 1990s, Lands' End, a catalog company, was able to bypass Japanese taxes by refusing to establish a Japanese sales or marketing presence in the country and by shipping its products directly from the United States.
A similar "physical presence" standard might be used
to determine national taxes for Internet commerce, but it would
have the same effect as state taxes - driving operations centers
to countries with smaller populations and lower taxes.
Internet companies have cited the lack of an obvious solution to
argue that e-commerce should be exempted from traditional forms
of taxation. But governments do not want to lose what is a growing
part of taxable transactions, no matter how hard they are to tax.
And as a matter of tax equity, governments can hardly expect bricks-and-mortar
companies to continue to pay taxes on the same sort of transactions
that go untaxed with e-commerce companies.
Concerns about privacy have also led some to ask for more regulation.
Until recently, there were no policies governing Web users' rights
to privacy protection, or requiring Web sites to clearly inform
online consumers and users which items of personal information would
be collected and how this information would or could be used. There
were also relatively few guidelines for what conditions constituted
a secure site.
That a Web site claimed its information transmissions were secure
did not always guarantee that they really were, or at least did
not indicate how high a level of security its system used. Recent
reports of government surveillance of the Internet and the access
afforded governments, companies and individuals to personal information
on users by their ISPs have also increased the clamor for some sort
of regulation.
These are real concerns to the average Internet user. In fact, many studies show that the number one concern users have with the Internet is its potential lack of security. It is believed that the fear of Internet credit card fraud and concerns regarding the safety of information transmission are the primary factors holding most consumers back from using the Internet to make purchases more frequently. Similar concerns are also holding businesses back from conducting more B2B transactions through online sources.
In many cases, however, these fears may actually be exaggerated. Forrester Research estimates that companies can expect to lose $1 for every $1,000 of transactions on the Net. (Meanwhile the global average for fraud on landline telephone calls is estimated at $25 per $1,000 and cell phone fraud in emerging markets tops out at $400 per $1,000 in sales.) Moreover, Internet companies are well aware of this consumer fear, and have taken steps to alleviate it by providing more secure sites with advanced encryption, and by obtaining seals of approval from outside watchdog agencies that monitor Web site security levels.
In fact, credit card numbers are much better protected than personal
information. Presently, in most countries, Web sites are allowed,
without clear notification, to gather information on users ranging
from simple things like age and location to monitoring which sites
individual users visit on a daily basis. Some are even able to monitor
purchases consumers have made from sites owned by the same corporation.
Because there is little control over what Web sites can do with
this information, they can choose to use it in any number of ways
- from gearing their banner ads to products they think the individual
consumer will be more prone to buy based on demographics or surfing
patterns, to selling consumer names, addresses and e-mail addresses
to companies who want to sell products unrelated to that Web site.
Of course, it may not be in Web companies' best interests to make
available what information they are gathering on users and how they
will use that information, since they may be profiting from not
giving users a choice. And since they are as yet not legally bound
to do so, many sites have chosen not to.
Though many organizations like the Federal Trade Commission have created models for self-regulating Internet sites to follow (the FTC's "Fair Information Practice Principles" recommends that Web sites provide four guidelines for consumer awareness: notice, choice, reasonable access and adequate security), the majority of Web sites are not voluntarily following these models. In fact, the FTC has found that only 20 percent of the companies they studied were fully following its suggested guidelines.
That is not to say that all Internet companies are not providing any sort of information regarding their privacy policies. But is that information clearly available to the consumer? What most critics - regardless of whether they agree or disagree with information-collection practices - seem to agree on is that full disclosure is of prime importance. Consumers must have clear, easy and immediate access to a site's privacy policy. They must also have the choice of whether or not they want to "sell" their privacy to that site in exchange for whatever services they may receive from it.
Some propose that sites be required to let consumers choose whether their information will be collected or used for other purposes, while still giving them full access to all of the site's services. Others suggest that the choice to surrender information could simply be contingent on whether the consumer chooses to use the site or not. If consumers did not want personal information to be gathered on them, they would simply choose not to use that site.
The courts still seem unprepared to insert themselves fully into Internet privacy issues. A gay Navy man was discharged from the service based on information AOL surrendered to military authorities without so much as a legal hearing. Some Raytheon employees who had complained about the firm on Yahoo message boards found their supposedly private identities were turned over to company officials without a court injunction. Eventually the legalities of "wire taps" and "search and seizure" of files on the Internet will be handled in the same way as similar intrusions in the physical world. But until the rules are completely understood by all the players, users beware.
Given the general irresolution, how should companies with an interest in e-commerce proceed?
First, they should reconcile themselves to some level of state
regulation - national governments have just too much to lose by
ceding the regulatory reins to e-businesses or to supranational
entities. Experts predict that national governments will attempt
therefore to create regulations for their individual countries,
and will probably have an inclination to rely on older models that
have already proved workable in the nondigital economy, and that
already have legal frameworks firmly established.
For instance, location and jurisdiction decisions will probably
be based on already established models such as maritime or mail-order
commerce laws. Internet companies setting up concerns at home and
abroad should probably look to the established cultural norms and
government policies (national and international) to predict the
laws that will eventually govern the Internet.
Second, while being reconciled to some state oversight, companies with e-commerce aspirations should continue to contest the level of that oversight. Too few American e-companies have established strong lobbying efforts in Washington. Perhaps with all the other pressures of raising money and starting operations, this was seen as a low priority.
Some companies have appointed well-known former politicians and bureaucrats to their boards for both their lobbying clout and their name value (mostly overseas), but a few old faces will not be enough to ensure that their side is heard. For companies who want e-commerce to be a significant part of their business, a stronger government lobbying effort should become part of their strategy.
Third, companies need to get out in front of regulatory efforts, pioneering their own solutions to contract enforcement, international trade issues, balance of payment problems as well as security and privacy concerns. Legislators would rather be handed something they can then call their own than have to write it up themselves. E-businesses need to have something ready to hand over that both protects the rule of law and promotes e-commerce competitiveness.
And they should make a special effort to dampen privacy concerns, demonstrating to government regulators that solutions exist that will allow consumers choice, awareness and protection while allowing businesses to collect the sort of information necessary to survive and thrive. State regulation is almost inevitable, but firms can still play a major role in determining its shape and weight.
Beck is an associate partner at the Accenture Institute for Strategic Change in Cambridge, Mass. His e-mail is john.c.beck@accenture.com.



