The Selected Impacts of Electronic and Computer Technologies on Law MARK L. GORDON AND JEAN MARIE R. PECHETTE Gordon & Glickson P. C. 444 North Michigan Avenue Suite 3600 Chicago, Illinois 60611 Technological advances are redefining the way business is transacted in the 1990s. In the past few decades, the computer and electronic communications’ industries have mushroomed from novel ideas into necessary components in nearly every aspect of our society.*This explosion has resulted in rapidly changing and advancing technologies as well as lucrative commercial transactions. Along with this expansion, a wide range of critical legal issues and potential liabilities has also arisen. This paper will survey some of the legal issues that typically arise in connection with the use and abuse of computers and electronic communications. The first section will focus generally on the laws developed to protect databases and electronic communications from illegal entry or interception and theft or modification of the material contained therein, their applicability to computer crimes, as well as their deficiencies in providing protection. This section will also address issues of privacy and confidentiality as they affect databases and electronic communications. The second section will discuss the impact that the technology industry has on commercial transactions. This section will survey the applicability of the Uniform Commercial Code (UCC) to transactions involving hardware and software as well as the use of electronic communications to transact business. The section will also address the significance of electronic communications with respect to business transactions under the Statute of Frauds and the concept of the battle of the forms. LAWS REGULATING COMPUTER CRIMES The databases of any business are filled with confidential information highly critical to the day-to-day operations of that business. A hospital database, for example, contains a myriad of sensitive information regarding its physicians, staff, billing practices, its patients, their disorders, occupations, insurance carriers, cost of their treatments, etc. However, even with the use of certain safeguards, this information can be electronically transferred, intercepted, modified, or rerouted illegally from any computer in the world. The wide-ranging legal, financial, and social ramifications of such activities are enormous. An example of the dangerous consequences created by such a “break in,” using the same hospital database scenario, is as follows: An individual or perhaps a disgruntled hospital employee could access the database, from any computer at home or at work, and change patient diagnoses or treatment procedures, intercept information from another hospital or diagnostic laboratory and reroute or modify the information. Further disruption could occur if this access also involved the downloading of data containing the names of persons with any number of contagious diseases, particularly AIDS, and the uploading of this information on a bulletin board or any other manner of publication. 180
GORDON & PECHEITE IMPACTS OF TECHNOLDGIES ON LAW
181
The transfer or modification of information can be accomplished by any individual who, with the aid of a computer and a modem, is able to access a database. If the transfer is legal, the individual merely inputs the code or password and is able to easily access the desired data. However, if the individual is attempting to access the system illegally, before the data can be accessed, that individual must break the mathematical codes used to protect the system, much in the same manner as a burglar would break into a safe.3 Because of the ease of such “burglaries” or tamperings from remote locations and the sensitivity of the information contained in any number of databases worldwide, the federal government has developed and instituted laws governing the illegal entry, use and modification of information contained in databases or electronic communications. Presently, the federal approach to computer protection consists of three laws specifically enacted to prohibit illegal activities involving These laws are the Computer Fraud and computers or electronic tran~mission.~ Abuse Act,.’ the Electronic Communications and Privacy Act: and the Computer Security Act.’ Certain sections of the National Stolen Property Act,8 although not specifically designed to protect against unauthorized or illegal computer uses, prohibit the interstate transmission of stolen information via telephone lines, thereby governing certain illegal data t r a n ~ f e rAntivirus .~ acts have also been proposed to prohibit and protect computers against the use of programs that destroy or modify data. Although not yet law, these proposals evidence the future of legislation on computer viruses.
The ComputerFraud and Abuse Act The Counterfeit Device and Computer Fraud and Abuse Act of 1984 (CFAA), amended in 1986, was the first piece of legislation, at the federal level, specifically written to deter and punish individuals involved in computer crimes. The CFAA prohibits access to computers containing information relating to foreign relations and national defenses, if the information obtained was to be used to the endangerment or detriment of the United States or any other country. In addition, it also prohibits access to a federal computer if such access is to alter, destroy, prevent authorized use or obtain anything of value.1oHowever, the CFAA, although prohibiting six types of computer abuse and providing three felonies and three misdemeanors under which a conviction may result,” applies only to computers used by the federal government and federally insured institutions or activities involving interstate computer crimes.I2 Therefore, these limitations greatly reduce the CFAA’s potential for nationwide data protection to business and personal computers. In addition, although the CFAA provides for a jail scntencc, fcw individuals have been prosecuted,13and the CFAA lacks provisions requiring financial re~tituti0n.l~
The Electronic CommunicationsPrivacy Act The Electronic Communications Privacy Act (ECPA) was a necessary update to the Omnibus Crime Control and Safe Streets Act of 1968 (OCCSSA).IS ECPA was enacted because of OCCSSA’s questionable protection of electronic mail (e-mail) and computer transactions or communications.16 Congress specifically designed ECPA to respond to the deficiencies of OCCSSA and to protect existing and future forms of aural1’ and nonwire communications.lx
182
ANNALS NEW YORK ACADEMY OF SCIENCES
Comprised of eleven sections, the ECPA combats a variety of computer abuses and privacy issues.19 ECPA is applicable to most electronic communications or transmissions, including e-mail, electronic bulletin boards, digitized textual information, and videotext.20 The Computer Security Act The Computer Security Act of 1987 (CSA) was enacted to improve the security and privacy of the information contained in the federal computer system without imposing any criminal penalties. The CSA was designed to protect against computer crime through training. In support of this goal, the federal government established the National Institute of Standards and Technology (NIST) to create government standards for effective security. The Computer Systems Security and Privacy Board was also created by the CSA and will advise the NIST on security and privacy issues relating to computers?’ The Narional Stolen Propem Act The National Stolen Property Act (NSPA) prohibits the interstate transportation of stolen property. Although an interstate theft is governed by the CFAA, an interstate theft followed by an interstate transmission is covered by NSPA.22Section 1343 of the NSPA prohibits the use of wire communications to further a fraudulent interstate scheme used to obtain property or money. Although Section 1343 regulates radio, television, and telegraph communications, its greatest impact on computer crimes is its prohibition regarding telephone lines in an illegal interstate activity. For example, a computer “hacker’s” use of a modem to illegally access another computer requires the use of a phone line to transmit the electronic impulses (data) being transferred to the hacker’s computer. If the data is then transferred to a system or bulletin board in another state, this constitutes activity prohibited by the NSPA because of its use of telephone lines.
Antivirus Acts The recent proliferation of viruses has caused increased technological and legislative concern.23 Because of the infiltration of computer viruses, a variety of legislation has been proposed; however, Congress has yet to enact any of this proposed legislation specifically designed to protect against viruses.24 A violation of this Act occurs One such proposal is the Computer Virus when a person entering a program into the computer knows or has reason to believe that the program being entered may cause loss or expense. Malicious intent is not required. Although the standard for violation is quite low and therefore has broad application possibilities, it also proposes stiff criminal penalties of up to ten years in prison. In addition, no minimum dollar amount of loss is required, and civil penalties as well as reasonable attorney’s fees and costs are available to individuals who have suffered a loss.26 The Computer Protection Act of 1989 (H.R. 287),27 another piece of proposed legislation, creates penalties for individuals who knowingly and maliciously alter software for the purpose of disabling a computer.% H.R.287, however, requires a much higher level of proof than the proposed Computer Virus Act. It requires proof
GORDON & PECHEITE IMPACTS OF TECHNOLOGIES ON LAW
183
of a willful and knowing sabotage of the computer or its associated software, causing loss of data, impaired computer operation, or other tangible loss or harm.29 Two separate bills are also presently awaiting legislative action. These bills are proposed to amend the CFAA30 and would provide the CFAA criminal and civil penalties for the knowing transmittal of a program into a system with the intention to damage or misappropriate data in the system.3’ This amendment would thereby grant the CFAA broader powers in preventing computer crimes, including the introduction of viruses. Although a variety of laws exist to protect computers from theft or damage, systems are still inadequately protected from viruses. Because of the increasing rate of infection and the present proposed laws, the near future should evidence the introduction of antivirus legislation.
PRIVACY AND CONFIDENTIALITY Invasion of privacy through interception or subsequent viewing of electronic communications are also increasing in the workplace. In addition, the reliance on computer and electronic technologics in everyday business will also bring into conflict an employee’s right to privacy with the employer’s commercial goals. Although the dangers associated with the theft, modification or destruction of information may be readily apparent, an invasion of privacy through the illegal manipulation of an electronic transmission will have the same devastating effects. The constitutional guarantee of privacy is easily breached by an illegal entry into a database or the illegal interception of an electronic communication. For example, the interception of an inter- or intraoffice e-mail containing highly sensitive information regarding a business transaction and the subsequent rerouting of this information to a different individual or group of individuals may be more harmful than the destruction of the data outright.32 Privacy in the WorkprcrCe In addition to the exposure electronic communications are potentially subjected to through illegal interceptions, employees’ electronic messages are also subjected to eavesdropping by their employers. Presently, this type of interference is essentially unregulated because employee privacy in the workplace is a new legal concept. Claims however can be raised by employees under common law actions in tort, state or federal constitutional claims or any of the bodies of federal law prohibiting computer crimes. Although employees argue for privacy in their use of e-mail, an employer may believe the ability to view such transactions is more important to the commercial activities of the business than an employee’s right to private communication.33 h a 1 Applications
Legal protection of an individual’s privacy and confidentiality in the use of computers and electronic communication is widely available. However, because of the nature of the information in question, the present state of the law may not address the damages or properly assess the value of the information.
ANNALS NEW YORK ACADEMY OF SCIENCES
184
The ECPA, for example, protects the user of electronic messages from the following intentional acts: (1) the unauthorized interception of an electronic message in transit, (2) the disclosure or use of a wrongfully intercepted message,34(3) the unauthorized access of a private electronic message in and (4) the unauthorized disclosure by a service provider of the contents of a message in transit or storage.36This protection is, however, limited by a few caveats3’ As technology advances and the abuse of computer technology and electronic communications increases, it is apparent that a greater legislative effort will be necessary. This effort should focus on a more succinct definition of abuse and illegal use of computers and electronic transmissions as well as more specific guidelines regarding privacy issues as related thereto.3* COMMERCIAL TRANSACTIONS AND TECHNOLOGY
This section will address commercial issues and the significance of computers and electronic technologies.
Uniform Commercial Code The UCC was drafted in an attempt to regulate commercial transactions. However, transactions involving computer technology or using this technology in the transaction itself do not easily fall within the parameters established by the drafters of the UCC. Although the UCC’s application to the basic contract issues of formation and interpretation in a technology transaction is relatively clear, its applicability to a software transaction or a hardware lease is not.j9 Software
The UCC defines goods as “all things (including specifically manufactured goods) which are movable at the time of identification to the contract for sale other than money in which the price is to be paid, investment securities and things in action.”40 A question that naturally arises is whether software falls within this definition of goods. The first issue is thus to define software. Software has been characterized as consisting of the developer’s concepts and ideas translated into mathematical, machine-readable language!’
Although software is physically embodied in a diskette or tape, it still remains intangible. Thus, the relevant issue is, can something lacking physical substance be “movable at the time of identification to the contract for sale” so as to qualify as a good under the UCC? If the UCC‘s applicability to software is dependent on whether it is tangible or intangible, other legal applications may be relevant. However, because of treatment of software as both intangible42 and tangible? by different areas of the law, these other applications do not give the desired guidance. Thus, although the courts have wrestled with the question of whether software is or is not intangible, they have not reached a definitive conclusion regarding how software’s intangibility is reconciled with the definition of goods under Section 2 of the UCC. This issue has been skirted and in part resolved by focusing on software’s physical embodiment in a tangible medium,& thereby directing attention away from the definition of goods and towards the more disputed issue of licensing.
GORDON & PECHETTE IMPACTS OF TECHNOLOGIES ON LAW
185
Licensing and Leasing under the UCC It is obvious that hardware falls within the definition of goods; however, the leasing of equipment or licensing of software raises significant questions regarding the UCC’s definition of sale. Hardware. There are generally two ways in which to acquire computer hardware: purchasing outright or leasing. Because the purchase of hardware may have tax implications, or allow for the use of state-of-the-art equipment without a large capital outlay$’ it appears to be the preferred method of hardware acquisition. S o w a r e . Software is proprietary in nature, and in order to protect the original expression contained in the software,46the vendor will often license the software The impetus for licensing is that although it may have instead of selling it o~tright.~’ cost thousands of dollars to develop the software, it is relatively quick and inexpensive to make an exact It is therefore desirable for the developer or distributor to use a license. UCC application. Although leasing and licensing may be the best means by which to obtain or ‘‘sell’’ a system, equipment leases or software licenses are not actual sales. Therefore, will the UCC purchaser protections apply to these transactions? Whereas the introductory section of the UCC does apply Article 2 to transactions in goods, other sections apply only to the sale of goods.49This distinction does not however appear to be insurmountable. Courts have held the UCC applicable to short-term leases and software transactions absent the transfer of titles5” Statute of Frauds
The previous section addressed whether or not transactions for the purchase of software and hardware are governed by the UCC. This section will also discuss software and hardware in the light of business transactions, but will focus on the use of technology in the transaction. Commercial transactions have been traditionally regulated by laws, which require under certain circumstances that these transactions must be “written” or “signed” in order to be effective. However, the use of computer and electronic communications for transacting business has created a new genre of problems regarding these requirements. Individuals may now transact business using e-mail, electronic data interchange (EDI) or faxcs. For example, an offer to purchase is faxed to a party, and after a few modifications conducted through e-mail, the transaction is closed and the fax is signed and forwarded to the other party. Although an expeditious method of conducting business, will thc signed fax satisfy the writing requirement of the Statutc of Frauds, and are electronic messages “written” as required by the Statute of Frauds?
Traditional Requirements All states, with the exception of Louisiana, have adopted UCC 52-201(1) requiring that any contract for the sale of goods for a price of $500 or more must have some writing sufficient to indicate that a contract for sale has been made between the parties and signed by the parties. The statute generally denies coverage to those contracts that fall within its requirements but that are not supported by a signed writing. Thus, can the traditional legal requirements be harmonized with the latest technology?
ANNALS NEW YORK ACADEMY OF SCIENCES
186
Technology under the Statute of Frauds
Several cases have discussed the relevance of communication by fax in a commercial dispute; however, none has ruled directly on the necessity of a writing pursuant to the Statute of Frauds. Case law has held that faxes were writings under UCC 52-201 and under 9 U.S.C. $2 regarding federal arbitration writing requirem e n t ~ . In ~ ’ addition, telex, telegram, and mailgram have all been considered writings and satisfy the Statute of Frauds.52 Whether or not an electronic communication satisfies the Statute of Frauds has yet to be determined; however, decisions in other areas of the technology appear to support the conclusion that a recorded electronic message bearing some type of code or symbol intended as a party’s signature is written and signed. There remains, however, a debate over what standards should be used to determine the sufficiency of the message and whether or not it creates a legally binding contractual re1ation~hip.s~ Battle of the Fonns Traditional Doctrines
Traditional common law followed the “mirror image” rule and the “last shot” doctrine.s4 Under common law, an offer and acceptance must be mirror images of one another for a contract to be formed under traditional common law. According to the mirror image rule, if both parties perform, but the offer and acceptance or any number of counteroffers and acceptance do not match perfectly, the party who fires the last shot usually wins; that is, the most recent counteroffer is presumed to have been accepted and will govern the contract requirement^.^^ Battle of the Forms and the UCC
The drafters of the UCC have modified these traditional doctrines by providing that a definite and reasonable expression of acceptance, or a written confirmation sent within a reasonable time, will operate as an acceptance, despite the existence of different terms from those offered or agreed upon. If the conduct of the parties reflects acknowledgment of a contract, this conduct is generally sufficient to establish the formation of the contract even though the writings do not in and of themselves establish such a contract. In these cases, the terms of the contract consist of those terms upon which the writings agree, together with any supplementary terms incorporated under any other provision of the UCC.56 If the terms of an offer differ from the terms of acceptance or if any offer is followed by one or any number of counteroffers, UCC 12-207 governs which terms will be considered part of the contract?’ As Section 2-207(2) states: The additional terms are to be construed as proposals for additions to the contract. Between merchants such terms become part of the contract unless: (a) the offer expressly limits acceptance to the terms of the offer; (b) they materially alter it; or (c) notification of objection to them has already been given or is given within a reasonable time after notice of them is received.s8
Technology Transactions
In theory, the battle of the forms doctrine is applicable to electronic trading or transacting in the same manner as paper transactions. The difference is that
GORDON & PECHE'ITE IMPACTS OF TECHNOLOGIES ON LAW
187
information is traded electronically, as opposed to trading paper through the postal service. However, in practice electronic communications dramatically alter the dynamics of a battle of forms. For example, a buyer may fax a form purchase order to a seller. The buyer faxes only the front side of the form. When a dispute later arises, the question is whether or not the seller is bound by the terms on the back side of the form. If, however, the form had been sent by mail, this question would have never arisen.s9 This problem is, however, more acute with the use of EDI. ED1 uses specific codes or message structures that are agreed upon prior to the transaction. Because these codes are designed to be machine readable, and not written to be readable by humans, attempts to negotiate the terms and conditions of a transaction are difficult. In fact, most ED1 users are not inclined to communicate contract terms and conditions electronically.m This problem can, however, be controlled by the use of standard terms and conditions or by entering into a standard agreement.61
CONCLUSION
Technological advances have occurred at lightning speed; however, the laws necessary to protect these technological gains have not kept pace. Because of the necessity of advanced computer and electronic communications in everyday life, users must be aware of the laws available to protect them, as well as the deficiencies in these laws.
ACKNOWLEDGMENTS
The authors wish to gratefully express their appreciation to Cristen L. Kogl, an associate with Gordon & Glickson P.C., who made several contributions to this article. NOTES AND REFERENCES 1.
2.
3.
4.
5. 6. 7. 8. 9. 10.
Electronic communications include any transmission or communication between computers; for example, electronic messaging or electronic mail (e-mail), electronic bulletin boards, and videotext. Computer Transactions and Uniform Commercial Code Article 2A: Does 2A Fit? 1991. IV Software L. J. 493, 457. [hereinafter Does 2A Fit]; see also BERNACCHI, FRANK & STATLAND. 1986. Bernacchi on Computer Law: A Guide to the Legal and Management Aspects of Computer Technology 2-1. The Misuse of Electronically Transferred Confidential Information in Interstate Commerce: How Well Do Our Present Laws Address the Issues? 1991. IV Software L. J. 529,533 [hereinafter The Misuse]; see also SOMA& YOUNG.1984. Confidential Communications and Information in a Computer Era, 12 Hofstra L. Rev. 849,851. WILSON,Viewing Computer Crime: Where Does the Systems Error Really Exist? 1991. XI Comp./L. 3,265,271 [hereinafter Viewing Computer Crime]. 18 U.S.C. $1030 (1986). 18 U.S.C. $52510-21 (1988). 40 U.S.C. $759 (1987). 18 U.S.C. $5 2314 and 1343 (1988). The Misuse at 549. GILBERT, 1991. Breach of System Security and Theft of Data: Legal Aspects and Preventive Measures [hereinafter Breach of System Security]. This article was written
188
11.
12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26.
27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37.
ANNALS NEW YORK ACADEMY OF SCIENCES by Franqoise Gilbert, a partner with Gordon & Glickson P.C., Chicago, Illinois, in connection with a lecture given at SECURICOM 91, the Ninth International Congress on Computer and Communications Security and Protection, in Paris. For complete text, contact Mark Gordon, Esq., an author of present paper. CHEN,1990. Computer Crime and the Computer Fraud and Abuse Act of 1986, C0mp.l L. J. 71,77 [hereinafter Computer Fraud and Abuse Act]. The CFAA consists of six sections. These sections respectively prohibit: (a)(l) knowing unauthorized access to obtain information deemed restrictive by virtue of Executive Order for national security purposes; (a)(2) intentional unauthorized access to financial institute or consumer reporting agency files; (a)(3) intentional unauthorized access to any government computer which affects the government’s operation of the same; (a)(4) knowingly accessing a “Federal interest” computer with the intent to defraud and obtain anything of value in excess of the use of the computer itself; (a)(5) intentional unauthorized access of a “Federal interest” computer whereby such conduct alters, damages, destroys information therein, or prevents authorized use; and (a)(6) knowingly trafficking passwords or similar information with the intent to defraud provided such trafficking affects interstate/foreign commerce or such computer is used by or for the federal government. Pub. L. No. 99474, 5 2(e)-(c); 100 stat. 1213, 1213-14 (1986); Viewing Computer Crime at 272. Breach of System Security at 5. Id. Viewing Computer Crime at 271. 18 U.S.C. 5 2510 (1988). The Electronic Communications Privacy Act of 1986: The Impact on Software Communication Technologies. 1988.11 Software L. J. 243 [hereinafter The ECPAJ. Aural transfer is a transfer containing the human voice at any point between and including the point of origination and the point of reception. 18 U.S.C. 52511(1)(a) (1988). The ECPA at 248-249. Although the ECPA is comprised of eleven sections, the first three sections, $5 2510,25 11, 2512, are the most relevant to its protection against computer crimes. The remaining eight are relevant to electronic communications and information transfers. Although the ECPA is more focused on protecting electronic transmissions, because of the nature of office technology, any transmission between computers or databases are governed by the ECPA regulations. Viewing Computer Crime at 273. Breach of System Security at 6; Viewing Computer Crime at 274-275. The Misuse at 550. The recent panic over the Michaelangelo virus is but a symptom of this pervasive concern. Illinois, along with other states have, however, enacted an antivirus statute. H.R. 55, lOlst Congress, 1st session. & GROSSMAN, 1990. Destructive Computer Programs: Legal Recourse and The GORDON Protection of Computer Access Rights. Scientific Computing & Automation April 43, 47 [hereinafter Destructive Computer Programs]; see also, Breach of System Security at 6-7. H.R. 287, lOlst Congress, 1st session. Destructive Computer Programs at 49; Breach of System Security at 7. Id. at 49. Breach of System Security at 7. Id. at 7. The Monitoring of Electronic Mail in the Private Sector Workplace: An Electronic Assault on Employee Privacy Rights. 1991. IV Software L. J., 493. Id. 18 U.S.C. 5 2511(1) (1988). 18 U.S.C. 5 2701 (1988). 18 U.S.C. $5 2511(3)(a), 2702 (1988). The ECPA may not cover long-term archives, it will govern a service provider’s intentional wrongdoing, but not negligence, and applies only to public service providers. In
GORDON & PECHEITE IMPACTS OF TECHNOLOGIES ON LAW
38. 39. 40. 41. 42. 43.
44. 45. 46. 47.
48. 49. 50.
51. 52. 53. 54. 55. 56. 57. 58. 59. 60. 61.
189
addition, a service provider may disclose to private parties information regarding customers, excluding however the contents of any message. WRIGHT,1991. The Law of Electronic Commerce EDI, Fax and e-Mail: Technology, Proof and Liability, 383 (hereinafter Law of Electronic Commerce]; see also The Monitoring of Electronic Mail. This trend has already been evidenced by the number of recent legislative proposals aimed at the protection of computer systems and the data contained therein. See Breach of System Security at 6 7 . GORDON,1986. Computer Software: Contracting for Development and Distribution 83 [hereinafter Computer Software]. U.C.C. 12-105(1). Computer Software at 84. Id. at 85; see District of Columbia v. Universal Computer Assocs., 465 F.2d 615 (D.C. Cir. 1977). Id. at 85; see Rev. Proc. 69-21,1969-2 C.B. 303. Rev. Rul. 71-77, 1971-1C.B. 5 . Id. at 85-86. Does 2A Fit at 470. Under the United States Copyright Act of 1976, software that is an original work is considered a computer program for which copyright protection may exist. 17 U.S.C. 101 etseq. (1991). Software is generally licensed rather than sold to preserve the copyright owner’s exclusive rights of distribution and transfer. Unintentional transfer by sale may result in the loss of the copyright to the “computer program”: Does 2A Fit at 469; Computer Software at 70. Does 2A Fit at 469. Id. at 86, svealso U.C.C. 11 2-312 to 2-315. Id. at 86-88; see Hertz Commercial Leasing Cop. v. Transportation Credit Clearing House, Inc., 298 N.Y. 2d 392 (1969). rev’d on othergrounds, 64 Misc. 2d 910,316 N.Y.S. 2d 585 (1970), Chatlos Sys. Inc. v. National Cash Register Cop..479 F. Supp. 738 (D.N.J.), r e v 2 in part and remandedon othergrounds, 604 F.2d 737 (3rd Cir. 1979).affd. 670 F.2d 1304 (3rd Cir. 1982); cert. dis. 457 U.S. 1112. Law of Electronic Commerce at 287-288. Id. at 284-287. Id. at 289-294. Id. at 118, see also GROGAN,1985. Winning the Battle of the Forms in Product Distribution. The Comp. Law, Nov. at 8. Computer Software at 118. Id. Computer Software at 118. Id. at 119. Law of Electronic Commerce at 320; see American Multimedia. Inc. Y. Dolton Packaging Inc., 143 Misc. 2d 295,540 N.Y.S. 2d 410 (Sup. Ct. 1989). Law of Electronic Commerce at 321. The ABA has established Model Approaches, governing the issue of ED1 transactions; see Section 3.1 of the ABA Model ED1 Trading Partner Agreement which provides optional approaches to trade terms and conditions (TTCs). For example, (1) the TTCs will be those specified in the agreement’s appendix; (2) the TTCs will be those printed on each party’s respective standard form documents, copies of which are attached to the agreement and these terms control even though they may be inconsistent with each other; or (3) the TTCs will be the default provisions provided by law, just as if there were no trading partner agreement or other understanding on the TTCs.
GORDON & PECHEITE IMPACTS OF TECHNOLDGIES ON LAW
181
The transfer or modification of information can be accomplished by any individual who, with the aid of a computer and a modem, is able to access a database. If the transfer is legal, the individual merely inputs the code or password and is able to easily access the desired data. However, if the individual is attempting to access the system illegally, before the data can be accessed, that individual must break the mathematical codes used to protect the system, much in the same manner as a burglar would break into a safe.3 Because of the ease of such “burglaries” or tamperings from remote locations and the sensitivity of the information contained in any number of databases worldwide, the federal government has developed and instituted laws governing the illegal entry, use and modification of information contained in databases or electronic communications. Presently, the federal approach to computer protection consists of three laws specifically enacted to prohibit illegal activities involving These laws are the Computer Fraud and computers or electronic tran~mission.~ Abuse Act,.’ the Electronic Communications and Privacy Act: and the Computer Security Act.’ Certain sections of the National Stolen Property Act,8 although not specifically designed to protect against unauthorized or illegal computer uses, prohibit the interstate transmission of stolen information via telephone lines, thereby governing certain illegal data t r a n ~ f e rAntivirus .~ acts have also been proposed to prohibit and protect computers against the use of programs that destroy or modify data. Although not yet law, these proposals evidence the future of legislation on computer viruses.
The ComputerFraud and Abuse Act The Counterfeit Device and Computer Fraud and Abuse Act of 1984 (CFAA), amended in 1986, was the first piece of legislation, at the federal level, specifically written to deter and punish individuals involved in computer crimes. The CFAA prohibits access to computers containing information relating to foreign relations and national defenses, if the information obtained was to be used to the endangerment or detriment of the United States or any other country. In addition, it also prohibits access to a federal computer if such access is to alter, destroy, prevent authorized use or obtain anything of value.1oHowever, the CFAA, although prohibiting six types of computer abuse and providing three felonies and three misdemeanors under which a conviction may result,” applies only to computers used by the federal government and federally insured institutions or activities involving interstate computer crimes.I2 Therefore, these limitations greatly reduce the CFAA’s potential for nationwide data protection to business and personal computers. In addition, although the CFAA provides for a jail scntencc, fcw individuals have been prosecuted,13and the CFAA lacks provisions requiring financial re~tituti0n.l~
The Electronic CommunicationsPrivacy Act The Electronic Communications Privacy Act (ECPA) was a necessary update to the Omnibus Crime Control and Safe Streets Act of 1968 (OCCSSA).IS ECPA was enacted because of OCCSSA’s questionable protection of electronic mail (e-mail) and computer transactions or communications.16 Congress specifically designed ECPA to respond to the deficiencies of OCCSSA and to protect existing and future forms of aural1’ and nonwire communications.lx
182
ANNALS NEW YORK ACADEMY OF SCIENCES
Comprised of eleven sections, the ECPA combats a variety of computer abuses and privacy issues.19 ECPA is applicable to most electronic communications or transmissions, including e-mail, electronic bulletin boards, digitized textual information, and videotext.20 The Computer Security Act The Computer Security Act of 1987 (CSA) was enacted to improve the security and privacy of the information contained in the federal computer system without imposing any criminal penalties. The CSA was designed to protect against computer crime through training. In support of this goal, the federal government established the National Institute of Standards and Technology (NIST) to create government standards for effective security. The Computer Systems Security and Privacy Board was also created by the CSA and will advise the NIST on security and privacy issues relating to computers?’ The Narional Stolen Propem Act The National Stolen Property Act (NSPA) prohibits the interstate transportation of stolen property. Although an interstate theft is governed by the CFAA, an interstate theft followed by an interstate transmission is covered by NSPA.22Section 1343 of the NSPA prohibits the use of wire communications to further a fraudulent interstate scheme used to obtain property or money. Although Section 1343 regulates radio, television, and telegraph communications, its greatest impact on computer crimes is its prohibition regarding telephone lines in an illegal interstate activity. For example, a computer “hacker’s” use of a modem to illegally access another computer requires the use of a phone line to transmit the electronic impulses (data) being transferred to the hacker’s computer. If the data is then transferred to a system or bulletin board in another state, this constitutes activity prohibited by the NSPA because of its use of telephone lines.
Antivirus Acts The recent proliferation of viruses has caused increased technological and legislative concern.23 Because of the infiltration of computer viruses, a variety of legislation has been proposed; however, Congress has yet to enact any of this proposed legislation specifically designed to protect against viruses.24 A violation of this Act occurs One such proposal is the Computer Virus when a person entering a program into the computer knows or has reason to believe that the program being entered may cause loss or expense. Malicious intent is not required. Although the standard for violation is quite low and therefore has broad application possibilities, it also proposes stiff criminal penalties of up to ten years in prison. In addition, no minimum dollar amount of loss is required, and civil penalties as well as reasonable attorney’s fees and costs are available to individuals who have suffered a loss.26 The Computer Protection Act of 1989 (H.R. 287),27 another piece of proposed legislation, creates penalties for individuals who knowingly and maliciously alter software for the purpose of disabling a computer.% H.R.287, however, requires a much higher level of proof than the proposed Computer Virus Act. It requires proof
GORDON & PECHEITE IMPACTS OF TECHNOLOGIES ON LAW
183
of a willful and knowing sabotage of the computer or its associated software, causing loss of data, impaired computer operation, or other tangible loss or harm.29 Two separate bills are also presently awaiting legislative action. These bills are proposed to amend the CFAA30 and would provide the CFAA criminal and civil penalties for the knowing transmittal of a program into a system with the intention to damage or misappropriate data in the system.3’ This amendment would thereby grant the CFAA broader powers in preventing computer crimes, including the introduction of viruses. Although a variety of laws exist to protect computers from theft or damage, systems are still inadequately protected from viruses. Because of the increasing rate of infection and the present proposed laws, the near future should evidence the introduction of antivirus legislation.
PRIVACY AND CONFIDENTIALITY Invasion of privacy through interception or subsequent viewing of electronic communications are also increasing in the workplace. In addition, the reliance on computer and electronic technologics in everyday business will also bring into conflict an employee’s right to privacy with the employer’s commercial goals. Although the dangers associated with the theft, modification or destruction of information may be readily apparent, an invasion of privacy through the illegal manipulation of an electronic transmission will have the same devastating effects. The constitutional guarantee of privacy is easily breached by an illegal entry into a database or the illegal interception of an electronic communication. For example, the interception of an inter- or intraoffice e-mail containing highly sensitive information regarding a business transaction and the subsequent rerouting of this information to a different individual or group of individuals may be more harmful than the destruction of the data outright.32 Privacy in the WorkprcrCe In addition to the exposure electronic communications are potentially subjected to through illegal interceptions, employees’ electronic messages are also subjected to eavesdropping by their employers. Presently, this type of interference is essentially unregulated because employee privacy in the workplace is a new legal concept. Claims however can be raised by employees under common law actions in tort, state or federal constitutional claims or any of the bodies of federal law prohibiting computer crimes. Although employees argue for privacy in their use of e-mail, an employer may believe the ability to view such transactions is more important to the commercial activities of the business than an employee’s right to private communication.33 h a 1 Applications
Legal protection of an individual’s privacy and confidentiality in the use of computers and electronic communication is widely available. However, because of the nature of the information in question, the present state of the law may not address the damages or properly assess the value of the information.
ANNALS NEW YORK ACADEMY OF SCIENCES
184
The ECPA, for example, protects the user of electronic messages from the following intentional acts: (1) the unauthorized interception of an electronic message in transit, (2) the disclosure or use of a wrongfully intercepted message,34(3) the unauthorized access of a private electronic message in and (4) the unauthorized disclosure by a service provider of the contents of a message in transit or storage.36This protection is, however, limited by a few caveats3’ As technology advances and the abuse of computer technology and electronic communications increases, it is apparent that a greater legislative effort will be necessary. This effort should focus on a more succinct definition of abuse and illegal use of computers and electronic transmissions as well as more specific guidelines regarding privacy issues as related thereto.3* COMMERCIAL TRANSACTIONS AND TECHNOLOGY
This section will address commercial issues and the significance of computers and electronic technologies.
Uniform Commercial Code The UCC was drafted in an attempt to regulate commercial transactions. However, transactions involving computer technology or using this technology in the transaction itself do not easily fall within the parameters established by the drafters of the UCC. Although the UCC’s application to the basic contract issues of formation and interpretation in a technology transaction is relatively clear, its applicability to a software transaction or a hardware lease is not.j9 Software
The UCC defines goods as “all things (including specifically manufactured goods) which are movable at the time of identification to the contract for sale other than money in which the price is to be paid, investment securities and things in action.”40 A question that naturally arises is whether software falls within this definition of goods. The first issue is thus to define software. Software has been characterized as consisting of the developer’s concepts and ideas translated into mathematical, machine-readable language!’
Although software is physically embodied in a diskette or tape, it still remains intangible. Thus, the relevant issue is, can something lacking physical substance be “movable at the time of identification to the contract for sale” so as to qualify as a good under the UCC? If the UCC‘s applicability to software is dependent on whether it is tangible or intangible, other legal applications may be relevant. However, because of treatment of software as both intangible42 and tangible? by different areas of the law, these other applications do not give the desired guidance. Thus, although the courts have wrestled with the question of whether software is or is not intangible, they have not reached a definitive conclusion regarding how software’s intangibility is reconciled with the definition of goods under Section 2 of the UCC. This issue has been skirted and in part resolved by focusing on software’s physical embodiment in a tangible medium,& thereby directing attention away from the definition of goods and towards the more disputed issue of licensing.
GORDON & PECHETTE IMPACTS OF TECHNOLOGIES ON LAW
185
Licensing and Leasing under the UCC It is obvious that hardware falls within the definition of goods; however, the leasing of equipment or licensing of software raises significant questions regarding the UCC’s definition of sale. Hardware. There are generally two ways in which to acquire computer hardware: purchasing outright or leasing. Because the purchase of hardware may have tax implications, or allow for the use of state-of-the-art equipment without a large capital outlay$’ it appears to be the preferred method of hardware acquisition. S o w a r e . Software is proprietary in nature, and in order to protect the original expression contained in the software,46the vendor will often license the software The impetus for licensing is that although it may have instead of selling it o~tright.~’ cost thousands of dollars to develop the software, it is relatively quick and inexpensive to make an exact It is therefore desirable for the developer or distributor to use a license. UCC application. Although leasing and licensing may be the best means by which to obtain or ‘‘sell’’ a system, equipment leases or software licenses are not actual sales. Therefore, will the UCC purchaser protections apply to these transactions? Whereas the introductory section of the UCC does apply Article 2 to transactions in goods, other sections apply only to the sale of goods.49This distinction does not however appear to be insurmountable. Courts have held the UCC applicable to short-term leases and software transactions absent the transfer of titles5” Statute of Frauds
The previous section addressed whether or not transactions for the purchase of software and hardware are governed by the UCC. This section will also discuss software and hardware in the light of business transactions, but will focus on the use of technology in the transaction. Commercial transactions have been traditionally regulated by laws, which require under certain circumstances that these transactions must be “written” or “signed” in order to be effective. However, the use of computer and electronic communications for transacting business has created a new genre of problems regarding these requirements. Individuals may now transact business using e-mail, electronic data interchange (EDI) or faxcs. For example, an offer to purchase is faxed to a party, and after a few modifications conducted through e-mail, the transaction is closed and the fax is signed and forwarded to the other party. Although an expeditious method of conducting business, will thc signed fax satisfy the writing requirement of the Statutc of Frauds, and are electronic messages “written” as required by the Statute of Frauds?
Traditional Requirements All states, with the exception of Louisiana, have adopted UCC 52-201(1) requiring that any contract for the sale of goods for a price of $500 or more must have some writing sufficient to indicate that a contract for sale has been made between the parties and signed by the parties. The statute generally denies coverage to those contracts that fall within its requirements but that are not supported by a signed writing. Thus, can the traditional legal requirements be harmonized with the latest technology?
ANNALS NEW YORK ACADEMY OF SCIENCES
186
Technology under the Statute of Frauds
Several cases have discussed the relevance of communication by fax in a commercial dispute; however, none has ruled directly on the necessity of a writing pursuant to the Statute of Frauds. Case law has held that faxes were writings under UCC 52-201 and under 9 U.S.C. $2 regarding federal arbitration writing requirem e n t ~ . In ~ ’ addition, telex, telegram, and mailgram have all been considered writings and satisfy the Statute of Frauds.52 Whether or not an electronic communication satisfies the Statute of Frauds has yet to be determined; however, decisions in other areas of the technology appear to support the conclusion that a recorded electronic message bearing some type of code or symbol intended as a party’s signature is written and signed. There remains, however, a debate over what standards should be used to determine the sufficiency of the message and whether or not it creates a legally binding contractual re1ation~hip.s~ Battle of the Fonns Traditional Doctrines
Traditional common law followed the “mirror image” rule and the “last shot” doctrine.s4 Under common law, an offer and acceptance must be mirror images of one another for a contract to be formed under traditional common law. According to the mirror image rule, if both parties perform, but the offer and acceptance or any number of counteroffers and acceptance do not match perfectly, the party who fires the last shot usually wins; that is, the most recent counteroffer is presumed to have been accepted and will govern the contract requirement^.^^ Battle of the Forms and the UCC
The drafters of the UCC have modified these traditional doctrines by providing that a definite and reasonable expression of acceptance, or a written confirmation sent within a reasonable time, will operate as an acceptance, despite the existence of different terms from those offered or agreed upon. If the conduct of the parties reflects acknowledgment of a contract, this conduct is generally sufficient to establish the formation of the contract even though the writings do not in and of themselves establish such a contract. In these cases, the terms of the contract consist of those terms upon which the writings agree, together with any supplementary terms incorporated under any other provision of the UCC.56 If the terms of an offer differ from the terms of acceptance or if any offer is followed by one or any number of counteroffers, UCC 12-207 governs which terms will be considered part of the contract?’ As Section 2-207(2) states: The additional terms are to be construed as proposals for additions to the contract. Between merchants such terms become part of the contract unless: (a) the offer expressly limits acceptance to the terms of the offer; (b) they materially alter it; or (c) notification of objection to them has already been given or is given within a reasonable time after notice of them is received.s8
Technology Transactions
In theory, the battle of the forms doctrine is applicable to electronic trading or transacting in the same manner as paper transactions. The difference is that
GORDON & PECHE'ITE IMPACTS OF TECHNOLOGIES ON LAW
187
information is traded electronically, as opposed to trading paper through the postal service. However, in practice electronic communications dramatically alter the dynamics of a battle of forms. For example, a buyer may fax a form purchase order to a seller. The buyer faxes only the front side of the form. When a dispute later arises, the question is whether or not the seller is bound by the terms on the back side of the form. If, however, the form had been sent by mail, this question would have never arisen.s9 This problem is, however, more acute with the use of EDI. ED1 uses specific codes or message structures that are agreed upon prior to the transaction. Because these codes are designed to be machine readable, and not written to be readable by humans, attempts to negotiate the terms and conditions of a transaction are difficult. In fact, most ED1 users are not inclined to communicate contract terms and conditions electronically.m This problem can, however, be controlled by the use of standard terms and conditions or by entering into a standard agreement.61
CONCLUSION
Technological advances have occurred at lightning speed; however, the laws necessary to protect these technological gains have not kept pace. Because of the necessity of advanced computer and electronic communications in everyday life, users must be aware of the laws available to protect them, as well as the deficiencies in these laws.
ACKNOWLEDGMENTS
The authors wish to gratefully express their appreciation to Cristen L. Kogl, an associate with Gordon & Glickson P.C., who made several contributions to this article. NOTES AND REFERENCES 1.
2.
3.
4.
5. 6. 7. 8. 9. 10.
Electronic communications include any transmission or communication between computers; for example, electronic messaging or electronic mail (e-mail), electronic bulletin boards, and videotext. Computer Transactions and Uniform Commercial Code Article 2A: Does 2A Fit? 1991. IV Software L. J. 493, 457. [hereinafter Does 2A Fit]; see also BERNACCHI, FRANK & STATLAND. 1986. Bernacchi on Computer Law: A Guide to the Legal and Management Aspects of Computer Technology 2-1. The Misuse of Electronically Transferred Confidential Information in Interstate Commerce: How Well Do Our Present Laws Address the Issues? 1991. IV Software L. J. 529,533 [hereinafter The Misuse]; see also SOMA& YOUNG.1984. Confidential Communications and Information in a Computer Era, 12 Hofstra L. Rev. 849,851. WILSON,Viewing Computer Crime: Where Does the Systems Error Really Exist? 1991. XI Comp./L. 3,265,271 [hereinafter Viewing Computer Crime]. 18 U.S.C. $1030 (1986). 18 U.S.C. $52510-21 (1988). 40 U.S.C. $759 (1987). 18 U.S.C. $5 2314 and 1343 (1988). The Misuse at 549. GILBERT, 1991. Breach of System Security and Theft of Data: Legal Aspects and Preventive Measures [hereinafter Breach of System Security]. This article was written
188
11.
12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26.
27. 28. 29. 30. 31. 32. 33. 34. 35. 36. 37.
ANNALS NEW YORK ACADEMY OF SCIENCES by Franqoise Gilbert, a partner with Gordon & Glickson P.C., Chicago, Illinois, in connection with a lecture given at SECURICOM 91, the Ninth International Congress on Computer and Communications Security and Protection, in Paris. For complete text, contact Mark Gordon, Esq., an author of present paper. CHEN,1990. Computer Crime and the Computer Fraud and Abuse Act of 1986, C0mp.l L. J. 71,77 [hereinafter Computer Fraud and Abuse Act]. The CFAA consists of six sections. These sections respectively prohibit: (a)(l) knowing unauthorized access to obtain information deemed restrictive by virtue of Executive Order for national security purposes; (a)(2) intentional unauthorized access to financial institute or consumer reporting agency files; (a)(3) intentional unauthorized access to any government computer which affects the government’s operation of the same; (a)(4) knowingly accessing a “Federal interest” computer with the intent to defraud and obtain anything of value in excess of the use of the computer itself; (a)(5) intentional unauthorized access of a “Federal interest” computer whereby such conduct alters, damages, destroys information therein, or prevents authorized use; and (a)(6) knowingly trafficking passwords or similar information with the intent to defraud provided such trafficking affects interstate/foreign commerce or such computer is used by or for the federal government. Pub. L. No. 99474, 5 2(e)-(c); 100 stat. 1213, 1213-14 (1986); Viewing Computer Crime at 272. Breach of System Security at 5. Id. Viewing Computer Crime at 271. 18 U.S.C. 5 2510 (1988). The Electronic Communications Privacy Act of 1986: The Impact on Software Communication Technologies. 1988.11 Software L. J. 243 [hereinafter The ECPAJ. Aural transfer is a transfer containing the human voice at any point between and including the point of origination and the point of reception. 18 U.S.C. 52511(1)(a) (1988). The ECPA at 248-249. Although the ECPA is comprised of eleven sections, the first three sections, $5 2510,25 11, 2512, are the most relevant to its protection against computer crimes. The remaining eight are relevant to electronic communications and information transfers. Although the ECPA is more focused on protecting electronic transmissions, because of the nature of office technology, any transmission between computers or databases are governed by the ECPA regulations. Viewing Computer Crime at 273. Breach of System Security at 6; Viewing Computer Crime at 274-275. The Misuse at 550. The recent panic over the Michaelangelo virus is but a symptom of this pervasive concern. Illinois, along with other states have, however, enacted an antivirus statute. H.R. 55, lOlst Congress, 1st session. & GROSSMAN, 1990. Destructive Computer Programs: Legal Recourse and The GORDON Protection of Computer Access Rights. Scientific Computing & Automation April 43, 47 [hereinafter Destructive Computer Programs]; see also, Breach of System Security at 6-7. H.R. 287, lOlst Congress, 1st session. Destructive Computer Programs at 49; Breach of System Security at 7. Id. at 49. Breach of System Security at 7. Id. at 7. The Monitoring of Electronic Mail in the Private Sector Workplace: An Electronic Assault on Employee Privacy Rights. 1991. IV Software L. J., 493. Id. 18 U.S.C. 5 2511(1) (1988). 18 U.S.C. 5 2701 (1988). 18 U.S.C. $5 2511(3)(a), 2702 (1988). The ECPA may not cover long-term archives, it will govern a service provider’s intentional wrongdoing, but not negligence, and applies only to public service providers. In
GORDON & PECHEITE IMPACTS OF TECHNOLOGIES ON LAW
38. 39. 40. 41. 42. 43.
44. 45. 46. 47.
48. 49. 50.
51. 52. 53. 54. 55. 56. 57. 58. 59. 60. 61.
189
addition, a service provider may disclose to private parties information regarding customers, excluding however the contents of any message. WRIGHT,1991. The Law of Electronic Commerce EDI, Fax and e-Mail: Technology, Proof and Liability, 383 (hereinafter Law of Electronic Commerce]; see also The Monitoring of Electronic Mail. This trend has already been evidenced by the number of recent legislative proposals aimed at the protection of computer systems and the data contained therein. See Breach of System Security at 6 7 . GORDON,1986. Computer Software: Contracting for Development and Distribution 83 [hereinafter Computer Software]. U.C.C. 12-105(1). Computer Software at 84. Id. at 85; see District of Columbia v. Universal Computer Assocs., 465 F.2d 615 (D.C. Cir. 1977). Id. at 85; see Rev. Proc. 69-21,1969-2 C.B. 303. Rev. Rul. 71-77, 1971-1C.B. 5 . Id. at 85-86. Does 2A Fit at 470. Under the United States Copyright Act of 1976, software that is an original work is considered a computer program for which copyright protection may exist. 17 U.S.C. 101 etseq. (1991). Software is generally licensed rather than sold to preserve the copyright owner’s exclusive rights of distribution and transfer. Unintentional transfer by sale may result in the loss of the copyright to the “computer program”: Does 2A Fit at 469; Computer Software at 70. Does 2A Fit at 469. Id. at 86, svealso U.C.C. 11 2-312 to 2-315. Id. at 86-88; see Hertz Commercial Leasing Cop. v. Transportation Credit Clearing House, Inc., 298 N.Y. 2d 392 (1969). rev’d on othergrounds, 64 Misc. 2d 910,316 N.Y.S. 2d 585 (1970), Chatlos Sys. Inc. v. National Cash Register Cop..479 F. Supp. 738 (D.N.J.), r e v 2 in part and remandedon othergrounds, 604 F.2d 737 (3rd Cir. 1979).affd. 670 F.2d 1304 (3rd Cir. 1982); cert. dis. 457 U.S. 1112. Law of Electronic Commerce at 287-288. Id. at 284-287. Id. at 289-294. Id. at 118, see also GROGAN,1985. Winning the Battle of the Forms in Product Distribution. The Comp. Law, Nov. at 8. Computer Software at 118. Id. Computer Software at 118. Id. at 119. Law of Electronic Commerce at 320; see American Multimedia. Inc. Y. Dolton Packaging Inc., 143 Misc. 2d 295,540 N.Y.S. 2d 410 (Sup. Ct. 1989). Law of Electronic Commerce at 321. The ABA has established Model Approaches, governing the issue of ED1 transactions; see Section 3.1 of the ABA Model ED1 Trading Partner Agreement which provides optional approaches to trade terms and conditions (TTCs). For example, (1) the TTCs will be those specified in the agreement’s appendix; (2) the TTCs will be those printed on each party’s respective standard form documents, copies of which are attached to the agreement and these terms control even though they may be inconsistent with each other; or (3) the TTCs will be the default provisions provided by law, just as if there were no trading partner agreement or other understanding on the TTCs.
