Worst Internet Laws
I want a little credit for finding four laws that I could say something good about. It wasn’t easy. In contrast, the list of bad laws is much longer, so I limited myself to 10.
What makes a law "bad?" Unfortunately, there are many routes to ignominy, and mere legislative cluelessness isn’t sufficient. Some common themes: poor/ambiguous drafting, unintended consequences, justification bait-and-switch (publicly declaring that the law was intended to accomplish a goal it was never designed to do), and attempts to legislatively manufacture markets or change consumer behavior.
The dishonor roll:
E-Sign generally says that online contracts are not denied enforcement simply because they are in electronic form rather than on paper. Superficially, this sounds positive because it stops courts from underenforcing electronic contracts or overreacting to new communication technologies. The problem? This law was unnecessary. Although there was a little concern that some states would enact a non-standard version of the law, by the time that Congress passed E-Sign, there was a lot of momentum toward adopting the Uniform Electronic Transactions Act (UETA), and a lot of states had already implemented UETA. Worse, E-Sign has a partial preemption clause that makes it difficult/impossible to figure out which state laws survived it. So E-Sign is a prime example of how Congress cannot resist the lure of Internet regulation—even if it adds no value (or even subtracts value) in the process.
Another law that looks good on the surface, this law purports to provide safe harbors to protect online intermediaries from copyright infringement caused by other people. However, this law has at least two major flaws. First, it sets up a notice-and-takedown procedure that has led to significant abuse, such as content owners effectively "spamming" online service providers with poorly researched junk notices that impose significant investigatory costs on the provider-recipients.
Second, and perhaps more importantly, the law governs only late 1990s technologies; it doesn’t contemplate P2P file sharing and other decentralized forms of communications. This technological dependency makes the safe harbor increasingly irrelevant as technology evolves. As a stark example, consider that the online safe harbors didn’t get mentioned—not once!—in the most important online secondary infringement case to date: the Grokster Supreme Court opinion.
#8: Unlawful Internet Gambling Enforcement Act of 2006 (see the end of this file)
As I have said elsewhere, this law is "a flagship example of how special interest lobbying combined with legislative mumbling can produce an unreadable mess." First, the law is written in unintelligible Congress-ese. Second, the law is pockmarked with special interest exceptions, clearly showing who has the best lobbyists. Third, and most importantly, Congress did not specify (in this law or elsewhere) what constitutes illegal Internet gambling, yet the law requires third-party money sources to block the flow of money to illegal gambling operations. Thus, just like Kafka might write it, Congress deputizes private actors to block illegal activity without deciding for itself what constitutes illegal activity. As a result, banks and other money sources probably will curtail lots of legitimate activity to be on the safe side.
#7: Digital Millennium Copyright Act (DMCA) Anti-Circumvention
There are lots of reasons not to like the DMCA anti-circumvention law. Most obviously, the law targets "bad" technology rather than bad behavior—a regulatory model that usually fails when technological innovation bypasses such restrictions; or worse, the restrictions inhibit the development of socially beneficial technology.
However, the anti-circumvention laws make this list principally because of their unintended consequences. The law was designed to bolster content protection technology: the purported justification was that content owners wouldn’t feel comfortable putting content online without content protection measures, and this law restricts the capability to bypass those measures.
As it turns out, the hottest area of anti-circumvention litigation has nothing to do with such content protection schemes, but instead involves companies using the DMCA as an anti-competition law. Two flagship examples—Chamberlain, involving the sale of compatible after-market universal garage door openers (a case the EFF calls "mind-bogglingly absurd") and Lexmark, involving refilled printer cartridges—ultimately reached pro-competitive outcomes, but only after significant litigation and some disconcerting early rulings. Even with these rulings, companies now routinely consider anti-circumvention claims as part of a general anti-competitor campaign (for a very recent example, see here). As a result, the law has increased the cost of doing business and given plaintiffs another tool to try to restrict legitimate competition, while doing almost nothing to advance its principal goal of increasing protection for content owners.
#6: Electronic Communications Privacy Act
This law was written in 1986 (amending earlier versions), back when the Internet was an obscure academic network. Although the law wasn’t written with the Internet in mind, it has the heroic responsibility of governing a huge swath of private Internet communications, including email, private chat, VOIP, and others. Even if the law were well-drafted, applying a pre-Internet law to these communications would create plenty of ambiguity and friction. Unfortunately, this is not a well-drafted law; in my opinion, this law is one of the most poorly drafted statutes ever. The result is a tangled convoluted hairball that no one (even privacy experts) can understand or apply.
In 1995, there was some concern that the lack of Internet authentication would inhibit the development of e-commerce. As a result, VeriSign (and others) advocated that everyone on the Internet—both users and websites—should have digital certificates to validate their identity (the equivalent of an Internet driver’s license) so that websites and users each could figure out who they were dealing with. However, VeriSign and others expressed concern that a digital certificate issuer would face significant liability if the authenticated information was wrong. Thus, the argument went, if only digital certificate vendors could get some liability protection, digital certificate vendors would provide the necessary authentication that would allow e-commerce to explode.
In response to these concerns, Utah enacted the Digital Signatures Act to regulate the process of granting accurate certificates and limit the liability of digital certificate vendors. Utah hoped the law would encourage digital certificate vendors to relocate to Utah to take advantage of its friendly legal climate, making Utah a leader in e-commerce.
As it turns out, digital certificates weren’t needed to catalyze e-commerce, nor did the market materialize for digital certificates in the form contemplated by the statute (as a PKI-based system). As a result, this law was a complete failure, and no companies ever complied with the statute’s formalities. Indeed, the law proved to be so irrelevant that Utah has taken the highly unusual step of repealing the law. At least it owned up to its mistake (this time).
#4: Anti-Kid Spam Laws in Utah and Michigan
Nothing fires up the legislative machine like trying to protect kids from Internet dangers. In this case, Utah and Michigan created "do-not-email" registries, similar to the national Do-Not-Call registries, for the registration of kids’ email addresses. Porn spammers are supposed to check these databases and eliminate any registered kids’ addresses from their porn spam distributions.
While do-not-contact registries are generally popular, I’m in the minority of people of who think they are suboptimal policy (I explain my thinking, by deconstructing the federal Do-Not-Call registry here). In these cases, the do-not-email registries claim to be protecting kids, but they actually don’t try to authenticate registrants’ ages—making them a generic do-not-email registry, something even the FTC doesn’t favor. Most importantly, assuming that the database actually contains kids’ email addresses, it becomes a juicy target for criminal hackers, pedophiles, and other bad actors. Based on this concern, many privacy advocates, including the FTC, have advocated against kid-specific do-not-email registries.
As we saw with the Utah Digital Signatures Act, legislators can’t stimulate market demand simply by legislating the market into existence. In my opinion, no legislative act better illustrates this principle than the Dot Kids Implementation and Efficiency Act of 2002. In the name of providing a safe online haven for kids, Congress co-opted the .kids.us domain and decreed that only kid-safe content could reside there. In theory, parents would feel safe letting their kids loose there, and content publishers would have a good place to reach kids. Ultimately, Internet filters could simply enable .kids.us websites and shut off the rest of the Internet to kids.
The problem? Not many content publishers saw the value of creating kid-safe websites and housing them under the restrictive rules of the law. As a result, .kids.us is a virtual wasteland, housing fewer than 20 websites—almost all of which have less-than-compelling content. (You mean to tell me you’ve never been there? Check it out yourself.) Not exactly the most enticing destination for Junior. So .kids.us is a ghost-town-like reminder that legislators should stay out of the business of trying to manufacture markets.
#2: Utah/Alaska Anti-Adware Laws
Have you noticed a trend here? Utah makes my dud-law list three times—a hat trick of legislative incompetence. This is such a remarkable feat that we might consider banning Utah from enacting further Internet regulations until Utah can show that it will use its powers wisely.
This law makes my list because of the deceptive rationales used to justify it. Touted as an "anti-spyware," "consumer-protection" law, it was neither. The law targeted only adware, not spyware, and it gave enforcement rights to trademark owners, not consumers. As a result, the law gave trademark owners the power to take software out of consumers’ hands—even if the consumers actually wanted the technology. Further, by allowing trademark owners to attack competitors for engaging in comparative advertising, the law tried to inhibit beneficial competition rather than promoting it. Thus, despite its billing, this law was a profoundly regressive anti-consumer law.
Given its deceptive nature and adverse policy effects (which I explain in lengthy detail here), it should not be surprising that the law was quickly enjoined. (Disclosure note: I worked on an amicus brief challenging the law.) Chastened, the act’s sponsor subsequently amended the law to make it effectively irrelevant.
However, before Utah amended its law, Alaska implemented its own bastardization of Utah’s initial law. Among the Alaska law’s defects, it expects adware vendors to pop up a notice to potential downloaders, asking them for their geography. With this information, in theory, the vendor can avoid downloading the regulated software to Alaska residents. In other words, in an effort to fight unwanted pop-ups, the Alaska law mandates that software vendors deliver lots of unwanted pop-ups to consumers—even when both the vendors and consumers are located outside of Alaska. Classic legislator logic!
#1: Communications Decency Act (CDA)
Based on the discussion above, clearly there was plenty of competition for the worst Internet law of all time. However, I found picking a "winner" surprisingly easy. In fact, in my book, it isn’t particularly close.
The Communications Decency Act, passed in 1996, was Congress’ first comprehensive attempt to regulate Internet content. Not surprisingly, Congress made a lot of rookie mistakes. The CDA tried to keep kids away from Internet porn, a reaction to a sensational 1995 article (the "Rimm Report") published in the Georgetown Law Journal that proclaimed that the Internet was awash in porn. But later examinations thoroughly discredited the Rimm Report—meaning that Congress’ efforts/overreactions were based on bad social science.
Worse, Congress mistakenly assumed that non-porn content could be easily segregated from porn. In defense of this assumption, the government’s expert witness proposed a content-tagging system that would enable browsers to wall off porn. But this exposed a deep flaw in the law: the tagging system didn’t exist, browsers weren’t written to honor the tag, and it turns out that requiring publisher self-tagging for all Internet content is burdensome and cost-prohibitive.
Because web and email content publishers had no easy way to comply with the law, the law threatened to restrict virtually every Internet speaker. Further, Congress imposed punitive and draconian sanctions (including stiff jail time) for breaking the law. Congress really, really wanted to wipe porn off the Internet, but it chose a particularly mean-spirited way of doing so.
Not surprisingly, the law fared poorly in the courts. Within a week, it was enjoined. The next year, the U.S. Supreme Court unanimously struck down the law (although two judges would have found a way to preserve some of the law). For its lack of policy support, its sloppy blunderbuss approach to regulating speech, and its flat-out meanness, I hereby crown the CDA the worst Internet law (to date...).