Law And Borders: The Rise of Law in Cyberspace
David R. Johnson and David G. Post, 48 Stanford Law Review 1367  (1996)
( )


Global computer-based communications cut across territorial borders, creating a new realm of human activity and undermining the feasibility--and legitimacy--of applying laws based on geographic boundaries. While these electronic communications play havoc with geographic boundaries, a new boundary, made up of the screens and passwords that separate the virtual world from the "real world" of atoms, emerges. This new boundary defines a distinct Cyberspace that needs and can create new law and legal institutions of its own. Territorially-based law-making and law-enforcing authorities find this new environment deeply threatening. But established territorial authorities may yet learn to defer to the self-regulatory efforts of Cyberspace participants who care most deeply about this new digital trade in ideas, information, and services. Separated from doctrine tied to territorial jurisdictions, new rules will emerge, in a variety of online spaces, to govern a wide range of new phenomena that have no clear parallel in the nonvirtual world. These new rules will play the role of law by defining legal personhood and property, resolving disputes, and crystallizing a collective conversation about core values.

I. Breaking Down Territorial Borders

B. The Absence of Territorial Borders in Cyberspace

Cyberspace radically undermines the relationship between legally significant (online) phenomena and physical location. The rise of the global computer network is destroying the link between geographical location and: (1) the power of local governments to assert control over online behavior; (2) the effects of online behavior on individuals or things; (3) the legitimacy of the efforts of a local sovereign to enforce rules applicable to global phenomena; and (4) the ability of physical location to give notice of which sets of rules apply.

The Net thus radically subverts a system of rule-making based on borders between physical spaces, at least with respect to the claim that cyberspace should naturally be governed by territorially defined rules.

Cyberspace has no territorially-based boundaries, because the cost and speed of message transmission on the Net is almost entirely independent of physical location: Messages can be transmitted from any physical location to any other location without degradation, decay, or substantial delay, and without any physical cues or barriers that might otherwise keep certain geographically remote places and people separate from one another. The Net enables transactions between people who do not know, and in many cases cannot know, the physical location of the other party. Location remains vitally important, but only location within a virtual space consisting of the "addresses" of the machines between which messages and information are routed.

The system is indifferent to the physical location of those machines, and there is no necessary connection between an Internet address and a physical jurisdiction.

Although a domain name, when initially assigned to a given machine, may be associated with a particular Internet Protocol address corresponding to the territory within which the machine is physically located (e.g., a ".uk" domain name extension), the machine may move in physical space without any movement in the logical domain name space of the Net. Or, alternatively, the owner of the domain name might request that the name become associated with an entirely different machine, in a different physical location. Thus, a server with a ".uk" domain name may not necessarily be located in the United Kingdom, a server with a ".com" domain name may be anywhere, and users, generally speaking, are not even aware of the location of the server that stores the content that they read. Physical borders no longer can function as signposts informing individuals of the obligations assumed by entering into a new, legally significant, place, because individuals are unaware of the existence of those borders as they move through virtual space.

The power to control activity in Cyberspace has only the most tenuous connections to physical location. Many governments first respond to electronic communications crossing their territorial borders by trying to stop or regulate that flow of information as it crosses their borders. Rather than deferring to efforts by participants in online transactions to regulate their own affairs, many governments establish trade barriers, seek to tax any border-crossing cargo, and respond especially sympathetically to claims that information coming into the jurisdiction might prove harmful to local residents. Efforts to stem the flow increase as online information becomes more important to local citizens. In particular, resistance to "transborder data flow" (TDF) reflects the concerns of sovereign nations that the development and use of TDF's will undermine their "informational sovereignty,"\13\ will negatively impact on the privacy of local citizens,\14\ and will upset private property interests in information. Even local governments in the United States have expressed concern about their loss of control over information and transactions flowing across their borders.

But efforts to control the flow of electronic information across physical borders--to map local regulation and physical boundaries onto Cyberspace--are likely to prove futile, at least in countries that hope to participate in global commerce.\17\ Individual electrons can easily, and without any realistic prospect of detection, "enter" any sovereign's territory. The volume of electronic communications crossing territorial boundaries is just too great in relation to the resources available to government authorities to permit meaningful control.

U.S. Customs officials have generally given up. They assert jurisdiction only over the physical goods that cross the geographic borders they guard and claim no right to force declarations of the value of materials transmitted by modem. Banking and securities regulators seem likely to lose their battle to impose local regulations on a global financial marketplace. And state Attorneys General face serious challenges in seeking to intercept the electrons that transmit the kinds of consumer fraud that, if conducted physically within the local jurisdiction, would be more easily shut down.

Faced with their inability to control the flow of electrons across physical borders, some authorities strive to inject their boundaries into the new electronic medium through filtering mechanisms and the establishment of electronic barriers.\20\ Others have been quick to assert the right to regulate all online trade insofar as it might adversely impact local citizens. The Attorney General of Minnesota, for example, has asserted the right to regulate gambling that occurs on a foreign web page that was accessed and "brought into" the state by a local resident.\21\ The New Jersey securities regulatory agency has similarly asserted the right to shut down any offending Web page accessible from within the state.

But such protective schemes will likely fail as well.

First, the determined seeker of prohibited communications can simply reconfigure his connection so as to appear to reside in a different location, outside the particular locality, state, or country. Because the Net is engineered to work on the basis of "logical," not geographical, locations, any attempt to defeat the independence of messages from physical locations would be as futile as an effort to tie an atom and a bit together. And, moreover, assertions of law-making authority over Net activities on the ground that those activities constitute "entry into" the physical jurisdiction can just as easily be made by any territorially-based authority.

If Minnesota law applies to gambling operations conducted on the World Wide Web because such operations foreseeably affect Minnesota residents, so, too, must the law of any physical jurisdiction from which those operations can be accessed. By asserting a right to regulate whatever its citizens may access on the Net, these local authorities are laying the predicate for an argument that Singapore or Iraq or any other sovereign can regulate the activities of U.S. companies operating in cyberspace from a location physically within the United States.

All such Web-based activity, in this view, must be subject simultaneously to the laws of all territorial sovereigns.

Nor are the effects of online activities tied to geographically proximate locations. Information available on the World Wide Web is available simultaneously to anyone with a connection to the global network. The notion that the effects of an activity taking place on that Web site radiate from a physical location over a geographic map in concentric circles of decreasing intensity, however sensible that may be in the nonvirtual world, is incoherent when applied to Cyberspace. A Web site physically located in Brazil, to continue with that example, has no more of an effect on individuals in Brazil than does a Web site physically located in Belgium or Belize that is accessible in Brazil. Usenet discussion groups, to take another example, consist of continuously changing collections of messages that are routed from one network to another, with no centralized location at all; they exist, in effect, everywhere, nowhere in particular, and only on the Net.\23\

Nor can the legitimacy of any rules governing online activities be naturally traced to a geographically situated polity. There is no geographically localized set of constituents with a stronger claim to regulate it than any other local group; the strongest claim to control comes from the participants themselves, and they could be anywhere.

The rise of an electronic medium that disregards geographical boundaries also throws the law into disarray by creating entirely new phenomena that need to become the subject of clear legal rules but that cannot be governed, satisfactorily, by any current territorially-based sovereign. For example, electronic communications create vast new quantities of transactional records and pose serious questions regarding the nature and adequacy of privacy protections. Yet the communications that create these records may pass through or even simultaneously exist in many different territorial jurisdictions. What substantive law should we apply to protect this new, vulnerable body of transactional data? May a French policeman lawfully access the records of communications traveling across the Net from the United States to Japan? Similarly, whether it is permissible for a commercial entity to publish a record of all of any given individual's postings to Usenet newsgroups, or whether it is permissible to implement an interactive Web page application that inspects a user's "bookmarks" to determine which other pages that user has visited, are questions not readily addressed by existing legal regimes--both because the phenomena are novel and because any given local territorial sovereign cannot readily control the relevant, globally dispersed, actors and actions.

Because events on the Net occur everywhere but nowhere in particular, are engaged in by online personae who are both "real" (possessing reputations, able to perform services, and deploy intellectual assets) and "intangible" (not necessarily or traceably tied to any particular person in the physical sense), and concern "things" (messages, databases, standing relationships) that are not necessarily separated from one another by any physical boundaries, no physical jurisdiction has a more compelling claim than any other to subject these events exclusively to its laws.

II. A New Boundary for Cyberspace

A. Cyberspace as a Place

Many of the jurisdictional and substantive quandaries raised by border-crossing electronic communications could be resolved by one simple principle: conceiving of Cyberspace as a distinct "place" for purposes of legal analysis by recognizing a legally significant border between Cyberspace and the "real world."

Using this new approach, we would no longer ask the unanswerable question "where" in the geographical world a Net-based transaction occurred. Instead, the more salient questions become: What rules are best suited to the often unique characteristics of this new place and the expectations of those who are engaged in various activities there? What mechanisms exist or need to be developed to determine the content of those rules and the mechanisms by which they can enforced?

Answers to these questions will permit the development of rules better suited to the new phenomena in question, more likely to be made by those who understand and participate in those phenomena, and more likely to be enforced by means that the new global communications media make available and effective.

1. The New Boundary is Real.

Treating Cyberspace as a separate "space" to which distinct laws apply should come naturally, because entry into this world of stored online communications occurs through a screen and (usually) a "password" boundary. There is a "placeness" to Cyberspace because the messages accessed there are persistent and accessible to many people. You know when you are "there." No one accidentally strays across the border into Cyberspace. To be sure, Cyberspace is not a homogenous place; groups and activities found at various online locations possess their own unique characteristics and distinctions, and each area will likely develop its own set of distinct rules. But the line that separates online transactions from our dealings in the real world is just as distinct as the physical boundaries between our territorial governments--perhaps more so.

Crossing into Cyberspace is a meaningful act that would make application of a distinct "law of Cyberspace" fair to those who pass over the electronic boundary.

IV. Local Authorities, Foreign Rules: Reconciling Conflicts

What should happen when conflicts arise between the local territorial law (applicable to persons or entities by virtue of their location in a particular area of physical space) and the law applicable to particular activities on the Net? The doctrine of "comity," as well as principles applied when delegating authority to self-regulatory organizations, provide us with guidance for reconciling such disputes.

The doctrine of comity, in the Supreme Court's classic formulation, is "the recognition which one nation allows within its territory to the legislative, executive, or judicial acts of another nation, having due regard both to international duty and convenience, and to the rights of its own citizens or of other persons who are under the protections of its law."

It is incorporated into the principles set forth in the Restatement (Third) of Foreign Relations Law of the United States, in particular Section 403, which provides that "a state may not exercise jurisdiction to prescribe law with respect to a person or activity having connections with another state when the exercise of such jurisdiction is unreasonable," and that when a conflict between the laws of two states arises, "each state has an obligation to evaluate its own as well as the other state's interest in exercising jurisdiction [and] should defer to the other state if that state's interest is clearly greater.").\80\

It arose as an attempt to mitigate some of the harsher features of a world in which lawmaking is an attribute of control over physical space but in which persons, things, and actions may move across physical boundaries, and it functions as a constraint on the strict application of territorial principles that attempts to reconcile "the principle of absolute territorial sovereignty [with] the fact that intercourse between nations often demand[s] the recognition of one sovereign's lawmaking acts in the forum of another." In general, comity reflects the view that those who care more deeply about and better understand the disputed activity should determine the outcome. Accordingly, it may be ideally suited to handle, by extension, the new conflicts between the a-territorial nature of cyberspace activities and the legitimate needs of territorial sovereigns and of those whose interests they protect on the other side of the cyberspace border. This doctrine does not disable territorial sovereigns from protecting the interests of those individuals located within their spheres of control, but it calls upon them to exercise a significant degree of restraint when doing so.

Local officials handling conflicts can also learn from the many examples of delegating authority to self-regulatory organizations. Churches are allowed to make religious law. Clubs and social organizations can, within broad limits, define rules that govern activities within their spheres of interest. Securities exchanges can establish commercial rules, so long as they protect the vital interests of the surrounding communities.

In these cases, government has seen the wisdom of allocating rule-making functions to those who best understand a complex phenomenon and who have an interest in assuring the growth and health of their shared enterprise.

Cyberspace represents a new permutation of the underlying issue: How much should local authorities defer to a new, self-regulating activity arising independently of local control and reaching beyond the limited physical boundaries of the sovereign. This mixing of both tangible and intangible boundaries leads to a convergence of the intellectual categories of comity in international relations and the local delegation by a sovereign to self-regulatory groups. In applying both the doctrine of "comity" and the idea of "delegation" to Cyberspace, a local sovereign is called upon to defer to the self-regulatory judgments of a population partly, but not wholly, composed of its own subjects.

Despite the seeming contradiction of a sovereign deferring to the authority of those who are not its own subjects, such a policy makes sense, especially in light of the underlying purposes of both doctrines. Comity and delegation represent the wise conservation of governmental resources and allocate decisions to those who most fully understand the special needs and characteristics of a particular "sphere" of being. Although Cyberspace represents a new sphere that cuts across national boundaries, the fundamental principle remains.

If the sysops and users who collectively inhabit and control a particular area of the Net want to establish special rules to govern conduct there, and if that rule set does not fundamentally impinge upon the vital interests of others who never visit this new space, then the law of sovereigns in the physical world should defer to this new form of self-government.

Because controlling the flow of electrons across physical boundaries is so difficult, a local jurisdiction that seeks to prevent its citizens from accessing specific materials must either outlaw all access to the Net--thereby cutting itself off from the new global trade--or seek to impose its will on the Net as a whole. This would be the modern equivalent of a local lord in medieval times either trying to prevent the silk trade from passing through his boundaries (to the dismay of local customers and merchants) or purporting to assert jurisdiction over the known world. It may be most difficult to envision local territorial sovereigns deferring to the law of the Net when the perceived threat to local interests arises from the very free flow of information that is the Net's most fundamental characteristic--when, for example, local sovereigns assert an interest in seeing that their citizens are not adversely affected by information that the local jurisdiction deems harmful but that is freely (and lawfully) available elsewhere.

Examples include the German government's attempts to prevent its citizens access to prohibited materials, or the prosecution of a California bulletin board operator for making material offensive to local "community standards" available for downloading in Tennessee.

Local sovereigns may insist that their interest (in protecting their citizens from harm) is paramount, and easily outweighs any purported interest in making this kind of material freely available. But the opposing interest is not simply the interest in seeing that individuals have access to ostensibly obscene material, it is the "meta-interest" of Net citizens in preserving the global free flow of information.

If there is one central principle on which all local authorities within the Net should agree, it must be that territorially local claims to restrict online transactions (in ways unrelated to vital and localized interests of a territorial government) should be resisted. This is the Net equivalent of the First Amendment, a principle already recognized in the form of the international human rights doctrine protecting the right to communicate.

Participants in the new online trade must oppose external regulation designed to obstruct this flow. This naturally central principle of online law bears importantly on the "comity" analysis, because it makes clear that the need to preserve a free flow of information across the Net is just as vital to the interests of the Net as the need to protect local citizens against the impacts of unwelcome information may appear from the perspective of a local territorial sovereign.

For the Net to realize its full promise, online rule-making authorities must not respect the claims of territorial sovereigns to restrict online communications when unrelated to vital and localized governmental interests.

V. Internal Diversity

One of a border's key characteristics is that it slows the interchange of people, things, and information across its divide. Arguably, distinct sets of legal rules can only develop and persist where effective boundaries exist. The development of a true "law of Cyberspace," therefore, depends upon a dividing line between this new online territory and the nonvirtual world. Our argument so far has been that the new sphere online is cut off, at least to some extent, from rule-making institutions in the material world and requires the creation of a distinct law applicable just to the online sphere.

But we hasten to add that Cyberspace is not, behind that border, a homogeneous or uniform territory behind that border, where information flows without further impediment. Although it is meaningless to speak of a French or Armenian portion of Cyberspace, because the physical borders dividing French or Armenian territory from their neighbors cannot generally be mapped onto the flow of information in Cyberspace, the Net has other kinds of internal borders delineating many distinct internal locations that slow or block the flow of information.

Distinct names and (virtual) addresses, special passwords, entry fees, and visual cues --software boundaries--can distinguish subsidiary areas from one another. The Usenet newsgroup "alt.religion.scientology" is distinct from "," each of which is distinct from a chat room on Compuserve or America Online which, in turn, are distinct from the Cyberspace Law Institute listserver or Counsel Connect. Users can only access these different forums through distinct addresses or phone numbers, often navigating through login screens, the use of passwords, or the payment of fees. Indeed, the ease with which internal borders, consisting entirely of software protocols, can be constructed is one of Cyberspace's most remarkable and salient characteristics; setting up a new Usenet newsgroup, or a "listserver" discussion group, requires little more than a few lines of code.

The separation of subsidiary "territories" or spheres of activity within Cyberspace and the barriers to exchanging information across these internal borders allow for the development of distinct rule sets and for the divergence of those rule sets over time.

The internal borders within Cyberspace will thus allow for differentiation among distinct constellations of such information . Content or conduct acceptable in one "area" of the Net may be banned in another. Institutions that resolve disputes in one "area" of Cyberspace may not gain support or legitimacy in others. Local sysops can, by contract, impose differing default rules regarding who has the right, under certain conditions, to replicate and redistribute materials that originate with others. While Cyberspace's reliance on bits instead of atoms may make physical boundaries more permeable, the boundaries delineating digital online "spheres of being" may become less permeable. Securing online systems from unauthorized intruders may prove an easier task than sealing physical borders from unwanted immigration. Groups can establish online corporate entities or membership clubs that tightly control participation in, or even public knowledge of, their own affairs.

Such groups can reach agreement on or modify these rules more rapidly via online communications. Accordingly, the rule sets applicable to the online world may quickly evolve away from those applicable to more traditional spheres and develop greater variation among the sets.

The ability of inhabitants of Cyberspace to cross borders at will between legally significant territories, many times in a single day, is unsettling. This power seems to undercut the validity of developing distinct laws for online culture and commerce: How can these rules be "law" if participants can literally turn them on and off with a switch? Frequent online travel might subject relatively mobile human beings to a far larger number of rule sets than they would encounter traveling through the physical world over the same period. Established authorities, contemplating the rise of a new law applicable to online activities, might object that we cannot easily live in a world with too many different sources and types of law, particularly those made by private (non-governmental) parties, without breeding confusion and allowing anti-social actors to escape effective regulation.

But the speed with which we can cross legally meaningful borders or adopt and then shed legally significant roles should not reduce our willingness to recognize multiple rule sets. Rapid travel between spheres of being does not detract from the distinctiveness of the boundaries, as long as participants realize the rules are changing. Nor does it detract from the appropriateness of rules applying within any given place, any more than changing commercial or organizational roles in the physical world detracts from a person's ability to obey and distinguish rules as a member of many different institutional affiliations and to know which rules are appropriate for which roles Nor does it lower the enforceability of any given rule set within its appropriate boundaries, as long as groups can control unauthorized boundary crossing of groups or messages.

Alternating between different legal identities many times during a day may confuse those for whom cyberspace remains an alien territory, but for those for whom cyberspace is a more natural habitat in which they spend increasing amounts of time it may become second nature. Legal systems must learn to accommodate a more mobile kind of legal person.\105\

V1. Conclusion

Global electronic communications have created new spaces in which distinct rule sets will evolve. We can reconcile the new law created in this space with current territorially-based legal systems by treating it as a distinct doctrine, applicable to a clearly demarcated sphere, created primarily by legitimate, self-regulatory processes, and entitled to appropriate deference--but also subject to limitations when it oversteps its appropriate sphere.

The law of any given place must take into account the special characteristics of the space it regulates and the types of persons, places, and things found there. Just as a country's jurisprudence reflects its unique historical experience and culture, the law of Cyberspace will reflect its special character, which differs markedly from anything found in the physical world. For example, the law of the Net must deal with persons who "exist" in Cyberspace only in the form of an email address and whose purported identity may or may not accurately correspond to physical characteristics in the real world. In fact, an e-mail address might not even belong to a single person. Accordingly, if Cyberspace law is to recognize the nature of its "subjects," it cannot rest on the same doctrines that give geographically based sovereigns jurisdiction over "whole," locatable, physical persons. The law of the Net must be prepared to deal with persons who manifest themselves only by means of a particular ID, user account, or domain name.

Moreover, if rights and duties attach to an account itself, rather than an underlying real world person, traditional concepts such as "equality," "discrimination," or even "rights and duties" may not work as we normally understand them. New angles on these ideas may develop. For example, when AOL users joined the Net in large numbers, other Cyberspace users often ridiculed them based on the ".aol" tag on their email addresses--a form of "domainism" that might be discouraged by new forms of Netiquette. If a doctrine of Cyberspace law accords rights to users, we will need to decide whether those rights adhere only to particular types of online appearances, as distinct from attaching to particular individuals in the real world.

Similarly, the types of "properties" that can become the subject of legal discussion in Cyberspace will differ from real world real estate or tangible objects. For example, in the real world the physical covers of a book delineate the boundaries of a "work" for purposes of copyright law; those limits may disappear entirely when the same materials are part of a large electronic database. Thus, we may have to change the "fair use" doctrine in copyright law that previously depended on calculating what portion of the physical work was copied. Similarly, a web page's "location" in Cyberspace may take on a value unrelated to the physical place where the disk holding that Web page resides, and efforts to regulate web pages by attempting to control physical objects may only cause the relevant bits to move from one place to another. On the other hand, the boundaries set by "URLs" (Uniform Resource Locators, the location of a document on the World Wide Web) may need special protection against confiscation or confusingly similar addresses. And, because these online "places" may contain offensive material, we may need rules requiring (or allowing) groups to post certain signs or markings at these places' outer borders.

The boundaries that separate persons and things behave differently in the virtual world but are nonetheless legally significant. Messages posted under one e-mail name will not affect the reputation of another e-mail address, even if the same physical person authors both messages. Materials separated by a password will be accessible to different sets of users, even if those materials physically exist on the very same hard drive. A user's claim to a right to a particular online identity or to redress when that identity's reputation suffers harm, may be valid even if that identity does not correspond exactly to that of any single person in the real world.

Clear boundaries make law possible, encouraging rapid differentiation between rule sets and defining the subjects of legal discussion. New abilities to travel or exchange information rapidly across old borders may change the legal frame of reference and require fundamental changes in legal institutions. Fundamental activities of lawmaking--accommodating conflicting claims, defining property rights, establishing rules to guide conduct, enforcing those rules, and resolving disputes--remain very much alive within the newly defined, intangible territory of Cyberspace. At the same time, the newly emerging law challenges the core idea of a current law-making authority--the territorial nation state, with substantial but legally restrained powers.

If the rules of Cyberspace thus emerge from consensually based rule sets, and the subjects of such laws remain free to move among many differing online spaces, then considering the actions of Cyberspace's system administrators as the exercise of a power akin to "sovereignty" may be inappropriate. Under a legal framework where the top level imposes physical order on those below it and depends for its continued effectiveness on the inability of its citizens to fight back or leave the territory, the legal and political doctrines we have evolved over the centuries are essential to constrain such power. In that situation, where exit is impossible, costly, or painful, then a right to a voice for the people is essential. But when the "persons" in question are not whole people, when their "property" is intangible and portable, and when all concerned may readily escape a jurisdiction they do not find empowering, the relationship between the "citizen" and the "state" changes radically. Law, defined as a thoughtful group conversation about core values, will persist. But it will not, could not, and should not be the same law as that applicable to physical, geographically-defined territories.

1996 David R. Johnson and David G. Post. Permission granted to redistribute freely, in whole or in part, with this notice attached.