Zoning speech on the Internet: a legal and technical model.

• Author: Lessig, Lawrence

Speech, it is said,(1) divides into three sorts -- (1) speech that everyone has a right to (political speech, speech about public affairs); (2) speech that no one has a right to (obscene speech, child porn); and (3) speech that some have a right to but others do not (in the United States, Ginsberg(2) speech, or speech that is "harmful to minors," to which adults have a right but kids do not). Speech-protective regimes, on this view, are those where category (1) speech predominates; speech-repressive regimes are those where categories (2) and (3) prevail.

This divide has meaning for speech and regulation within a single jurisdiction, but it makes less sense across jurisdictions. For when viewed across jurisdictions, most controversial speech falls into category (3) -- speech that is permitted to some in some places, but not to others in other places. What constitutes "political speech" in the United States (Nazi speech) is banned in Germany; what constitutes "obscene" speech in Tennessee is permitted in Holland; what constitutes porn in Japan is child porn in the United States; what is "harmful to minors" in Bavaria is Disney in New York. Every jurisdiction controls access to some speech(3) --what we call "mandatory access controls" -- but what that speech is differs from jurisdiction to jurisdiction.

This diversity creates a problem (for governments at least) when we consider speech within cyberspace. Within cyberspace, mandated access controls are extremely difficult. If access control requires knowing (a) the identities of the speaker and receiver, (b) the jurisdictions of the speaker and receiver, and (c) the content of the speech at issue, then as cyberspace was initially designed, none of these data are easily determined. As a result, real space laws do not readily translate into the context of cyberspace.

One possible response to the change caused by the initial architecture of the Internet ("Net") would have been for governments simply to give up on access controls. Experience suggests that this is unlikely. As the popularity of the Net has grown, governments have shown an increasing interest in reestablishing mandated access controls over certain kinds of speech now published on the Internet. In the United States, this speech is sex-(4) or spam(5)-related; in Germany, it is both sex-and Nazi-related;(6) in parts of Asia, it is anything critical of Asian governments.(7) Across the world, governments seek to reregulate access to speech in cyberspace, so as to reestablish local control.

We take as given this passion for reregulation. It features prominently in the current political reality of cyberspace. This reality should push us to consider the options that regulators face -- not because regulators need encouragement, but because we should understand the consequences of any particular regulatory strategy. Some strategies pose greater costs than others; some strike at more fundamental features of the Net than do others. We aim to understand the tradeoffs that this reregulation presents.

This inquiry is particularly salient in the United States just now. In what may have become a biannual event, the United States Congress in 1998 passed its second attempt at regulating "indecent speech" on the Net -- the Child Online Protection Act(8) ("COPA"). Its first statute, the Communications Decency Act of 1996(9) ("CDA"), was struck down by the Supreme Court in 1997.(10) Now two years later, a federal district court in Philadelphia has enjoined enforcement of COPA.(11) And if the ACLU succeeds in striking this statute, Congress no doubt will be at it again. Among the headaches of Y2K will be another CDA; and among the more significant (if repetitive) cases of 2001 will be A CL U v. [the next attorney general].

Congress may never pass a statute that satisfies the Court,(12) but we think it could. There exists a type of "decency act," which we sketch here, that would pass constitutional muster. That act is not COPA. To see why this "decency act" would be constitutional where COPA was not, and to understand this alternative act, requires a broader view. It requires an analysis that makes clear the different values at stake.

Our aim in this essay is to provide just such a perspective. We offer in Part I a model of mandated access control that will clarify the issues in play. While this model will help resolve the constitutional questions raised by COPA, it will also help see the issues that mandated access controls present more generally. Given that different jurisdictions will want different restrictions, and given that those restrictions would be differentially costly, we provide in Part II a map of the different architectures and assignments of responsibility that might effect these restrictions. We then consider the trade-offs among these alternatives -- both generally, and in particular in the American context.

This approach is a type of sensitivity analysis. Regulation, in the view that we take of it here, is a function of both law and the architectures of the Internet within which law must function. By "architectures" we mean (a) the Internet's technical protocols (for example, TCP/IP), (b) its standards and standard applications (for example, browsers or a digital certificate standard), and (c) its entrenched structures of governance and social patterns of usage that themselves are not easily changed -- or at least not without coordinated action by many parties. These architectures are not fixed. They change, partly in response to both direct and indirect regulation by law. Thus in Part II we ask first how access can be controlled given the existing array of legal and architectural constraints. We then consider how changes in the current array might yield a different mix of costs and benefits.

We evaluate the various outcomes of these different legal and architectural choices along four separate dimensions. For any particular mix, we consider, first, the effectiveness at controlling access; second, the cost to participants, whether sender, receiver, or intermediary; third, the costs to a system of "free speech" that such access controls impose; and fourth, other second-order effects, including in particular how different architectures might enable other regulation, beyond the specific access control that a given change was designed to enable.

For concreteness, we will focus on sexually explicit speech. We pick this type of speech because, in the American context at least, there exist at least two permissible levels of regulation for such speech. Some sexually explicit speech is prohibited generally (obscene speech, child porn); some sexually explicit speech is prohibited only to minors (speech that is "harmful to minors"); and the balance of sexually explicit speech is permitted to everyone.(13) This range of regulations will therefore illustrate the more general problem of access control across jurisdictions.

We then apply our model to COPA. COPA has a significantly narrower reach than the original CDA. Although Congress was, we believe, responsive to the Supreme Court's opinion in Reno, there is a structural feature of COPA that still renders it unconstitutional, at least when compared to a second possible statute that would have achieved Congress's legitimate end.(14) Those attacking COPA are not in a position to suggest this alternative, because they believe that private regulation is better than any law. But while we agree that private regulation may be better than COPA, we will suggest that private regulation may be more costly for free speech interests than the alternative regulation that we sketch here.

Part III focuses on this cost differential. There we consider the unintended consequences of the various regulatory strategies proposed. We argue that any reckoning of the costs of mandated access control must consider these secondary costs (and benefits) as well. In our view, these have been ignored in the debate so far. Yet arguably, they will be the most significant. Long after the "problem" of "indecent speech" is solved, the consequences of our choices to deal with indecent speech -- these secondary effects -- will continue to influence the culture of the Net. Legal and policy analyses would do well to account in the first place for these secondary effects.

The last section, Part IV, applies the same model to efforts to control "unsolicited commercial email," or "spam." The motivation for spam control differs from the reasons for controlling "indecency." Spam control protects recipients from unwanted information pushed into their mailboxes rather than preventing them from pulling information that they want. Our model and analysis, however, apply equally well to controlling spam, and shed light on the likely effectiveness and side effects of various legislative and architectural changes that have been proposed.

1. A MODEL OF ACCESS CONTROL

   1. Elements

      In our model of mandated access control ("MAC"), we consider three relevant actors -- a sender, a recipient, and an intermediary. The sender makes available the relevant speech; the recipient gets access to the relevant speech; and an intermediary is an entity that stands between the two. As these definitions suggest, nothing in our description hangs upon whether the sender actually sends material to the recipient, or upon the mode with which the recipient gains access.

      These actors, we will assume, know different things about the speech that is to be regulated. We assume the sender knows about the contents of the item being sent. We assume the recipient has information about her own identity and residence. And finally we assume the intermediary has information neither about the content, nor about who the recipient is or where she resides. Obviously, these assumptions are not necessary. A sender might not have knowledge about the speech she makes available; and a recipient may not know where or who she is. But we assume a general case.

      ...