informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/bbs/FIDONET/blt4

453 lines
26 KiB
Plaintext
Raw Normal View History

Initial commit
2021-04-15 11:31:59 -07:00
This article, "Computer Electronic Mail and Privacy," appeared in THE
COMPUTER LAW AND SECURITY REPORT (4 Comp. L.Sec. Rpt. 4-8, Nov/Dec
1987). It appeared as part of a special "Information Law" section of
the British print publication. The article is about the American
federal statute known as the Electronic Communications Privacy Act of
1986. This article is:
Copyright 1986, 1987 Ruel T. Hernandez
Copies of this copyrighted article may only be used for PERSONAL USE.
This file replaces and supersedes documents found in PRIVACY.LBR and
PRIVACY2.LBR.
(PRIVACY.TXT - this has WordStar dot commands and Ctrl-P print codes)
COMPUTER_ELECTRONIC_MAIL_AND_PRIVACY
by
Ruel T. Hernandez
July 27, 1987
Copyright 1986, 1987 by Ruel T. Hernandez
INTRODUCTION
Three years ago, Congress introduced legislation which sought to
provide federal statutory guidelines for the privacy protection of
electronic communications, including electronic mail (e-mail) found on
commercial computer-based services and on other remote computer systems such
as electronic bulletin board systems (BBS). The old federal wiretap law
only gave protection to normal audio telephone communications. Before the
legislation culminated into the Electronic Communications Privacy Act of
1986 (ECPA), which went into effect on January 20, 1987, there was no
contemplation of computer-based electronic communications being transmitted
across telephone lines and then being stored on disk for later retrieval by
or forwarding to its intended recipient. Federal law did not provide
guidelines for protecting the transmitted electronic messages once they were
stored on these computer-based communications services and systems.
QUESTIONS
(1) Whether electronic mail and other intended private material stored
on an electronic computer communications service or system have Fourth
Amendment privacy protection?
(2) Should private electronic mail and other such material be accorded
federal statutory protection guidelines such as those enjoyed by the U.S.
Mail?
PROBLEM
Law enforcement seeks criminal evidence stored as e-mail either on a
commercial computer service, such as CompuServe, GEnie or The Source, or on
a hobbyist-supported BBS. (Note, this situation is equally applicable to
personal, private data stored on a remote system for later retrieval, such
as with CompuServe's "personal file" online storage capabilities.)
For example, a computer user calls up a computer communication system.
Using the electronic mail function, he leaves a private message that can
only be read by an intended recipient. The message is to inform the
recipient of a conspiracy plan to violate a federal or state criminal
statute. Law enforcement gets a tip about the criminal activity and learn
that incriminating evidence may be found on the computer system.
In 1982, such a situation occurred. (Meeks, Life_at_300_Baud:_Crime_on
the_BBS_Network, Profiles, Aug. 1986, 12-13.) A Detroit federal grand jury,
investigating a million-dollar cocaine ring, issued a subpoena ordering a
commercial service, The Source, to hand over private subscriber data files.
The files were routinely backed up to guard against system crashes. The
grand jury was looking for evidence to show that the cocaine ring was using
The Source as a communications base to send messages to members of the ring.
With such evidence, the grand jury could implicate and indict those
suspected of being part of the cocaine ring. The Source refused to obey the
subpoena on the basis of privacy. The prosecution argued The Source could
not vicariously assert a subscriber's privacy rights. Constitutional rights
are personal and could only be asserted by the person whose rights are
invaded. Additionally, since the files containing messages were duplicated
by the service, any user expectation of privacy would be extinguished. A
court battle ensued. However, before a ruling could be made, the kingpin of
the cocaine ring entered a surprise preemptime guilty plea to federal drug
trafficking charges. The case against The Source was discontinued.
Publicly posted messages and other public material may be easily
retrieved by law enforcement. It is the private material, such as e-mail,
which posed the problem.
Law enforcement's task was then to gather enough evidence to
substantiate a criminal case. Specifically, they would want the e-mail, or
other private files, transmitted by suspected criminals. In oppostion, the
provider or systems operator of a computer communications service or system,
in his assumed role as keeper of transmitted private electronic messages,
would not want to turn over the private data.
INADEQUACY OF OLD LAW
Meeks noted that as of August, 1986, "no ... protection exist[ed] for
electronic communications. Any law enforcement agency can, for example,
confiscate a local BBS and examine all the message traffic," including and
private files and e-mail. (Id.)
CASE LAW
There is little case law available on computer communications and
Fourth Amendment constitutional problems. (See_generally M.D. Scott,
Computer Law, 9-9 (1984 & Special Update, Aug. 1, 1984).) If not for the
preemptive guilty plea, the above described Detroit case may have provided
some guidance on computer-based communications and privacy issues.
Of the available cases, there are those which primarily dealt with
financial information found in bank and consumer credit organization
computers. In U.S._v._Davey, 426 F.2d 842, 845 (2 Cir. 1970), the
government had the right to require the production of relevant information
wherever it may be lodged and regardless of the form in which it is kept and
the manner in which it may be retrieved, so long as it pays the reasonable
costs of retrieval. In a California case, Burrows_v._Superior_Court, 13
Cal. 3d 238, 243, 118 Cal. Rptr. 166, 169 (1974), a depositor was found to
have a reasonable expectation that a bank would maintain the confidentiality
of both his papers in check form originating from the depositor and the
depositor's bank statements and records of those checks. However, in
U.S._v. Miller, 425 U.S. 435, 96 S.Ct. 1619 (1976), customer account
records on a bank's computer were held to not be private papers of the bank
customer, and, hence, there was no Fourth Amendment problem when they are
subpoenaed directly from the bank.
Although these cases have more of a business character in contrast to
personal e-mail found on computer systems such as CompuServe or a hobbyist-
supported BBS, they would hold that there would be very little to legally
stop unauthorized access to computer data and information.
Under the old law, a prosecutor, as in the Detroit case, may try to
analogize duplicated and backed up e-mail to business situations where data
on business computer databases are also backed up. Both types of computer
data are stored on a system and then later retrieved. The provider or
systems operator of a computer electronic communications system would
counterargue that the nature of computers always require the duplication and
backup of any computer data, whether the data files be e-mail or centrally-
based financial or credit data. Data stored on magnetic media are prone to
possible destruction. Duplication does not necessarily make e-mail the same
as financial or credit data stored in business computers. Centrally-based
business information is more concerned with the data processing. That
information is generally stored and retrieved by the same operator. E-mail
is more concerned with personal communications between individuals where the
sender transmits a private message to be retrieved only by an intended
recipient. The sender and the recipient have subjective expectations of
privacy that when viewed objectively are reasonable. Therefore, there would
be a constitutionally protected expectation of privacy under Katz_v._U.S.,
389 U.S. 347, 88 S.Ct. 507 (1967).
However, the prosecution would note under California_v._Ciraolo, --
U.S. --, 106 S.Ct. 1809 (1984), users would have to protect their electronic
mail from any privacy intrusion. The provider or operator of the service or
system has ultimate control over it. He has complete access to all areas of
the system. He could easily examine the material. The prosecution would
note the user could not reasonably protect his private data from provider or
operator invasion. This "knot-hole," where an observer can make an
observation from a lawful position, would exclude any reasonable expectation
of privacy. If there is no privacy, there can be no search and therefore no
Fourth Amendment constitutional violation. Law enforcement can retrieve the
material.
The Justice Department noted the ambiguity of the knothole in a
response to Senator Leahy's question whether the then existing wiretap law
was adequate to cover computer communications. (S. Rep. No. 541, 99th
Cong., 2d Sess. 4 reprinted_in 1986 U.S. Code Cong. & Ad. News 3558.) It
was "not always clear or obvious" whether a reasonable expectation of
privacy existed. (Id.)
FEDERAL WIRETAP STATUTES
The old federal wiretap statutes protected oral telephone
communications from police interceptions. This protection was made during
1968 in response to electronic eavesdropping conducted by government.
(Cohodas, Congress_Races_to_stay_Ahead_of_Technology, Congressional
Quarterly Weekly Report, May 31, 1986, 1235.) Although e-mail appears to
come under the old 18 U.S.C. sec. 2510(1) definition of "wire
communication," it was limited to audio transmissions by wire or cable. The
old 18 U.S.C. sec. 2510(4) required that an interception of a wire
communication be an aural acquisition of the communication. By being
"aural," the communication must be "heard." There would be a problem as to
whether an electronic communication could be "heard." Data transmissions
over telephone lines generally sound like unintelligible noisy static or
high pitched tones. There would certainly be no protection after a
communication has completed its transmission and been stored on a computer.
The communication's conversion into computer stored data, thus no longer in
transmission until later retrieved or forwarded as transmission to another
computer system, would clearly take the communication out of the old
statutory protected coverage.
"Eighteen years ago ... Congress could not appreciate - or in some
cases even contemplate - [today's] telecommunications and computer
technology...." (132 Cong. Rec. S7992 (daily ed. June 19, 1986) (statement
of Sen. Leahy).)
COMPARISON WITH U.S. MAIL PROTECTION
A letter sent by first class mail is given a high level of protection
against unauthorized intrusion by a combination of federal and U.S. Postal
Service statutes and regulations. For instance, the unauthorized taking out
of and examining of the contents of mail held in a "depository for mail
matter" before it is delivered to the mail's intended recipient is
punishable by fine, imprisonment, or both. (18 U.S.C. sec. 1702.) In
comparison, under the old law, electronic communications had no protection.
Federal protection for U.S. Mail provided a suggested direction as to how
electronic communications should be protected when it was no longer in
transmission.
SOLUTION - THE NEW LAW
There are two methods towards a solution: (1) court decisions; or (2)
new legislated privacy protection.
COURT DECISIONS
Courts may have chosen to read computer communications protection into
the old federal wiretap statute or into existing state law. However, they
were reluctant to do so. Courts "are in no hurry to [revise or make new law
in this area] and some judges are openly asking Congress for help....
[F]ederal Appeals Court Judge Richard Posner in Chicago said Congress needed
to revise current law, adding that 'judges are not authorized to amend
statutes even to bring them up-to-date.'" (Cohodas, 1233.)
NEW STATUTE
Last October 21, 1986, President Reagan signed the new Electronic
Communications Privacy Act of 1986 amending the federal wiretap law. ECPA
has since went into effect during the beginning of 1987. (P.L. 99-508,
Title I, sec. 111, 100 Stat. 1859; P.L. 99-508, Title II, sec. 202, 100
Stat. 1868.) ECPA created parallel privacy protection against both
interception of electronic communications while in transmission and
unauthorized access to electronic communications stored on a system.
The new ECPA first provides privacy protection for any
'electronic communication' ... [by] any transfer of signs,
signals, writing, images, sounds, data or intelligence of any
nature transmitted in whole or in part by a wire, radio,
electromagnetic, photoelectronic or photooptical system that
affects interstate or foreign commerce...."
(18 U.S.C. secs. 2510(12), 2511.) The Senate Report noted examples of
electronic communications to include non-voice communications such as
"electronic mail, digitized transmissions, and video teleconferences." (S.
Rep. No. 541, 99th Cong., 2d Sess. 14 reprinted_in 1986 U.S. Code Cong. &
Ad. News 3568.) Electronic communication is defined in terms of how it is
transmitted. So long as the means by which a communication is transmitted
affects interstate or foreign commerce, the communication is covered ECPA.
(18 U.S.C. sec. 2510(12).) Generally, that would include all telephonic
means including private networks and intra-company communications. (S.
Rep. No. 541, 99th Cong., 2d Sess. 12 reprinted_in 1986 U.S. Code Cong. &
Ad. News 3566.)
Second, ECPA protects the electronic communication when it has been
stored after transmission, such as e-mail left on an electronic computer
communication system for later pickup by its intended recipient. (18 U.S.C.
sec. 2510(17).) The legislation makes it a federal criminal offense to
break into any electronic system holding private communications or to exceed
authorized access to alter or obtain the stored communications. (18 U.S.C.
sec. 2701(a).)
The legislation would protect electronic computer communication systems
from law enforcement invasion of user e-mail without a court order. (18
U.S.C. secs. 2517, 2518, 2703.) Although the burden of preventing
disclosure of the e-mail is placed on the subscriber or user of the system,
the government must give him fourteen days notice to allow him to file a
motion to quash a subpoena or to vacate a court order seeking disclosure of
his computer material. (18 U.S.C. sec. 2704(b).) However, the government
may give delayed notice where there are exigent circumstances as listed by
the Act (18 U.S.C. sec. 2705.) Recognizing the easy user destruction of
computer data, ECPA allows the government to include in its subpoena or
court order the requirement that the provider or operator retain a backup
copy of electronic communications when there is risk of user destruction.
(18 U.S.C. sec. 2704(a).)
The legislation gives a civil cause of action to the provider or
operator, subscriber, customer or user of the system aggrieved by an
invasion of an electronic communication in the system in violation of the
ECPA. (18 U.S.C. secs. 2520, 2707.) If the provider or operator has to
disclose information stored on his system due to a court order, warrant,
subpoena, or certification under ECPA, no cause of action can be brought
against him by the person aggrieved by such disclosure. (18 U.S.C. sec.
2703(e); see_also 18 U.S.C. secs. 2701(c), 2702(b), 2511(2)(a)(i),
2511(3)(b)(iii) where the systems operator or provider is not held
criminally liable, may observe a private communication while performing
employment duties or according to authorization, etc., may intercept private
communication while making quality control checks or during the course of
forwarding communications to another system.)
SYSTEMS COVERED
Clearly, the national commercial services in the United States,
including CompuServe, MCI Mail or a company using a contracted e-mail
service, such as GE QUIK-COM (See S. Rep. No. 99-541, 99th Cong., 2d Sess.
8 reprinted_in 1986 U.S. Code Cong. & Ad. News 3562) are covered by ECPA.
However, there may be some confusion as to whether ECPA would protect
electronic communications found on a mere hobbyist-supported BBS. For
instance, language in ECPA does not expressly state the term "bulletin
board." Nonetheless, ECPA would indeed cover electronic bulletin boards.
What are electronic bulletin boards? Generally, they are personal
computers provided for and maintained by computer hobbyists out of their own
personal resources. These systems traditionally allow free access to
computer/modem-equipped members of local communities and provide for both
public and private electronic mail exchange. Some sophisticated systems,
such as the ProLine system written for Apple II computers, provide callers
with personal user areas where they may keep private files much like the
CompuServe personal file areas.
Augmenting the single stand-alone BBS, there are networks of bulletin
boards linked together, often with the assistance of university mainframes,
with other bulletin boards or mainframe computers by sophisticated "mail
routing" systems (such as ARPAnet and FIDOnet). These networks use
sophisticated message addressing instructions and computer automation where
networked computers make calls to other networked computers to exchange
"net-news" or private mail between users of the different bulletin boards.
Given the proper address routing instructions, a user may communicate with
another user on a cross-town BBS or on a BBS in another part of the country.
Although there is some delay with messages being routed through a network,
these networks help to reduce or eliminate the computer hobbyist's need to
make direct toll or long distance calls to faraway systems or having to pay
subscription fees to use a commercial electronic mail service. (Note, there
are also network exchange systems and "gateways" between commercial
services.)
As an alternative to commercial service subscriptions, businesses have
been turning to the use of BBS's and BBS mailing networks for increased
productivity, paperwork reduction, improved client contact and the
elimination of "telephone tag." (See Keaveney, Custom-Built_Bulletin_Boards,
Personal Computing, Aug. 1987, 91.) A number of these corporate BBS's are
open to the public with restricted access to business and client system
areas. Examples of such systems include two Washington D.C. area boards
run by Gannet Company Inc. ("[f]or all Gannet/USA Today employees and other
computer users") and Issue Dynamics Inc. (catering to the consulting
company's clients).
ECPA language would show protection for bulletin boards. 18 U.S.C.
sec. 2510(15) provides that "'electronic communication service' means any
service which provides to users thereof the ability to send or receive wire
or electronic communications" (emphasis added). A "remote computing
service" was defined in the Act as an electronic communications system that
provides computer storage or processing services to the public. (18 U.S.C.
sec. 2710(2).) An intra-company communications system, the corporate BBS,
would also be protected. (S. Rep. No. 541, 99th Cong., 2d Sess. 12
reprinted_in 1986 U.S. Code Cong. & Ad. News 3566.) Language in ECPA
refers to "the person or entity providing the wire or electronic
communication service," such as in 18 U.S. secs. 2701(c)(1) and 2702(a)(1).
Such language would indicate the inclusion of individuals and businesses who
operate bulletin board systems.
The Senate report, in addition to defining "electronic mail," gave a
separate definition of "electronic bulletin boards":
Electronic "bulletin boards" are communications networks created
by computer users for the transfer of information among computers.
These may take the form of proprietary systems or they may be
noncommercial systems operating among computer users who share special
interests. These noncommercial systems may [or may not] involve fees
covering operating costs and may require special "passwords" which
restrict entry to the system. These bulletin boards may be public or
semi-public in nature, depending on the degree of privacy sought by
users, operators or organizers of such systems.
(S. Rep. No. 541, 99th Cong., 2d Sess. 8-9 reprinted_in 1986 U.S. Code
Cong. & Ad. News 3562-3563.)
ECPA, as enacted, takes note of the different levels of security found
on hobbyist-supported BBS's, i.e. the difference between configured system
areas containing private electronic mail and other areas configured to
contain public material. (18 U.S.C. sec. 2511(2)(g)(i).) The electronic
communications which a user seeks to keep private, through methods provided
by the system, would be protected by ECPA. In contrast, there would be no
liability for access to features configured by the system to be readily
accessible by the general public. An indicia of privacy on the system, with
no notice to show otherwise, would trigger ECPA coverage. An indicia of
privacy may include passwords and prompts asking if a message is to be kept
private.
House Representative Kastenmeier noted that there was an unusual
coalition of groups, businesses and organizations interested in ECPA.
(Kastenmeier, Communications_Privacy, Communications Lawyer, Winter 1987,
1, 24.) Among those interested included the BBS community. Reporters in
the BBS community noted how Senator Leahy and others were receptive to their
concerns. They report Leahy to have been "soliciting [users and BBS
operators'] comments and encourag[ing] sensitivity to the needs of BBS's in
the legislation.... [Senators and congressional members] are ... willing to
listen to our side of things." (BBSLAW02.MSG, dated 07/24/85, information
from Chip Berlet, Secretary, National Lawyers Guild Civil Liberties
Committee, transmitted by Paul Bernstein, SYSOP, LAW MUG, Chicago, Illinois
(312)280-8180, regarding Federal Legislation Affecting Computer Bulletin
Boards, deposited on The Legacy Network (213)553-1473 in Los Angeles,
California.)
ESCAPING COVERAGE
There are at least two possible ways to escape ECPA coverage. The
first is to provide adequate notice that all material on a service or system
may be publicly accessible even though methods of providing privacy remain.
The bulletin board system maintained by DePaul University College of Law
(312)341-6217, Chicago, Illinois, provides an example of an electronic
notice (displayed upon user access):
PURSUANT TO THE ELECTRONIC AND COMMUNICATIONS PRIVACY ACT OF 1986, 18
USC 2510 et. seq., NOTICE IS HEREBY GIVEN THAT THERE ARE NO FACILITIES
PROVIDED BY THIS SYSTEM FOR SENDING OR RECEIVING PRIVATE OR
CONFIDENTIAL ELECTRONIC COMMUNICATIONS. ALL MESSAGES SHALL BE DEEMED
TO BE READILY ACCESSIBLE TO THE GENERAL PUBLIC.
Do NOT use this system for any communication for which the sender
intends only the sender and the intended recipient or recipients to
read.
Note, although the DePaul notice states otherwise, user-operated message
privacy toggles remain on the board. The second possible method to escape
ECPA coverage would be to merely not provide any means of privacy.
One way of foiling the intent of a government subpoena or court order
requirement to keep duplicate copies of private electronic communications
would be the use of passworded private e-mail. For instance, the private
e-mail capabilities of GEnie Mail and GE QUIK-COM include user-toggled
passwording which utilizes an encryption technique that no one, not even the
provider, knows how to decipher. Bill Louden, General Manager of GEnie
(General Electric Network for Information Exchange), noted how GEnie Mail
and GE QUIK-COM passworded e-mail cannot be read by anyone who did not know
the password. "[N]ot even our 'god' number could ever read the [passworded]
mail." (Message from Bill Louden, GEnie, Legacy RoundTable (LAW), category
1, topic 7, message 6 (May 15, 1987).) The writer of the encryption
software has since left General Electric and no one has had success in
breaking the code. (Message from Bill Louden, GEnie, Legacy RoundTable
(LAW), category 1, topic 7, message 10 (May 17, 1987).)
CONCLUSION
With ECPA, e-mail and other private electronic communications stored on
computer communication systems have privacy protection. Unfortunately,
before ECPA, federal statutory guidelines for such protection were not
articulated. Case law also did not provide any helpful guidance. The
peculiarities of computers and computer storage were not addressed by the
old wiretap laws. Electronic communications privacy could not stand up
against constitutional privacy law as defined by the United States Supreme
Court. The then existing law was "hopelessly out of date." (S. Rep. No.
541, 99th Cong., 2d Sess. 2 reprinted_in 1986 U.S. Code Cong. & Ad. News
3556 (statement of Sen. Leahy).) Fortunately, a legislative solution to
bring privacy law up to date with the advancing computer communication and
information technology was provided for in ECPA.
-------------------------
Copyright 1986, 1987 Ruel T. Hernandez. This paper was originally written
for a Law and Technology seminar course at California Western School of Law.
The author may be contacted via CompuServe (71450,3341) or GEnie
(R.HERNANDEZ) or Intermail/UUCP (ruel@cup.portal.com).