April 12, 1988 Privacy, BBS's, ECPA, and Thompson v. Predaina ============================================== Information: This is a discussion, from a local San Diego BBS, about online privacy including a look at the _Thompson_v._Predaina_ BBS/ECPA lawsuit and how privacy law works, or not work, in different factual contexts. Some reformating and a few typo corrections were made from the original postings. Although this is somewhat comprehensive and may cover almost any user question about online privacy (as well as possibly clear up some misconceptions), this is not the complete discussion. It only includes most of what I wrote. The complete discussion is currently on PRO-SOL at (619)281-7222. Disclaimer: This material is only presented for informational purposes and not to convey legal advice. Advertisement: This discussion is from PRO-SOL (619)281-7222 in San Diego, California. PRO-SOL's Sysop is Morgan Davis. He is the author of the ProLine software that PRO-SOL and the growing network of ProLine systems run on. It's au UNIX-like system with shells and identical com- ands like on an UNIXsite -- but it runs on an Apple computer! The Pro- Line network is linked up with the UUCP and internet world too. As well as an in-depth discussion of online privacy, this next message should give you at least one sample of the types of discussions held on PRO- SOL. If you would like more information about PRO-SOL and the ProLine software, call PRO-SOL. Warning: These excerpts from the discussion are long -- totalling about 90k. ------------------------------------------------------------------------ Ruel T. Hernandez (B.A., M.A., J.D.), P.O. Box 5813, Chula Vista, CA 92012 CIS: 71450,3341 GEnie: R.HERNANDEZ - Internet: ruel@cup.portal.com ------------------------------------------------------------------------ CS-ID: #435.issues/legal@PRO-SOL 2908 chars Date: Sun, 27 Mar 88 15:23:31 PST From: ruel (Ruel Hernandez) Subject: online privacy -- part 1 For those of you who read the posts in proline/net, you may have noticed the excerpt from CompuServe: FEDERAL PRIVACY SUIT AGAINST BBS OPERATOR (March 26) An electronic bulletin board system user has filed a $112,000 law- suit against a BBS and its system operator claiming that the Sysop did not properly safeguard private electronic mail. The lawsuit could prove to be a landmark since a court ruling would be the first one handed down under the federal Electronic Communications Privacy Act of 1986. The ECPA mandates privacy protection of electronic communications, including the electronic mail found on comercial services and bulletin board sy- stems. Linda Thompson filed a pro se complaint in the US District Court for the Southern District of Indiana. The civil action alleges that Bob Predaina, doing business as the Professional's Choice Bulletin Board, violated federal or Indiana state law on 10 counts. According to the complaint obtained by Online Today, during Decem- ber of 1987, Predaina allowed others to access and view the contents of all electronic communications in a private message portion of the sub- scription BBS. Prviously deleted private messages were also restored so that others could read them. Apparently, Thompson`s private E-MAIL was among the messages made available to others. Again, in January, 1988, the Sysop "intentionally or recklessly in- tercepted and restored to the public portion of the board," a private message of Thompson's that she had previously deleted. In subsequent action, the Sysop denied Thompson access to the board even though she had paid one year subscription to the BBS. When Thompson requested that the Sysop refrain from actions that "were contrary to the law," Predaina refused. The last two counts of the complaint could be the most damaging and state that on January 6, the Sysop "intentionally, maliciously or with reckless disregard for the truth, made statements which on their face are damaging to the professional and personal reputation of [Thompson] in public and to another person, subjecting the Petitioner to humilia- tion, personal anguish and ridicule." In the suit, Predaina is charged with making similar statements in the form of publicly posted BBS mes- sages. Predaina did not respond to phone calls from Online Today for a reaction to the lawsuit. However, callers to Predaina's BBS are greeted with a public apology to Thompson. "Generally Sysops are good at policing themselves and their boards," Thompson told Online Today. "The reason for the lawsuit was that there apparently was going to be no resolution between [Predaina and myself]. I think that if you have a board that has a facility for private mail, you have a right to expect that private mail stays private and is not spread all over." - James Moran (continued next message) CS-ID: #436.issues/legal@PRO-SOL 14439 chars Date: Sun, 27 Mar 88 15:44:39 PST From: ruel (Ruel Hernandez) Subject: online privacy -- part 2 (continued from previous message) I've received some phone calls about something like this from a Seattle Sysop (who heard about it from from the EXEC-PC system). He indicated that the situation may have been more involved. Whether it was or not, you can see how complicated the situation could get. What he told me about the situation was that the lady had sent or was receiving a pri- vate message, via an echo intermail system on the OPUS or FIDO networks, which was changed by the Sysop of a system to public. So, her private communications would be echoed publicly on a bunch of different OPUS or FIDO systems across the nation. If this complaint is of the same case the Seattle Sysop told me about, well, it is a big mess. From what I understand, a defense fund was set up to help the defendant Sysop. This is one of two civil cases under the ECPA that I've heard about. In addition to this one, there was one case in New York which involved a bbs-type system run by a business for its employees. (Could have been a standalone BBS, or big LAN or a WAN for all I know.) The owner/president of the company was snooping in the private EMAIL to see what his employ- ees were saying about him. As a result one employee was fired for elec- tronically bad-mouthing his boss on the system. The New York case was dropped or settled, I've forgotten which. Of course, there are crimin- ally-related situations that ECPA was designed for, but those are war- rants/search&seizure situations involving the police and I don't know of any real cases there. Anyways, here's that complaint. The Seattle Sysop said the plaintiff here is a law student. And she is suing pro se here without an attorney. UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF INDIANA CIVIL DIVISION Linda Thompson, ) Civil Action No. IP-88 93C ) ----------- Petitioner, ) ) v. ) ) Bob Predaina, ) d/b/a Professional's Choice ) Bulletin Board ) ) Respondent. ) COMPLAINT Comes now the Petitioner, Linda Thompson, and complains of the Re- spondent, Bob Predaina, doing business as the Professional's Choice Bulletin Board, and in support thereof would show the court: 1. That Petitioner Linda Thompson is a citizen of the United States and resident of the State of Indiana, County of Marion. 2. That this action arises under U.S.C., Title 18, Chapter 119, entitled Wire and Electronic Communications Interception of Oral Commun- ications, ss 2520; U.S.C., Title 18, Chapter 121 entitled Stored Wire and Electronic Communications and Transactional Records Access, ss 2707; U.S.C., Title 47, Chapter 5, entitled Wire or Radio Communication, ss 605(d)(3)(a) and the laws of the State of Indiana. The matter in con- troversey exceeds, exclusive of interest and costs, the sum of ten thou- sand dollars. 3. That the respondent, Bob Predaina, at all times material was the owner of a Computer Communications System, as defined in U.S.C., Title 18, ss 2510 (14) located in Marion County, Indiana. 4. That the Respondent, Bob Predaina, at all times material was the owner and operator (hereinafter "System Operator") of an electronic communication service, as defined in U.S.C., Title 18, ss 2510 (15) and or remote electronic communication service, as applicable, operated from, attached to or part of the Respondent's Computer Communications System. 5. That at all times material the computer service of the Respon- dent was operated under the name of The Professional's Choice Bulletin Board (hereinafter by name or "the BBS") in the county of Marion, state of Indiana. 6. That the BBS at all times material provided electronic communi- cation, as defined in U.S.C., Title 18, ss 2510 (12), between "users" as defined in U.S.C., Title 18, ss 2510 (13). 7. That at all times material, the BBS provided electronic stor- age, as defined in U.S.C., Title 18, ss 2510 (17) of the electronic com- munications of users. 8. That at all times material certain electronic storage and com- munication on the BBS was configured so that electronic communications designated by the user as "Receiver Only" were private electronic com- munications to a designated recipient and not readily accessible to the general public. 9. That at all times material, all electronic storage and communi- cation on the BBS was configured so that electronic communications transmitted by a user could be deleted only by the sending user, the system operator or the designated recipient of a "Receiver Only" commun- ication, and once deleted, said communication could not be transmitted, read or readily accessed by anyone, including the system operator. 10. That at all times material, the respondent was a person, as defined in U.S.C., Title 47, ss 153 (i) engaged in receiving, assisting in receiving, transmitting, or assisting in transmitting interstate com- munication by wire, as defined in U.S.C., Title 47, ss 153 (a) and (e), by means of the electronic communications service. 11. That at all times material, the Petitioner was an authorized user of the electronic communications service of the Respondent, and had paid the sum of $35.00 as a subscription fee for a one year service in October, 1987 to the Respondent. COUNT I: 12. The Petitioner incorporates and realleges paragraphs 1 through 11 above and further alleges that on an undeterminable date in January, 1988, without the permission or knowledge of the petitioner, that the Respondent, Bob Predaina, through the use of an electronic, mechanical, or other device, as defined in U.S.C., Title 18, 2510 (5), intentionally or recklessly intercepted, caused to be restored, and thereby altered the authorized access to a private electronic communication to which there was no intended recipient, which communication had been trans- mitted to and immediately deleted from the electronic storage of the BBS by the Petitioner on January 2, 1988, and that said actions of the Re- spondent are contrary to U.S.C., Title 18, ss 2511 (1)(a); U.S.C., Title 18, ss 2511 (1)(d); U.S.C., Title 18, ss 2511 (3)(a); U.S.C., Title 18, ss 2701 (a) and U.S.C., Title 47, ss 605 (a); COUNT II: 13. Petitioner incorporates and realleges paragraphs 1 through 11 and further alleges that the respondent, through the use of said device, caused said restored private electronic communication to be converted to a publicly visible electronic communication, readily accessible by mem- bers of the public, contrary to U.S.C., Title 18, ss 2511 (1)(c); U.S.C. Title 18, 2702 (a) and U.S.C., Title 47, ss 605 (a); COUNT III: 14. Petitioner incorporates and realleges paragraphs 1 through 11 and further alleges that on an undeterminable date in December, 1987 the Respondent through use of an electronic, mechanical, or other device, intentionally or recklessly caused to be made public a private electron- ic communication addressed to the Petitioner, Linda Thompson, without the permission or the knowledge of the sender or of the Petitioner con- trary to U.S.C., Title 18, ss 2511 (1)(a); U.S.C., Title 18, ss 2511 (1) (c); U.S.C., Title 18, ss 2511 (3)(a); U.S.C., Title 18, ss 2701 (a) and U.S.C., Title 47, ss 605 (a). COUNT IV: 15. Petitioner incorporates and realleges paragraphs 1 through 11 and paragraph 13 and further alleges that the Respondent replied in a public electronic communicaiton on the BBS to a private electronic com- munication addressed to the Petitioner, Linda Thompson, thereby disclos- ing certain contents of said electronic communication to members of the public, without the permission of the sender or the recipient, contrary to U.S.C., Title 18, ss 2511 (1)(c); U.S.C., Title 18, 2511 (1)(d); U.S.C., Title 18, ss 2511 (3)(a); U.S.C., Title 18, ss 2701 (a); U.S.C., Title 18, ss 2702 (a) and U.S.C., Title 47, ss 605 (a). COUNT V: 16. Petitioner incorporates and realleges paragraphs 1 through 11 and further alleges that during the month of December, the respondent allowed a person and/or persons unknown to access and view the contents of all electronic communications, both public and private in portions of the electronic storage not readily accessible by members of the general public without the knowledge or permission of the petitioner and to this end, that the Respondent restored certain previously deleted electronic communications of the petitioner and allowed such other person, not the intended recipient of any of such communications, to read such communi- cations, contrary to U.S.C., Title 18, ss 2511 (1)(a); U.S.C., Title 18, ss 2511 (1)(c); U.S.C., Title 18, ss 2511 (1)(d); U.S.C., Title 18, ss 2511 (3)(a); U.S.C., Title 18, ss 2701 (a); U.S.C., Title 18, ss 2702 (a) and U.S.C., Title 47, ss 605 (a). COUNT VI: 17. Petitioner realleges and incorporates paragraphs 1 through 11 and further states that on January 3, 1988, the respondent intentionally altered the access of the petitioner to the electronic communication service, contrary to U.S.C., Title 18, ss 2701 (a); COUNT VII: 18. Petitioner realleges and incorporates paragraphs 1 through 11 and further states that the respondent intentionally prevented the pe- titioner from authorized access to the electronic communication service from January 3, 1988 to January 6, 1988, contrary to U.S.C., Title 18, ss 2701 (a); COUNT VIII: 19. Petitioner realleges and incorporates paragraphs 1 through 18 and further states that on January 6, 1988, the Petitioner requested that the Respondent agree to refrain from any further such actions con- trary to law and the Respondent refused; COUNT IX: 20. Petitioner realleges and incorporates paragraphs 1 through 11 and paragraph 19 and further alleges that on January 6, the respondent intentionally, maliciously or with reckless disregard for the truth, made statements which on their face are damaging to the professional and personal reputation of the Petitioner in public and to another person, subjecting the Petitioner to humiliation, personal anguish and ridicule, and that said conduct of the Respondent was contrary to Statutory and common law of the State of Indiana; COUNT X: 21. Petitioner realleges and incorporates paragraphs 1 through 11 and paragraph 19 and further alleges that on January 8, the Respondent intentionally, maliciously, or with reckless disregard for the truth, made written statements in the form of electronic communications about the Petitioner which on their face are damaging to the professional and personal reputation of the Petitioner to members of the legal profes- sion, subjecting the Petitioner to humiliation, personal anguish and ridicule, and that said conduct of the Respondent was contrary to Statu- tory and common law of the State of Indiana; 22. Petitioner realleges and incorporates paragraphs 1 through 21 and further alleges that all of the facts alleged of the Respondent were committed willfully, knowingly, intentionally or recklessly, and/or for the purpose of direct or indirect commercial advantage of the Respon- dent. WHEREFORE, the Petitioner respectfully prays this Court for a stat- utory award of damages persuant to U.S.C., Title 18, ss 2520 (c)(2)(b) of ten-thousand dollars ($10,000.00) for each of counts I through V, totalling fifty-thousand dollars ($50,000.00); for a statutory award of damages persuant to U.S.C. Title 18, ss 2707 (c) of one-thousand dol- lars ($1,000.00) for each of counts VI and VII, totalling two-thousand dollars ($2,000.00); for a statutory award of damages persuant to U.S.C. Title 47 ss 605 (d)(3)(C)(i)(II) of $250.00 for each of Counts I through V, totalling one-thousand-two-hundred-fifty dollars ($1,250.00); puni- tive damages persuant to U.S.C., Title 47, ss 605 (d)(3)(C)(ii), U.S.C., Title 2520, ss (b)(2) in the amount of fifty-thousand ($50,000); for an award of nine-thousand ($9,000.00) for the damage to Petitioner's per- sonal and professional reputation alleged in Counts IX and X; all to the total amount of one-hundred-twelve-thousand-two-hundred-fifty dollars ($112,250.00) plus interest; and for attorneys fees and costs persuant to U.S.C. Title 18, ss 2520 (b)(3); U.S.C., Title 18 ss 2707 (b)(3); and U.S.C., Title 47, ss 605 (d)(3)(B)(iii); and for any and all other relief just or equitable under the circumstances. Respectfully submitted, Linda Thompson, pro se Petitioner P.O. Box 83 Beech Grove, Indiana 46107 Telephone: [deleted] ============== Okay, there it is. You be Judge Wapner. Would you find for the plain- tiff modem user or for the defendant Sysop? One factor you may want to consider is whether the defendant Sysop intended to change the status? Various facts that will have to brought out is whether the Sysop gave notice that he will make things public and therefore a caller should not send private EMAIL from the particular system in question. Of course, this is somewhat of a rehash of what was discussed before, but it might be interesting to talk about the situation in light of real case. And there are a bunch of other claims (or causes of action) in this situation besides violation of the federal ECPA statute which I could pull out of the puzzle for you later.... ***** CS-ID: #452.issues/legal@PRO-SOL 1675 chars Date: Wed, 30 Mar 88 14:46:19 PST From: ruel (Ruel Hernandez) Subject: The Thompson v. Predaina situation (part 1) THOMPSON V. PREDAINA The BBS/ECPA Lawsuit Case ========================= Okay, let's take an in-depth examination of the Thompson v. Predaina complaint. I'm going to go through it to see how I think the whole situation, not just the complaint, seems to work. Additionally, you will see how the law is supposed to operate in this area in a civil law BBS context. Some criminal law / criminal procedure will be discussed, but the focus of the case here is civil. Since I do not work for either side, and I'm only doing this for the academic exercise, you all will get to see the benefit of my work. For those of you who run a BBS, this should also alert you to what you should not do in running a BBS. All of this assumes you have privacy switches or toggles on the system, i.e., the caller/user of a BBS has the ability to send or receive private messages (or has access to pri- vate user areas), or that there is no type of non-privacy disclaimer warning on the system. In a related area, this should also give folks more of an idea as to when "flames" may cross the boundary line into lawsuit-producing defamation. We'll look at the situation in three parts: (1) federal statutory law, specifically the two claims under the Electronic Communications Privacy Act and the one other claim under a related federal statute; (2) pos- sible application, if any, under state statute -- in California, that would include Penal Code sections 502 and 637, and in Indiana, where the Thompson situation takes place, under a "computer trespass" criminal statute; and (3) general common law tort actions. (continued next message) CS-ID: #453.issues/legal@PRO-SOL 9435 chars Date: Wed, 30 Mar 88 15:02:37 PST From: ruel (Ruel Hernandez) Subject: The Thompson v. Predaina situation (part 2) (continued from last message) FEDERAL STATUTE =============== Essentially, Thompson brings three separate federal claims against Predaina. Two are under what is known as the Electronic Communications Privacy Act of 1986 (ECPA). The third is under the related section of 47 U.S.C. sec. 605 which was amended in 1984 to include encrypted satelite cable broadcasts. ECPA - General Background ------------------------- ECPA is the law that provides federal statutory privacy protection for computer communications both in transmission and while in storage on magnetic media. Generally, here we will be looking at stored communica- tions. Such communications has *no* federal constituational privacy protection due to the fact that there is no objective reasonable expec- tation of privacy in material when a third person has access. In other words, constitutional privacy is shattered for private EMAIL if someone like Sysop or an employee of a commercial online service can readily have access to and look at and read the private EMAIL. This is where ECPA comes along to fill in the "knothole" by saying such private com- puter material is given statutory privacy protection. ECPA was designed in great part as matter of criminal procedure to alleviate the uncertainty of whether a warrant or court order was required by the police to search the "private" communications found on an online system. This is in cases of the commission of felonies and other crimes specified by the statute. ECPA gave various strict guidelines that the police must follow in order to search the private communications. One important thing Sysops must know is that they may be asked to supply a back-up copy of specifically described communica- tions found on the system. They cannot have everything -- only what is specifically described and asked for in a warrant. This would be in line with the constitutional limitations for a warrant. In most cases, they may ask for private communications between person X and person Y. Accordingly, you don't have to give them anything concerning person W. ECPA requires notice be given to the person whose private communications is to be intruded upon unless there are exigent circumstances. The only ways a Sysop to get out from having to comply with the warrant is: (1) if in the case of a state-issued warrant or court order, the State prohibits such issuance; (2) the information sought is unusually voluminous in nature; or (3) compliance would cause an undue burden on the provider/Sysop. All that is when the police come knocking on the Sysop's door to look at private EMAIL. What we are really looking at here is when a private individual sues someone else for intruding upon his private communications. This is when we look at sections 2520 and 2707 of ECPA which each provide two different civil claims. The former covers private communications while in transmission, while the latter when the private communications is stored. Why sue under both? To make sure you catch the wrongdoer whether the communications is still in transmission or after it is stored. 18 U.S.C. sec. 2520 ------------------- Okay, what does the statute say here: "[A]ny person whose wire, oral, or electronic communications is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity which engaged in that violation such relief as may be appropriate." Here the private communications is still in transmission and has been divulged by the wrongdoer to someone other than the intended recipient (or his agent). The civil relief may include: (1) equitable or declaratory relief (respectively, either an injunction telling the person to stop the intrusion or a declaration by the court of the rights and inter- ests involved); (2) punitive damages (such as in the case of an outrageous intentional invasion and disclosure); and (3) reasonable attorney's fees and litigation costs. There are also various other damages allowed in the case of certain sat- ellite and radio transmissions. Complete defenses allowed here are good faith reliance on any of the following: (1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory author- ization (even it turns out to be invalid); (2) a request by an investigative or law enforcement officer in emergency situations such as: (i) immediate danger of death or serious bodily injury to any person, (ii) conspiratorial activities threatening the national security interest, or (iii) conspiratorial activities characteristic of organized crime; or (3) a good faith determination that ECPA allowed the intrusion. Notice that there is a lot of latitude allowed in these defenses so long as there is good faith. Of course, a court would have a lot of discre- tion to see whether certain conduct was in good faith. 18 U.S.C. sec. 2707 ------------------- Okay, what do we have here: "[A]ny provider of electronic communication service, subscriber, or customer aggrieved by any violation of this chapter in which the conduct constituting the violation the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity which engaged in that viola- tion such relief as may be appropriate." The private communications here is stored or "carried or maintained" (such as in the forwarding of EMAIL along Internet, ARPA, UUCP, BITNET, FIDOnet, etc.) that was knowingly accessed and divulged to the public or any third person. A plaintiff could seek the same types of relief as under 18 U.S.C. sec. 2520. In addition, a plaintiff can seek any actual damages suffered by him and any profits made by the wrongdoer as the result of his unlawful access to the private communications (such as someone accessing private financial information and using it to gain a financial advantage he would not have gotten otherwise). However, damages can be no less than $1000. Unauthorized Publication or Use of Communications -- 47 U.S.C., sec. 605 ------------------------------------------------------------------------ 47 U.S.C. sec. 605 provides yet another federal civil action in addi- tion to those allowed under ECPA. This statute was in existence before ECPA. What does this section say: "[N]o person receiving, assisting in re- ceiving, transmitting, or assisting in transmitting, any interstate or foreign communication by wire or radio shall divulge or publish the existence, contents, substance, purport, effect, or meaning thereof, except through authorized channels of transmission or reception, (1) to any person other than the addressee, his agent or attorney, (2) to a person employed or authorized to forward such communication to its destination, (3) to proper accounting or distributing officers of the various communication centers over which the communication may be passed, (4) the master of a ship under whom he is serving, (5) in response to a subpena issue by a court of com- petent jurisdiction, (6) on demand of other lawful authority." .... (There is more with regards to radio communications.) As you can see, this statute is very much related to ECPA. ECPA only further refines the protection with regard to stored communications. There may be some question as to whether stored communications on disk may come under this statute. Most likely the answer will be "yes," since we would be look- ing at individuals charged with handling messages (EMAIL) in the "re- ceiving, assisting in receiving, transmitting, or assisting in transmit- ting" of communications. This may include a Sysop who runs a BBS that is operated to receive and transmit private EMAIL. The persons the statute is aimed at would include some sort of communications, radio, telegraph, telephone or systems operator, or, in the case of a BBS, a Sysop (or someone who has Sysop status to examine, in this case, private EMAIL transmissions). What are the civil remedies allowed under this statute: (1) the plaintiff may get an injunction against the wrongdoer to stop what he is doing; (2) actual damages suffered by the plaintiff, plus any profits made by the wrongdoer who would not have made them if not for the unlawful use of the communications; or (3) statutory damages of $250 for each violation of this statute, but not more than $10,000. Additionally, if a violation was willfully committed and for direct or indirect commercial advantage or private financial gain, a court may increase any award to the plaintiff up to $50,000. The commercial advantage claim would be in Thompson's paragraph 22 of her complaint. However, if it is found that the wrongdoer did not know and had no rea- son to know that his actions constituted a violation of this statute, a judge has the discretion to reduce any award to plaintiff downward to $100. Okay, those are the federal statutes. Now for some state statutes. (continued next message) CS-ID: #454.issues/legal@PRO-SOL 9317 chars Date: Wed, 30 Mar 88 15:17:37 PST From: ruel (Ruel Hernandez) Subject: The Thompson v. Predaina situation (part 3) (continued from last message) STATE STATUTES ============== Here we are going to look at three more statutes. The first is a statute from Indiana since that is where _Thompson_v._Predaina_ takes place. The second two are California statutes since this is an area of most concern to callers of this system (almost all of the callers on PRO-SOL live in California!). Note, as a matter of jurisdiction, usually state statutes say that if a call originates in one state and terminates in another, the offense is committed in both states at both ends of the transmission. So, if an out-of-state user calls into a California computer communications system, and he commits some sort of offense on that system, he is deemed to have committed that offense in California. Indiana State Statute --------------------- There is one criminal statute in Indiana called a "computer tresspass" statute. Ind. Code sec. 35-45-2-3. It says: "A person who knowingly or intentionally accesses: (1) a computer system; (2) a computer net- work; or (3) any part of a computer system or computer network; without the consent of the owner of the computer system or computer network, or the consent of the owner's licensee, commits computer trespass, a Class A misdemeanor." As you can see, this could cover someone illegally using someone else's standalone PC, someone illegally logging in time on mainframe, or some- one illegally using or accessing part of a BBS or a computer network. The coverage is very broad. So, a prosecutor could nail someone for such illegal computer trespass for a misdemeanor. Could someone sue as a private person under this statute? Usually, you would have to look for a section that allows a civil suit by a plaintiff injured as the result of defendant's violation of a criminal statute. Ind. Code sec. 34-5-1-1, R.C.P. 2, may allow such a civil action to "be sought independently of and in addition to the punishment given or relief granted for the public offense." In California, the situation is laid out a little more specifically. California State Statute -- Penal Code Section 502 -------------------------------------------------- California has Penal Code section 502, known as the "Comprehensive Computer Data Access and Fraud Act." Unfortunately, hobbyist-type BBS's may not come under this statute since it appears to be primarily de- signed to protect business, company, or government computers, such as in the prosecution of a cracker invading a bank mainframe computer. But for your information, this is how the statute works in such situations, it provides the imposition of both criminal penalties and civil remedies against "[A]ny person [except an "any person who accesses his or her employer's computer, computer system, or computer network"] who commits ... (1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer net- work in oder to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data. (2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network. (3) Knowingly and without permission uses or causes to be used computer services. (4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a compu- ter, computer system, or computer network. (5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an author- ized computer network. (6) Knowingly and without permission provides or sssists in providing a means of accessing a computer, compu- ter system, or computer network. (7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or com- puter network. There are various criminal penalties allocated to these criminal of- fenses ranging from $250 to $10,000 and imprisonment of less than one year up to three years. A civil remedy is available to the owner or lessee (not licensee as with a user on a BBS) of a system. He may sue for compensatory damages against a wrongdoer ONLY AFTER THAT WRONGDOER HAS BEEN CONVICTED. The willfull misconduct of a child wrongdoer may be imputed to his parents -- thus the parents would be liable for damages caused by the child. As already noted, the California statute does not apply to hobbyist-type BBS's due to the commercial slant of the statute. If there was civil coverage for BBS's (the construction of the statute indicates there isn't any) it would only be after the wrongdoer has been convicted. California's Invasion of Privacy Statutes -- Section 637 -------------------------------------------------------- Another California statute that would look to be applicable to BBS stored-communications situations would be Section 637 of the California Penal Code which states: Every person not a party to a telegraphic or telephonic communica- tion who willfully discloses the contents of a telegraphic or tele- phonic message, or any part thereof, addressed to another person, without the permission of such person unless directed so to do by the lawful order of a court, is punishable by imprisonment in the state prison, or in the county jail not exceeding one year, or by fine not exceeding five thousand dollars ($5000), or by both fine and imprisonment. Section 637.2 of the California Penal Code allows civil action by "Any person who has been injured by a violation of this chapter [specifically Section 637 in our discussion here] may bring an action against the person who committed the violation for the greater of the following amounts: (1) three thousand dollars ($3000). (2) three times the amount of actual damages, if any, sustained by the plaintiff. A plaintiff could also ask for an injunction to stop the wrongdoer. The plaintiff does not have to suffer actual damages to sue under 637.2 -- for instance, he could get the statutory award of $3000 absent actual damages. If there are actual damages, the plaintiff could be awarded treble that amount. So far, it all looks good. Now, the question is "would private EMAIL communications come under this section 637, thus allowing a civil action under 637.2?" There was one interesting section 637 case that may dictate the answer for us. In _People_v._Wilson_, 17 Cal. App. 598, 94 Cal. Rptr. 923 (1971), there was a defendant using an answering service to receive calls from Tijuana with regard to the illegal transport of marijuana. By agreement with the defendant, the answering service was supposed to take all telephone messages meant for the subscriber, reduce the con- tents of the communications down to writing, and then give the messages to the subscriber. A narcotics agent found out about the answering ser- vice and told one of its employees to notify him whenever a call for the defendant came in. If section 637 were to apply, the evidence of messages obtained by the narcotics agent would be suppressed and not be allowed to be used against the defendant in the trial. However, section 637 was found to be inapplicable in this case because the answering service was a party of the telephonic communications and was the addressee of the communications -- people made calls to the an- swering service and not to the defendant. "The fact the answering ser- ice had agreed with defendant to convey messages to him after their re- ceipt does not bring them with purport of section 637." Could a BBS be the same as an answering service and therefore not come under section 637? Well, I'm sure one could see how the analogy would work. A BBS user would have an agreement with a Sysop to receive and send messages on the BBS. Users would call the BBS, and not the other users that they wish to communicate with. The BBS would be the ad- dressee of whatever communications meant to be ultimately accessed or "received" by another user. Likewise the BBS would be the addressee for whatever messages that the user would like to send out. The BBS would be a party to the communication and therefore could disclose the contents of whatever messages it receives and holds for others for purposes of section 637. Certaintly, one could see how the BBS/Sysop-as-a-party-to-the-communica- tion knothole tosses section 637 out of the window. (However, that doesn't mean you can't try to argue that section 637 applies to BBS's.) So you are left with the federal statutory claims and some common law claims (discussed infra). (continued next message) CS-ID: #455.issues/legal@PRO-SOL 11569 chars Date: Wed, 30 Mar 88 15:36:10 PST From: ruel (Ruel Hernandez) Subject: The Thompson v. Predaina situation (part 4) (continued from last message) COMMON LAW ========== Let's go back to the _Thompson_v._Predaina_ complaint to pull out some of the common law state claims that Thompson may be trying to bring into federal court under pendant claims subject matter jurisdiction. She has some explicitly laid out, but others are hidden in the general fact situation that need to be teased out. I really won't dispute why Thompson emphasized some more than others. Okay, what do we have.... Contracts (plus Interference with Contract) ------------------------------------------- There is a possible contracts action that has to be teased out of the situation. The following is is what she says in her complaint, but does not talk about it further as a separate Count for a contracts claim. 11. That at all times material, the Petitioner was an authorized user of the electronic communications service of the Respondent, and had paid the sum of $35.00 as a subscription fee for a one year service in October, 1987 to the Respondent. Here, Thompson is only using this paragraph to show a requirement of federal coverage under ECPA, i.e., that she was an "authorized user" of the BBS and therefore has a right to sue under ECPA. The sentence is divided into two parts by a comma where second part involving the $35.00 subscription fee describes the first part. The $35.00 gives some indi- cation as to her status as an "authorized user." Note, although money may seem to give more credibility to the situation it is not necessarily a requirement for ECPA coverage to apply. Congress took note of free hobbyist-type BBS's when it legislated ECPA. For instance, various lan- guage in ECPA would show coverage for these types of systems including commercial and subscription system. Also, the Senate Report defined "electronic bulletin boards." In part, the Senate wrote, "These noncom- mercial systems may involve fess covering operating costs...." The oper- ative word there is "may" which could be interpreted as "may not." Thus, fees may not be involved and free BBS's would be covered by ECPA. This may seem to be a nitpicky point to some, but people should take note of how ECPA should be interpreted and not be confused as to whether only commercial systems are covered by ECPA. As BBS users may have noticed, many free hobbyist BBS's around the country took note that ECPA covered their systems and Sysops fearful of liability under ECPA either placed ECPA non-privacy disclaimers (that users should call elsewhere if they want to ensure the privacy of whatever EMAIL they send) at the "front doors" of their systems or disabled all user privacy toggles on their systems. Although these disclaimers have been in existence before ECPA, they became more explicit citing section numbers of ECPA after ECPA took effect in January 1987. Okay, why would Thompson want to talk about a contracts claim? Well, to either get her $35 back, or a reasonable amount after deducting the value for the services she got from the BBS before she got kicked off it, or to seek specific performance of the contract to force Predaina to let her back on the system. Why would she not want to talk about it as a separate contracts claim? She may probably get it anyways as actual damages under her federal claims. A tort claim of Interference with Contract could also be drawn out of the situation (where Predaina was intentionally interfering with the contract he had with Thompson to provide BBS services to her). The same reasons for non-inclusion may possibly be because she may get it anyways under her federal claims or as part of "any and all other relief just or equitable under the circumstances" as prayed for at end of her complaint. Defamation ---------- In COUNT IX, Thompson writes: 20. Petitioner realleges and incorporates paragraphs 1 hrough 11 and paragraph 19 and further alleges that on January 6, the respondent intentionally, maliciously or with reckless disregard for the truth, made statements which on their face are damaging to the professional and personal reputation of the Petitioner in public and to another person, subjecting the Petitioner to humiliation, personal anguish and ridicule, and that said conduct of the Respondent was contrary to Statutory and common law of the State of Indiana; A simple common law defamation claim involving private persons is de- fined as an intentional or negligent publication of a false and defama- tory matter to a third person, understood by the third person that the defamatory imputations applied to the plaintiff, and plaintiff has suf- fered damages as a result. Thompson complains that Predaina "intentionally, maliciously or with reckless disregard for the truth, made statements which on their face are damaging to the professional and personal reputation of the Petitioner in public and to another person...." Unfortunately, we need more facts to see what Predaina said. However, presumedly, the statements that Thompson attributes to Predaina were made via the BBS. That would qualify it to be Libel under defamation law, since it was written and could be seen/read by the eye and not heard by the ear as in Slander. More specifically, it would be Libel Per Se since Thompson alleges that the statements were damaging to her professional, or business, reputation. (Defamation Per Se does not require the proof of special damages and general damages are presumed when one makes a defamatory remark about the plaintiff's business, or the plaintiff being associated with either a crime, a loathsome disease, or unchastity.) We don't really know what profession Thompson is in except for what is brought out in a little more detail in the next paragraph (paragraph 21) where Thompson states she is in the "legal profession." (The further significance of this phrase will be talked about a little more in the next discussion section.) So, presumedly, she is either a lawyer, law clerk, law student, or a legal assistant. She may be one of the last three since she is suing pro se i.e., without the assistance of an attorney. Business Tort: Injurious Falsehood ---------------------------------- Business Tort: Interference with Prospective Advantage ------------------------------------------------------ In COUNT X, Plaintiff Thompson writes: 21. Petitioner realleges and incorporates paragraphs 1 through 11 and paragraph 19 and further alleges that on January 8, the Respondent intentionally, maliciously or with reckless disregard for the truth, made written statements in the form of electronic communications about the Petitioner which on their face are damaging to the professional and personal reputation of the Pe- titioner to members of the legal profession, subjecting the Petitioner to humiliation, personal anguish, and ridicule, and that said conduct of the Respondent was contrary to Statutory and common law of the State of Indiana; First, the business tort of Injurious Falsehood (aka Disparagement) is the publication of matter derogatory to a plaintiff's property title, business, or personal affairs, calculated to prevent others from dealing with plaintiff. In other words, defendant said bad things that causes others to not deal with plaintiff. Thompson may be trying to say that as read by members of the legal profession, her job as a legal profes- sional was ruined. She may have to show damages to further substantiate this. Next, there is the business tort of Interference with Prospective Advan- tage deals with one's interference with some expectancy another person has. Thompson's would be arguing that Predaina, by making the defamatory statements which arguably would scare away potential clients of hers, was interferring with her future career as a legal professional, pre- sumedly as an attorney. Why do I catagorize these torts under this Count? Well, Thompson men- tions "legal profession" in the paragraph. That would trigger business- elated tort analysis to me in comparison to the mere mention of the word "professional" (which was already used in the previous paragraph). Infliction of Emotional Distress -------------------------------- Two possible types of Infliction of Emotional Distress claims may be pulled out of above quoted paragraphs 20 and 21. Both say "... subject- ing the Petitioner to humiliation, personal anguish, and ridicule...." There are two types of Infliction of Emotional Distress tort claims: (1) intentional and (2) negligent. Intentional Infliction of Emotional Distress is when one intentionally commits outrageous conduct calculated to cause severe emotional distress in another. Generally, as a modern rule, demonstrable injuries do not have to be proved. Negligent Infliction of Emotional Distress is where one breaches his duty to not subject another to foreseeable risk of harm that may fore- seeably result in emotional distress. Some jurisdictions require some sort of impact (she got hit), or a physical manisfestation of the emotional distress, or only that she be within the "zone of danger," or perceive harm to a close family member (or immediately come upon some accident to a close family member). Could it be one or the other or both? Most likely, Thompson may be trying to argue Intentional Infliction of Emotional Distress so she could ensure getting punitive damages. In both paragraphs 20 and 21, she writes that Thompson's conduct was "intentionally, maliciously or with reckless disregard for the truth..." That may arguably constitute outrageous conduct. Further, in both para- graphs, she writes "... subjecting the Petitioner to humiliation, per- onal anguish, and ridicule...." That may show severe emotional distress. Could it be Negligent Infliction of Emotional Distress? Maybe. Predaina would have a duty to not make defamatory remarks about Thompson which could possibly cause her suffer foreseeable emotional distress. Which one could it be? Well, maybe Intentional Infliction of Emotional Distress since Thompson is also trying to get punitive damages which are usually granted to punish the outrageous conduct of a defendant. How- ever, she may be trying to get punitive damages elsewhere under her federal claims, if there is enough outrageous conduct there to allow it. Perhaps there is in light of an alleged intentional and knowing disclosure of private communications to the public. Invasion of Privacy: Public Disclosure of Private Facts ------------------------------------------------------- A tort claim of Public Disclosure of Private Facts would underlie Thompson's complaint. As the name of the tort implies, it is the defen- dant's public disclosure of private facts about the plaintiff without the plaintiff's consent. Truth is no defense here as it would be in de- famation. No special damages have to be shown. Emotional distress could play a resulting factor here also. In the situation where a Sysop hits a switch and turns a private message into public, the private message may contain facts that would be consi- dered so private that no one would discuss them in public. Although we don't have enough facts as to what was disclosed, we can only imagine that the messages were indeed of a very, very private nature. Accord- ingly, it would not be socially acceptable to disclose them. (continued next message) CS-ID: #456.issues/legal@PRO-SOL 1017 chars Date: Wed, 30 Mar 88 15:38:41 PST From: ruel (Ruel Hernandez) Subject: The Thompson v. Predaina situation (part 5) (continued from last message) PRECEDENT? ========== Thompson v. Predaina is an interesting situation. Whatever the result of the case may be, we won't know for a while until it comes out in the federal reporters. Would this be a precedent setting case? Certainly as the first case under ECPA and also the first BBS case under 47 U.S.C. sec. 605, which has been used most recently, due to an 1984 amendment, to crack down on those stealing encrypted satellite cable broadcasts. The most interest- ing thing to see is how the judge actually applies the federal statutes to the BBS situation. However that is only if the case actually goes to trial. It may go to trial or it may settle out of court. Depending on the evidence, Thompson may win and the Sysop involved may have to byte some electronic dust in the form of paying out hard cash. ECPA was designed to prevent/punish/remedy situations like this. What- ever the true facts are, we'll have to wait and see what happens in this case. (end) ***** CS-ID: #461.issues/legal@PRO-SOL 11954 chars Date: Thu, 31 Mar 88 18:59:14 PST From: ruel (Ruel Hernandez) Subject: ECPA Application to Corporate Systems? Comment: to #457 by brock In this posting, I'm going to tackle the cumbersome question of whether ECPA could be found to apply to corporate computer communications sys- tems. My answer will be both "yes" and "no." That is, there will be a catch. In other words, ECPA applies, but not always. Some may want to think about this if they have access to a company computer system that has something like "private" EMAIL facilities on it. This would be the corporate "big brother" aspect allowed under ECPA. (Brock, as awful as it sounds, I think you're going to like what I dug up to both confirm and deny what you previously said on this point.) First, the network exception will be tossed out of the way (really nothing to do with the corporate situation). Second, the cracker and the corporate online system will be looked at (the "yes" answer). And, third, the "corporate big brother" situation will be discussed (the "no" answer). Nit(Net)Picky Exception ----------------------- First let's get one nitpicky situation out of the way. Specifically, let's take a look at what Counsel Meeks said about 18 U.S.C. sec 2702(b)(4) (disclosures "to a person employed or authorized or whose facilities are used to forward such communication to its destination"). Brock says that this section says that ECPA protection is inapplicable to corporate systems. On the contrary, this section only deals with the "efficient operation of the communications system" as directed by the legislative history found in the Senate Report. S. Rep. No. 541, 99th Cong., 2d Sess. 37 _reprinted_in_ 1986 U.S. Code Cong. & Ad. News 3591. The Senate Report says nothing more here as to applying or not applying to corpor- ate systems on this point. It seems to be more applicable to situations involving the different nets. It may seem like "open season" on the "open network highways", but it is more like the typical free or fee- ased BBS or commercial public online service situation where good faith standards may apply in quality control checks, etc. Perhaps the more applicable section would be 18 U.S.C. sec. 2701(c)(1) which will be discussed infra in the section entitled "The Corporate Big Brother Situation." The Cracker Situation --------------------- In general, with reference to what Brock said about ECPA's original drafters not applying to corporate systems at all, one could say that if they intended ECPA to not apply in all instances, why didn't they say so. They seemed to have let there be some protection with regard to cracker or unauthorized employee situations. First, let's do a little statutory construction and, second, some legislative history. First, as to statutory construction, there's 18 U.S.C. sec. 2511(2)(g): It shall not be unlawful under this chapter or chapter 121 of this title for any person (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is _readily_acces- sible_to_the_general_public._ A fair reading of this section would say that if the electronic communi- cation, or even the whole electronic communication system is not readily accessible to the general public, then a cracker or an unauthorized em- ployee to intercept communications would be unlawful under ECPA. What does the legislative history of ECPA tell us? In the "Statement" section of the Senate Report, in talking about the then pre-ECPA state of the law, the Senate writes, ... there is no comparable Federal statutory standards to protect the privacy and security of communications transmitted by new non-common carrier communications services or new forms of telecommunications and computer technology. The is so even though American citizens and American businesses are using these new forms of tech- nology in lieu of, or side-by-side with, first class mail and common carrier telephone services. It seems to me that the intent was to equate wholly private systems with public-type systems. Furthermore, in the "Purpose" section of the Senate Report, we have the following paragraph: Today we have large-scale electronic mail opera- tions, computer-to-computer data transmissions, cellular and cordless telephones, paging devices and video tele- conferencing. A phone call can be carried by wire, by microwave or fiber optics. It can be transmitted in the form of digitized voice, data or video. Since the dives- titure of AT&T and deregulation, many different companies, not just common carriers, offer a wide variety of tele- phone and other communication services. It does not make sense that a phone call transmitted via common carrier is protected by the current federal wiretap statute [pre- ECPA], while the same phone call transmitted via a private telephone network such as those used by many major U.S. corporations today, would not be covered by the statute. S. Rep. No. 541, 99th Cong., 2d Sess. 2-3 _reprinted_in_ 1986 U.S. Code Cong. & Ad. News 3557. Again, our federal legislature seems to be saying that both publicly accessible systems and wholly private corporate systems are to be treated the same. The legislative history goes one step further when the Congress amended amended the definition of "wire communications" to include "communica- tion affecting interstate or foreign commerce" in 18 U.S.C. sec 2510(1), the new "language recognizes that private networks and intra-company communications systems are common today and brings them within the pro- tection of the statute." S. Rep. No. 541, 99th Cong., 2d Sess. 12 re- printed in 1986 U.S. Code Cong. & Ad. News 3566, emphasis added. Al- though the definition applied to voice communications, this was further evidence to show the intent of the Congress that ECPA applied to a va- riety of systems both public and private, including corporate systems. With specific attention to stored communications, particularly stored electronic communications, added several new sections of law, including 18 U.S.C. sec. 2701 to address "the growing problem of unauthorized persons deliberately gaining access to, and sometimes tampering with, electronic or wire communications that are not intended to be available to the_public." S. Rep. No. 541, 99th Cong., 2d Sess. 35 reprinted in 1986 U.S. Code Cong. & Ad. News 3589, emphasis added. In a few paragraphs later, the legislative history then notes the dif- ferences "between offenses committed for purposes of commercial advan- tage, malicious destruction or damage, or for private commercial gain and all other types of violation." S. Rep. No. 541, 99th Cong., 2d Sess. 36 reprinted in 1986 U.S. Code Cong. & Ad. News 3590. Although "pri- vate commercial gain" may include logging unauthorized time on a paid subscription service with a stolen password, "commercial advantage ... and other types of violation" may include unlawfully accessing a closed, private company computer to gain company trade secrets. The Corporate Big Brother Situation? ------------------------------------ One confusing point may be with regards to 18 U.S.C. sec. 2701(c)(1) which provides that although it may be illegal to access or exceed authorized access to a system (and then possibly do some damage in addition to prying into someone's electronic communication), "the person or entity providing a wire or electronic communications service" would not be liable for any offenses regarding stored communications (voice mail, EMAIL, anything recorded). This exception (as well another excep- tion where the user authorized conduct which would otherwise be an of- fense) only applies to access, and any damage resulting, but not divul- ging whatever information obtained. That is taken up in section 2702. Common sense would say that these persons or entities providing elec- tronic communications services may be found to have to follow good faith standards as defined throughout ECPA and as talked about previously with regard to free or fee-based hobbyist-type BBS's. Unfortunately, it may not be that simple with regard to corporate sys- tems. The exceptions do say that there is no offense if "person or entity providing a wire or electronic communications service" goes prying through everything in the system and not for quality control checks. Section 2701(c)(1) would appear to be the statutory license allowing corporate Big Brother to shift through private EMAIL on the company computer to check up on its employees. How about another big hole for corporate Big Brother to step through? Let's take a look at 18 U.S.C. 2511(2)(a)(i) which deals with voice communications (called "wire communications" or "aural transfers" in ECPA): It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic commun- ication service, whose facilities are used in the transmission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activ- ity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitor- ing except for mechanical or service quality control checks. There are two parts to this section (as divided here). First, there is the rule and, second, there is the exception. The rule appears to be reasonable as to what someone like a telephone operator can do so long as it is in "the normal course of his employ- ment" or "to the protection of the rights or property of the provider of that service." That seems acceptable. The exception says that only "a provider of wire communication service to the public," most likely a telephone company, can do no more than observe or do any random monitoring except for mechanical or service quality control checks. Again, wire communication can be generally be equated to voice calls. So, possibly, the boss of a company's in-house phone network may direct eavesdropping on company employee's phone calls within the system. Unfortunately, case law dealing with employee privacy tends to be in line with how ECPA works out for employee privacy in a corporate Big Brother situations. Too bad. Conclusion and Lingering Questions ---------------------------------- So, does ECPA apply to corporate computer communications systems? Well, the answer is both "yes" and "no." ECPA would protect private corporate online systems from crackers and unauthorized employees. But it may not protect an employee's private EMAIL from being looked at by the boss who owns the system and is therefore the person or entity providing the in- house electronic communications service. Perhaps rightly so, the section 2701(c)(1) exception, as well as section 2511(2)(a)(i), may acknowledge an employer's private property rights, but the unions would not like it. Of course, there may be provisions in an employment contract waiving any possible privacy protection, if any, against employer snooping in pri- vate EMAIL. Now, I can easily see how this "yes" and "no" application of ECPA applies to in-house corporate online systems. But what about contract set-ups, such as a business setting up a private company area on a normally public commercial system such as Portal? Is the employer/com- pany still a "person or entity providing a wire or electronic communica- tions service" to which the section 2701(c)(1) section is to apply? Or do we have a "yes" and "yes" application of ECPA, i.e., full ECPA pro- tection? (end) ***** CS-ID: #464.issues/legal@PRO-SOL 10603 chars Date: Fri, 1 Apr 88 00:25:15 PST From: ruel (Ruel Hernandez) Subject: Online Privacy -- One Last Time WARNING: some may find the issue discussed in this posting to be ridiculous, so only take a look at the first two paragraphs and if it seems worth your while to read, well, read on. If not, ^C and move on to another message or conference. It may sound so commonsensical to some that it may not be worth reading.) I think we may have run just about the full gamut of privacy in the BBS/online context. What I think the "last" question that should be addressed here regarding online privacy is what happens if the intended recipient of private EMAIL discloses the contents of that communica- tion. Has anyone's privacy been breached? Well, I would think so. However, was there some sort of violation under any law? Well, I really don't think so. I got this issue on PORTAL. PORTAL is fabulous online service available via TELENET. Has screen emulations, USENET and intermail access and a-okay chat facilities. On PORTAL, there is a flaming discussion going on where someone is ranting and raving about how someone else should not be trying to distribute copyrighted software via PORTAL. A lot of people flamed down on him via EMAIL and he decided to post those "private" messages. One of the public conference messages in this brawling discussion asked about whether this was legal to do so. So we have the problem. Is it an offense for someone to disclose the contents of a private message addressed to himself? For some this may sound like a ridiculous question to ask. For others, particularly a sender of one of those publicly posted but formerly private messages, this is an important matter. For anyone with the academic interest, this takes the privacy question, and related matters, a step further. I will look at this in four parts: (1) federal law, what looked at already; (2) a little criminal procedure; (3) common law; and (4) copyright law (in the context of the publicly posted private EMAIL, and not that of the unlawful distribution of copyrighted software). Again, this is all an academic exercise for me. Take it all as you will. I'm sure you may find the conclusions I came up with to be as ridiculous as I found them to be. (Sometimes the analysis leads to something that doesn't seem right, but nevertheless, it seems to be analytically correct. Yuck.) Federal Law ----------- Okay what does the federal law say here regarding a recipient's disclo- sure of private EMAIL he received? At first blush, ECPA seems to be inapplicable to this issue. After we go through this you'll see why. Let's review how ECPA works. ECPA protects private wire and electronic communications both while in transmission and as stored communications. While in transmission, the general rule in 18 U.S.C. sec. 2511 is that it is an offense to _intercept_ private communications. That is before receipt of the communications. In our situation here, we are talking about what happens after receipt. No application. While stored, the general rule in 18 U.S.C. sec. 2701 is that it is an offense to intentionally access without authorization or to intention- ally exceed one's authorization in accessing a facility. Here, the in- tended recipient of a private message has authority and generally does not exceed it in accessing a system and receiving a private message in- tended for him. No application. Now, the corrollory to section 2701 is in 18 U.S.C. sec. 2702 which is that generally it is an offense for a person or entity providing an electronic communications service to knowingly disclose the contents of a private message except to an addressee or intended recipient, or his agent, to someone else with the consent of the addressee, intended recipient, or agent, to someone employed or authorized or whose facili- ties are used to forward the message to another place, to the police, based on a warrant or court order or if inadvertantly found and appears to relate to a crime plus a few other exceptions including to the rights and property of the online provider, etc., etc. This section is aimed at at punishing a bad provider. The recipient of private EMAIL cannot be an offending party under this section. (Unless he helped the provi- der out in committing the offense??? Naah, he would be giving the pro- vider permission to look at his private EMAIL.) No application. Previously, we also looked at 18 U.S.C. sec. 605, which dealt with unauthorized publication. This is more of a transmission/intercept type statute where the communications is on its way to its intended recipi- ent. Someone along the communications line "receiving, assisting in receiving, transmitting, or assisting in transmitting" the communica- tions takes it and publishes it or uses it in an unauthorized fashion, such as capturing and illegally decoding encrypted satellite cable broadcasts or someone along an online network (INTERNET, OPUS, FIDO, ARPA, etc.) snagging a private message off the line and making it pub- lic. Our situation, here again, is after the communications has gone through this situation and is now received by the intended recipient. No application. See, this is ridiculous. Criminal Procedure ------------------ One general rule is that if you talk to someone, particularly a cop, you take the risk of any confidential information you tell him will be dis- closed to others. You take the risk of his testifying as to any admis- sions you may make to him. This is all before an arrest so the 5th Amendment right against self-incrimination does not vest yet and no Miranda warnings are needed. Most assuredly, one could see an analogy in a civil tattletail situa- tion. Youse takes the risk with whatever private material you send to another person. Common Law ---------- If you remember the Public Disclosure of Private Facts discussion from the previous messages on Thompson v. Predaina, well that's most likely the only analysis that would fall into this category. The questions to be asked here with regard to a recipient's public posting of private messages he received from someone else are: (1) how private are the facts; and (2) how socially acceptable or unacceptable are they to be disclosed. Copyright Law ------------- We'll generally be looking at the old common law copyright law first. Under the old common law copyright law, before the changes in federal copyright law, you had a right known as "the right of first publication." Under the old federal copyright law, in order to secure federal statutory copyright protection, you had to actually publish your work. (Now, under the modern federal copyright, you have a copyright as soon as you put something down on paper (or on disk, or in ram, etc.) and you can secure your copyright protection (and get your ticket to sue in court) by registering a copyright on an unpublished work.) Well, in the old days, to protect your work before it was published, you had to turn to the common law copyright. You could sue someone for usurping your right to first publication of your previously unpublished work that the other person stole and then published. This common law copyright relates to the general right of a person to be let alone. As applied to letters (hardcopy correspondence sent through the U.S. Mail, for anyone who has forgotten :-) ), the rule was summarized by Sir James Stephens in 1878: A person who writes and sends a letter to another retains his copyright in such letter, except in so far as the par- ticular circumstances of the case may given a right to publish such letter to the person addressed, ... but the property in the material on which the letter is written passes to the person to whom it is sent, so as to entitle him to destroy or transfer it. So, the sender owns the rights to the writing but the recipient owns the material it is written on. How does that work in the electronic mag- netic media of BBS's and online computer services? The application seems that the BBS Sysop or the online service owns the disk media, of course, and the sender owns the common law copyright in his writing. What about the recipient? What does he get? Well, certainly he does get the right to read the message that was sent to him. But does the recipient get to post that private message publicly in an open electronic conference or forum?? Well this is when we start talking about those two magic words in copy- right: "FAIR USE." So much has been said and written about fair use. A gross shorthand way of determining whether something constitutes fair use or a copyright infringement is generally based on the economic effect of the use. Is there commercial exploitation, how minimal is any effect on the market, how valuable or invaluable is the work, how much money is there to be made or lost? As an example, let's look at _Diamond_v._Am-Law_Publishing_Corp._, 745 F.2d 142 (2d Cir. 1984). There, a magazine, The American Lawyer, received a nasty letter from a person who criticized one of its articles that was written about that person. He said the magazine could publish his letter, but only with limited permission: "You are authorized to published this letter but only in its entirety." The magazine only pub- lished excerpts, cutting out the part attacking the magazine and the editor. The court there said that was fair use. There was little if any money to made on a letter to the editor. So, is there fair use here when someone publicly posts a messages he received via private EMAIL? Well, yes, so it would seem. There may be hard feelings and a lot of upset people, but they probably cannot suc- ceed in suing you unless a lot of money is involved, such as in corpor- ate insider information. Also, depending on the money involved, if any, you would essentially have the same result under federal statutory copy- right law. Conclusion ---------- Sounds terrible doesn't it -- that once the "private" EMAIL messages you send are received, you can't really protect your "privacy" rights in them. You take the risk someone will disclose what you send to them to the world. Fortunately, social morals and customs, as well as social pressures, come in to save the day, for the most part, to temper or cause one to stop doing such nasty things. That's what happened on portal when the user there (in good taste, but after receiving some nasty hate mail) stopped posting the private EMAIL he got from other people and only posted his side of the "private" discussions. CS-ID: #465.issues/legal@PRO-SOL 313 chars Date: Fri, 1 Apr 88 09:25:15 PST From: ruel (Ruel Hernandez) Subject: Re: Online Privacy -- One Last Time (a little clarification) Comment: to #464 by ruel Just one clarification on the tort of Public Disclosure of Private Facts. That generally deals with extremely personal facts that are typically kept private to prevent social embarrassment, such as in keeping it private within the family that Aunt so-and-so used to be in the insane asylum. That sort of thing. ***** CS-ID: #468.issues/legal@PRO-SOL 7153 chars Date: Sat, 2 Apr 88 13:58:59 PST From: ruel (Ruel Hernandez) Subject: Privacy (just one more tidbit) -- Employer Monitoring This is from RISKS DIGEST 6.23 (from sometime in February): ------------------------------ From: wolit@research.att.com Date: Tue, 9 Feb 88 15:45 EST Subject: OTA Report: The Electronic Supervisor The U.S. Congress, Office of Technology Assessment recently released a report on computer-based monitoring in the workplace entitled, "The Electronic Supervisor: New Technology, New Tensions," OTA-CIT-333 (Washington, DC: U.S. Government Printing Office, September, 1987). The following is from the Foreword: "The Electronic Supervisor: New Technology, New Tensions" deals with the use of computer-based technologies to measure how fast or how accurately employees work. New computer-based office systems are giving employers new ways to supervise job performance and control employees' use of telephones, but such systems are also controversial because they generate such detailed information about the employees they monitor. This assessment explores a broad range of questions related to the use of new technology in the workplace and its effects on privacy, civil liberties, and quality of working life. The assessment reports six findings: 1. Computer technology makes possible the continuous collection and analysis of management information about work performance and equipment use. This information is useful to managers in managing resources, planning workloads, and reducing costs. When it is applied to individual employees, however, the intensity and continuousness of computer-based monitoring raises questions about privacy, fairness, and quality of work life. 2. Computer-based systems offer opportunities for organizing work in new ways, as well as means of monitoring it more intensively. Electronic monitoring is most likely to raise opposition among workers when it is imposed without worker participation, when standards are perceived as unfair, or when performance records are used punitively. Worker involvement in design and implementation of monitoring programs can result in greater acceptance by workers, but despite activities of labor unions in some industries and recent progress in labor-management cooperation in others, most firms do not have mechanisms to do this. 3. There is reason to believe that electronically monitoring the quantity or speed of work contributes to stress and stress-related illness, although there is still little research separating the effects of monitoring from job design, equipment design, lighting, machine pacing, and other potentially stressful aspects of computer-based office work. 4. Monitoring the content of messages raises a different set of issues. Some employers say that service observation (listening to or recording the content of employees' telephone conversations with customers) helps assure quality and correctness of information and by protecting all parties in case of dispute. However, service observation also impacts the privacy of the customer, and workers and labor organizations have argued that it contributes to the stress of the employee, and creates an atmosphere of distrust. Monitoring the content of electronic mail messages or personal computer (PC) diskettes also raises privacy issues. 5. Telephone call accounting (computer-generated records of the time, duration, destination, and cost of calls) gives employers a powerful tool for managing the costs of telephone systems. However, it raises privacy questions when accounting records are used to track calling habits of individuals. Other cost control technologies can be used to limit nonbusiness uses of telephones, either instead of or in addition to call accounting. Establishing a policy for use of these technologies will be especially important for the Government as it builds a new Federal Telephone System. 6. Electronic monitoring is only one of a range of technologies used in today's workplace to gather information about the work process or to predict work quality based on personal characteristics of the workers. Many applications of technology, including polygraph testing, drug testing, genetic screening, and, possibly, brain wave testing, illustrate the tension between employers' rights to manage their enterprise, reduce costs, and reduce liability, and the employees' rights to preserve individual privacy and autonomy. Recent concerns of employers, labor unions, civil liberties groups, the courts, and individual workers suggest that a range of workplace privacy issues are in need of resolution. A discussion of this report and this topic in general might be appropri- ate for this newsgroup. Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit (Affiliation given for identification purposes only) ------------------------------ Note the fourth and the fifth findings. The fourth finding, regarding "Monitoring the content of electronic mail messages or personal computer (PC) diskettes also raises privacy issues." This is what we have discussed already with regards to ECPA. The fifth finding concerning "accounting records are used to track calling habits of individuals [i.e., employees in the workplace]" is much like the situation where an employer may have a "spy box" tracking who made what call when, to what number (toll, long distance, or preferrably local), and for how long. In the criminal procedure context, there is generally no reasonable expectation of privacy in such tracking information. It is much like someone trailing another so long as the other person is out in "public." There is no content to be examined, only names and numbers. In the BBS situation, under ECPA, a Sysop could disclose information about a user (except for communications and passwords) to any person other than to the government. The Senate Report gives examples of disclosures in "the normal course of business, such information as customer lists and payments...." S. Rep. No. 541, 99th Cong., 2d Sess. 38 reprinted in 1986 U.S. Code Cong. & Ad. News 3592. Therefore there is no offense when a Sysop says so-and-so called this system on such-and-such a date and at such-and-such a time. So, "who" lists and previous login lists are okay. However, if the government wants the information, they have to get a subpoena, or court order. Of course, by personal obligation, promise, or contract, the Sysop may have taken it upon himself to not make any non-governmental public disclosures. Geez, I'm going to have to hunt that OTA report down. Other than that, this should cover just about everything now regarding online privacy. --------------------------------- end ----------------------------------