Text File | 1994-07-26 | 22KB | 462 lines
--- Following message extracted from SYSOP18 @ 1:374/14 ---
By Christopher Baker on Thu Jul 21 01:23:11 1994
From: Michael Hess
To: Floyd Drennon
Date: 19 Jul 94 20:03:00
Subj: Final word on BBS's and the ECPA 1/2
Floyd Drennon requested a closed session to tell Michael Hess:
FD> Hi Michael,
FD> 15 Jul 94, 18:00, Michael Hess wrote to Paul Nebeling:
MH>> attorney in your specific area for a legal opinion. I did. That's how
MH>> I got my opinion. From several attorneys.
FD> And for everyone you find to support your position, someone else can find
FD> another who will say exactly the opposite. Bottom line - there hasn't
FD> been a definitive case concerning a hobbyist board so any advice you
FD> receive at this point will be the unfounded opinion of the person
FD> providing it.
Here is my .02 cents worth that cost me about $20.00 today to compile. I'm sure
after reading it you and others may have a different outlook when trying to
deny that the ECPA of 1986 has no application:
AMATEUR BBS NETWORK APPLICATION OF THE ELECTRONIC
COMMUNICATIONS PRIVACY ACT OF 1986: BOON OR BANE?
=================================================
By Michael Hess, copyright 1994
9:05 a.m. July 19th, 1994
FEDERAL INFORMATION CENTER......................(800) 726-4995
Notes: Has no information or referral about ECPA 1986.
===
9:12 a.m.
FEDERAL COMMUNICATIONS COMMISSION...............(202) 418-0200
(PUBLIC AFFAIRS) 1919 M St. NW, Washington DC 20554
Notes: Has no idea what the ECPA 1986 is. So I looked in my trusty
database and called the:
===
9:20 a.m.
NATIONAL CRIMINAL JUSTICE REFERENCE SERVICE
BOX 6000 ROCKVILLE, MD.........................(301) 251-5500
Notes: Central clearinghouse for information on law enforcement and
criminal justice. Publishes bulletins and reports, provides
computer searches.
One relevant reference: End Run Around the Fourth Amendment; Why Roving
Surveillance Order is Un-Constitutional. 1990, Vol. 28 1990 American
Criminal Justice pp. 143-160.
Database only reaches up to 1990, no reference to Jackson Games v.
Secret Service 1990 as of yet. Referred me to the:
===
9:35 a.m.
FLORIDA DEPARTMENT of LAW ENFORCEMENT, COMPUTER CRIME DIVISION
contact: Jeff Herig.............................(904) 922-0739
Notes: Jeff could only offer a personal opinion. He wonders why in the
world folks in an amateur network would think their policy would negate
federal law?
His opinion is if a reasonable expectation of privacy exists then a
communication would be covered by the ECPA. This would include private
sysop comment areas, sysop mail areas, any communication that is not
readily accessible to the public.
As an aside, many of the training sessions that Jeff attends make
repeated reference to the Steve Jackson Games case. The training
sessions make it clear that electronic mail IS protected by the
Electronic Communications Privacy Act of 1986 and that investigators are
to keep the ECPA and particulars of the Steve Jackson Games case firmly
in mind when investigating a BBS. Then referred me to the:
===
11:03 a.m.
UNITED STATES DEPARTMENT of JUSTICE, COMPUTER CRIMES DIVISION
Dan Schneider...................................(202) 514-1026
Notes: Dan could not give specific advice either. However, he made it
clear that a company, group, or amateur policy can NOT supersede or
negate federal law. He took notes and is checking with his superior and
will get back to me.
===
11:25 a.m.
While I'm waiting let's see what we have learned so far and how we can
apply it.
The test keeps coming back to expectation of privacy and the
Fourth Amendment. For instance, our local Net 375 1.10 policy states:
"...fraternization. This conference (SYSOP375) is to be
kept private; only the sysop and co-sysop may have read
or read/write access to it. There are many other local..."
It would seem that there may be a reasonable expectation of privacy at
the local level. Does the policy above this (Region 18 1.06 policy)
negate this at a regional level? This policy states:
8. Local Net Policies
"It is the responsibility of each net to determine the method
of selecting coordinators for that net. Nets are encouraged
to formulate local policies describing the method and (if
appropriate) the timing of this process, as well as any
other local procedural issues deemed appropriate by the net
membership. No local net policy may conflict with existing
policies at the region, zone or interzone level..."
It appears that at least in one section of the regional policy that
a local net policy defers to the zone or interzone level, no other
search appears necessary. The relevant section in International
FidoNet 4.07 policy is as follows:
2.1.6 Private Netmail
"...The word "private" should be used with great care, especially
with users of a BBS. Some countries have laws which deal with
"private mail", and it should be made clear that the word
"private" does not imply that no person other than the recipient
can read messages. Sysops who cannot provide this distinction
should consider not offering users the option of "private mail..."
Today's BBS software has many improved features, especially in security
and mail handling ability. Many sysops participate in sysop only message
conferences. The exclusion of the general user public is accomplished by
security levels or other means through the software package. Many systems
also use email software as a "front end" that may handle the reading
of a sysop only area [or use a third piece of software, a "sysop editor"]
or other private conferences without ever passing these to the BBS
software that offers public areas.
..."If a user sends a "private message", the user has no control
over the number of intermediate systems through which that
message is routed. A sysop who sends a message to another
sysop can control this aspect by sending the message direct
to the recipient's system, thus guaranteeing that only the
recipient or another individual to whom that sysop has given
authorization can read the message. Thus, a sysop may have
different expectations than a casual user..."
International FidoNet policy further points out however that a "sysop
may have different expectations than a casual user." It would seem on
the face of it that a sysop in Net 375 would have a reasonable
expectation of privacy based on three written organizational policies
and indeed the Fourth Amendment and the ECPA.
Would the level of reasonable expectation of privacy diminish when
applied to a closed or restricted message conference on a regional or
North American scale? It does not seem so based on the volume of email
in administrative conferences when the question of opening them to the
general public arises. Thus it can be deduced that for a sysop, whether
at a local, regional or North American level at the least, the technology
does indeed exist and is in general use to exclude the general user public
from access to certain message conferences.
2.1.6.1 No Disclosure of in-transit mail
"...Disclosing or in any way using information contained in private
netmail traffic not addressed to you or written by you is
considered annoying behavior, unless the traffic has been released
by the author or the recipient as a part of a formal policy
complaint. This does not apply to echomail which is by definition
a broadcast medium, and where private mail is often used to keep
a sysop-only area restricted..."
International FidoNet policy makes three important distinctions in the
above. Disclosing private netmail when you are not the intended
recipient or the recipient's authorized agent is prohibited and well
within [at least] US law. Secondly, "echomail" is excluded from the
"no disclosure" clause with a dubious caveat that "private mail" in a
sysop only message conference is also exempt.
This again, at least in the US, brings up the Fourth Amendment. If a
person can show a reasonable expectation of privacy, and further show
that that privacy was breached, they may have a reasonable expectation
of redress.
Excerpts from Jackson Games v. Secret Service bear this out:
"...The Secret Service denies that its personnel or its delegates
read the private electronic communications stored in the seized
materials and specifically allege that this information was
reviewed by use of key search words only. Additionally, the Secret
Service denies the deletion of any information seized with two
exceptions of "sensitive" or "illegal" information, the deletion of
which was consented to by Steve Jackson. However, the
preponderance of the evidence, including common sense 5,
establishes that the Secret Service personnel or its delegates did
read all electronic communications seized and did delete certain
information and communications in addition to the two documents
admitted deleted. The deletions by the Secret Service, other than
the two documents consented to by Steve Jackson, were done without
consent and cannot be justified..."
Judge Sparks makes it clear that reading and deleting electronic
communications "cannot be justified."
"...Elizabeth McCoy, Walter Milliken and Steffan O'Sullivan also
allege compensatory damages. These Plaintiffs all had stored
electronic communications, or E-mail, on the Illuminati bulletin
board at the time of seizure. All three of these Plaintiffs
testified that they had public and private communications in
storage at the time of the seizure. Steve Jackson, Elizabeth McCoy,
Walter Milliken and Steffan O'Sullivan all testified that
following June of 1990 some of their stored electronic
communications, or E-mail, had been deleted. It is clear, as
hereinafter set out, that the conduct of the United States Secret
Service violated two of the three statutes which the causes of
action of the Plaintiffs are based and, therefore, there are
statutory damages involved, but the Court declines to find from a
preponderance of the evidence that any of the individual Plaintiffs
sustained any compensatory damages..."
The folks above who were rewarded statutory damages had both "public and
private" stored communications. Judge Sparks does not make a distinction
in his awarding statutory damages between "public" or "private"
communications.
"...destruction in some manner. Notwithstanding that any alteration
or destruction by Blankenship, Steve Jackson, or anyone else would
constitute a criminal offense under this statute, Foley and the
Secret Service seized -- not just obtained disclosure of the
content -- all of the electronic communications stored in the
Illuminati bulletin board involving the Plaintiffs in this case.
This conduct exceeded the Government's authority under the
statute."
"The Government Defendants contend there is no liability for
alleged violation of the statute as Foley and the Secret Service
had a "good faith" reliance on the February 28, 1990, court
order/search warrant. The Court declines to find this defense by a
preponderance of the evidence in this case."
"Steve Jackson Games, Incorporated, as the provider and each
individual Plaintiffs as either subscribers or customers were
"aggrieved" by the conduct of the Secret Service in the violation
of this statute. While the Court declines to find from a
preponderance of the credible evidence the compensatory damages
sought by each Plaintiff, the Court will assess the statutory
damages of $1,000.00 for each Plaintiff..."
Sam Sparks, the United States District Judge who heard this case made it
clear that the Secret Service was not acting properly when it seized,
read and deleted stored electronic communications. And that "anyone else"
doing it "...would constitute a criminal offense under this statute."
Early in the opinion it was established that a BBS was indeed a "remote
computing service" in part:
"...of the law's applicability under the facts of this case. Steve
Jackson Games, Inc., through its Illuminati bulletin board
services, was a "remote computing service" within the definition of
Section 2711, and, therefore, the only procedure available to the
Secret Service to obtain "disclosure" of the contents of electronic
communications was to comply with this statute. See, 18 U.S.C.
2703. Agent Foley and the Secret Service, however, wanted more
electronic communications, both public and private. A court order
for such disclosure is only to issue if "there is a reason to
believe the contents of a[n] . . . electronic communication . are
relevant to a legitimate law enforcement inquiry." See, 18 U.S.C.
S 2703(d). Agent Foley did not advise the United States
Magistrate..."
And it's very clear that Judge Sparks considered both "public" and
"private" communications in his opinion. Sysops need to understand
that case law is very limited at this point because of the infancy
of computer email communications. However both private and public
communication were considered under the ECPA. In addition, the opinion
makes clear also that a BBS is indeed a "remote computing service" as
defined in the ECPA. The above case is a "beacon" of light in a
formerly gray area according to an un-official statement from the
Florida Department of Law Enforcement (FDLE), Computer Crimes
Division. In my conversation with Jeff Herig he made it clear that
the Steve Jackson Games case is the model case they are training
their officers on.
===
4:10 p.m. Brriinngg!
UNITED STATES DEPARTMENT of JUSTICE, CRIMINAL CRIMES DIVISION.
Notes: Dan Schneider returns my call and offers once again, in a very general
way, that I am being correct in my assumption that should an individual
be able to show that they have a reasonable expectation of privacy, an
individual may find relief in the Fourth Amendment and further in the
ECPA of 1986. He stresses that he simply cannot be responsible for
providing specific legal advice. But he allowed that both he and his
superior thought that I was considering the options correctly. An
analogy agreed upon was of a locked office drawer of an employee. In an
office desk there may be drawers normally locked and unlocked. The
unlocked drawers may be accessed by employees in the office so a lowered
expectation of privacy would be implied. A drawer normally locked
however may infer a much greater expectation of privacy because of the
severely limited access. The same would hold true for items marked
"secret" or "confidential" and there was general agreement that the
analogy would hold true for encrypted data. Dan informed me that the
Justice Department is relying on the opinions so far rendered. This
should tell the average sysop that adherence to the ECPA would be a good
idea. Dan also thought that there may be an appeal on file in the Steve
Jackson Games suit.
===
4:30 p.m.
UNITED STATES DISTRICT COURT WESTERN DISTRICT OF TEXAS,
AUSTIN DIVISION............................(512) 482-5896
A spokeswoman confirmed that Steve Jackson Games indeed has
an open appeal in the case.
===
Another earlier case relating to the ECPA of 1986 and its application
was an action against Alcor Life Extension Foundation in California. They
were running a BBS for clients and prospective clients in the Cryogenics
business. The case was settled out of court but did produce a motion for
dismissal.
The case consisted of in part the following:
"...4. On or about January 11, 1990, plaintiffs commenced civil
action No. SAC 90-021js in the United States District Court, Santa
Ana ("the Action"), against the defendants for injuries and damages
allegedly suffered as a result of the defendants' seizure of
plaintiff's E-mail..."
The prosecution contended that their warrant did not have to comply with
the ECPA because the scope of the warrant broadly covered BBS computer
equipment and its contents which they felt was sufficient, in lieu of
that defense they felt that a "good faith" reliance on the warrant as
issued was worthy of a dismissal. While leaving the question open to
further consideration, Judge Letts issued the following in reference to:
"...MOTION TO DISMISS COMPLAINT FOR DECLARATORY RELIEF AND DAMAGES
(ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986; U.S.C. Section
2701, et seq.)..."
"...The Motion of defendants to dismiss plaintiffs' complaint for
came on for hearing regularly on May 14, 1990."
"Defendants moved to dismiss on the grounds that the complaint
failed to state a claim pursuant to Federal Rule of Civil Procedure
12(b)6. Defendants asserted that, as a matter of law, no violation of
the Electronic Communication Privacy Act of 1986, 18 U.S.C section 2701,
et seq. occurred, or, alternately, that defendants are entitled to
dismissal due to their good faith reliance on a facially valid search
warrant."
"Having reviewed the papers filed in connection with this matter,
having heard oral argument, and being fully apprised of the relevant
facts and law,
IT IS HEREBY ORDERED that the Motion of defendants to dismiss the
complaint is DENIED. Said denial shall be without prejudice should
defendants wish to raise these same issues later in these
proceeding."
IT IS SO ORDERED.
DATED: May 18, 1990
[signed]
J. Spencer Letts
United States District Judge
===
6:07 p.m.
Conclusions
It is clear that there are many remaining questions about specific
applications of the ECPA. It is equally clear that authorities to the
highest level consider the Steve Jackson Games case to be of
considerable import when dealing with stored electronic communications.
Those in FidoNet who believe that the ECPA does not apply to them may
take heed to Judge Sparks' ruling that makes no distinction between
public and private email communications. The statutory award made to the
folks whose email was read and deleted offers evidence of this.
Further, the Alcor case, while not offering a precedent, did deny a
motion to dismiss based on the defendants' claim that the ECPA did not
apply. Early on offering evidence that the judiciary considers BBS
electronic communications protected under the ECPA.
Some have said that there is no private communication within FidoNet. Even
International FidoNet policy allows for different levels of expectations
when considering email privacy. In my view, based on the information
that I have gathered and presented here, unless a sysop opens any and
all communications to any caller or user, some level of the ECPA would
come into play.
The rapid advance of technology has made it possible and even likely
that FidoNet sysops have some kind of message conferences that are not
intended for the general public. Attempting to use FidoNet policy to
circumvent US Constitutional protections that can only be waived with a
legal signature is sheer folly. It is generally and widely accepted that
you cannot give up Constitutional rights without a signed document that
specifies exactly what rights you are giving up. Based on everything I
have learned, it is my belief that the ECPA in its application so far is
doing what it is intended to do. That is, it provides some measure of
protection for electronic stored and forwarded communications. Indeed
instead of being a bane it is a boon for sysops. Much of the Steve Jackson
Games case by the US Secret Service was based on what a Secret Service
Agent saw at log on:
"...The only information Agent Foley had regarding Steve Jackson
Games, Inc. and Steve Jackson was that he thought this was a
company that put out games, but he also reviewed a printout of
Illuminati on February 25, 1990, which read, "Greetings, Mortal!
You have entered the secret computer system of the Illuminati, the
on-line home of the world's oldest and largest secret conspiracy.
5124474449300/1200/2400BAUD fronted by Steve Jackson Games,
Incorporated. Fnord. " The evidence in this case strongly suggests
Agent Foley, without any further investigation, misconstrued this
information to believe the Illuminati bulletin board was similar in
purpose to Blankenship's Phoenix bulletin board, which provided
information to and was used by "hackers..."
I suspect that those who are so quick to contend that the ECPA has no
effect on their system would, perhaps even more quickly, change their
position should they find themselves in similar circumstances.
And finally it was noted by each party that I contacted: any policy made
by any organization simply CANNOT ignore federal law. In the words of
one person consulted, if the Constitutional test of reasonable
expectation of privacy was applied and found to have merit, an internal
policy "would not mean spit."
CAUTION: I am not an attorney. The above is presented as information
only and all readers are advised to seek legal counsel in their
jurisdiction for specific advice.
-end ECPAFIDO.TXT-
That is about all the time I am going to spend on it. If anyone would care to
further debate the issue, with factual references such as I have provided,
instead of simply saying the ECPA can't be applied, I will be happy to
participate.
michael.hess@f48.n375.z1.fidonet.org
== It was 8", then 5¼" now 3½"... play with it some more.
--- Golded 2.42 1635US1 via D'Bridge 003179 ---
* Origin: BBSNEWS * Lake Jordan, Alabama * USR 16.8 205-567-9310 (1:375/48)