home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Hacker Chronicles 1
/
HACKER1.ISO
/
cud3
/
cud304c.txt
< prev
next >
Wrap
Text File
|
1992-08-18
|
21KB
|
441 lines
****************************************************************************
>C O M P U T E R U N D E R G R O U N D<
>D I G E S T<
*** Volume 3, Issue #3.04 (January 28, 1991) **
****************************************************************************
MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
ARCHIVISTS: Bob Krause / Alex Smith / Bob Kusumoto
RESIDENT SYSTEM CRASH VICTIM:: Brendan Kehoe
USENET readers can currently receive CuD as alt.society.cu-digest. Back
issues are also available on Compuserve (in: DL0 of the IBMBBS sig),
PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on FIDOnet.
Anonymous ftp sites: (1) ftp.cs.widener.edu (2) cudarch@chsun1.uchicago.edu
E-mail server: archive-server@chsun1.uchicago.edu.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted as long as the source is
cited. Some authors, however, do copyright their material, and those
authors should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles relating to
the Computer Underground. Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Contributors assume all responsibility
for assuring that articles submitted do not violate copyright
protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
From: Reprint from BMUG (Berkeley MacIntosh Users' Group)
Subject: BMUG's ECPA Commentary (reprinted with permission from BMUG
Date: January, 1991
********************************************************************
*** CuD #3.04, File 3 of 4: The Politics of the ECPA of 1986 ***
********************************************************************
The Politics of the Electronic Communications Privacy Act of 1986
Copyright (C) 1990, Bernard Aboba. All rights reserved.
The Electronic Communications Privacy Act (ECPA) of 1986 was a landmark
piece of legislation which is likely to affect online services and hobbyist
bulletin boards for many years to come. Since the ECPA is a complex and
often arcane piece of legislation, it is very hard to understand without
looking at the history of how it came to be. In understanding the
politics of ECPA, this article relies heavily on the transcripts of the
House Judiciary Committee Hearings on H.R. 3378, which eventually became
the Electronic Communications Privacy Act.
During the hearings on ECPA in 1985-86 only one member of the online
service industry, The Source (subsequently acquired by Compuserve)
submitted an opinion. Though endorsing the bill, the assessment hinted
at possible long term costs imposed by the lack of preemption of state
standards. However, this one page assessment hardly made an impression on
the hearings compared with the impressive lineup of spokesmen from the
ACLU, cellular communications firms, Regional Bell Operating Companies
(RBOC's), broadcasting groups, credit and banking firms, and computer and
telecommunications industry associations, all lined up in support of the
bill.
Only the U.S. Department of Justice, manufacturers of scanning equipment,
and amateur radio associations expressed strong reservations about the
bill. However, since the passage of ECPA, the long term costs of the
legislation and its effects on commercial and hobbyist conferencing systems
have become apparent. Ironically, none of these effects were anticipated
at the hearings.
Outline of ECPA
Broadened Protection of Communications
The ECPA amended the Omnibus Crime Control and Safe Streets Act of 1968
(which covered wire tapping of common carriers) to prohibit monitoring of
all electronic communications systems not designed to be accessible by the
public. This includes voice, data, and video on non-public systems, and
applies to communications regardless of the mode of transmission.
Search and Seizure
To obtain access to communications such as electronic mail, the government
is required to obtain a warrant on probable cause. Law enforcement must
also obtain a court order based on reasonable suspicion before obtaining
toll records of telephone calls.or gaining access to records of an
electronic communications system which concern specific communications.
Criminal Penalties
Criminal penalties can result from unauthorized access to computers if
messages are obtained or altered. Felony charges can be brought if the
violation was commited maliciously or for commercial gain, in which case
the act is punishable by up to one year imprisonment and a $250,000 fine.
In other cases, a term of imprisonment of six months and a maximum fine of
$5,000 is applicable.
Civil Penalties
Civil damages may be pursued for violation of the rights contained in the
act.
Disclosure
Electronic communications systems operators may not disclose electronic
messages without authorization except in special circumstances. The
Politics of ECPA
The ECPA was supported by the cellular phone, telephone, packet switching,
paging, and broadcasting industries; private firms owning large
communications networks, miscellaneous computer and communications trade
associations, the ACLU and Consumer's Union, and credit bureaus. Law
enforcement agencies were supportive, but skeptical. The only vigorous
opposition came from amateur radio associations, and manufacturers of
scanning equipment which, while protesting loudly, saw few of their
recommended modifications enacted into law.
Also playing a role were sponsoring legislators, such as Senator Patrick
Leahy of Vermont, and Charles Mathias of Maryland, as well as
Representatives Robert Kastenmeier and Carlos Moorhead. Senator Leahy, in
his opening remarks at the hearings on the bill, set the stage for the
legislation:
"At this moment phones are ringing, and when they are answered, the message
that comes out is a stream of sounds denoting ones and zeros.... What is
remarkable is the fact that none of these transmissions are protected from
illegal wiretaps, because our primary law, passed back in 1968, failed to
cover data communications, of which computer to computer transmission are a
good example. When Congress enacted that law,Title III of the Omnibus
Crime Control and Safe Streets Act of 1968, it had in mind a particular
kind of communication - voice - and a particular way of transmitting that
communication - via a common carrier analog telephone network. Congress
chose to cover only the "aural acquisition" of the contents of a common
carrier wire communication. The Supreme Court has interpreted that
language to mean that to be covered by Title III, a communication must be
capable of being overheard. The statue simply fails to cover the
unauthorized interception of data transmissions." Senator Leahy also had
more practical reasons for supporting the bill. The rapidly growing U.S.
cellular communications industry had become alarmed by the ease with which
cellular communications could be monitored. Television sets built during
the period 1966-1982 were capable of picking up cellular conversations on
UHF channels 80-83. This was possible because cellular communications used
the same frequency modulation techniques utilized in transmitting
television sound. In addition, scanning equipment which for several
hundred dollars was capable of receiving cellular communications in the 800
Mhz band. During 1985, several incidents threatened to make the
vulnerability of cellular communications into front page news. For
example, private conversations of state legislators in Austin were
intercepted and made available in the public press, with embarrassing
consequences.
This ease of reception threatened the viability of the cellular industry.
In response, according to Richard Colgan of the Association of North
American Radio Clubs, "cellular firms resorted to pervasive
misrepresentation of the actual interception vulnerability of cellular. "
In fairness to the cellular industry, cellular communications does provide
certain inherent protections against interception. For example, since each
half of the conversation is transmitted on different frequencies, usually
it is only possible to listen in on one side of a conversation. In
addition, while it is easy to pick up some conversation, it is difficult to
pick up a particular conversation of interest. Also, the frequencies will
shift during passage from one cell to another. However, given the
relatively large cell size, frequencies are likely to be stable over the
average life of a call. In his remarks, Senator Leahy stated that the
ECPA was needed to help the cellular industry get off the ground, and that
the American people and American business wanted the ECPA. A more
emotional defense was made by John Stanton, Executive VP of McCaw
Communications, who stated "The inhibition of the growth of cellular
technology and paging technology, forced by the lack of privacy, is
unfair."
Law enforcement interests and businesses were also in favor of the bill.
In 1986, the nation was just becoming aware of the threat posed by computer
crime, and the need for laws allowing prosecution of perpetrators. The
ECPA was therefore viewed by elements of law enforcement and business as a
vehicle for criminalizing the act of breaking into computers. Businesses
such as GTE Telenet, EDS, and Chase Manhattan thus supported the ECPA as a
computer crime bill. Telephone companies such as AT&T even attempted to
tack on additional computer crime provisions covering breaking into to
their switching equipment.
In retrospect, the preoccupation with computer crime distorted evaluations
of the ECPA. Computer crime was more effectively addressed by state penal
code revisions such as California Penal Code Section 502 - Computer Crime,
and Section 499c - Trade Secrets. The purpose of ECPA was to insure
privacy rather than to define the criminal uses of computers.
The cellular industry had no such illusions. Mr. Philip Quigley, CEO of
pacTel Mobil Co. described the economic benefits of ECPA by noting that
without legislation, "defending the right (to privacy) could take years of
litigation." "Individuals can use scanning devices today... (it is our
intent) to merely excise out... the capability that exists today to zone in
on the channels and the frequencies that are associated with cellular
telephony." Without the ECPA, the industry would have faced incorporation
of expensive encryption technology into their systems. For example, John
Stanton of McCaw testified that "Encryption devices make it difficult to
roam from system to system," generated scratchy sound, and required 30%
more investment for the base unit, and 100% for the phone. Mr. Colgan's
estimated high grade commercial encryption as costing $40 for the
encryption chip (quantity one), plus associated circuitry . In either
case, the net cost for several million subscribers was estimated in the
tens if not hundreds of millions of dollars.
Industry associations such as ADAPSO pointed out the trade benefits of the
legislation, since Asia had not developed privacy protection, although
Europe had done so. John Stanton of McCaw commented that if the U.S.
passed the ECPA, then it would enjoy superior communications privacy to
that available in Europe.
Representatives of the nation's amateur radio enthusiasts were among the
staunchest opponents of the bill. Richard Colgan of the Association of
North American Radio Clubs represented their position. "While we have no
animosity towards cellular, we cannot sit idly by while they use their
influence to make dubious changes in public policy, largely to benefit
their bottom lines..." In response to the concerns of amateur radio
enthusiasts, and scanner manufacturers, the interception standard was
changed from "willful" to "intentional," so as to allow for "inadvertent"
interceptions.
Manufacturers of scanning equipment were vigorously opposed to ECPA since
the use of their devices was restricted by the act. Richard Brown of
Regency Electronics, a manufacturer of radio band scanners, argued
cellular radio licensees have never had any expectation of privacy, that
cellular operators, not the public, should bear the burden of securing
cellular communications, and that protecting specific radio frequencies was
imprudent.
This last point deserves elaboration. Under ECPA, monitoring of cordless
phone frequencies is not prohibited, although it is hard to argue that the
average individual's "expectation of privacy" is any different for a
cordless phone than it would be for a cellular phone. In fact, an
educated individual might even expect less privacy for a cellular call,
argued Richard Colgan, because the range of cellular communications is so
much larger than for cordless phones, thus making interception easier.
Among the most careful analyst of the ECPA was the U.S. Department of
Justice, as represented by James Knapp, deputy assistant attorney general
of the criminal division. Knapp concurred with the Amateur Radio
enthusiasts that cellular and cordless phone technology, as well as tone
and voice pagers, were easily intercepted, and therefore could not presume
an "expectation of privacy." Knapp also expressed skepticism about the
wisdom of criminalizing hobbyist behavior. Knapp was however in favor of
extending coverage to electronic mail. Finally, he argued for extension of
the crimes for which wire tapping could be authorized, beyond those
enumerated in Title III. This suggested modification to the act was
subsequently incorporated.
In contrast to the detailed arguments submitted by the parties discussed
above, the one page letter submitted by The Source had a minor impact at
best, suggesting that the ECPA, by not preempting state statutes, could
expose the online service industry to an entangling web of federal and
state statutes.
Analysis of the Economic Effects of ECPA
The parts of ECPA which have ramifications for online services and hobbyist
bulletin boards mostly have to do with access to stored messages. While
access to services are often offered via a packet switching network, or
could even be achieved via use of cellular modems or other radio
transmissions, worries about the privacy of such access are not likely to
be major concerns of customers.
An important aspect of ECPA is the presence of both criminal and civil
penalties. This provides an important incentive for aggrieved parties to
pursue litigation through contingency fee arrangements. The implications
of this for the online service business are serious. For example, the fee
for sending an EasyPlex message on Compuserve is on the order of a few
dollars, depending on the time spent in composing the message. For that
fee, Compuserve takes on the responsibility of not disclosing the message,
which could conceivably be worth millions to the sender and intended
recipient.
Firms Submitting Opinions on H.R. 3378
Phone Companies
Southwestern Bell
AT&T
Ameritech
Pacific Telesis
Bell South
Northwestern Bell
United States
Telephone Assoc.
Radio
Association of North American Radio Clubs
American Radio Relay League
National Association of Business & Educational Radio
Cellular
PacTel Mobile
McCaw Communications
Motorola
Centel
Hobbyists
Communications
Packet Switching
GTE Telenet
Misc. Associations
Electronic Mail Association
ADAPSO
National Assoc. of Manufacturers
Assoc. of American Railroads
IEEE
Paging
Telocator Network
Computers
Tandy
Law Enforcement
U.S. Dept. of Justice
Online Services
The Source
Citizen's Groups
ACLU
Consumer's Union
Firms with Private Networks
Chase Manhattan
EDS
Scanner Manufacturers
Dynascan
Regency Electronics
Uniden
Credit Bureaus
American Credit Services
Broadcasters
National Assoc. of Broadcasters
Radio-TV News Directors Association
Satellite TV Industry Association
CBS
Source: Hearings, Committee on the Judiciary, House of
Representatives, H.R. 3378, ECPA, 99th Congress, No. 50, 1986.
Of course, this burden is not theirs alone. Operators of corporate
communications systems (who were big supporters of ECPA) are also
likely targets. Indeed, several ECPA suits against employers and
municipalities have recently been filed. The potential for
litigation also exists for hobbyist systems such as computer
bulletin boards.
Government regulations fit into two categories: economic
regulation, and social regulation. In the economic category are
price controls on crude oil, and tarriffs. Equal opportunity
legislation is a regulation of the social type. The cost of a
social regulation can be broken down into two parts. One is the
cost of complying with the regulation, either by modification of
business practices, or payment of imposed penalties; another is
the cost of resolving ambiguities in the legislation through
establishment of case law. In the case of ECPA, reflection
discloses that the establishment of precedent is likely to be the
more expensive than compliance. For example, for a service to
modify sysop access privileges, and to introduce encryption of
private mail and passwords would probably entail an expenditure on
the order of a few million dollars for software development and
testing. In contrast, were only 0.01% of Compuserve's
subscribers to file an ECPA lawsuit, given 500,000 subscribers, and
average legal fees and penalties per case of $100,000, the bill
would come to over $10 million.
Due to its concentration on cellular industry concerns, the ECPA
concentrates more on insuring privacy for users than on limiting
the responsibilities of providers. Due to differences between
messages in transit and stored messages, cellular firms end up
forcing the costs of privacy onto hobbyists and outsiders, while
providers of online services are forced to bear these costs
themselves. In view of the potentially horrendous litigation
burdens, there is a strong incentive to limit the ability of
system administrators to read or disclose private mail.
The key to complying with the act is the notion of "expectations of
privacy." This notion governs both the legal aspects of ECPA, and
determinants of end user satisfaction. Under the ECPA, privacy is
only enforced for systems in which users were lead to "expect
privacy." Thus a sysop has two alternatives: to explicitly address
those expectations via an education campaign, or to play a game
similar to the cellular industry, in denying that privacy is a
significant issue. One of the concerns voiced by the cellular
industry in backing ECPA was that their budding industry could ill
afford the cost of solidifying the right to privacy via litigation
or adoption of encryption technology. Yet that is precisely the
course that the ECPA has forced on the online service industry.
Nor were the concerns of a budding industry entirely genuine.
Within the next two years, the revenues of cellular communication
firms will exceed those of all the participants in the information
services industry.
Bibliography
1. Electronic Communications Privacy Act of 1986, Public Law
99-508, 99th Congress, 2nd session.
2. Hearings of the Committee on the Judiciary, House of
Representatives, H.R. 3378, Electronic Communications Privacy Act,
99th Congress, No. 50, 1986.
3. California Penal Code, Section 502, Computer Crime, 502.7
Obtaining telephone or telegraph services by fraud, 499c, trade
secrets.
4. Wallace, Jonathan, and Lance Rose, SYSLAW, L.L.M Press, New
York City, 1990
********************************************************************
>> END OF THIS FILE <<
***************************************************************************