💾 Archived View for gemini.spam.works › mirrors › textfiles › bbs › mailsysp.lib captured on 2020-10-31 at 20:08:15.
View Raw
More Information
-=-=-=-=-=-=-
- Sysop Liability for Enroute (and/or Encrypted) Mail
Mike Riddle
1:285/27
[The following article is under submission. Reproduction on computer
bulletin boards is permitted for informational purposes only, provid-
ing that it remains intact with copy right notice and disclaimer.
Copyright (c) 1993 by Michael H. Riddle All other rights reserved.]
SYSOP LIABILITY FOR ENROUTE (AND/OR ENCRYPTED) MAIL
Recently email systems in general, and Fidonet in particular, have
seen a great deal of debate about the potential liability of sysops
for material entered on or passing through their systems. This
article attempts to discuss the laws, legal issues, and court deci-
sions known to bear on the subject.
While the law is unsettled on the liability of sysops for netmail on
their systems, enroute or otherwise, any liability attaches regardless
of enroute or encrypted status. Since liability, if any, increases
with actual sysop knowledge of the contents, encryption will not
increase any sysop liability and may, in fact, diminish it.
FACTS
Many individuals operate computer bulletin boards as a hobby. Many of
those bulletin boards (BBSes) are members of one or more networks,
passing messages in a store-and-forward manner using the public
switched telecommunications network. Many of those sysops have their
BBSes configured to allow private electronic mail to be routed through
their systems, either as a service to their users or as a requirement
of their membership and status in the network. Traditionally, such
"private" mail was stored on the system in a form that is readable by
the persons or entities operating the system. Depending on the
configuration and software involved, such private mail might be easily
read, or might be read only if a deliberate attempt to do so was made,
but in any event was available in ASCII format at some point, and/or
was stored using one of many compression schemes that could be read by
anyone with the proper software.
As a result of relatively recent technological developments, individu-
als now have the capability to encrypt data using their personal
computers, without using extraordinary amounts of time. Public key
cryptography systems, such as PEM or PGP, have been publicly released
and are seeing increasing use. The obvious result has been the use of
encryption for the contents of routed mail packets. For perhaps the
first time, sysops who route mail have started inquiring about their
liability for such mail, since the perception of safety that came from
a technical ability to read the mail is not present with encrypted
mail.
CRIMINAL LAW
Sysops providing "private" mail service operate under the terms and
limitations of the Electronic Communications Privacy Act of 1986
(ECPA) (18 U.S.C. ss 2510 et seq.). This section will, of necessity,
be somewhat "legalese." I've tried to make it as readable as possible
and still discuss the technical (in a legal sense) points that ought
to matter to sysops investigating their legal status.
Whether or not the ECPA appears to allow providers of "electronic" (as
opposed to "wire") communications the legal ability to monitor the
messages on their systems is a matter of some dispute. The best
answer is that the law on the subject is unclear. From the act:
"'wire communication' means any aural transfer ...." 18 USC 2510 (1).
On the other hand, "'electronic communication' means any transfer of
signs, signals, writing, images, sounds, data, or intelligence of any
nature...." 18 USC 2510 (12). "It shall not be unlawful under this
chapter for an operator of a switchboard, or an officer, employee, or
agent of a provider of wire *or electronic* [Note 1: see discussion
below] communication service, whose facilities are used in the trans-
mission of a wire [Note 2: see discussion below] communication, to
intercept, disclose, or use that communication in the normal course of
his employment while engaged in any activity which is a necessary
incident to the rendition of his service or to the protection of the
rights or property of the provider of that service, except that a
provider of wire communication service to the public shall not utilize
service observing or random monitoring except for mechanical or
service quality control checks." 18 USC section 2510(2)(a)(i)
(emphasis added). One of the drafters of the act has indicated that
the exception limiting "wire," but not "electronic," communication
stems from the drafters' knowledge of the state of the art at that
time; however, the distinction is present in the law.
From this two arguments can be (and have been) made. First, that by
prohibiting only providers of "wire" communications from service
observing or random monitoring, the drafters did not intend "elec-
tronic" communications to be subject to the same restrictions and that
service observing or random monitoring of electronic communications
are not prohibited. But the counter-argument is that while the law
exempts "providers of wire or electronic communication service, whose
facilities are used in the transmission of a ... communication, the
exemption does not specifically allow for "electronic" communications,
only wire. There is an internal inconsistency caused by the failure
either to omit the two words *or electronic* [Note 1] or to include
them [Note 2] in section 2511(2)(a) at the points indicated by my
insertion of [see discussion below].
One of the drafters of the ECPA recently commented that the legisla-
tive history supports the position that electronic communications were
exempted from the act's general prohibitions; that is, the drafters
intended to place special protections on voice, normally telephone,
communications while allowing real-time monitoring of electronic
communications as defined by the act.
It now seems clear to me that there is a glitch in ECPA with
regard to real time access for security purposes to elec-
tronic messages. 2511(2)(a) was supposed to allow monitor-
ing of electronic communications for security purposes by
the sysop -- the legislative history makes that clear and
distinguishes monitoring of voice which is more limited.
But the amendments failed, for technical reasons, to add
"and electronic communications" after the single reference
to "wire" -- so that the literal text now appears to read to
allow this type of security- based monitoring only with
regard to wire communications. There are some other argu-
ments [that would allow it]--but none is as bullet proof as
the section would have been if it had been written as I
think all intended.
This ambiguity is what led to the Department of Justice recommendation
that system administrators at government computer sites place explicit
disclaimers at logon, warning that keystroke monitoring or service
observation might be used, if they thought they would ever want to use
this technique.
The above discussion applies primarily to real-time monitoring. In
the only known decision construing the ECPA, the distinction between
"interception" (i.e., real-time monitoring) and "access to stored
communications" was essential to the holding that no "interception"
had taken place. Steve Jackson Games, Inc., v. U.S. Secret Service,
816 F. Supp. 432 (W.D. Tex. 1993). However, due to the nature of
store-and-forward mail, the mail remains in storage for some period,
and it is clear that the sysops legally have access to the material in
storage. However, sysops are limited in what they can do with their
knowledge, if any, of the mail in storage. With some limited excep-
tions, they may only disclose it to the sender or to the intended
recipient. They are required to disclose it pursuant to court orders
and subpoenas, but the ECPA gives particular instructions on how such
are to be obtained. And the sysops *may*, with respect to stored
communications, disclose the contents to a law enforcement agency if
the contents were *inadvertently* obtained *and* appear to involve the
commission of a crime. 18 USC 2702 (b)(6). The sysop also may
disclose the contents of a communication "as may be necessarily
incident to the rendition of the service or to the protection of the
rights or property of the provider of that service." 18 USC
2702(b)(5). Deleting any mail that does not comply with the sysop's
ideas of propriety or appropriateness is *not* specifically autho-
rized.
CIVIL LAW
The ECPA also provides for civil remedies by the person aggrieved by
an illegal disclosure of the contents of a private message.
18 U.S.C. 2707 et seq.
Over and above those limitations, the civil laws of forfeiture gener-
ally allow the government (state or federal) to seize property for
which probable cause exists to believe is the instrumentality of a
crime, and the lawful owner may attempt to recover in a civil action.
The burden of proof is upon the person claiming the interest in the
property to prove the property was *not* the instrumentality of a
crime.
ANALYSIS
Many sysops post some kind of disclaimer, either as a bulletin or as
part of a service contract, formal or implied, that no "private" mail
exists on their system. A threshold question is "what is 'private
mail' for the purpose of the ECPA or any other law or civil action?"
Notwithstanding any bulletin or disclaimer, almost all mail software
asks or treats some messages as "private." In the Fidonet protocols,
there is a defined bit in the message which gives the privacy status,
thus giving rise to an expectation of privacy. Also, netmail is
generally readable only by the sender, intended recipient, and the
sysops involved.
Interestingly, the law does not protect "private" messages. It
protects *any* message that is "not public," in the words of the law,
any message not "readily accessible to the general public." "'Readily
accessible to the general public' means...that such communication is
not (A) scrambled or encrypted; [or] (B) transmitted using modulation
techniques whose essential parameters have been withheld from the
public with the intention of preserving the privacy of such communica-
tion...." 18 U.S.C. 2510(16).
This protection would, in my opinion, include all "netmail" or
"email," notwithstanding any disclaimers that "we don't have private
mail." The existence of areas for public discussion, using most of
the "bandwidth" of hobby BBSes, obscures the fact that the basis of
the system, be it Fidonet or Internet, is electronic mail. To refer
again to the ECPA: "A person or entity providing electronic communi-
cation service to the public may divulge the contents of any such
communication... (i) as otherwise authorized in section 2511(2)(a)
[readily accessible to the general public], (ii) with the lawful
consent of the originator or any addressee or intended recipient of
such communication; [or] (iii) to a person employed or authorized, or
whose facilities are used, to forward such communication to its
destination.... 18 U.S.C. 2511(3)(b).
Thus, except for messages in public discussion areas, all communi-
cations stored on a BBS (that is, netmail or email) are protected, the
nature of the software raising an expectation of privacy and that
privacy being protected by law. Note that exception (iii) covers
forwarding routed mail to the next link in the process.
A thorough reading of the ECPA reveals no requirement for a sysop to
voluntarily disclose the contents of a message to anybody. The law
does, as noted above, allow such disclosures under limited circum-
stances. What then are the sources of liability for sysops for
messages stored on their systems?
In the area of criminal law, liability might attach as a conspirator,
co-conspirator, accessory or accomplice. Note, however, that a "mens
rea," a criminal intent, is generally required for criminal liability.
In the area of civil forfeitures, the mere fact that probable cause
existed to believe the system was an instrumentality of a crime is all
that is required for the seizure; however, as a practical matter,
seizures seem almost always to occur when there is probable cause (as
seen by the judicial system) to believe the owner is guilty of some-
thing.
How might a sysop protect themselves? First, note that disclosure to
law enforcement requires that the contents be inadvertently obtained.
An argument might exist that disclosure to law enforcement is also
allowed by the language that the sysop may disclose the contents of a
communication "as may be necessarily incident to the rendition of the
service or to the protection of the rights or property of the provid-
er of that service," 18 USC 2702(b)(5). The fact exists, however,
that the statute in other places specifically says the contents must
be inadvertently obtained to allow disclosure to law enforcement. As
a practical matter it might not matter, but one argument might be that
the sysop should *not* routinely monitor the contents, since disclo-
sure to law enforcement is only specifically authorized when knowledge
is inadvertent.
The argument can be made that, with respect to netmail, routed, direct
or crash, BBSes look most like common carriers, and therefore are, or
should be, exempt from liability for their contents. This argument is
strengthened when the BBS routinely gives access to routed netmail to
all users, or to any user who asks for it. This is because a true
common carrier has an obligation to handle traffic for anyone who
meets the requirements of the tariffs. Conversely, the BBS looks less
like a common carrier if relatively few users can access netmail. If
routed mail is added into the equation, the BBS begins to look more
like a relay point in a common carrier scheme when it grants relay
privileges to more and more other systems.
Note that in Cubby v. Compuserve, 776 F. Supp. 135 (S.D.N.Y. 1991),
the court held Compuserve not liable for material on their system
unless they were shown to have actual knowledge and did not take
appropriate action. The court found them to be like booksellers, who
are similarly immune unless actual knowledge is shown. If sysops make
a practice, or state as their practice, the routine viewing of all
material on their system, the qualified immunity they arguably have is
destroyed.
ENCRYPTION (finally)
Note that whether or not the message was encrypted did not figure in
any of the above analysis, except that there is a reasonable presump-
tion that if it were encrypted it was not "readily accessible to the
general public." As applied to PEM and PGP, this would, it seems,
exclude "signed" mail as long as it was not "encrypted" as well. When
considering the impact of encryption, we must note that normally for
criminal law to attach, knowledge (intent) is a prerequisite. For
seizure, there must at least be probable cause that the system was
used in the planning or commission of a crime. In either of those
cases, with respect to the sysop, encrypted messages tend to disprove
the elements: you can't show knowledge if the sysop can't read the
traffic, and you can't prove the system was used in a crime if you
can't read the traffic.
Law enforcement might be able to show the encrypted contents were
illegal if they could obtain the decrypted messages and trace back the
route; however, if a system ran in "pass-through" mode there would at
least be a question of proving the system was actually used. If the
system ran in toss and rescan, and if the message hadn't deleted due
to age or number of messages, then you could show the message was on
the system. But you still couldn't show the sysops had knowledge,
making it less likely they would be perceived as somehow "guilty" of
something. This last point is enhanced if it can be shown that the
system routinely routed mail for any and all parties.
CONCLUSION
The question of sysop liability for messages stored on or passing
through their system is unsettled. Sysop liability might attach as
part of a criminal act, but knowledge is required and the fact of
encryption would, when the sysop could not read the message, tend to
disprove knowledge. Liability might attach in the form of civil
forfeiture, but again lack of knowledge makes the sysop appear less
"blameworthy." While guilt is not an element of civil forfeiture, the
conventional wisdom is that forfeiture is only used when guilt of some
kind has attached, at least in the mind of law enforcement, to the
owner of the property. The more a sysop and system look like a common
carrier, handling traffic without knowledge of the contents, the less
likely they are to be subject to some sort of liability for their
actions. Finally, the use of public key encryption does not appear
increase their liability, and might in some circumstances decrease it.
For the reasons stated above, it is my conclusion that systems routing
mail should use pass-through where available, and should specifically
allow, and even encourage, the use of public key encryption as a
measure to limit their liability in case they are used in some ques-
tionable manner.
[The author is an attorney licensed to practice in the state and
federal courts of Nebraska. While he has studied the issues fairly
extensively, the comments apply generally to persons within the United
States and he is not giving legal advice to any particular person.
Finally, this memorandum does not address International Traffic in
Arms Regulations (ITAR) (22 CFR 120 ff) applicable to the export
and/or import of cryptographic software. No one should rely upon the
following without consulting their own attorney for advice on their
particular question or problem.]