💾 Archived View for spam.works › mirrors › textfiles › bbs › mailsysp.lib captured on 2023-11-04 at 12:23:16.

View Raw

More Information

⬅️ Previous capture (2023-06-14)

-=-=-=-=-=-=-


 
Mike Riddle 
1:285/27 
 
[The following article is under submission.  Reproduction on computer 
bulletin boards is permitted for informational purposes only, provid- 
ing that it remains intact with copy right notice and disclaimer.  
Copyright (c) 1993 by Michael H. Riddle All other rights reserved.]
 
 
          SYSOP LIABILITY FOR ENROUTE (AND/OR ENCRYPTED) MAIL 
 
Recently email systems in general, and Fidonet in particular, have 
seen a great deal of debate about the potential liability of sysops 
for material entered on or passing through their systems.  This 
article attempts to discuss the laws, legal issues, and court deci- 
sions known to bear on the subject. 
 
While the law is unsettled on the liability of sysops for netmail on 
their systems, enroute or otherwise, any liability attaches regardless
of enroute or encrypted status.  Since liability, if any, increases 
with actual sysop knowledge of the contents, encryption will not 
increase any sysop liability and may, in fact, diminish it. 
 
 
                                 FACTS 
 
Many individuals operate computer bulletin boards as a hobby.  Many of
those bulletin boards (BBSes) are members of one or more networks, 
passing messages in a store-and-forward manner using the public 
switched telecommunications network.  Many of those sysops have their
BBSes configured to allow private electronic mail to be routed through
their systems, either as a service to their users or as a requirement
of their membership and status in the network.  Traditionally, such 
"private" mail was stored on the system in a form that is readable by
the persons or entities operating the system.  Depending on the 
configuration and software involved, such private mail might be easily
read, or might be read only if a deliberate attempt to do so was made,
but in any event was available in ASCII format at some point, and/or 
was stored using one of many compression schemes that could be read by
anyone with the proper software. 
 
As a result of relatively recent technological developments, individu-
als now have the capability to encrypt data using their personal 
computers, without using extraordinary amounts of time.  Public key 
cryptography systems, such as PEM or PGP, have been publicly released
and are seeing increasing use.  The obvious result has been the use of
encryption for the contents of routed mail packets.  For perhaps the 
first time, sysops who route mail have started inquiring about their 
liability for such mail, since the perception of safety that came from
a technical ability to read the mail is not present with encrypted 
mail. 
 
 
                             CRIMINAL LAW
 
Sysops providing "private" mail service operate under the terms and 
limitations of the Electronic Communications Privacy Act of 1986 
(ECPA) (18 U.S.C. ss 2510 et seq.).  This section will, of necessity,
be somewhat "legalese."  I've tried to make it as readable as possible
and still discuss the technical (in a legal sense) points that ought 
to matter to sysops investigating their legal status. 
 
Whether or not the ECPA appears to allow providers of "electronic" (as
opposed to "wire") communications the legal ability to monitor the 
messages on their systems is a matter of some dispute.  The best 
answer is that the law on the subject is unclear.  From the act: 
"'wire communication' means any aural transfer ...."  18 USC 2510 (1). 
On the other hand,  "'electronic communication' means any transfer of
signs, signals, writing, images, sounds, data, or intelligence of any
nature...."  18 USC 2510 (12).  "It shall not be unlawful under this 
chapter for an operator of a switchboard, or an officer, employee, or
agent of a provider of wire *or electronic* [Note 1: see discussion 
below] communication service, whose facilities are used in the trans-
mission of a wire [Note 2: see discussion below] communication, to 
intercept, disclose, or use that communication in the normal course of
his employment while engaged in any activity which is a necessary 
incident to the rendition of his service or to the protection of the 
rights or property of the provider of that service, except that a 
provider of wire communication service to the public shall not utilize
service observing or random monitoring except for mechanical or 
service quality control checks."  18 USC section  2510(2)(a)(i)  
(emphasis added).  One of the drafters of the act has indicated that 
the exception limiting "wire," but not "electronic," communication 
stems from the drafters' knowledge of the state of the art at that 
time; however, the distinction is present in the law.   
 
From this two arguments can be (and have been) made.  First, that by 
prohibiting only providers of "wire" communications from service 
observing or random monitoring, the drafters did not intend "elec- 
tronic" communications to be subject to the same restrictions and that
service observing or random monitoring of electronic communications 
are not prohibited.  But the counter-argument is that while the law 
exempts "providers of wire or electronic communication service, whose
facilities are used in the transmission of a ... communication, the 
exemption does not specifically allow for "electronic" communications,
only wire.  There is an internal inconsistency caused by the failure 
either to omit the two words *or electronic* [Note 1]  or to include 
them [Note 2] in section 2511(2)(a) at the points indicated by my 
insertion of [see discussion below]. 
 
One of the drafters of the ECPA recently commented that the legisla- 
tive history supports the position that electronic communications were
exempted from the act's general prohibitions; that is, the drafters 
intended to place special protections on voice, normally telephone, 
communications while allowing real-time monitoring of electronic 
communications as defined by the act.   
 
     It now seems clear to me that there is a glitch in ECPA with 
     regard to real time access for security purposes to elec- 
     tronic messages.  2511(2)(a) was supposed to allow monitor- 
     ing of electronic communications for security purposes by 
     the sysop -- the legislative history makes that clear and 
     distinguishes monitoring of voice which is more limited.  
     But the amendments failed, for technical reasons, to add 
     "and electronic communications" after the single reference 
     to "wire" -- so that the literal text now appears to read to 
     allow this type of security- based monitoring only with 
     regard to wire communications.  There are some other argu- 
     ments [that would allow it]--but none is as bullet proof as 
     the section would have been if it had been written as I 
     think all intended.
 
This ambiguity is what led to the Department of Justice recommendation
that system administrators at government computer sites place explicit
disclaimers at logon, warning that keystroke monitoring or service 
observation might be used, if they thought they would ever want to use
this technique. 
 
The above discussion applies primarily to real-time monitoring.  In 
the only known decision construing the ECPA, the distinction between 
"interception" (i.e., real-time monitoring) and "access to stored 
communications" was essential to the holding that no "interception" 
had taken place.  Steve Jackson Games, Inc., v. U.S. Secret Service, 
816 F. Supp. 432 (W.D. Tex. 1993).  However, due to the nature of 
store-and-forward mail, the mail remains in storage for some period, 
and it is clear that the sysops legally have access to the material in
storage.  However, sysops are limited in what they can do with their 
knowledge, if any, of the mail in storage.  With some limited excep- 
tions, they may only disclose it to the sender or to the intended 
recipient.  They are required to disclose it pursuant to court orders
and subpoenas, but the ECPA gives particular instructions on how such
are to be obtained.  And the sysops *may*, with respect to stored 
communications, disclose the contents to a law enforcement agency if 
the contents were *inadvertently* obtained *and* appear to involve the
commission of a crime.  18 USC 2702 (b)(6).  The sysop also may 
disclose the contents of a communication "as may be necessarily 
incident to the rendition of the service or to the  protection of the
rights or property of the provider of that service."  18 USC 
2702(b)(5).  Deleting any mail that does not comply with the sysop's 
ideas of propriety or appropriateness is *not* specifically autho- 
rized. 
 
 
                               CIVIL LAW 
 
The ECPA also provides for civil remedies by the person aggrieved by 
an illegal disclosure of the contents of a private message.  
18 U.S.C. 2707 et seq.   
 
Over and above those limitations, the civil laws of forfeiture gener-
ally allow the government (state or federal) to seize property for 
which probable cause exists to believe is the instrumentality of a 
crime, and the lawful owner may attempt to recover in a civil action. 
The burden of proof is upon the person claiming the interest in the 
property to prove the property was *not* the instrumentality of a 
crime. 
 
 
                               ANALYSIS 
 
Many sysops post some kind of disclaimer, either as a bulletin or as 
part of a service contract, formal or implied, that no "private" mail
exists on their system.  A threshold question is "what is 'private 
mail' for the purpose of the ECPA or any other law or civil action?" 
Notwithstanding any bulletin or disclaimer, almost all mail software 
asks or treats some messages as "private."  In the Fidonet protocols,
there is a defined bit in the message which gives the privacy status,
thus giving rise to an expectation of privacy.  Also, netmail is 
generally readable only by the sender, intended recipient, and the 
sysops involved. 
 
Interestingly, the law does not protect "private" messages.  It 
protects *any* message that is "not public," in the words of the law,
any message not "readily accessible to the general public."  "'Readily
accessible to the general public' means...that such communication is 
not (A) scrambled or encrypted; [or] (B) transmitted using modulation
techniques whose essential parameters have been withheld from the
public with the intention of preserving the privacy of such communica-
tion...."  18 U.S.C. 2510(16). 
 
This protection would, in my opinion, include all "netmail" or 
"email," notwithstanding any disclaimers that "we don't have private 
mail."  The existence of areas for public discussion, using most of 
the "bandwidth" of hobby BBSes, obscures the fact that the basis of 
the system, be it Fidonet or Internet, is electronic mail.  To refer 
again to the ECPA:  "A person or entity providing electronic communi-
cation service to the  public may divulge the contents of any such 
communication... (i) as otherwise authorized in section 2511(2)(a) 
[readily accessible to the general public], (ii) with the lawful 
consent of the originator or any addressee or intended recipient of 
such communication; [or] (iii) to a person employed or authorized, or
whose facilities are used, to forward such communication to its 
destination....  18 U.S.C. 2511(3)(b). 
   
Thus, except for messages in public discussion areas, all communi- 
cations stored on a BBS (that is, netmail or email) are protected, the
nature of the software raising an expectation of privacy and that 
privacy being protected by law.  Note that exception (iii) covers 
forwarding routed mail to the next link in the process. 
 
A thorough reading of the ECPA reveals no requirement for a sysop to 
voluntarily disclose the contents of a message to anybody.  The law 
does, as noted above, allow such disclosures under limited circum- 
stances.  What then are the sources of liability for sysops for 
messages stored on their systems? 
 
In the area of criminal law, liability might attach as a conspirator,
co-conspirator, accessory or accomplice.  Note, however, that a "mens
rea," a criminal intent, is generally required for criminal liability.
 
In the area of civil forfeitures, the mere fact that probable cause 
existed to believe the system was an instrumentality of a crime is all
that is required for the seizure; however, as a practical matter, 
seizures seem almost always to occur when there is probable cause (as
seen by the judicial system) to believe the owner is guilty of some- 
thing. 
 
How might a sysop protect themselves?  First, note that disclosure to
law enforcement requires that the contents be inadvertently obtained. 
An argument might exist that disclosure to law enforcement is also 
allowed by the language that the sysop may disclose the contents of a
communication "as may be necessarily incident to the rendition of the
service or to the  protection of the rights or property of the provid-
er of that service," 18 USC 2702(b)(5).  The fact exists, however, 
that the statute in other places specifically says the contents must 
be inadvertently obtained to allow disclosure to law enforcement.  As
a practical matter it might not matter, but one argument might be that
the sysop should *not* routinely monitor the contents, since disclo- 
sure to law enforcement is only specifically authorized when knowledge
is inadvertent. 
 
The argument can be made that, with respect to netmail, routed, direct
or crash, BBSes look most like common carriers, and therefore are, or
should be, exempt from liability for their contents.  This argument is
strengthened when the BBS routinely gives access to routed netmail to
all users, or to any user who asks for it.  This is because a true 
common carrier has an obligation to handle traffic for anyone who 
meets the requirements of the tariffs.  Conversely, the BBS looks less
like a common carrier if relatively few users can access netmail.  If
routed mail is added into the equation, the BBS begins to look more 
like a relay point in a common carrier scheme when it grants relay 
privileges to more and more other systems.
 
Note that in Cubby v. Compuserve, 776 F. Supp. 135 (S.D.N.Y. 1991), 
the court held Compuserve not liable for material on their system 
unless they were shown to have actual knowledge and did not take 
appropriate action.  The court found them to be like booksellers, who
are similarly immune unless actual knowledge is shown.  If sysops make
a practice, or state as their practice, the routine viewing of all 
material on their system, the qualified immunity they arguably have is
destroyed. 
 
                         ENCRYPTION (finally) 
 
Note that whether or not the message was encrypted did not figure in 
any of the above analysis, except that there is a reasonable presump-
tion that if it were encrypted it was not "readily accessible to the 
general public."  As applied to PEM and PGP, this would, it seems, 
exclude "signed" mail as long as it was not "encrypted" as well.  When
considering the impact of encryption, we must note that normally for 
criminal law to attach, knowledge (intent) is a prerequisite.  For 
seizure, there must at least be probable cause that the system was 
used in the planning or commission of a crime.  In either of those 
cases, with respect to the sysop, encrypted messages tend to disprove
the elements:  you can't show knowledge if the sysop can't read the 
traffic, and you can't prove the system was used in a crime if you 
can't read the traffic.   
 
Law enforcement might be able to show the encrypted contents were 
illegal if they could obtain the decrypted messages and trace back the
route; however, if a system ran in "pass-through" mode there would at
least be a question of proving the system was actually used.  If the 
system ran in toss and rescan, and if the message hadn't deleted due 
to age or number of messages, then you could show the message was on 
the system.  But you still couldn't show the sysops had knowledge, 
making it less likely they would be perceived as somehow "guilty" of 
something.  This last point is enhanced if it can be shown that the 
system routinely routed mail for any and all parties. 
 
 
                              CONCLUSION 
 
The question of sysop liability for messages stored on or passing 
through their system is unsettled.  Sysop liability might attach as 
part of a criminal act, but knowledge is required and the fact of 
encryption would, when the sysop could not read the message, tend to 
disprove knowledge.  Liability might attach in the form of civil 
forfeiture, but again lack of knowledge makes the sysop appear less 
"blameworthy."  While guilt is not an element of civil forfeiture, the
conventional wisdom is that forfeiture is only used when guilt of some
kind has attached, at least in the mind of law enforcement, to the 
owner of the property.  The more a sysop and system look like a common
carrier, handling traffic without knowledge of the contents, the less
likely they are to be subject to some sort of liability for their 
actions.  Finally, the use of public key encryption does not appear 
increase their liability, and might in some circumstances decrease it.
 
For the reasons stated above, it is my conclusion that systems routing
mail should use pass-through where available, and should specifically
allow, and even encourage, the use of public key encryption as a 
measure to limit their liability in case they are used in some ques- 
tionable manner. 

[The author is an attorney licensed to practice in the state and 
federal courts of Nebraska.  While he has studied the issues fairly 
extensively, the comments apply generally to persons within the United
States and he is not giving legal advice to any particular person. 
Finally, this memorandum does not address International Traffic in 
Arms Regulations (ITAR) (22 CFR 120 ff) applicable to the export 
and/or import of cryptographic software.  No one should rely upon the
following without consulting their own attorney for advice on their 
particular question or problem.]