April 12, 1988
Privacy, BBS's, ECPA, and Thompson v. Predaina
==============================================
Information: This is a discussion, from a local San Diego BBS, about
online privacy including a look at the _Thompson_v._Predaina_ BBS/ECPA
lawsuit and how privacy law works, or not work, in different factual
contexts. Some reformating and a few typo corrections were made from
the original postings. Although this is somewhat comprehensive and may
cover almost any user question about online privacy (as well as possibly
clear up some misconceptions), this is not the complete discussion. It
only includes most of what I wrote. The complete discussion is currently
on PRO-SOL at (619)281-7222.
Disclaimer: This material is only presented for informational purposes
and not to convey legal advice.
Advertisement: This discussion is from PRO-SOL (619)281-7222 in San
Diego, California. PRO-SOL's Sysop is Morgan Davis. He is the author
of the ProLine software that PRO-SOL and the growing network of ProLine
systems run on. It's au UNIX-like system with shells and identical com-
ands like on an UNIXsite -- but it runs on an Apple computer! The Pro-
Line network is linked up with the UUCP and internet world too. As well
as an in-depth discussion of online privacy, this next message should
give you at least one sample of the types of discussions held on PRO-
SOL. If you would like more information about PRO-SOL and the ProLine
software, call PRO-SOL.
Warning: These excerpts from the discussion are long -- totalling about
90k.
------------------------------------------------------------------------
Ruel T. Hernandez (B.A., M.A., J.D.), P.O. Box 5813, Chula Vista, CA
92012 CIS: 71450,3341 GEnie: R.HERNANDEZ - Internet:
ruel@cup.portal.com
------------------------------------------------------------------------
CS-ID: #435.issues/legal@PRO-SOL 2908 chars
Date: Sun, 27 Mar 88 15:23:31 PST
From: ruel (Ruel Hernandez)
Subject: online privacy -- part 1
For those of you who read the posts in proline/net, you may have noticed
the excerpt from CompuServe:
FEDERAL PRIVACY SUIT AGAINST BBS OPERATOR
(March 26)
An electronic bulletin board system user has filed a $112,000 law-
suit against a BBS and its system operator claiming that the Sysop did
not properly safeguard private electronic mail. The lawsuit could prove
to be a landmark since a court ruling would be the first one handed down
under the federal Electronic Communications Privacy Act of 1986. The
ECPA mandates privacy protection of electronic communications, including
the electronic mail found on comercial services and bulletin board sy-
stems.
Linda Thompson filed a pro se complaint in the US District Court
for the Southern District of Indiana. The civil action alleges that Bob
Predaina, doing business as the Professional's Choice Bulletin Board,
violated federal or Indiana state law on 10 counts.
According to the complaint obtained by Online Today, during Decem-
ber of 1987, Predaina allowed others to access and view the contents of
all electronic communications in a private message portion of the sub-
scription BBS. Prviously deleted private messages were also restored so
that others could read them. Apparently, Thompson`s private E-MAIL was
among the messages made available to others.
Again, in January, 1988, the Sysop "intentionally or recklessly in-
tercepted and restored to the public portion of the board," a private
message of Thompson's that she had previously deleted. In subsequent
action, the Sysop denied Thompson access to the board even though she
had paid one year subscription to the BBS. When Thompson requested that
the Sysop refrain from actions that "were contrary to the law," Predaina
refused.
The last two counts of the complaint could be the most damaging and
state that on January 6, the Sysop "intentionally, maliciously or with
reckless disregard for the truth, made statements which on their face
are damaging to the professional and personal reputation of [Thompson]
in public and to another person, subjecting the Petitioner to humilia-
tion, personal anguish and ridicule." In the suit, Predaina is charged
with making similar statements in the form of publicly posted BBS mes-
sages.
Predaina did not respond to phone calls from Online Today for a
reaction to the lawsuit. However, callers to Predaina's BBS are greeted
with a public apology to Thompson.
"Generally Sysops are good at policing themselves and their
boards," Thompson told Online Today. "The reason for the lawsuit was
that there apparently was going to be no resolution between [Predaina
and myself]. I think that if you have a board that has a facility for
private mail, you have a right to expect that private mail stays private
and is not spread all over."
- James Moran
(continued next message)
CS-ID: #436.issues/legal@PRO-SOL 14439 chars
Date: Sun, 27 Mar 88 15:44:39 PST
From: ruel (Ruel Hernandez)
Subject: online privacy -- part 2
(continued from previous message)
I've received some phone calls about something like this from a Seattle
Sysop (who heard about it from from the EXEC-PC system). He indicated
that the situation may have been more involved. Whether it was or not,
you can see how complicated the situation could get. What he told me
about the situation was that the lady had sent or was receiving a pri-
vate message, via an echo intermail system on the OPUS or FIDO networks,
which was changed by the Sysop of a system to public. So, her private
communications would be echoed publicly on a bunch of different OPUS or
FIDO systems across the nation. If this complaint is of the same case
the Seattle Sysop told me about, well, it is a big mess. From what I
understand, a defense fund was set up to help the defendant Sysop.
This is one of two civil cases under the ECPA that I've heard about. In
addition to this one, there was one case in New York which involved a
bbs-type system run by a business for its employees. (Could have been a
standalone BBS, or big LAN or a WAN for all I know.) The owner/president
of the company was snooping in the private EMAIL to see what his employ-
ees were saying about him. As a result one employee was fired for elec-
tronically bad-mouthing his boss on the system. The New York case was
dropped or settled, I've forgotten which. Of course, there are crimin-
ally-related situations that ECPA was designed for, but those are war-
rants/search&seizure situations involving the police and I don't know
of any real cases there.
Anyways, here's that complaint. The Seattle Sysop said the plaintiff
here is a law student. And she is suing pro se here without an
attorney.
UNITED STATES DISTRICT COURT
FOR THE SOUTHERN DISTRICT OF INDIANA
CIVIL DIVISION
Linda Thompson, ) Civil Action No. IP-88 93C
) -----------
Petitioner, )
)
v. )
)
Bob Predaina, )
d/b/a Professional's Choice )
Bulletin Board )
)
Respondent. )
COMPLAINT
Comes now the Petitioner, Linda Thompson, and complains of the Re-
spondent, Bob Predaina, doing business as the Professional's Choice
Bulletin Board, and in support thereof would show the court:
1. That Petitioner Linda Thompson is a citizen of the United
States and resident of the State of Indiana, County of Marion.
2. That this action arises under U.S.C., Title 18, Chapter 119,
entitled Wire and Electronic Communications Interception of Oral Commun-
ications, ss 2520; U.S.C., Title 18, Chapter 121 entitled Stored Wire
and Electronic Communications and Transactional Records Access, ss 2707;
U.S.C., Title 47, Chapter 5, entitled Wire or Radio Communication, ss
605(d)(3)(a) and the laws of the State of Indiana. The matter in con-
troversey exceeds, exclusive of interest and costs, the sum of ten thou-
sand dollars.
3. That the respondent, Bob Predaina, at all times material was
the owner of a Computer Communications System, as defined in U.S.C.,
Title 18, ss 2510 (14) located in Marion County, Indiana.
4. That the Respondent, Bob Predaina, at all times material was
the owner and operator (hereinafter "System Operator") of an electronic
communication service, as defined in U.S.C., Title 18, ss 2510 (15) and
or remote electronic communication service, as applicable, operated
from, attached to or part of the Respondent's Computer Communications
System.
5. That at all times material the computer service of the Respon-
dent was operated under the name of The Professional's Choice Bulletin
Board (hereinafter by name or "the BBS") in the county of Marion, state
of Indiana.
6. That the BBS at all times material provided electronic communi-
cation, as defined in U.S.C., Title 18, ss 2510 (12), between "users" as
defined in U.S.C., Title 18, ss 2510 (13).
7. That at all times material, the BBS provided electronic stor-
age, as defined in U.S.C., Title 18, ss 2510 (17) of the electronic com-
munications of users.
8. That at all times material certain electronic storage and com-
munication on the BBS was configured so that electronic communications
designated by the user as "Receiver Only" were private electronic com-
munications to a designated recipient and not readily accessible to the
general public.
9. That at all times material, all electronic storage and communi-
cation on the BBS was configured so that electronic communications
transmitted by a user could be deleted only by the sending user, the
system operator or the designated recipient of a "Receiver Only" commun-
ication, and once deleted, said communication could not be transmitted,
read or readily accessed by anyone, including the system operator.
10. That at all times material, the respondent was a person, as
defined in U.S.C., Title 47, ss 153 (i) engaged in receiving, assisting
in receiving, transmitting, or assisting in transmitting interstate com-
munication by wire, as defined in U.S.C., Title 47, ss 153 (a) and (e),
by means of the electronic communications service.
11. That at all times material, the Petitioner was an authorized
user of the electronic communications service of the Respondent, and had
paid the sum of $35.00 as a subscription fee for a one year service in
October, 1987 to the Respondent.
COUNT I:
12. The Petitioner incorporates and realleges paragraphs 1 through
11 above and further alleges that on an undeterminable date in January,
1988, without the permission or knowledge of the petitioner, that the
Respondent, Bob Predaina, through the use of an electronic, mechanical,
or other device, as defined in U.S.C., Title 18, 2510 (5), intentionally
or recklessly intercepted, caused to be restored, and thereby altered
the authorized access to a private electronic communication to which
there was no intended recipient, which communication had been trans-
mitted to and immediately deleted from the electronic storage of the BBS
by the Petitioner on January 2, 1988, and that said actions of the Re-
spondent are contrary to U.S.C., Title 18, ss 2511 (1)(a); U.S.C., Title
18, ss 2511 (1)(d); U.S.C., Title 18, ss 2511 (3)(a); U.S.C., Title 18,
ss 2701 (a) and U.S.C., Title 47, ss 605 (a);
COUNT II:
13. Petitioner incorporates and realleges paragraphs 1 through 11
and further alleges that the respondent, through the use of said device,
caused said restored private electronic communication to be converted to
a publicly visible electronic communication, readily accessible by mem-
bers of the public, contrary to U.S.C., Title 18, ss 2511 (1)(c); U.S.C.
Title 18, 2702 (a) and U.S.C., Title 47, ss 605 (a);
COUNT III:
14. Petitioner incorporates and realleges paragraphs 1 through 11
and further alleges that on an undeterminable date in December, 1987 the
Respondent through use of an electronic, mechanical, or other device,
intentionally or recklessly caused to be made public a private electron-
ic communication addressed to the Petitioner, Linda Thompson, without
the permission or the knowledge of the sender or of the Petitioner con-
trary to U.S.C., Title 18, ss 2511 (1)(a); U.S.C., Title 18, ss 2511 (1)
(c); U.S.C., Title 18, ss 2511 (3)(a); U.S.C., Title 18, ss 2701 (a) and
U.S.C., Title 47, ss 605 (a).
COUNT IV:
15. Petitioner incorporates and realleges paragraphs 1 through 11
and paragraph 13 and further alleges that the Respondent replied in a
public electronic communicaiton on the BBS to a private electronic com-
munication addressed to the Petitioner, Linda Thompson, thereby disclos-
ing certain contents of said electronic communication to members of the
public, without the permission of the sender or the recipient, contrary
to U.S.C., Title 18, ss 2511 (1)(c); U.S.C., Title 18, 2511 (1)(d);
U.S.C., Title 18, ss 2511 (3)(a); U.S.C., Title 18, ss 2701 (a); U.S.C.,
Title 18, ss 2702 (a) and U.S.C., Title 47, ss 605 (a).
COUNT V:
16. Petitioner incorporates and realleges paragraphs 1 through 11
and further alleges that during the month of December, the respondent
allowed a person and/or persons unknown to access and view the contents
of all electronic communications, both public and private in portions of
the electronic storage not readily accessible by members of the general
public without the knowledge or permission of the petitioner and to this
end, that the Respondent restored certain previously deleted electronic
communications of the petitioner and allowed such other person, not the
intended recipient of any of such communications, to read such communi-
cations, contrary to U.S.C., Title 18, ss 2511 (1)(a); U.S.C., Title 18,
ss 2511 (1)(c); U.S.C., Title 18, ss 2511 (1)(d); U.S.C., Title 18, ss
2511 (3)(a); U.S.C., Title 18, ss 2701 (a); U.S.C., Title 18, ss 2702
(a) and U.S.C., Title 47, ss 605 (a).
COUNT VI:
17. Petitioner realleges and incorporates paragraphs 1 through 11
and further states that on January 3, 1988, the respondent intentionally
altered the access of the petitioner to the electronic communication
service, contrary to U.S.C., Title 18, ss 2701 (a);
COUNT VII:
18. Petitioner realleges and incorporates paragraphs 1 through 11
and further states that the respondent intentionally prevented the pe-
titioner from authorized access to the electronic communication service
from January 3, 1988 to January 6, 1988, contrary to U.S.C., Title 18,
ss 2701 (a);
COUNT VIII:
19. Petitioner realleges and incorporates paragraphs 1 through 18
and further states that on January 6, 1988, the Petitioner requested
that the Respondent agree to refrain from any further such actions con-
trary to law and the Respondent refused;
COUNT IX:
20. Petitioner realleges and incorporates paragraphs 1 through 11
and paragraph 19 and further alleges that on January 6, the respondent
intentionally, maliciously or with reckless disregard for the truth,
made statements which on their face are damaging to the professional and
personal reputation of the Petitioner in public and to another person,
subjecting the Petitioner to humiliation, personal anguish and ridicule,
and that said conduct of the Respondent was contrary to Statutory and
common law of the State of Indiana;
COUNT X:
21. Petitioner realleges and incorporates paragraphs 1 through 11
and paragraph 19 and further alleges that on January 8, the Respondent
intentionally, maliciously, or with reckless disregard for the truth,
made written statements in the form of electronic communications about
the Petitioner which on their face are damaging to the professional and
personal reputation of the Petitioner to members of the legal profes-
sion, subjecting the Petitioner to humiliation, personal anguish and
ridicule, and that said conduct of the Respondent was contrary to Statu-
tory and common law of the State of Indiana;
22. Petitioner realleges and incorporates paragraphs 1 through 21
and further alleges that all of the facts alleged of the Respondent were
committed willfully, knowingly, intentionally or recklessly, and/or for
the purpose of direct or indirect commercial advantage of the Respon-
dent.
WHEREFORE, the Petitioner respectfully prays this Court for a stat-
utory award of damages persuant to U.S.C., Title 18, ss 2520 (c)(2)(b)
of ten-thousand dollars ($10,000.00) for each of counts I through V,
totalling fifty-thousand dollars ($50,000.00); for a statutory award of
damages persuant to U.S.C. Title 18, ss 2707 (c) of one-thousand dol-
lars ($1,000.00) for each of counts VI and VII, totalling two-thousand
dollars ($2,000.00); for a statutory award of damages persuant to U.S.C.
Title 47 ss 605 (d)(3)(C)(i)(II) of $250.00 for each of Counts I through
V, totalling one-thousand-two-hundred-fifty dollars ($1,250.00); puni-
tive damages persuant to U.S.C., Title 47, ss 605 (d)(3)(C)(ii), U.S.C.,
Title 2520, ss (b)(2) in the amount of fifty-thousand ($50,000); for an
award of nine-thousand ($9,000.00) for the damage to Petitioner's per-
sonal and professional reputation alleged in Counts IX and X; all to the
total amount of one-hundred-twelve-thousand-two-hundred-fifty dollars
($112,250.00) plus interest; and for attorneys fees and costs persuant
to U.S.C. Title 18, ss 2520 (b)(3); U.S.C., Title 18 ss 2707 (b)(3);
and U.S.C., Title 47, ss 605 (d)(3)(B)(iii); and for any and all other
relief just or equitable under the circumstances.
Respectfully submitted,
Linda Thompson, pro se
Petitioner
P.O. Box 83
Beech Grove, Indiana 46107
Telephone: [deleted]
==============
Okay, there it is. You be Judge Wapner. Would you find for the plain-
tiff modem user or for the defendant Sysop? One factor you may want to
consider is whether the defendant Sysop intended to change the status?
Various facts that will have to brought out is whether the Sysop gave
notice that he will make things public and therefore a caller should not
send private EMAIL from the particular system in question. Of course,
this is somewhat of a rehash of what was discussed before, but it might
be interesting to talk about the situation in light of real case.
And there are a bunch of other claims (or causes of action) in this
situation besides violation of the federal ECPA statute which I could
pull out of the puzzle for you later....
*****
CS-ID: #452.issues/legal@PRO-SOL 1675 chars
Date: Wed, 30 Mar 88 14:46:19 PST
From: ruel (Ruel Hernandez)
Subject: The Thompson v. Predaina situation (part 1)
THOMPSON V. PREDAINA
The BBS/ECPA Lawsuit Case
=========================
Okay, let's take an in-depth examination of the Thompson v. Predaina
complaint. I'm going to go through it to see how I think the whole
situation, not just the complaint, seems to work. Additionally, you
will see how the law is supposed to operate in this area in a civil law
BBS context. Some criminal law / criminal procedure will be discussed,
but the focus of the case here is civil. Since I do not work for either
side, and I'm only doing this for the academic exercise, you all will
get to see the benefit of my work.
For those of you who run a BBS, this should also alert you to what you
should not do in running a BBS. All of this assumes you have privacy
switches or toggles on the system, i.e., the caller/user of a BBS has
the ability to send or receive private messages (or has access to pri-
vate user areas), or that there is no type of non-privacy disclaimer
warning on the system.
In a related area, this should also give folks more of an idea as to
when "flames" may cross the boundary line into lawsuit-producing
defamation.
We'll look at the situation in three parts: (1) federal statutory law,
specifically the two claims under the Electronic Communications Privacy
Act and the one other claim under a related federal statute; (2) pos-
sible application, if any, under state statute -- in California, that
would include Penal Code sections 502 and 637, and in Indiana, where the
Thompson situation takes place, under a "computer trespass" criminal
statute; and (3) general common law tort actions.
(continued next message)
CS-ID: #453.issues/legal@PRO-SOL 9435 chars
Date: Wed, 30 Mar 88 15:02:37 PST
From: ruel (Ruel Hernandez)
Subject: The Thompson v. Predaina situation (part 2)
(continued from last message)
FEDERAL STATUTE
===============
Essentially, Thompson brings three separate federal claims against
Predaina. Two are under what is known as the Electronic Communications
Privacy Act of 1986 (ECPA). The third is under the related section of
47 U.S.C. sec. 605 which was amended in 1984 to include encrypted
satelite cable broadcasts.
ECPA - General Background
-------------------------
ECPA is the law that provides federal statutory privacy protection for
computer communications both in transmission and while in storage on
magnetic media. Generally, here we will be looking at stored communica-
tions. Such communications has *no* federal constituational privacy
protection due to the fact that there is no objective reasonable expec-
tation of privacy in material when a third person has access. In other
words, constitutional privacy is shattered for private EMAIL if someone
like Sysop or an employee of a commercial online service can readily
have access to and look at and read the private EMAIL. This is where
ECPA comes along to fill in the "knothole" by saying such private com-
puter material is given statutory privacy protection.
ECPA was designed in great part as matter of criminal procedure to
alleviate the uncertainty of whether a warrant or court order was
required by the police to search the "private" communications found on
an online system. This is in cases of the commission of felonies and
other crimes specified by the statute. ECPA gave various strict
guidelines that the police must follow in order to search the private
communications. One important thing Sysops must know is that they may
be asked to supply a back-up copy of specifically described communica-
tions found on the system. They cannot have everything -- only what is
specifically described and asked for in a warrant. This would be in
line with the constitutional limitations for a warrant. In most cases,
they may ask for private communications between person X and person Y.
Accordingly, you don't have to give them anything concerning person W.
ECPA requires notice be given to the person whose private communications
is to be intruded upon unless there are exigent circumstances. The only
ways a Sysop to get out from having to comply with the warrant is:
(1) if in the case of a state-issued warrant or court order, the
State prohibits such issuance;
(2) the information sought is unusually voluminous in nature; or
(3) compliance would cause an undue burden on the provider/Sysop.
All that is when the police come knocking on the Sysop's door to look at
private EMAIL.
What we are really looking at here is when a private individual sues
someone else for intruding upon his private communications. This is
when we look at sections 2520 and 2707 of ECPA which each provide two
different civil claims.
The former covers private communications while in transmission, while
the latter when the private communications is stored. Why sue under
both? To make sure you catch the wrongdoer whether the communications
is still in transmission or after it is stored.
18 U.S.C. sec. 2520
-------------------
Okay, what does the statute say here: "[A]ny person whose wire, oral,
or electronic communications is intercepted, disclosed, or intentionally
used in violation of this chapter may in a civil action recover from the
person or entity which engaged in that violation such relief as may be
appropriate." Here the private communications is still in transmission
and has been divulged by the wrongdoer to someone other than the
intended recipient (or his agent).
The civil relief may include:
(1) equitable or declaratory relief (respectively, either
an injunction telling the person to stop the intrusion
or a declaration by the court of the rights and inter-
ests involved);
(2) punitive damages (such as in the case of an outrageous
intentional invasion and disclosure); and
(3) reasonable attorney's fees and litigation costs.
There are also various other damages allowed in the case of certain sat-
ellite and radio transmissions.
Complete defenses allowed here are good faith reliance on any of the
following:
(1) a court warrant or order, a grand jury subpoena,
a legislative authorization, or a statutory author-
ization (even it turns out to be invalid);
(2) a request by an investigative or law enforcement
officer in emergency situations such as:
(i) immediate danger of death or serious
bodily injury to any person,
(ii) conspiratorial activities threatening
the national security interest, or
(iii) conspiratorial activities characteristic
of organized crime;
or
(3) a good faith determination that ECPA allowed the
intrusion.
Notice that there is a lot of latitude allowed in these defenses so long
as there is good faith. Of course, a court would have a lot of discre-
tion to see whether certain conduct was in good faith.
18 U.S.C. sec. 2707
-------------------
Okay, what do we have here: "[A]ny provider of electronic communication
service, subscriber, or customer aggrieved by any violation of this
chapter in which the conduct constituting the violation the violation is
engaged in with a knowing or intentional state of mind may, in a civil
action, recover from the person or entity which engaged in that viola-
tion such relief as may be appropriate." The private communications here
is stored or "carried or maintained" (such as in the forwarding of EMAIL
along Internet, ARPA, UUCP, BITNET, FIDOnet, etc.) that was knowingly
accessed and divulged to the public or any third person.
A plaintiff could seek the same types of relief as under 18 U.S.C. sec.
2520. In addition, a plaintiff can seek any actual damages suffered by
him and any profits made by the wrongdoer as the result of his unlawful
access to the private communications (such as someone accessing private
financial information and using it to gain a financial advantage he
would not have gotten otherwise). However, damages can be no less than
$1000.
Unauthorized Publication or Use of Communications -- 47 U.S.C., sec. 605
------------------------------------------------------------------------
47 U.S.C. sec. 605 provides yet another federal civil action in addi-
tion to those allowed under ECPA. This statute was in existence before
ECPA.
What does this section say: "[N]o person receiving, assisting in re-
ceiving, transmitting, or assisting in transmitting, any interstate or
foreign communication by wire or radio shall divulge or publish the
existence, contents, substance, purport, effect, or meaning thereof,
except through authorized channels of transmission or reception,
(1) to any person other than the addressee, his agent
or attorney,
(2) to a person employed or authorized to forward such
communication to its destination,
(3) to proper accounting or distributing officers of
the various communication centers over which the
communication may be passed,
(4) the master of a ship under whom he is serving,
(5) in response to a subpena issue by a court of com-
petent jurisdiction,
(6) on demand of other lawful authority."
....
(There is more with regards to radio communications.) As you can see,
this statute is very much related to ECPA. ECPA only further refines
the protection with regard to stored communications. There may be some
question as to whether stored communications on disk may come under this
statute. Most likely the answer will be "yes," since we would be look-
ing at individuals charged with handling messages (EMAIL) in the "re-
ceiving, assisting in receiving, transmitting, or assisting in transmit-
ting" of communications. This may include a Sysop who runs a BBS that
is operated to receive and transmit private EMAIL. The persons the
statute is aimed at would include some sort of communications, radio,
telegraph, telephone or systems operator, or, in the case of a BBS, a
Sysop (or someone who has Sysop status to examine, in this case, private
EMAIL transmissions).
What are the civil remedies allowed under this statute:
(1) the plaintiff may get an injunction against the
wrongdoer to stop what he is doing;
(2) actual damages suffered by the plaintiff, plus
any profits made by the wrongdoer who would not
have made them if not for the unlawful use of the
communications; or
(3) statutory damages of $250 for each violation of
this statute, but not more than $10,000.
Additionally, if a violation was willfully committed and for direct or
indirect commercial advantage or private financial gain, a court may
increase any award to the plaintiff up to $50,000.
The commercial advantage claim would be in Thompson's paragraph 22 of
her complaint.
However, if it is found that the wrongdoer did not know and had no rea-
son to know that his actions constituted a violation of this statute, a
judge has the discretion to reduce any award to plaintiff downward to
$100.
Okay, those are the federal statutes. Now for some state statutes.
(continued next message)
CS-ID: #454.issues/legal@PRO-SOL 9317 chars
Date: Wed, 30 Mar 88 15:17:37 PST
From: ruel (Ruel Hernandez)
Subject: The Thompson v. Predaina situation (part 3)
(continued from last message)
STATE STATUTES
==============
Here we are going to look at three more statutes. The first is a
statute from Indiana since that is where _Thompson_v._Predaina_ takes
place. The second two are California statutes since this is an area of
most concern to callers of this system (almost all of the callers on
PRO-SOL live in California!). Note, as a matter of jurisdiction,
usually state statutes say that if a call originates in one state and
terminates in another, the offense is committed in both states at both
ends of the transmission. So, if an out-of-state user calls into a
California computer communications system, and he commits some sort of
offense on that system, he is deemed to have committed that offense in
California.
Indiana State Statute
---------------------
There is one criminal statute in Indiana called a "computer tresspass"
statute. Ind. Code sec. 35-45-2-3. It says: "A person who knowingly
or intentionally accesses: (1) a computer system; (2) a computer net-
work; or (3) any part of a computer system or computer network; without
the consent of the owner of the computer system or computer network, or
the consent of the owner's licensee, commits computer trespass, a Class
A misdemeanor."
As you can see, this could cover someone illegally using someone else's
standalone PC, someone illegally logging in time on mainframe, or some-
one illegally using or accessing part of a BBS or a computer network.
The coverage is very broad. So, a prosecutor could nail someone for
such illegal computer trespass for a misdemeanor.
Could someone sue as a private person under this statute? Usually, you
would have to look for a section that allows a civil suit by a plaintiff
injured as the result of defendant's violation of a criminal statute.
Ind. Code sec. 34-5-1-1, R.C.P. 2, may allow such a civil action to
"be sought independently of and in addition to the punishment given or
relief granted for the public offense."
In California, the situation is laid out a little more specifically.
California State Statute -- Penal Code Section 502
--------------------------------------------------
California has Penal Code section 502, known as the "Comprehensive
Computer Data Access and Fraud Act." Unfortunately, hobbyist-type BBS's
may not come under this statute since it appears to be primarily de-
signed to protect business, company, or government computers, such as in
the prosecution of a cracker invading a bank mainframe computer. But
for your information, this is how the statute works in such situations,
it provides the imposition of both criminal penalties and civil remedies
against "[A]ny person [except an "any person who accesses his or her
employer's computer, computer system, or computer network"] who commits
...
(1) Knowingly accesses and without permission alters,
damages, deletes, destroys, or otherwise uses any
data, computer, computer system, or computer net-
work in oder to either (A) devise or execute any
scheme or artifice to defraud, deceive, or extort,
or
(B) wrongfully control or obtain money,
property, or data.
(2) Knowingly accesses and without permission takes,
copies, or makes use of any data from a computer,
computer system, or computer network, or takes or
copies any supporting documentation, whether
existing or residing internal or external to a
computer, computer system, or computer network.
(3) Knowingly and without permission uses or causes
to be used computer services.
(4) Knowingly accesses and without permission adds,
alters, damages, deletes, or destroys any data,
computer software, or computer programs which
reside or exist internal or external to a compu-
ter, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes
the disruption of computer services or denies or
causes the denial of computer services to an author-
ized computer network.
(6) Knowingly and without permission provides or sssists
in providing a means of accessing a computer, compu-
ter system, or computer network.
(7) Knowingly and without permission accesses or causes
to be accessed any computer, computer system, or com-
puter network.
There are various criminal penalties allocated to these criminal of-
fenses ranging from $250 to $10,000 and imprisonment of less than one
year up to three years.
A civil remedy is available to the owner or lessee (not licensee as with
a user on a BBS) of a system. He may sue for compensatory damages
against a wrongdoer ONLY AFTER THAT WRONGDOER HAS BEEN CONVICTED. The
willfull misconduct of a child wrongdoer may be imputed to his parents
-- thus the parents would be liable for damages caused by the child.
As already noted, the California statute does not apply to hobbyist-type
BBS's due to the commercial slant of the statute. If there was civil
coverage for BBS's (the construction of the statute indicates there
isn't any) it would only be after the wrongdoer has been convicted.
California's Invasion of Privacy Statutes -- Section 637
--------------------------------------------------------
Another California statute that would look to be applicable to BBS
stored-communications situations would be Section 637 of the California
Penal Code which states:
Every person not a party to a telegraphic or telephonic communica-
tion who willfully discloses the contents of a telegraphic or tele-
phonic message, or any part thereof, addressed to another person,
without the permission of such person unless directed so to do by
the lawful order of a court, is punishable by imprisonment in the
state prison, or in the county jail not exceeding one year, or by
fine not exceeding five thousand dollars ($5000), or by both fine
and imprisonment.
Section 637.2 of the California Penal Code allows civil action by "Any
person who has been injured by a violation of this chapter [specifically
Section 637 in our discussion here] may bring an action against the
person who committed the violation for the greater of the following
amounts:
(1) three thousand dollars ($3000).
(2) three times the amount of actual damages, if any,
sustained by the plaintiff.
A plaintiff could also ask for an injunction to stop the wrongdoer. The
plaintiff does not have to suffer actual damages to sue under 637.2 --
for instance, he could get the statutory award of $3000 absent actual
damages. If there are actual damages, the plaintiff could be awarded
treble that amount.
So far, it all looks good. Now, the question is "would private EMAIL
communications come under this section 637, thus allowing a civil action
under 637.2?"
There was one interesting section 637 case that may dictate the answer
for us. In _People_v._Wilson_, 17 Cal. App. 598, 94 Cal. Rptr. 923
(1971), there was a defendant using an answering service to receive
calls from Tijuana with regard to the illegal transport of marijuana.
By agreement with the defendant, the answering service was supposed to
take all telephone messages meant for the subscriber, reduce the con-
tents of the communications down to writing, and then give the messages
to the subscriber. A narcotics agent found out about the answering ser-
vice and told one of its employees to notify him whenever a call for the
defendant came in.
If section 637 were to apply, the evidence of messages obtained by the
narcotics agent would be suppressed and not be allowed to be used
against the defendant in the trial.
However, section 637 was found to be inapplicable in this case because
the answering service was a party of the telephonic communications and
was the addressee of the communications -- people made calls to the an-
swering service and not to the defendant. "The fact the answering ser-
ice had agreed with defendant to convey messages to him after their re-
ceipt does not bring them with purport of section 637."
Could a BBS be the same as an answering service and therefore not come
under section 637? Well, I'm sure one could see how the analogy would
work. A BBS user would have an agreement with a Sysop to receive and
send messages on the BBS. Users would call the BBS, and not the other
users that they wish to communicate with. The BBS would be the ad-
dressee of whatever communications meant to be ultimately accessed or
"received" by another user. Likewise the BBS would be the addressee for
whatever messages that the user would like to send out. The BBS would be
a party to the communication and therefore could disclose the contents
of whatever messages it receives and holds for others for purposes of
section 637.
Certaintly, one could see how the BBS/Sysop-as-a-party-to-the-communica-
tion knothole tosses section 637 out of the window.
(However, that doesn't mean you can't try to argue that section 637
applies to BBS's.)
So you are left with the federal statutory claims and some common law
claims (discussed infra).
(continued next message)
CS-ID: #455.issues/legal@PRO-SOL 11569 chars
Date: Wed, 30 Mar 88 15:36:10 PST
From: ruel (Ruel Hernandez)
Subject: The Thompson v. Predaina situation (part 4)
(continued from last message)
COMMON LAW
==========
Let's go back to the _Thompson_v._Predaina_ complaint to pull out some
of the common law state claims that Thompson may be trying to bring into
federal court under pendant claims subject matter jurisdiction. She has
some explicitly laid out, but others are hidden in the general fact
situation that need to be teased out. I really won't dispute why
Thompson emphasized some more than others. Okay, what do we have....
Contracts (plus Interference with Contract)
-------------------------------------------
There is a possible contracts action that has to be teased out of the
situation. The following is is what she says in her complaint, but does
not talk about it further as a separate Count for a contracts claim.
11. That at all times material, the Petitioner was
an authorized user of the electronic communications
service of the Respondent, and had paid the sum of
$35.00 as a subscription fee for a one year service
in October, 1987 to the Respondent.
Here, Thompson is only using this paragraph to show a requirement of
federal coverage under ECPA, i.e., that she was an "authorized user" of
the BBS and therefore has a right to sue under ECPA. The sentence is
divided into two parts by a comma where second part involving the $35.00
subscription fee describes the first part. The $35.00 gives some indi-
cation as to her status as an "authorized user." Note, although money
may seem to give more credibility to the situation it is not necessarily
a requirement for ECPA coverage to apply. Congress took note of free
hobbyist-type BBS's when it legislated ECPA. For instance, various lan-
guage in ECPA would show coverage for these types of systems including
commercial and subscription system. Also, the Senate Report defined
"electronic bulletin boards." In part, the Senate wrote, "These noncom-
mercial systems may involve fess covering operating costs...." The oper-
ative word there is "may" which could be interpreted as "may not."
Thus, fees may not be involved and free BBS's would be covered by ECPA.
This may seem to be a nitpicky point to some, but people should take
note of how ECPA should be interpreted and not be confused as to whether
only commercial systems are covered by ECPA. As BBS users may have
noticed, many free hobbyist BBS's around the country took note that ECPA
covered their systems and Sysops fearful of liability under ECPA either
placed ECPA non-privacy disclaimers (that users should call elsewhere if
they want to ensure the privacy of whatever EMAIL they send) at the
"front doors" of their systems or disabled all user privacy toggles on
their systems. Although these disclaimers have been in existence before
ECPA, they became more explicit citing section numbers of ECPA after
ECPA took effect in January 1987.
Okay, why would Thompson want to talk about a contracts claim? Well, to
either get her $35 back, or a reasonable amount after deducting the
value for the services she got from the BBS before she got kicked off
it, or to seek specific performance of the contract to force Predaina to
let her back on the system.
Why would she not want to talk about it as a separate contracts claim?
She may probably get it anyways as actual damages under her federal
claims.
A tort claim of Interference with Contract could also be drawn out of
the situation (where Predaina was intentionally interfering with the
contract he had with Thompson to provide BBS services to her). The same
reasons for non-inclusion may possibly be because she may get it anyways
under her federal claims or as part of "any and all other relief just or
equitable under the circumstances" as prayed for at end of her
complaint.
Defamation
----------
In COUNT IX, Thompson writes:
20. Petitioner realleges and incorporates paragraphs
1 hrough 11 and paragraph 19 and further alleges that
on January 6, the respondent intentionally, maliciously
or with reckless disregard for the truth, made statements
which on their face are damaging to the professional and
personal reputation of the Petitioner in public and to
another person, subjecting the Petitioner to humiliation,
personal anguish and ridicule, and that said conduct of
the Respondent was contrary to Statutory and common law
of the State of Indiana;
A simple common law defamation claim involving private persons is de-
fined as an intentional or negligent publication of a false and defama-
tory matter to a third person, understood by the third person that the
defamatory imputations applied to the plaintiff, and plaintiff has suf-
fered damages as a result.
Thompson complains that Predaina "intentionally, maliciously or with
reckless disregard for the truth, made statements which on their face
are damaging to the professional and personal reputation of the
Petitioner in public and to another person...."
Unfortunately, we need more facts to see what Predaina said. However,
presumedly, the statements that Thompson attributes to Predaina were
made via the BBS. That would qualify it to be Libel under defamation
law, since it was written and could be seen/read by the eye and not
heard by the ear as in Slander. More specifically, it would be Libel
Per Se since Thompson alleges that the statements were damaging to her
professional, or business, reputation. (Defamation Per Se does not
require the proof of special damages and general damages are presumed
when one makes a defamatory remark about the plaintiff's business, or
the plaintiff being associated with either a crime, a loathsome disease,
or unchastity.) We don't really know what profession Thompson is in
except for what is brought out in a little more detail in the next
paragraph (paragraph 21) where Thompson states she is in the "legal
profession." (The further significance of this phrase will be talked
about a little more in the next discussion section.) So, presumedly, she
is either a lawyer, law clerk, law student, or a legal assistant. She
may be one of the last three since she is suing pro se i.e., without the
assistance of an attorney.
Business Tort: Injurious Falsehood
----------------------------------
Business Tort: Interference with Prospective Advantage
------------------------------------------------------
In COUNT X, Plaintiff Thompson writes:
21. Petitioner realleges and incorporates paragraphs
1 through 11 and paragraph 19 and further alleges that
on January 8, the Respondent intentionally, maliciously
or with reckless disregard for the truth, made written
statements in the form of electronic communications
about the Petitioner which on their face are damaging
to the professional and personal reputation of the Pe-
titioner to members of the legal profession, subjecting
the Petitioner to humiliation, personal anguish, and
ridicule, and that said conduct of the Respondent was
contrary to Statutory and common law of the State of
Indiana;
First, the business tort of Injurious Falsehood (aka Disparagement) is
the publication of matter derogatory to a plaintiff's property title,
business, or personal affairs, calculated to prevent others from dealing
with plaintiff. In other words, defendant said bad things that causes
others to not deal with plaintiff. Thompson may be trying to say that
as read by members of the legal profession, her job as a legal profes-
sional was ruined. She may have to show damages to further substantiate
this.
Next, there is the business tort of Interference with Prospective Advan-
tage deals with one's interference with some expectancy another person
has. Thompson's would be arguing that Predaina, by making the defamatory
statements which arguably would scare away potential clients of hers,
was interferring with her future career as a legal professional, pre-
sumedly as an attorney.
Why do I catagorize these torts under this Count? Well, Thompson men-
tions "legal profession" in the paragraph. That would trigger business-
elated tort analysis to me in comparison to the mere mention of the word
"professional" (which was already used in the previous paragraph).
Infliction of Emotional Distress
--------------------------------
Two possible types of Infliction of Emotional Distress claims may be
pulled out of above quoted paragraphs 20 and 21. Both say "... subject-
ing the Petitioner to humiliation, personal anguish, and ridicule...."
There are two types of Infliction of Emotional Distress tort claims: (1)
intentional and (2) negligent.
Intentional Infliction of Emotional Distress is when one intentionally
commits outrageous conduct calculated to cause severe emotional distress
in another. Generally, as a modern rule, demonstrable injuries do not
have to be proved.
Negligent Infliction of Emotional Distress is where one breaches his
duty to not subject another to foreseeable risk of harm that may fore-
seeably result in emotional distress. Some jurisdictions require some
sort of impact (she got hit), or a physical manisfestation of the
emotional distress, or only that she be within the "zone of danger," or
perceive harm to a close family member (or immediately come upon some
accident to a close family member).
Could it be one or the other or both?
Most likely, Thompson may be trying to argue Intentional Infliction of
Emotional Distress so she could ensure getting punitive damages. In
both paragraphs 20 and 21, she writes that Thompson's conduct was
"intentionally, maliciously or with reckless disregard for the truth..."
That may arguably constitute outrageous conduct. Further, in both para-
graphs, she writes "... subjecting the Petitioner to humiliation, per-
onal anguish, and ridicule...." That may show severe emotional distress.
Could it be Negligent Infliction of Emotional Distress? Maybe. Predaina
would have a duty to not make defamatory remarks about Thompson which
could possibly cause her suffer foreseeable emotional distress.
Which one could it be? Well, maybe Intentional Infliction of Emotional
Distress since Thompson is also trying to get punitive damages which are
usually granted to punish the outrageous conduct of a defendant. How-
ever, she may be trying to get punitive damages elsewhere under her
federal claims, if there is enough outrageous conduct there to allow
it. Perhaps there is in light of an alleged intentional and knowing
disclosure of private communications to the public.
Invasion of Privacy: Public Disclosure of Private Facts
-------------------------------------------------------
A tort claim of Public Disclosure of Private Facts would underlie
Thompson's complaint. As the name of the tort implies, it is the defen-
dant's public disclosure of private facts about the plaintiff without
the plaintiff's consent. Truth is no defense here as it would be in de-
famation. No special damages have to be shown. Emotional distress could
play a resulting factor here also.
In the situation where a Sysop hits a switch and turns a private message
into public, the private message may contain facts that would be consi-
dered so private that no one would discuss them in public. Although we
don't have enough facts as to what was disclosed, we can only imagine
that the messages were indeed of a very, very private nature. Accord-
ingly, it would not be socially acceptable to disclose them.
(continued next message)
CS-ID: #456.issues/legal@PRO-SOL 1017 chars
Date: Wed, 30 Mar 88 15:38:41 PST
From: ruel (Ruel Hernandez)
Subject: The Thompson v. Predaina situation (part 5)
(continued from last message)
PRECEDENT?
==========
Thompson v. Predaina is an interesting situation. Whatever the result
of the case may be, we won't know for a while until it comes out in the
federal reporters.
Would this be a precedent setting case? Certainly as the first case
under ECPA and also the first BBS case under 47 U.S.C. sec. 605, which
has been used most recently, due to an 1984 amendment, to crack down on
those stealing encrypted satellite cable broadcasts. The most interest-
ing thing to see is how the judge actually applies the federal statutes
to the BBS situation. However that is only if the case actually goes to
trial. It may go to trial or it may settle out of court.
Depending on the evidence, Thompson may win and the Sysop involved may
have to byte some electronic dust in the form of paying out hard cash.
ECPA was designed to prevent/punish/remedy situations like this. What-
ever the true facts are, we'll have to wait and see what happens in this
case.
(end)
*****
CS-ID: #461.issues/legal@PRO-SOL 11954 chars
Date: Thu, 31 Mar 88 18:59:14 PST
From: ruel (Ruel Hernandez)
Subject: ECPA Application to Corporate Systems?
Comment: to #457 by brock
In this posting, I'm going to tackle the cumbersome question of whether
ECPA could be found to apply to corporate computer communications sys-
tems. My answer will be both "yes" and "no." That is, there will be
a catch.
In other words, ECPA applies, but not always. Some may want to think
about this if they have access to a company computer system that has
something like "private" EMAIL facilities on it. This would be the
corporate "big brother" aspect allowed under ECPA. (Brock, as awful as
it sounds, I think you're going to like what I dug up to both confirm
and deny what you previously said on this point.)
First, the network exception will be tossed out of the way (really
nothing to do with the corporate situation). Second, the cracker and
the corporate online system will be looked at (the "yes" answer). And,
third, the "corporate big brother" situation will be discussed (the "no"
answer).
Nit(Net)Picky Exception
-----------------------
First let's get one nitpicky situation out of the way. Specifically,
let's take a look at what Counsel Meeks said about 18 U.S.C. sec
2702(b)(4) (disclosures "to a person employed or authorized or whose
facilities are used to forward such communication to its destination").
Brock says that this section says that ECPA protection is inapplicable
to corporate systems.
On the contrary, this section only deals with the "efficient operation
of the communications system" as directed by the legislative history
found in the Senate Report. S. Rep. No. 541, 99th Cong., 2d Sess.
37 _reprinted_in_ 1986 U.S. Code Cong. & Ad. News 3591. The Senate
Report says nothing more here as to applying or not applying to corpor-
ate systems on this point. It seems to be more applicable to situations
involving the different nets. It may seem like "open season" on the
"open network highways", but it is more like the typical free or fee-
ased BBS or commercial public online service situation where good faith
standards may apply in quality control checks, etc.
Perhaps the more applicable section would be 18 U.S.C. sec. 2701(c)(1)
which will be discussed infra in the section entitled "The Corporate Big
Brother Situation."
The Cracker Situation
---------------------
In general, with reference to what Brock said about ECPA's original
drafters not applying to corporate systems at all, one could say that if
they intended ECPA to not apply in all instances, why didn't they say
so. They seemed to have let there be some protection with regard to
cracker or unauthorized employee situations. First, let's do a little
statutory construction and, second, some legislative history.
First, as to statutory construction, there's 18 U.S.C. sec.
2511(2)(g):
It shall not be unlawful under this chapter or chapter
121 of this title for any person (i) to intercept or
access an electronic communication made through an
electronic communication system that is configured so
that such electronic communication is _readily_acces-
sible_to_the_general_public._
A fair reading of this section would say that if the electronic communi-
cation, or even the whole electronic communication system is not readily
accessible to the general public, then a cracker or an unauthorized em-
ployee to intercept communications would be unlawful under ECPA.
What does the legislative history of ECPA tell us?
In the "Statement" section of the Senate Report, in talking about the
then pre-ECPA state of the law, the Senate writes,
... there is no comparable Federal statutory standards
to protect the privacy and security of communications
transmitted by new non-common carrier communications
services or new forms of telecommunications and computer
technology. The is so even though American citizens and
American businesses are using these new forms of tech-
nology in lieu of, or side-by-side with, first class mail
and common carrier telephone services.
It seems to me that the intent was to equate wholly private systems with
public-type systems.
Furthermore, in the "Purpose" section of the Senate Report, we have the
following paragraph:
Today we have large-scale electronic mail opera-
tions, computer-to-computer data transmissions, cellular
and cordless telephones, paging devices and video tele-
conferencing. A phone call can be carried by wire, by
microwave or fiber optics. It can be transmitted in the
form of digitized voice, data or video. Since the dives-
titure of AT&T and deregulation, many different companies,
not just common carriers, offer a wide variety of tele-
phone and other communication services. It does not make
sense that a phone call transmitted via common carrier is
protected by the current federal wiretap statute [pre-
ECPA], while the same phone call transmitted via a private
telephone network such as those used by many major U.S.
corporations today, would not be covered by the statute.
S. Rep. No. 541, 99th Cong., 2d Sess. 2-3 _reprinted_in_
1986 U.S. Code Cong. & Ad. News 3557.
Again, our federal legislature seems to be saying that both publicly
accessible systems and wholly private corporate systems are to be
treated the same.
The legislative history goes one step further when the Congress amended
amended the definition of "wire communications" to include "communica-
tion affecting interstate or foreign commerce" in 18 U.S.C. sec 2510(1),
the new "language recognizes that private networks and intra-company
communications systems are common today and brings them within the pro-
tection of the statute." S. Rep. No. 541, 99th Cong., 2d Sess. 12 re-
printed in 1986 U.S. Code Cong. & Ad. News 3566, emphasis added. Al-
though the definition applied to voice communications, this was further
evidence to show the intent of the Congress that ECPA applied to a va-
riety of systems both public and private, including corporate systems.
With specific attention to stored communications, particularly stored
electronic communications, added several new sections of law, including
18 U.S.C. sec. 2701 to address "the growing problem of unauthorized
persons deliberately gaining access to, and sometimes tampering with,
electronic or wire communications that are not intended to be available
to the_public." S. Rep. No. 541, 99th Cong., 2d Sess. 35 reprinted in
1986 U.S. Code Cong. & Ad. News 3589, emphasis added.
In a few paragraphs later, the legislative history then notes the dif-
ferences "between offenses committed for purposes of commercial advan-
tage, malicious destruction or damage, or for private commercial gain
and all other types of violation." S. Rep. No. 541, 99th Cong., 2d Sess.
36 reprinted in 1986 U.S. Code Cong. & Ad. News 3590. Although "pri-
vate commercial gain" may include logging unauthorized time on a paid
subscription service with a stolen password, "commercial advantage ...
and other types of violation" may include unlawfully accessing a closed,
private company computer to gain company trade secrets.
The Corporate Big Brother Situation?
------------------------------------
One confusing point may be with regards to 18 U.S.C. sec. 2701(c)(1)
which provides that although it may be illegal to access or exceed
authorized access to a system (and then possibly do some damage in
addition to prying into someone's electronic communication), "the person
or entity providing a wire or electronic communications service" would
not be liable for any offenses regarding stored communications (voice
mail, EMAIL, anything recorded). This exception (as well another excep-
tion where the user authorized conduct which would otherwise be an of-
fense) only applies to access, and any damage resulting, but not divul-
ging whatever information obtained. That is taken up in section 2702.
Common sense would say that these persons or entities providing elec-
tronic communications services may be found to have to follow good faith
standards as defined throughout ECPA and as talked about previously with
regard to free or fee-based hobbyist-type BBS's.
Unfortunately, it may not be that simple with regard to corporate sys-
tems. The exceptions do say that there is no offense if "person or
entity providing a wire or electronic communications service" goes
prying through everything in the system and not for quality control
checks. Section 2701(c)(1) would appear to be the statutory license
allowing corporate Big Brother to shift through private EMAIL on the
company computer to check up on its employees.
How about another big hole for corporate Big Brother to step through?
Let's take a look at 18 U.S.C. 2511(2)(a)(i) which deals with voice
communications (called "wire communications" or "aural transfers" in
ECPA):
It shall not be unlawful under this chapter for an
operator of a switchboard, or an officer, employee,
or agent of a provider of wire or electronic commun-
ication service, whose facilities are used in the
transmission of a wire communication, to intercept,
disclose, or use that communication in the normal
course of his employment while engaged in any activ-
ity which is a necessary incident to the rendition of
his service or to the protection of the rights or
property of the provider of that service, except that
a provider of wire communication service to the public
shall not utilize service observing or random monitor-
ing except for mechanical or service quality control
checks.
There are two parts to this section (as divided here). First, there is
the rule and, second, there is the exception.
The rule appears to be reasonable as to what someone like a telephone
operator can do so long as it is in "the normal course of his employ-
ment" or "to the protection of the rights or property of the provider
of that service." That seems acceptable.
The exception says that only "a provider of wire communication service
to the public," most likely a telephone company, can do no more than
observe or do any random monitoring except for mechanical or service
quality control checks. Again, wire communication can be generally be
equated to voice calls. So, possibly, the boss of a company's in-house
phone network may direct eavesdropping on company employee's phone calls
within the system.
Unfortunately, case law dealing with employee privacy tends to be in
line with how ECPA works out for employee privacy in a corporate Big
Brother situations. Too bad.
Conclusion and Lingering Questions
----------------------------------
So, does ECPA apply to corporate computer communications systems? Well,
the answer is both "yes" and "no." ECPA would protect private corporate
online systems from crackers and unauthorized employees. But it may not
protect an employee's private EMAIL from being looked at by the boss who
owns the system and is therefore the person or entity providing the in-
house electronic communications service. Perhaps rightly so, the section
2701(c)(1) exception, as well as section 2511(2)(a)(i), may acknowledge
an employer's private property rights, but the unions would not like it.
Of course, there may be provisions in an employment contract waiving any
possible privacy protection, if any, against employer snooping in pri-
vate EMAIL.
Now, I can easily see how this "yes" and "no" application of ECPA
applies to in-house corporate online systems. But what about contract
set-ups, such as a business setting up a private company area on a
normally public commercial system such as Portal? Is the employer/com-
pany still a "person or entity providing a wire or electronic communica-
tions service" to which the section 2701(c)(1) section is to apply? Or
do we have a "yes" and "yes" application of ECPA, i.e., full ECPA pro-
tection?
(end)
*****
CS-ID: #464.issues/legal@PRO-SOL 10603 chars
Date: Fri, 1 Apr 88 00:25:15 PST
From: ruel (Ruel Hernandez)
Subject: Online Privacy -- One Last Time
WARNING: some may find the issue discussed in this posting to be
ridiculous, so only take a look at the first two paragraphs and if it
seems worth your while to read, well, read on. If not, ^C and move on
to another message or conference. It may sound so commonsensical to
some that it may not be worth reading.)
I think we may have run just about the full gamut of privacy in the
BBS/online context. What I think the "last" question that should be
addressed here regarding online privacy is what happens if the intended
recipient of private EMAIL discloses the contents of that communica-
tion. Has anyone's privacy been breached? Well, I would think so.
However, was there some sort of violation under any law? Well, I really
don't think so.
I got this issue on PORTAL. PORTAL is fabulous online service available
via TELENET. Has screen emulations, USENET and intermail access and
a-okay chat facilities. On PORTAL, there is a flaming discussion going
on where someone is ranting and raving about how someone else should not
be trying to distribute copyrighted software via PORTAL. A lot of
people flamed down on him via EMAIL and he decided to post those
"private" messages. One of the public conference messages in this
brawling discussion asked about whether this was legal to do so.
So we have the problem. Is it an offense for someone to disclose the
contents of a private message addressed to himself?
For some this may sound like a ridiculous question to ask. For others,
particularly a sender of one of those publicly posted but formerly
private messages, this is an important matter. For anyone with the
academic interest, this takes the privacy question, and related matters,
a step further.
I will look at this in four parts: (1) federal law, what looked at
already; (2) a little criminal procedure; (3) common law; and (4)
copyright law (in the context of the publicly posted private EMAIL, and
not that of the unlawful distribution of copyrighted software). Again,
this is all an academic exercise for me. Take it all as you will. I'm
sure you may find the conclusions I came up with to be as ridiculous as
I found them to be. (Sometimes the analysis leads to something that
doesn't seem right, but nevertheless, it seems to be analytically
correct. Yuck.)
Federal Law
-----------
Okay what does the federal law say here regarding a recipient's disclo-
sure of private EMAIL he received? At first blush, ECPA seems to be
inapplicable to this issue. After we go through this you'll see why.
Let's review how ECPA works.
ECPA protects private wire and electronic communications both while in
transmission and as stored communications.
While in transmission, the general rule in 18 U.S.C. sec. 2511 is that
it is an offense to _intercept_ private communications. That is before
receipt of the communications. In our situation here, we are talking
about what happens after receipt. No application.
While stored, the general rule in 18 U.S.C. sec. 2701 is that it is an
offense to intentionally access without authorization or to intention-
ally exceed one's authorization in accessing a facility. Here, the in-
tended recipient of a private message has authority and generally does
not exceed it in accessing a system and receiving a private message in-
tended for him. No application.
Now, the corrollory to section 2701 is in 18 U.S.C. sec. 2702 which is
that generally it is an offense for a person or entity providing an
electronic communications service to knowingly disclose the contents of
a private message except to an addressee or intended recipient, or his
agent, to someone else with the consent of the addressee, intended
recipient, or agent, to someone employed or authorized or whose facili-
ties are used to forward the message to another place, to the police,
based on a warrant or court order or if inadvertantly found and appears
to relate to a crime plus a few other exceptions including to the rights
and property of the online provider, etc., etc. This section is aimed
at at punishing a bad provider. The recipient of private EMAIL cannot
be an offending party under this section. (Unless he helped the provi-
der out in committing the offense??? Naah, he would be giving the pro-
vider permission to look at his private EMAIL.) No application.
Previously, we also looked at 18 U.S.C. sec. 605, which dealt with
unauthorized publication. This is more of a transmission/intercept type
statute where the communications is on its way to its intended recipi-
ent. Someone along the communications line "receiving, assisting in
receiving, transmitting, or assisting in transmitting" the communica-
tions takes it and publishes it or uses it in an unauthorized fashion,
such as capturing and illegally decoding encrypted satellite cable
broadcasts or someone along an online network (INTERNET, OPUS, FIDO,
ARPA, etc.) snagging a private message off the line and making it pub-
lic. Our situation, here again, is after the communications has gone
through this situation and is now received by the intended recipient.
No application.
See, this is ridiculous.
Criminal Procedure
------------------
One general rule is that if you talk to someone, particularly a cop, you
take the risk of any confidential information you tell him will be dis-
closed to others. You take the risk of his testifying as to any admis-
sions you may make to him. This is all before an arrest so the 5th
Amendment right against self-incrimination does not vest yet and no
Miranda warnings are needed.
Most assuredly, one could see an analogy in a civil tattletail situa-
tion. Youse takes the risk with whatever private material you send to
another person.
Common Law
----------
If you remember the Public Disclosure of Private Facts discussion from
the previous messages on Thompson v. Predaina, well that's most likely
the only analysis that would fall into this category. The questions to
be asked here with regard to a recipient's public posting of private
messages he received from someone else are: (1) how private are the
facts; and (2) how socially acceptable or unacceptable are they to be
disclosed.
Copyright Law
-------------
We'll generally be looking at the old common law copyright law first.
Under the old common law copyright law, before the changes in federal
copyright law, you had a right known as "the right of first
publication."
Under the old federal copyright law, in order to secure federal
statutory copyright protection, you had to actually publish your work.
(Now, under the modern federal copyright, you have a copyright as soon
as you put something down on paper (or on disk, or in ram, etc.) and you
can secure your copyright protection (and get your ticket to sue in
court) by registering a copyright on an unpublished work.) Well, in the
old days, to protect your work before it was published, you had to turn
to the common law copyright. You could sue someone for usurping your
right to first publication of your previously unpublished work that the
other person stole and then published. This common law copyright
relates to the general right of a person to be let alone.
As applied to letters (hardcopy correspondence sent through the U.S.
Mail, for anyone who has forgotten :-) ), the rule was summarized by Sir
James Stephens in 1878:
A person who writes and sends a letter to another retains
his copyright in such letter, except in so far as the par-
ticular circumstances of the case may given a right to
publish such letter to the person addressed, ... but the
property in the material on which the letter is written
passes to the person to whom it is sent, so as to entitle
him to destroy or transfer it.
So, the sender owns the rights to the writing but the recipient owns the
material it is written on. How does that work in the electronic mag-
netic media of BBS's and online computer services? The application
seems that the BBS Sysop or the online service owns the disk media, of
course, and the sender owns the common law copyright in his writing.
What about the recipient? What does he get? Well, certainly he does
get the right to read the message that was sent to him.
But does the recipient get to post that private message publicly in an
open electronic conference or forum??
Well this is when we start talking about those two magic words in copy-
right: "FAIR USE."
So much has been said and written about fair use. A gross shorthand way
of determining whether something constitutes fair use or a copyright
infringement is generally based on the economic effect of the use. Is
there commercial exploitation, how minimal is any effect on the market,
how valuable or invaluable is the work, how much money is there to be
made or lost?
As an example, let's look at _Diamond_v._Am-Law_Publishing_Corp._, 745
F.2d 142 (2d Cir. 1984). There, a magazine, The American Lawyer,
received a nasty letter from a person who criticized one of its articles
that was written about that person. He said the magazine could publish
his letter, but only with limited permission: "You are authorized to
published this letter but only in its entirety." The magazine only pub-
lished excerpts, cutting out the part attacking the magazine and the
editor. The court there said that was fair use. There was little if
any money to made on a letter to the editor.
So, is there fair use here when someone publicly posts a messages he
received via private EMAIL? Well, yes, so it would seem. There may be
hard feelings and a lot of upset people, but they probably cannot suc-
ceed in suing you unless a lot of money is involved, such as in corpor-
ate insider information. Also, depending on the money involved, if any,
you would essentially have the same result under federal statutory copy-
right law.
Conclusion
----------
Sounds terrible doesn't it -- that once the "private" EMAIL messages you
send are received, you can't really protect your "privacy" rights in
them. You take the risk someone will disclose what you send to them to
the world. Fortunately, social morals and customs, as well as social
pressures, come in to save the day, for the most part, to temper or
cause one to stop doing such nasty things. That's what happened on
portal when the user there (in good taste, but after receiving some
nasty hate mail) stopped posting the private EMAIL he got from other
people and only posted his side of the "private" discussions.
CS-ID: #465.issues/legal@PRO-SOL 313 chars
Date: Fri, 1 Apr 88 09:25:15 PST
From: ruel (Ruel Hernandez)
Subject: Re: Online Privacy -- One Last Time (a little clarification)
Comment: to #464 by ruel
Just one clarification on the tort of Public Disclosure of Private
Facts. That generally deals with extremely personal facts that are
typically kept private to prevent social embarrassment, such as in
keeping it private within the family that Aunt so-and-so used to be in
the insane asylum. That sort of thing.
*****
CS-ID: #468.issues/legal@PRO-SOL 7153 chars
Date: Sat, 2 Apr 88 13:58:59 PST
From: ruel (Ruel Hernandez)
Subject: Privacy (just one more tidbit) -- Employer Monitoring
This is from RISKS DIGEST 6.23 (from sometime in February):
------------------------------
From: wolit@research.att.com
Date: Tue, 9 Feb 88 15:45 EST
Subject: OTA Report: The Electronic Supervisor
The U.S. Congress, Office of Technology Assessment recently released a
report on computer-based monitoring in the workplace entitled, "The
Electronic Supervisor: New Technology, New Tensions," OTA-CIT-333
(Washington, DC: U.S. Government Printing Office, September, 1987).
The following is from the Foreword:
"The Electronic Supervisor: New Technology, New Tensions"
deals with the use of computer-based technologies to measure
how fast or how accurately employees work. New computer-based
office systems are giving employers new ways to supervise job
performance and control employees' use of telephones, but such
systems are also controversial because they generate such
detailed information about the employees they monitor.
This assessment explores a broad range of questions related to
the use of new technology in the workplace and its effects on
privacy, civil liberties, and quality of working life.
The assessment reports six findings:
1. Computer technology makes possible the continuous
collection and analysis of management information
about work performance and equipment use. This
information is useful to managers in managing
resources, planning workloads, and reducing costs.
When it is applied to individual employees, however,
the intensity and continuousness of computer-based
monitoring raises questions about privacy, fairness,
and quality of work life.
2. Computer-based systems offer opportunities for
organizing work in new ways, as well as means of
monitoring it more intensively. Electronic monitoring
is most likely to raise opposition among workers when
it is imposed without worker participation, when
standards are perceived as unfair, or when performance
records are used punitively. Worker involvement in
design and implementation of monitoring programs can
result in greater acceptance by workers, but despite
activities of labor unions in some industries and
recent progress in labor-management cooperation in
others, most firms do not have mechanisms to do this.
3. There is reason to believe that electronically
monitoring the quantity or speed of work contributes
to stress and stress-related illness, although there
is still little research separating the effects of
monitoring from job design, equipment design,
lighting, machine pacing, and other potentially
stressful aspects of computer-based office work.
4. Monitoring the content of messages raises a different
set of issues. Some employers say that service
observation (listening to or recording the content of
employees' telephone conversations with customers)
helps assure quality and correctness of information
and by protecting all parties in case of dispute.
However, service observation also impacts the privacy
of the customer, and workers and labor organizations
have argued that it contributes to the stress of the
employee, and creates an atmosphere of distrust.
Monitoring the content of electronic mail messages or
personal computer (PC) diskettes also raises privacy
issues.
5. Telephone call accounting (computer-generated records
of the time, duration, destination, and cost of calls)
gives employers a powerful tool for managing the costs
of telephone systems. However, it raises privacy
questions when accounting records are used to track
calling habits of individuals. Other cost control
technologies can be used to limit nonbusiness uses of
telephones, either instead of or in addition to call
accounting. Establishing a policy for use of these
technologies will be especially important for the
Government as it builds a new Federal Telephone
System.
6. Electronic monitoring is only one of a range of
technologies used in today's workplace to gather
information about the work process or to predict work
quality based on personal characteristics of the
workers. Many applications of technology, including
polygraph testing, drug testing, genetic screening,
and, possibly, brain wave testing, illustrate the
tension between employers' rights to manage their
enterprise, reduce costs, and reduce liability, and
the employees' rights to preserve individual privacy
and autonomy. Recent concerns of employers, labor
unions, civil liberties groups, the courts, and
individual workers suggest that a range of workplace
privacy issues are in need of resolution.
A discussion of this report and this topic in general might be appropri-
ate for this newsgroup.
Jan Wolitzky, AT&T Bell Labs, Murray Hill, NJ; 201 582-2998; mhuxd!wolit
(Affiliation given for identification purposes only)
------------------------------
Note the fourth and the fifth findings.
The fourth finding, regarding "Monitoring the content of electronic mail
messages or personal computer (PC) diskettes also raises privacy
issues." This is what we have discussed already with regards to ECPA.
The fifth finding concerning "accounting records are used to track
calling habits of individuals [i.e., employees in the workplace]" is
much like the situation where an employer may have a "spy box" tracking
who made what call when, to what number (toll, long distance, or
preferrably local), and for how long.
In the criminal procedure context, there is generally no reasonable
expectation of privacy in such tracking information. It is much like
someone trailing another so long as the other person is out in "public."
There is no content to be examined, only names and numbers.
In the BBS situation, under ECPA, a Sysop could disclose information
about a user (except for communications and passwords) to any person
other than to the government. The Senate Report gives examples of
disclosures in "the normal course of business, such information as
customer lists and payments...." S. Rep. No. 541, 99th Cong., 2d
Sess. 38 reprinted in 1986 U.S. Code Cong. & Ad. News 3592. Therefore
there is no offense when a Sysop says so-and-so called this system on
such-and-such a date and at such-and-such a time. So, "who" lists and
previous login lists are okay. However, if the government wants the
information, they have to get a subpoena, or court order. Of course,
by personal obligation, promise, or contract, the Sysop may have taken
it upon himself to not make any non-governmental public disclosures.
Geez, I'm going to have to hunt that OTA report down. Other than that,
this should cover just about everything now regarding online privacy.
--------------------------------- end ----------------------------------