Sysop Liability for Enroute andor Encrypted Mail Mike Riddle 128527 The following article

Master Index Current Directory Index Go to SkepticTank Go to Human Rights activist Keith Henson Go to Scientology cult

Skeptic Tank!

* Sysop Liability for Enroute (and/or Encrypted) Mail Mike Riddle 1:285/27 [The following article is under submission. Reproduction on computer bulletin boards is permitted for informational purposes only, provid- ing that it remains intact with copy right notice and disclaimer. Copyright (c) 1993 by Michael H. Riddle All other rights reserved.] SYSOP LIABILITY FOR ENROUTE (AND/OR ENCRYPTED) MAIL Recently email systems in general, and Fidonet in particular, have seen a great deal of debate about the potential liability of sysops for material entered on or passing through their systems. This article attempts to discuss the laws, legal issues, and court deci- sions known to bear on the subject. While the law is unsettled on the liability of sysops for netmail on their systems, enroute or otherwise, any liability attaches regardless of enroute or encrypted status. Since liability, if any, increases with actual sysop knowledge of the contents, encryption will not increase any sysop liability and may, in fact, diminish it. FACTS Many individuals operate computer bulletin boards as a hobby. Many of those bulletin boards (BBSes) are members of one or more networks, passing messages in a store-and-forward manner using the public switched telecommunications network. Many of those sysops have their BBSes configured to allow private electronic mail to be routed through their systems, either as a service to their users or as a requirement of their membership and status in the network. Traditionally, such "private" mail was stored on the system in a form that is readable by the persons or entities operating the system. Depending on the configuration and software involved, such private mail might be easily read, or might be read only if a deliberate attempt to do so was made, but in any event was available in ASCII format at some point, and/or was stored using one of many compression schemes that could be read by anyone with the proper software. As a result of relatively recent technological developments, individu- als now have the capability to encrypt data using their personal computers, without using extraordinary amounts of time. Public key cryptography systems, such as PEM or PGP, have been publicly released and are seeing increasing use. The obvious result has been the use of encryption for the contents of routed mail packets. For perhaps the first time, sysops who route mail have started inquiring about their liability for such mail, since the perception of safety that came from a technical ability to read the mail is not present with encrypted mail. CRIMINAL LAW Sysops providing "private" mail service operate under the terms and limitations of the Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. ss 2510 et seq.). This section will, of necessity, be somewhat "legalese." I've tried to make it as readable as possible and still discuss the technical (in a legal sense) points that ought to matter to sysops investigating their legal status. Whether or not the ECPA appears to allow providers of "electronic" (as opposed to "wire") communications the legal ability to monitor the messages on their systems is a matter of some dispute. The best answer is that the law on the subject is unclear. From the act: "'wire communication' means any aural transfer ...." 18 USC 2510 (1). On the other hand, "'electronic communication' means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature...." 18 USC 2510 (12). "It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire *or electronic* [Note 1: see discussion below] communication service, whose facilities are used in the trans- mission of a wire [Note 2: see discussion below] communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks." 18 USC section 2510(2)(a)(i) (emphasis added). One of the drafters of the act has indicated that the exception limiting "wire," but not "electronic," communication stems from the drafters' knowledge of the state of the art at that time; however, the distinction is present in the law. From this two arguments can be (and have been) made. First, that by prohibiting only providers of "wire" communications from service observing or random monitoring, the drafters did not intend "elec- tronic" communications to be subject to the same restrictions and that service observing or random monitoring of electronic communications are not prohibited. But the counter-argument is that while the law exempts "providers of wire or electronic communication service, whose facilities are used in the transmission of a ... communication, the exemption does not specifically allow for "electronic" communications, only wire. There is an internal inconsistency caused by the failure either to omit the two words *or electronic* [Note 1] or to include them [Note 2] in section 2511(2)(a) at the points indicated by my insertion of [see discussion below]. One of the drafters of the ECPA recently commented that the legisla- tive history supports the position that electronic communications were exempted from the act's general prohibitions; that is, the drafters intended to place special protections on voice, normally telephone, communications while allowing real-time monitoring of electronic communications as defined by the act. It now seems clear to me that there is a glitch in ECPA with regard to real time access for security purposes to elec- tronic messages. 2511(2)(a) was supposed to allow monitor- ing of electronic communications for security purposes by the sysop -- the legislative history makes that clear and distinguishes monitoring of voice which is more limited. But the amendments failed, for technical reasons, to add "and electronic communications" after the single reference to "wire" -- so that the literal text now appears to read to allow this type of security- based monitoring only with regard to wire communications. There are some other argu- ments [that would allow it]--but none is as bullet proof as the section would have been if it had been written as I think all intended. This ambiguity is what led to the Department of Justice recommendation that system administrators at government computer sites place explicit disclaimers at logon, warning that keystroke monitoring or service observation might be used, if they thought they would ever want to use this technique. The above discussion applies primarily to real-time monitoring. In the only known decision construing the ECPA, the distinction between "interception" (i.e., real-time monitoring) and "access to stored communications" was essential to the holding that no "interception" had taken place. Steve Jackson Games, Inc., v. U.S. Secret Service, 816 F. Supp. 432 (W.D. Tex. 1993). However, due to the nature of store-and-forward mail, the mail remains in storage for some period, and it is clear that the sysops legally have access to the material in storage. However, sysops are limited in what they can do with their knowledge, if any, of the mail in storage. With some limited excep- tions, they may only disclose it to the sender or to the intended recipient. They are required to disclose it pursuant to court orders and subpoenas, but the ECPA gives particular instructions on how such are to be obtained. And the sysops *may*, with respect to stored communications, disclose the contents to a law enforcement agency if the contents were *inadvertently* obtained *and* appear to involve the commission of a crime. 18 USC 2702 (b)(6). The sysop also may disclose the contents of a communication "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service." 18 USC 2702(b)(5). Deleting any mail that does not comply with the sysop's ideas of propriety or appropriateness is *not* specifically autho- rized. CIVIL LAW The ECPA also provides for civil remedies by the person aggrieved by an illegal disclosure of the contents of a private message. 18 U.S.C. 2707 et seq. Over and above those limitations, the civil laws of forfeiture gener- ally allow the government (state or federal) to seize property for which probable cause exists to believe is the instrumentality of a crime, and the lawful owner may attempt to recover in a civil action. The burden of proof is upon the person claiming the interest in the property to prove the property was *not* the instrumentality of a crime. ANALYSIS Many sysops post some kind of disclaimer, either as a bulletin or as part of a service contract, formal or implied, that no "private" mail exists on their system. A threshold question is "what is 'private mail' for the purpose of the ECPA or any other law or civil action?" Notwithstanding any bulletin or disclaimer, almost all mail software asks or treats some messages as "private." In the Fidonet protocols, there is a defined bit in the message which gives the privacy status, thus giving rise to an expectation of privacy. Also, netmail is generally readable only by the sender, intended recipient, and the sysops involved. Interestingly, the law does not protect "private" messages. It protects *any* message that is "not public," in the words of the law, any message not "readily accessible to the general public." "'Readily accessible to the general public' means...that such communication is not (A) scrambled or encrypted; [or] (B) transmitted using modulation techniques whose essential parameters have been withheld from the public with the intention of preserving the privacy of such communica- tion...." 18 U.S.C. 2510(16). This protection would, in my opinion, include all "netmail" or "email," notwithstanding any disclaimers that "we don't have private mail." The existence of areas for public discussion, using most of the "bandwidth" of hobby BBSes, obscures the fact that the basis of the system, be it Fidonet or Internet, is electronic mail. To refer again to the ECPA: "A person or entity providing electronic communi- cation service to the public may divulge the contents of any such communication... (i) as otherwise authorized in section 2511(2)(a) [readily accessible to the general public], (ii) with the lawful consent of the originator or any addressee or intended recipient of such communication; [or] (iii) to a person employed or authorized, or whose facilities are used, to forward such communication to its destination.... 18 U.S.C. 2511(3)(b). Thus, except for messages in public discussion areas, all communi- cations stored on a BBS (that is, netmail or email) are protected, the nature of the software raising an expectation of privacy and that privacy being protected by law. Note that exception (iii) covers forwarding routed mail to the next link in the process. A thorough reading of the ECPA reveals no requirement for a sysop to voluntarily disclose the contents of a message to anybody. The law does, as noted above, allow such disclosures under limited circum- stances. What then are the sources of liability for sysops for messages stored on their systems? In the area of criminal law, liability might attach as a conspirator, co-conspirator, accessory or accomplice. Note, however, that a "mens rea," a criminal intent, is generally required for criminal liability. In the area of civil forfeitures, the mere fact that probable cause existed to believe the system was an instrumentality of a crime is all that is required for the seizure; however, as a practical matter, seizures seem almost always to occur when there is probable cause (as seen by the judicial system) to believe the owner is guilty of some- thing. How might a sysop protect themselves? First, note that disclosure to law enforcement requires that the contents be inadvertently obtained. An argument might exist that disclosure to law enforcement is also allowed by the language that the sysop may disclose the contents of a communication "as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provid- er of that service," 18 USC 2702(b)(5). The fact exists, however, that the statute in other places specifically says the contents must be inadvertently obtained to allow disclosure to law enforcement. As a practical matter it might not matter, but one argument might be that the sysop should *not* routinely monitor the contents, since disclo- sure to law enforcement is only specifically authorized when knowledge is inadvertent. The argument can be made that, with respect to netmail, routed, direct or crash, BBSes look most like common carriers, and therefore are, or should be, exempt from liability for their contents. This argument is strengthened when the BBS routinely gives access to routed netmail to all users, or to any user who asks for it. This is because a true common carrier has an obligation to handle traffic for anyone who meets the requirements of the tariffs. Conversely, the BBS looks less like a common carrier if relatively few users can access netmail. If routed mail is added into the equation, the BBS begins to look more like a relay point in a common carrier scheme when it grants relay privileges to more and more other systems. Note that in Cubby v. Compuserve, 776 F. Supp. 135 (S.D.N.Y. 1991), the court held Compuserve not liable for material on their system unless they were shown to have actual knowledge and did not take appropriate action. The court found them to be like booksellers, who are similarly immune unless actual knowledge is shown. If sysops make a practice, or state as their practice, the routine viewing of all material on their system, the qualified immunity they arguably have is destroyed. ENCRYPTION (finally) Note that whether or not the message was encrypted did not figure in any of the above analysis, except that there is a reasonable presump- tion that if it were encrypted it was not "readily accessible to the general public." As applied to PEM and PGP, this would, it seems, exclude "signed" mail as long as it was not "encrypted" as well. When considering the impact of encryption, we must note that normally for criminal law to attach, knowledge (intent) is a prerequisite. For seizure, there must at least be probable cause that the system was used in the planning or commission of a crime. In either of those cases, with respect to the sysop, encrypted messages tend to disprove the elements: you can't show knowledge if the sysop can't read the traffic, and you can't prove the system was used in a crime if you can't read the traffic. Law enforcement might be able to show the encrypted contents were illegal if they could obtain the decrypted messages and trace back the route; however, if a system ran in "pass-through" mode there would at least be a question of proving the system was actually used. If the system ran in toss and rescan, and if the message hadn't deleted due to age or number of messages, then you could show the message was on the system. But you still couldn't show the sysops had knowledge, making it less likely they would be perceived as somehow "guilty" of something. This last point is enhanced if it can be shown that the system routinely routed mail for any and all parties. CONCLUSION The question of sysop liability for messages stored on or passing through their system is unsettled. Sysop liability might attach as part of a criminal act, but knowledge is required and the fact of encryption would, when the sysop could not read the message, tend to disprove knowledge. Liability might attach in the form of civil forfeiture, but again lack of knowledge makes the sysop appear less "blameworthy." While guilt is not an element of civil forfeiture, the conventional wisdom is that forfeiture is only used when guilt of some kind has attached, at least in the mind of law enforcement, to the owner of the property. The more a sysop and system look like a common carrier, handling traffic without knowledge of the contents, the less likely they are to be subject to some sort of liability for their actions. Finally, the use of public key encryption does not appear increase their liability, and might in some circumstances decrease it. For the reasons stated above, it is my conclusion that systems routing mail should use pass-through where available, and should specifically allow, and even encourage, the use of public key encryption as a measure to limit their liability in case they are used in some ques- tionable manner. [The author is an attorney licensed to practice in the state and federal courts of Nebraska. While he has studied the issues fairly extensively, the comments apply generally to persons within the United States and he is not giving legal advice to any particular person. Finally, this memorandum does not address International Traffic in Arms Regulations (ITAR) (22 CFR 120 ff) applicable to the export and/or import of cryptographic software. No one should rely upon the following without consulting their own attorney for advice on their particular question or problem.]


E-Mail Fredric L. Rice / The Skeptic Tank