Computer Underground Digest Volume 2, Issue #2.04 (September 23, 1990)

---
Master Index Current Directory Index Go to SkepticTank Go to Human Rights activist Keith Henson Go to Scientology cult

Skeptic Tank!

**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 2, Issue #2.04 (September 23, 1990) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet) ARCHIVISTS: Bob Krause / Alex Smith USENET readers can currently receive CuD as alt.society.cu-digest. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. It is assumed that non-personal mail to the moderators may be reprinted, unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ CONTENTS: File 1: Moderators' Corner File 2: Re: Evidence (was Re: Musing on Constitutionality) File 3: Why the FBI should be concerned about the Secret Service File 4: California Computer Abuse Law revisited File 5: Candidate for state governor supports electronic freedom & privacy File 6: Review of Steven Levy's CLOAK AND DAGGER File 7: The CU in the News ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ---------------------------------------------------------------------- ******************************************************************** *** CuD #2.04, File 1 of 7: Moderator's corner *** ******************************************************************** Date: September 23, 1990 From: Moderators Subject: Moderators' Corner ++++++++++ In this file: 1. CuD SURVEY 2. CuD FORMAT 3. LEN ROSE UPDATE ++++++++++++++++++ CuD Survey About Ready ++++++++++++++++++ Bob Krause has the survey of CuD readers about ready to send. The earlier announcement of the survey received positive responses, so he will send it out directly from his site. The purpose is to find out who the readership is. The subscribers are overwhelmingly professional (computer scientists, journalists, academics), with the rest divided up among students, law enforcement or computer security, and the generally curious. The results will remain in-house, although Bob intends to use some of the data for a conference paper. +++++++++++++++++++ CuD Format +++++++++++++++++++ We have tried to format CuD in response to the various suggestions that have come to us since we began. Since we moved to the current "standard" format, we have received few suggestions and no complaints. Sometimes a reality check is wise, so if you have suggestions, let us know. We currently format at 75 characters per line, but reader who print it out before reading may prefer 65 characters, our own preference. We are wondering if there is any strong feeling on the format, one way or the other. ++++++++++++++++++++++++ LEN ROSE UPDATE ++++++++++++++++++++++++ Len Rose's trial is still scheduled for February. His situation, however, continues to cause problems. Although even by the least charitable assessment his crimes are not serious, the publicity and that "taint" makes it difficult for him to find employment, and he has no steady source of income whatsoever. His problems are complicated by the seizure of his possessions. He lost his equipment, and even if ultimately exonerated as Craig Neidorf was, the financial burden makes it impossible to support his wife and children. Strong arguments have been made in the past for hiring people with competent computer skills, especially those who possess expertise in the realm of computer security. Len has demonstrated his competence in the past as a programmer and as a consultant, and his skills would be an asset to any employer. CuD is not an employment bulletin, but there are times when those seeking employment should have an alternative forum to engage in their search, and we are willing to provide space on occasion to put potential employers in contact with candidates. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ To: EFF-NEWS@NETSYS.COM Subject: Re: Evidence (was Re: Musing on Constitutionality) Date: 14 Sep 90 03:35:56 GMT ******************************************************************** *** CuD #2.04: File 2 of 7: From the Mailbag *** ******************************************************************** +++++++++++++++++++++++++++++ We received the following from one of the more interesting newsnets around, and the author gave permission to reprint it. ++++++++++++++++++++++++++++++ I have always been amused at reading how the goons confiscate printers when they move in. How silly! Yet it got me thinking... If I were a computer criminal, I might just create a very special printer with a bank of non-volatile storage in it. Or, for that matter, just buy one of the modern printers you can get these days with 4 megs ram, etc. I would use that storage, normally, to keep all the stolen access codes, calling card numbers, and other incriminating data. Pretty easy, with the high speed link I have to my printer, to fetch the codes from it. (I would also have the machine erase stuff if disconnected improperly, keeping backups somewhere far away.) Or I could hide this info in little hidden places in all kinds of semi-smart or smart peripherals -- including some off the shelf. So if we fight (correctly) to stop them from confiscating everything, this may drive the real criminals to such tricks, which may lead to grander confiscation. I point this out -- I don't know if there's an answer. (Author's name deleted by request) ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: 22 Sep 90 04:02:57 GMT From: Anonymous Subject: Why the FBI should be concerned about the Secret Service ******************************************************************** *** CuD #2.04: File 3 of 7: The FBI and the Secret Service *** ******************************************************************** Rumors have it that the FBI is not very happy with the way the secret service is conducting investigations. According to the rumors, the FBI thinks it's hampering their own investigations and making it more difficult to go prosecute big time criminals. Here's the gist of the arguments. PROFESSIONALISM: When the FBI was investigating the nuPrometheus League's alleged involvement in theft and distribution of Apple Software, the people they visited had very different experiences than those the secret service visited. The FBI was, so it's said, was polite, courteous, and generally professional. They didn't try to act like they knew more than they did, and they didn't try to intimidate those they questioned. In a case related to Sun Devil, an FBI agent stopped by to just chat and discussed some of the tactics used by the secret service and didn't seem at all happy about either their methods or their competence. If one agency isn't professional, it makes people less willing to cooperate with members of other agencies when they come around. JURISDICTION: The FBI and secret service have jurisdiction over computer crimes under the 1986 federal law outline computer crimes. The FBI generally investigates crimes involving break-ins at government offices or military installations, or in which the government is the target. The secret service is involved with investigating crimes involving access devices, which generally means crimes employing a modem to get into other computers or rip-off telecom companies. There may be a jurisdictional fight going on, and the secret service may be trying to expand the scope of its activities. If successful, it means more visibility, more appropriations, more staff, and more glory. This might explain why there was so much initial publicity over the hacker busts this year and why they are go after relatively easy targets. RIGHTS: The FBI probably has far more experience in the subtleties of questioning than the secret service, and they are more likely to know the limits of what they can and can't do. The secret service, by contrast, has relatively young agents doing the investigation, and some of those responsible for the Sun Devil investigation who were in the field doing the searches are said to have as little as two or three years total experience and little field experience. Lacking an experienced agent-in-charge, it's more likely that rights will be violated by young agents who simply don't know any better. Most people don't distinguish between FBI and secret service, so if rights are violated all government agencies are tainted. The FBI has been criticized in the past for violation the rights of political groups in the 1960s and the 1970s, and has been caught violating the rights of groups sympathetic to Latin American countries the Reagan administration opposed in the 1980s. They don't need the aggravation of another agency renewing the issues of constitutional rights and further limiting the scope of their power to investigate. BACKLASH: If a backlash occurs against the secret service, the FBI will also feel it. If restrictions are placed on what agencies are allowed to do as a response to abuses, the FBI would itself become a victim of the secret service because of new laws and policies that restrict their powers. A backlash could also result in negative publicity that would reduce the dangers of serious computer crime by creating a "cry wolf" scenario in which so many non-threats were publicized that real threats would go unheeded. A final consequence of backlash could be reduction in appropriations for combating technological crimes. How can any agency expect to present a convincing argument that there are dangerous computer crooks out there when the experience with the secret service has an image of focusing on juvenile delinquents who abuse credit cards or is involved in publicized trials where the defendant has the charges dropped during a prosecutor's arguments? It's one thing for the secret service to wind up with egg on its face, but when they splatter other enforcement agencies and tarnish them as well it doesn't help those agencies. There are many sincere government agents who respect the law and individuals' rights. Let's keep in mind that, although prohibited from speaking out publicly, those agents and their agencies, whether investigators or other federal prosecutors, should be seen as upholders of law and not violators of it. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: 19 September, 1990 From: Moderators Subject: California Computer Abuse Law revisited ******************************************************************** *** CuD #2.04: File 4 of 7: California Computer Abuse Law *** ******************************************************************** In a previous issue of Computer underground Digest (1.17, File 5), the California revision of Title 13 Sections 502 and 502.7 was described as an example of the potential dangers in "cracking down" on computer hackers. Upper case indicates emphasis that we have added. Title 13 Sect. 502.7: "(a) A person who, knowingly, willfully, and with intent to defraud a person providing telephone or telegraph service, avoids or attempts to avoid, OR AIDS ABETS OR CAUSES ANOTHER TO AVOID the lawful charge, in whole or in part, for telephone or telegraph service by any of the following means is guilty of a misdemeanor or a felony, as provided in subdivision (f):" There follows a list of proscribed means, including charging to non-existence credit cards and tampering with telecom facilities, most of which seem reasonable. One, however, strikes us as potentially dangerous. 502.7 (b) states: "Any person who MAKES, POSSESSES, SELLS, GIVES, OR OTHERWISE TRANSFERS TO ANOTHER, OR OFFERS OR ADVERTISES ANY INSTRUMENT, APPARATUS, OR DEVICE WITH INTENT TO USE IT or with knowledge or reason to believe it is intended to be used to avoid any lawful telephone or telegraph toll charge or to conceal the existence or place of origin of destination of any telephone or telegraph message; or (2) sells, gives, or otherwise transfers to another, or advertises plans or instruments for making or assemblying an instrument, apparatus, or device described in paragraph (1) of this subdivision with knowledge or reason to believe that they MAY BE {emphasis added} used to make or assemble the instrument, apparatus, or device is guilty of a misdemeanor or a felony, as provided in subdivision (f)." The broad wording of this laws would make it illegal to possess information on "boxing" or to possess an autodialer. The problematic language here is "with knowledge or reason to believe it is intended to avoid. . .". We have seen from Operation Sun Devil that, contrary to normal Constitutional procedures, the burden of proof of innocence lies on the "suspect." A BBS operator who puts boxing files in a text section, knowing that some users might try to apply the knowledge illegally, could, under the current philosophy of the Secret Service and others, be indicted. This may seen a remote possibility, but we have seen from recent activity that we simply cannot rely on good faith interpretations of the law by some prosecutors, especially those willing to distort "evidence" to strengthen a case. Further, the term "may be" is unnecessarily vague. Generally, the term means "expressing ability, permission, freedom, possibility, contingency, chance, competence..." (Chambers 20th Century Dictionary, 1972: p. 811). An automobile dealer presumably knows that a customer "may" use a car in the commission of a crime, or "may" drive the car while intoxicated. Yet, it is absurd to consider holding the dealer criminally liable for the sale in the event the customer "may" be able to do so. Our point is that the language of this Bill seems unnecessarily restrictive and open to potential abuses by law enforcement agents, especially those willing to seek "test cases" to test the laws. Californians should write their legislators with their concerns in hopes that the language would be revised in a way that allows legitimate targeting of "real" computer criminals, but reduces the potential for using the law to persecute those for whom less stringent and more productive responses are appropriate. Just as chilling is subdivision (g) of this passage. The language in (g) specifies: Any instrument, apparatus, device, plans, instructions, or written publication described in subdivision (b) or (c) may be seized under warrant or incident to a lawful arrest, and, upon the conviction of a person for a violation of subdivision (a), (b), or (c), the instrument, apparatus, device, plans, instructions, or written publication may be destroyed as contraband by the sheriff of the county in which the person was convicted or turned over to the person providing telephone or telegraph service in the territory in which it was seized. This section seems reasonable to the extent that it specifies confiscation of an illegal "instrument" upon conviction. The problem, however, is the apparent tendency in some states to seize equipment even when indictments are not forthcoming. The wording would seem to offer incentives to agents to secure an arrest as a means to confiscate equipment, even if charges were subsequently dropped. Again, this may seem far-fetched, but the undeveloped state of computer law and the actions of prosecutors in early 1990 leave little room for confidence in good faith interpretation of the wording. Take an example: If a person were to be indicted for posession of an auto-dialer (which generally has but one purpose) pursuant to a search warrant for unrelated reasons, computer equipment could be confiscated. We have seen from the actions of agents that the definition of "equipment" is quite broad, and can include printers, modems, answering machines, or even books and pictures. If the person is convicted of possession, then the equipment could be lost. Again, "common sense," that sixth sense that tells us the world is flat, would tell us that such a possibility seems absurd. However, the zealousness of Sun Devil agents reduces the absurdity to the level of a "could be," and it is because of their actions that we are concerned with this wording. Title 13, Sect 502 (h) provides that: Any computer, computer system, computer network, or any software or data, owned by the defendant, which is used during the commission of any public offense described in this section any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of this section shall be subject to forfeiture. The chilling aspect of this passage is that is says nothing about conviction. Does "subject to forfeiture" mean that, even if found innocent, one could lose their equipment? A good faith reading suggests that the intent of the language at least implies that a conviction must occur. But, in reading the indictments of Craig Neidorf and Len Rose (neither from California), we should be cautious before assuming that prosecutors will not resort to creative interpretations to file an indictment. We should also be aware that at least one California prosecutor has published statements advocating an aggressive enforcement policy against "hackers" and has advocated responses that he acknowledges are probably unconstitutional. Given the broad interpretation of the law, and considering how companies such as BellSouth have grossly inflated the value of products (such as in the Neidorf case, in which information available for $13 was valued, according to the first indictment, at $79,449, and in the second indictment reduced to $23,900). Given their public statements in the media and the hyperbole of indictments, we cannot assume "good faith" prosecution by law enforcement, and the language of the California Act seems wide open for abuse. Our purpose is not simply to criticize this law, but to use it as an icon for other state and federal law. Some states are revising their laws, and it is crucial that computerists be aware of, and offer input into, their wording to assure that legitimate enforcement needs are met and potential for abuse or misuse removed. There must be a balance, and without public input such a balance is unlikely. We find Jim Warren's article (File 5, following) significant. It suggests that computerists introduce this as an issue in political campaigns as a means of educating both the public and the politicians. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: Wed, 19 Sep 90 15:23:16 pdt From: well!jwarren@APPLE.COM(Jim Warren) Subject: Candidate for state governor supports electronic freedom & privacy ******************************************************************** *** CuD #2.04: File 5 of 7: Legal Changes / Electoral Processes *** ******************************************************************** [Please post & circulate] +++++++++++++++++++++++++++++++++++++ GUBERNATORIAL CANDIDATE SUPPORTS ELECTRONIC FREEDOM & PRIVACY Folks, we have a good chance of having a **State Governor** who (a) understands and favors technology, and -- more important -- (b) has signed and released the following statement (I just received a signed, dated copy by fax; I will fax it to anyone who requests it). -- Jim Warren, 9/16/90 [jwarren@well.sf.ca.us, or 415-851-7075/voice] +++++++++++++++++++++++++++++++++++++++++++ STATEMENT BY JIM GALLAWAY, CANDIDATE FOR GOVERNOR OF NEVADA I am the Republican candidate for Governor of the State of Nevada. I have been in the private telecomm industry for most of 20 years, and have been a principal in several telecomm and computer start-ups. I understand, support, and have practiced technological innovation. My wife and I have known Jim Warren for well over a decade. He has outlined some of the current issues about which owners and users of systems for e-mail, BBS, teleconferencing, electronic publishing and personal computing are deeply concerned. These are my positions, relative to some of the recent law enforcement practices by some government agents: 1. Government responses to alleged misdemeanors and crimes must be no more than comparable to the seriousness of the wrong-doings. 2. Simple electronic trespass without harm must be treated as any other simple trespass. It does not justify armed raids on teenagers, forced entry of private homes, nor seizure of telephone handsets, answering machines, computer printers, published documentation, audio tapes and the like. 3. The notion that equipment can be "arrested" and held inaccessible to its owner, without promptly charging the owner with a crime, is absolutely unacceptable. The practice of holding seized equipment and data for months or years is a serious penalty that must be imposed only by a court of law and only after a fair and public hearing and judicial finding of guilt. 4. Teleconferencing and BBS systems must have the same protections against suppression, prior restraint, search or seizure as do newspapers, printing presses and public meeting places. 5. The contents of electronic-mail and of confidential or closed teleconferencing exchanges must have the same protections against surveillance or seizure as does First Class Mail in a U.S. Post Office, and private discussions among a group in a home or boardroom. As Governor of the State of Nevada I will vigorously support all of these positions -- both statewide and nationally. /s/ Jim Gallaway, candidate for the Governor of Nevada [dated] 9/16/90 ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: 22 September, 1990 From: Gordon Meyer Subject: Review of Steven Levy's CLOAK AND DAGGER ******************************************************************** *** CuD #2.04: File 6 of 7: Review of Levy's Cloak and Dagger *** ******************************************************************** CuD Synopsis "Code and Dagger" by Steven Levy The Iconoclast, MacWorld 9/90 p69-80 Summary by Gordon Meyer ------------------------ In the spring of 1988 a group using the name "The nuPrometheus League (Software Artists for Information Dissemination)" mailed unmarked computer disks to several prominent computer industry journalists and authors. These disks contained Apple Computer source code to the Color Quick Draw routines used in the Macintosh operating system. One year later the author, Steven Levy, reports that he recently received a series of phone calls from an FBI agent investigating the case. Levy's column ("The Iconoclast") in the September 1990 issue of MacWorld paints an interesting story about the investigation, much of it mirroring the issues raised by the Secret Service's "Operation Sun devil" and other computer crime investigations. In his article Levy tells of the Agent repeatedly questioning him about nuPrometheus, despite Levy's denials of have any real knowledge of the matter. The agent appeared to be reading the questions of a list, without any real understanding of the answers he was receiving. Two weeks later Levy received a call from a different agent and when this agent was queried how he came to be questioning the author the reply was "Somehow your name came up". When asked why the FBI was pursuing the case one year later, despite the fact that no other nuPrometheus activity had occurred since the original incident, the answer was that this was a significant case of Interstate Transportation of Stolen Property and could be equated with the theft of a national secret. For, the agent explained, if a spy were to come by this code he could use to break into the Macintosh computer and steal the secrets within! Levy reports that others have been interviewed in conjunction with the case as well. One, Mitch Kapor, described his interview as being almost surrealistic and profoundly disturbing. Levy quotes Kapor as saying: "It seemed obvious to me they didn't have a clear sense of the technology - there was such a lack of understanding that the effort to investigate wouldn't bear fruit. They were lost in cyberspace." Others who were interviewed report similar experiences. John Perry Barlow was told that the annual Hacker's Conference (a yearly meeting of highly-skilled computer programmers) was actually a gathering of computer outlaws. Grady Ward, a former Apple programmer, was told that the stolen source codes was filtering back to Communist enemies (via Toshiba electronics). Levy, attempting to tip the scales of discourse back towards more rational thought, writes: "That (the claim that this is a case of interstate theft) may be the legal charge, but the theft of source code involved in nuPrometheus is quite a different matter from hijacking a truck or robbing a bank. Software is a much trickier object than swag or money - it can move in elusive ways, and therefore access to protected software is a technically complicated matter. And the problem of the criminal's motive requires an even deeper understanding. In order to understand and ultimately apprehend the perpetrator, one must realize that this particular crime seems motivated not by greed or maliciousness, but by a peculiar attitude toward technology in general and the role of Apply Computer in particular." ... "One has to feel some sympathy for the agents here - it's a terrible burden to have to solve this rather bizarre ideological crime without being steeped in the lore of Silicon Valley." (p.74) CuD readers will immediately recognize the similarities between this investigation and those associated with Operation sun devil. In both instances the investigators have constructed a list of suspects based on associations with "suspected hackers" and have defined cultural and socially normative activities as "conspiratorial" or "criminal" without regard for other, less accusatory, interpretations that could apply. The nuPrometheus investigation has resulted, thus far, in at least three people being directly accused of the crime, but (like in the sun devil cases) no formal charges have been filed. One suspect, Grady Ward, was told by an agent "we know you did it" and is evidently considered a suspect because he's one of five likeliest Apple employees that had requested access to the source code shortly before it fell into the hands of nuPrometheus. The feds consider him a suspect because "He had since left Apple, he had attended a liberal arts college, and had once formed an intellectual society called Cincinnatus, thus betraying the same fondness for antiquity shown by the name nuPrometheus." (p.76) Ward admits having had the source code at one time, but it was part of his job to have it, and besides, he says, it was distributed to hundreds of people in the project group via Internet. In his article Levy poses several questions concerning this investigation. One of which, he says, is why the FBI is spending it's resources to follow this case rather than chasing the white-collar thieves who sacked the country for a trillion dollars in the Savings-and-Loan fiasco. After all, he notes, Apple has managed to stay in business despite the theft of the code, and nuPrometheus has not followed up on their promise to release other inside information. Levy goes on to suggest that some in Silicon Valley believe that Apple, perhaps via it's security firm (Kroll Associates, believed to have a number of former federal agents on staff), has pressured the FBI into pursuing the case. Again, this sounds quite similar to the "Phrack - E911" case where it has been conjectured that Bell South persuaded the Government to pursue a case that could not be won. Levy concludes by suggesting that we may not have heard the least of the nuPrometheus investigation. Stephen Satchell, a computer writer in Reno, told Levy that the FBI agent who interviewed him had a list of potential interviewees that numbered around 60 people, in 39 states. Levy leaves us with one final question. "... when does an investigation become a witch-hunt?" It's a question that CU followers have heard before. --------- GRM Internet: 72307.1502@Compuserve.com Moderators Note: CuD-ites are encouraged to see Levy's full article in MacWorld. Like his work _Hackers_, Mr. Levy consistently produces entertaining and thought-provoking articles. END ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: 23 September, 1990 From: Various Contributors Subject: The CU in the News ******************************************************************** *** CuD #2.04: File 7 of 7: The CU in the News *** ******************************************************************** "Justice Department Computer Security Questioned" The General Accounting Office (GAO) has issued a report criticizing the Justice Department (DOJ) for failing to have a management system in place to secure its highly sensitive computer systems and has concluded that classified files were at risk. The report concludes that immediate action is required to correct security weaknesses at the main Justice Department data center and in computer systems used by DOJ litigating organizations. The report found several security weaknesses at DOJ's new data center in Rockville, MD, a site leased by DOJ from Control Data Corp. for 17 years. According to GAO, there are "numerous uncontrolled entrances...through which individuals could easily remove sensitive data." In addition, the report is critical of DOJ's lack of contingency plans for emergencies at the center and has not conducted a complete risk assessment that takes into account possible adverse actions by disgruntled employees. Copies of the report, entitled "Justice Automation: Tighter Computer Security Needed" may be obtainable from the GAO (202/225-6241). The report is GAO/IMTEC-90-69 and is dated July 30, 1990. ------------------------------ TRENTON, N.J. (UPI) -- Assembly Speaker Joseph Doria said Monday he was concerned by news that an alleged Republican break-in of Democratic computer files took place with the knowledge of the GOP's highest-ranking staff member. Doria, D-Hudson, said he had instructed all Assembly members and staff with knowledge of the ``hacking'' incident to turn their information over to Attorney General Robert Del Tufo, who is investigating the repeated break-ins. John Kohler, executive director of the GOP Assembly staff, resigned Friday admitting he had been aware of the activities of Jeffrey Land, a low-level staffer who reportedly broke into Democrats' files in the legislative computer system and discovered that Democrats had used the state-owned computer for political work. State law bars use of state equipment for political work or doing political work on state time. Previous to Kohler's resignation, however, top lawmakers had dismissed the break-ins as a computer hacker's prank. ------------------------------ "Think that Computer Message you just sent was Secret? Think Again" By Bart Ziegler Associated Press +++++++++++++++++ NEW YORK -- Next time you push that button on your computer to send a co-worker a racy electronic mail message about the boss, think twice. Someone may be reading your mail. Every day, millions of computer users send electronic messages to fellow employees, supervisors, clients and friends. Many assume these computer-to-computer electronic mail systems -- the postal system of the Information Age -- are confidential. But a recent lawsuit challenges that notion. The class action contends a California company spied on employees for months by monitoring thousands of their electronic messages. The lawsuit, filed last month by several employees again Epson America Inc. of Torrance, Calif., claims the company's computer operations manager made printed copies of electronic mail sent and received by 700 Epson workers. The suit claims such snooping violates a state wiretap law. Epson, a Japanese-owned company that sells personal computers, calls the lawsuit unfounded. "It is clearly not the policy of Epson to indiscriminately read electronic mail," said spokesman Scot Edwards. He declined to comment on the suit's specific allegations. The lawsuit is an example of a growing privacy debate surrounding "E-mail," which has mushroomed in popularity during the past decade with the growth in personal computers. Among other cases: o The mayor of Colorado Springs, Colo., caused a stir this year when it was discovered he had been reading printouts of electronic messages that City Council members had sent each other in confidence. o The Iran-Contra affair unraveled partly because investigators discovered electronic messages sent by L. Col. Oliver North and supporters. The North team didn't realize that every message was stored on computer tape. Computer experts say some E-mail systems automatically destroy electronic messages once they are read. Others keep a copy. But even systems that erase old messages aren't safe from snoops. In most systems, computer room operators can rea messages that haven't yet been opened by recipients, said Mike Zisman, president of SoftSwitch Inc., a Wayne, Pa., company that helps corporations link E-mail systems. "When you send a message, most people think it's as private as sending it through the U.S. Postal System. But in some companies it can be as private as writing it on the bathroom wall," said David Atlas, an E-Mail analyst at International Data Corp., a research firm. Atlas said he knows of another suit similar to the Epson class action, as well as employees at two other companies who are considering their own lawsuits, but he declined to identify them. Few employers have explicit policies on the use and privacy of E-Mail, said Walter Ulrich, an office automation specialist at the consulting firm Arthur D. Little Inc. "That's an area where companies should give guidance to employees," said Ulrich, who estimates that there are 10 million E-Mail users in North America. Ulrich recommended companies state they will not snoop in E-Mail systems unless they believe users are using them illegally or abusively. But he doesn't think companies should be barred outright from reading E-Mail, since the companies own the systems. The American Civil Liberties Union takes a stronger stance. It believes federal privacy safeguards are needed to prevent employers from eavesdropping on employees' personal affairs that happen to be contained in computer files. "There's virtually no law that would stop any employer from systematically reading al of the computerized information of any of their employees," said Lewis Maltby, coordinator of the ACLU's National Task Force on Civil Liberties in the World Place. Federal laws that bar wiretapping don't apply to computer systems, Maltby said. ******************************************************************** ------------------------------ **END OF CuD #2.04** ********************************************************************

---

E-Mail Fredric L. Rice / The Skeptic Tank