--- Following message extracted from SYSOP18 @ 1:374/14 ---
    By Christopher Baker on Thu Jul 21 01:23:11 1994

From: Michael Hess
To: Floyd Drennon
Date: 19 Jul 94 20:03:00
Subj: Final word on BBS's and the ECPA 1/2

Floyd Drennon requested a closed session to tell Michael Hess:

FD> Hi Michael,

FD> 15 Jul 94, 18:00, Michael Hess wrote to Paul Nebeling:

MH>> attorney in your specific area for a legal opinion. I did. That's how
MH>> I got my opinion. From several attorneys.

FD> And for everyone you find to support your position, someone else can find
FD> another who will say exactly the opposite. Bottom line - there hasn't
FD> been a definitive case concerning a hobbyist board so any advice you
FD> receive at this point will be the unfounded opinion of the person
FD> providing it.

Here is my .02 cents worth that cost me about $20.00 today to compile. I'm sure after reading it you and others may have a different outlook when trying to deny that the ECPA of 1986 has no application:

AMATEUR BBS NETWORK APPLICATION OF THE ELECTRONIC
COMMUNICATIONS PRIVACY ACT OF 1986: BOON OR BANE?
=================================================
By Michael Hess, copyright 1994

9:05 a.m. July 19th, 1994

FEDERAL INFORMATION CENTER......................(800) 726-4995

Notes: Has no information or referral about ECPA 1986.

===

9:12 a.m.

FEDERAL COMMUNICATIONS COMMISSION...............(202) 418-0200
(PUBLIC AFFAIRS)
1919 M St. NW
Washington DC 20554

Notes: Has no idea what the ECPA 1986 is. So I looked in my trusty database and called the:

===

9:20 a.m.

NATIONAL CRIMINAL JUSTICE REFERENCE SERVICE
BOX 6000
ROCKVILLE, MD.........................(301) 251-5500

Notes: Central clearinghouse for information on law enforcement and criminal justice. Publishes bulletins and reports, provides computer searches. One relevant reference: End Run Around the Fourth Amendment; Why Roving Surveillance Order is Un-Constitutional. 1990, Vol. 28 1990 American Criminal Justice pp. 143-160.
Database only reaches up to 1990, no reference to Jackson Games v. Secret Service 1990 as of yet. Referred me to the:

===

9:35 a.m.

FLORIDA DEPARTMENT of LAW ENFORCEMENT, COMPUTER CRIME DIVISION
contact: Jeff Herig.............................(904) 922-0739

Notes: Jeff could only offer a personal opinion. He wonders why in the world folks in an amateur network would think their policy would negate federal law? His opinion is if a reasonable expectation of privacy exists then a communication would be covered by the ECPA. This would include private sysop comment areas, sysop mail areas, any communication that is not readily accessible to the public.

As an aside, many of the training sessions that Jeff attends make repeated reference to the Steve Jackson Games case. The training sessions make it clear that electronic mail IS protected by the Electronic Communications Privacy Act of 1986 and that investigators are to keep the ECPA and particulars of the Steve Jackson Games case firmly in mind when investigating a BBS. Then referred me to the:

===

11:03 a.m.

UNITED STATES DEPARTMENT of JUSTICE, COMPUTER CRIMES DIVISION
Dan Schneider...................................(202) 514-1026

Notes: Dan could not give specific advice either. However, he made it clear that a company, group, or amateur policy can NOT supersede or negate federal law. He took notes and is checking with his superior and will get back to me.

===

11:25 a.m.

While I'm waiting let's see what we have learned so far and how we can apply it. The test keeps coming back to expectation of privacy and the Fourth Amendment. For instance, our local Net 375 1.10 policy states:

"...fraternization. This conference (SYSOP375) is to be kept private; only the sysop and co-sysop may have read or read/write access to it. There are many other local..."

It would seem that there may be a reasonable expectation of privacy at the local level. Does the policy above this (Region 18 1.06 policy) negate this at a regional level?
This policy states:

8. Local Net Policies

"It is the responsibility of each net to determine the method of selecting coordinators for that net. Nets are encouraged to formulate local policies describing the method and (if appropriate) the timing of this process, as well as any other local procedural issues deemed appropriate by the net membership. No local net policy may conflict with existing policies at the region, zone or interzone level..."

It appears that at least in one section of the regional policy that a local net policy defers to the zone or interzone level, no other search appears necessary. The relevant section in International FidoNet 4.07 policy is as follows:

2.1.6 Private Netmail

"...The word "private" should be used with great care, especially with users of a BBS. Some countries have laws which deal with "private mail", and it should be made clear that the word "private" does not imply that no person other than the recipient can read messages. Sysops who cannot provide this distinction should consider not offering users the option of "private mail..."

Today's BBS software has many improved features, especially in security and mail handling ability. Many sysops participate in sysop only message conferences. The exclusion of the general user public is accomplished by security levels or other means through the software package. Many systems also use email software as a "front end" that may handle the reading of a sysop only area [or use a third piece of software, a "sysop editor"] or other private conferences without ever passing these to the BBS software that offers public areas.

..."If a user sends a "private message", the user has no control over the number of intermediate systems through which that message is routed.
A sysop who sends a message to another sysop can control this aspect by sending the message direct to the recipient's system, thus guaranteeing that only the recipient or another individual to whom that sysop has given authorization can read the message. Thus, a sysop may have different expectations than a casual user..."

International FidoNet policy further points out however that a "sysop may have different expectations than a casual user." It would seem on the face of it that a sysop in Net 375 would have a reasonable expectation of privacy based on three written organizational policies and indeed the Fourth Amendment and the ECPA.

Would the level of reasonable expectation of privacy diminish when applied to a closed or restricted message conference on a regional or North American scale? It does not seem so based on the volume of email in administrative conferences when the question of opening them to the general public arises. Thus it can be deduced that for a sysop, whether at a local, regional or North American level at the least, the technology does indeed exist and is in general use to exclude the general user public from access to certain message conferences.

2.1.6.1 No Disclosure of in-transit mail

"...Disclosing or in any way using information contained in private netmail traffic not addressed to you or written by you is considered annoying behavior, unless the traffic has been released by the author or the recipient as a part of a formal policy complaint. This does not apply to echomail which is by definition a broadcast medium, and where private mail is often used to keep a sysop-only area restricted..."

International FidoNet policy makes three important distinctions in the above. Disclosing private netmail when you are not the intended recipient or the recipient's authorized agent is prohibited and well within [at least] US law.
Secondly, "echomail" is excluded from the "no disclosure" clause with a dubious caveat that "private mail" in a sysop only message conference is also exempt. This again, at least in the US, brings up the Fourth Amendment. If a person can show a reasonable expectation of privacy, and further show that that privacy was breached, they may have a reasonable expectation of redress.

Excerpts from Jackson Games v. Secret Service bear this out:

"...The Secret Service denies that its personnel or its delegates read the private electronic communications stored in the seized materials and specifically allege that this information was reviewed by use of key search words only. Additionally, the Secret Service denies the deletion of any information seized with two exceptions of "sensitive" or "illegal" information, the deletion of which was consented to by Steve Jackson. However, the preponderance of the evidence, including common sense 5, establishes that the Secret Service personnel or its delegates did read all electronic communications seized and did delete certain information and communications in addition to the two documents admitted deleted. The deletions by the Secret Service, other than the two documents consented to by Steve Jackson, were done without consent and cannot be justified..."

Judge Sparks makes it clear that reading and deleting electronic communications "cannot be justified."

"...Elizabeth McCoy, Walter Milliken and Steffan O'Sullivan also allege compensatory damages. These Plaintiffs all had stored electronic communications, or E-mail, on the Illuminati bulletin board at the time of seizure. All three of these Plaintiffs testified that they had public and private communications in storage at the time of the seizure. Steve Jackson, Elizabeth McCoy, Walter Milliken and Steffan O'Sullivan all testified that following June of 1990 some of their stored electronic communications, or E-mail, had been deleted.
It is clear, as hereinafter set out, that the conduct of the United States Secret Service violated two of the three statutes which the causes of action of the Plaintiffs are based and, therefore, there are statutory damages involved, but the Court declines to find from a preponderance of the evidence that any of the individual Plaintiffs sustained any compensatory damages..."

The folks above who were rewarded statutory damages had both "public and private" stored communications. Judge Sparks does not make a distinction in his awarding statutory damages between "public" or "private" communications.

"...destruction in some manner. Notwithstanding that any alteration or destruction by Blankenship, Steve Jackson, or anyone else would constitute a criminal offense under this statute, Foley and the Secret Service seized -- not just obtained disclosure of the content -- all of the electronic communications stored in the Illuminati bulletin board involving the Plaintiffs in this case. This conduct exceeded the Government's authority under the statute."

"The Government Defendants contend there is no liability for alleged violation of the statute as Foley and the Secret Service had a "good faith" reliance on the February 28, 1990, court order/search warrant. The Court declines to find this defense by a preponderance of the evidence in this case."

"Steve Jackson Games, Incorporated, as the provider and each individual Plaintiffs as either subscribers or customers were "aggrieved" by the conduct of the Secret Service in the violation of this statute. While the Court declines to find from a preponderance of the credible evidence the compensatory damages sought by each Plaintiff, the Court will assess the statutory damages of $1,000.00 for each Plaintiff..."

Sam Sparks, the United States District Judge who heard this case made it clear that the Secret Service was not acting properly when it seized, read and deleted stored electronic communications.
And that "anyone else" doing it "...would constitute a criminal offense under this statute."

Early in the opinion it was established that a BBS was indeed a "remote computing service" in part:

"...of the law's applicability under the facts of this case. Steve Jackson Games, Inc., through its Illuminati bulletin board services, was a "remote computing service" within the definition of Section 2711, and, therefore, the only procedure available to the Secret Service to obtain "disclosure" of the contents of electronic communications was to comply with this statute. See, 18 U.S.C. § 2703. Agent Foley and the Secret Service, however, wanted more electronic communications, both public and private. A court order for such disclosure is only to issue if "there is a reason to believe the contents of a[n] . . . electronic communication . . . are relevant to a legitimate law enforcement inquiry." See, 18 U.S.C. § 2703(d). Agent Foley did not advise the United States Magistrate..."

And it's very clear that Judge Sparks considered both "public" and "private" communications in his opinion.

Sysops need to understand that case law is very limited at this point because of the infancy of computer email communications. However both private and public communication were considered under the ECPA. In addition, the opinion makes clear also that a BBS is indeed a "remote computing service" as defined in the ECPA.

The above case is a "beacon" of light in a formerly gray area according to an un-official statement from the Florida Department of Law Enforcement (FDLE), Computer Crimes Division. In my conversation with Jeff Herig he made it clear that the Steve Jackson Games case is the model case they are training their officers on.

===

4:10 p.m.

Brriinngg!

UNITED STATES DEPARTMENT of JUSTICE, CRIMINAL CRIMES DIVISION.
Notes: Dan Schneider returns my call and offers once again, in a very general way, that I am being correct in my assumption that should an individual be able to show that they have a reasonable expectation of privacy, an individual may find relief in the Fourth Amendment and further in the ECPA of 1986. He stresses that he simply cannot be responsible for providing specific legal advice. But he allowed that both he and his superior thought that I was considering the options correctly.

An analogy agreed upon was of a locked office drawer of an employee. In an office desk there may be drawers normally locked and unlocked. The unlocked drawers may be accessed by employees in the office so a lowered expectation of privacy would be implied. A drawer normally locked however may infer a much greater expectation of privacy because of the severely limited access. The same would hold true for items marked "secret" or "confidential" and there was general agreement that the analogy would hold true for encrypted data.

Dan informed me that the Justice Department is relying on the opinions so far rendered. This should tell the average sysop that adherence to the ECPA would be a good idea. Dan also thought that there may be an appeal on file in the Steve Jackson Games suit.

===

4:30 p.m.

UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF TEXAS,
AUSTIN DIVISION............................(512) 482-5896

A spokeswoman confirmed that Steve Jackson Games indeed has an open appeal in the case.

===

Another earlier case relating to the ECPA of 1986 and its application was an action against Alcor Life Extension Foundation in California. They were running a BBS for clients and prospective clients in the Cryogenics business. The case was settled out of court but did produce a motion for dismissal. The case consisted of in part the following:

"...4. On or about January 11, 1990, plaintiffs commenced civil action No.
SAC 90-021js in the United States District Court, Santa Ana ("the Action"), against the defendants for injuries and damages allegedly suffered as a result of the defendants' seizure of plaintiff's E-mail..."

The prosecution contended that their warrant did not have to comply with the ECPA because the scope of the warrant broadly covered BBS computer equipment and its contents which they felt was sufficient, in lieu of that defense they felt that a "good faith" reliance on the warrant as issued was worthy of a dismissal. While leaving the question open to further consideration, Judge Letts issued the following in reference to:

"...MOTION TO DISMISS COMPLAINT FOR DECLARATORY RELIEF AND DAMAGES (ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986; U.S.C. Section 2701, et seq.)..."

"...The Motion of defendants to dismiss plaintiffs' complaint for came on for hearing regularly on May 14, 1990."

"Defendants moved to dismiss on the grounds that the complaint failed to state a claim pursuant to Federal Rule of Civil Procedure 12(b)6. Defendants asserted that, as a matter of law, no violation of the Electronic Communication Privacy Act of 1986, 18 U.S.C section 2701, et seq. occurred, or, alternately, that defendants are entitled to dismissal due to their good faith reliance on a facially valid search warrant."

"Having reviewed the papers filed in connection with this matter, having heard oral argument, and being fully apprised of the relevant facts and law, IT IS HEREBY ORDERED that the Motion of defendants to dismiss the complaint is DENIED. Said denial shall be without prejudice should defendants wish to raise these same issues later in these proceeding."

IT IS SO ORDERED.

DATED: May 18, 1990

[signed]
J. Spencer Letts
United States District Judge

===

6:07 p.m.

Conclusions

It is clear that there are many remaining questions about specific applications of the ECPA.
It is equally clear that authorities to the highest level consider the Steve Jackson Games case to be of considerable import when dealing with stored electronic communications.

Those in FidoNet who believe that the ECPA does not apply to them may take heed to Judge Sparks' ruling that makes no distinction between public and private email communications. The statutory award made to the folks whose email was read and deleted offers evidence of this.

Further, the Alcor case, while not offering a precedent, did deny a motion to dismiss based on the defendants' claim that the ECPA did not apply. Early on offering evidence that the judiciary considers BBS electronic communications protected under the ECPA.

Some have said that there is no private communication within FidoNet. Even International FidoNet policy allows for different levels of expectations when considering email privacy. In my view, based on the information that I have gathered and presented here, unless a sysop opens any and all communications to any caller or user, some level of the ECPA would come into play. The rapid advance of technology has made it possible and even likely that FidoNet sysops have some kind of message conferences that are not intended for the general public.

Attempting to use FidoNet policy to circumvent US Constitutional protections that can only be waived with a legal signature is sheer folly. It is generally and widely accepted that you cannot give up Constitutional rights without a signed document that specifies exactly what rights you are giving up.

Based on everything I have learned, it is my belief that the ECPA in its application so far is doing what it is intended to do. That is, it provides some measure of protection for electronic stored and forwarded communications. Indeed instead of being a bane it is a boon for sysops.
Much of the Steve Jackson Games case by the US Secret Service was based on what a Secret Service Agent saw at log on:

"...The only information Agent Foley had regarding Steve Jackson Games, Inc. and Steve Jackson was that he thought this was a company that put out games, but he also reviewed a printout of Illuminati on February 25, 1990, which read, "Greetings, Mortal! You have entered the secret computer system of the Illuminati, the on-line home of the world's oldest and largest secret conspiracy. 5124474449300/1200/2400BAUD fronted by Steve Jackson Games, Incorporated. Fnord." The evidence in this case strongly suggests Agent Foley, without any further investigation, misconstrued this information to believe the Illuminati bulletin board was similar in purpose to Blankenship's Phoenix bulletin board, which provided information to and was used by "hackers..."

I suspect that those who are so quick to contend that the ECPA has no effect on their system would perhaps even more quickly, change their position should they find themselves in similar circumstances.

And finally it was noted by each party that I contacted: any policy made by any organization simply CANNOT ignore federal law. In the words of one person consulted, if the Constitutional test of reasonable expectation of privacy was applied and found to have merit, an internal policy "would not mean spit."

CAUTION: I am not an attorney. The above is presented as information only and all readers are advised to seek legal counsel in their jurisdiction for specific advice.

-end ECPAFIDO.TXT-

That is about all the time I am going to spend on it. If anyone would care to further debate the issue, with factual references such as I have provided, instead of simply saying the ECPA can't be applied, I will be happy to participate.

michael.hess@f48.n375.z1.fidonet.org

== It was 8", then 5¼" now 3½"... play with it some more.
--- Golded 2.42 1635US1 via D'Bridge 003179 ---
 * Origin: BBSNEWS * Lake Jordan, Alabama * USR 16.8 205-567-9310 (1:375/48)