1993-10-01 - Re: FIDOnet encryption (or lack thereof)

Header Data

From: Mike Godwin <mnemonic@eff.org>
To: mimir@u.washington.edu (Al Billings)
Message Hash: 0a4d10d3e11e7f92881575e611335b70c25d996acb03a851dbb1ce035e658ee7
Message ID: <199310012140.AA23553@eff.org>
Reply To: <Pine.3.05z.9310011445.A10475-b100000@carson.u.washington.edu>
UTC Datetime: 1993-10-01 21:43:39 UTC
Raw Date: Fri, 1 Oct 93 14:43:39 PDT

Raw message

From: Mike Godwin <mnemonic@eff.org>
Date: Fri, 1 Oct 93 14:43:39 PDT
To: mimir@u.washington.edu (Al Billings)
Subject: Re: FIDOnet encryption (or lack thereof)
In-Reply-To: <Pine.3.05z.9310011445.A10475-b100000@carson.u.washington.edu>
Message-ID: <199310012140.AA23553@eff.org>
MIME-Version: 1.0
Content-Type: text/plain


 
Al Billings writes:

>  As has already been shown from Fidonet policy, Fidonet does not guarantee
> private mail  in any from and, in fact, advises that mail will be going
> through many sites and can be read along the way.
 
You could be extrapolating from Fidonet's refusal to *guarantee* e-mail
privacy (after all, how could Fidonet *enforce* it?) that all users
of every Fido BBS everywhere have waived their rights under ECPA.

My understanding is that Fidonet policy was drafted not in order to comply
with ECPA, but to acknowledge that, in this decentralized network, there
was no authority a user a could appeal to if his e-mail was not kept
private. But I'd be interested in seeing a direct quote of the policy
provision you're alluding to here. 

And what about me? I don't post from a Fido BBS, so even if there's a
Fidonet-wide waiver of ECPA rights, it's not a waiver *I* have agreed to.
What if mail from me passes through a Fido node on its way to a non-Fido
destination? 

>  The third point does not apply if the sysops offer no private mail in the
> first place.
 
Certainly, if they offer no mail at all, they're not liable, since no mail
passes through their systems.

But the interesting case is this: let's assume that you're right that all
Fido users everywhere have agreed to waive their ECPA rights. Then are the
sysops who reserve their right to read e-mail reading *all* e-mail that
passes through their systems?

If not, this puts the lie to the claim that they're limiting their
liability by reserving their right to read e-mail. After all, the
criminally significant communications may be the ones they're skipping.

In general, criminal liability depends on *knowledge*--you normally can't
be held criminally liable for acts and communications you didn't know
about.

I know of no case in which a sysop has been held *civilly* liable for
failing to read all e-mail on his system. So, in terms of classic risk
analysis, what does that statistic tell you?

> > I suggest that you inform sysops who tell you otherwise that they can
> > contact me at the Legal Services Department of EFF. You've got my e-mail
> > address already--my phone number is 202-347-5400.
> 
>  I don't need sysops to tell me otherwise.

I wasn't referring you to any sysops.

> I've been running my own BBS
> for over three years. My system has a very clear policy statement that
> refers to the ECPA and states VERY clearly who can read the messages
> posted on my system in different areas. As I'm not a Fido hub (and barely
> participate in that network at all), I don't have to worry about passing
> other mail through my system.

If all your users have agreed to waive their e-mail privacy rights, and
you're not dealing with any mail that does not either originate or
terminate on your system, then you're not in violation of ECPA.


--Mike







Thread