1993-10-03 - Re: PGP in Fidonet

Header Data

From: Mike Godwin <mnemonic@eff.org>
To: anonymous@extropia.wimsey.com
Message Hash: f2035e22b2b5add3528fbf7be6b15066710e72e6c787c3301e8f2331bed878f4
Message ID: <199310030757.AA04131@eff.org>
Reply To: <199310030409.AA15860@xtropia>
UTC Datetime: 1993-10-03 07:58:51 UTC
Raw Date: Sun, 3 Oct 93 00:58:51 PDT

Raw message

From: Mike Godwin <mnemonic@eff.org>
Date: Sun, 3 Oct 93 00:58:51 PDT
To: anonymous@extropia.wimsey.com
Subject: Re: PGP in Fidonet
In-Reply-To: <199310030409.AA15860@xtropia>
Message-ID: <199310030757.AA04131@eff.org>
MIME-Version: 1.0
Content-Type: text/plain


 
anonymous writes:

> Frankly, no.  I have however followed this same endless debate among
> lawyers in BBS_LAW, however, and (if I understand all parties correctly)
> their assessment for the most part disagrees with the one you cite here.
 
I don't want to play duelling credentials, and, as I said earlier, there
are some parts of ECPA over which reasonable lawyers can disagree. But
many of the assumptions some sysops make about a) whether they're exempt
from ECPA and b) whether they're at risk if they don't read e-mail, and c)
whether it helps to have a sysop-can-read-e-mail policy when the sysop
does not in fact read all e-mail, and d) whether encryption creates a
special risk of liability for sysops strike me as pretty uninformed.

Note: even if the courts were to decide that I'm wrong on point (a), it's
irrelevant to points (b), (c), and (d) above. The notion that sysops have
some *legal* reason to ban encrypted messages is profoundly silly, and
unsupported by any caselaw anywhere. And you can quote me on that.

> Perhaps we misunderstand each other; I do not mean, literally, that
> "hobby BBSs are exempt from ECPA," but that the situations addressed are
> generally avoided by sysop policies.

Avoidable, yes, but not by policies per se--sysops can avoid ECPA
liability by contracting with users or by limiting their viewing of
private mail to the specific restrictions of ECPA.

> 5]  Is prosecutable under ECPA?  If so, has such a prosecution been
>     successful?
 
They're as frequent and successful as prosecutions of sysops for carrying
encrypted mail. Which is to say, there are no cases on point regarding
ECPA, but at least we know what the statute says. On the other hand,
there's no statute that says sysops will be criminally liable if they
don't ban encrypted communications.

> It is my understanding that noncommercial FIDOnet participants are not
> in fact common carriers and that technical, legal common carrier status
> requires more than simply ignoring e-mail.  I understand it also brings
> more potential liabilities than FIDO can handle.
 
The issue of common-carrier status isn't relevant to the points I've been
making here. I'm assuming that no BBS qualifies as a common carrier.

> In any case, I am informed hobby sysops have been arrested and their
> systems seized for allegedly illegal traffic on their systems of which
> they claim to have had no knowledge.

Please do not make the common layman mistake of supposing that arrest or
seizure equals criminal liability. If you want to talk about specific
cases, please cite them. 

It should be noted, however, that the Steve Jackson Games seizure occurred
even though there was no illegal material on his system.

> I believe this is the case in the
> CT case pending.

You are mistaken.

> Even if these cases are eventually dismissed, the
> legal expense and personal disruption to a private party (usually a
> young person of very limited means) is catastrophic and without
> practical recourse.
 
But you still don't get it--there's no correlation between these seizures
and the use of truly private or encrypted e-mail.

No connection at all. Period. The link is entirely in some sysops' minds.

> As I say, there seems to be a great deal more to legal "common carrier"
> status than simply ignoring e-mail.  In FIDOdom common carrier status is
> regarded as a much larger can of worms, with more potential problems and
> liabilities for sysops than other options.
 
As well it should be. But common-carrier status is not the only way to
avoid legal liability.



--Mike







