From: Karl Lui Barrus <klbarrus@owlnet.rice.edu>
Date: Sat, 12 Mar 94 09:36:05 PST
To: cypherpunks@toad.com
Subject: Re: MAIL and Coming Police State
Message-ID: <9403121735.AA29376@flammulated.owlnet.rice.edu>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

>Karl Barrus writes:
>> I mention this because I have asked and been told repeatedly by an
>> attorney friend of mine that running a remailer on a system where you
>> don't have authorization to do so is a violation of the ECPA.  (i.e.
>> access beyond what the system administration intends for you to have).

>I would be interested in what legal research your attorney friend
>engaged in in order to come to this conclusion.  Possibly it would be a

Sure.  The attorney is Ed Cavazos (polekat@well.sf.ca.us) - I met him
first as a user on his BBS (Bamboo Gardens, WWIVnet, now in Houston
after years in Austin) where he runs Modem/BBSLaw net, and then in
person a few times at EFH (Electronic Frontiers Houston) meetings or
events.

He was involved in the Steve Jackson vs. Secret Service case, not as
lead attorney, but as an assistant.  Since this is the only case
involving the ECPA to hit the courts and he was in on it, I'm going to
have to go with his judgement, unless somebody can argue super
persuasively (and preferably convince him too!)

As a side note at the last EFH event, we had about 50 people in a room
talking about the Clipper Chip and its cons - people that stayed after
his talk on legal issues in cyberspace.

Anyway, I've asked him several times about the legality of remailers,
and during his last talk he addressed them, again ;).

Like a fool, I didn't take notes, but from what I remember, the ECPA:

* forbids others reading private communications
* makes it a crime to attempt unauthorized access on a system with
  private communication facilities (i.e. email)
* forbids you from access above/beyond what the system intended for
  you

I think there is one more thing that goes along with the ECPA, but I
can't remember.  I will email polekat and ask again, hopefully in a
few days or so he'll be able to get back to me.  Again, this is all
from memory.

Anyway, the last one is the key.  It says the even if you are a legit
user, the following are still illegal:

* you find a way to defeat security
* you read files that you aren't supposed to, even if the permissions
  let you
* you run programs or use the system in any way that the system
  administration didn't intend for you (i.e. you run crack all the time
  or you run a remailer)

Now, I was careful to make a distinction: running a remailer on a
current account, and running one on an old account.

(Because the four remailers I used to run were on old account of mine
when I was a student at UH.  Now I am at Rice, and Ed said it is
DEFINITELY a violation to run a remailer on an account you aren't even
supposed to have anymore)

But, he said that even running one on a current account is a violation
unless you have permission.

I mean, I don't mean to scare anybody or spread FUD - for example I am
not out of the remailer business ;) it's just the next one I set up
will be with the approval/blessing/whatever of the system
administration!

> violation if running a remailer was specifically prohibited by the
> operator (though this sounds more like a contract problem than an ECPA

Well, the way it is prohibited here at Rice is by a policy which
forbids sending mail to any unauthorized or nonstandard program.
Stuff like filter, procmail, slocal (if MH were on owlnet ;) would be
allowed, but definitely not a remailer.

> Holding this to be a violation is also particularly silly since it
> would make unlawful the doing of something by instrumentality of
> software an act which can easily be done (and was done, before the
> current era of software remailers) by hand.  One would solicit for

Yeah, but by this logic why is it illegal to export cryptographic
software when you can print it and mail it anywhere you please?
Silly, yet illegal.

Karl Barrus
<klbarrus@owlnet.rice.edu>

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQCVAgUBLYH9GoOA7OpLWtYzAQE1cQP+MvYFldT0fkfMa66vz8bdj3eqwleuKohb
VJzmBZolS2ki0D/Wz01BkCxyhUj4ENLCT1zr6C+mWw7cFhyx+MuTnKKOWPWyiTp7
9NgkyjYhqw66jCIXvP/s828sY831OhcBe7iZTjcuvGTPuPzbuV04J7Exj1DYPfp5
WeGl0kZ5+dE=
=i4en
-----END PGP SIGNATURE-----