1995-01-10 - Re: Files and mail

Header Data

From: craig@passport.ca (Craig Hubley)
To: cypherpunks@toad.com
Message Hash: 861e4d2511895ecd16bd567fe7939d26651e41099349e4d9b68f6532802bd1fc
Message ID: <m0rRcHN-0002GeC@forged.passport.ca>
Reply To: <199501070212.SAA19162@netcom3.netcom.com>
UTC Datetime: 1995-01-10 08:49:55 UTC
Raw Date: Tue, 10 Jan 95 00:49:55 PST

Raw message

From: craig@passport.ca (Craig Hubley)
Date: Tue, 10 Jan 95 00:49:55 PST
To: cypherpunks@toad.com
Subject: Re: Files and mail
In-Reply-To: <199501070212.SAA19162@netcom3.netcom.com>
Message-ID: <m0rRcHN-0002GeC@forged.passport.ca>
MIME-Version: 1.0
Content-Type: text/plain

> "I'm Wozz" <wozzeck@phantom.com> writes:
>  > Any professional knows better than to read private
>  > mail...and if this is so...then they aren't worthy of having
>  > a site to run
> For legal purposes, most BBS systems declare that for the
> purposes of the ECPA, there is no such thing as private mail on
> their system.  The Sysop is then free to read anything he wishes
> to.  This policy is clearly stated in the user agreements of
> almost all BBS systems offering access to the public.

This may be true of public access BBS systems, but on corporate
sites the smart money pulls the other way.  Smart corps avoid
reading email for the same reason they avoid listening in on 
voice conversations (except in telemarketing etc.).  Likelihood
of a corporation being held liable for any abusive use of a system
by an employee is drastically outweighed by the likelihood of
a costly wrongful dismissal suit should any investigation of private
correspondence reveal some private fact (e.g. they are gay,
they are having an affair, etc.) that leads to their dismissal
(and thus loss of access to the system!).  In other words, abuse by
managers of their supervisory priveleges is far more likely to come 
back and haunt the organization than abuse by employees, in legal
terms anyway.

At a recent seminar on doing business on the internet I stated
this opinion to an audience that included at least 20 lawyers.
None disagreed, the numbers are clear enough.  One added the
qualification, which I agree with, that pirated software that
the organization directly benefits from is a specific exception
where the organization is guilty until proven innocent.  But
he hastened to add that the rest of the argument stood up.  We
agreed that a 'software audit' program such as the SPA provides
could meet that need without compromising end user privacy.

Slowly I believe that Prodigy, AOL, etc., are getting this message,
that it costs more to censor than not to.  Reading of the week:
"Defending Pornography", by the head of the ACLU (yes a woman) who
argues that the fight against censorship is equivalent to the fight
for women's rights, and historically has always had the same enemies.
Kind words on the jacket from Friedan and other mainstream feminists.
>  > as for PGP, this is an individual thing....I'm sure mike
>  > has no such objections...i know here at MindVox we
>  > don't...in fact, we installed it for the users
> Many BBS Sysops forbid PGP and kick users off their systems who

I can't speak to the paranoia of garage system operators but:

> use it.  They cite fears of encrypted illegal porn and credit
> card numbers passing through their systems, and potential legal
> liability.

We work with a lot of large corporate clients using the internet.
We have recommended PGP as a means of securing privacy for all
corporate communications (note I don't use it from this site as
I don't download all mail from here before reading it, a GUI
PGP that was usable would go a long way to overcoming resistance)
and deal only with BBS operators who fully support user privacy.
As I suggest, we have recommended strongly against investigating
the contents of mail etc., and have been backed by the lawyers
of these organizations who see a nightmare of legal liability
even in the *ability* to look. (When does the ability to look
become an obligation to record?  Go ask your service provider!)

It seems to me that, although there have been some misguided
prosecutions with serious impact on the livelihoods of some
small operators, the defense that the operators did not know
what was moving through their site has held up.  Criminal
liability hinges on knowledge of the act - you cannot be held
criminally liable unless you knew what was going on... period.
Exceptions to that ('guilty until proven innocent' doctrine
that blames the publisher and forces them also to be a censor)
are offensive to the principles of both the law and liberalism.
I would cite broadcasting law as an example of such an abusive
body of law, and note that it was written entirely in this century.

The 'common carrier' status is not a silver bullet, it obligates
carriers to co-operate with authorities to maintain that status,
as it is specially granted.  It is actually better to let it evolve
by precedent, a 'de facto' common carrier defense, as that way it
cannot be withdrawn by a government without special legislation that
itself may be overturned by the courts (in constitutional democracies).

In other words, keep on using PGP, ditch providers who forbid it, and
recommend it to every company you can.  Once it becomes clear to Ford
and Kraft and GM that a decision to hold a BBS operator responsible
for traffic that moved through his system without his intervention,
is also likely to deem *them* responsible for employees (and suppliers!)
once they have established internally a comfortable precedent of just
leaving the mail alone... very expensive and disruptive to overturn...
you can be damn sure that some serious campaign contributions will swing
over to the privacy advocates.

I make these assumptions:  that corporate America, as commercial entities,
have no interest in knowing about anything that is not directly related
to the making of money.  It does not want its business complicated by
the necessity to become a censor of employee discussions.  Piss tests
etc. were an example of DoD over-control forcibly imposed on the private
sector... with predictable results like the Intel Pentagronk (who ever heard
of a serious system being built entirely without benefit of psychoactives?)

With DoD spending disappearing, the military-industrial complex shrinking,
this economic influence is reduced and we get more overt legislative attempts
to exert control like the Clipper, motivated by 'civilian' concerns like
'kiddie porn' (gee Japan has no such laws and it hasn't collapsed yet, has
lower incidence of child molestation too...) and 'violent porn' (same story,
you can get it in Denmark and they have less rape than here...) and 'stolen
goods' (which can be moved around easily enough by a hundred other means).

In other words, the same lame excuses that politicians use every time they
want to control people.  But I don't think business is with the program,
I think corporations only react to fear of liability etc. (which is kept
heightened by governments with their own agenda) which can be reduced by
education and measured by intelligent risk analysis.  In my opinion, as 
the architect of several risk management systems, the latter demonstrates
that the danger is less than 'most BBS operators' think, and it arises
from different factors than they think, to wit:

  If a small service provider is prosecuted for moving alt.binaries.snuff
  through his system, it is not because he carries it: so do 500 other
  service providers, and they can't prosecute them all.  It is because
  he was careless enough to indicate in non-PGP-encrypted email that he
  was intending to make a political donation to the prosecutor's opponent.
  Barring a nationwide crackdown, where the initial prosecution is always
  carefully chosen for minimum public sympathy, these random prosecutions
  are going to be motivated by the petty whims of cops and bureaucrats.
  I see no reason why one would leave one's opinions open to them to read.
  All that can do is make you a target, and who needs to be a target ?

That said, I can understand their fear.  If I were operating an internet
service today, I doubt I would have posted this to cypherpunks (which I
read primarily to protect my own privacy, that of my clients, and advise
them on effective means of privacy protection).  Now I'm probably on an
NSA list somewhere... good thing I'm up here in Canada...!

Craig Hubley                Business that runs on knowledge
Craig Hubley & Associates   needs software that runs on the Web
craig@passport.ca   416-778-6136  416-778-1965 FAX