to: jerry berman, subj

TO:

FROM:SUBJ:

DATE:

Jerry Berman,Chief Legislative CounselAmerican civil Liberties unionCarl MalamudRegulation of bulletin board and other remote computingsystems.May 10, 1986

I. Introduction

Over the past year there have been several legislative andjUdicial initiatives that attempt to define the pUblic policyissues surrounding new computer and communications technologiessuch as remote bulletin boards, electronic mail and other formsof sharing information. The technology has not fit very well·with existing laws and there has been a growing pUblic debate onhow to classify these new types of activities. This memorandumaddresses two of the more serious policy areas being affected:the constitutional rights to privacy and free speech.

II. Overview of the Basic Technology

The basic development that has spawned much of the currentdebate has been remote computing. In the early days of thecomputer industry, all computing was done in isolated sites.These sites were specially adapted rooms that contained thecomputer and various access devices such as card readers and,later, terminals. Access was usually highly controlled and onlyskilled technicians were able to use the equipment.

In the early 1970's, several types of minicomputers becameavailable. These computers were smaller than the earliermainframes and became available to many small research andbusiness groups. Soon after, the Apple II microcomputer madecomputing available to individuals. The increase in the numberof computers! created a great demand for communication betweendifferent sites to share information and exchange messages.

Remote computing -started out with terminals being spreadaround a building so that people could use computers from theiroffices instead of the main location of the equipment. Next,computing became possible from remote buildings in a campus likeatmosphere. Modern communications switches now allow access fromlocations almost anywhere in the world. Using thesecommunications switches, individuals can access vast amounts ofinformation in remote databases and exchange messages with a widevariety of people over large pUblic and private networks.

1

Remote Computing Services - continued

A. Remote Computing and Databases.

with access to a wide variety of computers at differentlocations, it became possible to start having computersspecialize in different areas. Some computing centers are knownfor their modelling and simulation capabilities. others areknown for their statistical software, or text processingcapabilities or for their ability" to store, organize and retrievelarge quantities of data.

A specialized form of remote computing is the remotedatabase. These online databases store large amounts ofspecialized information. Most corporations keep their personneland accounting information in a database for managers in avariety of areas to access. Many research efforts result inlarge databases of experimental results that will prove useful toother researchers in the field.

One of the oldest commercial examples of remote databases isthe Dow Jones New Service. This electronic news service containsa wide variety of data about economic conditions and financialmarkets. Back copies of the Wall Street Journal and consultingreports on different markets and issues are available online.Remote databases are also widely used in the library sciences.Services such as BRS and Dialog have large amounts ofbibliographic data that can be searched.

B. Electronic Messaging Systems

Large numbers of people using computers creates a demand forways for those people to exchange information. Many systemsoffer an analogy to the telephone. If two people agree, theirterminals can be linked together and they can "talk" to eachother. Everything that one person types will appear on theothers person terminal and vice versa.

Another form of communication is electronic mail.Electronic mail" allows a person to "deposit" a letter in acomputer which then forwards that letter to another person. Thatperson might be on the same computer, but calling in from anothersite. Electronic mail is used more often than the "telephone"types of systems because the other person doesn't have to be onthe computer at the same time. Using the ever increasing web ofnetworks, it is also possible to mail a letter to people on othercomputers. The computers communicate with each other andexchange mail messages much as the post office would fly mailbetween post offices in different cities.

2


There are three types of electronic mail systems that haveemerged. First are the wholly pUblic systems. These functionmuch like common carrier telephone companies, accepting businessfrom almost all comers. GTE's Telenet and MCI's MCIMail are twoexamples of these large commercial mail systems. In many ways,these companies resemble the US Post Office, UPS or the overnightservices such as Federal Express and Emory.

The second type· of electronic mail system is the whollyprivate one. Many corporations have installed electronic mailsystems to allow all corporate personnel to communicate fromdifferent offices. The mail systems are used to exchangememoranda, to distribute company policy and as a substitute formeetings. The wholly private systems are owned and run by theuser of the system.

It is important to note that wholly private systems are notnecessarily run by corporations. Many nonprofit groups such astrade associations also use mail systems for communication. Thetechnology involved is becoming cheap enough that even groups of10 or 20 people can cost effectively set up an electronic mailsystem.

The third type of mail system is a hybrid of public andprivate. The large commercial systems allow the creation ofValue Added Networks. These networks allow a user to create anetwork that looks like a private one, but is really constructedon top of the larger pUblic facilities. An analogy to thetelephone industry would be leased telephone lines. The linesare owned and operated by the phone company but look like aprivately-owned line to the users because it is always availableto them.

Usually electronic mail is addressed to a specific person.Many systems allow you to address mail to wide groups of people,or "mailing lists." It is even possible to address mail to"Resident" and deliver it to all people on the system!

Another way to make information available to a wide varietyof people is to post it on an electronic bulletin board. Insteadof the mail being delivered to all people, people read thebulletin board and read all messages that they are interestedin. Posting things on bulletin boards allow you to communicatewith people that you have not yet identified. In many ways, itis much like pUblishing a small newspaper, or getting up in apUblic meeting and making an announcement.

3


Technically, a bulletin board message and an electronic mailmessage are identical. Both consist of some text which is meantto be read by the recipients. The difference is that in anelectronic mail message, the message has a specificallyidentified recipient or set of recipients. A bulletin boardconsists of a message that is available to anybody who has accessto that particular computer system.

Bulletin boards can be semi-public because their use can berestricted. Of course, it is always possible to restrict use bynot letting people on that particular system in the first ~lace.

Even when people are on the system, it is possible to ~mpose

additional levels of security so that certain bulletin boards areonly available to certain people.

There have emerged two types of public bulletin boards.Some commercial organizations, particularly CompuServe and theSource offer a package of electronic mail and bulletin boardservices to subscribers who pay a fee based on usage.Subscribers can examine bulletin boards on topics ranging fromdialogues on legal issues to movie reviews to recipe files.

Other bulletin boards are run by individuals or small groupsand are usually non-profit. Many of the early bulletin. boardswere an outgrowth of the advent of microcomputers. Topics onthese boards focus on technical issues relating to microcomputersand programming. These early users wrote software that allowsany cheap microcomputer become a bulletin board system. Thissoftware was placed in the pUblic domain, making operating abulletin board a trivial matter.

Literally hundreds of these small bulletin boards havesprung up around the country. Most specialize in a topic or aparticular outlook on life. Boards exist that cater to rightwing extremists, to musicians, to pedophiles and as places toexchange recipes. Many boards operate as a sort of singles barwhere people can meet.

Several boards operate as a meeting place for a culturalunderground of "hackers" who spend hours trying to gain access toother organizations computers. Information on these hackerboards include phone numbers of computer systems, ways tocircumvent the security systems and how to gain access to data.A common target of the hackers are the large databanks offinancial records kept by banks, credit card firms and creditagencies. Other targets are high security systems run by thecommunications companies and by the government.

4

._-_._. --_.- _._~~~-----_.-

'. '.'~"._.__••_.~~ ••_. "_'_~__h "~""_~ -_


III. Privacy and Communication

A. Title III and Eavesdropping

Title III of the Omnibus Crime Control and Safe Streets Actof 1968 made it unlawful to intercept any "aural" communicationstransmitted by wire. Under Title III, individuals have a legallyenforceable expectation of the privacy of their telephoneconversations. This expectation of privacy is enforceableagainst three classes of potential intruders.

First, the government may monitor.a telephone line onlyafter it has met heightened standards of due process and probablecause. Before being allowed to intercept a piece of mail, thegovernment must identify precisely the piece that violates a law.With telephone conversations, it is impossible to predict exactlywhen an illegal act will occur. The government must thereforemonitor all of a persons conversations to find the incriminatingmatter. Because of the non-limiting nature of a search of aperson's telephone conversations, Title III required a specialcertification by an Assistant Attorney General before thegovernment approaches a Federal judge for an order to approvewiretapping.

The second class of potential intruders is the generalpUblic. Title III allows a civil suit for actual and punitivedamages as well as attorney's fees against those that interceptan aural telephone conversation. Finally, Title III makes ·alimited exception for the operator of the telephone system. Thecommon carrier is allowed to monitor individual conversations,but only for the purposes of quality and service checks.

Since only "aural" communications transmitted by wire arecovered under the present law, there is no protection for voicecommunications transmitted over non-wire media such asmicrowave. The law thus protects some forms' of communicationsbut will not protect the privacy of that same communication overa different transmission media.

In addition to . the problem of non-wire "aural"communications, Title III does not cover any data communications.Since data is not "aural" a conversation over a computer bulletinboard is not protected, even though the content may be the sameas an aural conversation and the communication takes place overthe very same phone wire.

5


B. The Electronic Communication Privacy Act

In response to the inconsistency in the present law, therehas been a strong push over the last year to enact the ElectronicCommunication Privacy Act of 1985 sponsored by CongressmanKastenmeier of Wisconsin and Senator Leahy of Vermont. The billis the result of an unusual coalition that includes many industrygroups, the ACLU and the Justice Department. Although thelegislation is currently in a state of flux, several key featureshave emerged.

First, the protection of Title 18 of the u.S. Code would beextended to any "electronic communication" regardless of thepublic or private nature or the type of transmission media.Under the proposed legislation it would unlawful to intercept any"transmission of signs, signals, writing, images, sounds, data orintelligence of any nature." The purpose of the legislation isto provide a technology independent means of protecting theprivacy of data communications.

Several exceptions to privacy include the interception ofcommunications systems such as walkie talkies or police radiosthat are meant to be accessible to the pUblic. There is also anexception for interception by law enforcement officials if theyhave a court order. The provider of service may monitorcommunications if the purpose of the monitoring is to providequality assurance and not to intercept the contents of messages.

Both the present law and the original Kastenmeierlegislation had a very strict definition of communications.Since an electronic mail message has to pause in a computer whileawaiting the availability of transmission facilities, it wouldnot be protected under a strict definition of communications.Changes to the current legislation have been made that alsoextend protection to communications in the stream oftransmission, even if that means they are sitting and waiting.

Another problem with assuring adequate privacy protection isthat when mail messages are sent electronically, a copy is madeby the system operator in case of a malfunction in thecommunications system. These copies do not fall within a strictdefinition of communications. However,' if there is noexpectation of privacy in these backup copies, it makes no senseto establish an expectation of privacy, in the message actuallytransmitted. There are thus provisions in the legislation toextend protection to copies made by the system operator solelyfor the purposes of data integrity.

6


C. Limits of the Electronic Communications Privacy Act

Several things are not covered by the ElectronicCommunications Privacy Act. Once a mail message has beenreceived, it is typically stored on the system by the recipient.The recipient might want to refer to the contents of the messageat a future time or might want to just save it for documentationpurposes. The Electronic Communications Privacy Act does - notdeal directly with these files kept by individuals since they arenot in communication. However, because most people will accessthose files using some form of telecommunications facility,anybody breaking into a saved electronic message file would becovered under the interception provisions of the Act.

Another aspect of privacy is the privacy of an onlinedatabase. Under the Privacy Act, transmission of data from aremote computer to a local system would be protected. However,the actual database stored on the remote computer would not beconsidered to be a message. It is rather a. message that iswaiting to be sent. The purpose of keeping the information is toallow for future transmission. Because the Privacy Act onlyattempts to resolve the question of data in the process oftransmission, there seems to be a potential gap in privacyprotection.

Both on-line databases and files kept by individuals can beconsidered to be property, just as a chair or a set of filecabinets or copies of business records. Both of these types ofinformation can thus be treated under traditional privacyconcepts under the search and seizure provisions of the 4thAmendment and under criminal law.

Attempts by individuals to access databases withoutauthorization or to snoop in files can be dealt with undertraditional criminal law concepts. Many states currently havelegislation dealing with computer crime, and there are severalbills in the Congress that also attempt to deal with the matter.See for example the Counterfeit Access Device and Computer Fraudand Abuse Act of 1985, H.R. 1001 introduced by Rep. Hughes.

7


D. Extensions of the Constitutional Definition-of Privacy

Attempts by the government to access data records seem tofall under the question of whether the individual has a"constitutionally protected reasonable expectation of privacy."Katz v. united States, 389 US 347, 360 (1967) (Harlen, J.,concurring). Constitutional protection is extended only when theindividual has an expectation in the privacy of the matter. Thismeans that communications intended to be pUblic, such as a radiobroadcast or a billboard, do not have any expectation of privacy.secondly, there are certain areas where even the individual'sexpectation of privacy exists, society may not treat thatexpectation as being reasonable.

Two recent Supreme Court decisions show the reluctance ofthe judiciary to extend traditional privacy protection againstnew forms of technological surveillance. In California v.ciraola, Slip Opinion, No. 84-1513, 6/19/86, Justice Burger wrotefor a majority of 5 and refused to extend the common law doctrineof privacy of the home to freedom from aerial observation. InDow Chemical v. EPA, Slip Opinion, No. 84-1259, 6/19/86, the same5-4 court refused to recognize the concept of an "industrialcurtilage" which establishes an expectation of privacy fromaerial surveillance.

In both decisions, the Court put the new technological formsof surveillance outside the reasonable area of privacy. In bo~h

cases, the new forms of technology were said to be observation ofan "open field." As the Court said in Oliver v. united states,"open fields do not provide the setting for those intimateactivities that the [Fourth] Amendment is intended to shelterfrom governmental interference or surveillance." 466 US 170,179(1984) •

Justice Powell argued in dissent in the Ciraola case thatthe majority erred in not applying the curtilige doctrine to newforms of technology. He argued that Fourth Amendment should beconstrued in "light of contemporary norms and conditions" andshould not freeze "into constitutional law those enforcementpractices that existed at the time of the Fourth Amendment'spassage." quoting Payton v. New York, 445 US 573~ 591, n. 33(1980) •

8

Remote Computing Services - Continued

Both of these decisions are important because of theincreasing technical capabilities of sophisticated users to gainaccess to any computer system. If the two Court opinions implythat if government can "easily" access information, it ispossible that they would not extend Fourth Amendment protectionto certain forms of electronic data kept in the home if it isaccessible through technologically-advanced snooping.

One protection against any eroding Fourth Amendmentprotection would be the Electronic Communications Privacy Act.Before information can be accessed, you must be in communicationwith the computer. This can be done over various communicationsmedia, which would put it within the scope of the legislatiori.The only other way to access the information would be by being onthe property where the computer is physically stored. If thatcomputer is owned by the person being searched, physical accessto the computer would be governed by traditional Fourth Amendmentconcepts. If the computer is owned by somebody else, theinformation would presumably be treated like any other thirdparty business record.

IV. First Amendment

It has long been accepted that the First Amendmentguarantees of freedom of speech and press to do not extend toobscene material. See Roth v. united States, 354 US 476, 485(1957). Just what material is obscene has been the SUbject ofmany cases and much controversy. The Court formulated a numberof tests that all ultimately required the justices to decide eachcase individually. In Miller v. California, the Court attemptedto resolve the problem by defining obscenity as whether "theaverage person, applying contemporary community standards" wouldappeal to the prurient interest. 413 US 15,24 (1973).

The Miller obscenity test illustrates just one of the FirstAmendment issues that are raised by remote computing. If asystem operator living in New York City allows a Berkeleyresident to post an obscene message on a bulletin board thatoffends a resident of Muncie, Indiana the concept of a "communitystandard" becomes somewhat elusive.

The issue of obscenity on remote computing facilities is notjust a theoretical one. A recent legislative effort is theComputer Pornography and Child Exploitation Prevention Actintroduced by Senator Tribble. The bill was introduced inresponse to several incidents where private electronic bulletin

9

Remote Computing Services - Continued

boards were used for the transmission of information concerningchild pornography.

In his testimony on the Tribble bill, Henry Hudson, aVirginia prosecuting attorne¥ claimed that there were fiveseparate computer systems ~n metropolitan Washington thatexchanged messages on child pornography and sexual abuse.Because the bill punishes those who knowingly permit theircomputer service to be used for the transmission of materialcontaining obscene, lewd or lascivious matter, the bill attemptsto hold the system operator responsible for the contents of thebulletin board.

Although the Tribble bill gathered strong support from manyquarters, the Department of Justice has said that the bill isprobably unconstitutional. The American civil Liberties Unionargued that in Stanley v. Georgia, the Supreme Court held thateven "obscene" material may be viewed in one's own home and theviewing of a bulletin board falls squarely within Stanley.

On May 16, 1984, police in Los Angeles seized the computerof Thomas Tcimpidi$. Tcimpidis was charged with running abulletin board that had messages containing telephone credit cardnumbers that had been obtained without authorization. Pollack,Free Speech Issues Surround Computer Bulletin Board Use, New YorkTimes, 11/12/84. In 1985 the Private Sector bulletin board, oneof the largest of the hacker boards, was seized by the Middlesex,New Jersey County Prosecutor's office.

The defense in the Private Sector case, New Jersey v. Blichargues that impoundment of the bulletin board equipmentconstitutes a prior restraint on speech. Prior restraints onspeech bear a "heavy presumption against" constitutionality.Bantam Books, Inc. v. Sullivan, 372 US 58, 70 (1963). Thedefense in Blich argue that even if Blich 'can be prosecuted underthe New Jersey Computer Theft statute, 2c:20-25(c), impoundmentof the bulletin board operates prohibits the exchange of any typeof message.

The seizure of the Tcimpidis and Private Sector bulletinboard may just be early attempts by law enforcement to deal witha new type of situation. However, even if outright seizuredisappears, there may be attempts to regulate the operation ofthe bulletin boards. The Court has been very clear that anyattempt to limit the time, place and manner of speech must leaveopen adequate alternative channels of communication. See Schadv. Burough of Mount Ephraim, 101 S.ct. 2176 (1981). If themedium used to communicate is a unique one, government may notmake an outright ban on the use of that medium. Thus, in

10


Milwaukee Social Democratic PUblishing Co. v. Burleson, 255 US407 (1921), Justice Holmes (in dissent) argued that.because mailsare a unique means of communication, the U. s. Government couldnot refuse to carry the Socialist paper The Call. Ithiel de SolaPool, Technologies of Freedom, Belknap Pres (Mass., 1983), p. 88.

The amount of regulation or government intervention that isallowed depends partially on the characterization of the newtechnology. More regulation of radio and TV have been allowedbecause of the "scarce" nature of the airwaves. Althoughregulation of who may or may not go into the business wo~ld neverhave been allowed with the print media, the Court sustained thevalidity of the Communications Act of 1934 in FCC v. pottsvilleBroadcasting Co., 309 US 134 (1940). Then, in 1964 allowed theregulation of content, by insisting on the equal time doctrinefor political·comment by a radio station. Red Lion BroadcastingCompany v. FCC, 395 US 367 (1969).

The scarcity rational for regulation of media such as TV andradio does not transfer well to the newer forms of communication.Bulletin boards are not scarce. Because of the spontaneousnature of the communications, it resembles more a town hall or aset of fliers than a radio station. Another problem withregulation of bulletin boards is the typical size of thecomputers involved. It would be hard to enforce an "equalaccess" provision or some of other form of common carrierregulation for some of the small bulletin boards. Also the easewith which they are established and the sheer number makesregulation of this technology fairly problematic.

V. The Role of the System Operator

Perhaps the most controversial area in the emerging publicpolicy debate is the role of the system operator. It is withthis issue that the traditional concepts of First Amendment andPrivacy come into conflict. Both the New Jersey Case and theTribble bill raise the issue of the responsibility of the systemoperator. Under both situations, the system operator is beingheld responsible for the work of others.

One can make a strong argument that the system operator hasinvited the participation of others and is thus responsible fortheir actions. Many times, the participants on a system areanonymous or use code names. It would not be just to say thatnobody should bear the consequences of illegal acts. Since thesystem operator is readily identifiable and has undertaken theresponsibility, so the argument goes, they should be held liable

11


for any violations of the law.

The other side of the argument, rais~d by almost all systemoperators is that it is technically impossible to monitor thecontents of every communication on the system. Even a smallbulletin board may have hundreds of messages per day. Monitoringeach and every message would destroy the utility of the bulletinboard as a means of communication. In the case of electronicmail, the argument is even stronger. Mail is intended to be readonly by the designated recipients. It can be argued that therecipients and senders to have an expectation of privacy, even ifit is not a legally-based expectation.

It seems more useful to look at the responsibility of thesystem operator in different contexts rather than try and arriveat a blanket rule. It is clear that if the system operatordirectly helps break the law, i.e. by actively encouragingillegal behavior, there would be some direct liability.

A much more difficult question is the liability of theoperator for the acts of others. In a traditional analysis, thepUblisher of a bulletin board or newsletter is held liable forthe contents of a defamatory message. In Fogg v. Boston & LRCo., 148 Mass. 513, 20 NE 109 (1889), a defendant railroad washeld liable for the acts of one of its employees in posting adefamatory message on a train station bulletin board. In thecase of a newspaper, a publisher was held liable even though hewas away on vacation when the message was published. WorldPublishing Co. v. Minahan, 173 P. 815 (Sup. ct. Oklas. 1918).

On the other hand, telephone companies have not generallybeen held to publishers of defamatory material if their equipmentis used. Because the telephone company did not participatedirectly in the communication of the message, they have been heldnot to be liable. Anderson v. New York Telephone Co., 35 NY2d746, 361 NYS2d 913 (1974). A similar result has been found inthe context of a radio station where the station was madeextemporaneously and the station was not able to prevent itsdissemination. Summit Hotel Co. V. National Broadcasting Co.,336 PA 182, 8 A.2d 302 (1939).

12


VI. Conclusion

After the passage of the Communications Act of 1934,problems could be button-holed by looking at the underlyingtechnology. Messages carried by mail or by telephone had anexpectation of privacy and were not considered to be pUblic.Conversely, if the message traveled the air waves, there was aper se determination that this was pUblic and did not deserveprivacy protection~ Remote computing 'services combine bothpublic and privacy aspects within one technological medium.

Likewise, the liability of the system operator is anotherexample of the merging of previously separate technologies.Under the "privacy" branch, the telephone company was notresponsible for the acts of others. Under the "publication"branch, a radio station was responsible for pUblishinginformation that was not true. Both pUblication and privatemessages take place on remote computing systems. Which standardshould apply, that of the common carrier or of the pUblishinghouse?

Continuing to rely on analogies to other technologies willonly serve to confuse matters. The Electronic CommunicationsPrivacy Act attempts to solve the problem by defining'communications independently of any of the specific technologies.That approach will serve to make a more robust law an~ topreserve the fundamental values meant to be addressed by thelegislation. The merging of pUblic and private speech may alsoserve to provide a technology-independent definition of speechfor First Amendment purposes.

13

to: jerry berman, subj

Documents