gnu@hoptoad.uucp (John Gilmore) (08/18/86)
Many people probably missed lll-crg!well!tenney's offer to email a copy of the Electronic Communications Privacy Act. Listen up! This is no joke! It appears to put legal liability on Usenet hosts which forward mail or news for other hosts, and could alter or destroy the current structure of Usenet (and/or Stargate). It was written by people who DON'T UNDERSTAND EMAIL and networking, and was lobbied for by the commercial email companies (telemail, compuserve, etc). Read <1632@well.UUCP> (vnews/readnews users type 'p'). Post discussion to net.mail (keep it out of the other groups). This bill, S.2575, is now pending in the Senate Judiciary Committee. It purports to extend constitutional protection against unreasonable search to electronic storage. However, it also does many other things. It loosens the existing wiretap authorization laws and also allows wiretaps and "tracking devices" (bugs) to be placed on people for up to 48 hours without a court order. It also makes it illegal to tune in cellular phone calls on your TV (channels 80-83). And it makes you legally responsible for the carriage of email unless you run a "public access" system. Note that the current version of the bill (introduced last week with no debate) may be better or worse than the above; my copy has not arrived yet. To get an up to date, official copy of the bill, contact the staff below. If you object to it, tell them why, and tell them that you want action on the bill delayed for further review (e.g. until your views can be heard in written comments). Tell your home state Senators and Congressmen the same thing. Congressional staff: Ann Harkin, John Podesta 202 224 4242 Steve Metalitz, Ken Mannella 202 224 5617 Judiciary Committee 202 224 5225 ACLU: Jerry Berman, technology/privacy 202 544 1681 Hit them now on it, before they get back to session and try to pass it! -- John Gilmore {sun,ptsfa,lll-crg,ihnp4}!hoptoad!gnu jgilmore@lll-crg.arpa May the Source be with you!
werner@utastro.UUCP (Werner Uhrig) (08/19/86)
In article <1013@hoptoad.uucp>, gnu@hoptoad.uucp (John Gilmore) writes:
X> Many people probably missed lll-crg!well!tenney's offer to email a copy of
X> the Electronic Communications Privacy Act.
X>
X> Listen up! This is no joke!
X>
X> It appears to put legal liability on Usenet hosts which forward mail or
X> news for other hosts, and could alter or destroy the current structure
X> of Usenet (and/or Stargate). It was written by people who DON'T UNDERSTAND
X> EMAIL and networking, and was lobbied for by the commercial email companies
X> (telemail, compuserve, etc).
X>
X> This bill, S.2575, is now pending in the Senate Judiciary Committee. It
X> purports to extend constitutional protection against unreasonable
X> search to electronic storage. However, it also does many other
X> things. It loosens the existing wiretap authorization laws and also
X> allows wiretaps and "tracking devices" (bugs) to be placed on people
X> for up to 48 hours without a court order. It also makes it illegal to
X> tune in cellular phone calls on your TV (channels 80-83). And it makes
X> you legally responsible for the carriage of email unless you run a "public
X> access" system.
X>
X> To get an up to date, official copy of the bill, .....
X> If you object to it, tell them why, and tell them that you want [a delay]
X>
from what I read here, this should also be of interest to ARPA and CSNET sites,
as well as FIDONET, MAILNET, etc., etc. ... In other words, I suggest maximum
distribution of this message to anyone even remotely interested in computer
communications. I'll take it on me to forward this message to all ARPA-sites,
as well as the the actual text of the Electronic Communications Privacy Act
if I can find it online somewhere.
I have not read the Act (yet) and do not have an opinion on it as yet, so all
I am speaking up for at this point is:
LET's CALL THIS TO EVERYONE's ATTENTION
*BEFORE* THE MATTER IS CAST INTO CONCRETE!!!
---Werner "democracy is a matter of knowing when and where to cast your vote"
gnu@hoptoad.uucp (John Gilmore) (08/20/86)
I have put a copy of S.2575, the Electronic Communications "Privacy" Act, on lll-crg.arpa in the file pub/s.2575, which is available for public anonymous ftp. It's 68K of ASCII text. You can't get it this way unless you're on the Arpanet. Uucp folks send mail to {lll-crg,ptsfa,hplabs,hoptoad}!well!tenney (Glenn Tenney) to get a copy. If there is a consensus in favor, I'm willing to post the bill to net.mail or net.sources. MAIL votes to me on this, at {ihnp4, ptsfa,sun,utzoo,cbosgd}!hoptoad!gnu. Be quick -- there's not much time. If it's likely that you won't see the bill for a few days, I suggest calling your Senator's staff now, asking for an official copy, and telling the staff that you are "concerned" about the bill and want action delayed on it for further study. This may keep them from voting on it as soon as they get back from recess, if enough people call. Here's a note I added to the online copy of the bill: [Note added by John Gilmore, hoptoad!gnu or jgilmore@lll-crg.arpa: This version is not under consideration any more; it was replaced on 12Aug by a text that nobody to my knowledge has seen, then the Patents, Trademarks and Copyrights subcommittee voted the new text up to the full Senate Judiciary Committee. I am working to get a copy of the current draft and will let people know when I have one online. I have spoken with Judiciary staffer Cindy Blackburn at 202-224-8059 and she says there will be no public hearings where we could testify; we just have to write, call, telegram, and otherwise buttonhole the congressmen on this. I suggest that you definitely call YOUR senators, in case it gets to the full Senate, and in addition, contact one or more (draw at random so we don't all get the same ones) of the Judiciary Committee senators: Thurmond (chairman), Mathias, Laxalt, Hatch, Simpson, Broyhill, Grassley, Denton, Spector, McConnell, Biden, Kennedy, Byrd, Metzenbaum, Deconcini, Leahy (sponsor of the bill), Heflin, and Simon. Please cover as many bases as you can -- time is short and our only chance is to let these guys know they're making a mistake, with our network on the line. Letters and telegrams can be sent to: Senator ______, US Senate, Washington, DC, 20510. Contact directory assistance at 202 555 1212 for phone numbers. Wouldn't it be nice if these guys were on the net?] -- John Gilmore {sun,ptsfa,lll-crg,ihnp4}!hoptoad!gnu jgilmore@lll-crg.arpa May the Source be with you!
desj@brahms.BERKELEY.EDU (David desJardins) (08/20/86)
In article <1013@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes: >Many people probably missed lll-crg!well!tenney's offer to email a copy of >the Electronic Communications Privacy Act. > >It appears to put legal liability on Usenet hosts which forward mail or >news for other hosts, and could alter or destroy the current structure >of Usenet (and/or Stargate). > >This bill, S.2575 [...] makes you legally responsible for the carriage >of email unless you run a "public access" system. I'd just like to interject my own observations here. I strongly agree with John's suggestion that you read the bill for yourself (many thanks to him for making it available, at least to those of us with ARPA access). It is in fact very easy to read. Unfortunately, I can't find anything in it to substantiate John's claims above. The first claim (that it "puts legal liability on Usenet hosts") is very imprecise, which of course makes it hard to refute, but in my reading of the text I could find nothing that seems to me likely to affect the normal operation of any Usenet host. The word "liability" does not appear in the text. The second claim, that you are "legally responsible for the carriage of email unless you run a 'public access' system" is also unclear -- is this supposed to mean liable to the sender for its delivery, or liable for things like libel and copyright violation, or liable to someone else for something else altogether? In any case I could find nothing to this effect in the bill, and the words "public access" also do not appear. Let me make clear that I am not denying John's claims. I am simply stating that I could not see how they were justified by the text of the bill. It is not impossible that either I overlooked a major provision, or that the claims above are implied rather than explicitly stated (for example, if by amending the previous law Usenet hosts are to be subjected to existing law from which they were previously exempt). Perhaps John or one of the other people who have posted about this act can explain how the claims above are derived from the text of the act. Quotes from the bill itself, or at least references to speicfic sections, would help us resolve exactly what it is that the bill would do. Frankly, while I understand that time is somewhat short, I think it is important that we should be clear on the exact implications of the bill before we jump off into mass letter-writing and phone calls. Both because it is possible that the impact of the bill has been exaggerated, and because a careful examination of the bill, if it upholds the claims that have been made, would certainly encourage many more people to protest to their elected representatives (myself, for one). -- David desJardins
dudek@endor.harvard.edu (Glen Dudek) (08/20/86)
I am not a lawyer, but after wading through the pertinent sections of S.2575 (my thanks to Glenn Tenney and John Gilmore for making this bill known and available), I am not overly concerned. It seems to be primarily concerned with protecting the privacy of electronic messages, and establishing the guidelines under which such electronic messages can be divulged or obtained by legal investigation. This is the primary section on privacy and disclosure: "(3)(A) Except as provided in subparagraph (B) of this paragraph, a person or entity providing an electronic communication service to the public shall not willfully divulge the contents of any communication (other than one to such person or entity, or an agent thereof) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intended recipient. "(B) A person or entity providing electronic communication service to the public may divulge the contents of any such communication-- "(i) as otherwise authorized in section 2511(2)(a) or 2517 of this title; "(ii) with the lawful consent of the originator or any addressee or intended recipient of such communication; "(iii) to a person employed or authorized, or whose facilities are used, to forward such communication to its destination; or "(iv) which were inadvertently obtained by the service provider and which appear to pertain to the commission of a crime, if such divulgence is made to a law enforcement agency.". These do not seem to be unreasonable restrictions. So, what is hiding between the lines of the legal mumbo-jumbo that I am missing? Please reference the appropriate sections so I can try to make sense of it again. Glen Dudek postmaster@harvard.harvard.edu
desj@brahms.BERKELEY.EDU (David desJardins) (08/20/86)
In article <189@husc6.HARVARD.EDU> dudek@harvard.UUCP (Glen Dudek) writes: > This is the primary section on privacy and disclosure: > > "(3)(A) Except as provided in subparagraph (B) of this > paragraph, a person or entity providing an electronic communication > service to the public shall not willfully divulge the contents of any > communication (other than one to such person or entity, or an agent > thereof) while in transmission on that service to any person or entity > other than an addressee or intended recipient of such communication or > an agent of such addressee or intended recipient. > > "(B) A person or entity providing electronic communication > service to the public may divulge the contents of any such > communication-- > > "(ii) with the lawful consent of the originator or any > addressee or intended recipient of such communication; If *this* is what worries you, there is a very simple solution. Have your mail feeds (the originators of mail through your machine) sign consent forms stating their understanding that complete non- disclosure of Usenet mail is not guaranteed. Presto, "lawful consent"! I find it hard to believe that this provision is what is stirring up all the fuss. -- David desJardins
dmm@calmasd.CALMA.UUCP (David MacMillan) (08/21/86)
>the Electronic Communications Privacy Act. > >This bill, S.2575, is now pending in the Senate Judiciary Committee. It net.ham-radio people have noted for some time that this bill severely limits the freedom to receive radio-borne information in a manner quite at odds with tradition. "Orwellian" would be the kindest term I can think of. Anyway, does anyone know if it would be possible to suggest to, say, the "60 minutes" people that they (quickly) do a segment on S.2575? They would be the ones who could show the "average" (i.e. non-computer, non-radio) person that his/her right to receive information is being limited in a dangerous, precedent setting way. It's not a long step to overt censorship. The L.A. Times, N.Y. Times, and San Jose Mercury-News might be other good avenues, as might the NPR news programs. David M. MacMillan, KB6MPN "If feather-dusters are - UCSD [Lit] (ex-UCSC/Crown) made of feathers, what are - Calma/GE [Info-Sci] (ex IBM) crop-dusters made of?" - UCSD Soaring Club - LM, 'cellist - SSA, USHGA, ARRL (work) (619) 587-3099 (home) (619) 452-7761
devine@vianet.UUCP (Bob Devine) (08/22/86)
> This Bill, S.2757, the "Electronic Communications Privacy Act", > appears to put legal liability on Usenet hosts which forward mail or > news for other hosts, and could alter or destroy the current structure > of Usenet (and/or Stargate). It was written by people who DON'T UNDERSTAND > EMAIL and networking, and was lobbied for by the commercial email companies There is still time for getting your message to the senators. The hearing for Rehquist's nomination at Chief Justice has delayed the full Judiciary committee hearing on the subcommittee report until mid-September (whenever the congressional recess is over). It is expected to be passed by Judiciary but probably won't clear the full Senate, conference committee and get the President's signature this year because of time constraints. However, stranger things have happened, so don't delay! Note that this bill will be one of the first for action when the Senate reconvenes. Bob Devine [this information came from the Aug. 18th edition of MISweek]
bogstad@brl-smoke.ARPA (William Bogstad ) (08/22/86)
[Note: All of my comments are based on S.2575 dated June 19 (legislative day 16), 1986. I do not yet have the newest version of the bill. My statements are based on my understanding of the bill. I do not have any legal training and would welcome corrections (if any are needed) from those with more accurate information.] Well, first some general information. If you have gotten a copy of bill S.2575 you may want to compare it to the previous law. This can be found in the U.S. Code Title 18. Most large public libraries probably have a bound copy of the entire U.S. Code. (about 20? volumes) The last complete edition I know of was 1982. The last supplement (III) is from Jan. 20, 1986. I had to copy a total of 12 pages to get the whole thing. It dealt with "wire", "oral", and telegraph-like communications. Wire and oral communications are essentially phone and face-to-face conversations. In article <189@husc6.HARVARD.EDU> dudek@harvard.UUCP (Glen Dudek) writes: > >I am not a lawyer, but after wading through the pertinent sections of >S.2575 ... I am not overly concerned. It seems to be >primarily concerned with protecting the privacy of electronic messages, >and establishing the guidelines under which such electronic messages >can be divulged or obtained by legal investigation. Yes, it does finally address the subject of electronic messages. However, the bill changes some things for other forms of communication. In particular, it explicitly excludes cordless telephone conversations from protection. See the change in definition of "wire communication" in Sec. 101. (a) (1) (D) (of S.2575) by inserting before the semicolon at the end the following: "or communications affecting interstate or foreign commerce, but such term does not include the radio portion of a cordless telephone communication that is transmitted between the cordless telephone handset and the base unit". I think this is a very bad inconsistency. In particular, because other radio transmitted telephone conversations are protected - (cellular and older mobile phones). The claim is that it is too easy to tap cordless telephone conversations. Well, this is true, but from conversations with people who I believe to be knowledgeable in that area, I believe it is just as easy to tap these other forms. In my opinion, a better law would be to protect scrambled/encrypted conversations on the radio waves and leave unprotected messages legally unprotected. This might encourage the vendors to provide systems with real security and would put the law more in step with the protection you can expect to actually have if someone tries to break the law anyway. This would also avoid the problem with accidently picking up a conversation, i.e. tuning your amateur radio across the bands and happen to cross the frequencies used for phone transmissions. I believe this accidental reception would be illegal. With an encrypted signal, this problem is avoided. One other thing of interest is the fact that the penalties for listening to cellular conversations are lower then for other transmission media. It makes you kind of wonder if the penalties were based on the cost of the equipment involved. (cordless < cellular < mobile) >This is the >primary section on privacy and disclosure: > > "(3)(A) Except as provided in subparagraph (B) of this > paragraph, a person or entity providing an electronic communication > service to the public shall not willfully divulge the contents of any > communication (other than one to such person or entity, or an agent > thereof) while in transmission on that service to any person or entity > other than an addressee or intended recipient of such communication or > an agent of such addressee or intended recipient. > > "(B) A person or entity providing electronic communication > service to the public may divulge the contents of any such > communication-- > > "(iii) to a person employed or authorized, or whose > facilities are used, to forward such communication to its destination; > or Note: This makes it legal to read the messages in your mail spool directory if you administer the system. > > "(iv) which were inadvertently obtained by the service > provider and which appear to pertain to the commission of a crime, if > such divulgence is made to a law enforcement agency.". Why this exception? Yes, we all want to stop crime, but I can't find a similar statement for phone conversations. There are mentions of service personnel monitoring transmission for quality control, but I don't think this allows them to divulge the contents of those conversations without a court order. Why can't e-mail get the same legal protection. That's it for now, but I haven't finished going through the bill yet. I'm also interested in the amendments to the bill which were made suddenly (and apparently without discussion). Bill Bogstad bogstad@hopkins-eecs-bravo.arpa bogstad@brl-smoke.arpa
tenney@well.UUCP (Glenn S. Tenney) (08/22/86)
In article <189@husc6.HARVARD.EDU> dudek@harvard.UUCP (Glen Dudek) writes: > >I am not a lawyer, but after wading through the pertinent sections of >S.2575 ... , I am not overly concerned. >... > > "(B) A person or entity providing electronic communication > service to the public may divulge the contents of any such > communication-- >... > "(iv) which were inadvertently obtained by the service > provider and which appear to pertain to the commission of a crime, if > such divulgence is made to a law enforcement agency.". > >These do not seem to be unreasonable restrictions. So, what is hiding >between the lines of the legal mumbo-jumbo that I am missing? Please >reference the appropriate sections so I can try to make sense of it again. > > Glen Dudek > postmaster@harvard.harvard.edu That last paragraph means (in my opinion, also of a non-lawyer) that if you INADVERTENTLY peek at some mail passing through your node of the net AND it appears to pertain to a crime THEN you can feel free to divulge otherwise PRIVATE MAIL! Lets see you do that with US Snail: I'm the mailroom clerk and happen to open your letter and ... ((that is just one of the problems)) -- Glenn Tenney UUCP: {hplabs,glacier,lll-crg,ihnp4!ptsfa}!well!tenney ARPA: well!tenney@LLL-CRG.ARPA Delphi and MCI Mail: TENNEY As Alphonso Bodoya would say... (tnx boulton) Disclaimers? DISCLAIMERS!? I don' gotta show you no stinking DISCLAIMERS!
gnu@hoptoad.uucp (John Gilmore) (08/22/86)
You can't tell the players without a key. ">>" is me, John Gilmore; ">" is David desJardins (desj@brahms.BERKELEY.EDU). Text direct from the bill is indented 8 spaces. Left margin is me commenting. Indented paragraphs are me paraphrasing the bill. Please don't anybody quote more than 10 lines of this or we'll never figure it out. >>It appears to put legal liability on Usenet hosts which forward mail or >>news for other hosts, and could alter or destroy the current structure >>of Usenet (and/or Stargate). >>This bill, S.2575 [...] makes you legally responsible for the carriage >>of email unless you run a "public access" system. >Unfortunately, I can't find anything in it to substantiate John's claims >above... By "puts legal liability on" I meant "makes subject to suit or prosecution". > The second claim, that you are "legally responsible for the carriage of >email unless you run a 'public access' system" is also unclear... I meant "responsible to the sender for disclosing it to third parties": "(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person-- "(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public; "CHAPTER 121 -- STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS "Section 2702. Disclosure of contents "(a) PROHIBITIONS.-- Except as provided in subsection (b)-- "(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; "Section 2707. Civil action "(a) CAUSE OF ACTION. -- Any provider of electronic communications service, subscriber, or customer aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity which engaged in that violation such relief as may be appropriate. This requires that a Usenet host carrying email not send the message to anyone other than the recipient(s). While some waffling could be done around the word "knowingly", I'd hate to hang my defense on it. I've seen enough email go astray in the uucp network to wonder if I should be carrying other peoples' email after this bill passes. You might be able to maintain that software bugs which cause mail to be divulged to third parties do not cause "knowing" divulgence, but after a history of such bugs and divulgences is shown over time, a case could be made. I think it should be possible to set up and run an unreliable email service in the US, with the customers knowing full well that it is unreliable. (By "unreliable" I mean that not only might the message not get there, it might go somewhere else.) The bill removes this choice, which seems to be the choice we in the Usenet have currently made. -- The sections on "governmental access" require careful reading. Here's what I get from the bill, paraphrased: They need a warrant to get email less than 180 days old out of an "electronic communications system". They need only a subpoena or court order to get email older than 180 days from anywhere. They need only a subpoena or court order to get anything from a "remote computing service", no matter what its age. Unix machines used by end-users would mostly be classed as remote computing services, though machines that just forwarded mail might be considered electronic communications systems. This means that once a message is in /usr/spool/mail/$USER or your mbox, it can be gotten without a warrant. Warrants are much harder to get then subpoenas or court orders. The Constitution spells out the requirements for a warrant, and it requires an exact description of what they are searching for. All of this is available to the state (and maybe local) governments, as well as the Feds. Access to your data with a warrant: does not notify you. Access to your data with a court order or subpoena, which notifies you: causes them to make a backup copy, then tell you they want the data, and give you 14 days to protest. If you don't protest, or if your protest loses in court, the computer center turns over the backup to the government. It is not possible to appeal this protest to a higher court. Access to your data with a court order or subpoena, which does not notify you: can be done by having a medium high bureaucrat, defined below, certify that notifying you might have an "adverse result", defined below. You will find out 90 days later, but you don't get to block it, since your 14 day period expired while you didn't know they were asking for the data. "Section 2705. Delayed notice "(a) DELAY OF NOTIFICATION.-- "(2) An adverse result for the purposes of paragraph (1) of this subsection is--- "(A) endangering the life or physical safety of an individual; "(B) flight from prosecution; "(C) destruction of or tampering with evidence; "(D) intimidation of potential witnesses; or "(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. "(6) As used in this subsection, the term 'supervisory official' means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency's headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney's headquarters or regional office. I find this to be a little loose. I think all files less than 180 days old should require a warrant, no matter where they happen to be sitting. I don't see why the government would ever choose to tell you it was after your data, since getting a signature that your finding out would "unduly delay a trial" should be pretty trivial; for example, you might protest or hire a lawyer, and that would delay them. I think that if they can't get a warrant, but choose to not notify you, they should not be given the data until you have been notified and had a chance to protest. I also think that the bill should provide a clear definition of the difference between a remote computing service and an electronic communications system -- which the FCC has been trying to do for a long time, and failing -- or should treat the two the same. -- John Gilmore {sun,ptsfa,lll-crg,ihnp4}!hoptoad!gnu jgilmore@lll-crg.arpa May the Source be with you!
desj@brahms.BERKELEY.EDU (David desJardins) (08/23/86)
In article <1032@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes: > > "CHAPTER 121 -- STORED WIRE AND ELECTRONIC COMMUNICATIONS AND > TRANSACTIONAL RECORDS ACCESS > > "Section 2702. Disclosure of contents > "(a) PROHIBITIONS.-- Except as provided in subsection (b)-- > "(1) a person or entity providing an electronic > communication service to the public shall not knowingly divulge to any > person or entity the contents of a communication while in electronic > storage by that service; > >I think it should be possible to set up and run an unreliable email >service in the US, with the customers knowing full well that it is >unreliable. (By "unreliable" I mean that not only might the message >not get there, it might go somewhere else.) The bill removes this >choice, which seems to be the choice we in the Usenet have currently >made. It's too bad you didn't quote a little further. But I suppose you have to be selective when you are trying to make a point that is not borne out by the actual text. "(b) EXCEPTIONS.-- A person or entity may divulge the contents of a communication-- "(3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service; This seems to indicate quite clearly that the originator can give consent for the contents of his message to be disclosed. For an individual Usenet host, the "originator" and "addressee" are either users on that machine or other Usenet hosts (or possibly machines on other nets). So all you need is a release from your mail feeds, stating that they give their "lawful consent" for the unintentional disclosure of the contents of their communi- cations. -- David desJardins
desj@brahms.BERKELEY.EDU (David desJardins) (08/23/86)
In article <1665@well.UUCP> tenney@well.UUCP (Glenn S. Tenney) writes: >> "(B) A person or entity providing electronic communication >> service to the public may divulge the contents of any such >> communication-- >> "(iv) which were inadvertently obtained by the service >> provider and which appear to pertain to the commission of a crime, if >> such divulgence is made to a law enforcement agency.". > >That last paragraph means (in my opinion, also of a non-lawyer) that >if you INADVERTENTLY peek at some mail passing through your node of >the net AND it appears to pertain to a crime THEN you can feel free >to divulge otherwise PRIVATE MAIL! Lets see you do that with US Snail: >I'm the mailroom clerk and happen to open your letter and ... As a matter of fact this is *exactly* the provision that does currently apply to the US Mail -- I think it has been copied verbatim into this new context. But what I find strange is that this disclosure is certainly legal under existing law -- right now there are essentially no restrictions. So, while half of the net is screaming that S 2575 is *too* restrictive, you are arguing for *more* restrictions. Just another sign that there is far from total agreement on the net about the various provisions of this bill. -- David desJardins
mc68020@gilbbs.UUCP (Thomas J Keller) (08/23/86)
In article <15389@ucbvax.BERKELEY.EDU>, desj@brahms.BERKELEY.EDU (David desJardins) writes: > In article <1032@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes: > > > > "CHAPTER 121 -- STORED WIRE AND ELECTRONIC COMMUNICATIONS AND > > TRANSACTIONAL RECORDS ACCESS > > > > "Section 2702. Disclosure of contents > > "(a) PROHIBITIONS.-- Except as provided in subsection (b)-- > > "(1) a person or entity providing an electronic > > communication service to the public shall not knowingly divulge to any > > person or entity the contents of a communication while in electronic > > storage by that service; > > > > "(b) EXCEPTIONS.-- A person or entity may divulge the > contents of a communication-- > "(3) with the lawful consent of the originator or an > addressee or intended recipient of such communication, or the > subscriber in the case of remote computing service; > > This seems to indicate quite clearly that the originator can give consent > for the contents of his message to be disclosed. For an individual Usenet > host, the "originator" and "addressee" are either users on that machine or > other Usenet hosts (or possibly machines on other nets). So all you need > is a release from your mail feeds, stating that they give their "lawful > consent" for the unintentional disclosure of the contents of their communi- > cations. To begin with, Mr. Gilmore complains about a law which proposes to make it illegal for the operator of an electronic communication service to knowingly divulge the contents of any communication while in storage on their machine. Why? We all know that Mr. Gilmore has little respect for the privacy of mail which is routed through his machine (which is why I try to route my mail around hoptoad whenever possible). It would seem that Mr. Gilmore wishes to have the right (without threat of prosecution) to now divulge the contents of messages routed through his machine. While there are aspects of this bill I don't especially care for, and I have written a letter to my congresscritters about it, I think that in this instance, at least, Mr. Gilmore is off base. Mr. DesJardins then confuses the system adminstrators of mail feed sites with "originators" and "addressees". I beg to differ. As *I* read the text of the bill, only **I** may authorize the intentional divulging on the content of messages I send. A release from any mail feed site would have no legal standing in such a question. Both gentlemen seem to have missed the fact that the language specifies "intentional" or "knowingly" divulgin the contents of messages. If some flaw of the software or hardware, or an error on the part of a sender results in the contents of a message being *inadvertantly* (or "unkonwingly") divulged to someone other than the addressee, there is no violation involved. This bill is a mess, it attempts to cover too many things with language that is inadequate, and is clearly designed by persons having little or no knowledge of the technical realities of electronic communications. On this basis alone, we should all write to the appropriate legislators and bodies, expressing displeasure with the bill. -- Disclaimer: Disclaimer? DISCLAIMER!? I don't need no stinking DISCLAIMER!!! tom keller "She's alive, ALIVE!" {ihnp4, dual}!ptsfa!gilbbs!mc68020 (* we may not be big, but we're small! *)
desj@brahms.BERKELEY.EDU (David desJardins) (08/24/86)
In article <877@gilbbs.UUCP> mc68020@gilbbs.UUCP (Thomas J Keller) writes: > Mr. DesJardins then confuses the system adminstrators of mail feed sites >with "originators" and "addressees". I beg to differ. As *I* read the text >of the bill, only **I** may authorize the intentional divulging on the >content of messages I send. A release from any mail feed site would have no >legal standing in such a question. I would say instead that Mr. Keller fundamentally misunderstands the operation of Usenet mail. There expressly is *not* a "Usenet" organization which provides for the delivery of mail from one user to another. Rather, Usenet is composed of a number of *distinct entities*, each of which has taken on a very limited role: that of receiving mail from one machine foo, examining the message, noting that the addressee is "bar!(random stuff)," and forwarding the message to machine bar. I see no moral or legal reason why any Usenet site should have any responsibility whatsoever to the individual who happened to originate the text of a particular message at a site with which they have no interaction whatsoever, under either existing or proposed law. A site's only responsibility is and should be to the sites to which it sends and from which it receives. -- David desJardins
tenney@well.UUCP (Glenn S. Tenney) (08/25/86)
In article <3230@brl-smoke.ARPA> bogstad@brl.arpa (William Bogstad (JHU|mike) <bogstad>) writes: > ... >> "(3)(A) Except as provided in subparagraph (B) of this >> paragraph, a person or entity providing an electronic communication >> service to the public shall not willfully divulge the contents of any >> communication (other than one to such person or entity, or an agent >> thereof) while in transmission on that service to any person or entity >> other than an addressee or intended recipient of such communication or >> an agent of such addressee or intended recipient. >> >> "(B) A person or entity providing electronic communication >> service to the public may divulge the contents of any such >> communication-- >> ... >> "(iv) which were inadvertently obtained by the service >> provider and which appear to pertain to the commission of a crime, if >> such divulgence is made to a law enforcement agency.". > > Why this exception? Yes, we all want to stop crime, but I >can't find a similar statement for phone conversations. There are >mentions of service personnel monitoring transmission for quality >control, but I don't think this allows them to divulge the contents of >those conversations without a court order. Why can't e-mail get the >same legal protection. > > Bill Bogstad " 'electronic communication' menas any transfer of signs, signals, writing, images, sounds, data, or intelligence of ANY NATURE transmitted in whole or in part by a WIRE, RADIO, ELECTROMAGNETIC, PHOTOELECTRONIC or PHOTOOPTICAL system ... , but does not include ... B) any WIRE or ORAL communication ... " Well, to me the above is at best ambiguous, since in one case they include wire communications then exclude the same ones. I therefore don't know, but one could say that telephone conversations MIGHT be included as 'electronic communication', especially if digitized. Of course, records, tapes and movies ARE included. Hmm, depending on what is photo- optical, this might even include any letter that CAN be read by a photo- optic reader (since the letter would be a PART of the optical recognition system). On second thought, every check I write is the data part of a photooptic system, so all my checks would be considered ... The essence here is that this is LUDICROUS, but I believe the wording says that! -- Glenn Tenney
sewilco@mecc.UUCP (Scot E. Wilcoxon) (08/26/86)
In article <15406@ucbvax.BERKELEY.EDU> desj@brahms.UUCP (David desJardins) writes: >In article <877@gilbbs.UUCP> mc68020@gilbbs.UUCP (Thomas J Keller) writes: >> Mr. DesJardins then confuses the system adminstrators of mail feed sites >>with "originators" and "addressees". I beg to differ. As *I* read the text >>of the bill, only **I** may authorize the intentional divulging on the >>content of messages I send. A release from any mail feed site would have no >>legal standing in such a question. >... >examining the message, noting that the addressee is "bar!(random stuff)," >and forwarding the message to machine bar. I see no moral or legal reason >why any Usenet site should have any responsibility whatsoever to the >individual who happened to originate the text of a particular message at >a site with which they have no interaction whatsoever, under either existing >or proposed law. A site's only responsibility is and should be to the sites >to which it sends and from which it receives. That's the way the June 19 (16) 1986 version seems: the bill assumes there is ONE SENDER, ONE RECEIVER, and INTERMEDIARIES. I didn't see definitions of sender/receiver/intermediary, but I imagine they're in the original sections of the code. In the case of UUCP MAIL, there may be many intermediaries. Each site only "knows" its neighbors (let's deal with anonymous uucp/ftp in a minute), so each site doesn't know nor care who the message sender/receivers are. Now what if a site has anonymous logins or daemons which can send/receive mail? (Public 'phone booth'?) It seems the sites being used by the sender/receivers don't need to confirm identity (anonymous access): "(h) It shall not be unlawful under this chapter-- ... "(ii) for a provider of electronic communication service to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire or electronic communication, or a user of that service, from fraudulent, unlawful or abusive use of such service; or ..." (page 4 of my listing.. Section 211(2) of title 18, USC) The above allows each site to keep records, but does not require it. In the case of USENET news articles, Section 211(2) of title 18, USC, is amended to allow "(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public; ..." The above allows whatever kind of USENET rebroadcasting is needed. USENET news are intended for access by anyone with the right kind of equipment (and good attempts at widening that base are obvious in the source). The above seems to allow any USENET site to send USENET news to anyone else. So what's the fuss? What new things is this law requiring of USENET and UUCP MAIL sites? It seems uucp can continue to lose mail. On the other hand, if any cracker reads or messes up a site's mail the law creates (section 2701) Federal penalties! -- Scot E. Wilcoxon Minn Ed Comp Corp {quest,dicome,meccts}!mecc!sewilco 45 03 N 93 08 W (612)481-3507 {{caip!meccts},ihnp4,philabs}!mecc!sewilco Laws are society's common sense, recorded for the stupid. The alert question everything anyway.
bogstad@brl-smoke.ARPA (William Bogstad ) (08/26/86)
In article <15406@ucbvax.BERKELEY.EDU> desj@brahms.UUCP (David desJardins) writes: >In article <877@gilbbs.UUCP> mc68020@gilbbs.UUCP (Thomas J Keller) writes: [edited] >and forwarding the message to machine bar. I see no moral or legal reason >why any Usenet site should have any responsibility whatsoever to the >individual who happened to originate the text of a particular message at >a site with which they have no interaction whatsoever, under either existing >or proposed law. A site's only responsibility is and should be to the sites >to which it sends and from which it receives. I don't know what the current legal responsibilities are on USENET (i.e. uucp mail), and I am not sure what they will be if the suggested legislation is enacted. However, I do think that there are some moral responsiblities. If you as a site administrator want to discard any mail that is not directly addressed to people on your site or based on any other criteria, I would have to accept that as being your moral right. Uucp mail has always been based on a system where service is provided in whatever quality and quantity the site felt it could provide. I am not aware of anyone being required to provide a certain level of service in order to become a member of USENET. Hopefully, your uucp map entry accurately describes the service you will attempt to provide so that others do not depend on you based on faulty information. I do think, however, that you have a moral responsibility to keep other people's mail private. Discard it if you must, but please don't publish it. [A similiar discussion on reading other's mail occurred just a short time ago here and in net.news, so maybe we should just let this subtopic go and make sure that the "correct" legal responsibilities are enacted. "Correct", of course, not having yet been determined and unless you get involved might not turn out the way you think it should, i.e. you may become responsible for uucp mail's delivery.] Bill Bogstad bogstad@hopkins-eecs-bravo.arpa bogstad@brl-smoke.arpa
root@topaz.RUTGERS.EDU (Charles Hedrick) (08/26/86)
One of the interesting issues is how the proposed changes would affect mail within our campus. Currently we have what I regard as a reasonable privacy policy. Users' files will not be divulged to anyone else unless there is a good reason for doing so. However good reasons can include University proceedings, and investigations by the system administrators involving resource usage or system security. I am hoping that nothing in the law will require me to get a court order to look at mail files on my own system, should I have a good reason for doing so. (Note that this is not something that I do under normal circumstances. But if I have probable cause to think that a user is doing something damaging, and that looking at their mail file will show it, I do not want to have to go to the police in order to proceed with an investigation. It should be possible to authorize this by an internal administrative proceeding of some sort. In general we try to avoid bringing down even the campus police on our students, except in really extreme cases.) It is not clear to me exactly what is protected. Most people seem to think that mail in transit through my site is protected. But once mail gets into the user's files, is it still protected? I am hoping that it is not. Otherwise we will have to have special flags in each byte to indicate whether the byte arrived via computer mail or not. It is also not clear to me that everything that is called electronic mail really is, according to the law. The law clearly has in view third parties providing a service to the public. Presumably it should still be possible for a company to route its memos among its staff electronically, without suddenly finding that it can't look at its own memos if the right person doesn't happen to be around to authorize it. I suspect that our lawyers will take the position that we are not providing general electronic mail service to our students. Rather, we are providing simplified ways for them to receive and turn in assignments, etc. I.e. they are using our computer only for what is broadly considered University business. They are not end users in the same sense as a user of a public timesharing system. If the term "public" turns out to have a crucial role, as I suspect it will, we are likely to find ourselves in the same situation as with our campus roads. Once a year we close all of our roads, just to prove to people that these are strictly internal University resources, and not a public road. I think we may want to take the view that we have an agreement with a few neighboring sites to exchange data via UUCP, but we are not provding an electronic mail service to the public. Once a year we may decide to bounce all communications for a day, just to make it clear that we are not in the mail business. Does this make any sense to anybody?
tenney@well.UUCP (Glenn S. Tenney) (08/27/86)
In article <5615@topaz.RUTGERS.EDU> root@topaz.RUTGERS.EDU (Charles Hedrick) writes: >One of the interesting issues is how the proposed changes would affect >mail within our campus. Currently we have what I regard as a >reasonable privacy policy. Users' files will not be divulged to >anyone else unless there is a good reason for doing so. However good >reasons can include University proceedings, and investigations by the >system administrators involving resource usage or system security. I >am hoping that nothing in the law will require me to get a court order >to look at mail files on my own system, should I have a good reason >for doing so. (Note that this is not something that I do under normal >circumstances. But if I have probable cause to think that a user is >doing something damaging, and that looking at their mail file will >show it, I do not want to have to go to the police in order to proceed >with an investigation. It should be possible to authorize this by an >internal administrative proceeding of some sort. In general we try to >avoid bringing down even the campus police on our students, except in >really extreme cases.) My reading of the bill says that you, as an employee of the service provider, can look at all communications either: as necessary and incident to rendering the service, or to the protection of the rights or property of the provider; and for forwarding the mail. I find it *INTERESTING* to think that the bill says the rights or property of the provider, so the university security force can look at all E-Mail just in case some student talks about infringing ANY rights of the university --- !!! BIG BROTHER !!! This stinks!!! > >It is not clear to me exactly what is protected. Most people seem to >think that mail in transit through my site is protected. But once >mail gets into the user's files, is it still protected? I am hoping >that it is not. Otherwise we will have to have special flags in each >byte to indicate whether the byte arrived via computer mail or not. Sorry, but it seems to be protected in transit AND within your site. >It is also not clear to me that everything that is called electronic >mail really is, according to the law. The law clearly has in view >third parties providing a service to the public. Presumably it should >still be possible for a company to route its memos among its staff >electronically, without suddenly finding that it can't look at its own >memos if the right person doesn't happen to be around to authorize it. >I suspect that our lawyers will take the position that we are not >providing general electronic mail service to our students. Rather, we >are providing simplified ways for them to receive and turn in >assignments, etc. I.e. they are using our computer only for what is >broadly considered University business. They are not end users in >the same sense as a user of a public timesharing system. Hmm. First, the bill talks about electronic communications services and remote computing services and the storage within those systems which you are providing. The bill talks about providing these services to the public. Well, if you are a net site forwarding e-mail for other sites, there is no question that those communications are protected. As for your students, are you a public university? Do you receive public funds? etc. My gut feeling is that even a private university really is providing services to that segment of the public that is able to pay for the services (ie. tuition). >If the term "public" turns out to have a crucial role, as I suspect it >will, we are likely to find ourselves in the same situation as with >our campus roads. Once a year we close all of our roads, just to >prove to people that these are strictly internal University resources, >and not a public road. I think we may want to take the view that we >have an agreement with a few neighboring sites to exchange data via >UUCP, but we are not provding an electronic mail service to the >public. Once a year we may decide to bounce all communications for a >day, just to make it clear that we are not in the mail business. Does >this make any sense to anybody? - - - slight subject change here - - - Another related, but perhaps missed point in the bill of special interest to universities is that it is a crime for someone that "intentionally exceeds an authorization to access that facility" in addition to the usual break in! This crime can have a fine of up to $250,000 and a year in prison. What a tool for power hungry security people to use on students that like to play around to see what their limits are. Just one short sentence, but what an affect. -- Glenn Tenney
gnu@hoptoad.uucp (John Gilmore) (08/28/86)
In article <15406@ucbvax.BERKELEY.EDU>, David desJardins writes: > I see no moral or legal reason > why any Usenet site should have any responsibility whatsoever to the > individual who happened to originate the text of a particular message at > a site with which they have no interaction whatsoever, under either existing > or proposed law. A site's only responsibility is and should be to the sites > to which it sends and from which it receives. This is certainly David's point of view. I don't think that this is what the current bill proposes, though. The bill gives the originator of a message the right to sue people who disclose it. Fabrications about my not really originating a message, it was originated by decvax when it passed the message to ucbvax, will not fool anybody, even a judge. [This is why I first got upset about the bill -- it changes the rules for our electronic mail system, without our consent.] If I send an email message through David's site, and he intercepts it and discloses it, the bill lets me sue him. If he's interested I'm sure we can put it to the test... David, I suggest you call a staffer on the Judiciary Committee and ask them which interpretation is intended by the authors. Try Cindy Blackburn at 202-224-8059. -- John Gilmore {sun,ptsfa,lll-crg,ihnp4}!hoptoad!gnu jgilmore@lll-crg.arpa May the Source be with you!
hes@ecsvax.UUCP (Henry Schaffer) (08/29/86)
> > ... > >> "(3)(A) Except as provided in subparagraph (B) of this > >> paragraph, a person or entity providing an electronic communication > >> service to the public shall not willfully divulge the contents of any ^^^^^^^^^^^^^^^^^^^^^ This is a crucial point - just because you allow certain people and sites to use your machine for this purpose does not mean that you are offering such services "to the public". Our position is that we restrict these services to our account holders (students, faculty, staff) and to sites with which we have arrangements, and that this does not constitute offering service "to the public." Our university counsel also mentioned that many laws are passed with vague areas which require litigation to define more clearly - this does appear to be a candidate for this category. --henry schaffer n c state univ
dricej@drilex.UUCP (Craig Jackson) (08/30/86)
In article <1683@well.UUCP> tenney@well.UUCP (Glenn S. Tenney) writes: > >Another related, but perhaps missed point in the bill of special >interest to universities is that it is a crime for someone that >"intentionally exceeds an authorization to access that facility" in addition >to the usual break in! This crime can have a fine of up to $250,000 and >a year in prison. What a tool for power hungry security people to >use on students that like to play around to see what their limits are. >Just one short sentence, but what an affect. > >-- Glenn Tenney I think that 'students that like to play around to see what their limits are' are exactly the target of this clause. Without this clause, any penalties on unauthorized access would be meaningless. In both business and academia, I think that most of the really serious security breachs were done by people who already have some authorization to access the computer. I haven't looked at the bill (I understand that it was posted with 14 bit compression). Does it cover malicious denial of service? (E.g intentionally wedging the machine?) -- Craig Jackson UUCP: {harvard,linus}!axiom!drilex!dricej BIX: cjackson
tenney@well.UUCP (Glenn S. Tenney) (09/02/86)
In article <1978@ecsvax.UUCP> hes@ecsvax.UUCP (Henry Schaffer) writes: >> > ... >> >> "(3)(A) Except as provided in subparagraph (B) of this >> >> paragraph, a person or entity providing an electronic communication >> >> service to the public shall not willfully divulge the contents of any > ^^^^^^^^^^^^^^^^^^^^^ > This is a crucial point - just because you allow certain people and sites >to use your machine for this purpose does not mean that you are offering >such services "to the public". > > Our position is that we restrict these services to our account holders >(students, faculty, staff) and to sites with which we have arrangements, >and that this does not constitute offering service "to the public." > I believe that this is exactly why this should be of concern to net.mail. If you forward e-mail for other uucp sites, this could (would?) be considered services "to the public" since you really don't restrict what e-mail you forward. -- Glenn