[news.sysadmin] Snooping in peoples' email IS a violation of Federal law.

gnu@hoptoad.UUCP (04/28/87)

Unfortunately this is true.  I tried to get the net stirred up enough to
fix it when the law was proposed last year, but either nobody complained
to their Congresscritters or they didn't listen hard enough, because it
was passed (Public Law 99-508, the Electronic Communications Privacy Act
of 1986).  As far as I know, nobody has yet been prosecuted under it
though, so what it really means is not clear.


There is a section that says:

        "(g) It shall not be unlawful under this chapter or chapter
121 of this title for any person--
...	"(iv) to intercept any wire or electronic communication the
transmission of which is causing harmful interference to any lawfully
operating station, to the extent necessary to indentify the source of
such interference..."

which might cover cases like trying to find out who forged mail (harmful
interference with lawful stations?  I'm sure this section was written for
radio though.)

The original case, where a system administrator says he watched the mail
logs until a piece of mail critical to his lab came in, while the recipient
was out of town, is probably legal, but the wording of the bill is so fuzzy
it's hard to say:

	"(b) EXCEPTIONS.--  A person or entity may divulge the
contents of a communication--

                "(3) with the lawful consent of the originator or an
addressee or intended recipient of such communication, or the
subscriber in the case of remote computing service;

                "(4) to a person employed or authorized or whose
facilities are used to forward such communication to its destination;

                "(5) as may be necessarily incident to the rendition
of the service or to the protection of the rights or property of the
provider of that service"...

One of these three would probably cover the case.

ECPA, we didn't stop it, now we have to figure out what the damn thing means.
-- 
Copyright 1987 John Gilmore; you can redistribute only if your recipients can.
(This is an effort to bend Stargate to work with Usenet, not against it.)
{sun,ptsfa,lll-crg,ihnp4,ucbvax}!hoptoad!gnu	       gnu@ingres.berkeley.edu

sysop@killer.UUCP (BBS Admin) (05/04/87)

In article <2062@hoptoad.uucp>, gnu@hoptoad.uucp (John Gilmore) writes:
> Unfortunately this is true.  I tried to get the net stirred up enough to
> fix it when the law was proposed last year, but either nobody complained
> to their Congresscritters or they didn't listen hard enough, because it
> was passed (Public Law 99-508, the Electronic Communications Privacy Act
> of 1986).  As far as I know, nobody has yet been prosecuted under it
> though, so what it really means is not clear.
> 
> 
The following is an act passed by the Texas Legislature.

                           AN ACT

relating to the creation and prosecution of offenses
involving computers; providing penalties and an affirmative
defense; adding Chapter 33 to the Penal Code.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1.  Title 7, Penal Code, in amended by adding
Chapter 33 to the Penal Code.

                         CHAPTER 33

Section 33.01 DEFINITIONS.  In this Chapter:

  (1)  `COMMUNICATIONS COMMON CARRIER' means a person
who owns or operates a telephone system in this state that
includes equipment or facilities for the conveyance, trans-
mission, or reception of communications and who receives
compensation from persons who use that system.

  (2)  `COMPUTER' means an electronic device that
performs logical, arithmetic, or memory functions by the
manipulations of electronic or magnetic impulses and includes
all input, output, processing, storage, or communication
facilities that are connected or related to the device.
`COMPUTER' includes a network of two or more computers that
are interconnected to function or communicate together.

  (3)  `COMPUTER PROGRAM' means an ordered set of
data representing coded instructions or statements that when
executed by a computer cause the computer to process data or
perform specific functions.

  (4)  `COMPUTER SECURITY SYSTEMS' means the design,
procedures or other measures that the person responsible for
the operation and use of a computer employs to restrict the
use of the computer to particular persons or uses or that the
owner or licensee of data stored or maintained by a computer
in which the owner or licensee is entitled to store or main-
tain the data employs to restrict access to the data.

  (5)  `DATA' means a representation of information,
knowledge, facts, concepts or instructions that is being pre-
pared or has been prepared in a formalized manner and intend-
ed to be stored or processed, is being stored or processed,
or has been stored or processed in a computer.  Data may be
embodied in any form, including but not limited to computer
printouts, magnetic storage media, and punchcards, or may be
stored internally in the memory of the computer.

  (6)  `ELECTRIC UTILITY' has the meaning assigned by
Subsection (c), Section 3, Public Utility Regulatory Act
(Article 1446c, Vernon's Texas Civil Statutes).



Section 33.02.  BREACH OF COMPUTER SECURITY.
 (a)  A person commits an offense if the person:

     (1) uses a computer without the effective consent
of the owner of the computer or a person authorized to
license access to the computer and the actor knows that there
exists a computer security system intended to prevent him
from making that use of the computer; or

     (2)  gains access to data stored or maintained by a
computer without the effective consent of the owner or
licensee of the data and the actor knows that there exists a
computer security system intended to prevent him from gaining
access to that data.

 (b) A person commits an offense if the person intention-
ally or knowingly gives a password, identifying code, person-
al identification number, or other confidential information
about a computer security system to another person without
the effective consent of the person employing the computer
security system to restrict the use of a computer or to
restrict access to data stored or maintained by a computer.

 (c) An offense under this section is a Class A
misdemeanor.

 Section 33.03.  HARMFUL ACCESS.

 (a) A person commits an offense if the person
intentionally or knowingly:

      (1) causes a computer to malfunction or interrupts
the operation of a computer without the effective consent of
the owner of the computer or a person authorized to license
access to the computer or a person authorized to license
access to the computer; or

      (2) alters, damages or destroys data or a computer
program stored, maintained or produced by a computer, without
the effective consent of the owner or licensee of the data or
computer program.

 (b) An offense under this section is:

      (1) a Class B misdemeanor if the conduct did not
cause any loss or damage or if the value of the loss or
damage caused by the conduct is less that $200.00;

      (2) a Class A misdemeanor if the value of the loss
or damage caused by the conduct is $200.00 or more but less
than $2,500.00; or

      (3) a felony of the third degree if the value of
the loss or damage caused by the conduct is $2,500.00 or
more.

 Section 33.04.  DEFENSES.  It is an affirmative defense
to prosecution under Sections 33.02 and 33.03 of this code
that the actor was an officer, employee, or agent of a
communications common carrier or electric utility and commit-
ted the proscribed act or acts in the course of employment
while engaged in an activity that is a necessary incident to
the rendition of services or to the protection of the rights
or property of the communications common carrier or electric
utility.

 Section 33.05.  ASSISTANCE BY THE ATTORNEY GENERAL.  The
attorney general, if requested to do so by a prosecuting
attorney, may assist the prosecuting attorney in the investi-
gation or prosecution of an offense under this chapter or of
any other offense involving the use of a computer.

 SECTION 2.  This Act takes effect September 1, 1985.

 SECTION 3.  The importance of this legislation and the
crowded condition of the calendars in both houses create an
emergency and an imperative public necessity that the consti-
tutional rule requiring bills to be read on three several
days in each house be suspended, and this rule is hereby
suspended.

> ECPA, we didn't stop it, now we have to figure out what the damn thing means.
> -- 
> Copyright 1987 John Gilmore; you can redistribute only if your recipients can.
> (This is an effort to bend Stargate to work with Usenet, not against it.)
> {sun,ptsfa,lll-crg,ihnp4,ucbvax}!hoptoad!gnu	       gnu@ingres.berkeley.edu


                                            Charlie Boykin
                                     {cuae2,ihnp4}!killer!sysop

cetron@utah-cs.UUCP (Edward J Cetron) (05/11/87)

In article <844@killer.UUCP> sysop@killer.UUCP (BBS Admin) writes:
>In article <2062@hoptoad.uucp>, gnu@hoptoad.uucp (John Gilmore) writes:
>> Unfortunately this is true.  I tried to get the net stirred up enough to
>The following is an act passed by the Texas Legislature.
>
....
>
>Section 33.02.  BREACH OF COMPUTER SECURITY.
> (a)  A person commits an offense if the person:
>
...
>
>     (2)  gains access to data stored or maintained by a
>computer without the effective consent of the owner or
>licensee of the data and the actor knows that there exists a

and now here is the rub...... Where is the OWNER of the data defined.  This
is the problem that I think is going to cause the most trouble.  In our view,
since all lab personnel are given lab accounts (i.e. they don't pay for them)
and since most of what they use the computers for is work-related, who really
'owns' the data in their directories?  Given current Univ. policy, any programs
or whatever created by employees using Univ. facilities are 'owned' by the U.
But graduate students aren't contracted employees, but then again they DO get
paid, but then again......

	As John Gilmore has written, the ECPA says a lot of stuff - but does
ANYONE really know what it really means....

-ed

heiby@mcdchg.UUCP (05/11/87)

This is one of the better such laws I've seen.  As with the others, though,
this one needs some help with definitions and the consequences of those
definitions.  [whole article == :-)]

BBS Admin (sysop@killer.UUCP) writes:
|   (2)  `COMPUTER' means an electronic device that
| performs logical, arithmetic, or memory functions by the
| manipulations of electronic or magnetic impulses and includes
| all input, output, processing, storage, or communication
| facilities that are connected or related to the device.
| `COMPUTER' includes a network of two or more computers that
| are interconnected to function or communicate together.
For example, my wristwatch.  Some watches have special programming keypads,
aso well.  Maybe they become a "network"?  I use my fingers in connection
with the processing, storage, and communication of the data stored in the
watch.  What does that make the fingers or the devices attached to them?

|   (4)  `COMPUTER SECURITY SYSTEMS' means the design,
| procedures or other measures that the person responsible for
| the operation and use of a computer employs to restrict the
| use of the computer to particular persons or uses or ....
I keep my shirt cuff pulled down over the face of the watch and don't
let anybody know what time it is unless they ask me.  I also use the wrist
band and clasp as an integral part of the security system to keep it in place
behind my shirt cuff.

|   (5)  `DATA' means a representation of information,
| knowledge, facts, concepts or instructions ...
| may be stored internally in the memory of the computer.
Like, what time my alarm is set to go off.

|      (1) uses a computer without the effective consent
| of the owner of the computer or a person authorized ....
|
|  (c) An offense under this section is a Class A misdemeanor.
If such person moves my shirt cuff out of the way to check the time.

|       (1) causes a computer to malfunction or interrupts
| the operation of a computer ....
| 
|       (2) alters, damages or destroys data or ....
| 
|  (b) An offense under this section is:
| 
|       (3) a felony of the third degree if the value of
| the loss or damage caused by the conduct is $2,500.00 or more.
So, if someone interrupts the operation of the computer on my wrist,
like by stealing it, and I miss an appointment causing me to lose
a business account that is worth more than $2,500, then the pickpocket
has committed a 3rd degree felony by lifting my $40 watch.
(Unless, of course, the pickpocket works for the phone company and needed
to know what time it was in connection with his/her official duties.)
-- 
Ron Heiby, heiby@mcdchg.UUCP	Moderator: comp.newprod & comp.unix
Motorola Microcomputer Division (MCD), Schaumburg, IL
"Small though it is, the human brain can be quite effective when used properly"