mjranum@gouldsd.UUCP (Marcus J Ranum) (04/27/87)
As part of the process of recovering from my earlier embarrassing posting, I tracked down a consultant friend of mine who has had considerable dealings with legal issues associated with communications privacy. I got a more-or-less straightforward lecture from him. Here are the main points, and I won't venture to add much in the way of conclusions.

E-mail *IS* protected by law under a variation of the rules that apply to wire-tapping. If a private citizen dials into a corporate system, breaks in, and reads mail that was not sent to him, he is in trouble. For real, for no kidding, you can go to jail. A good example would be a situation where one employee caught a co-worker reading his/her mail, as long as they had exercised "diligence" in keeping files protected, etc.

My friend then went on to explain that the law, in its infinite wisdom, must make certain exceptions for special cases. In the case, for example, of a system's PostMaster, it is okay to read mail that is misdirected. The tricky part comes in when you start dealing with whether the systems that are transferring mail are providing it as a service, selling the service, or the service is simply incidental. A lowly mortal like me couldn't see much logical difference, but he explained that there *IS* a major difference between, say, Compuserve's liability if they read your mail, and the local university's computer services sysop. The argument, as I recall, in this case runs as follows: if I am selling E-mail as a service, I have a more pressing need to read mis-routed mail than if I'm not, but I should also get in more trouble if I do it for the wrong reason. I may have that wrong. It was very confusing.

There are also, more to my dismay, about 1.5 billion loopholes in the ECPA so that state, federal, and security agencies can do whatever they want. A local cop would have some trouble, but the NSA is, as usual, above having to ask anyone before doing anything to them.

I can see none of this is germane to the previous discussion. Reading mail when you're a sysop at the local college is fine, since it turns out there HASN'T BEEN AN ECPA TEST CASE YET. Nobody has bothered, since the law is so vague and open to interpretation. The local college sysop could lose a suit, unless he/she could demonstrate need to know. The NSA will never lose a suit anyhow.

Anyway, I'm sorry I flamed off without doing my research before. I have since tracked my original idea to (and this *IS* embarrassing) an article in Time Magazine (one of the more inaccurate rags). This was a mistake. It does seem, however, that I was not totally talking through my hat. On the other hand, I suspect the ECPA is just another of the cute ways Big Brother lets us think we have privacy, while making it illegal to snoop on him (like that, don't you?). Until there are some test cases where a college student wins against the college sysop, don't sweat it.

--mjr()
--
If a million monkeys program a million IBM PCs for a million years, they will write something much better than MS-DOS. It will probably run faster, multitask, and really support wildcards. User support will be dramatically improved. -me