mnemonic@eff.org (Mike Godwin) (05/20/91)
In article <1991May20.051224.16358@gn.ecn.purdue.edu> psun@gn.ecn.purdue.edu (Pete) writes: > >The original objector, seeing >no firm footing, subtly shifted topic into sysop liability. >It is this persons contention (and this person claims to be >something of an authority on communication law) that a sysop >can be held liabel for anything posted on his system. This >doesn't seem unreasonable. The person then further states >that any system that receives the automated mailing from that >system can likewise be held liabel for its contents. As a lawyer, I've been doing research on the issue of sysop liability for the Electronic Frontier Foundation. It is by no means clear that mere republication by a sysop of (say) libelous material would make the sysop liable. Bulletin-board systems are run differently from newspapers, magazines, and broadcast stations--the latter are liable for republication because the operators or their agents always have an opportunity to review the material they republish. This is not the case for many BBSs--many postings to BBSs, like postings to Usenet, are not normally reviewed by system operators, and the volume of traffic on many BBSs (and certainly on Usenet) makes such review impossible. Law professor (and software author) Loftus Becker argues in an article for the Connecticut Law Review that sysops should be liable only if actual knowledge of the libelous material is shown. This conclusion, in my opinion, dovetails nicely with the Supreme Court's reasoning in Gertz v. Robert Welch Inc. (1973), in which the standard of liability for public figures is explained as being lower than that for private individuals because public figures have more access to the media to correct defamation. In the world of BBSs, typically, the defamed person has as much potential access to correct the defamation as the defamer had to spread it in the first place. (Just as a public figure may go to a different newspaper to correct defamation in the NATIONAL ENQUIRER, a person defamed on a BBS may seek access to another BBS to tell his story.) The law on this issue is not settled, of course. There have been very few, if any, cases concerning BBS defamation (primarily, I believe, because the remedy of responding to the defamer is so much easier than the remedy of suing him). So anyone who claims that the law is settled in this area is not telling the truth. --Mike -- Mike Godwin, | To see a world in a grain of sand mnemonic@eff.org | And heaven in a wild flower (617) 864-0665 | Hold infinity in the palm of your hand EFF, Cambridge, MA | And eternity in an hour
riddle@hoss.unl.edu (Michael H. Riddle) (05/20/91)
In <1991May20.051224.16358@gn.ecn.purdue.edu> psun@gn.ecn.purdue.edu (Pete) writes: >Let me begin by apologizing for dredging up a topic that has likely >been thrashed about many times before. * * * > The original objector, seeing >no firm footing, subtly shifted topic into sysop liability. >It is this persons contention (and this person claims to be >something of an authority on communication law) that a sysop >can be held liabel for anything posted on his system. This >doesn't seem unreasonable. The person then further states >that any system that receives the automated mailing from that >system can likewise be held liabel for its contents. >Is there any truth in this? What can be considered an >illegal posting? Can UseNet as an electronic distribution >mechanism similar to fidonet, be used as a model for >appropriate postings? If half of what this lawyer stated on >the echo is true, any university or business receiving a >usenet feed can be shut down... >Answeres appreciated as always. > Well, the real answer is that the law on this is "unsettled" and that some systems /have/ been shut down and some sysops placed at jeopardy because of information received from outside and made available on their systems. The names JOLNET and Steve Jackson Games come quickly to mind. I've cross-posted this response to comp.org.eff.talk (if my news.reader works correctly), which is probably a better place for this. There are two models which might be used in the legal discussion. The first is that of the Normal Citizen, who is responsible for what he says or does. If you hear something libelous and repeat it, you might well be liable for your repetition. (There's a whole body of law limiting this in the case of public figures and controversy. It's how lawyers pay the bills.) The second model is that of the publisher. There might be a limited defense/exception for "republication." There might not be. If there is, it might or might not apply to sysops. As someone said about recent Secret Service investigations, while comparing "Phrack" (electronic only publication) to "2600" (electronic and paper)--"I come out on paper, and the Constitution knows how to handle that." Of course, shutting down the Illuminati BBS is not the same thing as shutting down Usenet, and somehow I think the difference would become important quickly. Which isn't to say that size makes it right, but rather acknowledges reality. Disclaimer: I'm a graduate J.D., but not yet licensed in any jurisdiction and this certainly isn't specific legal advice. Anyone needing legal advice needs to see a lawyer licensed in their state. -- <<<< insert standard disclaimer here >>>> riddle@hoss.unl.edu | Nebraska Inns of Court ivgate!inns!postmaster@uunet.uu.net | +1 402 593 1192 Sysop of 1:285/27@Fidonet | 3/12/24/9600/8N1/V.32/V.42bis
brown@cs.utk.edu (Lance A. Brown) (05/20/91)
I do not know if this applies, but there was some (IMHO) really slimey
tactics being used in the Knoxville area by some government agent a couple
months ago.
This guy somehow managed to get a-hold of passwords for some users on the
largest local BBS's. He used these accounts to upload commercial software
and then waited to see what happened. If the sysop removed the software
then nothing happened, but if the sysop appeared to not do anything about
it this agent would come forward and warn the sysop about his behavior and
threaten legal action.
This happened on at least 4 BBS systems that I know of, and was relayed to
me by the sysop of one of the boards so I KNOW it happened. I find this
kind of behavior reprehensible, and what I would call entrapment. The fact
that this agent had somehow stolen passwords also makes me angry.
Lance
--
brown@cs.utk.edu
Lance A. Brown The Crystal Wind is the Storm,
3500 Sutherland Avenue, Apt. L-303 and the Storm is Data,
Knoxville, TN 37919 and the Data is Life
-- The Player's Litany
from _The Long Run_ by D.K. Moranbei@d75.UUCP (bei) (05/21/91)
In article <BROWN.91May20115025@duncan.cs.utk.edu> brown@cs.utk.edu (Lance A. Brown) writes: >I do not know if this applies, but there was some (IMHO) really slimey >tactics being used in the Knoxville area by some government agent a couple >months ago. >This guy somehow managed to get a-hold of passwords for some users on the >largest local BBS's. Think of an individual's computer(s) seized in a government raid. All the ProComm, Red Ryder, et cetera dialing directories are perused. Do the gov't folks call any of those numbers and log on as the account's owner? If so, are they impersonating that person? If you were going to say no, consider the common law enforcement claim that the username that one uses online (even if it's an alias) represents an actual person. You don't necessarily need a paid confidential informant, just a seized computer with account IDs and passwords on it. Another aspect of this is an individual's liability for acts committed by law enforcement personnel in disguise. Joe Average has his computer seized, and scrapes the cash together to buy a new one and a modem in six months. Whether by finding old backups or reading his phone bills, he pieces together much of an old dialing directory. On his first calls to Genie or Compu$erve, it soon becomes apparent that his account has been used in the time that his equipment was not in his possession. Is he financially liable for those connect charges? Let's also assume that Joe A. joined a few pay bbses and paid for time in advance. When he dials one of them, the time that he paid for has past. In the seizure of his equipment, he was prevented from accessing electronic information services of which he was (presumably) a customer in good standing. Is it relevant that he could have used another computer to dial them up? Yes, if the computer stores in your neighborhood are giving them away for free. Law enforcement personnel, and the private security personnel that accompany them, wouldn't be unduly hampered in their jobs by an awareness and sensitivity to the role that computers can play in people's lives. A computer which holds your personal phone numbers, your tax and other financial information, and the fruits of your skills and creativity should not be denied you for undue amounts of time. The lack of skilled investigative techniques and personnel doesn't absolve law enforcement agents from a duty of conscience, to do what they need to do and then *end* it. > He used these accounts to upload commercial software >and then waited to see what happened. If the sysop removed the software >then nothing happened, but if the sysop appeared to not do anything about >it this agent would come forward and warn the sysop about his behavior and >threaten legal action. Was this software concealed in any way? Did the agent clearly identify it as the commercial software that it was? It doesn't play well in Peoria when a narcotics undercover officer snorts the same coke as the guy that he arrests, but pays no penalty (other than the use of the drug -- ObAnti-Drug message.) >I find this >kind of behavior reprehensible, and what I would call entrapment. The fact >that this agent had somehow stolen passwords also makes me angry. It sounds like entrapment to me as well. If, for example, the agent puts up Microsoft Word and it's downloaded by seventy-five users before the sysop spots it and removes it. Even if it was only half an hour before the file was expunged, it was circulated. Who is culpable if civil or criminal charges result? The bbs operator who exercised reasonable caution and removed the files in a timely fashion? Or the user that uploaded them? (Who, were he not a spook or in the employ of spooks would face charges for those actions.) -- Bob -- Opinions expressed in this message are those of its author, except where messages by others are included with attribution. No endorsement of these opinions by Ralph Kirkley Associates or IBM should be inferred. Bob Izenberg [ ] Ralph Kirkley Associates work: 512 838 6311 [ ] bei@rt_trace.austin.ibm.com home: 512 346 7019 [ ] bei@dogface.UUCP
mnemonic@eff.org (Mike Godwin) (05/21/91)
In article <3935@d75.UUCP> bei@rt_trace.austin.ibm.com (Bob Izenberg) writes: >message.) > >>I find this >>kind of behavior reprehensible, and what I would call entrapment. The fact >>that this agent had somehow stolen passwords also makes me angry. > >It sounds like entrapment to me as well. Will someone explain to me why he believes that this person harassing Knoxville BBSs was actually a government agent? In none of these stories has anyone actually *seen* the purported agent, gotten a name, or checked an ID. I think it's a little premature to lay these antics at the door of the government. --Mike -- Mike Godwin, | To see a world in a grain of sand mnemonic@eff.org | And heaven in a wild flower (617) 864-0665 | Hold infinity in the palm of your hand EFF, Cambridge, MA | And eternity in an hour
jcomer@netxcom.netx.com (Jeff Comer) (05/25/91)
In article <BROWN.91May20115025@duncan.cs.utk.edu> brown@cs.utk.edu (Lance A. Brown) writes: >I do not know if this applies, but there was some (IMHO) really slimey >tactics being used in the Knoxville area by some government agent a couple >months ago. > >This guy somehow managed to get a-hold of passwords for some users on the >largest local BBS's. He used these accounts to upload commercial software >and then waited to see what happened. If the sysop removed the software >then nothing happened, but if the sysop appeared to not do anything about >it this agent would come forward and warn the sysop about his behavior and >threaten legal action. > >This happened on at least 4 BBS systems that I know of, and was relayed to >me by the sysop of one of the boards so I KNOW it happened. I find this >kind of behavior reprehensible, and what I would call entrapment. The fact >that this agent had somehow stolen passwords also makes me angry. I would use the term odious. I cannot imagine that any such case would ever be tried; if the agent "managed to get a-hold of passwords" (ie, steal), then that clearly is theft, B&E, and unlawful computer access or whatever the feds call it - they have laws for that. And evidence obtained illegally is not admissable. No DA would ever attempt to put that before a judge. Well, maybe I shouldn't say "ever"..... As I understand it (having just gone through it with the Marion Barry case), entrapment is basically trying to get someone to do something they would not have done otherwise. In the sysop case, there is no evidence to suggest whether or not the sysop would have removed or kept the copyrighted soft- ware had it arrived from another source. Any idea of how the agent managed to steal the passwords? +^^^^|^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^+ | jc | ROCOCO: You haven't seen the last of me! | | | DANGER: No, but the first of you turns my stomach! | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
learn@ddsw1.MCS.COM (William Vajk) (05/27/91)
In article <419@netxcom.netx.com> jcomer@netxcom.netx.com (Jeff Comer) writes: >In article <BROWN.91May20115025@duncan.cs.utk.edu> (Lance A. Brown) writes: >>This guy somehow managed to get a-hold of passwords for some users on the >>largest local BBS's. >Any idea of how the agent managed to steal the passwords? I have a feeling that "agents" of more than one sort do manage to steal passwords, some of them quite regularly with little effort. System igloo was "broken into" by such means this year. The details were forwarded to every individual and group who might be interested, with the concensus that there was actually little to be done. Personally, I KNOW exactly who it was. Bill Vajk
brown@cs.utk.edu (Lance A. Brown) (05/28/91)
>In article <1991May21.120543.1000@eff.org>, mnemonic@eff.org (Mike Godwin) writes: > In article <3935@d75.UUCP> bei@rt_trace.austin.ibm.com (Bob Izenberg) writes: >>message.) >> >>>I find this >>>kind of behavior reprehensible, and what I would call entrapment. The fact >>>that this agent had somehow stolen passwords also makes me angry. >> >>It sounds like entrapment to me as well. > Will someone explain to me why he believes that this person harassing > Knoxville BBSs was actually a government agent? In none of these stories > has anyone actually *seen* the purported agent, gotten a name, or > checked an ID. I think it's a little premature to lay these antics at > the door of the government. All I can say is that the person doing this represented himself as a government agent, ( I do not remember which agency specifically ) and that I have spoken personally with the sysops of one board where this occured and was warned to immediately change my password by the sysops of the three largest BBS's in Knoxville. I will recontact the sysop I spoke with and attempt to obtain more information regarding this. Lance -- brown@cs.utk.edu Lance A. Brown The Crystal Wind is the Storm, 3500 Sutherland Avenue, Apt. L-303 and the Storm is Data, Knoxville, TN 37919 and the Data is Life -- The Player's Litany from _The Long Run_ by D.K. Moran
bei@d75.UUCP (bei) (05/28/91)
In article <1991May26.192145.14175@ddsw1.MCS.COM> learn@ddsw1.MCS.COM (William Vajk) writes: >System igloo was "broken into" by such means this year. The details were >forwarded to every individual and group who might be interested, with the >concensus that there was actually little to be done. When Bill first told me about this, the incident with the dentists going to the cops about their computer hadn't become public knowledge. A break-in is a break-in, and if a mistake caused by an old BBS listing can garner police attention, so can an attempt to defraud by a user who may or may not have intentionally loaned out their password. Without mentioning the name of your user's employer, you can have no doubt that the company in question would have a room full of Federal officials come out to see you if the situation was reversed. Which law enforcement organizations did you contact? What was their response? We've all heard of some people at the state and federal level who have aggressive policies on computer intrusion. I'm at least five percent sure that the tradition of fair and prompt attention that some Illinois and Texas residents have come to expect will get this matter resolved. Only someone with no interest in his job, or too much interest in hiding the malfeasance of corporations that co-operate in investigations, would fail to heed your complaint. -- Bob -- Opinions expressed in this message are those of its author, except where messages by others are included with attribution. No endorsement of these opinions by Ralph Kirkley Associates or IBM should be inferred. Bob Izenberg [ ] Ralph Kirkley Associates work: 512 838 6311 [ ] bei@rt_trace.austin.ibm.com home: 512 346 7019 [ ] bei@dogface.UUCP
rogue@cellar.UUCP (Rache McGregor) (05/29/91)
brown@cs.utk.edu (Lance A. Brown) writes: /* Prior discussion removed */ > All I can say is that the person doing this represented himself as a > government agent, ( I do not remember which agency specifically ) and that > I have spoken personally with the sysops of one board where this occured > and was warned to immediately change my password by the sysops of the three > largest BBS's in Knoxville. I will recontact the sysop I spoke with and > attempt to obtain more information regarding this. > > Lance I'd like to know how the accounts that the 'agent' used were ascertained to be stolen. Were these BBSes invitation-only or public access systems? Had the 'agent' previously been removed from or refused validation to these boards? [The use of quotes around the word agent is not meant to be combative. It is meant to convey the unaffirmed identity of the caller involved.] Rogue Winter | "The truth knocks on the door and you say, rogue@cellar.uucp | "Go away, I'm looking for the truth," and so uunet!cellar!rogue | it goes away. Puzzling." Cellar 215/3369503 | -Robert Pirsig (quoted in Zen_To_Go, Jon Winokur)
learn@piroska.uchicago.edu (William Vajk (igloo)) (06/05/91)
In article <3962@d75.UUCP> bei@d75.UUCP (Bob Izenberg) writes: >In article <1991May26.192145.14175@ddsw1.MCS.COM> William Vajk writes: >>System igloo was "broken into" by such means this year. The details were >>forwarded to every individual and group who might be interested, with the >>concensus that there was actually little to be done. >Which law enforcement organizations did you contact? What was their >response? We've all heard of some people at the state and federal level >who have aggressive policies on computer intrusion. I'm at least five percent sure that the tradition of fair and prompt attention that some >Illinois and Texas residents have come to expect will get this matter >resolved. Only someone with no interest in his job, or too much interest >in hiding the malfeasance of corporations that co-operate in investigations, >would fail to heed your complaint. To be fair to the readers, I believe that I should mention that Bob and I have been discussing this very topic by phone as well, and I am afraid I have been something of a disappointment to Bob in that I haven't filed a police report, nor do I intend to. There are some prudent man considerations at work here which overwhelm my otherwise zealous approach to these difficulties. For openers, need I mention that Rich Andrews was a fine role model and model citizen at the leading edge of this electronic frontier when he saw some text on his public access system which caused him to lose sleep. He reported this information, as some keep suggesting I do presently, and lived to regret his actions. The results have devestated sevaral lives. Riggs, Darden, Grant, Neidorf, and Rose all fell prey to the predations of law enforcement, directly resulting from Rich's call for assistance. Rich also lost his job, his friends, and his equipment. They ript the tongue from the bearer of bad tidings. The written record shows that Andrews was cooperating with the authorities. He had been served a subpoena for certain records which he provided. Subesquently it was determined by the powers that be that the information he provided was not sufficient to meet the immediate needs of the investigation (read this to mean they wanted info in a hurry, they were quite obviously rushing justice and Rich's rights got in the way.) They applied for and received a search warrant, went out and too Rich's equipment away. They escalated the search proceedures well past reasonability and confiscated additional equipment from Steve Jackson Games and others. Given there are risks involved for an individualwho reports a "computer crime," I decided to take a pass. I haven't the fortune to be a philanthropist, nor do I see anyone wiling to fill that niche for me on the horizon. And finally, where I live is served by the Cook County Sherriff's Department for local police services. The unincorporated county is shrinking rapidly, and they are, in my opinion, not equipped nearly as well as San Luis Obispo was to handle "the case of the missing bbs." Bill Vajk