really, it's not my fault. blame Mike Godwin <g> === Subject: STOP THE TROGLODYTE FIDONET MIND-RAPISTS *NOW*! does routine FIDOnet email INVASION by operators VIOLATE the U.S. Electronic Communications Privacy Act? EFF's lawyer M. Godwin speaks with FIDOnet operator Al Billings <mimir@u.washington.edu> on the cypherpunks mailing list. Resident list crank Perry Metzger offers his own whitehot flame. this forward brought to you by cypherpunks Cyberspatial Reality Advancement Movement (CRAM) Information Liberation Front (ILF) Blacknet === From: Mike Godwin <mnemonic@eff.org> Subject: Re: FIDOnet encryption (or lack thereof) To: cypherpunks@toad.com Date: Fri, 1 Oct 1993 16:40:09 -0400 (EDT) Al Billings writes:

On Thu, 30 Sep 1993, Mike Godwin wrote:

...

My question is this: how does he know that the mail is encrypted if he's not examining the mail that passes through his system? If he *is* examining the mail that passes through his system, it seems likely that he is violating the Electronic Communications Privacy Act.

Only if he has stated that he allows private mail. Most sysops have specifically worded policy statements for their systems that say that the sysop can read any and all messages on the system and may do so at any time.

That's all very nice, but it doesn't enable a FIDO sysop to intercept messages from people who are not users of his or her particular system. Those people did not waive their rights to privacy under the ECPA.

Bulletin boards do not normally offer truely private mail because of some of the legal implications.

This is a common myth. First of all, there are many BBSs that do offer truly private mail, or whose sysops, as a matter of policy, do not read others' private mail. Secondly, there's no legal liability associated with allowing e-mail privacy. Third, federal law (the ECPA) bars sysops from examining mail except under some very precisely defined circumstances. I suggest that you inform sysops who tell you otherwise that they can contact me at the Legal Services Department of EFF. You've got my e-mail address already--my phone number is 202-347-5400. -Mike From: Mike Godwin <mnemonic@eff.org> Subject: Re: FIDOnet encrypted mail issues Date: Fri, 1 Oct 1993 17:16:48 -0400 (EDT) To: cypherpunks@toad.com anonymous@extropia.wimsey.com writes:

Now, the point most internet people forget is that FIDOnet hosts are hobbyists with 100% privately-owned machines and generally pay for the entire participation of their userbase out of their own pockets, excepting a few who get some dollars here and there from their generous callers.

I have never forgotten this. But their commitment and efforts do not amount to an amendment to federal law.

As a completely justified consequence, they can decide if they allow encrypted traffic _on their individual BBSs_.

Under what legal theory do they get an ECPA exemption as a "completely justified consequence"?

In that there is considerable fear of the consequences of illegal activity being conducted on their BBSs via encrypted mail, many sysops (such as the one you mention, leaving aside, for now, that he apparently confused a PGP key with an encrypted message) do not wish to take the risk and forbid encrypted traffic.

What they don't realize is that, rather than reducing the risk of legal liability, they are increasing it.

They also monitor e-mail, if only incidentally during the course of routine system maintenance, and notices to this effect are generally contained in log-on screens and new-user info files.

Any monitoring that results *directly* as a function of system maintenance is okay--it's sanctioned by ECPA.

In that these sysops are extremely, _personally_ vulnerable, they are generally more cautious than those internet folks who can hide behind institutions and businesses.

If they were really cautious, they'd talk to a lawyer before setting policy based on some guess as to what their legal liabilities may be. -Mike To: cypherpunks@toad.com Subject: Re: PGP in FIDO Date: Sat, 02 Oct 1993 16:11:04 -0400 From: "Perry E. Metzger" <pmetzger@lehman.com> anonymous@extropia.wimsey.com says:

Anyway, the ECPA is basically irrelevant in the BBS world, as 1] almost every BBS states at log-on that there is no such thing as truly "private" e-mail on the system as the sysop can, will and does see messages in all areas, and 2] he is personally _liable_ for any illegal activity on his BBS, so he can reasonably be expected to keep an eye on e-mail for anything that will put his ass in a sling.

You haven't been listening at all to Mr. Godwin, have you? 1) The ECPA *DOES* apply to the BBSes whether they want it to or not. All the hoping in the world doesn't make a statute go away. Merely declaring that the ECPA doesn't apply to you doesn't work -- try declaring the tax laws don't apply to you some time and see if that works. 2) The BBS operators are NOT liable UNLESS they censor the mail. If they censor the mail, they are liable for anything they fail to censor. If they do not censor, they are common carriers, and have no liability. In other words, jackasses pretending they understand the law have both broken the law and made themselves more, not less, liable for anthing left on their machines.

There has been a very heated war in FIDOland over PGP and other encryption. Considering the risk that sysops take on by permitting secure (?) communication on their BBSs,

They take NO risk. They are common carriers if they stop censoring their mail. People don't seem to understand that the law on this is very clear. By the idiotic logic the FIDO operators are using, the phone company could be siezed if two people have a conversation about a crime over the phone. The notion is, of course, absurd, and so is the stupid half-assed amateur lawyering the people who wrote the FIDO policies used.

Personally, _I_ would never stick my neck out like that, though I convinced many FIDOnet BBSs to do so for my own political and purely selfish reasons.

Actually, as I've just noted, you have not protected yourself. You have opened yourself up for massive legal liability where you had none before. The depths of human folly never cease to amaze me. This case is as if a group of bankers, deciding that they were scared that they might be held liable if one of their clients were a drug dealer (which they aren't) decides to embezzle all the client accounts instead to "keep themselves safe". Perry ------------------------------------------------------------------------- To find out more about the anon service, send mail to help@anon.penet.fi. Due to the double-blind, any mail replies to this message will be anonymized, and an anonymous id will be allocated automatically. You have been warned. Please report any problems, inappropriate use etc. to admin@anon.penet.fi.