* Reply to msg originally in CYPHERPUNKS
My question is this: how does he know that the mail is encrypted if he's not examining the mail that passes through his system? If he *is* examining the mail that passes through his system, it seems likely that he is violating the Electronic Communications Privacy Act.
In that FIDOnet mail points (or individual BBSs) are not required to pass or accept encrypted FIDO traffic under FIDOnet rules, some run a specific program that scans for the "PGP MESSAGE" string and bumps it to a SECURENET mail hub (or, in some cases, _kills_ it). It is not done by individual, personal inspection - at least not at mail hub level. Anyway, the ECPA is basically irrelevant in the BBS world, as 1] almost every BBS states at log-on that there is no such thing as truly "private" e-mail on the system as the sysop can, will and does see messages in all areas, and 2] he is personally _liable_ for any illegal activity on his BBS, so he can reasonably be expected to keep an eye on e-mail for anything that will put his ass in a sling. There has been a very heated war in FIDOland over PGP and other encryption. Considering the risk that sysops take on by permitting secure (?) communication on their BBSs, I must say I admire their courage when they allow it and participate on SECURENET. Personally, _I_ would never stick my neck out like that, though I convinced many FIDOnet BBSs to do so for my own political and purely selfish reasons. BTW, this message comes via FIDOnet and was originally PGP encrypted for the remailer, and the cypherpunks@toad.com mailing is converted to a conference on a FIDO BBS where I read the message to which I am responding.
Anyway, the ECPA is basically irrelevant in the BBS world, as ....
I'm truly amazed. Mike Godwin, who is a lawyer who *specializes* in this sort of thing, has rebuffed this statement several times, and given his phone number for interested BBS sysops to call him. And yet, people continue to spew disbelief. Of course, without real case law, Mike's opinion is still just that, but when some BBS sysop gets nailed by the ECPA, I'm gonna laugh. Marc
Marc Horowitz says:
Anyway, the ECPA is basically irrelevant in the BBS world, as ....
I'm truly amazed. Mike Godwin, who is a lawyer who *specializes* in this sort of thing, has rebuffed this statement several times, and given his phone number for interested BBS sysops to call him. And yet, people continue to spew disbelief.
Of course, without real case law, Mike's opinion is still just that, but when some BBS sysop gets nailed by the ECPA, I'm gonna laugh.
I have half a mind to get a FIDO account, try to send a message the sysop doesn't understand so he'll stop it, and then call the U.S. Attorney's office. Actually, I wouldn't ever do that -- my libertarian ethics stop me, since there is no real contract to get private mail between me and the operator, never mind how stupid what is is doing is. However, the law is the law. Disagreeing with it or consciously deciding to violate it is one thing, but smug amateur lawyering in which you pretend that it isn't supposed to apply to you is another. Perry
However, the law is the law. And as such is an ass, yes. Disagreeing with it or consciously deciding to violate it is one thing, but smug amateur lawyering in which you pretend that it isn't supposed to apply to you is another. I don't see the good in this sort of thing. The FIDOnet operators in question are probably operating in good faith, whether mistakenly or no, their smugness or lack thereof is not in evidence, and if there is anyone you should be annoyed with, it is the federal agencies which have created such a chilling atmosphere that their belief resulted. Put another way, they're terrified of the feds. Terrified people make stupid mistakes. The root of the problem is the cause of the terror, not the mistakes that result. I think it would be more constructive, instead of trying to imprison the BBS operator for offending your aethetic judgement (I realize you were not serious, of course -- please accept my rhetorical license as no less broad than your own), to document to them the reasoned legal opinion of the appropriately credentialled M. Godwin, so that they may protect themselves from legal assault.
Marc writes:
I'm truly amazed. Mike Godwin, who is a lawyer who *specializes* in this sort of thing, has rebuffed this statement several times, and given his phone number for interested BBS sysops to call him. And yet, people continue to spew disbelief.
One reason I gave out my number is to allow people to ask me specific questions that refer to how they run their *specific* systems--it may be that they're not risking ECPA liability, given the particular conditions they're working under. But one think I think sysops need to realize is that ECPA is the *default* setting.
Of course, without real case law, Mike's opinion is still just that, but when some BBS sysop gets nailed by the ECPA, I'm gonna laugh.
On some of my interpretations of ECPA, reasonable lawyers may disagree, but at this point most FIDO sysops who assert that ECPA doesn't apply haven't read the statute. --Mike
I'm truly amazed. Mike Godwin, who is a lawyer who *specializes* in this sort of thing, has rebuffed this statement several times, and given his phone number for interested BBS sysops to call him. And yet, people continue to spew disbelief.
Of course, without real case law, Mike's opinion is still just that, but when some BBS sysop gets nailed by the ECPA, I'm gonna laugh.
Could someone post the relevent parts of this? I'd like to upload this to several BBS's out here... -- Ed Carp, N7EKG erc@apple.com 510/659-9560 an38299@anon.penet.fi If you want magic, let go of your armor. Magic is so much stronger than steel! -- Richard Bach, "The Bridge Across Forever"
On Sat, 2 Oct 1993, Marc Horowitz wrote:
Anyway, the ECPA is basically irrelevant in the BBS world, as ....
I'm truly amazed. Mike Godwin, who is a lawyer who *specializes* in this sort of thing, has rebuffed this statement several times, and given his phone number for interested BBS sysops to call him. And yet, people continue to spew disbelief.
Of course, without real case law, Mike's opinion is still just that, but when some BBS sysop gets nailed by the ECPA, I'm gonna laugh.
Hasn't happened yet and the ECPA was passed in what? 1986? I really doubt if a BBS sysop is going to get nailed over someone's view of e-mail on their system.
Al Billings writes:
Hasn't happened yet and the ECPA was passed in what? 1986? I really doubt if a BBS sysop is going to get nailed over someone's view of e-mail on their system.
There's a new consciousness of ECPA thanks in part to the efforts of EFF and to Steve Jackson's successful ECPA case. But, Al, the issue is less whether a particular sysop is going to be prosecuted under ECPA than it is whether that sysop's conduct is *both* legal and ethical. Even if a sysop's policies fit within ECPA exceptions, it's dishonest to justify such policies in terms of risks that don't exist. There is no documented risk that a sysop will be at greater legal liability if he or she allows encrypted mail. --Mike
On Sun, 3 Oct 1993, Mike Godwin wrote:
But, Al, the issue is less whether a particular sysop is going to be prosecuted under ECPA than it is whether that sysop's conduct is *both* legal and ethical.
Even if a sysop's policies fit within ECPA exceptions, it's dishonest to justify such policies in terms of risks that don't exist. There is no documented risk that a sysop will be at greater legal liability if he or she allows encrypted mail.
True and if I had netmail set up for my system, I would probably allow encrypted netmail. I already offer the latest version of PGP (source and executable) to my users. The sysop ultimately has the right to choose if he or she allows encrypted mail on his or her system. After all, the sysop owns the machine and pays the bills, especially since most Fidonet sites are hobby sites with no fees for access. Wassail, Al Billings
anonymous@extropia.wimsey.com says:
Anyway, the ECPA is basically irrelevant in the BBS world, as 1] almost every BBS states at log-on that there is no such thing as truly "private" e-mail on the system as the sysop can, will and does see messages in all areas, and 2] he is personally _liable_ for any illegal activity on his BBS, so he can reasonably be expected to keep an eye on e-mail for anything that will put his ass in a sling.
You haven't been listening at all to Mr. Godwin, have you? 1) The ECPA *DOES* apply to the BBSes whether they want it to or not. All the hoping in the world doesn't make a statute go away. Merely declaring that the ECPA doesn't apply to you doesn't work -- try declaring the tax laws don't apply to you some time and see if that works. 2) The BBS operators are NOT liable UNLESS they censor the mail. If they censor the mail, they are liable for anything they fail to censor. If they do not censor, they are common carriers, and have no liability. In other words, jackasses pretending they understand the law have both broken the law and made themselves more, not less, liable for anthing left on their machines.
There has been a very heated war in FIDOland over PGP and other encryption. Considering the risk that sysops take on by permitting secure (?) communication on their BBSs,
They take NO risk. They are common carriers if they stop censoring their mail. People don't seem to understand that the law on this is very clear. By the idiotic logic the FIDO operators are using, the phone company could be siezed if two people have a conversation about a crime over the phone. The notion is, of course, absurd, and so is the stupid half-assed amateur lawyering the people who wrote the FIDO policies used.
Personally, _I_ would never stick my neck out like that, though I convinced many FIDOnet BBSs to do so for my own political and purely selfish reasons.
Actually, as I've just noted, you have not protected yourself. You have opened yourself up for massive legal liability where you had none before. The depths of human folly never cease to amaze me. This case is as if a group of bankers, deciding that they were scared that they might be held liable if one of their clients were a drug dealer (which they aren't) decides to embezzle all the client accounts instead to "keep themselves safe". Perry
By the idiotic logic the FIDO operators are using, the phone company could be siezed if two people have a conversation about a crime over the phone. The notion is, of course, absurd, and so is the stupid half-assed amateur lawyering the people who wrote the FIDO policies used.
You know, I wouldn't put it past some district attorneys to try... :( :( If you use the phone to make a drug deal, well, bye-bye Pac Bell!!! Hehehe... -- Ed Carp, N7EKG erc@apple.com 510/659-9560 an38299@anon.penet.fi If you want magic, let go of your armor. Magic is so much stronger than steel! -- Richard Bach, "The Bridge Across Forever"
Perry E. Metzger wrote: # They take NO risk. They are common carriers if they stop censoring # their mail. Not long after I moved here, I had a discussion with a local lawyer on common carrier status. Take my recollections for what they're worth after three years rattling around in the head of a non-attorney. One doesn't become a common carrier by virtue of personal policy. It's a label that must be applied for with the local communications regulatory authority (public utilities commission or what have you.) You must publish a tariff of your rate structure and other operating information. There's probably a lot more to do, but what it comes down to is paperwork, paperwork, paperwork, and (depending upon the lawyer) no small amount of legal time and expense. What I also heard that day was that this particular lawyer, who was obviously familiar with the process of consideration for common carrier status, would be unable to submit an application because of a conflict of interest his company would have. They represent the local telephone company, which had then, and still has now (in an unimpressive way,) an interest in getting into information services. I didn't make an exhaustive search for legal representation then, but I could imagine it taking a real expedition to find somebody that wasn't soaking up *some* of the money/influence that SWBT throws around in town (this being the state capitol.) [ Insert what Mike Godwin says next here. :-) ] Bob -- ============================================================================== Bob Izenberg voice phone: 512-891-8680 Motorola RISC Software bobi@vswr.sps.mot.com ==============================================================================
Bob Izenberg says:
Perry E. Metzger wrote:
# They take NO risk. They are common carriers if they stop censoring # their mail.
Not long after I moved here, I had a discussion with a local lawyer on common carrier status. Take my recollections for what they're worth after three years rattling around in the head of a non-attorney. One doesn't become a common carrier by virtue of personal policy. It's a label that must be applied for with the local communications regulatory authority (public utilities commission or what have you.)
Mike Godwin will have to confirm this, but to my knowledge Common Carrier is NOT a status you have to apply for. UUNET operates as a common carrier and has never registered with anyone. Perry
Perry E. Metzger wrote: # Mike Godwin will have to confirm this, but to my knowledge Common # Carrier is NOT a status you have to apply for. UUNET operates as a # common carrier and has never registered with anyone. Well, we won't really know until the legal beagles deliver their opinions (and perhaps not even then, if they disagree.) What I wonder is, what does the phrase "operates as a common carrier" mean? Who has to grant you that status before it has any meaning as a legal protection? Bob -- ============================================================================== Bob Izenberg voice phone: 512-891-8680 Motorola RISC Software bobi@vswr.sps.mot.com ==============================================================================
In my opinion, few if any BBSs qualify as common carriers. Common carriers hold themselves out as accepting all goods or passengers (or, in the case of communications, all messages) indifferently. I know of no sysop who operates under such a policy, or who would want to. uunet, in contrast, probably does qualify as a common carrier. My discussions of legal liability are not grounded in common-carrier law (in which I'm not yet an expert) but in criminal law and tort law. --Mike
Bob Izenberg says:
Perry E. Metzger wrote:
# Mike Godwin will have to confirm this, but to my knowledge Common # Carrier is NOT a status you have to apply for. UUNET operates as a # common carrier and has never registered with anyone.
Well, we won't really know until the legal beagles deliver their opinions (and perhaps not even then, if they disagree.) What I wonder is, what does the phrase "operates as a common carrier" mean? Who has to grant you that status before it has any meaning as a legal protection?
Many sorts of status do not require that anyone GRANT you anything. Lets say, for example, that you live in state that permits common law marriage. In such a state, it is sufficient to think of yourself and your S.O. as married, and behave in that manner -- at that point you legally are married. (Note that common law marriages are now only possible in a few state -- 9 I believe.) As for what "common carrier" means, it means that the law recognizes that you are a carrier of things, not a creator of them, and that you are not responsible for what you carry. That means that the phone company can transmit as many criminal phone conversations as it likes without having its switches siezed. In order to be a common carrier, you have to transmit all the messages you receive without differentiating between them, paying attention to what they are, or censoring them. Perry
Many sorts of status do not require that anyone GRANT you anything. Lets say, for example, that you live in state that permits common law marriage. In such a state, it is sufficient to think of yourself and your S.O. as married, and behave in that manner -- at that point you legally are married. (Note that common law marriages are now only possible in a few state -- 9 I believe.)
FYI, to be married in this way, you have to declare yourself in public as married - introducing yourself as someone's husband or wife, for example, is enough. But being "common law" married, it's only "legally" - that is, if one or both parties want to dissolve the marriage and don't want to exercise their rights, they can just walk away from the marriage. Texas is such a state. -- Ed Carp, N7EKG erc@apple.com 510/659-9560 an38299@anon.penet.fi If you want magic, let go of your armor. Magic is so much stronger than steel! -- Richard Bach, "The Bridge Across Forever"
Ed Carp says:
FYI, to be married in this way, you have to declare yourself in public as married - introducing yourself as someone's husband or wife, for example, is enough. But being "common law" married, it's only "legally" - that is, if one or both parties want to dissolve the marriage and don't want to exercise their rights, they can just walk away from the marriage.
Untrue. Common law marriage is a real marriage in every single sense. There is no legal difference in states that recognize it. You need a real honest to god divorce in order to end one. Look it up if you don't believe me. Perry
Ed Carp says:
FYI, to be married in this way, you have to declare yourself in public as married - introducing yourself as someone's husband or wife, for example, is enough. But being "common law" married, it's only "legally" - that is, if one or both parties want to dissolve the marriage and don't want to exercise their rights, they can just walk away from the marriage.
Untrue. Common law marriage is a real marriage in every single sense. There is no legal difference in states that recognize it. You need a real honest to god divorce in order to end one. Look it up if you don't believe me.
Not at all. I *did* look it up. Technically, you are correct - but that marriage is recorded by no government agency, you won't find it in any public records - hell, if you still file 'single' on your tax return, who's going to know? You can just walk away - and if your spouse agrees with you, you *can*. I'm not talking about 'what would do in court' - I'm talking real life. How do I know? I'm an ex-cop. I worked on one of those 'common law' marriage cases. -- Ed Carp, N7EKG erc@apple.com 510/659-9560 an38299@anon.penet.fi If you want magic, let go of your armor. Magic is so much stronger than steel! -- Richard Bach, "The Bridge Across Forever"
Ed Carp says:
Untrue. Common law marriage is a real marriage in every single sense. There is no legal difference in states that recognize it. You need a real honest to god divorce in order to end one. Look it up if you don't believe me.
Not at all. I *did* look it up. Technically, you are correct - but that marriage is recorded by no government agency, you won't find it in any public records - hell, if you still file 'single' on your tax return, who's going to know?
If you still file "single" on your tax returns, you haven't met the common law standard of acting in every way as if you were married.
You can just walk away - and if your spouse agrees with you, you *can*. I'm not talking about 'what would do in court' - I'm talking real life.
This is true even of normal marriages. If you and your spouse simply agreed never to make an issue of it, you could walk away and no one would ever know. I fail to see what your point is, but in any case this is NOT the mailing list for discussing this topic. Perry
Perry E. Metzger wrote: # As for what "common carrier" means, it means that the law recognizes # that you are a carrier of things, not a creator of them, and that you # are not responsible for what you carry. I've got that part, but what needs to be done / provided before the benefits of being a common carrier can be claimed? Bob -- ============================================================================== Bob Izenberg voice phone: 512-891-8680 Motorola RISC Software bobi@vswr.sps.mot.com ==============================================================================
Bob Izenberg says:
Perry E. Metzger wrote:
# As for what "common carrier" means, it means that the law recognizes # that you are a carrier of things, not a creator of them, and that you # are not responsible for what you carry.
I've got that part, but what needs to be done / provided before the benefits of being a common carrier can be claimed?
I noted it in the rest of my message. You have to act like a utility -- you do not discriminate between your customers, you do not read, censor, or otherwise differentiate in the carriage of their mail. If you behave like a utility, you become a common carrier. The law in this regard is somewhat complicated, so I would consult an attorney if I wanted to be sure about it. I will point out, though, that even if you are not a common carrier you have no liability for things you don't know about and don't participate in. This is why, for instance, the maker of a knife can't be arrested because the knife is used to kill someone instead of cutting bread. The law is actually reasonable. However, if you partially censor the mail going through your system, not only are you liable for ECPA violations, but you become liable for the content of the mail. Why? Because you are now taking responsibility for stopping things from going through, and should you fail to stop something from going through that is now a conscious decision on your part for which you have liability. Perry
Perry> Mike Godwin will have to confirm this, but to my knowledge Common Perry> Carrier is NOT a status you have to apply for. UUNET operates as a Perry> common carrier and has never registered with anyone. Interesting assertion. I suspect that you could say the same of any other regional IP provider. A lot of service providers leap to claim the appelation "common carrier", in the hope that it will absolve them of responsibility for their users' actions. In the real world, most providers, including UUNET and PSI, make their customers sign agreements that said customers won't use the networks for nefarious ends. Note that the phone company doesn't do this. It'll be a while (and a few court cases) before I have any confidence that the U.S. Gov't recognizes IP service providers as common carriers in any real sense. --strat NOTE: I don't speak for anyone but little old me, besides it's only my 2nd week here. :-) Bob Stratton strat@uunet.uu.net UUNET Technologies, Inc. uunet!strat 3110 Fairview Park Dr., Suite 570 Voice) +1 703 204 8000 Falls Church, Va 22042 Fax) +1 703 204 8001
Perry writes:
1) The ECPA *DOES* apply to the BBSes whether they want it to or not. All the hoping in the world doesn't make a statute go away. Merely declaring that the ECPA doesn't apply to you doesn't work -- try declaring the tax laws don't apply to you some time and see if that works.
That said, it should be noted that sysops can contract with users for users to waive their privacy rights under ECPA. But I think sysops should do this *explicitly*, and should not justify doing so because of vague perceptions of vaguely understood legal liability. I also have to take exception to the statement by some people here that sysops never allow private e-mail. I knew sysops who routinely did so when I lived in Austin. But maybe Austin is more enlightened than the rest of the country.
2) The BBS operators are NOT liable UNLESS they censor the mail. If they censor the mail, they are liable for anything they fail to censor. If they do not censor, they are common carriers, and have no liability.
I wouldn't say this quite so strongly, but Perry has the gist of it right. If you take on the duty of monitoring e-mail, you risk creating liability for yourself if something problematic doesn't get censored. And the sysops here generally admit that they don't real *all* e-mail. --Mike
anonymous writes:
In that FIDOnet mail points (or individual BBSs) are not required to pass or accept encrypted FIDO traffic under FIDOnet rules, some run a specific program that scans for the "PGP MESSAGE" string and bumps it to a SECURENET mail hub (or, in some cases, _kills_ it). It is not done by individual, personal inspection - at least not at mail hub level.
Absent waiver by users, this may still be an ECPA violation.
Anyway, the ECPA is basically irrelevant in the BBS world, as 1] almost every BBS states at log-on that there is no such thing as truly "private" e-mail on the system as the sysop can, will and does see messages in all areas, and 2] he is personally _liable_ for any illegal activity on his BBS, so he can reasonably be expected to keep an eye on e-mail for anything that will put his ass in a sling.
Item (1) is the relevant item--if users agree to waive their ECPA rights, there's no legal problem, although there may be ethical ones. As for (2), well, there's no legal theory that says that a sysop is liable for for any illegal activity on his BBS. The criminal law, in general, does not make people liable for the conduct of others in the absence of knowledge of that conduct. Please, please don't make assertions about criminal liability based on FIDO mythology.
There has been a very heated war in FIDOland over PGP and other encryption. Considering the risk that sysops take on by permitting secure (?) communication on their BBSs, I must say I admire their courage when they allow it and participate on SECURENET.
When you refer to the risk they're taking, could you be precise? What statistics do you have that support the statement that FIDO sysops are at risk if they allow encrypted communications? To my knowledge as a lawyer who works in this area, no sysop has been held liable for allowing encrypted communications on his or system. --Mike
anonymous@extropia.wimsey.com writes:
Anyway, the ECPA is basically irrelevant in the BBS world, as 1] almost every BBS states at log-on that there is no such thing as truly "private" e-mail on the system as the sysop can, will and does see messages in all areas, and 2] he is personally _liable_ for any illegal activity on his BBS, so he can reasonably be expected to keep an eye on e-mail for anything that will put his ass in a sling.
Ok, this is really getting bizarre. Why is it so hard to accept that the ECPA---federal law of the land---applies to BBS operators in the United States? It may be a pain in the butt, and it may be an insult to the noble souls who operate FIDOnet nodes out of the goodness of their hearts, but that's Life In The Big City. Perhaps some of the confusion stems from ignorance on my (and, perhaps, other Internet weenies') part about the topology and operation of FIDOnet. As I understand it, ECPA applies if private third party communications are routed through some FIDOnet agent. Does this ever happen? -- Mike McNally
participants (10)
-
Al Billings -
alk@et.msc.edu -
anonymous@extropia.wimsey.com -
bobi@vswr.sps.mot.com -
khijol!erc -
m5@vail.tivoli.com -
Marc Horowitz -
Mike Godwin -
Perry E. Metzger -
strat@uunet.uu.net