FIDOnet encryption (or lack thereof)
Mike, Please advise the sender of this message that I DO NOT allow encrypted mail to pass thru this system. I expect folks to abide by this rule voluntarily...
I would hate to have to block all messages from this source because someone wishes to violate my policy :)
BTW, the debate about "encrypted" mail with me is MOOT... I will not vary from my position... (just thought I'd let you know in case you wanted to try to convince me it is OK to allow encrypted mail...) please have the other person send encrypted mail directly to your machine...
Heh. OK. Well, if one behaves "ethically", then I guess *that* closes the issue. It's his machine and he gets to make the rules. (this is my personally-adhered-to point of view) On the other hand, he doesn't seem to have protected himself against steganographic users (though the low bandwidth of steganography compared to obvious encryption may make the steg channel less useful). Others may choose to take this point of view- but it's your karma. -Bill
Bill writes:
Heh. OK. Well, if one behaves "ethically", then I guess *that* closes the issue. It's his machine and he gets to make the rules. (this is my personally-adhered-to point of view)
My question is this: how does he know that the mail is encrypted if he's not examining the mail that passes through his system? If he *is* examining the mail that passes through his system, it seems likely that he is violating the Electronic Communications Privacy Act. --Mike
According to Mike Godwin:
Bill writes:
Heh. OK. Well, if one behaves "ethically", then I guess *that* closes the issue. It's his machine and he gets to make the rules. (this is my personally-adhered-to point of view)
My question is this: how does he know that the mail is encrypted if he's not examining the mail that passes through his system? If he *is* examining the mail that passes through his system, it seems likely that he is violating the Electronic Communications Privacy Act.
That was my first question. Then it occurred to me that I have seen bbs's which have disclaimers wrt email privacy. That is the loophole he is exploiting.
J. Michael Diehl ;^)    |*The 2nd Amendment is there in case the
mdiehl@triton.unm.edu   | Government forgets about the 1st! <RL>
Mike.Diehl@f29.n301.z1  |*God is a good Physicist, and an even
.fidonet.org            | better Mathematician. <Me>
al945@cwns9.ins.cwru.edu|*I'm just looking for the opportunity to
(505) 299-2282 (voice)  | be Politically Incorrect! <Me>
Can we impeach him yet? |*Protected by 18 USC 2511 and 18 USC 2703.
PGP Key = 7C06F1 = A6 27 E1 1D 5F B2 F2 F1 12 E7 53 2D 85 A2 10 5D
J. Michael Diehl writes:
That was my first question. Then it occurred to me that I have seen bbs's which have disclaimers wrt email privacy. That is the loophole he is exploiting.
Well, there's no doubt that users of his system can agree to allow the sysop to read their mail. But what about people whose mail passes *through* his system on the way to somewhere else? He has no agreement with them. --Mike
Mike Godwin writes:
My question is this: how does he know that the mail is encrypted if he's not examining the mail that passes through his system? If he *is* examining the mail that passes through his system, it seems likely that he is violating the Electronic Communications Privacy Act.
With UNIX it's quite simple to grep for "-----BEGIN PGP MESSAGE-----"... and ditch messages that match. I guess one could also run the incoming mail through a spell-checker and reject messages with greater than 99% failure rate. Neither of these requires actual examination of the message by a human; neither reveals content of a message to a human.
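The two automated checks described in the message above, written out as an added example that is not part of the original thread. The word list, the sample message bodies and the `classify` labels are constructed for illustration; a real filter would load a system dictionary.

```python
import re

# Constructed mini word list standing in for a system dictionary (assumption).
WORDS = set("""about at board call hello is me meeting my new next number on
phone please see the tomorrow week you""".split())

# The literal armor line from the message, anchored to a whole line.
ARMOR = re.compile(r"^-----BEGIN PGP MESSAGE-----\s*$", re.M)

def has_pgp_armor(body):
    return bool(ARMOR.search(body))

def miss_rate(body):
    """Fraction of alphabetic tokens (2+ letters) absent from WORDS."""
    tokens = re.findall(r"[a-z]{2,}", body.lower())
    if not tokens:
        return 0.0  # nothing to spell-check, so nothing to reject
    return sum(t not in WORDS for t in tokens) / len(tokens)

def classify(body, threshold=0.99):
    """Return 'armor', 'dictionary' or 'pass' (hypothetical labels)."""
    if has_pgp_armor(body):
        return "armor"
    if miss_rate(body) > threshold:
        return "dictionary"
    return "pass"

# All four message bodies below are constructed samples.
PLAIN = "Hello, please call me about the meeting tomorrow. My new phone number is on the board."
ARMORED = ("-----BEGIN PGP MESSAGE-----\nVersion: 2.3\n\n"
           "hIwDqRzkXvTgPbUBA/9xKdLmWqZrYtNcVbJhGfDsQpLwMnBvCxZ\n=XkQz\n"
           "-----END PGP MESSAGE-----\n")
# Signed but readable: different armor line, mostly dictionary words.
CLEARSIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\n\n"
               "See you at the board meeting next week.\n\n"
               "-----BEGIN PGP SIGNATURE-----\niQCVAgUBLKx3\n"
               "-----END PGP SIGNATURE-----\n")
# Unencrypted base64 attachment fragment: no armor, no dictionary words.
ENCODED = "R0lGODlhQABAAPcAAAAAADMAAGYAAJkAAMwAAP8AMwAAMzMAM2YAM5kA\n"

if __name__ == "__main__":
    for name in ("PLAIN", "ARMORED", "CLEARSIGNED", "ENCODED"):
        body = globals()[name]
        print(name, classify(body), round(miss_rate(body), 2))
```

The `ENCODED` sample is rejected by the dictionary check even though it is not encrypted, so that heuristic flags any encoded binary, while the clearsigned message passes both checks.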
On Thu, 30 Sep 1993, Mike Godwin wrote:
Bill writes:
Heh. OK. Well, if one behaves "ethically", then I guess *that* closes the issue. It's his machine and he gets to make the rules. (this is my personally-adhered-to point of view)
My question is this: how does he know that the mail is encrypted if he's not examining the mail that passes through his system? If he *is* examining the mail that passes through his system, it seems likely that he is violating the Electronic Communications Privacy Act.
Only if he has stated that he allows private mail. Most sysops have specifically worded policy statements for their systems that say that the sysop can read any and all messages on the system and may do so at any time. Bulletin boards do not normally offer truly private mail because of some of the legal implications.
Al Billings writes:
On Thu, 30 Sep 1993, Mike Godwin wrote:
My question is this: how does he know that the mail is encrypted if he's not examining the mail that passes through his system? If he *is* examining the mail that passes through his system, it seems likely that he is violating the Electronic Communications Privacy Act.
Only if he has stated that he allows private mail. Most sysops have specifically worded policy statements for their systems that say that the sysop can read any and all messages on the system and may do so at any time.
That's all very nice, but it doesn't enable a FIDO sysop to intercept messages from people who are not users of his or her particular system. Those people did not waive their rights to privacy under the ECPA.
Bulletin boards do not normally offer truly private mail because of some of the legal implications.
This is a common myth. First of all, there are many BBSs that do offer truly private mail, or whose sysops, as a matter of policy, do not read others' private mail. Secondly, there's no legal liability associated with allowing e-mail privacy. Third, federal law (the ECPA) bars sysops from examining mail except under some very precisely defined circumstances. I suggest that you inform sysops who tell you otherwise that they can contact me at the Legal Services Department of EFF. You've got my e-mail address already--my phone number is 202-347-5400. --Mike
On Fri, 1 Oct 1993, Mike Godwin wrote:
Al Billings writes:
Only if he has stated that he allows private mail. Most sysops have specifically worded policy statements for their systems that say that the sysop can read any and all messages on the system and may do so at any time.
That's all very nice, but it doesn't enable a FIDO sysop to intercept messages from people who are not users of his or her particular system. Those people did not waive their rights to privacy under the ECPA.
As has already been shown from Fidonet policy, Fidonet does not guarantee private mail in any form and, in fact, advises that mail will be going through many sites and can be read along the way.
Bulletin boards do not normally offer truly private mail because of some of the legal implications.
This is a common myth. First of all, there are many BBSs that do offer truly private mail, or whose sysops, as a matter of policy, do not read others' private mail. Secondly, there's no legal liability associated with allowing e-mail privacy. Third, federal law (the ECPA) bars sysops from examining mail except under some very precisely defined circumstances.
The third point does not apply if the sysops offer no private mail in the first place.
I suggest that you inform sysops who tell you otherwise that they can contact me at the Legal Services Department of EFF. You've got my e-mail address already--my phone number is 202-347-5400.
I don't need sysops to tell me otherwise. I've been running my own BBS for over three years. My system has a very clear policy statement that refers to the ECPA and states VERY clearly who can read the messages posted on my system in different areas. As I'm not a Fido hub (and barely participate in that network at all), I don't have to worry about passing other mail through my system. Wassail, Al Billings, Sysop of The Sacred Grove 1:343/56
Al Billings writes:
As has already been shown from Fidonet policy, Fidonet does not guarantee private mail in any form and, in fact, advises that mail will be going through many sites and can be read along the way.
You could be extrapolating from Fidonet's refusal to *guarantee* e-mail privacy (after all, how could Fidonet *enforce* it?) that all users of every Fido BBS everywhere have waived their rights under ECPA. My understanding is that Fidonet policy was drafted not in order to comply with ECPA, but to acknowledge that, in this decentralized network, there was no authority a user could appeal to if his e-mail was not kept private. But I'd be interested in seeing a direct quote of the policy provision you're alluding to here. And what about me? I don't post from a Fido BBS, so even if there's a Fidonet-wide waiver of ECPA rights, it's not a waiver *I* have agreed to. What if mail from me passes through a Fido node on its way to a non-Fido destination?
The third point does not apply if the sysops offer no private mail in the first place.
Certainly, if they offer no mail at all, they're not liable, since no mail passes through their systems. But the interesting case is this: let's assume that you're right that all Fido users everywhere have agreed to waive their ECPA rights. Then are the sysops who reserve their right to read e-mail reading *all* e-mail that passes through their systems? If not, this puts the lie to the claim that they're limiting their liability by reserving their right to read e-mail. After all, the criminally significant communications may be the ones they're skipping. In general, criminal liability depends on *knowledge*--you normally can't be held criminally liable for acts and communications you didn't know about. I know of no case in which a sysop has been held *civilly* liable for failing to read all e-mail on his system. So, in terms of classic risk analysis, what does that statistic tell you?
I suggest that you inform sysops who tell you otherwise that they can contact me at the Legal Services Department of EFF. You've got my e-mail address already--my phone number is 202-347-5400.
I don't need sysops to tell me otherwise.
I wasn't referring you to any sysops.
I've been running my own BBS for over three years. My system has a very clear policy statement that refers to the ECPA and states VERY clearly who can read the messages posted on my system in different areas. As I'm not a Fido hub (and barely participate in that network at all), I don't have to worry about passing other mail through my system.
If all your users have agreed to waive their e-mail privacy rights, and you're not dealing with any mail that does not either originate or terminate on your system, then you're not in violation of ECPA. --Mike
Participants (5): Al Billings, J. Michael Diehl, jet@netcom.com, Just-in-time terraforming 30-Sep-1993 1008, Mike Godwin