Friday, 15 July 2011

Computer email and privacy

 

COMPUTER ELECTRONIC MAIL AND PRIVACY

====================================

by

Ruel T. Hernandez

801 Cedarbend Way

Chula Vista, California 92010

(619) 421-6517 (voice)

(CompuServe: 71450,3341)

(GEnie Mail: R.HERNANDEZ)

January 11, 1987

Copyright (c) 1986, 1987 by Ruel T. Hernandez

 

(This is an edited version of a law school seminar paper I wrote at

California Western School of Law. Another version of the paper, entitled



"Electronic Mail - Your Right to Privacy," by Ruel T. Hernandez as told to

Dan Gookin, was published as the cover story in The Byte Buyer, San Diego's

Microcomputer Magazine, volume 4, number 24, December 5, 1986. That version

may also be found on their BBS at 619/226-3304 or 619/573-0359. Note,

citations to the Electronic Communications Privacy Act of 1986 refer to the

final version passed by the House of Representatives on October 2, 1986,

which was passed by the Senate the day before, as listed in the

Congressional Record.)

 

INTRODUCTION

Two years ago, legislation was introduced into Congress that sought to

provide federal statutory guidelines for privacy protection of computer

communications, such as electronic mail found on commercial computer systems

and on remote computer systems, commonly known as bulletin board systems

(BBS). Old federal wiretap law only gave protection to normal audio

telephonic communications. There was no contemplation of computers or their

operators using telephone lines to communicate. The old federal wiretap law

regulated police interceptions of communications while they are being

transmitted on a telephone line. Before the Electronic Communications

Privacy Act of 1976, the law did not provide guidelines for protecting the

transmitted message once it was stored within a computer system.

 

QUESTIONS

(1) Whether electronic mail and other intended private material stored

within an electronic computer communication system have Fourth Amendment

privacy protection?

(2) Should private electronic mail and other such material be accorded

the same protection guidelines as telephone communication and the U.S. Mail?

 

PROBLEM

Law enforcement seeks criminal evidence stored as E-Mail on either a

local, user-supported BBS, or on a commercial computer service, such as

CompuServe, GEnie or The Source. (Note, this situation is equally

applicable to personal, private data stored on a remote system for later

retrieval, as with CompuServe's online disk storage capabilities.)

For instance, a computer user calls up a computer communication system.

Using the electronic mail function, he leaves a private message that can

only be read by an intended recipient. The message is to inform the

recipient of a conspiracy plan to violate a federal or state criminal

statute. Law enforcement gets a tip about the criminal activity and learns

that incriminating evidence may be found on the computer system.

In 1982, such a situation occurred. (Meeks, Brock, "Life at 300 Baud:

Crime on the BBS Network," Profiles, August, 1986, 12-13.) A Detroit

federal grand jury, investigating a million-dollar cocaine ring, issued a

subpoena ordering a commercial service, The Source, to hand over private

subscriber data files. The files were routinely backed up to guard against

system crashes. The grand jury was looking for evidence to show that the

cocaine ring was using The Source as a communication base to send messages to

members of the ring. With such evidence, the grand jury could implicate or

indict those suspected to be a part of the cocaine ring. The Source refused

to obey the subpoena. The prosecution argued The Source could not

vicariously assert a subscriber's privacy rights. Constitutional rights are

personal and could only be asserted by the person whose rights are invaded.

Additionally, if the files containing messages were duplicated, any

reasonable expectation of privacy by users would be extinguished. A court

battle ensued. However, before a ruling could be made, the kingpin of the

cocaine ring entered a surprise guilty plea to federal drug trafficking

charges. The case against The Source was discontinued.

Publicly posted messages and other public material may be easily

retrieved by law enforcement. It is the private material, such as E-Mail,

that poses the problem.

Law enforcement's task is then to gather enough evidence to

substantiate a criminal case. Specifically, they would want the E-Mail, or

other private files, transmitted by suspected criminals. A computer

communications service, as keeper and transmitter of private electronic

messages, would not want to turn over the private data.

 

INADEQUACY OF OLD LAW

Brock Meeks of Profiles magazine noted that as of August, 1986, "no ...

protection exist[ed] for electronic communications. Any law enforcement

agency can, for example, confiscate a local BBS and examine all the message

traffic," including private files and E-Mail. (Ibid.)

In the next section, case law will be examined and statutory law prior

to the Electronic Communications Privacy Act of 1986 (ECPA) will be noted.

Seemingly applicable statutes, as they stood, provided no guidelines for

privacy protection of electronic computer communication systems, such as

CompuServe, GEnie, and local, user-operated BBSs.

CASE LAW

There is little case law available on computer communications and

Fourth Amendment constitutional problems. (M.D. Scott, Computer Law, 9-9

(1984 & Special Update, August 1, 1984).) If not for the surprise

preemptive guilty plea, the above described Detroit case may have provided

guidance on computer communications and privacy issues.

Of the available cases, Scott noted those that primarily dealt with

financial information found in bank and consumer credit organization

computers. In U.S. v. Davey, 426 F.2d 842, 845 (2 Cir. 1970), the

government had the right to require the production of relevant information

wherever it may be lodged and regardless of the form in which it is kept and

the manner in which it may be retrieved, so long as it pays the reasonable

costs of retrieval. In a California case, Burrows v. Superior Court, 13

Cal. 3d 238, 243, 118 Cal. Rptr. 166, 169 (1974), a depositor was found to

have a reasonable expectation that a bank would maintain the confidentiality

of both those papers in check form originating from the depositor and the

depositor's bank statements and records of those same checks. However, in

U.S. v. Miller, 425 U.S. 435, 440 (1976), customer account records on a

bank's computer were held to not be private papers of the bank customer,

and, hence, there is no Fourth Amendment problem when they are subpoenaed

directly from the bank.

The computer data and information in these cases have more of a

business character in contrast to personal E-Mail found on remote computer

systems such as CompuServe or a local BBS. Under the old law, a prosecutor,

as in the Detroit case, may try to analogize duplicated and backed up E-Mail

to business situations where data on business computer databases are also

backed up. Both types of computer data are stored on a system and then

later retrieved. The provider of the remote computing service or the sysop

would counterargue that the nature of computers always requires the

duplication and backup of any computer data, whether the data files are E-

Mail or centrally-based financial or credit data. Duplication does not

necessarily make E-Mail the same as financial or credit data stored in

business computers. Centrally-based business information is more concerned

with the data processing. That information is generally stored and

retrieved by the same operator. E-Mail is more concerned with personal

communications between individuals where the sender transmits a private

message to be retrieved only by an intended recipient. The sender and the

recipient have subjective expectations of privacy that, when viewed

objectively, are reasonable. Therefore, there is a constitutionally protected

expectation of privacy under Katz v. U.S., 389 U.S. 347, 19 L.Ed. 88 S.Ct.

507 (1967). However, the prosecution would note under California v.

Ciraolo, -- U.S. --, 106 S.Ct. 1809 (1984), the users would have to protect

their electronic mail from any privacy intrusion. The provider or operator

of the remote system has ultimate control of his system. He has complete

access to all areas of the system. He could easily examine the material.

The prosecution would note the user could not reasonably protect his private

data from provider or operator invasion. This "knot-hole" would exclude any

idea of privacy. If there is no privacy, there can be no search and

therefore no Fourth Amendment constitutional violation. Law enforcement can

retrieve the material.

FEDERAL WIRETAP STATUTES

The federal wiretap statutes, before the Electronic Communications

Privacy Act of 1986, protected oral telephone communications from police

interceptions. This protection was made in 1968 in response to electronic

eavesdropping by government. (Cohodas, Nadine, "Congress Races to Stay

Ahead of Technology," Congressional Quarterly Weekly Report, May 31, 1986,

1235.) Although E-Mail appears to come under the statute's definition of

"wire communication," under the old law, it was limited to audio

transmissions by wire or cable and does not mention stored computer data.

(18 U.S.C. sec. 2510(1).) The old law required that an interception of a

wire communication be an aural acquisition of the communication. (18 U.S.C.

sec. 2510(4).) Being "aural," the communication must be "heard."

Therefore, a computer communication may come under the old law while being

transmitted. After a caller's message is "sent" on a remote computer

system, the message is then stored within the computer's system. The

communication's conversion into computer stored data, thus no longer in

transmission until retrieved, takes the communication out of the old

statutory protection.

"Eighteen years ago ... Congress could not appreciate - or in some

cases even contemplate - [today's] telecommunications and computer

technology...." (132 Cong. Rec. S7992 (daily ed. June 19, 1986) (statement

of Sen. Leahy).)

CALIFORNIA'S INVASION OF PRIVACY AND WIRETAP STATUTE

California's "invasion of privacy" and wiretap statutes (Cal. Penal

Code sec. 630 et seq.) appear to provide state protection for BBSs.

California Penal Code sec. 637 reads as:

Every person not a party to a telegraphic or telephonic

communication who willfully discloses the contents of a

telegraphic or telephonic message, or any part thereof, addressed

to another person, without the permission of such person, unless

directed so to do by the lawful order of a court, is punishable

by imprisonment in the state prison, or in the county jail not

exceeding one year, or by fine not exceeding five thousand

dollars ($5000), or by both fine and imprisonment.

Again, the question here would be whether "telegraphic or telephonic

messages" include computer communications via modem where a transmitted

message is subsequently stored within a computer awaiting retrieval by its

intended recipient. Again, the storage of the data takes the computer

communications out of the statute. When the statute was passed, the

California legislature, much like the Congress, could not foresee the

technological advances in computer communications.

It should be noted that Assemblywoman Moore introduced legislation in

1985 that would have amended the California state constitution to explicitly

provide state constitutional privacy protection for remote computing

services and their stored information. However, nothing has come out of

this. Aside from political reasons for the lack of further action, one

possible legal consequential argument against the amendment may be that if

computer privacy protection is specified in the state constitution, more

litigation may result to tie up the courts in cases deciding whether or not

there is privacy protection for other unspecified matters. Although,

overall, the California state constitution is much more specific than the

United States Constitution, it may be best to not be any more specific with

regard to privacy.

PROTECTION FOR U.S. MAIL

Statutory U.S. Mail protection provides a suggestion for statutory

provisions of privacy protection for E-Mail deposited in electronic

communication systems. The unauthorized taking out of and examining of the

contents of mail held in a "depository for mail matter" before it is

delivered to the mail's intended recipient is punishable by fine,

imprisonment, or both. (18 U.S.C. sec. 1702.)

 

SOLUTION - THE NEW LAW

There are two methods towards a solution: (1) court decisions; and (2)

new legislated privacy protection.

COURT DECISIONS

Courts could have chosen to read computer communications protection into

the old federal wiretap statute or into existing state law. However, they

were reluctant to do so. Courts "are in no hurry to [revise or make new law

in this area] and some judges are openly asking Congress for help....

[F]ederal Appeals Court Judge Richard Posner in Chicago said Congress needed

to revise current law, adding that 'judges are not authorized to amend

statutes even to bring them up-to-date.'" (Cohodas, Nadine, "Congress Races

to Stay Ahead of Technology," Congressional Quarterly Weekly Report, May 31,

1986, p. 1233.)

NEW STATUTE

Last October 21, 1986, President Reagan signed the Electronic

Communications Privacy Act of 1986 amending the federal wiretap law. The

new Act (P.L. 99-508) would not take effect until three months

after the signing - presumably January 21, 1986. (18 U.S.C. secs. 111 and

202.)

When the new law does take effect, it would first provide privacy

protection for any

"'electronic communication' ... [by] any transfer of signs,

signals, writing, images, sounds, data or intelligence of any

nature transmitted in whole or in part by a wire, radio,

electromagnetic, photoelectronic or photooptical system that

affects interstate or foreign commerce...."

(18 U.S.C. sec. 2510(10).)

Second, and more importantly for this discussion, ECPA would protect

"stored wire and electronic communications," i.e. E-Mail stored and backed

up on disk or tape on an electronic computer communication system. (18

U.S.C. sec. 2701(a)(1) and (2).) The legislation makes it a federal

criminal offense to break into any electronic system holding copies of

messages or to exceed authorized access to alter or obtain the stored

messages. (Ibid.)

The legislation would protect electronic computer communication systems

from law enforcement invasion of user E-Mail without a court order. (18

U.S.C. sec. 2703.) Although the burden of preventing invasion of the E-Mail

is placed on the subscriber or user of the system, the government must give

him notice allowing him fourteen days to file a motion to quash a subpoena

or to vacate a court order seeking disclosure of his computer data. (18

U.S.C. sec. 2704(b).) However, the government may give delayed notice when

there are exigent circumstances as listed by the Act. (18 U.S.C. sec. 2705.)

The legislation gives a civil cause of action to the provider or

operator, subscriber, customer or user of the system aggrieved by an

invasion of private material stored in the system in violation of ECPA. (18

U.S.C. sec. 2702; see also 18 U.S.C. sec. 2520.) If the provider or

operator has to disclose information stored on his system due to a court

order, warrant, subpoena, or certification under ECPA, there can be no cause

of action against him by any person aggrieved by such disclosure. (18

U.S.C. sec. 2703(e); see also sec. 2702(b).)

The electronic communications, under this new Act, must be sent by a

system that "affects interstate or foreign commerce." (18 U.S.C. sec.

2510(12).) The "electronic communications" may practically be limited to

electronic communications sent by common carrier telephone lines.

There may be some question as to whether or not ECPA is confined to

commercial systems and does not cover user-operated bulletin board systems.

That would be similar to arguing the old federal wiretap law was confined to

long distance communications and not to local telephone calls. The House

report (H.R. No. 647, 99th Cong. (1986)), indicates user-operated BBSs are

intended to be covered by the Act. The House noted a difference between

commercial subscription systems and user-operated BBSs readily accessible by

the public. However, it also noted the different levels of security found

on user-operated BBSs, i.e. the difference between system areas containing

private electronic mail and other areas containing public information.

Electronic communications that the operator attempts to keep confidential

would be protected by ECPA, while there would be no liability for access to

features configured to be readily accessible by the general public.

Language in the Act also refers to "the person or entity providing the wire

or electronic communication service." Such language may be seen to indicate

the inclusion of individuals who operate a BBS. (18 U.S.C. secs. 2701(c)(1)

and 2702(a)(1) and (b).) Additionally, a remote computing service was

defined in the Act as an electronic communications system that provides

computer storage or processing services to the public. (18 U.S.C. sec.

2710(2).) This would certainly be applicable to a user-operated BBS that

is easily accessible to the public with the simple dialing of a telephone number

by a modem-equipped computer. On the political side, Senator Leahy, a

principal sponsor of the Act, was reported to have been "soliciting [users

and operators' of BBSs] comments and encourage sensitivity to the needs of

BBS's in the legislation.... They are ... willing to listen to our side of

things." (BBSLAW02.MSG, dated 07/24/85, information from Chip Berlet,

Secretary, National Lawyers Guild Civil Liberties Committee, transmitted by

Paul Bernstein, SYSOP, LAW MUG, Chicago, Illinois 312/280-8180, regarding

Federal Legislation Affecting Computer Bulletin Boards, deposited on The

Legacy Network 213/553-1473.)

 

CONCLUSION

Electronic mail stored on computer communication systems has Fourth

Amendment constitutional privacy protection. Unfortunately, before the

Electronic Communications Privacy Act of 1986, such protection was not

articulated by federal or state statutory guidelines. Case law also did

not provide any helpful guidance. The peculiarities of computers and

computer storage posed problems which were not addressed by the old wiretap

laws. They were also problems overwhelmed by constitutional privacy law as

defined by the United States Supreme Court. A legislative solution was

required and was provided for by ECPA.

[For more information on ECPA, see 132 Cong. Rec. H8977 (daily ed.

October 2, 1986) or "Major Provisions of 1986 Electronic Privacy Act,"

Congressional Quarterly Weekly Report, October 11, 1986, 2558.]
