This article, "Computer Electronic Mail and Privacy," appeared in THE COMPUTER LAW AND SECURITY REPORT (4 Comp. L.Sec. Rpt. 4-8, Nov/Dec 1987). It appeared as part of a special "Information Law" section of the British print publication. The article is about the American federal statute known as the Electronic Communications Privacy Act of 1986. This article is: Copyright 1986, 1987 Ruel T. Hernandez Copies of this copyrighted article may only be used for PERSONAL USE. This file replaces and supersedes documents found in PRIVACY.LBR and PRIVACY2.LBR. (PRIVACY.TXT - this has WordStar dot commands and Ctrl-P print codes) COMPUTER_ELECTRONIC_MAIL_AND_PRIVACY by Ruel T. Hernandez July 27, 1987 Copyright 1986, 1987 by Ruel T. Hernandez INTRODUCTION Three years ago, Congress introduced legislation which sought to provide federal statutory guidelines for the privacy protection of electronic communications, including electronic mail (e-mail) found on commercial computer-based services and on other remote computer systems such as electronic bulletin board systems (BBS). The old federal wiretap law only gave protection to normal audio telephone communications. Before the legislation culminated into the Electronic Communications Privacy Act of 1986 (ECPA), which went into effect on January 20, 1987, there was no contemplation of computer-based electronic communications being transmitted across telephone lines and then being stored on disk for later retrieval by or forwarding to its intended recipient. Federal law did not provide guidelines for protecting the transmitted electronic messages once they were stored on these computer-based communications services and systems. QUESTIONS (1) Whether electronic mail and other intended private material stored on an electronic computer communications service or system have Fourth Amendment privacy protection? (2) Should private electronic mail and other such material be accorded federal statutory protection guidelines such as those enjoyed by the U.S. Mail? PROBLEM Law enforcement seeks criminal evidence stored as e-mail either on a commercial computer service, such as CompuServe, GEnie or The Source, or on a hobbyist-supported BBS. (Note, this situation is equally applicable to personal, private data stored on a remote system for later retrieval, such as with CompuServe's "personal file" online storage capabilities.) For example, a computer user calls up a computer communication system. Using the electronic mail function, he leaves a private message that can only be read by an intended recipient. The message is to inform the recipient of a conspiracy plan to violate a federal or state criminal statute. Law enforcement gets a tip about the criminal activity and learn that incriminating evidence may be found on the computer system. In 1982, such a situation occurred. (Meeks, Life_at_300_Baud:_Crime_on the_BBS_Network, Profiles, Aug. 1986, 12-13.) A Detroit federal grand jury, investigating a million-dollar cocaine ring, issued a subpoena ordering a commercial service, The Source, to hand over private subscriber data files. The files were routinely backed up to guard against system crashes. The grand jury was looking for evidence to show that the cocaine ring was using The Source as a communications base to send messages to members of the ring. With such evidence, the grand jury could implicate and indict those suspected of being part of the cocaine ring. The Source refused to obey the subpoena on the basis of privacy. The prosecution argued The Source could not vicariously assert a subscriber's privacy rights. Constitutional rights are personal and could only be asserted by the person whose rights are invaded. Additionally, since the files containing messages were duplicated by the service, any user expectation of privacy would be extinguished. A court battle ensued. However, before a ruling could be made, the kingpin of the cocaine ring entered a surprise preemptime guilty plea to federal drug trafficking charges. The case against The Source was discontinued. Publicly posted messages and other public material may be easily retrieved by law enforcement. It is the private material, such as e-mail, which posed the problem. Law enforcement's task was then to gather enough evidence to substantiate a criminal case. Specifically, they would want the e-mail, or other private files, transmitted by suspected criminals. In oppostion, the provider or systems operator of a computer communications service or system, in his assumed role as keeper of transmitted private electronic messages, would not want to turn over the private data. INADEQUACY OF OLD LAW Meeks noted that as of August, 1986, "no ... protection exist[ed] for electronic communications. Any law enforcement agency can, for example, confiscate a local BBS and examine all the message traffic," including and private files and e-mail. (Id.) CASE LAW There is little case law available on computer communications and Fourth Amendment constitutional problems. (See_generally M.D. Scott, Computer Law, 9-9 (1984 & Special Update, Aug. 1, 1984).) If not for the preemptive guilty plea, the above described Detroit case may have provided some guidance on computer-based communications and privacy issues. Of the available cases, there are those which primarily dealt with financial information found in bank and consumer credit organization computers. In U.S._v._Davey, 426 F.2d 842, 845 (2 Cir. 1970), the government had the right to require the production of relevant information wherever it may be lodged and regardless of the form in which it is kept and the manner in which it may be retrieved, so long as it pays the reasonable costs of retrieval. In a California case, Burrows_v._Superior_Court, 13 Cal. 3d 238, 243, 118 Cal. Rptr. 166, 169 (1974), a depositor was found to have a reasonable expectation that a bank would maintain the confidentiality of both his papers in check form originating from the depositor and the depositor's bank statements and records of those checks. However, in U.S._v. Miller, 425 U.S. 435, 96 S.Ct. 1619 (1976), customer account records on a bank's computer were held to not be private papers of the bank customer, and, hence, there was no Fourth Amendment problem when they are subpoenaed directly from the bank. Although these cases have more of a business character in contrast to personal e-mail found on computer systems such as CompuServe or a hobbyist- supported BBS, they would hold that there would be very little to legally stop unauthorized access to computer data and information. Under the old law, a prosecutor, as in the Detroit case, may try to analogize duplicated and backed up e-mail to business situations where data on business computer databases are also backed up. Both types of computer data are stored on a system and then later retrieved. The provider or systems operator of a computer electronic communications system would counterargue that the nature of computers always require the duplication and backup of any computer data, whether the data files be e-mail or centrally- based financial or credit data. Data stored on magnetic media are prone to possible destruction. Duplication does not necessarily make e-mail the same as financial or credit data stored in business computers. Centrally-based business information is more concerned with the data processing. That information is generally stored and retrieved by the same operator. E-mail is more concerned with personal communications between individuals where the sender transmits a private message to be retrieved only by an intended recipient. The sender and the recipient have subjective expectations of privacy that when viewed objectively are reasonable. Therefore, there would be a constitutionally protected expectation of privacy under Katz_v._U.S., 389 U.S. 347, 88 S.Ct. 507 (1967). However, the prosecution would note under California_v._Ciraolo, -- U.S. --, 106 S.Ct. 1809 (1984), users would have to protect their electronic mail from any privacy intrusion. The provider or operator of the service or system has ultimate control over it. He has complete access to all areas of the system. He could easily examine the material. The prosecution would note the user could not reasonably protect his private data from provider or operator invasion. This "knot-hole," where an observer can make an observation from a lawful position, would exclude any reasonable expectation of privacy. If there is no privacy, there can be no search and therefore no Fourth Amendment constitutional violation. Law enforcement can retrieve the material. The Justice Department noted the ambiguity of the knothole in a response to Senator Leahy's question whether the then existing wiretap law was adequate to cover computer communications. (S. Rep. No. 541, 99th Cong., 2d Sess. 4 reprinted_in 1986 U.S. Code Cong. & Ad. News 3558.) It was "not always clear or obvious" whether a reasonable expectation of privacy existed. (Id.) FEDERAL WIRETAP STATUTES The old federal wiretap statutes protected oral telephone communications from police interceptions. This protection was made during 1968 in response to electronic eavesdropping conducted by government. (Cohodas, Congress_Races_to_stay_Ahead_of_Technology, Congressional Quarterly Weekly Report, May 31, 1986, 1235.) Although e-mail appears to come under the old 18 U.S.C. sec. 2510(1) definition of "wire communication," it was limited to audio transmissions by wire or cable. The old 18 U.S.C. sec. 2510(4) required that an interception of a wire communication be an aural acquisition of the communication. By being "aural," the communication must be "heard." There would be a problem as to whether an electronic communication could be "heard." Data transmissions over telephone lines generally sound like unintelligible noisy static or high pitched tones. There would certainly be no protection after a communication has completed its transmission and been stored on a computer. The communication's conversion into computer stored data, thus no longer in transmission until later retrieved or forwarded as transmission to another computer system, would clearly take the communication out of the old statutory protected coverage. "Eighteen years ago ... Congress could not appreciate - or in some cases even contemplate - [today's] telecommunications and computer technology...." (132 Cong. Rec. S7992 (daily ed. June 19, 1986) (statement of Sen. Leahy).) COMPARISON WITH U.S. MAIL PROTECTION A letter sent by first class mail is given a high level of protection against unauthorized intrusion by a combination of federal and U.S. Postal Service statutes and regulations. For instance, the unauthorized taking out of and examining of the contents of mail held in a "depository for mail matter" before it is delivered to the mail's intended recipient is punishable by fine, imprisonment, or both. (18 U.S.C. sec. 1702.) In comparison, under the old law, electronic communications had no protection. Federal protection for U.S. Mail provided a suggested direction as to how electronic communications should be protected when it was no longer in transmission. SOLUTION - THE NEW LAW There are two methods towards a solution: (1) court decisions; or (2) new legislated privacy protection. COURT DECISIONS Courts may have chosen to read computer communications protection into the old federal wiretap statute or into existing state law. However, they were reluctant to do so. Courts "are in no hurry to [revise or make new law in this area] and some judges are openly asking Congress for help.... [F]ederal Appeals Court Judge Richard Posner in Chicago said Congress needed to revise current law, adding that 'judges are not authorized to amend statutes even to bring them up-to-date.'" (Cohodas, 1233.) NEW STATUTE Last October 21, 1986, President Reagan signed the new Electronic Communications Privacy Act of 1986 amending the federal wiretap law. ECPA has since went into effect during the beginning of 1987. (P.L. 99-508, Title I, sec. 111, 100 Stat. 1859; P.L. 99-508, Title II, sec. 202, 100 Stat. 1868.) ECPA created parallel privacy protection against both interception of electronic communications while in transmission and unauthorized access to electronic communications stored on a system. The new ECPA first provides privacy protection for any 'electronic communication' ... [by] any transfer of signs, signals, writing, images, sounds, data or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce...." (18 U.S.C. secs. 2510(12), 2511.) The Senate Report noted examples of electronic communications to include non-voice communications such as "electronic mail, digitized transmissions, and video teleconferences." (S. Rep. No. 541, 99th Cong., 2d Sess. 14 reprinted_in 1986 U.S. Code Cong. & Ad. News 3568.) Electronic communication is defined in terms of how it is transmitted. So long as the means by which a communication is transmitted affects interstate or foreign commerce, the communication is covered ECPA. (18 U.S.C. sec. 2510(12).) Generally, that would include all telephonic means including private networks and intra-company communications. (S. Rep. No. 541, 99th Cong., 2d Sess. 12 reprinted_in 1986 U.S. Code Cong. & Ad. News 3566.) Second, ECPA protects the electronic communication when it has been stored after transmission, such as e-mail left on an electronic computer communication system for later pickup by its intended recipient. (18 U.S.C. sec. 2510(17).) The legislation makes it a federal criminal offense to break into any electronic system holding private communications or to exceed authorized access to alter or obtain the stored communications. (18 U.S.C. sec. 2701(a).) The legislation would protect electronic computer communication systems from law enforcement invasion of user e-mail without a court order. (18 U.S.C. secs. 2517, 2518, 2703.) Although the burden of preventing disclosure of the e-mail is placed on the subscriber or user of the system, the government must give him fourteen days notice to allow him to file a motion to quash a subpoena or to vacate a court order seeking disclosure of his computer material. (18 U.S.C. sec. 2704(b).) However, the government may give delayed notice where there are exigent circumstances as listed by the Act (18 U.S.C. sec. 2705.) Recognizing the easy user destruction of computer data, ECPA allows the government to include in its subpoena or court order the requirement that the provider or operator retain a backup copy of electronic communications when there is risk of user destruction. (18 U.S.C. sec. 2704(a).) The legislation gives a civil cause of action to the provider or operator, subscriber, customer or user of the system aggrieved by an invasion of an electronic communication in the system in violation of the ECPA. (18 U.S.C. secs. 2520, 2707.) If the provider or operator has to disclose information stored on his system due to a court order, warrant, subpoena, or certification under ECPA, no cause of action can be brought against him by the person aggrieved by such disclosure. (18 U.S.C. sec. 2703(e); see_also 18 U.S.C. secs. 2701(c), 2702(b), 2511(2)(a)(i), 2511(3)(b)(iii) where the systems operator or provider is not held criminally liable, may observe a private communication while performing employment duties or according to authorization, etc., may intercept private communication while making quality control checks or during the course of forwarding communications to another system.) SYSTEMS COVERED Clearly, the national commercial services in the United States, including CompuServe, MCI Mail or a company using a contracted e-mail service, such as GE QUIK-COM (See S. Rep. No. 99-541, 99th Cong., 2d Sess. 8 reprinted_in 1986 U.S. Code Cong. & Ad. News 3562) are covered by ECPA. However, there may be some confusion as to whether ECPA would protect electronic communications found on a mere hobbyist-supported BBS. For instance, language in ECPA does not expressly state the term "bulletin board." Nonetheless, ECPA would indeed cover electronic bulletin boards. What are electronic bulletin boards? Generally, they are personal computers provided for and maintained by computer hobbyists out of their own personal resources. These systems traditionally allow free access to computer/modem-equipped members of local communities and provide for both public and private electronic mail exchange. Some sophisticated systems, such as the ProLine system written for Apple II computers, provide callers with personal user areas where they may keep private files much like the CompuServe personal file areas. Augmenting the single stand-alone BBS, there are networks of bulletin boards linked together, often with the assistance of university mainframes, with other bulletin boards or mainframe computers by sophisticated "mail routing" systems (such as ARPAnet and FIDOnet). These networks use sophisticated message addressing instructions and computer automation where networked computers make calls to other networked computers to exchange "net-news" or private mail between users of the different bulletin boards. Given the proper address routing instructions, a user may communicate with another user on a cross-town BBS or on a BBS in another part of the country. Although there is some delay with messages being routed through a network, these networks help to reduce or eliminate the computer hobbyist's need to make direct toll or long distance calls to faraway systems or having to pay subscription fees to use a commercial electronic mail service. (Note, there are also network exchange systems and "gateways" between commercial services.) As an alternative to commercial service subscriptions, businesses have been turning to the use of BBS's and BBS mailing networks for increased productivity, paperwork reduction, improved client contact and the elimination of "telephone tag." (See Keaveney, Custom-Built_Bulletin_Boards, Personal Computing, Aug. 1987, 91.) A number of these corporate BBS's are open to the public with restricted access to business and client system areas. Examples of such systems include two Washington D.C. area boards run by Gannet Company Inc. ("[f]or all Gannet/USA Today employees and other computer users") and Issue Dynamics Inc. (catering to the consulting company's clients). ECPA language would show protection for bulletin boards. 18 U.S.C. sec. 2510(15) provides that "'electronic communication service' means any service which provides to users thereof the ability to send or receive wire or electronic communications" (emphasis added). A "remote computing service" was defined in the Act as an electronic communications system that provides computer storage or processing services to the public. (18 U.S.C. sec. 2710(2).) An intra-company communications system, the corporate BBS, would also be protected. (S. Rep. No. 541, 99th Cong., 2d Sess. 12 reprinted_in 1986 U.S. Code Cong. & Ad. News 3566.) Language in ECPA refers to "the person or entity providing the wire or electronic communication service," such as in 18 U.S. secs. 2701(c)(1) and 2702(a)(1). Such language would indicate the inclusion of individuals and businesses who operate bulletin board systems. The Senate report, in addition to defining "electronic mail," gave a separate definition of "electronic bulletin boards": Electronic "bulletin boards" are communications networks created by computer users for the transfer of information among computers. These may take the form of proprietary systems or they may be noncommercial systems operating among computer users who share special interests. These noncommercial systems may [or may not] involve fees covering operating costs and may require special "passwords" which restrict entry to the system. These bulletin boards may be public or semi-public in nature, depending on the degree of privacy sought by users, operators or organizers of such systems. (S. Rep. No. 541, 99th Cong., 2d Sess. 8-9 reprinted_in 1986 U.S. Code Cong. & Ad. News 3562-3563.) ECPA, as enacted, takes note of the different levels of security found on hobbyist-supported BBS's, i.e. the difference between configured system areas containing private electronic mail and other areas configured to contain public material. (18 U.S.C. sec. 2511(2)(g)(i).) The electronic communications which a user seeks to keep private, through methods provided by the system, would be protected by ECPA. In contrast, there would be no liability for access to features configured by the system to be readily accessible by the general public. An indicia of privacy on the system, with no notice to show otherwise, would trigger ECPA coverage. An indicia of privacy may include passwords and prompts asking if a message is to be kept private. House Representative Kastenmeier noted that there was an unusual coalition of groups, businesses and organizations interested in ECPA. (Kastenmeier, Communications_Privacy, Communications Lawyer, Winter 1987, 1, 24.) Among those interested included the BBS community. Reporters in the BBS community noted how Senator Leahy and others were receptive to their concerns. They report Leahy to have been "soliciting [users and BBS operators'] comments and encourag[ing] sensitivity to the needs of BBS's in the legislation.... [Senators and congressional members] are ... willing to listen to our side of things." (BBSLAW02.MSG, dated 07/24/85, information from Chip Berlet, Secretary, National Lawyers Guild Civil Liberties Committee, transmitted by Paul Bernstein, SYSOP, LAW MUG, Chicago, Illinois (312)280-8180, regarding Federal Legislation Affecting Computer Bulletin Boards, deposited on The Legacy Network (213)553-1473 in Los Angeles, California.) ESCAPING COVERAGE There are at least two possible ways to escape ECPA coverage. The first is to provide adequate notice that all material on a service or system may be publicly accessible even though methods of providing privacy remain. The bulletin board system maintained by DePaul University College of Law (312)341-6217, Chicago, Illinois, provides an example of an electronic notice (displayed upon user access): PURSUANT TO THE ELECTRONIC AND COMMUNICATIONS PRIVACY ACT OF 1986, 18 USC 2510 et. seq., NOTICE IS HEREBY GIVEN THAT THERE ARE NO FACILITIES PROVIDED BY THIS SYSTEM FOR SENDING OR RECEIVING PRIVATE OR CONFIDENTIAL ELECTRONIC COMMUNICATIONS. ALL MESSAGES SHALL BE DEEMED TO BE READILY ACCESSIBLE TO THE GENERAL PUBLIC. Do NOT use this system for any communication for which the sender intends only the sender and the intended recipient or recipients to read. Note, although the DePaul notice states otherwise, user-operated message privacy toggles remain on the board. The second possible method to escape ECPA coverage would be to merely not provide any means of privacy. One way of foiling the intent of a government subpoena or court order requirement to keep duplicate copies of private electronic communications would be the use of passworded private e-mail. For instance, the private e-mail capabilities of GEnie Mail and GE QUIK-COM include user-toggled passwording which utilizes an encryption technique that no one, not even the provider, knows how to decipher. Bill Louden, General Manager of GEnie (General Electric Network for Information Exchange), noted how GEnie Mail and GE QUIK-COM passworded e-mail cannot be read by anyone who did not know the password. "[N]ot even our 'god' number could ever read the [passworded] mail." (Message from Bill Louden, GEnie, Legacy RoundTable (LAW), category 1, topic 7, message 6 (May 15, 1987).) The writer of the encryption software has since left General Electric and no one has had success in breaking the code. (Message from Bill Louden, GEnie, Legacy RoundTable (LAW), category 1, topic 7, message 10 (May 17, 1987).) CONCLUSION With ECPA, e-mail and other private electronic communications stored on computer communication systems have privacy protection. Unfortunately, before ECPA, federal statutory guidelines for such protection were not articulated. Case law also did not provide any helpful guidance. The peculiarities of computers and computer storage were not addressed by the old wiretap laws. Electronic communications privacy could not stand up against constitutional privacy law as defined by the United States Supreme Court. The then existing law was "hopelessly out of date." (S. Rep. No. 541, 99th Cong., 2d Sess. 2 reprinted_in 1986 U.S. Code Cong. & Ad. News 3556 (statement of Sen. Leahy).) Fortunately, a legislative solution to bring privacy law up to date with the advancing computer communication and information technology was provided for in ECPA. ------------------------- Copyright 1986, 1987 Ruel T. Hernandez. This paper was originally written for a Law and Technology seminar course at California Western School of Law. The author may be contacted via CompuServe (71450,3341) or GEnie (R.HERNANDEZ) or Intermail/UUCP (ruel@cup.portal.com).