Civil Liberties in Cyberspace:
When does hacking turn from an exercise
of civil liberties into crime?

by Mitchell Kapor

published in Scientific American,
September, 1991.


On March 1, 1990, the U.S. Secret Service raided the offices of Steve
Jackson, an entrepreneurial publisher in Austin, Tex. Carrying a
search warrant, the authorities confiscated computer hardware and
software, the drafts of his about-to-be-released book and many business
records of his company, Steve Jackson Games. They also seized the
electronic bulletin-board system used by the publisher to communicate
with customers and writers, thereby seizing all the private electronic
mail on the system.


The Secret Service held some of the equipment and material for months,
refusing to discuss their reasons for the raid. The publisher was forced
to reconstruct his book from old manuscripts, to delay filling orders
for it and to lay off half his staff. When the warrant application was
finally unsealed months later, it confirmed that the publisher was
never suspected of any crime.


Steve Jackson's legal difficulties are symptomatic of a widespread
problem.  During the past several years, dozens of individuals have been
the subject of similar searches and seizures. In any other context, this
warrant might never have been issued. By many interpretations, it
disregarded the First and Fourth Amendments to the U. S. Constitution,
as well as several existing privacy laws. But the government proceeded
as if civil liberties did not apply. In this case, the government was
investigating a new kind of crime -- computer crime.


The circumstances vary, but a disproportionate number of cases share a
common thread: the serious misunderstanding of computer-based communi-
cation and its implications for civil liberties. We now face the task
of adapting our legal institutions and societal expectations to the
cultural phenomena that even now are springing up from communications
technology.


Our society has made a commitment to openness and to free
communication. But if our legal and social institutions fail to adapt
to new technology, basic access to the global electronic media could be
seen as a privilege, granted to those who play by the strictest rules,
rather than as a right held by anyone who needs to communicate. To
assure that these freedoms are not compromised, a group of computer
experts, including myself, founded the Electronic Frontier Foundation
(EFF) in 1990.


In many respects, it was odd that Steve Jackson Games got caught up in a
computer crime investigation at all. The company publishes a popular,
award-winning series of fantasy roleplaying games, produced in the
form of elaborate rule books. The raid took place only because law
enforcement officials misunderstood the technologies -- computer
bulletin-board systems (BBSs) and on-line forums -- and misread the
cultural phenomena that those technologies engender.


Like a growing number of businesses, Steve Jackson Games operated an
electronic bulletin board to facilitate contact between players of its
games and their authors. Users of this bulletin-board system dialed in
via modem from their personal computers to swap strategy tips, learn
about game upgrades, exchange electronic mail and discuss games and
other topics.


Law enforcement officers apparently became suspicious when a Steve
Jackson Games employee -- on his own time and on a BBS he ran from his
house -- made an innocuous comment about a public domain protocol for
transferring computer files called Kermit. In addition, officials
claimed that at one time the employee had had on an electronic
bulletin board a copy of Phrack, a widely disseminated electronic publi-
cation, that included information they believed to have been stolen from
a BellSouth computer.


The law enforcement officials interpreted these facts as unusual
enough to justify not only a search and seizure at the employee's
residence but also the search of Steve Jackson Games and the seizure of
enough equipment to disrupt the business seriously. Among the items
confiscated were all the hard copies and electronically stored copies of
the manuscript of a rule book for a role-playing game called GURPS
Cyberpunk, in which inhabitants of so-called cyberspace invade
corporate and government computer systems and steal sensitive data.
Law enforcement agents regarded the book, in the words of one, as "a
handbook for computer crime."


A basic knowledge of the kinds of computer intrusion that are
technically possible would have enabled the agents to see that GURPS
Cyberpunk was nothing more than a science fiction creation and that
Kermit was simply a legal, frequently used computer program.
Unfortunately, the agents assigned to investigate computer crime did not
know what -- if anything -- was evidence of criminal activity.
Therefore, they intruded on a small business without a reasonable
basis for believing that a crime had been committed and conducted a
search and seizure without looking for "particular" evidence, in vi-
olation of the Fourth Amendment of the Constitution.


Searches and seizures of such computer systems affect the rights of
not only their owners and operators but also the users of those systems.
Although most BBS users have never been in the same room with the
actual computer that carries their postings, they legitimately expect
their electronic mail to be private and their lawful associations to
be protected.


The community of bulletin-board users and computer networkers may be
small, but precedents must be understood in a greater context. As
forums for debate and information exchange, computer-based bulletin
boards and conferencing systems support some of the most vigorous
exercise of the First Amendment freedoms of expression and association
that this country has ever seen. Moreover, they are evolving rapidly
into large-scale public information and communications utilities.


These utilities will probably converge into a digital national public
network that will connect nearly all homes and businesses in the U.S.
This network will serve as a main conduit for commerce, learning,
education and entertainment in our society, distributing images and
video signals as well as text and voice.  Much of the content of this
network will be private messages serving as "virtual" town halls,
village greens and coffeehouses, where people post their ideas in public
or semipublic forums.


Yet there is a common perception that a defense of electronic civil
liberties is somehow opposed to legitimate concerns about the
prevention of computer crime. The conflict arises, in part, because
the popular hysteria about the technically sophisticated youths known as
hackers has drowned out reasonable discussion.


Perhaps inspired by the popular movie _WarGames_, the general public
began in the 1980s to perceive computer hackers as threats to the
safety of this country's vital computer systems. But the image of
hackers as malevolent is purchased at the price of ignoring the
underlying reality -- the typical teenage hacker is simply tempted by
the prospect of exploring forbidden territory. Some are among our best
and brightest technological talents: hackers of the 1960s and 1970s,
for example, were so driven by their desire to master, understand and
produce new hardware and software that they went on to start companies
called Apple, Microsoft and Lotus.


How do we resolve this conflict? One solution is ensure that our scheme
of civil and criminal laws provides sanctions in proportion to the
offenses. A system in which an exploratory hacker receives more time in
jail than a defendant convicted of assault violates our sense of
justice. Our legal tradition historically has shown itself capable of
making subtle and not-so-subtle distinctions among criminal offenses.


There are, of course, real threats to network and system security. The
qualities that make the ideal network valuableQits popularity, its
uniform commands, its ability to handle financial transactions and its
international access -- also make it vulnerable to a variety of
abuses and accidents. It is certainly proper to hold hackers
accountable for their offenses, but that accountability should never
entail denying defendants the safeguards of the Bill of Rights,
including the rights to free expression and association and to free-
dom from unreasonable searches and seizures.


We need statutory schemes that address the acts of true computer crim-
inals (such as those who have created the growing problem of toll and
credit-card fraud) while distinguishing between those criminals and
hackers whose acts are most analogous to noncriminal trespass. And we
need educated law enforcement officials who will be able to recognize
and focus their efforts on the real threats.


The question then arises: How do we help our institutions, and
perceptions, adapt? The first step is to articulate the kinds of values
we want to see protected in the electronic society we are now shaping
and to make an agenda for preserving the civil liberties that are
central to that society. Then we can draw on the appropriate legal
traditions that guide other media. The late Ithiel de Sola Pool argued
in his influential book Technologies of Freedom that the medium of
digital communications is heir to several traditions of control: the
press, the common carrier and the broadcast media.


The freedom of the press to print and distribute is explicitly
guaranteed by the First Amendment. This freedom is somewhat limited,
particularly by laws governing obscenity and defamation, but the thrust
of First Amendment law, especially in this century, prevents the
government from imposing "prior restraint" on publications.


Like the railroad networks, the telephone networks follow common-car-
rier principles -- they do not impose content restrictions on the
"cargo" they carry. It would be unthinkable for the telephone company to
monitor our calls routinely or cut off conversations because the
subject matter was deemed offensive.


Meanwhile the highly regulated broadcast media are grounded in the
idea, arguably mistaken, that spectrum scarcity and the pervasiveness
of the broadcast media warrant government allocation and control of
access to broadcast frequencies (and some control of content). Access
to this technology is open to any consumer who can purchase a radio or
television set, but it is nowhere near as open for information
producers.


Networks as they now operate contain elements of publishers,
broadcasters, bookstores and telephones, but no one model fits. This
hybrid demands new thinking or at least a new application of the old
legal principles. As hybrids, computer networks also have some features
that are unique among the communications media. For example, most
conversations on bulletin boards, chat lines and conferencing systems
are both public and private at once. The electronic communicator speaks
to a group of individuals, only some of whom are known personally, in a
discussion that may last for days or months.


But the dissemination is controlled, because the membership is limited
to the handful of people who are in the virtual room, paying attention.
Yet the result may also be "published" -- an archival textual or voice
record can be automatically preserved, and newcomers can read the
backlog. Some people tend to equate on-line discussions with party (or
party-line) conversations, whereas others compare them to newspapers
and still others think of citizens band radio.


In this ambiguous context, freespeech controversies are likely to
erupt. Last year an outcry went up against the popular Prodigy comput-
er service, a joint venture of IBM and Sears, Roebuck and Co. The
problem arose because Prodigy management regarded their service as
essentially a newspaper" or "magazine," for which a hierarchy of
editorial control is appropriate. Some of Prodigy's customers, in
contrast, regarded the service as more of a forum or meeting place.


When users of the system tried to protest Prodigy's policy, its editors
responded by removing the discussion.  then the protestors tried to
use electronic mail as a substitute for electron- assembly,
communicating through huge mailing lists. Prodigy placed a limit on the
number of messages each individual could send.


The Prodigy controversy illustrates important principle that belongs on
civil liberties agenda for the future: freedom-of-speech issues will not
disappear simply because a service provider has tried to impose a
metaphor on its service. Subscribers sense, I believe, that freedom of
speech on the networks is central for individuals to use electronic
communications. Science fiction writer William Gibson once remarked
that "the street finds its own uses for things." Network service pro-
viders will continue to discover that their customers will always find
their own best uses for new media.


Freedom of speech on networks will be promoted by limiting content-based
regulations and by promoting competition among providers of network
services. The first is necessary because governments will be tempted
to restrict the content of any information service they subsidize or
regulate. The second is necessary because market competition is the
most efficient means of ensuring that needs of network users will be
met.


The underlying network should essentially be a "carrier" -- it should
operate under a content-neutral regime in which access is available to
any entity that can pay for it. The information and forum services would
be "nodes" on this network. (Prodigy, like GEnie and CompuServe,
currently maintains its own proprietary infrastructure, but a future
version of Prodigy might share the same network with services like
CompuServe.)


Each service would have its own unique character and charge its own
rates. If a Prodigy-like entity correctly perceives a need for an
electronic "newspaper" with strong editorial control, it will draw an
audience. Other less hierarchical services will share the network with
that "newspaper" yet find their own market niches, varying by format and
content.


The prerequisite for this kind of competition is a carrier capable of
highbandwidth traffic that is accessible to individuals in every
community. Like common carriers, these network carriers should be seen
as conduits for the distribution of electronic transmissions.  They
should not be allowed to change the content of a message or to discrim-
inate among messages.

This kind of restriction will require shielding the carriers from legal
liabilities for libel, obscenity and plagiarism.  Today the ambiguous
state of liability law has tempted some computer network carriers to
reduce their risk by imposing content restrictions. This could be
avoided by appropriate legislation. Our agenda requires both that the
law shield carriers from liability based on content and that carriers
not be allowed to discriminate.


All electronic "publishers" should be allowed equal access to networks.
Ultimately, there could be hundreds of thousands of these information
providers, as there are hundreds of thousands of print publishers
today. As "nodes," they will be considered the conveners of the
environments within which on-line assembly takes place.


None of the old definitions will suffice for this role. For example,
to safeguard the potential of free and open inquiry, it is desirable
to preserve each electronic publisher's control over the general flow
and direction of material under his or her imprimaturQin effect, to give
the "sysop," or system operator, the prerogatives and protections of a
publisher.


But it is unreasonable to expect the sysop of a node to review every
message or to hold the sysop to a publish er's standard of libel.
Message traffic on many individually owned services is already too
great for the sysop to review.  We can only expect the trend to grow.
Nor is it appropriate to compare nodes to broadcasters (an analogy
likely to lead to licensing and content-based regulation). Unlike the
broadcast media, nodes do not dominate the shared resource of a public
community, and they are not a pervasive medium. To take part in a
controversial discussion, a user must actively seek entry into the
appropriate node, usually with a subscription and a password.


Anyone who objects to the content of a node can find hundreds of other
systems where they might articulate their ideas more freely. The danger
is if choice is somehow restricted: if all computer networks in the
country are restrained from allowing discussion on particular subjects
or if a publicly sponsored computer network limits discussion.


This is not to say that freedom-of-speech principles ought to protect
all electronic communications. Exceptional cases, such as the BBS used
primarily to traffic in stolen long-distance access codes or credit-card
numbers, will always arise and pose problems of civil and criminal
liability. We know that electronic freedom of speech, whether in public
or private systems, cannot be absolute. In face-to-face conversation and
printed matter today, it is commonly agreed that freedom of speech
does not cover the communications inherent in criminal conspiracy,
fraud, libel, incitement to lawless action and copyright infringement.


If there are to be limits on electronic freedom of speech, what
precisely should those limits be? One answer to this question is the
U.S. Supreme Court's 1969 decision in Brandenburg v. Ohio.  The court
ruled that no speech should be subject to prior restraint or criminal
prosecution unless it is intended to incite and is likely to cause
imminent lawless action.


In general, little speech or publication falls outside of the
protections of the Brandenburg case, since most people are able to
reflect before acting on a written or spoken suggestion. As in
traditional media, any on-line messages should not be the basis of
criminal prosecution unless the Brandenburg standard is met.


Other helpful precedents include cases relating to defamation and
copyright infringement. Free speech does not mean one can damage a
reputation or appropriate a copyrighted work without being called to
account for it. And it probably does not mean that one can release a
virus across the network in order to "send a message" to network
subscribers. Although the distinction is trickier than it may first
appear, the release of a destructive program, such as a virus, may be
better analyzed as an act rather than as speech.


Following freedom of speech on our action agenda is freedom from unrea-
sonable searches and seizures. The Steve Jackson case was one of many
cases in which computer equipment and disks were seized and held some-
times for months -often without a specific charge being filed. Even when
only a few files were relevant to an investigation, entire computer
systems, including printers, have been removed with their hundreds of
files intact.


Such nonspecific seizures and searches of computer data allow "rummag-
ing," in which officials browse through private files in search of
incriminating evidence. In addition to violating the Fourth Amendment
requirement that searches and seizures be "particular," these searches
often run afoul of the Electronic Communications Privacy Act of 1986.
This act prohibits the government from seizing or intercepting elec-
tronic communications without proper authorization. They also contravene
the Privacy Protection Act of 1980, which prohibits the government from
searching the offices of Dublishers for documents, including
materials that are electronically stored.


We can expect that law enforcement agencies and civil libertarians
will agree over time about the need to establish procedures for
searches and seizures of "particular" computer data and hardware. Law
enforcement officials will have to adhere to guidelines in the above
statutes to achieve Fourth Amendment "particularity" while maximizing
the efficiency of their searches. They also will have to be trained to
make use of software tools that allow searches for particular files or
particular information within files on even the most capacious hard
disk or optical storage device.


Still another part of the solution will be law enforcement's abandonment
of the myth of the clever criminal hobbyist. Once law enforcement no
longer assumes worst-case behavior but looks instead for real evidence
of criminal activity, its agents will learn to search and seize only
what they need.


Developing and implementing a civil liberties agenda for computer net-
works will require increasing participation by technically trained
people. Fortunately, there are signs that this is begining to happen.
The Computers, Freedom and Privacy Conference, held last spring in San
Francisco, along with electronic conferences on the WELL (Whole Earth
'Lectronic Link) and other computer networks, have brought law
enforcement officials, supposed hackers and interested members of the
computer community together in a spirit of free and frank discussion.
Such gatherings are beginning to work out the civil liberties guidelines
for a networked society.


There is general agreement, for example, that a policy on electronic
crime should offer protection for security and privacy on both
individual and institutional systems. Defining a measure of damages
and setting proportional punishment will require further goodfaith
deliberations by the community involved with electronic freedoms, in-
cluding the Federal Bureau of Investigation, the Secret Service, the
bar associations, technology groups, telephone companies and civil
libertarians.  It will be especially important to represent the damage
caused by electronic crime accurately and to leave room for the valuable
side of the hacker spirit: the interest in increasing legitimate under-
standing through exploration.


We hope to see a similar emerging consensus on security issues. Network
systems should be designed not only to provide technical solutions to
security problems but also to allow system operators to use them
without infringing unduly on the rights of users. A security system
that depends on wholesale monitoring of traffic, for example, would
create more problems than it would solve.


Those parts of a system where damage would do the greatest harm --
financial records, electronic mail, military data -- should be
protected. This involves installing more effective computer security
measures, but it also means redefining the legal interpretations of
copyright, intellectual property, computer crime and privacy so that
system users are protected against individual criminals and abuses by
large institutions. These policies should balance the need for civil
liberties against the need for a secure, orderly, protected electronic
society.


As we pursue that balance, of course, confrontations will continue to
take place. In May of this year, Steve Jackson Games, with the support
of the EFF, filed suit against the Secret Service, two individual Secret
Service agents, an assistant U.S. attorney and others.


The EFF is not seeking confrontation for its own sake. One of the
realities of our legal system is that one often has to fight for a legal
or constitutional right in the courts in order to get it recognized
outside the courts. One goal of the lawsuit is to establish clear
grounds under which search and seizure of electronic media is
"unreasonable" and unjust. Another is to establish the clear
applicability of First Amendment principles to the new medium.


But the EFF's agenda extends far beyond liagation. Our larger agenda
includes sponsoring a range of educational initiatives aimed at the
public's general lack of familiarity with the technology and its
potential. That is why there is an urgent need for technologically
knowledgeable people to take part in the public debate over communica-
tions policy and to help spread their understanding of these issues.
Fortunately, the very technology at stake -- electronic conferencing
-- makes it easier than ever before to get involved in the debate.