|
Civil Liberties in Cyberspace: When does hacking turn from an exercise of civil liberties into crime? by Mitchell Kapor published in Scientific American, September, 1991. On March 1, 1990, the U.S. Secret Service raided the offices of Steve Jackson, an entrepreneurial publisher in Austin, Tex. Carrying a search warrant, the authorities confiscated computer hardware and software, the drafts of his about-to-be-released book and many business records of his company, Steve Jackson Games. They also seized the electronic bulletin-board system used by the publisher to communicate with customers and writers, thereby seizing all the private electronic mail on the system. The Secret Service held some of the equipment and material for months, refusing to discuss their reasons for the raid. The publisher was forced to reconstruct his book from old manuscripts, to delay filling orders for it and to lay off half his staff. When the warrant application was finally unsealed months later, it confirmed that the publisher was never suspected of any crime. Steve Jackson's legal difficulties are symptomatic of a widespread problem. During the past several years, dozens of individuals have been the subject of similar searches and seizures. In any other context, this warrant might never have been issued. By many interpretations, it disregarded the First and Fourth Amendments to the U. S. Constitution, as well as several existing privacy laws. But the government proceeded as if civil liberties did not apply. In this case, the government was investigating a new kind of crime -- computer crime. The circumstances vary, but a disproportionate number of cases share a common thread: the serious misunderstanding of computer-based communi- cation and its implications for civil liberties. We now face the task of adapting our legal institutions and societal expectations to the cultural phenomena that even now are springing up from communications technology. Our society has made a commitment to openness and to free communication. But if our legal and social institutions fail to adapt to new technology, basic access to the global electronic media could be seen as a privilege, granted to those who play by the strictest rules, rather than as a right held by anyone who needs to communicate. To assure that these freedoms are not compromised, a group of computer experts, including myself, founded the Electronic Frontier Foundation (EFF) in 1990. In many respects, it was odd that Steve Jackson Games got caught up in a computer crime investigation at all. The company publishes a popular, award-winning series of fantasy roleplaying games, produced in the form of elaborate rule books. The raid took place only because law enforcement officials misunderstood the technologies -- computer bulletin-board systems (BBSs) and on-line forums -- and misread the cultural phenomena that those technologies engender. Like a growing number of businesses, Steve Jackson Games operated an electronic bulletin board to facilitate contact between players of its games and their authors. Users of this bulletin-board system dialed in via modem from their personal computers to swap strategy tips, learn about game upgrades, exchange electronic mail and discuss games and other topics. Law enforcement officers apparently became suspicious when a Steve Jackson Games employee -- on his own time and on a BBS he ran from his house -- made an innocuous comment about a public domain protocol for transferring computer files called Kermit. In addition, officials claimed that at one time the employee had had on an electronic bulletin board a copy of Phrack, a widely disseminated electronic publi- cation, that included information they believed to have been stolen from a BellSouth computer. The law enforcement officials interpreted these facts as unusual enough to justify not only a search and seizure at the employee's residence but also the search of Steve Jackson Games and the seizure of enough equipment to disrupt the business seriously. Among the items confiscated were all the hard copies and electronically stored copies of the manuscript of a rule book for a role-playing game called GURPS Cyberpunk, in which inhabitants of so-called cyberspace invade corporate and government computer systems and steal sensitive data. Law enforcement agents regarded the book, in the words of one, as "a handbook for computer crime." A basic knowledge of the kinds of computer intrusion that are technically possible would have enabled the agents to see that GURPS Cyberpunk was nothing more than a science fiction creation and that Kermit was simply a legal, frequently used computer program. Unfortunately, the agents assigned to investigate computer crime did not know what -- if anything -- was evidence of criminal activity. Therefore, they intruded on a small business without a reasonable basis for believing that a crime had been committed and conducted a search and seizure without looking for "particular" evidence, in vi- olation of the Fourth Amendment of the Constitution. Searches and seizures of such computer systems affect the rights of not only their owners and operators but also the users of those systems. Although most BBS users have never been in the same room with the actual computer that carries their postings, they legitimately expect their electronic mail to be private and their lawful associations to be protected. The community of bulletin-board users and computer networkers may be small, but precedents must be understood in a greater context. As forums for debate and information exchange, computer-based bulletin boards and conferencing systems support some of the most vigorous exercise of the First Amendment freedoms of expression and association that this country has ever seen. Moreover, they are evolving rapidly into large-scale public information and communications utilities. These utilities will probably converge into a digital national public network that will connect nearly all homes and businesses in the U.S. This network will serve as a main conduit for commerce, learning, education and entertainment in our society, distributing images and video signals as well as text and voice. Much of the content of this network will be private messages serving as "virtual" town halls, village greens and coffeehouses, where people post their ideas in public or semipublic forums. Yet there is a common perception that a defense of electronic civil liberties is somehow opposed to legitimate concerns about the prevention of computer crime. The conflict arises, in part, because the popular hysteria about the technically sophisticated youths known as hackers has drowned out reasonable discussion. Perhaps inspired by the popular movie _WarGames_, the general public began in the 1980s to perceive computer hackers as threats to the safety of this country's vital computer systems. But the image of hackers as malevolent is purchased at the price of ignoring the underlying reality -- the typical teenage hacker is simply tempted by the prospect of exploring forbidden territory. Some are among our best and brightest technological talents: hackers of the 1960s and 1970s, for example, were so driven by their desire to master, understand and produce new hardware and software that they went on to start companies called Apple, Microsoft and Lotus. How do we resolve this conflict? One solution is ensure that our scheme of civil and criminal laws provides sanctions in proportion to the offenses. A system in which an exploratory hacker receives more time in jail than a defendant convicted of assault violates our sense of justice. Our legal tradition historically has shown itself capable of making subtle and not-so-subtle distinctions among criminal offenses. There are, of course, real threats to network and system security. The qualities that make the ideal network valuableQits popularity, its uniform commands, its ability to handle financial transactions and its international access -- also make it vulnerable to a variety of abuses and accidents. It is certainly proper to hold hackers accountable for their offenses, but that accountability should never entail denying defendants the safeguards of the Bill of Rights, including the rights to free expression and association and to free- dom from unreasonable searches and seizures. We need statutory schemes that address the acts of true computer crim- inals (such as those who have created the growing problem of toll and credit-card fraud) while distinguishing between those criminals and hackers whose acts are most analogous to noncriminal trespass. And we need educated law enforcement officials who will be able to recognize and focus their efforts on the real threats. The question then arises: How do we help our institutions, and perceptions, adapt? The first step is to articulate the kinds of values we want to see protected in the electronic society we are now shaping and to make an agenda for preserving the civil liberties that are central to that society. Then we can draw on the appropriate legal traditions that guide other media. The late Ithiel de Sola Pool argued in his influential book Technologies of Freedom that the medium of digital communications is heir to several traditions of control: the press, the common carrier and the broadcast media. The freedom of the press to print and distribute is explicitly guaranteed by the First Amendment. This freedom is somewhat limited, particularly by laws governing obscenity and defamation, but the thrust of First Amendment law, especially in this century, prevents the government from imposing "prior restraint" on publications. Like the railroad networks, the telephone networks follow common-car- rier principles -- they do not impose content restrictions on the "cargo" they carry. It would be unthinkable for the telephone company to monitor our calls routinely or cut off conversations because the subject matter was deemed offensive. Meanwhile the highly regulated broadcast media are grounded in the idea, arguably mistaken, that spectrum scarcity and the pervasiveness of the broadcast media warrant government allocation and control of access to broadcast frequencies (and some control of content). Access to this technology is open to any consumer who can purchase a radio or television set, but it is nowhere near as open for information producers. Networks as they now operate contain elements of publishers, broadcasters, bookstores and telephones, but no one model fits. This hybrid demands new thinking or at least a new application of the old legal principles. As hybrids, computer networks also have some features that are unique among the communications media. For example, most conversations on bulletin boards, chat lines and conferencing systems are both public and private at once. The electronic communicator speaks to a group of individuals, only some of whom are known personally, in a discussion that may last for days or months. But the dissemination is controlled, because the membership is limited to the handful of people who are in the virtual room, paying attention. Yet the result may also be "published" -- an archival textual or voice record can be automatically preserved, and newcomers can read the backlog. Some people tend to equate on-line discussions with party (or party-line) conversations, whereas others compare them to newspapers and still others think of citizens band radio. In this ambiguous context, freespeech controversies are likely to erupt. Last year an outcry went up against the popular Prodigy comput- er service, a joint venture of IBM and Sears, Roebuck and Co. The problem arose because Prodigy management regarded their service as essentially a newspaper" or "magazine," for which a hierarchy of editorial control is appropriate. Some of Prodigy's customers, in contrast, regarded the service as more of a forum or meeting place. When users of the system tried to protest Prodigy's policy, its editors responded by removing the discussion. then the protestors tried to use electronic mail as a substitute for electron- assembly, communicating through huge mailing lists. Prodigy placed a limit on the number of messages each individual could send. The Prodigy controversy illustrates important principle that belongs on civil liberties agenda for the future: freedom-of-speech issues will not disappear simply because a service provider has tried to impose a metaphor on its service. Subscribers sense, I believe, that freedom of speech on the networks is central for individuals to use electronic communications. Science fiction writer William Gibson once remarked that "the street finds its own uses for things." Network service pro- viders will continue to discover that their customers will always find their own best uses for new media. Freedom of speech on networks will be promoted by limiting content-based regulations and by promoting competition among providers of network services. The first is necessary because governments will be tempted to restrict the content of any information service they subsidize or regulate. The second is necessary because market competition is the most efficient means of ensuring that needs of network users will be met. The underlying network should essentially be a "carrier" -- it should operate under a content-neutral regime in which access is available to any entity that can pay for it. The information and forum services would be "nodes" on this network. (Prodigy, like GEnie and CompuServe, currently maintains its own proprietary infrastructure, but a future version of Prodigy might share the same network with services like CompuServe.) Each service would have its own unique character and charge its own rates. If a Prodigy-like entity correctly perceives a need for an electronic "newspaper" with strong editorial control, it will draw an audience. Other less hierarchical services will share the network with that "newspaper" yet find their own market niches, varying by format and content. The prerequisite for this kind of competition is a carrier capable of highbandwidth traffic that is accessible to individuals in every community. Like common carriers, these network carriers should be seen as conduits for the distribution of electronic transmissions. They should not be allowed to change the content of a message or to discrim- inate among messages. This kind of restriction will require shielding the carriers from legal liabilities for libel, obscenity and plagiarism. Today the ambiguous state of liability law has tempted some computer network carriers to reduce their risk by imposing content restrictions. This could be avoided by appropriate legislation. Our agenda requires both that the law shield carriers from liability based on content and that carriers not be allowed to discriminate. All electronic "publishers" should be allowed equal access to networks. Ultimately, there could be hundreds of thousands of these information providers, as there are hundreds of thousands of print publishers today. As "nodes," they will be considered the conveners of the environments within which on-line assembly takes place. None of the old definitions will suffice for this role. For example, to safeguard the potential of free and open inquiry, it is desirable to preserve each electronic publisher's control over the general flow and direction of material under his or her imprimaturQin effect, to give the "sysop," or system operator, the prerogatives and protections of a publisher. But it is unreasonable to expect the sysop of a node to review every message or to hold the sysop to a publish er's standard of libel. Message traffic on many individually owned services is already too great for the sysop to review. We can only expect the trend to grow. Nor is it appropriate to compare nodes to broadcasters (an analogy likely to lead to licensing and content-based regulation). Unlike the broadcast media, nodes do not dominate the shared resource of a public community, and they are not a pervasive medium. To take part in a controversial discussion, a user must actively seek entry into the appropriate node, usually with a subscription and a password. Anyone who objects to the content of a node can find hundreds of other systems where they might articulate their ideas more freely. The danger is if choice is somehow restricted: if all computer networks in the country are restrained from allowing discussion on particular subjects or if a publicly sponsored computer network limits discussion. This is not to say that freedom-of-speech principles ought to protect all electronic communications. Exceptional cases, such as the BBS used primarily to traffic in stolen long-distance access codes or credit-card numbers, will always arise and pose problems of civil and criminal liability. We know that electronic freedom of speech, whether in public or private systems, cannot be absolute. In face-to-face conversation and printed matter today, it is commonly agreed that freedom of speech does not cover the communications inherent in criminal conspiracy, fraud, libel, incitement to lawless action and copyright infringement. If there are to be limits on electronic freedom of speech, what precisely should those limits be? One answer to this question is the U.S. Supreme Court's 1969 decision in Brandenburg v. Ohio. The court ruled that no speech should be subject to prior restraint or criminal prosecution unless it is intended to incite and is likely to cause imminent lawless action. In general, little speech or publication falls outside of the protections of the Brandenburg case, since most people are able to reflect before acting on a written or spoken suggestion. As in traditional media, any on-line messages should not be the basis of criminal prosecution unless the Brandenburg standard is met. Other helpful precedents include cases relating to defamation and copyright infringement. Free speech does not mean one can damage a reputation or appropriate a copyrighted work without being called to account for it. And it probably does not mean that one can release a virus across the network in order to "send a message" to network subscribers. Although the distinction is trickier than it may first appear, the release of a destructive program, such as a virus, may be better analyzed as an act rather than as speech. Following freedom of speech on our action agenda is freedom from unrea- sonable searches and seizures. The Steve Jackson case was one of many cases in which computer equipment and disks were seized and held some- times for months -often without a specific charge being filed. Even when only a few files were relevant to an investigation, entire computer systems, including printers, have been removed with their hundreds of files intact. Such nonspecific seizures and searches of computer data allow "rummag- ing," in which officials browse through private files in search of incriminating evidence. In addition to violating the Fourth Amendment requirement that searches and seizures be "particular," these searches often run afoul of the Electronic Communications Privacy Act of 1986. This act prohibits the government from seizing or intercepting elec- tronic communications without proper authorization. They also contravene the Privacy Protection Act of 1980, which prohibits the government from searching the offices of Dublishers for documents, including materials that are electronically stored. We can expect that law enforcement agencies and civil libertarians will agree over time about the need to establish procedures for searches and seizures of "particular" computer data and hardware. Law enforcement officials will have to adhere to guidelines in the above statutes to achieve Fourth Amendment "particularity" while maximizing the efficiency of their searches. They also will have to be trained to make use of software tools that allow searches for particular files or particular information within files on even the most capacious hard disk or optical storage device. Still another part of the solution will be law enforcement's abandonment of the myth of the clever criminal hobbyist. Once law enforcement no longer assumes worst-case behavior but looks instead for real evidence of criminal activity, its agents will learn to search and seize only what they need. Developing and implementing a civil liberties agenda for computer net- works will require increasing participation by technically trained people. Fortunately, there are signs that this is begining to happen. The Computers, Freedom and Privacy Conference, held last spring in San Francisco, along with electronic conferences on the WELL (Whole Earth 'Lectronic Link) and other computer networks, have brought law enforcement officials, supposed hackers and interested members of the computer community together in a spirit of free and frank discussion. Such gatherings are beginning to work out the civil liberties guidelines for a networked society. There is general agreement, for example, that a policy on electronic crime should offer protection for security and privacy on both individual and institutional systems. Defining a measure of damages and setting proportional punishment will require further goodfaith deliberations by the community involved with electronic freedoms, in- cluding the Federal Bureau of Investigation, the Secret Service, the bar associations, technology groups, telephone companies and civil libertarians. It will be especially important to represent the damage caused by electronic crime accurately and to leave room for the valuable side of the hacker spirit: the interest in increasing legitimate under- standing through exploration. We hope to see a similar emerging consensus on security issues. Network systems should be designed not only to provide technical solutions to security problems but also to allow system operators to use them without infringing unduly on the rights of users. A security system that depends on wholesale monitoring of traffic, for example, would create more problems than it would solve. Those parts of a system where damage would do the greatest harm -- financial records, electronic mail, military data -- should be protected. This involves installing more effective computer security measures, but it also means redefining the legal interpretations of copyright, intellectual property, computer crime and privacy so that system users are protected against individual criminals and abuses by large institutions. These policies should balance the need for civil liberties against the need for a secure, orderly, protected electronic society. As we pursue that balance, of course, confrontations will continue to take place. In May of this year, Steve Jackson Games, with the support of the EFF, filed suit against the Secret Service, two individual Secret Service agents, an assistant U.S. attorney and others. The EFF is not seeking confrontation for its own sake. One of the realities of our legal system is that one often has to fight for a legal or constitutional right in the courts in order to get it recognized outside the courts. One goal of the lawsuit is to establish clear grounds under which search and seizure of electronic media is "unreasonable" and unjust. Another is to establish the clear applicability of First Amendment principles to the new medium. But the EFF's agenda extends far beyond liagation. Our larger agenda includes sponsoring a range of educational initiatives aimed at the public's general lack of familiarity with the technology and its potential. That is why there is an urgent need for technologically knowledgeable people to take part in the public debate over communica- tions policy and to help spread their understanding of these issues. Fortunately, the very technology at stake -- electronic conferencing -- makes it easier than ever before to get involved in the debate.