TUCoPS :: Cyber Law :: ecpalay.txt

The ECPA A Laymans View


                              A LAYMAN'S VIEW

                             Michael H. Riddle

(Copyright 1988, Michael H. Riddle.  This article may be further reproduced
and disseminated provided that no fees are charged beyond normal
reproduction costs and further provided that the following disclaimer is

DISCLAIMER: The author is not an lawyer.  This article represents one
layman's views of the background and contents of PL 99-508, the Electronic
Communications Privacy Act of 1986.  Anyone needing legal advice should
consult with the attorney of their choice.

Those of us who remember life before the Pepsi Generation can attest to the
change brought into our lives by advances in electronic technology.
Starting with the widespread use of the transistor, and continuing into the
integrated circuit, the large scale integrated circuit, the very large
scale integrated circuit, etc., electronic "miracles" have become
commonplace and cheap.  Perhaps the single best illustration of that change
is in the field of "information technology."  The advent of the personal
computer, the blurring of the lines between telecommunications and
computing, the breakup of the Bell system, and the growing technological
awareness of the general population have caused what can only be called a
revolution in the way we communicate with each other.  Not too many years
ago, we learned of world events from newspapers--today from television and
radio.  Not too many years ago we exchanged personal messages by mail--today
we telephone.  Not too many years ago, businesses in a hurry would send mail
special delivery--today they use overnight express or facsimile.  And,
increasingly, businesses and individuals use computer communications instead
of or in addition to these other means of passing information around our

Anytime someone passes what they hope to be a private communication to
another, they expect that their fellow citizens will respect its privacy.
Not only do the customs of society enforce this expectation, statute laws
have been enacted to insure it.  Thus, everyone knows, or should know, not
to tamper with the mail.  Everyone knows, or should know, not to
electronically eavesdrop ("bug") someone else's telephone calls.  And
everyone knows, or should know, not to do likewise with computer

Alas, not everyone knows that.  If everyone did, we wouldn't need laws to
protect what ought to be our reasonable expectations of privacy.  Not too
long ago, the Congress of the United States passed PL 99-508, the Electronic
Communications Privacy Act of 1986.  In doing so, Congress was recognizing
the way technology has changed society and trying to react to that change.

The Act contains two main parts, or Titles.  Title I--Interception of
Communications and Related Matters, merely updates existing laws to reflect
what I've said above.  Where the law used to say you can't bug private
telephone communications, it now says you can't bug private computer
communications.  Where it preserved your right to listen in to public radio
transmissions, it preserves your right to "listen in" to public computerized
transmissions (here the Congress particularly was thinking of unencrypted
satellite television, although the law is written in more general terms).
It allows the "provider of electronic communication service" (sysops, to
electronic bulletin board users) to keep records of who called and when, to
protect themselves from the fraudulent, unlawful or abusive use of such

Title II--Stored Wire and Electronic Communications and Transactional
Records Access, is the section that has caused the biggest concern among
bulletin board system operators and users.  Unfortunately, while a lot of
well-intentioned people knew that a law had been passed, most of them
started discussing it without taking the trouble to read it first.  As a
result, there has been a lot of misinformation about what it says, and a lot
of reaction and overreaction that was unnecessary.

The first thing we need to realize is that Title II adds a new chapter to
Title 18 of the United States Code (USC).  The USC fills most of two shelves
in the Omaha library.  It covers in general detail virtually everything the
federal government does.  In many places it gives departments and agencies
to pass rules and regulations that have the force of law.  If it didn't,
instead of filling two shelves it would probably fill two floors, and
Congress would be so bogged down in detail work it would get even less done
that it does now.  Of all the USC, Title 18 deals with Crimes and Criminal
Procedure.  That's where PL 99-508 talks about electronic communications.
It makes certain acts federal crimes.  Equally important, it protects
certain common-sense rights of sysops.

Under the Act, it is now a federal offense to access a system without
authorization.  That's right.  Using your "war-games dialer," you find a
modem tone on a number you didn't know about before and try to log on.  From
the way I read the law, you can try to log on without penalty.  After all,
you might not have used a war-games dialer.  You might just have got a wrong
number.  (Don't laugh, it's happened to me right here in Omaha!)  At the
point you realize its not the board you think you called, you ought to hang
up, because at the point where you gain access to that neat, new, unknown
system, you've just violated 18 USC 2701.

A lot of us are users of systems with "levels" of access.  In the BBS world,
levels may distinguish between old and new users, between club members and
non-members, or sysops from users.  In the corporate and government world,
levels may protect different types of proprietary information or trade
secrets.  Section 2701 also makes it a federal offense to exceed your
authorized access on a system.

What about electronic mail, or "e-mail?"  E-Mail has been the single biggest
area of misinformation about the new law.  First, section 2701 does make it
a federal offense to read someone else's electronic mail.  That would be
exceeding your authorization, since "private" e-mail systems do not intend
for anyone other than the sender or receiver to see that mail.  But, and a
big but, sysops are excluded.  Whoever staffed the bill for Congress
realized that system operators were going to have access to information
stored on their systems.  There are practical technical reasons for this,
but there are also practical legal reasons.  While the Act does not directly
address the liability of sysops for the use of their systems in illegal
acts, it recognizes they might have some liability, and so allows them to
protect themselves from illegal use.  Sysops are given a special
responsibility to go along with this special privilege.  Just like a letter
carrier can't give your mail to someone else, just like a telegraph operator
can't pass your telegram to someone else, just like a telephone operator
overhearing your call can't tell someone else what it was about, so sysops
are prohibited from disclosing your e-mail traffic to anyone, unless you (or
the other party to the traffic) give them permission.

Common sense, right.  So far all I think we've seen is that the law has
changed to recognize changes in technology.  But then, what about the
police?  If they can legally bug phones with a court order, if they can
legally subpoena telephone records, what can they do with bulletin boards?
Pretty much the same things.  The remaining sections of the Act go into
great detail about what the police can do and how they can do it.  The
detail is too much to get into in this article, and I would suggest that if
a sysop or user ever needed to know this information, that would be a case
when they ought to be seeing their attorney.  I will give a couple of
details, however:  if a sysop is served, they can be required to make a
backup copy of whatever information is on their system (limited, of course,
to that listed in the warrant or subpoena).  They must do this without
telling the persons under investigation.  They do not at this point,
generally, give the police the records.  They just tell the police that its
been done.  Then, the courts notify the user that this information has been
requested and the user has a chance to challenge it.  Eventually, after it
all gets sorted out, the information goes to the police or is destroyed,
whichever.  Again, if a sysop or user ever finds themselves in this
situation, don't rely on this article--see your lawyer.  And, see him/her
soon, because the Act imposes time limits.

If the Act makes all of this stuff federal crimes, what penalties does it
establish?  Again, generally, there are two cases.  The first is the one
most BBS operators and users will be concerned with.  "A fine of not more
than $5,000 or imprisonment for not more than six months, or both."
Actually, in the law, that's the second case.  The first is where businesses
were conducting industrial espionage--"for purposes of commercial advantage,
malicious destruction or damage, or private commercial gain."  In this case,
"a fine of not more that $250,000 or imprisonment for not more than one year,
or both, in the case of a first offense," and "a fine or imprisonment for not
more that two years, or both, for a subsequent offense."

What all this has said is that the federal criminal code now protects
electronic communications the way it previously protected written ones.  It
understands that mailmen, physical or electronic, have access to the mail
they carry, so it tells them not to tell.  It sets up some hefty penalties
for those who don't take privacy seriously enough.   And finally, it sets up
procedures for the contents of bulletin board and other electronic systems
to be sought for official investigation.  This is, of course, one layman's
opinion.  As long as the reader doesn't have criminal intent or hasn't been
served with some type of request for system records, it's probably adequate.
If, however, the reader finds him/herself confronting the law "up close and
personal," then this article should be noted for one and only one piece of
advice: see a lawyer, and soon!

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH