LEGAL BYTES

__________________________________

Fall-Winter 1994, Volume 2, Number 2

__________________________________

By George, Donaldson & Ford, L.L.P.
Attorneys at Law
114 West Seventh Street, Suite 1000
Austin, Texas 78701
(512) 495-1400
(512) 499-0094 (FAX)
gdf@well.sf.ca.us

___________________________________

Copyright (c) 1994 George, Donaldson & Ford, L.L.P.
(Permission is granted freely to redistribute this newsletter in its entirety electronically.)

___________________________________

David H. Donaldson, Jr., Editor-in-Chief <6017080@mcimail.com>
Peter D. Kennedy, Senior Editor
Laura Prather, Contributing Editor

___________________________________

IN THIS ISSUE:

1. FIFTH CIRCUIT TACKLES E-MAIL INTERCEPTION ISSUE IN STEVE JACKSON GAMES v. U.S. SECRET SERVICE
2. COPYRIGHT AND JOINT AUTHORSHIP
3. DOING THE NON-LITERAL INFRINGEMENT TWIST
4. THINK BEFORE YOU LISTEN (AND RECORD) THAT FASCINATING CONVERSATION!
5. OTHER PEOPLE'S E-MAIL: TO READ OR NOT TO READ?

_____________________________________________________________________

1. FIFTH CIRCUIT TACKLES E-MAIL INTERCEPTION ISSUE IN STEVE JACKSON GAMES v. U.S. SECRET SERVICE

Legal Bytes has followed this ground-breaking lawsuit brought by a small Austin, Texas game publishing company and others against the U.S. Secret Service for an illegal raid and seizure of the company's electronic bulletin board system called "Illuminati." Steve Jackson Games won over $50,000 in damages from the Secret Service because of its illegal raid, and the individuals each won $1,000 awards because the Secret Service illegally seized their electronic mail. The Secret Service paid the judgments and did not appeal.

Steve Jackson Games and the others pressed forward with an appeal on the one issue they lost -- their argument that the Secret Service, when it seized the bulletin board system, not only illegally seized their mail but also illegally intercepted some of those messages.

From the users' point of view, the Secret Service raid did two things. First, the Secret Service walked off with all the mail in their mailboxes, and violated the Access to Stored Communication provision of the Electronic Communications Privacy Act. 18 U.S.C. § 2701, et seq. Some of those messages had been written, addressed, and sent, but not yet delivered to their addressee. They were temporarily resident on the Illuminati BBS's hard drive when the Secret Service seized the Illuminati computer. The users argued that the seizure of this in-transit mail was a second, separate violation of law -- an illegal interception of their mail prohibited by the Wiretap Act. 18 U.S.C. § 2510, et seq.

They argued that in-transit mail was different and important. These messages were especially sensitive and vulnerable: the senders had lost control over their messages, but the addressees had not yet received them. Neither party to the messages could choose to keep or throw away the message, and so neither could be said to have purposely risked unintentional disclosure of their messages by choosing to store them.

Further, the BBS model of "store and forward" of messages is replicated in all significant computer communications. Unlike the traditional model of a telephone conversation, which takes place effectively instantaneously, computer communications often reside some determinable period of time in temporary storage on their way to their final destination. The level of legal protection afforded BBS in-transit e-mail potentially affects most computer communications.

The Illuminati BBS users' argument was simple -- the Wiretap Act (as amended by the ECPA in 1986) defines "interception" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." The users argued that the Secret Service did, in fact, acquire the contents of the e-mail when it walked off with the machine, and that the Wiretap Act does not require that e-mail be in the process of transmission when it is acquired, only that it is somewhere between its origin and destination. If the users were right, the government would need a court wiretap order before seizing in-transit electronic communications, an even higher standard than that needed to gain access to stored electronic communications.

The Secret Service took the position that the Wiretap Act and the Stored Communications provision were separate, non-overlapping laws -- and that the Wiretap Act's prohibition of "interception" only applied to acts that tap into a data stream and capture the communication as it moves through a wire or cable. The Stored Communications provision, the Secret Service argued, applies to all stored communications, including those in temporary storage incident to transmission. Whether e-mail has been accessed by its recipient is irrelevant; what matters is whether the message is sitting still, or moving through wires when it is caught by the government.

The Fifth Circuit sided with the Secret Service. See 36 F.3d 457 (1994). It noted that the Wiretap Act defines "wire communications" as "aural transfers," and includes within the definition of "wire communications" those communications in electronic storage. In contrast, when the Act defines "electronic communications" as "any transfer" of data other than a wire communication, it does not include electronic storage of such communications.
Further, the Act does define "stored communications" to include electronic communications in "temporary, intermediate storage ... incidental to the electronic transmission thereof." Reading these provisions, the Court concluded that Congress must have meant to exclude the seizure of in-transit e-mail from the coverage of the Wiretap Act, and to leave it controlled by the Stored Communications provision only.[fn2]

[fn2: This raises an interesting question: what about the seizure of voice mail or answering machine recordings? These appear to be clearly "wire communications," not "electronic communications," because they record "aural transfers." If so, seizure of these recordings without a court order, at least before they are received by the intended recipient, would violate the Wiretap Act.]

It is important to note that the Fifth Circuit's decision does not leave e-mail without protection. The Fifth Circuit noted clearly that the Secret Service, by seizing, reading and deleting the Illuminati BBS e-mail without authorization, had violated 18 U.S.C. § 2701. Although law enforcement need not (within the Fifth Circuit, at least) get a court wiretap order to seize in-transit e-mail, any government access to e-mail must still meet the requirements of the Stored Communications provision of the ECPA (and the Fourth Amendment), which is no easy task.

____________________________________________________________________

2. COPYRIGHT AND JOINT AUTHORSHIP

Along with protecting solo inspirations, the Copyright Act also protects works created by two or more authors working together. Like joint owners of real estate, each "joint author" has all the rights and powers of a sole author, including the right to copy, display, perform, and create derivative works, and the power to transfer that right to others.

What does it take to become a joint author of a work?
The Copyright Act defines a joint author's work as "a work prepared by two or more authors with the intention that their contributions be merged into inseparable or interdependent parts of a unitary whole." The Act doesn't define, however, *how much* of a contribution it takes to become a "joint author."

Melvin Nimmer, a revered scholar of copyright law, is credited with originating a concept, adopted by many courts, that resulted in a relatively low threshold of joint authorship. Nimmer's formulation was a "de minimis" demarcation line requiring that "more than a word or line must be added by one who claims to be a joint author" -- but perhaps not much more. As long as one made more than a *de minimis* contribution to a copyrighted work, the contributor qualifies as a joint author even if his or her contribution itself would not be copyrightable, standing alone.

Recently, however, federal courts have reexamined the joint authorship issue and turned away from Professor Nimmer's formulation. The Seventh Circuit Court of Appeals (covering Wisconsin, Illinois and Indiana) in a case called ERICKSON v. TRINITY THEODORE, INC., 13 F.3d 1061 (7th Cir. 1994), spurned Nimmer's test for a younger, more attractive one proposed by Professor Jack Goldstein. Professor Goldstein's approach reasons that before claiming to be a "joint author," a collaborator ought to show that he or she could be an "author" based on his or her contribution to the work. That is, the collaborator's contribution, standing alone, must qualify as an original, copyrightable "work of authorship" before the collaborator is given the potentially valuable and powerful status of a joint author.

The Seventh Circuit decided that Professor Goldstein's test better balanced society's interest in promoting creativity, on the one hand, with the free exchange of ideas on the other, and adopted it.
The court stated that authors who merely consult others for ideas, reactions, editing or criticism (contributions that are not typically copyrightable taken alone) should be protected from claims of joint ownership by such contributors. The court reasoned that if mere suggestions, ideas or criticism could create joint authorship, the title of the copyright in the final work might remain fuzzy and subject to challenge. The Seventh Circuit (always attuned to the economic effects of legal rules) concluded that such uncertainty of title would affect the commercial value of such works and ought to be minimized.

The Seventh Circuit did not leave collaborators completely without rights: collaborators can realize the value of their contributions through contractual agreements, which can be used to compensate persons who make valuable, but perhaps not copyrightable, contributions to a work. But the court decided that copyrights -- government-created and protected rights -- will not be casually granted to secondary collaborators.

A good illustration of this shift in the willingness of courts to recognize joint authorship is the recent case of BALKIN v. WILSON, decided by a trial court in Michigan. (The opinion can be found on Westlaw at 1994 Westlaw 518849, No. 4-94-CV-35 (W.D. Mich. September 20, 1994).) Two professors, Balkin and Wilson, worked on a project called "Literacy News: Breaking the Language Barrier Through Songs." Balkin wrote songs and Wilson wrote teachers' manuals to be used with the songs. Wilson provided ideas and input on the songs' content, claiming to have discussed with Balkin 70% of them, but he didn't write any music or lyrics. While the project was never completed, Balkin gave Wilson tapes of the songs. Wilson copied the tapes and sold many of them to his students and others.
Balkin registered a copyright in the songs, and sued Wilson for an accounting of the money he made on the songs, claiming that it was Balkin who had the exclusive right to copy and sell the tapes. Wilson argued that he was a joint author, which would give him equal rights to copy and sell the tapes. Wilson admitted that his *ideas* and *discussions* with Balkin about the songs were not copyrightable but he claimed that his contribution to the final songs was more than "de minimis" -- enough to make him a joint author (at least under Professor Nimmer's test).

The district court agreed with the Seventh Circuit, though, and used Professor Goldstein's "independently copyrightable" approach instead. Because the ideas and concepts that Wilson contributed were not independently copyrightable, the court held that Wilson did *not* have the right to copy and sell the tapes as a joint author. Collaborators like Wilson, the court said, must look to contractual agreements, not copyright law, to be compensated for their contributions.

As these cases show, Professor Goldstein's approach is appealing for two reasons: First, it protects authors and those who deal with them from the uncertainty of joint authorship claims based on perhaps exaggerated opinions of the value of criticisms or contributions. Second, it provides more certainty to the definition of joint authorship because it incorporates the already well-defined concept of "copyrightability." Courts can now simply look to the law of copyright to determine whether a collaborator's contribution entitles him or her to joint authorship status, rather than try to define and apply an inevitably subjective level of "de minimis-ness." If the collaborator could have independently copyrighted the contribution that was incorporated into the work in question, he or she can claim joint ownership -- otherwise, copyright law provides no remedy, and collaborators need to protect themselves in other ways.

___________________________________________________________________

3. DOING THE NON-LITERAL INFRINGEMENT TWIST

Software companies have faced two major hurdles in figuring out whether copyright laws protect their creations. The first hurdle has been crossed: software has been declared to be more than a "useful article" (which would not be protected by the Copyright Act), and can be an "original work of authorship" entitled to legal protection. There is no longer any question that the *literal* elements of a computer program -- the source code and object code -- can be copyrighted just like books.

The second hurdle is still being crossed: whether, and to what extent, "non-literal" elements of software are also copyrightable. These non-literal elements include the program architecture, structure, sequence and organization, operational modules, and computer-user interfaces (the "look and feel" of software). This far more complicated question is still being hashed out in the federal courts.

Until recently, computer software companies who work (and may end up in court) in territory covered by the U.S. Court of Appeals for the Fifth Circuit (which includes all of Texas, Louisiana, and Mississippi) have faced real uncertainty in how the Fifth Circuit would react to claims of non-literal infringement -- where a party claims its software's copyright has been infringed, not by literal copying of code, but by mimicking its non-literal elements.

In 1987, the Fifth Circuit had apparently indicated that it would recognize only a narrow breed of non-literal infringement, if at all. In a case called PLAINS COTTON COOP. ASS'N v. GOODPASTURE COMPUTER SERV., INC., 807 F.2d 1256 (5th Cir.), cert. denied, 484 U.S. 821 (1987), the Fifth Circuit considered the claim of an employer who owned a mainframe software program that facilitated bidding on cotton orders. An employee had left Plains Cotton, formed a new company, and created a very similar software program for a PC platform.
Despite many similarities between the two programs' user interfaces and approaches to the data, the Fifth Circuit held that there was insufficient evidence of copying of *copyrightable* material, and reversed a temporary injunction that had issued against the ex-employee's new company.

The Fifth Circuit's PLAINS COTTON decision was made before several other federal courts had developed and begun using the "abstraction-filtration-comparison" approach to analyze claims of non-literal infringement. This analysis is generally considered to provide far more protection for non-literal aspects of computer programs than the Fifth Circuit's approach in PLAINS COTTON. See Legal Bytes, Vol. 1, Number 1 ("When is a Computer Program a Copy?").

The Fifth Circuit has now not only shed a remnant of nineteenth century thinking, but has forged ahead on the cutting edge of copyright protection. This summer, in a case called ENGINEERING DYNAMICS, INC. v. STRUCTURAL SOFTWARE, INC., 26 F.3d 1335 (5th Cir. 1994), the Fifth Circuit held that similarities between two computer programs' user interfaces could be the basis of a copyright infringement claim, even though the underlying programs were written in different languages and used different instructions to create the similar interfaces.

This decision was startling for several reasons, none of which was directly related to the case's facts. One surprise was that a current influential Fifth Circuit judge, Patrick E. Higginbotham, had previously taken a very different view of non-literal infringement when he was a federal trial judge in Dallas. In 1978, he had ruled in SYNERCOM TECHNOLOGY, INC. v. UNIVERSITY COMPUTING COMPANY, INC., 462 F. Supp. 1003 (N.D. Texas 1978), that mainframe data input formats were not copyrightable because key-punched card formats, as well as their sequence and organization, were non-copyrightable ideas rather than the copyrightable expression of an idea.

Another twist was that the defendant who won that case was none other than Engineering Dynamics, Inc. ("EDI"), who later became the plaintiff in ENGINEERING DYNAMICS, INC. v. STRUCTURAL SOFTWARE, INC. The attorney who successfully defended EDI against a claim of non-literal infringement before Judge Higginbotham -- Tom Cantrell -- was again hired by EDI to prosecute *its* claim of non-literal infringement against Structural Software, Inc. ("SSI").

After winning the 1978 case against Synercom, EDI continued to refine the user interface to its program, including an 80-column input format that was used with its mainframe software systems and had become familiar to many users. When EDI developed a new computer interface program, it kept the familiar 80-column input format.

In 1986, SSI entered the market with a product for personal computers that borrowed heavily from EDI's familiar 80-column format. EDI, which had once claimed that computer user interfaces couldn't be copyrighted, again used the same lawyer to sue SSI, and claim that the interfaces that it had created were copyrighted, and that SSI had infringed its copyright. There was no question that the two computer programs themselves were literally different -- SSI's program was written for use with PCs, using languages and approaches substantially different than those used in EDI's mainframe program.

At the time, SSI appeared to have a good defense. The Fifth Circuit had seemed to decide, in the PLAINS COTTON case, that non-literal elements of a program warranted little copyright protection. PLAINS COTTON even had similar facts: the defendant had developed a PC-based program that was inspired by a mainframe application and which copied its non-literal elements but which did not copy the code. In fact, when the trial judge reviewed EDI's claims against SSI in light of PLAINS COTTON, the case looked easy, and the judge dismissed all of EDI's copyright claims.

In the meantime, however, the Fifth Circuit's approach in PLAINS COTTON had gotten a lot of criticism. No other court had chosen to follow it, and several other courts had adopted the more sophisticated "abstraction-filtration-comparison" analysis. The value and uniqueness of computer software does not reside solely in its literal code, but also in the way in which the software presents itself and interacts with the user. These valuable and unique non-literal elements can be mimicked using code that does not copy the original program, and therefore several courts have recognized claims of non-literal infringement.

The changing law again benefitted EDI, as the Fifth Circuit moved away from its PLAINS COTTON approach. The court now explicitly recognized that "non-literal aspects of copyrighted works -- like structure, sequence, and organization -- may be protected under copyright law." Having thrown off the chains of its prior opinion, the court adopted the three-part abstraction-filtration-comparison method.

This fact-intensive inquiry requires that the court first abstract the different levels of generality in the two programs at issue. The court then examines each level of abstraction to filter out program elements that cannot be protected under the Copyright Act, such as ideas, process, facts, public domain information, and "scenes a faire" material; that is, material in which the unprotected idea cannot be separated from expression that can be protected, or material which is so standard in an industry that it is indispensable. After the "abstraction" and "filtration" steps, the court compares the remaining protectible elements with the allegedly infringing program to determine whether the later program has copied substantially similar elements.

Because the trial judge had not taken these steps, the Fifth Circuit sent the case back for analysis. The court cautioned that the scope of copyright protection is not always constant across all literary works.
It recommended a cautious approach when defining the scope of protection available for computer user interfaces, because interfaces are highly functional (function is not protected) and because they often contain standardized technical information that is not protected (such as the complex engineering formulas common to both EDI and SSI's programs). The court suggested that, before finding infringement in user interfaces, a party should stand ready to prove a greater degree of similarity than what might be needed to show infringement of more literal aspects of a program.

Ironically, the developing copyright law allowed the same company using the same lawyer to win both sides of the non-literal infringement debate. But recognizing non-literal infringement is a two-edged sword: while it may protect the value of unique expression of ideas developed by programmers, it also makes it more difficult to meet customer needs for new and better software without sacrificing the familiarity customers have with the friendly mugs of particular and popular user interfaces.

____________________________________________________________________

4. THINK BEFORE YOU LISTEN (AND RECORD) THAT FASCINATING CONVERSATION!

New electrical devices such as miniature tape recorders and cheap videotape cameras make it easier and more tempting for some people to watch, listen and record other people's affairs. Not only do professional journalists use tape recorders and cameras (sometimes secretly), but so do members of other professions, such as private investigators, lawyers and insurance adjusters. Amateurs get in the act, too, recording everything from Rodney King's beating by Los Angeles police officers to the man who took pot shots at the White House recently. Openly recording public events and conversations is generally fine, but when the microphone is hidden, the situation changes.

The principal law governing when you can and cannot record oral conversations is the federal Wiretap Act, the same law that regulates eavesdropping on wire and other electronic communications -- by tapping phone lines and intercepting computer communications. While many interesting and difficult questions arise over how this law applies to electronic communications, it also covers low-tech eavesdropping of simple oral conversations, the topic of this article. The Act applies in all fifty states, and prohibits the recording of *any* oral conversation, unless a specific exception in the Act applies.

The Wiretap Act (probably more accurately called an "electronic eavesdropping" law) makes unauthorized interception of oral conversations both a crime and a tort, meaning that you can both go to jail and get sued for money damages if you violate it. So, if you are planning some surreptitious snooping, you had better fit into one of the statute's exceptions. This article surveys the two most important exceptions of this broad Act.

Remember that the simple act of unauthorized recording is a violation of the Act -- the law can be broken even if the recorded conversation is not disclosed or even listened to. Disclosing the conversation, or using it (in a news story, for instance) knowing it was illegally intercepted is a separate violation.

1. Party to the Communication. This is the most important exception to the prohibition against taping conversations. If you are one of the parties to the oral communication, you can record, disclose and use it, even without the other party's knowledge or consent, so long as your purpose is not to commit a crime or otherwise violate someone's legal rights. Surreptitious recording of an interview to protect against blackmail, say, or to preserve a record of an agreement, or to accurately record an interview (if there is no ulterior illegal motive) is permitted under federal law.

Looking to federal law is not enough, though -- most states also have legal restrictions on taping communications, particularly telephone calls. Texas, for example, has a "one party consent" law similar to the federal provisions, permitting taping of telephone calls if one of the parties consents. Other states, however, require both parties' consent before either party can legally record the communication. You should know the law of your state before recording a conversation, especially a phone call.

And don't think that you can fit into the "one party consent" rule by leaving a hidden tape recorder unattended, to pick up whatever conversations might be in range. Claiming that "it's my recorder" doesn't make you a party to the conversation. Such tactics are as simple as electronic eavesdropping gets.

2. Public conversations. The Wiretap Act's restrictions are not limited to just "private" oral conversations, although that phrase is often bandied about in talk about the Act. When it comes to oral communications, the Act covers all conversations where the parties show "an expectation that such communication is not subject to interception, under circumstances justifying such expectation."

Do not confuse this with the "reasonable expectation of privacy" standard which is part of Fourth Amendment law. The Wiretap Act covers more than conversations taking place in the spheres of privacy protected from unreasonable searches and seizures. The conversation doesn't have to be in the privacy of a home; it could be a tete-a-tete on a park bench or at a restaurant table, or multitudes of other conversations that take place "in public" but where the people talking reasonably don't expect to have their conversation recorded.
Whether the Act applies will depend on the particular circumstances -- public speaking engagements, sporting events and the like should be safe to record, but keep in mind the "grandmother" rule -- if you would have trouble explaining to your grandmother why you had the right to tape somebody else's conversation, you will have trouble defending a claim under the Wiretap Act.

____________________________________________________________________

5. OTHER PEOPLE'S E-MAIL: TO READ OR NOT TO READ?

[The following is a revised version of an article that first appeared in Computer Underground Digest, Volume 6, Issue 96.]

A lot of confusion remains regarding who can properly and legally read electronic mail, and under what circumstances. Most of the questions arise about mail not addressed to you. Can I read it? When? Can I show it to others? When? Systems administrators are especially concerned -- do they have the right to read mail passing through their systems just for the fun of it? For more legitimate reasons? What would be a legitimate reason?

There is a complex federal statute dealing with the privacy of electronic mail, but it does not answer all the questions. Neither can this article, but the goal is to lay out some general principles about reading other people's mail, to cover some of the basic situations. More complicated scenarios, or new twists, will require more thinking.

A simple rule: for several reasons, the wisest course for everyone, sysops and system users alike, is to treat electronic mail like Postal Service mail and telephone calls: if the letter or call is not for you, don't snoop unless you have permission of at least one of the parties. If in doubt, don't. Simple enough. You can rarely get in trouble for not reading someone else's mail.

What laws govern?
The principal law regulating access to electronic communications (including e-mail) is a federal statute, applicable nation-wide, popularly known as the Electronic Communications Privacy Act of 1986 (or "ECPA" for short). The ECPA amended the Wiretap Act to include electronic communications with its previous provisions regarding oral and wire (telephone) communications. The ECPA also added a brand-new section governing access to stored electronic communications (the "Stored Communication" provision).[fn1] A U.S. Court of Appeals recently explained that Congress intended these two sections of the ECPA to handle different situations -- the Wiretap Act governs interception of data in the act of transmission, and the Stored Communication provision governs access to electronic communications in storage. Although this distinction gets thin in certain situations, it is a good working model.

There has been very little guidance from the courts so far in interpreting the application of the ECPA and other laws to e-mail, and so any conclusions in this article should be taken for what they are, and no more -- informed guesses. The particular facts of any given situation will always be very important.

[fn1: These laws can be found at 18 U.S.C. § 2501, et seq., and 18 U.S.C. § 2701, et seq., respectively.]

The Wiretap Act. The Wiretap Act prohibits anyone from intercepting electronic communications, or knowingly disclosing or using intercepted communications. Intercepting means simply to "acquire the contents" of the e-mail message.
There are some exceptions: (1) if you are a party to the communication (of course); (2) if you are not a party, but a party to the communication has given consent; (3) if the systems administrator is acting "in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service" (but not "service observing or random monitoring"); and (4) if there is a court order authorizing the interception. 18 U.S.C. § 2511(2).

The Wiretap Act also specifically prohibits systems administrators from divulging the contents of an electronic communication, while in transmission, to anyone other than the addressee or intended recipient, which means the systems administrator cannot pass e-mail on to someone else, even if the administrator does not get a copy of the mail. There are exceptions here, too: a systems administrator may forward mail (1) with the permission of a party to the communication; (2) under court order; (3) to a forwarding facility; or (4) to law enforcement, if the communication appears to pertain to the commission of a crime (and the communication was inadvertently obtained by the service provider).

Stored Communications. All bulletin board e-mail residing in a storage device -- whether permanently or temporarily incident to transmission -- is covered by the Stored Communications provisions of the ECPA, 18 U.S.C. § 2701, et seq. These provisions protect e-mail from two things: (1) unauthorized access, alteration and disruption, and (2) unauthorized disclosure. 18 U.S.C. § 2701, § 2702. The first provision prohibits "hacking"-type activity, the second protects the privacy of the mail from disclosure to unintended recipients without authorization. This provision has similar exceptions for disclosing e-mail as found in the Wiretap Act, described above.

If you violate the ECPA.
If you intercept, disclose, use, obtain, alter, prevent access to, or divulge electronic communications in violation of the ECPA, you have committed a crime. Not only that, you can get sued in civil court, and end up paying the lawyer who sues you. This makes the safer course not to read mail if unsure -- especially because the ECPA is not the only law out there.

The important exceptions. Anyone can read or pass along e-mail with the consent of one of the parties. Systems administrators need not worry about forwarding messages, or reading messages that "bounce" in order to figure out what to do with them. Sysops may also review messages as a "necessary incident" (1) "to the rendition of his service" or (2) "to the protection of the rights or property of the provider of that service."

There is some debate on the breadth of these exceptions. No court case has discussed how they apply to BBSs. Prudent systems administrators should read these exceptions narrowly. The whole point of the ECPA indicates that these exceptions are not a license to read users' mail at will, or even to spot-check to see if users are up to no good. The law says that the systems administrator "shall not utilize service observing or random monitoring except for mechanical or service quality control checks." Any spot-checking must be to monitor the system's functioning, not the users' activities.

What if a systems administrator has specific information that a certain user might be using e-mail to discuss or even facilitate a crime? Does that justify nosing through the user's e-mail? Again, I believe only very narrow circumstances could justify it. The systems administrator is no more responsible for criminal plots in e-mail than Ma Bell is for telephone conspiracies. For that reason, the law need not give the administrator a private-cop badge to rifle through e-mail and monitor for any signs of crime.
Because the ECPA permits a systems administrator to disclose to the police the contents of an e-mail message that was inadvertently obtained and which appears to pertain to the commission of a crime, this strongly implies that intentional sleuthing by systems administrators is forbidden.

If a systems administrator has specific information that a user is about to damage the system or crash the service, say with a virus, the systems administrator could justify reviewing that user's e-mail as a protection to the system. The harder case is if the administrator suspects that a user's actions might be criminal, but the only threat to the system is that it might get seized by law enforcement on account of the user. (Most BBS crime poses no other threat to the system, as it usually depends on the system's continued functioning.) Here, the administrator might argue that the threat of a seizure of the system (and the resulting loss of property) justifies reading the suspected user's e-mail. At minimum, however, the ECPA's specific prohibition of random monitoring would require the systems administrator to have good, solid evidence against the user, not just a vague suspicion or anonymous claims that something bad is going on.

A good point of reference: Remember that the same laws protecting electronic communications generally apply to BBSs and telephone companies alike. Most people would like to see Ma Bell's right to monitor phone calls be as narrow as possible. And consider the voice mail services that phone companies now offer -- they are not that different than e-mail, are they?

Trying to avoid these rules. Some systems administrators still try to avoid the ECPA's restrictions on their curiosity by posting disclaimers such as "NOTICE: This system does not provide private electronic communications" or "WARNING: We read your mail. It is not private." With these warnings, some systems administrators think they can freely read everyone's e-mail.
These warnings are a bad idea. First, they probably won't do the job. While the facts of the particular case will matter, such disclaimers will have a tough time in court. Judges and juries don't like "take it or leave it" ultimatums when it comes to privacy. The disclaimer probably isn't true, except on small boards: the system almost certainly does provide the means to communicate free from all prying eyes except the systems administrator, and on any busy system, the administrator can't read all the mail, which may re-create in practice the very expectation of privacy the administrator is trying to deny.

Second, the disclaimers may make things worse. While trying to limit the risk of an ECPA lawsuit by a user, the disclaimer will raise the systems administrator's risks in other areas. An administrator who actually reads his or her users' e-mail can be charged with knowing its content, and this increases the potential for successful civil suits for libel, as well as the danger of criminal prosecution for aiding criminal activity on the BBS. The administrator can always claim "I didn't read that message," but the system's own words say the opposite.

Worse, if the system is seized by law enforcement, the systems administrator may lose very helpful allies: the users. When innocent users try to sue the police for violating their rights under the ECPA, the police will be sure to defend their acts based on what the system itself told them: "no private e-mail here!" The ECPA should be a great deterrent against the wholesale seizure of BBSs; systems administrators diminish that deterrent by using these disclaimers.

Finally, what possible reason, other than plain rude nosiness, justifies reading other people's mail? The law not only imposes no responsibility to read or monitor mail flowing through a system, it prohibits it.
Systems administrators who fear criminal responsibility for what their users are discussing in e-mail are as wrong as if Southwestern Bell were worried about being held responsible for crimes committed over their phone system.

Don't Forget State Privacy Laws. In addition to the federal ECPA, each state has varying laws to protect its citizens' privacy. Some states prohibit the recording of telephone conversations unless both parties consent, for instance, which is tougher than federal law. States also have vaguely defined, but real, general civil privacy rights that could be violated by unauthorized reading of electronic mail.

For example, it appears to be generally accepted that the ECPA does not protect the privacy of an employee's e-mail from her employer's snooping (although it takes some effort to explain why this is probably the case). However, state laws may recognize narrow spheres of privacy at work. An employer who for years provides private, secure electronic communications among its employees may have permitted such a sphere of privacy to develop. If the employer suddenly, without notice, begins reading employee e-mail, it could violate state civil law.

The safer practice for an employer would be to have a clear, written policy stating that company electronic mail is not private, and that the company retains (or is reclaiming) the right to review employee mail. Companies with gateways to outside mail services should be especially clear on their policy, because, rightly or wrongly, employees will have a greater expectation of privacy for personal mail they receive from outside the company, similar to personal letters sent to a work address.

A tough, unanswered question: What about users' personal file directories on UNIX machines or BBSs? Many BBSs, Internet providers, and other computer systems provide their users storage areas. Many systems call and treat these areas as "private," and use the storage space as a selling point for their system.
Would a systems administrator violate the ECPA by nosing through a user's private storage area, which commonly contains e-mail? The ECPA protects the privacy of e-mail, but copyright law imposes strict liability for copyright infringement. (See Legal Bytes, Vol. 2, No. 1, "BBS System Operators' Liability for Copyright Infringement: Let the Sysop Beware"). How does a systems administrator avoid unknowingly harboring infringing computer files without checking these storage areas? The solution may lie in the systems administrator getting proper consent from the user, before the fact, to monitor these files, but -- as with most tough questions of the application of the ECPA to computer communications -- no court has ruled on the question yet.

====================================================================

ABOUT THIS NEWSLETTER

LEGAL BYTES is a service to our clients and friends. These articles are intended to be summaries and brief discussions of emerging legal issues in the field of computer law. They are not intended to be exhaustive discussions of the topics. Because of their nature, they should not be relied upon as legal advice or used as a basis for reaching a conclusion.

If you have ideas or topics you would like to see discussed in LEGAL BYTES, drop us a line.

Legal Bytes is online at:

ftp.eff.org, /pub/Publications/E-Journals/Legal_Bytes/
gopher.eff.org, 1/Publications/E-Journals/Legal_Bytes
gopher://gopher.eff.org/11/Publications/E-Journals/Legal_Bytes
http://www.eff.org/pub/Publications/E-Journals/Legal_Bytes/

To subscribe to Legal Bytes: Send a message to legal-bytes-Request@io.com and include the words "subscribe legal-bytes" in the _body_ of the message.

ABOUT GEORGE, DONALDSON & FORD, L.L.P.
George, Donaldson & Ford, L.L.P., is a registered limited liability partnership specializing in litigation and in counseling clients in a broad range of practice areas, including computer law, copyright, trademark, trade secrets, business, libel, invasion of privacy, and constitutional law.

Attorneys at George, Donaldson & Ford, L.L.P., are not board certified in any specialty. No designation has been made by the Texas Board of Legal Specialization for a Certificate of Special Competence in the area of computer law.

====================================================================