VI. PRIVACY

Privacy has been a concern of computer information system providers from the very beginning. With the speed, power, accessibility, and storage capacity provided by computers comes tremendous potential to infringe on people's privacy. It is imperative that users of services such as electronic mail understand how these services work, i.e., how private the users' communications really are, and who may have access to the users' "personal" E-mail. The same is true for stored computer files. Just as importantly, System Operators should be aware of what restrictions and requirements exist to maintain users' privacy expectations.

A. Pre-Electronic Communications Privacy Act of 1986

One of the most significant cases establishing privacy for electronic communications is *Katz v. United States*.[228] *Katz* involved the use of an electronic listening device (or "bug") mounted on the outside of a public telephone booth.[229] The government (who placed the bug) assumed that, because the bug did not actually penetrate the walls of the booth, and was not actually a "wire tap," there was no invasion of privacy.[230] However, Defendant argued that the bug was an unlawful search and seizure i n violation of the Fourth Amendment.[231] The court held that "the Fourth Amendment protects people, not places. What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. [citations omitted] But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected."[232] The decision in this case is also understood to say that if a person does not have a *reasonable* expectation of privacy, there is, in fact, no Fourth Amendment protection.[233] The person must have a subjective expectation of privacy, and to be reasonable, it must be an expectation that society is willing to recognize as reasonable.[234] For example, most people have a reasonable expectation that calls made from inside a closed telephone booth will be private. For computer users, this means that, because the computer operator has control over the system and can read any messages, the user cannot reasonably protect his or h er privacy. If there is no reasonable expectation of privacy, there can be no violation of privacy, and, therefore, no Fourth Amendment claim.[235]

Statutory protection of the right to privacy was originally provided by the Federal Wiretap Statute.[236] However, this statute affected only "wire communication," which is limited to "aural [voice] acquisition."[237] In *United States v. Seidlitz*,[238] the court held that interception of computer transmission is not an "aural acquisition" and, therefore, the Wiretap Act did not provide protection.[239] Even if the Act did cover transmission, it still does not cover stored computer data.[240] This does not result in significant or comprehensive protection of E-mail or stored data.

B. Electronic Communications Privacy Act of 1986

Prior to the passage of the Electronic Communications Privacy Act, communications between two persons were subject to widely disparate legal treatment depending on whether the message was carried by regular mail, electronic mail, an analog phone line, a cellular phone, or some other form of electronic communication system. This technology-dependent legal approach turned the Fourth Amendment's protection on its head. The Supreme Court had said that the Constitution protects people, not places, but the Wiretap Act did not adequately protect all personal communications; rather, it extended legal protection only to communications carried by some technologies.[241]

The Federal Wiretap Act was updated by the Electronic Communications Privacy Act of 1986.[242] The Electronic Communications Privacy Act deals specifically with the interception and disclosure of interstate [243] electronic communications [244] , and functions as the major sword and shield protecting E-mail. It works both to guarantee the privacy of E-mail and also to provide an outlet for prosecuting anyone who will not respect that privacy. The statute provides in part that "any person who (a) intention ally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept any wire, oral, or electronic communication"[245] shall be fined or imprisoned.[246] The intentional disclosure or use of the contents of any wire, oral, or electronic communication that is known or could reasonably be known to have been intercepted in violation of the statute is prohibited.[247] This largely guarantees the privacy of E-mail as well as data transfers over a network or telephone line going to or from a computer information system. In essence, E-mail cannot legally be read except by the sender or the receiver even if someone else actually intercepted the message. Further disclosure or use of the message contents by any party, other than the message sender and its intended recipient, is prohibited if the intercepting party knows or has reason to know that the message was illegally intercepted.

Section 2 of the Electronic Communications Privacy Act [248] provides an exception for SYSOPs and their employees to the extent necessary to manage properly the computer information system: It shall not be unlawful under this chapter for an operator of a switchboard, or an officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of rights or property of the provider of that service, except that a provider of wire communication service to the public shall not utilize service observing or random monitoring except for mechanical or service quality control checks.[249]

"Electronic Communication System" is defined as "any wire, radio, electromagnetic, photooptical or photoelectronic facilities for the transmission of electronic communications, and any computer facilities or related electronic equipment for the electronic storage of such communications."[250] Further exceptions are made for SYSOPs of these systems when the originator or addressee of the message gives consent;[251] when the message is being given to another service provider to be further forwarded towards its destination;[252] where the message is inadvertently obtained by the SYSOP; and appears to pertain to a crime;[253] when the divulgence is being made to a law enforcement agency;[254] or where the message is configured so as to be readily accessible t o the public.[255] It is worth noting that this section also applies to broadcast communications, as long as they are in a form not readily accessible to the general public (with some exceptions).[256] This will probably cover the up-and-coming technologies of radio-WANS (Wide Area Networks-computer networks which link computers by radio transmission rather than wires), cellular modems, and also packet radio. These technologies are especially likely to be covered by the statute if data is transmitted using some sort of encryption scheme.[257]

For law enforcement agencies to intercept electronic communications, they must first obtain a search warrant by following the procedure laid out in section 2518 of this Act.[258] The statute does not prohibit the use of pen registers or trap and trace dev ices.[259] The warrant requirement makes it harder for law enforcement officials to get at the contents of the communications, but does not substantially impede efforts to find out who is calling the computer information system.

C. Access to Stored Communications

Section 2511 of the Electronic Communications Privacy Act concerns the interception of computer communications. Section 2701 of the Act prohibits unlawful access to communications which are being stored on a computer.[260] The section reads, in part, "whoever -- (1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system"[261] shall be subject to fines and/or imprisonment.[262] Like section 2511, this section includes provisions prohibiting the divulgence of the stored messages.[263] Importantly, while this statute allows law enforcement agencies to gain access to stored communications, subject to a valid search warrant,[264] it does specifically allow the government to permit the system operator to first make backup copies of stored computer data, so that the electronic communications may be preserved for use outside of the investigation.[265] Such a statute is needed because the government often takes the stored data to sort through during the course of its investigation, as wa s the case in *Steve Jackson Games, Inc. v. United States Secret Service*.[266] In this case, the Secret Service raided a publisher and seized its bulletin board system, electronic mail and all. The court held that the government had to go through the procedures established by section 2701 et seq., covering stored wire and electronic communications, in order to discover properly the contents of the electronic mail on the BBS.[267] The court said that the evidence of good faith reliance on what the Secret Service believed to be a valid search warrant was insufficient.[268] The government *knew* that the computer had private electronic communications stored on it, and therefore the only means they could legally use to gain access to those communications wa s by compliance with the Act, and not by seizing the BBS.[269] The Steve Jackson Games Case was also valuable for showing the interplay between protection against interception of electronic communication [270] and access to stored communication.[271] Judge Sparks held, in essence, that taking a whole computer is not a n "interception" as contemplated by section 2510 et seq., especially in light of the protection of stored communication by section 1701 et seq. He analogized the situation to the seizure of a tape recording of a telephone conversation and said that the " aural acquisition" occurs when the tape is made, not each time the tape is played back by the police.[272] This interpretation is being appealed on the grounds that since the messages had been sent, and not yet received, they were intercepted-just as if someone had picked up and carried off a blue postal service mailbox from the side of the street.[273] The argument is that the Judge's requirement that the message actually be transversing the wire when the interception occurs is too narrow a reading of the term "interception."[274]

D. An Apparent Exception for Federal Records

A fairly recent case presents an apparent exception to the Electronic Communications Privacy Act.[275] In *Armstrong v. Executive Office of the President*,[276] while not mentioning the Electronic Communications Privacy Act, the court required certain electronic mail and stored data to be saved and made available for the National Archives.[277] While electronic communications are normally protected under the Electronic Communications Privacy Act, the Federal Records Act [278] requires that:

"all ... machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States under Federal law or in connection with the transaction of public business and preserved or appropriated for preservation by that agency ... as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the Government or because of the informational value of the data in them [be preserved]."[279]

The court held that the actual computer records must be saved, not just paper copies of the electronically mailed notes, because the computer records contain more information than printouts.[280] Printed copies of the messages contain the text of the note s, but only the computer records contain information such as who received the E-mail messages and when the communication was received.[281] A similar possible exception to the privacy of E-mail is the Presidential Records Act,[282] which requires that all records classified by the Act as "Presidential Records"[283] be preserved for historical researchers. However, the only case to apply this statute to Presidential E-mail held that the Presidential Records Act&127; impliedly precludes judicial review of the President's compliance with the Act.[284]

E. Privacy Protection Act of 1980

It is also possible that computer information systems will be protected under the Privacy Protection Act of 1980.[285] The Privacy Protection Act immunizes from law enforcement search and seizure any "work product materials possessed by a person reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication, in or affecting interstate commerce."[286] This statute was passed to overturn the decision in *Zurcher v. Stanford&127; Daily*,[287] a case which held that a newspaper office could be searched, even when no one working at the paper was suspected of a crime.[288] The only exceptions to the law's prohibition on searches of publishers are the following: probable cause to believe that the person possessing the materials has committed or is committing the crime to which the materials relate,[289] or the immediate seizure is necessary to prevent the death or serious injury to a human being.[290] A computer information system could f all under this statute when it is being used in the aid of a print publisher, such as when the service is used in a publisher's office or to transmit materials to a publisher.[291] More importantly for the System Operator, based on the list of types of "publishers" covered by this statute, electronic publishers should fall directly under this section.

The first case that attempted to apply this statute to electronic publishers was the *Steve Jackson Games* case, mentioned in the preceding section. It is a good case study in law enforcement violations of electronic data privacy. Steve Jackson Games is a small publisher of fantasy role-playing games in Texas.[292] The company also ran a BBS to gain customer feedback on the company's games.[293] The Secret Service took all of the company's computers, both their regular business computers and the one on which they were running the company's BBS (private electronic mail etc.).[294] They also took all of the copies of their latest game, GURPS Cyberpunk, which one of the Secret Service agents referred to as "a handbook for computer crime."[295] The raid by t he&127; Secret Service caused the company to temporarily shut down;[296] Steve Jackson Games also had to lay off half its employees.[297] The release of the game was delayed for months, since the Government took all of the word processing disks as well as all of the printed drafts of the game.[298] The Electronic Frontier Foundation, which provided legal counsel for Steve Jackson, likened the Secret Service's action to an indiscriminant seizure of all of a business's filing cabinets and printing presses.[299] Steve Jackson Games was raided because one of its employees ran a BBS out of his home-one out of a possible several thousand around the country that distributed the electronic journal "Phrack," in which a stolen telephone company document was published.[300] The document contained information which was publicly available in other forms.[301] The employee was also accused of being a part of a fraud scheme-the fraud being the explanation in a two line message what Kermit is-a publicly available communications protocol.[302] The employee was also co-SYSOP of the bulletin board system at Steve Jackson Games.[303] The case held that at the time of the raid, the Secret Service did not know that Steve Jackson Games was a publisher (even though they should have), as the Privacy Protection Act [304] requires, though they did know shortly after.[305] Judge Sparks said the continued refusal to return the publisher's work product, once the Secret Service had been informed that Steve Jackson Games was a publisher, amounted to a violation of the Act.[306] In the raid, the Secret Service seized a number of Steve Jackson's computers, and a number of papers.[307] As mentioned, this included the company's BBS, which contained public comments on newspaper articles submitted for review, public announcements, and other public and private communications.[308]

While the judge did find a violation of the Privacy Protection Act,[309] he did not specify which items led to the violation. The violation could have been the seizure of the papers, the computers used for word processing, or the BBS. Thus, the question still remains unanswered as to whether the seizure of the BBS alone, which was being used to generate work product for the publisher, would have amounted to a violation of the Act. Importantly, other users of the BBS who had posted public comments about Steve Jackson's Games were also plaintiffs in the case. They were not allowed recovery based on the Privacy Protection Act.[310] Therefore, either the individual message posters were not considered to be publishers themselves (only perhaps authors of works published in electronic form by Steve Jackson Games' BBS) or their messages were not considered to be work product subject to protection.

Copyright 1994 - 1995 by P-Law, Inc., and Kenneth M. Perry, Esq. All rights reserved. Reproduction is permitted so long as no charge is made for copies, no copies are placed on any electronic online service or database for which there is a fee other than a flat access charge, there is no alteration and this copyright notice is included.

Return to Table of Contents