Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!seismo!lll-crg!hoptoad!gnu From: gnu@hoptoad.uucp (John Gilmore) Newsgroups: net.mail Subject: Re: Congress is now debating the future of Usenet Message-ID: <1032@hoptoad.uucp> Date: Fri, 22-Aug-86 05:53:20 EDT Article-I.D.: hoptoad.1032 Posted: Fri Aug 22 05:53:20 1986 Date-Received: Fri, 22-Aug-86 20:24:18 EDT References: <1632@well.UUCP> <1013@hoptoad.uucp> <15341@ucbvax.BERKELEY.EDU> Organization: Nebula Consultants in San Francisco Lines: 141 You can't tell the players without a key. ">>" is me, John Gilmore; ">" is David desJardins (desj@brahms.BERKELEY.EDU). Text direct from the bill is indented 8 spaces. Left margin is me commenting. Indented paragraphs are me paraphrasing the bill. Please don't anybody quote more than 10 lines of this or we'll never figure it out. >>It appears to put legal liability on Usenet hosts which forward mail or >>news for other hosts, and could alter or destroy the current structure >>of Usenet (and/or Stargate). >>This bill, S.2575 [...] makes you legally responsible for the carriage >>of email unless you run a "public access" system. >Unfortunately, I can't find anything in it to substantiate John's claims >above... By "puts legal liability on" I meant "makes subject to suit or prosecution". > The second claim, that you are "legally responsible for the carriage of >email unless you run a 'public access' system" is also unclear... I meant "responsible to the sender for disclosing it to third parties": "(g) It shall not be unlawful under this chapter or chapter 121 of this title for any person-- "(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public; "CHAPTER 121 -- STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS "Section 2702. Disclosure of contents "(a) PROHIBITIONS.-- Except as provided in subsection (b)-- "(1) a person or entity providing an electronic communication service to the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service; "Section 2707. Civil action "(a) CAUSE OF ACTION. -- Any provider of electronic communications service, subscriber, or customer aggrieved by any violation of this chapter in which the conduct constituting the violation is engaged in with a knowing or intentional state of mind may, in a civil action, recover from the person or entity which engaged in that violation such relief as may be appropriate. This requires that a Usenet host carrying email not send the message to anyone other than the recipient(s). While some waffling could be done around the word "knowingly", I'd hate to hang my defense on it. I've seen enough email go astray in the uucp network to wonder if I should be carrying other peoples' email after this bill passes. You might be able to maintain that software bugs which cause mail to be divulged to third parties do not cause "knowing" divulgence, but after a history of such bugs and divulgences is shown over time, a case could be made. I think it should be possible to set up and run an unreliable email service in the US, with the customers knowing full well that it is unreliable. (By "unreliable" I mean that not only might the message not get there, it might go somewhere else.) The bill removes this choice, which seems to be the choice we in the Usenet have currently made. -- The sections on "governmental access" require careful reading. Here's what I get from the bill, paraphrased: They need a warrant to get email less than 180 days old out of an "electronic communications system". They need only a subpoena or court order to get email older than 180 days from anywhere. They need only a subpoena or court order to get anything from a "remote computing service", no matter what its age. Unix machines used by end-users would mostly be classed as remote computing services, though machines that just forwarded mail might be considered electronic communications systems. This means that once a message is in /usr/spool/mail/$USER or your mbox, it can be gotten without a warrant. Warrants are much harder to get then subpoenas or court orders. The Constitution spells out the requirements for a warrant, and it requires an exact description of what they are searching for. All of this is available to the state (and maybe local) governments, as well as the Feds. Access to your data with a warrant: does not notify you. Access to your data with a court order or subpoena, which notifies you: causes them to make a backup copy, then tell you they want the data, and give you 14 days to protest. If you don't protest, or if your protest loses in court, the computer center turns over the backup to the government. It is not possible to appeal this protest to a higher court. Access to your data with a court order or subpoena, which does not notify you: can be done by having a medium high bureaucrat, defined below, certify that notifying you might have an "adverse result", defined below. You will find out 90 days later, but you don't get to block it, since your 14 day period expired while you didn't know they were asking for the data. "Section 2705. Delayed notice "(a) DELAY OF NOTIFICATION.-- "(2) An adverse result for the purposes of paragraph (1) of this subsection is--- "(A) endangering the life or physical safety of an individual; "(B) flight from prosecution; "(C) destruction of or tampering with evidence; "(D) intimidation of potential witnesses; or "(E) otherwise seriously jeopardizing an investigation or unduly delaying a trial. "(6) As used in this subsection, the term 'supervisory official' means the investigative agent in charge or assistant investigative agent in charge or an equivalent of an investigating agency's headquarters or regional office, or the chief prosecuting attorney or the first assistant prosecuting attorney or an equivalent of a prosecuting attorney's headquarters or regional office. I find this to be a little loose. I think all files less than 180 days old should require a warrant, no matter where they happen to be sitting. I don't see why the government would ever choose to tell you it was after your data, since getting a signature that your finding out would "unduly delay a trial" should be pretty trivial; for example, you might protest or hire a lawyer, and that would delay them. I think that if they can't get a warrant, but choose to not notify you, they should not be given the data until you have been notified and had a chance to protest. I also think that the bill should provide a clear definition of the difference between a remote computing service and an electronic communications system -- which the FCC has been trying to do for a long time, and failing -- or should treat the two the same. -- John Gilmore {sun,ptsfa,lll-crg,ihnp4}!hoptoad!gnu jgilmore@lll-crg.arpa May the Source be with you!