Computer eMail and Privacy.txt

                    COMPUTER ELECTRONIC MAIL AND PRIVACY
                    ====================================

                                     by

                             Ruel T. Hernandez

                             801 Cedarbend Way
                       Chula Vista, California 92010
                           (619) 421-6517 (voice)
                          (CompuServe: 71450,3341)
                         (GEnie Mail: R.HERNANDEZ)

                              January 11, 1987

               Copyright (c) 1986, 1987 by Ruel T. Hernandez


     (This is an edited version of a law school seminar paper I wrote at
California Western School of Law.  A another version of the paper, entitled
"Electronic Mail - Your Right to Privacy," by Ruel T. Hernandez as told to
Dan Gookin, was published as the cover story in The Byte Buyer, San Diego's
Microcomputer Magazine, volume 4, number 24, December 5, 1986.  That version
may also be found on their BBS at 619/226-3304 or 619/573-0359.  Note,
citations to the Electronic Communications Privacy Act of 1986 refer to the
final version passed by the House of Representatives on October 2, 1986,
which was passed by the Senate the day before, as listed in the
Congressional Record.)


                                INTRODUCTION

     Two years ago, legislation was introduced into Congress that sought to
provide federal statutory guidelines for privacy protection of computer
communications, such as electronic mail found on commercial computer systems
and on remote computer systems, commonly known as bulletin board systems
(BBS).  Old federal wiretap law only gave protection to normal audio
telephonic communications.  There was no contemplation of computers or their
operators using telephone lines to communicate.  The old federal wiretap law
regulated police interceptions of communications while they are being
transmitted on a telephone line.  Before the Electronic Communications
Privacy Act of 1976, the law did not provide guidelines for protecting the
transmitted message once it was stored within a computer system.


                                 QUESTIONS

     (1) Whether electronic mail and other intended private material stored
within an electronic computer communication system have Fourth Amendment
privacy protection?

     (2) Should private electronic mail and other such material be accorded
the protection guidelines as with telephone communication and the U.S. Mail?


                                  PROBLEM

     Law enforcement seeks criminal evidence stored as E-Mail on either a
local, user-supported BBS, or on a commercial computer service, such as
CompuServe, GEnie or The Source.  (Note, this situation is equally
applicable to personal, private data stored on a remote system for later
retrieval, as with CompuServe's online disk storage capabilities.)

     For instance, a computer user calls up a computer communication system.
Using the electronic mail function, he leaves a private message that can
only be read by an intended recipient.  The message is to inform the
recipient of a conspiracy plan to violate a federal or state criminal
statute.  Law enforcement gets a tip about the criminal activity and learn
that incriminating evidence may be found on the computer system.

     In 1982, such a situation occurred.  (Meeks, Brock, "Life at 300 Baud:
Crime on the BBS Network," Profiles, August, 1986, 12-13.)  A Detroit
federal grand jury, investigating a million-dollar cocaine ring, issued a
subpoena ordering a commercial service, The Source, to hand over private
subscriber data files.  The files were routinely backed up to guard against
system crashes.  The grand jury was looking for evidence to show that the
cocaine ring was using The Source as communication base to send messages to
members of the ring.  With such evidence, the grand jury could implicate or
indict those suspected to be a part of the cocaine ring.  The Source refused
to obey the subpoena.  The prosecution argued The Source could not
vicariously assert a subscriber's privacy rights.  Constitutional rights are
personal and could only be asserted by the person whose rights are invaded.
Additionally, if the files containing messages were duplicated, any
reasonable expectation of privacy by users would be extinguished.  A court
battle ensued.  However, before a ruling could be made, the kingpin of the
cocaine ring entered a surprise guilty plea to federal drug trafficking
charges.  The case against the Source was discontinued.

     Publicly posted messages and other public material may be easily
retrieved by law enforcement.  It is the private material, such as E-Mail,
that poses the problem.

     Law enforcement's task is then to gather enough evidence to
substantiate a criminal case.  Specifically, they would want the E-Mail, or
other private files, transmitted by suspected criminals.  A computer
communications service, as keeper and transmitter of private electronic
messages, would not want to turn over the private data.


                           INADEQUACY OF OLD LAW

     Brock Meeks of Profiles magazine noted that as of August, 1986, "no ...
protection exist[ed] for electronic communications.  Any law enforcement
agency can, for example, confiscate a local BBS and examine all the message
traffic," including and private files and E-Mail.  (Ibid.)

     In the next section, case law will be examined and statutory law prior
to the Electronic Communications Privacy Act of 1986 (ECPA) will be noted.
Seemingly applicable statutes, as they stood, provided no guidelines for
privacy protection of electronic computer communication systems, such as
CompuServe, GEnie, and local, user-operated BBSs.

CASE LAW

     There is little case law available on computer communications and
Fourth Amendment constitutional problems.  (M.D. Scott, Computer Law, 9-9
(1984 & Special Update, August 1, 1984).)  If not for the surprise
preemptive guilty plea, the above described Detroit case may have provided
guidance on computer communications and privacy issues.

     Of the available cases, Scott noted those that primarily dealt with
financial information found in bank and consumer credit organization
computers.   In U.S. v. Davey, 426 F.2d 842, 845 (2 Cir. 1970), the
government had the right to require the production of relevant information
wherever it may be lodged and regardless of the form in which it is kept and
the manner in which it may be retrieved, so long as it pays the reasonable
costs of retrieval.  In a California case, Burrows v. Superior Court, 13
Cal. 3d 238, 243, 118 Cal. Rptr. 166, 169 (1974), a depositor was found to
have a reasonable expectation that a bank would maintain the confidentiality
of both those papers in check form originating from the depositor and the
depositor's bank statements and records of those same checks.  However, in
U.S. v. Miller, 425 U.S. 435, 440 (1976), customer account records on a
banks' computer were held to not be private papers of the bank customer,
and, hence, there is no Fourth Amendment problem when they are subpoenaed
directly from the bank.

     The computer data and information in these cases have more of a
business character in contrast to personal E-Mail found on remote computer
systems such as CompuServe or a local BBS.  Under the old law, a prosecutor,
as in the Detroit case, may try to analogize duplicated and backed up E-Mail
to business situations where data on business computer databases are also
backed up.  Both types of computer data are stored on a system and then
later retrieved.  The provider of the remote computing service or the sysop
would counterargue that the nature of computers always require the
duplication and backup of any computer data, whether the data files are E-
Mail or centrally-based financial or credit data.  Duplication does not
necessarily make E-Mail the same as financial or credit data stored in
business computers.  Centrally-based business information is more concerned
with the data processing.  That information is generally stored and
retrieved by the same operator.  E-Mail is more concerned with personal
communications between individuals where the sender transmits a private
message to be retrieved only by an intended recipient.  The sender and the
recipient have subjective expectations of privacy that when viewed
objectively is reasonable.  Therefore, there is a constitutionally protected
expectation of privacy under Katz v. U.S., 389 U.S. 347, 19 L.Ed. 88 S.Ct.
507 (1967).  However, the prosecution would note under California v.
Ciraolo, -- U.S. --, 106 S.Ct. 1809 (1984), the users would have to protect
their electronic mail from any privacy intrusion.  The provider or operator
of the remote system has ultimate control of his system.  He has complete
access to all areas of the system.  He could easily examine the material.
The prosecution would note the user could not reasonably protect his private
data from provider or operator invasion.  This "knot-hole" would exclude any
idea of privacy.  If there is no privacy, there can be no search and
therefore no Fourth Amendment constitutional violation.  Law enforcement can
retrieve the material.

FEDERAL WIRETAP STATUTES

     The federal wiretap statutes, before the Electronic Communication
Privacy Act of 1986, protected oral telephone communications from police
interceptions.  This protection was made in 1968 in response to electronic
eavesdropping by government.  (Cohodas, Nadine, "Congress Races to stay
Ahead of Technology," Congressional Quarterly Weekly Report, May 31, 1986,
1235.)  Although E-Mail appears to come under the statute's definition of
"wire communication," under the old law, it was limited to audio
transmissions by wire or cable and does not mention stored computer data.
(18 U.S.C. sec. 2510(1).)  The old law required that an interception of a
wire communication be an aural acquisition of the communication.  (18 U.S.C.
s...