DISCLAIMER: The author is not an lawyer. This article represents one layman's views of the background and contents of PL 99-508, the Electronic Communications Privacy Act of 1986. Anyone needing legal advice should consult with the attorney of their choice.
Anytime someone passes what they hope to be a private communication to another, they expect that their fellow citizens will respect its privacy. Not only do the customs of society enforce this expectation, statute laws have been enacted to insure it. Thus, everyone knows, or should know, not to tamper with the mail. Everyone knows, or should know, not to electronically eavesdrop ("bug") someone else's telephone calls. And everyone knows, or should know, not to do likewise with computer communications.
Alas, not everyone knows that. If everyone did, we wouldn't need laws to protect what ought to be our reasonable expectations of privacy. Not too long ago, the Congress of the United States passed PL 99-508, the Electronic Communications Privacy Act of 1986. In doing so, Congress was recognizing the way technology has changed society and trying to react to that change.
The Act contains two main parts, or Titles. Title I--Interception of Communications and Related Matters, merely updates existing laws to reflect what I've said above. Where the law used to say you can't bug private telephone communications, it now says you can't bug private computer communications. Where it preserved your right to listen in to public radio transmissions, it preserves your right to "listen in" to public computerized transmissions (here the Congress particularly was thinking of unencrypted satellite television, although the law is written in more general terms). It allows the "provider of electronic communication service" (sysops, to electronic bulletin board users) to keep records of who called and when, to protect themselves from the fraudulent, unlawful or abusive use of such service.
Title II--Stored Wire and Electronic Communications and Transactional Records Access, is the section that has caused the biggest concern among bulletin board system operators and users. Unfortunately, while a lot of well-intentioned people knew that a law had been passed, most of them started discussing it without taking the trouble to read it first. As a result, there has been a lot of misinformation about what it says, and a lot of reaction and overreaction that was unnecessary.
The first thing we need to realize is that Title II adds a new chapter to Title 18 of the United States Code (USC). The USC fills most of two shelves in the Omaha library. It covers in general detail virtually everything the federal government does. In many places it gives departments and agencies to pass rules and regulations that have the force of law. If it didn't, instead of filling two shelves it would probably fill two floors, and Congress would be so bogged down in detail work it would get even less done that it does now. Of all the USC, Title 18 deals with Crimes and Criminal Procedure. That's where PL 99-508 talks about electronic communications. It makes certain acts federal crimes. Equally important, it protects certain common-sense rights of sysops.
Under the Act, it is now a federal offense to access a system without authorization. That's right. Using your "war-games dialer," you find a modem tone on a number you didn't know about before and try to log on. From the way I read the law, you can try to log on without penalty. After all, you might not have used a war-games dialer. You might just have got a wrong number. (Don't laugh, it's happened to me right here in Omaha!) At the point you realize its not the board you think you called, you ought to hang up, because at the point where you gain access to that neat, new, unknown system, you've just violated 18 USC 2701.
A lot of us are users of systems with "levels" of access. In the BBS world, levels may distinguish between old and new users, between club members and non-members, or sysops from users. In the corporate and government world, levels may protect different types of proprietary information or trade secrets. Section 2701 also makes it a federal offense to exceed your authorized access on a system.
What about electronic mail, or "e-mail?" E-Mail has been the single biggest area of misinformation about the new law. First, section 2701 does make it a federal offense to read someone else's electronic mail. That would be exceeding your authorization, since "private" e-mail systems do not intend for anyone other than the sender or receiver to see that mail. But, and a big but, sysops are excluded. Whoever staffed the bill for Congress realized that system operators were going to have access to information stored on their systems. There are practical technical reasons for this, but there are also practical legal reasons. While the Act does not directly address the liability of sysops for the use of their systems in illegal acts, it recognizes they might have some liability, and so allows them to protect themselves from illegal use. Sysops are given a special responsibility to go along with this special privilege. Just like a letter carrier can't give your mail to someone else, just like a telegraph operator can't pass your telegram to someone else, just like a telephone operator overhearing your call can't tell someone else what it was about, so sysops are prohibited from disclosing your e-mail traffic to anyone, unless you (or the other party to the traffic) give them permission.
Common sense, right. So far all I think we've seen is that the law has changed to recognize changes in technology. But then, what about the police? If they can legally bug phones with a court order, if they can legally subpoena telephone records, what can they do with bulletin boards? Pretty much the same things. The remaining sections of the Act go into great detail about what the police can do and how they can do it. The detail is too much to get into in this article, and I would suggest that if a sysop or user ever needed to know this information, that would be a case when they ought to be seeing their attorney. I will give a couple of details, however: if a sysop is served, they can be required to make a backup copy of whatever information is on their system (limited, of course, to that listed in the warrant or subpoena). They must do this without telling the persons under investigation. They do not at this point, generally, give the police the records. They just tell the police that its been done. Then, the courts notify the user that this information has been requested and the user has a chance to challenge it. Eventually, after it all gets sorted out, the information goes to the police or is destroyed, whichever. Again, if a sysop or user ever finds themselves in this situation, don't rely on this article--see your lawyer. And, see him/her soon, because the Act imposes time limits.
If the Act makes all of this stuff federal crimes, what penalties does it establish? Again, generally, there are two cases. The first is the one most BBS operators and users will be concerned with. "A fine of not more than $5,000 or imprisonment for not more than six months, or both." Actually, in the law, that's the second case. The first is where businesses were conducting industrial espionage--"for purposes of commercial advantage, malicious destruction or damage, or private commercial gain." In this case, "a fine of not more that $250,000 or imprisonment for not more than one year, or both, in the case of a first offense," and "a fine or imprisonment for not more that two years, or both, for a subsequent offense."
What all this has said is that the federal criminal code now protects electronic communications the way it previously protected written ones. It understands that mailmen, physical or electronic, have access to the mail they carry, so it tells them not to tell. It sets up some hefty penalties for those who don't take privacy seriously enough. And finally, it sets up procedures for the contents of bulletin board and other electronic systems to be sought for official investigation. This is, of course, one layman's opinion. As long as the reader doesn't have criminal intent or hasn't been served with some type of request for system records, it's probably adequate. If, however, the reader finds him/herself confronting the law "up close and personal," then this article should be noted for one and only one piece of advice: see a lawyer, and soon!