[CONTACT]

[ABOUT]

[POLICY]

When does hacking turn from an

Found at: 0x1bi.net:70/textfiles/file?law/civlib.law

Civil Liberties in Cyberspace:
When does hacking turn from an exercise 
of civil liberties into crime?

by Mitchell Kapor

September, 1991.


On March 1, 1990, the U.S. Secret Service raided the offices of Steve
Jackson, an entrepreneurial publisher in Austin, Tex. Carrying a
electronic bulletin-board system used by the publisher to communicate
mail on the system.


The Secret Service held some of the equipment and material for months,
to reconstruct his book from old manuscripts, to delay filling orders
for it and to lay off half his staff. When the warrant application was
finally unsealed months later, it confirmed that the publisher was
never suspected of any crime.


Steve Jackson's legal difficulties are symptomatic of a widespread
the subject of similar searches and seizures. In any other context, this
as well as several existing privacy laws. But the government proceeded
as if civil liberties did not apply. In this case, the government was
nvestigating a new kind of crime -- computer crime.


The circumstances vary, but a disproportionate number of cases share a
common thread: the serious misunderstanding of computer-based communi-
cation and its implications for civil liberties. We now face the task
of adapting our legal institutions and societal expectations to the
cultural phenomena that even now are springing up from communications
technology.


Our society has made a commitment to openness and to free
communication. But if our legal and social institutions fail to adapt
to new technology, basic access to the global electronic media could be
assure that these freedoms are not compromised, a group of computer
experts, including myself, founded the Electronic Frontier Foundation
(EFF) in 1990.


computer crime investigation at all. The company publishes a popular,
award-winning series of fantasy roleplaying games, produced in the
form of elaborate rule books. The raid took place only because law
enforcement officials misunderstood the technologies -- computer
bulletin-board systems (BBSs) and on-line forums -- and misread the
cultural phenomena that those technologies engender.


Like a growing number of businesses, Steve Jackson Games operated an
electronic bulletin board to facilitate contact between players of its
via modem from their personal computers to swap strategy tips, learn
about game upgrades, exchange electronic mail and discuss games and
other topics.


Law enforcement officers apparently became suspicious when a Steve
Jackson Games employee -- on his own time and on a BBS he ran from his
transferring computer files called Kermit. In addition, officials
claimed that at one time the employee had had on an electronic
bulletin board a copy of Phrack, a widely disseminated electronic publi-
cation, that included information they believed to have been stolen from
a BellSouth computer.


The law enforcement officials interpreted these facts as unusual
enough to justify not only a search and seizure at the employee's
enough equipment to disrupt the business seriously. Among the items
confiscated were all the hard copies and electronically stored copies of
the manuscript of a rule book for a role-playing game called GURPS
Cyberpunk, in which inhabitants of so-called cyberspace invade
corporate and government computer systems and steal sensitive data.
Law enforcement agents regarded the book, in the words of one, as "a


A basic knowledge of the kinds of computer intrusion that are
technically possible would have enabled the agents to see that GURPS
Cyberpunk was nothing more than a science fiction creation and that
Kermit was simply a legal, frequently used computer program.
Unfortunately, the agents assigned to investigate computer crime did not
know what -- if anything -- was evidence of criminal activity.
Therefore, they intruded on a small business without a reasonable
basis for believing that a crime had been committed and conducted a
olation of the Fourth Amendment of the Constitution.


Searches and seizures of such computer systems affect the rights of
not only their owners and operators but also the users of those systems.
Although most BBS users have never been in the same room with the
actual computer that carries their postings, they legitimately expect
their electronic mail to be private and their lawful associations to
be protected.


The community of bulletin-board users and computer networkers may be
forums for debate and information exchange, computer-based bulletin
boards and conferencing systems support some of the most vigorous
exercise of the First Amendment freedoms of expression and association
that this country has ever seen. Moreover, they are evolving rapidly
nto large-scale public information and communications utilities.


These utilities will probably converge into a digital national public
network that will connect nearly all homes and businesses in the U.S.
This network will serve as a main conduit for commerce, learning,
education and entertainment in our society, distributing images and
video signals as well as text and voice.  Much of the content of this
network will be private messages serving as "virtual" town halls,
village greens and coffeehouses, where people post their ideas in public
or semipublic forums.


Yet there is a common perception that a defense of electronic civil
liberties is somehow opposed to legitimate concerns about the
the popular hysteria about the technically sophisticated youths known as


began in the 1980s to perceive computer hackers as threats to the
underlying reality -- the typical teenage hacker is simply tempted by
the prospect of exploring forbidden territory. Some are among our best
and brightest technological talents: hackers of the 1960s and 1970s,
for example, were so driven by their desire to master, understand and
called Apple, Microsoft and Lotus.


How do we resolve this conflict? One solution is ensure that our scheme
of civil and criminal laws provides sanctions in proportion to the
offenses. A system in which an exploratory hacker receives more time in
making subtle and not-so-subtle distinctions among criminal offenses.


There are, of course, real threats to network and system security. The
qualities that make the ideal network valuableQits popularity, its
uniform commands, its ability to handle financial transactions and its
nternational access -- also make it vulnerable to a variety of
abuses and accidents. It is certainly proper to hold hackers
accountable for their offenses, but that accountability should never
entail denying defendants the safeguards of the Bill of Rights,
ncluding the rights to free expression and association and to free-


We need statutory schemes that address the acts of true computer crim-
nals (such as those who have created the growing problem of toll and
credit-card fraud) while distinguishing between those criminals and
need educated law enforcement officials who will be able to recognize
and focus their efforts on the real threats.


The question then arises: How do we help our institutions, and
and to make an agenda for preserving the civil liberties that are
central to that society. Then we can draw on the appropriate legal
traditions that guide other media. The late Ithiel de Sola Pool argued
n his influential book Technologies of Freedom that the medium of


The freedom of the press to print and distribute is explicitly
of First Amendment law, especially in this century, prevents the


Like the railroad networks, the telephone networks follow common-car-
"cargo" they carry. It would be unthinkable for the telephone company to
monitor our calls routinely or cut off conversations because the


Meanwhile the highly regulated broadcast media are grounded in the
dea, arguably mistaken, that spectrum scarcity and the pervasiveness
of the broadcast media warrant government allocation and control of
access to broadcast frequencies (and some control of content). Access
to this technology is open to any consumer who can purchase a radio or
television set, but it is nowhere near as open for information


Networks as they now operate contain elements of publishers,
broadcasters, bookstores and telephones, but no one model fits. This
legal principles. As hybrids, computer networks also have some features
that are unique among the communications media. For example, most
conversations on bulletin boards, chat lines and conferencing systems
are both public and private at once. The electronic communicator speaks
to a group of individuals, only some of whom are known personally, in a


But the dissemination is controlled, because the membership is limited
to the handful of people who are in the virtual room, paying attention.
Yet the result may also be "published" -- an archival textual or voice
backlog. Some people tend to equate on-line discussions with party (or
and still others think of citizens band radio.


erupt. Last year an outcry went up against the popular Prodigy comput-
er service, a joint venture of IBM and Sears, Roebuck and Co. The
essentially a newspaper" or "magazine," for which a hierarchy of
editorial control is appropriate. Some of Prodigy's customers, in
contrast, regarded the service as more of a forum or meeting place.


When users of the system tried to protest Prodigy's policy, its editors
use electronic mail as a substitute for electron- assembly,
communicating through huge mailing lists. Prodigy placed a limit on the
number of messages each individual could send.


The Prodigy controversy illustrates important principle that belongs on
civil liberties agenda for the future: freedom-of-speech issues will not
metaphor on its service. Subscribers sense, I believe, that freedom of
communications. Science fiction writer William Gibson once remarked
that "the street finds its own uses for things." Network service pro-
viders will continue to discover that their customers will always find
their own best uses for new media.


Freedom of speech on networks will be promoted by limiting content-based
to restrict the content of any information service they subsidize or
most efficient means of ensuring that needs of network users will be
met.


The underlying network should essentially be a "carrier" -- it should
operate under a content-neutral regime in which access is available to
any entity that can pay for it. The information and forum services would
be "nodes" on this network. (Prodigy, like GEnie and CompuServe,
currently maintains its own proprietary infrastructure, but a future
version of Prodigy might share the same network with services like
CompuServe.)


Each service would have its own unique character and charge its own
electronic "newspaper" with strong editorial control, it will draw an
audience. Other less hierarchical services will share the network with
that "newspaper" yet find their own market niches, varying by format and
content.


The prerequisite for this kind of competition is a carrier capable of
community. Like common carriers, these network carriers should be seen
as conduits for the distribution of electronic transmissions.  They
nate among messages.

This kind of restriction will require shielding the carriers from legal
liabilities for libel, obscenity and plagiarism.  Today the ambiguous
avoided by appropriate legislation. Our agenda requires both that the
law shield carriers from liability based on content and that carriers
not be allowed to discriminate.


All electronic "publishers" should be allowed equal access to networks.
Ultimately, there could be hundreds of thousands of these information
today. As "nodes," they will be considered the conveners of the
environments within which on-line assembly takes place.


None of the old definitions will suffice for this role. For example,
to safeguard the potential of free and open inquiry, it is desirable
to preserve each electronic publisher's control over the general flow
and direction of material under his or her imprimaturQin effect, to give
the "sysop," or system operator, the prerogatives and protections of a


But it is unreasonable to expect the sysop of a node to review every
message or to hold the sysop to a publish er's standard of libel.
Message traffic on many individually owned services is already too
Nor is it appropriate to compare nodes to broadcasters (an analogy
likely to lead to licensing and content-based regulation). Unlike the
broadcast media, nodes do not dominate the shared resource of a public
community, and they are not a pervasive medium. To take part in a
controversial discussion, a user must actively seek entry into the
appropriate node, usually with a subscription and a password.


Anyone who objects to the content of a node can find hundreds of other
s if choice is somehow restricted: if all computer networks in the
country are restrained from allowing discussion on particular subjects
or if a publicly sponsored computer network limits discussion.


This is not to say that freedom-of-speech principles ought to protect
all electronic communications. Exceptional cases, such as the BBS used
numbers, will always arise and pose problems of civil and criminal
liability. We know that electronic freedom of speech, whether in public
or private systems, cannot be absolute. In face-to-face conversation and
fraud, libel, incitement to lawless action and copyright infringement.


U.S. Supreme Court's 1969 decision in Brandenburg v. Ohio.  The court
mminent lawless action.


traditional media, any on-line messages should not be the basis of
criminal prosecution unless the Brandenburg standard is met.


Other helpful precedents include cases relating to defamation and
copyright infringement. Free speech does not mean one can damage a
account for it. And it probably does not mean that one can release a
virus across the network in order to "send a message" to network
appear, the release of a destructive program, such as a virus, may be
better analyzed as an act rather than as speech.


Following freedom of speech on our action agenda is freedom from unrea-
cases in which computer equipment and disks were seized and held some-
times for months -often without a specific charge being filed. Even when
only a few files were relevant to an investigation, entire computer
files intact.


Such nonspecific seizures and searches of computer data allow "rummag-
ng," in which officials browse through private files in search of
ncriminating evidence. In addition to violating the Fourth Amendment
often run afoul of the Electronic Communications Privacy Act of 1986.
This act prohibits the government from seizing or intercepting elec-
tronic communications without proper authorization. They also contravene
the Privacy Protection Act of 1980, which prohibits the government from
materials that are electronically stored.


We can expect that law enforcement agencies and civil libertarians
enforcement officials will have to adhere to guidelines in the above
the efficiency of their searches. They also will have to be trained to
make use of software tools that allow searches for particular files or


Still another part of the solution will be law enforcement's abandonment
of the myth of the clever criminal hobbyist. Once law enforcement no
longer assumes worst-case behavior but looks instead for real evidence
of criminal activity, its agents will learn to search and seize only


Developing and implementing a civil liberties agenda for computer net-
The Computers, Freedom and Privacy Conference, held last spring in San
Francisco, along with electronic conferences on the WELL (Whole Earth
'Lectronic Link) and other computer networks, have brought law
enforcement officials, supposed hackers and interested members of the
computer community together in a spirit of free and frank discussion.
Such gatherings are beginning to work out the civil liberties guidelines
for a networked society.


There is general agreement, for example, that a policy on electronic
crime should offer protection for security and privacy on both
ndividual and institutional systems. Defining a measure of damages
and setting proportional punishment will require further goodfaith
cluding the Federal Bureau of Investigation, the Secret Service, the
bar associations, technology groups, telephone companies and civil
libertarians.  It will be especially important to represent the damage
caused by electronic crime accurately and to leave room for the valuable


We hope to see a similar emerging consensus on security issues. Network
that depends on wholesale monitoring of traffic, for example, would
create more problems than it would solve.


Those parts of a system where damage would do the greatest harm --
financial records, electronic mail, military data -- should be
measures, but it also means redefining the legal interpretations of
copyright, intellectual property, computer crime and privacy so that
large institutions. These policies should balance the need for civil
liberties against the need for a secure, orderly, protected electronic


As we pursue that balance, of course, confrontations will continue to
take place. In May of this year, Steve Jackson Games, with the support
of the EFF, filed suit against the Secret Service, two individual Secret
Service agents, an assistant U.S. attorney and others.


The EFF is not seeking confrontation for its own sake. One of the
or constitutional right in the courts in order to get it recognized
outside the courts. One goal of the lawsuit is to establish clear
"unreasonable" and unjust. Another is to establish the clear
applicability of First Amendment principles to the new medium.


But the EFF's agenda extends far beyond liagation. Our larger agenda
ncludes sponsoring a range of educational initiatives aimed at the
knowledgeable people to take part in the public debate over communica-
tions policy and to help spread their understanding of these issues.
Fortunately, the very technology at stake -- electronic conferencing
-- makes it easier than ever before to get involved in the debate.





Downloaded From P-80 International Information Systems 304-744-2253


AD: