EFFector Online Volume org Publicati

Found at: gopher.meulie.net:70/EFFector/effector5.05

           //////////////     //////////////     //////////////
         ///                ///                ///
       ///////            ///////            ///////
     ///                ///                ///
   //////////////     ///                ///
EFFector Online Volume 5 No. 5       4/2/1993       editors@eff.org
A Publication of the Electronic Frontier Foundation   ISSN 1062-9424

                        In this issue:
          Keys to Privacy in the Digital Information Age
        What's Important About the Medphone Libel Case?

          Keys to Privacy in the Digital Information Age
              by Jerry Berman and Daniel J. Weitzner 

   With dramatic increases in reliance on digital media for 
communications, the need for comprehensive protection of privacy in 
these media grows.  For many reading this newsletter, the point may 
challenges for those concerned about protecting communications 
or over the wire-based public telephone network, is relatively secure 
from random intrusion by others.  But the same communication 
carried, for example, over a cellular or other wireless communication 
nexpensive, easy-to-obtain, scanning technology.  If designed and
actually support and enhance the level of privacy that we all enjoy.  
But if, in the design process, privacy concerns are slighted, whether 
consciously or not, privacy may be compromised.

   Public policy has a critical impact on the degree of privacy 
ssues present the challenges of digital privacy protection in sharp
ntroduction of robust encryption technologies.  Motivated by
national security concerns, the National Security Agency is using 
export control regulations to discourage the widespread foreign and 
agents operating in and around the United States.  However, the 
NSA's restriction on the use of powerful encryption systems limits 
the ability of all who rely on electronic communication systems to 

   Second, on the domestic front, the FBI has proposed a 
comprehensive licensing regime that would require all new 
communications systems to be certified as "wire-tappable" before 
their introduction into the market.  This proposal threatens to force 
the widespread use of communications systems that have "back 
the scope of the FBI's wiretapping authority to an unspecified degree.  
Although these two proposals are now being pursued in independent 
appreciate the full implications for privacy.

Encryption Policy
   For the individual who relies on digital communications media, 
of robust encryption technology.  While legal restrictions on the use 
of scanners or other technology that might facilitate such invasions of 
lasting or comprehensive solutions.  We should have a guarantee -- 
technical means.  We already know how to do this, but we have not 
made encryption technology widely available for public use because 
of public policy barriers.  The actual debate going on involves both 
the National Security Agency and the National Institute of Standards 
and Technology.  They are in the process of deciding what version of 
a particularly strong type of encryption system ought to be promoted 
for public use.  Called Public Key Encryption systems, these coding 
to encrypt the message.

   In examining discrete issues such as the desirability of various 
cryptography standards, we take a comprehensive view of "digital 
clear vision of the underlying civil liberties issues at stake:  privacy 
and free speech.  It also requires looking beyond the cryptography 
questions raised by many to include some of law enforcement's 
For the sake of promoting innovation and protecting civil liberties, 

   Inasmuch as digital privacy policy has broad implications for 
constitutional rights of free speech and privacy, these issues must be 
explored and resolved in an open, civilian policy context.  This 
These questions are simply too important to be decided by the 
national security establishment alone.  The structure of the Act arose, 
n significant part, from the concern that the national security
establishment was exercising undue control over the flow of public 
nformation and the use of information technology.  When
considering the law in 1986, the Congress asked the question, 
"Whether it is proper for a super-secret agency [the NSA] that 
operates without public scrutiny to involve itself in domestic 
activities...?"  The answer was a clear no, and the authority for 
establishing computer security policy was vested in NIST (then the 
National Bureau of Standards).

   In this context, we need a robust public debate over our 
commercially developed cryptography.  It is no secret that 
throughout the cold war era, the Defense and State Departments and 
the National Security Agency have used any and all means, including 
threats of prosecution, control over research and denial of export 
licenses, to prevent advanced secret coding capabilities from getting 
nto the hands of our adversaries.  NSA does this to maximize its
ability to intercept and crack all international communications of 
national security interest.

   Now the Cold War is over, but the practice continues.  In recent 
years, Lotus, Microsoft, and others have developed or tried to 
ncorporate powerful encryption means into mass market software to
enhance the security and privacy of business, financial, and personal 
communications.  In an era of computer crime, sophisticated 

   Although NSA does not have the authority to interfere with 
over foreign distribution has significant domestic consequences.  
United States firms have been unable to sell competitive security and 
the cost of producing two different products is often prohibitive, NSA 

   While we all recognize that NSA has legitimate national security 
concerns in the post cold war era, this is a seriously flawed process.  
Foreign countries or entities who want to obtain advanced encryption 
technology can purchase it through intermediaries in the United 
States or from companies in a host of foreign countries who are not 
Emperor's New Clothes, NSA opts to act as if the process works by 
continuing to block export.

   In order to get some improvement in mass market encryption, the 
computer industry had to resort to using the threat of legislation to 
expedited clearance for the export of  encryption software of limited 
key lengths.  Still, all concede that the agreement does not go far 
enough and that far more powerful products are commonly available 
n the US.  The remaining limits specifying maximum key lengths
offers little long-term security given advances in computer 

   Does this kind of policy make any sense in the post Cold War era?  
Mass market products offer limited security for our citizens.  
Determined adversaries can obtain much more powerful products 
from foreign countries or by purchasing it here in the US.  Is the NSA 
adversaries -- and there's some debate as to whether the NSA policy 

FBI's Digital Telephony Proposal 
   The public policy debate on electronic privacy issues over the last 
few years has demonstrated that a comprehensive approach to 
questions regarding the availability of encryption technology and the 
corresponding infrastructure issues, such as those raised by the FBI's 
Digital Telephony Proposal.

   Last year, the FBI first proposed a "Sense of the Congress" 
communications equipment manufacturers were obligated to provide 
law enforcement access to the "plain text" of all voice, data and video 
communications, including communications using software 
encryption.  The Electronic Frontier Foundation (EFF) played an 
active and leading role both in opposing such a law and in seeking to 
find more acceptable means for meeting legitimate law enforcement 
needs.  Because of our advocacy and coalition-building efforts with 
communications and privacy groups, we were successful in 
Sense of the Congress Resolution from active consideration as part of 
Omnibus crime legislation last year.

   Putting aside its attempt to control the use of encryption systems, 
last year the FBI proposed legislation that would require telephone 
companies, electronic information providers, and computer and 
communications equipment manufacturers to seek an FCC "license" or 
Attorney General "certification" that their technologies are 
creating a domestic version of the export control laws for computer 
and communications technology.

   While the FBI claims that neither of last year's proposals address 
encryption issues, the Bureau has made it clear it plans to return to 
this issue in the future.  A broad-based coalition of public interest 
and industry groups, coordinated by the Electronic Frontier 
Foundation, has called on the FBI to explore more realistic, less 
vague, and less potentially onerous policy options for meeting 
legitimate law enforcement needs.  The EFF-coordinated coalition 
ncludes over 30 industry groups (including AT&T, Lotus, Microsoft,
Sun Microsystems, IBM and Digital Equipment) along with public 
nterest organizations such as the American Civil Liberties Union and
Computer Professionals for Social Responsibility.  Last year the 
coalition was successful at stopping two separate FBI legislative 
attempts, but we fully expect that the Digital Telephony proposal will 
be back on the table.

   At times, the arcana of encryption standards, export control laws, 
and technical specifications of new digital telephony equipment may 
unfortunately obscure the critical issues at stake in protecting 
ndividual privacy.  Many people are already relying on digital media
-- whether electronic mail, bulletin board systems, or other new 
media -- for a plethora of personal, political, professional, and 
cultural communications tasks.  To provide adequate privacy 
technical details and constitutional principles together, simply 
because more and more of our personal activities will be pursued 
through new digital media.

   The multi-front battle being waged about digital privacy creates 
formidable roadblocks to a final resolution of the policy disputes at 
ssue.  Neither the restrictions of encryption, nor the FBI's wiretap
concerns, can be thoroughly addressed independent of the other.  
Those who seek greater privacy and security cannot trust a 
undermined by action on the other issue.  And law enforcement and 
national security concerns cannot be adequately addressed without a 
and infrastructure fronts.  It is time for policymakers to conduct a 
comprehensive review of digital privacy and security policy, with a 
consideration of both of these sets of issues.

   In the case of the FBI's Digital Telephony proposal, we must tread 
carefully.  Current laws governing wiretapping authority, for 
example, reflect a subtle balance between the guarantees of privacy 
and security from state intervention embodied in our constitutional 
tradition on the one hand, and the needs of law enforcement, on the 
other.  The rule developed for one medium -- voice telephony -- 
cannot be mechanically extended to the host of new communications 
options now becoming available.  Rather, we must give careful 
consideration to the scope of wiretap authority that is appropriate to 
the new media that the FBI seek to sweep under their wiretap 
authority.  In the case of encryption policy, it is critical that private 
citizens have access to affordable, effective, and legal encryption 
technology.  In the information age, concerns for protecting 
ndividual privacy should take precedence over outmoded national


        "What's Important About the Medphone Libel Case?" 

                         By Mike Godwin

   Online conferencing seems so much like informal conversation that 
t may come as a surprise to some people to discover that they may
be bound by the same libel law that applies to The New York Times. 
major part) makes clear that there's no reason to believe that online 

_What is defamation and what is libel?_

   A communication is considered defamatory if it tends to damage 
both false and it defames someone, the person whose reputation is 
njured can sue for damages. In general, if the defamation is
*spoken* in the direct presence of an audience, it's called "slander"; 

   Libel law is an area of great interest for the people who run online 
forums. If a newspaper or TV station "republishes" a false 
the station for damages *in addition* to suing the person who made 
the original false statement. The big question for online forum 
operators, like CompuServe and Prodigy, is the extent to which the 

   A possible answer to this question appeared in a recent case called 
Cubby Inc. v. CompuServe. In that case, which took place in a federal 
been brought against CompuServe as a "republisher." In that case, 
the judge held that CompuServe is less like a newspaper or TV 
Although libel law, as limited by the First Amendment, allows print 
and TV "republishers" to be liable for defamation, it does not allow 
latter liable would create a burden on these parties to review every 
book they carry for defamatory material. This burden would "chill" 
the distribution of books (not to mention causing some people to get 
out of the bookstore or library business) and thus would come into 

   But the issues raised in this new libel suit involving Prodigy are 

_The facts of Medphone v. DeNigris_

   Peter DeNigis is being sued by the medical-instrument 
manufacturer Medphone for statements he made in the Money Talk 
forum on Prodigy. Medphone is claiming that DeNigris engaged in a 
"systematic program for defamation and trade disparagement" 
against the company, and is suing on business-libel and securities-
fraud theories. The company decided to sue DeNigris after its stock 
company's performance"--according to the company's press release, 
ts sales had been going up, and it had recently formed two
mportant business alliances. Medphone was alerted to the possible
cause of the stock decline when a stockholder notified the company 
about DeNigris's "frequent" statements about the company on 

   One example of a DeNigris posting (on Sept. 7), appeared in the LOS 
ANGELES TIMES account of the story: "Is the end near for 
Medphone?????????? Stock is quoted 25 cents to 38 cents. Closed at 
a new low Friday, at (38 cents). My research indicated company is 
terrible management. This company appears to be a fraud. Probably 

   Note that this statement does not prove that DeNigris has 
committed libel. DeNigris is reported to have lost $9000 on 
Medphone stock that he sold in November, so he may have good-
faith reasons to believe what he was saying about the company. He 
nsists his opinions, as stated, are "fair" and "can be documented" by
leading publications. If his statements turn out to be true, or even if 
t turns out that they're false but that he had a good-faith belief that
the statements are true, it could mean that he'll win the libel case 
against him.

   This does not mean, however, that there is not a credible case 
against him. For one thing, the comment about "fraud" is a very 
the stock's or company's underperformance. For another, DeNigris is 
alleged to have called Prodigy several times a day to post negative 
a plan to affect the company's reputation and stock price.

_Does this case raise any new legal issues?_ 

   The major difference between Medphone v. DeNigris and Cubby 
forum (Prodigy) liable as a republisher. This means that the 
complicated legal issue of "republisher liability" doesn't arise. 

   This makes the case a lot simpler legally. It is a well-settled legal 
may be held liable for defamation. Although the Electronic Frontier 
Foundation and other groups have taken the position (consistent with 
Cubby) that the owners and operators of digital forums, as 
*republishers*, deserve the same protections as republishers in other 
media, none of these groups has taken the position that there is 
that makes it less damaging or less libelous than if it appears in 
other media.

   Some people argue, however, that Prodigy *should* be a party to 
this lawsuit, or perhaps to another lawsuit. They argue that since 
like, say, USA Today. And they're troubled by the fact that Prodigy 
turned over records of some of its subscribers' messages to 
Medphone's and DeNigris's lawyers--isn't this a violation of the 

Let's address these criticisms in detail: 

   Some Prodigy subscribers apparently are arguing that Prodigy 
law and in part on subscribers' innate sympathy to the plight of 
another subscriber. There are two good reasons to disagree with this 
content (other than bouncing postings with profane language--this is 
apparently done through software). Following Cubby v. CompuServe, 
and absent any facts to the contrary, there is no reason to think 
that Peter DeNigris cannot be a defendant.) And even if there were a 
lawyers, not to anyone else, whether to sue Prodigy.

   With regard to the privacy rights of subscribers, it should be noted 
that Prodigy turned over records of subscriber messages to 
Medphone's lawyers (and, apparently, to DeNigris's lawyers) *in 
Electronic Communications Privacy Act, which authorizes disclosure 
of stored electronic communications in response to subpoena. What's 
more, Prodigy could have been held in contempt of court had it *not* 
complied with the subpoenas. 

   At this point, at least, it seems that the Medphone case does not 
libel lawsuit involving an online forum.

_What is significant about this case?_

   But even if the case does not raise new legal issues, it certainly 
very same technology that empowers people to be their own 
newspapers or TV stations rarely had to think about the potential 
that they might be sued for libel--after all, there wasn't much risk 
that even an intentionally irresponsible statement was going to do a 
libelous newspaper article or TV broadcast. 

   But just as the increasingly common phenomenon of online forums 
creates the possibility for each of us to reach vast, new audiences, it 
also creates the potential for us to commit defamation on a vast new 

   So, the Medphone case does turn out to be significant in a major 
that generations of professional journalists have already learned--
that statement may come back to haunt you. 


     EFFector Online is published by
     The Electronic Frontier Foundation
     666 Pennsylvania Ave., Washington, DC 20003
     Phone: +1 202 544-9237 FAX: +1 202 547 5481
     Internet Address: eff@eff.org
     Coordination, production and shipping by Cliff Figallo, EFF 
     Online Communications Coordinator (fig@eff.org)
 Reproduction of this publication in electronic media is encouraged.
 Signed articles do not necessarily represent the view of the EFF.
 To reproduce signed articles individually, please contact the authors
 for their express permission.

      *This newsletter is printed on 100% recycled electrons*


efforts and activities into other realms of the electronic frontier, we 
need the financial support of individuals and organizations.

becoming a member now. Members receive our bi-weekly electronic 
newsletter, EFFector Online (if you have an electronic address that 
can be reached through the Net), and special releases and other 
notices on our activities.  But because we believe that support should 
be freely given, you can receive these things even if you do not elect 
to become a member.

Your membership/donation is fully tax deductible.

Our memberships are $20.00 per year for students and $40.00 per 
year for regular members.  You may, of course, donate more if you 

Our privacy policy: The Electronic Frontier Foundation will never, 
under any circumstances, sell any part of its membership list.  We 
organizations  whose work we determine to be in line with our goals.  
But with us,  member privacy is the default. This means that you 
must actively grant us permission to share your name with other 

Mail to: The Electronic Frontier Foundation, Inc.
         238 Main St.
         Cambridge, MA 02142

            $20.00 (student or low income membership)
            $40.00 (regular membership)

    [  ] I enclose an additional donation of $_______




City or Town:

State:       Zip:      Phone: (    )             (optional)

FAX: (    )              (optional)

Email address:

to my Mastercard [  ]  Visa [  ]  American Express [  ]


Expiration date:

Signature: ________________________________________________


other non-profit groups from time to time as it deems
appropriate   [ ].