****************************************************************************
>C O M P U T E R U N D E R G R O U N D<
>D I G E S T<
*** Volume 3, Issue #3.04 (January 28, 1991) **
****************************************************************************

MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
ARCHIVISTS: Bob Krause / Alex Smith / Bob Kusumoto
RESIDENT SYSTEM CRASH VICTIM:: Brendan Kehoe

USENET readers can currently receive CuD as alt.society.cu-digest. Back issues are also available on Compuserve (in: DL0 of the IBMBBS sig), PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on FIDOnet.

Anonymous ftp sites: (1) ftp.cs.widener.edu (2) cudarch@chsun1.uchicago.edu
E-mail server: archive-server@chsun1.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors, however, do copyright their material, and those authors should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Reprint from BMUG (Berkeley MacIntosh Users' Group)
Subject: BMUG's ECPA Commentary (reprinted with permission from BMUG)
Date: January, 1991

********************************************************************
*** CuD #3.04, File 3 of 4: The Politics of the ECPA of 1986 ***
********************************************************************

The Politics of the Electronic Communications Privacy Act of 1986

Copyright (C) 1990, Bernard Aboba. All rights reserved.

The Electronic Communications Privacy Act (ECPA) of 1986 was a landmark piece of legislation which is likely to affect online services and hobbyist bulletin boards for many years to come. Since the ECPA is a complex and often arcane piece of legislation, it is very hard to understand without looking at the history of how it came to be. In understanding the politics of ECPA, this article relies heavily on the transcripts of the House Judiciary Committee Hearings on H.R. 3378, which eventually became the Electronic Communications Privacy Act.

During the hearings on ECPA in 1985-86 only one member of the online service industry, The Source (subsequently acquired by Compuserve) submitted an opinion. Though endorsing the bill, the assessment hinted at possible long term costs imposed by the lack of preemption of state standards. However, this one page assessment hardly made an impression on the hearings compared with the impressive lineup of spokesmen from the ACLU, cellular communications firms, Regional Bell Operating Companies (RBOC's), broadcasting groups, credit and banking firms, and computer and telecommunications industry associations, all lined up in support of the bill. Only the U.S. Department of Justice, manufacturers of scanning equipment, and amateur radio associations expressed strong reservations about the bill.

However, since the passage of ECPA, the long term costs of the legislation and its effects on commercial and hobbyist conferencing systems have become apparent. Ironically, none of these effects were anticipated at the hearings.

Outline of ECPA

Broadened Protection of Communications

The ECPA amended the Omnibus Crime Control and Safe Streets Act of 1968 (which covered wire tapping of common carriers) to prohibit monitoring of all electronic communications systems not designed to be accessible by the public. This includes voice, data, and video on non-public systems, and applies to communications regardless of the mode of transmission.

Search and Seizure

To obtain access to communications such as electronic mail, the government is required to obtain a warrant on probable cause. Law enforcement must also obtain a court order based on reasonable suspicion before obtaining toll records of telephone calls or gaining access to records of an electronic communications system which concern specific communications.

Criminal Penalties

Criminal penalties can result from unauthorized access to computers if messages are obtained or altered. Felony charges can be brought if the violation was committed maliciously or for commercial gain, in which case the act is punishable by up to one year imprisonment and a $250,000 fine. In other cases, a term of imprisonment of six months and a maximum fine of $5,000 is applicable.

Civil Penalties

Civil damages may be pursued for violation of the rights contained in the act.

Disclosure

Electronic communications systems operators may not disclose electronic messages without authorization except in special circumstances.

The Politics of ECPA

The ECPA was supported by the cellular phone, telephone, packet switching, paging, and broadcasting industries; private firms owning large communications networks, miscellaneous computer and communications trade associations, the ACLU and Consumer's Union, and credit bureaus.
Law enforcement agencies were supportive, but skeptical. The only vigorous opposition came from amateur radio associations, and manufacturers of scanning equipment which, while protesting loudly, saw few of their recommended modifications enacted into law. Also playing a role were sponsoring legislators, such as Senator Patrick Leahy of Vermont, and Charles Mathias of Maryland, as well as Representatives Robert Kastenmeier and Carlos Moorhead.

Senator Leahy, in his opening remarks at the hearings on the bill, set the stage for the legislation:

"At this moment phones are ringing, and when they are answered, the message that comes out is a stream of sounds denoting ones and zeros.... What is remarkable is the fact that none of these transmissions are protected from illegal wiretaps, because our primary law, passed back in 1968, failed to cover data communications, of which computer to computer transmission are a good example. When Congress enacted that law, Title III of the Omnibus Crime Control and Safe Streets Act of 1968, it had in mind a particular kind of communication - voice - and a particular way of transmitting that communication - via a common carrier analog telephone network. Congress chose to cover only the "aural acquisition" of the contents of a common carrier wire communication. The Supreme Court has interpreted that language to mean that to be covered by Title III, a communication must be capable of being overheard. The statute simply fails to cover the unauthorized interception of data transmissions."

Senator Leahy also had more practical reasons for supporting the bill. The rapidly growing U.S. cellular communications industry had become alarmed by the ease with which cellular communications could be monitored. Television sets built during the period 1966-1982 were capable of picking up cellular conversations on UHF channels 80-83.
This was possible because cellular communications used the same frequency modulation techniques utilized in transmitting television sound. In addition, scanning equipment costing several hundred dollars was capable of receiving cellular communications in the 800 MHz band.

During 1985, several incidents threatened to make the vulnerability of cellular communications into front page news. For example, private conversations of state legislators in Austin were intercepted and made available in the public press, with embarrassing consequences.

This ease of reception threatened the viability of the cellular industry. In response, according to Richard Colgan of the Association of North American Radio Clubs, "cellular firms resorted to pervasive misrepresentation of the actual interception vulnerability of cellular."

In fairness to the cellular industry, cellular communications does provide certain inherent protections against interception. For example, since each half of the conversation is transmitted on different frequencies, usually it is only possible to listen in on one side of a conversation. In addition, while it is easy to pick up some conversation, it is difficult to pick up a particular conversation of interest. Also, the frequencies will shift during passage from one cell to another. However, given the relatively large cell size, frequencies are likely to be stable over the average life of a call.

In his remarks, Senator Leahy stated that the ECPA was needed to help the cellular industry get off the ground, and that the American people and American business wanted the ECPA. A more emotional defense was made by John Stanton, Executive VP of McCaw Communications, who stated "The inhibition of the growth of cellular technology and paging technology, forced by the lack of privacy, is unfair."

Law enforcement interests and businesses were also in favor of the bill.
In 1986, the nation was just becoming aware of the threat posed by computer crime, and the need for laws allowing prosecution of perpetrators. The ECPA was therefore viewed by elements of law enforcement and business as a vehicle for criminalizing the act of breaking into computers. Businesses such as GTE Telenet, EDS, and Chase Manhattan thus supported the ECPA as a computer crime bill. Telephone companies such as AT&T even attempted to tack on additional computer crime provisions covering breaking into their switching equipment.

In retrospect, the preoccupation with computer crime distorted evaluations of the ECPA. Computer crime was more effectively addressed by state penal code revisions such as California Penal Code Section 502 - Computer Crime, and Section 499c - Trade Secrets. The purpose of ECPA was to ensure privacy rather than to define the criminal uses of computers.

The cellular industry had no such illusions. Mr. Philip Quigley, CEO of PacTel Mobile Co., described the economic benefits of ECPA by noting that without legislation, "defending the right (to privacy) could take years of litigation." "Individuals can use scanning devices today... (it is our intent) to merely excise out... the capability that exists today to zone in on the channels and the frequencies that are associated with cellular telephony."

Without the ECPA, the industry would have faced incorporation of expensive encryption technology into their systems. For example, John Stanton of McCaw testified that "Encryption devices make it difficult to roam from system to system," generated scratchy sound, and required 30% more investment for the base unit, and 100% for the phone. Mr. Colgan estimated high grade commercial encryption as costing $40 for the encryption chip (quantity one), plus associated circuitry. In either case, the net cost for several million subscribers was estimated in the tens if not hundreds of millions of dollars.

Industry associations such as ADAPSO pointed out the trade benefits of the legislation, since Asia had not developed privacy protection, although Europe had done so. John Stanton of McCaw commented that if the U.S. passed the ECPA, then it would enjoy superior communications privacy to that available in Europe.

Representatives of the nation's amateur radio enthusiasts were among the staunchest opponents of the bill. Richard Colgan of the Association of North American Radio Clubs represented their position. "While we have no animosity towards cellular, we cannot sit idly by while they use their influence to make dubious changes in public policy, largely to benefit their bottom lines..." In response to the concerns of amateur radio enthusiasts, and scanner manufacturers, the interception standard was changed from "willful" to "intentional," so as to allow for "inadvertent" interceptions.

Manufacturers of scanning equipment were vigorously opposed to ECPA since the use of their devices was restricted by the act. Richard Brown of Regency Electronics, a manufacturer of radio band scanners, argued that cellular radio licensees have never had any expectation of privacy, that cellular operators, not the public, should bear the burden of securing cellular communications, and that protecting specific radio frequencies was imprudent.

This last point deserves elaboration. Under ECPA, monitoring of cordless phone frequencies is not prohibited, although it is hard to argue that the average individual's "expectation of privacy" is any different for a cordless phone than it would be for a cellular phone. In fact, an educated individual might even expect less privacy for a cellular call, argued Richard Colgan, because the range of cellular communications is so much larger than for cordless phones, thus making interception easier.

Among the most careful analysts of the ECPA was the U.S.
Department of Justice, as represented by James Knapp, deputy assistant attorney general of the criminal division. Knapp concurred with the Amateur Radio enthusiasts that cellular and cordless phone technology, as well as tone and voice pagers, were easily intercepted, and therefore could not presume an "expectation of privacy." Knapp also expressed skepticism about the wisdom of criminalizing hobbyist behavior. Knapp was however in favor of extending coverage to electronic mail. Finally, he argued for extension of the crimes for which wire tapping could be authorized, beyond those enumerated in Title III. This suggested modification to the act was subsequently incorporated.

In contrast to the detailed arguments submitted by the parties discussed above, the one page letter submitted by The Source had a minor impact at best, suggesting that the ECPA, by not preempting state statutes, could expose the online service industry to an entangling web of federal and state statutes.

Analysis of the Economic Effects of ECPA

The parts of ECPA which have ramifications for online services and hobbyist bulletin boards mostly have to do with access to stored messages. While access to services is often offered via a packet switching network, or could even be achieved via use of cellular modems or other radio transmissions, worries about the privacy of such access are not likely to be major concerns of customers.

An important aspect of ECPA is the presence of both criminal and civil penalties. This provides an important incentive for aggrieved parties to pursue litigation through contingency fee arrangements. The implications of this for the online service business are serious. For example, the fee for sending an EasyPlex message on Compuserve is on the order of a few dollars, depending on the time spent in composing the message.
For that fee, Compuserve takes on the responsibility of not disclosing the message, which could conceivably be worth millions to the sender and intended recipient.

Firms Submitting Opinions on H.R. 3378

Phone Companies: Southwestern Bell, AT&T, Ameritech, Pacific Telesis, Bell South, Northwestern Bell, United States Telephone Assoc.
Radio: Association of North American Radio Clubs, American Radio Relay League, National Association of Business & Educational Radio
Cellular: PacTel Mobile, McCaw Communications, Motorola, Centel
Hobbyists Communications
Packet Switching: GTE Telenet
Misc. Associations: Electronic Mail Association, ADAPSO, National Assoc. of Manufacturers, Assoc. of American Railroads, IEEE
Paging: Telocator Network
Computers: Tandy
Law Enforcement: U.S. Dept. of Justice
Online Services: The Source
Citizen's Groups: ACLU, Consumer's Union
Firms with Private Networks: Chase Manhattan, EDS
Scanner Manufacturers: Dynascan, Regency Electronics, Uniden
Credit Bureaus: American Credit Services
Broadcasters: National Assoc. of Broadcasters, Radio-TV News Directors Association, Satellite TV Industry Association, CBS

Source: Hearings, Committee on the Judiciary, House of Representatives, H.R. 3378, ECPA, 99th Congress, No. 50, 1986.

Of course, this burden is not theirs alone. Operators of corporate communications systems (who were big supporters of ECPA) are also likely targets. Indeed, several ECPA suits against employers and municipalities have recently been filed. The potential for litigation also exists for hobbyist systems such as computer bulletin boards.

Government regulations fit into two categories: economic regulation, and social regulation. In the economic category are price controls on crude oil, and tariffs. Equal opportunity legislation is a regulation of the social type. The cost of a social regulation can be broken down into two parts.
One is the cost of complying with the regulation, either by modification of business practices, or payment of imposed penalties; another is the cost of resolving ambiguities in the legislation through establishment of case law.

In the case of ECPA, reflection discloses that the establishment of precedent is likely to be more expensive than compliance. For example, for a service to modify sysop access privileges, and to introduce encryption of private mail and passwords would probably entail an expenditure on the order of a few million dollars for software development and testing. In contrast, were only 0.01% of Compuserve's subscribers to file an ECPA lawsuit, given 500,000 subscribers, and average legal fees and penalties per case of $100,000, the bill would come to over $10 million.

Due to its concentration on cellular industry concerns, the ECPA concentrates more on ensuring privacy for users than on limiting the responsibilities of providers. Due to differences between messages in transit and stored messages, cellular firms end up forcing the costs of privacy onto hobbyists and outsiders, while providers of online services are forced to bear these costs themselves.

In view of the potentially horrendous litigation burdens, there is a strong incentive to limit the ability of system administrators to read or disclose private mail. The key to complying with the act is the notion of "expectations of privacy." This notion governs both the legal aspects of ECPA, and determinants of end user satisfaction. Under the ECPA, privacy is only enforced for systems in which users were led to "expect privacy." Thus a sysop has two alternatives: to explicitly address those expectations via an education campaign, or to play a game similar to the cellular industry, in denying that privacy is a significant issue.

One of the concerns voiced by the cellular industry in backing ECPA was that their budding industry could ill afford the cost of solidifying the right to privacy via litigation or adoption of encryption technology. Yet that is precisely the course that the ECPA has forced on the online service industry. Nor were the concerns of a budding industry entirely genuine. Within the next two years, the revenues of cellular communication firms will exceed those of all the participants in the information services industry.

Bibliography

1. Electronic Communications Privacy Act of 1986, Public Law 99-508, 99th Congress, 2nd session.
2. Hearings of the Committee on the Judiciary, House of Representatives, H.R. 3378, Electronic Communications Privacy Act, 99th Congress, No. 50, 1986.
3. California Penal Code, Section 502, Computer Crime, 502.7 Obtaining telephone or telegraph services by fraud, 499c, trade secrets.
4. Wallace, Jonathan, and Lance Rose, SYSLAW, L.L.M Press, New York City, 1990

********************************************************************
>> END OF THIS FILE <<
***************************************************************************