Civil Liberties in
Cyberspace:When does hacking turn
from an exercise
of civil liberties into crime?
by Mitchell Kapor
published in Scientific American,
September, 1991.
On March 1, 1990, the U.S. Secret Service raided the
offices of Steve
Jackson, an entrepreneurial publisher in Austin, Tex.
Carrying a
search warrant, the authorities confiscated computer
hardware and
software, the drafts of his about-to-be-released book and
many business
records of his company, Steve Jackson Games. They also
seized the
electronic bulletin-board system used by the publisher to
communicate
with customers and writers, thereby seizing all the
private electronic
mail on the system.
The Secret Service held some of the equipment and material
for months,
refusing to discuss their reasons for the raid. The
publisher was forced
to reconstruct his book from old manuscripts, to delay
filling orders
for it and to lay off half his staff. When the warrant
application was
finally unsealed months later, it confirmed that the
publisher was
never suspected of any crime.
Steve Jackson's legal difficulties are symptomatic of a
widespread
problem. During the past several years, dozens of
individuals have been
the subject of similar searches and seizures. In any other
context, this
warrant might never have been issued. By many
interpretations, it
disregarded the First and Fourth Amendments to the U. S.
Constitution,
as well as several existing privacy laws. But the
government proceeded
as if civil liberties did not apply. In this case, the
government was
investigating a new kind of crime -- computer crime.
The circumstances vary, but a disproportionate number of
cases share a
common thread: the serious misunderstanding of
computer-based communi-
cation and its implications for civil liberties. We now
face the task
of adapting our legal institutions and societal
expectations to the
cultural phenomena that even now are springing up from
communications
technology.
Our society has made a commitment to openness and to free
communication. But if our legal and social institutions
fail to adapt
to new technology, basic access to the global electronic
media could be
seen as a privilege, granted to those who play by the
strictest rules,
rather than as a right held by anyone who needs to
communicate. To
assure that these freedoms are not compromised, a group of
computer
experts, including myself, founded the Electronic Frontier
Foundation
(EFF) in 1990.
In many respects, it was odd that Steve Jackson Games got
caught up in a
computer crime investigation at all. The company publishes
a popular,
award-winning series of fantasy roleplaying games,
produced in the
form of elaborate rule books. The raid took place only
because law
enforcement officials misunderstood the technologies --
computer
bulletin-board systems (BBSs) and on-line forums -- and
misread the
cultural phenomena that those technologies engender.
Like a growing number of businesses, Steve Jackson Games
operated an
electronic bulletin board to facilitate contact between
players of its
games and their authors. Users of this bulletin-board
system dialed in
via modem from their personal computers to swap strategy
tips, learn
about game upgrades, exchange electronic mail and discuss
games and
other topics.
Law enforcement officers apparently became suspicious when
a Steve
Jackson Games employee -- on his own time and on a BBS he
ran from his
house -- made an innocuous comment about a public domain
protocol for
transferring computer files called Kermit. In addition,
officials
claimed that at one time the employee had had on an
electronic
bulletin board a copy of Phrack, a widely disseminated
electronic publi-
cation, that included information they believed to have
been stolen from
a BellSouth computer.
The law enforcement officials interpreted these facts as
unusual
enough to justify not only a search and seizure at the
employee's
residence but also the search of Steve Jackson Games and
the seizure of
enough equipment to disrupt the business seriously. Among
the items
confiscated were all the hard copies and electronically
stored copies of
the manuscript of a rule book for a role-playing game
called GURPS
Cyberpunk, in which inhabitants of so-called cyberspace
invade
corporate and government computer systems and steal
sensitive data.
Law enforcement agents regarded the book, in the words of
one, as "a
handbook for computer crime."
A basic knowledge of the kinds of computer intrusion that
are
technically possible would have enabled the agents to see
that GURPS
Cyberpunk was nothing more than a science fiction creation
and that
Kermit was simply a legal, frequently used computer
program.
Unfortunately, the agents assigned to investigate computer
crime did not
know what -- if anything -- was evidence of criminal
activity.
Therefore, they intruded on a small business without a
reasonable
basis for believing that a crime had been committed and
conducted a
search and seizure without looking for
"particular" evidence, in vi-
olation of the Fourth Amendment of the Constitution.
Searches and seizures of such computer systems affect the
rights of
not only their owners and operators but also the users of
those systems.
Although most BBS users have never been in the same room
with the
actual computer that carries their postings, they
legitimately expect
their electronic mail to be private and their lawful
associations to
be protected.
The community of bulletin-board users and computer
networkers may be
small, but precedents must be understood in a greater
context. As
forums for debate and information exchange, computer-based
bulletin
boards and conferencing systems support some of the most
vigorous
exercise of the First Amendment freedoms of expression and
association
that this country has ever seen. Moreover, they are
evolving rapidly
into large-scale public information and communications
utilities.
These utilities will probably converge into a digital
national public
network that will connect nearly all homes and businesses
in the U.S.
This network will serve as a main conduit for commerce,
learning,
education and entertainment in our society, distributing
images and
video signals as well as text and voice. Much of the
content of this
network will be private messages serving as
"virtual" town halls,
village greens and coffeehouses, where people post their
ideas in public
or semipublic forums.
Yet there is a common perception that a defense of
electronic civil
liberties is somehow opposed to legitimate concerns about
the
prevention of computer crime. The conflict arises, in
part, because
the popular hysteria about the technically sophisticated
youths known as
hackers has drowned out reasonable discussion.
Perhaps inspired by the popular movie _WarGames_, the
general public
began in the 1980s to perceive computer hackers as threats
to the
safety of this country's vital computer systems. But the
image of
hackers as malevolent is purchased at the price of
ignoring the
underlying reality -- the typical teenage hacker is simply
tempted by
the prospect of exploring forbidden territory. Some are
among our best
and brightest technological talents: hackers of the 1960s
and 1970s,
for example, were so driven by their desire to master,
understand and
produce new hardware and software that they went on to
start companies
called Apple, Microsoft and Lotus.
How do we resolve this conflict? One solution is ensure
that our scheme
of civil and criminal laws provides sanctions in
proportion to the
offenses. A system in which an exploratory hacker receives
more time in
jail than a defendant convicted of assault violates our
sense of
justice. Our legal tradition historically has shown itself
capable of
making subtle and not-so-subtle distinctions among
criminal offenses.
There are, of course, real threats to network and system
security. The
qualities that make the ideal network valuableQits
popularity, its
uniform commands, its ability to handle financial
transactions and its
international access -- also make it vulnerable to a
variety of
abuses and accidents. It is certainly proper to hold
hackers
accountable for their offenses, but that accountability
should never
entail denying defendants the safeguards of the Bill of
Rights,
including the rights to free expression and association
and to free-
dom from unreasonable searches and seizures.
We need statutory schemes that address the acts of true
computer crim-
inals (such as those who have created the growing problem
of toll and
credit-card fraud) while distinguishing between those
criminals and
hackers whose acts are most analogous to noncriminal
trespass. And we
need educated law enforcement officials who will be able
to recognize
and focus their efforts on the real threats.
The question then arises: How do we help our institutions,
and
perceptions, adapt? The first step is to articulate the
kinds of values
we want to see protected in the electronic society we are
now shaping
and to make an agenda for preserving the civil liberties
that are
central to that society. Then we can draw on the
appropriate legal
traditions that guide other media. The late Ithiel de Sola
Pool argued
in his influential book Technologies of Freedom that the
medium of
digital communications is heir to several traditions of
control: the
press, the common carrier and the broadcast media.
The freedom of the press to print and distribute is
explicitly
guaranteed by the First Amendment. This freedom is
somewhat limited,
particularly by laws governing obscenity and defamation,
but the thrust
of First Amendment law, especially in this century,
prevents the
government from imposing "prior restraint" on
publications.
Like the railroad networks, the telephone networks follow
common-car-
rier principles -- they do not impose content restrictions
on the
"cargo" they carry. It would be unthinkable for
the telephone company to
monitor our calls routinely or cut off conversations
because the
subject matter was deemed offensive.
Meanwhile the highly regulated broadcast media are
grounded in the
idea, arguably mistaken, that spectrum scarcity and the
pervasiveness
of the broadcast media warrant government allocation and
control of
access to broadcast frequencies (and some control of
content). Access
to this technology is open to any consumer who can
purchase a radio or
television set, but it is nowhere near as open for
information
producers.
Networks as they now operate contain elements of
publishers,
broadcasters, bookstores and telephones, but no one model
fits. This
hybrid demands new thinking or at least a new application
of the old
legal principles. As hybrids, computer networks also have
some features
that are unique among the communications media. For
example, most
conversations on bulletin boards, chat lines and
conferencing systems
are both public and private at once. The electronic
communicator speaks
to a group of individuals, only some of whom are known
personally, in a
discussion that may last for days or months.
But the dissemination is controlled, because the
membership is limited
to the handful of people who are in the virtual room,
paying attention.
Yet the result may also be "published" -- an
archival textual or voice
record can be automatically preserved, and newcomers can
read the
backlog. Some people tend to equate on-line discussions
with party (or
party-line) conversations, whereas others compare them to
newspapers
and still others think of citizens band radio.
In this ambiguous context, freespeech controversies are
likely to
erupt. Last year an outcry went up against the popular
Prodigy comput-
er service, a joint venture of IBM and Sears, Roebuck and
Co. The
problem arose because Prodigy management regarded their
service as
essentially a newspaper" or "magazine," for
which a hierarchy of
editorial control is appropriate. Some of Prodigy's
customers, in
contrast, regarded the service as more of a forum or
meeting place.
When users of the system tried to protest Prodigy's
policy, its editors
responded by removing the discussion. then the protestors
tried to
use electronic mail as a substitute for electron-
assembly,
communicating through huge mailing lists. Prodigy placed a
limit on the
number of messages each individual could send.
The Prodigy controversy illustrates important principle
that belongs on
civil liberties agenda for the future: freedom-of-speech
issues will not
disappear simply because a service provider has tried to
impose a
metaphor on its service. Subscribers sense, I believe,
that freedom of
speech on the networks is central for individuals to use
electronic
communications. Science fiction writer William Gibson once
remarked
that "the street finds its own uses for things."
Network service pro-
viders will continue to discover that their customers will
always find
their own best uses for new media.
Freedom of speech on networks will be promoted by limiting
content-based
regulations and by promoting competition among providers
of network
services. The first is necessary because governments will
be tempted
to restrict the content of any information service they
subsidize or
regulate. The second is necessary because market
competition is the
most efficient means of ensuring that needs of network
users will be
met.
The underlying network should essentially be a
"carrier" -- it should
operate under a content-neutral regime in which access is
available to
any entity that can pay for it. The information and forum
services would
be "nodes" on this network. (Prodigy, like GEnie
and CompuServe,
currently maintains its own proprietary infrastructure,
but a future
version of Prodigy might share the same network with
services like
CompuServe.)
Each service would have its own unique character and
charge its own
rates. If a Prodigy-like entity correctly perceives a need
for an
electronic "newspaper" with strong editorial
control, it will draw an
audience. Other less hierarchical services will share the
network with
that "newspaper" yet find their own market
niches, varying by format and
content.
The prerequisite for this kind of competition is a carrier
capable of
highbandwidth traffic that is accessible to individuals in
every
community. Like common carriers, these network carriers
should be seen
as conduits for the distribution of electronic
transmissions. They
should not be allowed to change the content of a message
or to discrim-
inate among messages.
This kind of restriction will require shielding the
carriers from legal
liabilities for libel, obscenity and plagiarism. Today the
ambiguous
state of liability law has tempted some computer network
carriers to
reduce their risk by imposing content restrictions. This
could be
avoided by appropriate legislation. Our agenda requires
both that the
law shield carriers from liability based on content and
that carriers
not be allowed to discriminate.
All electronic "publishers" should be allowed
equal access to networks.
Ultimately, there could be hundreds of thousands of these
information
providers, as there are hundreds of thousands of print
publishers
today. As "nodes," they will be considered the
conveners of the
environments within which on-line assembly takes place.
None of the old definitions will suffice for this role.
For example,
to safeguard the potential of free and open inquiry, it is
desirable
to preserve each electronic publisher's control over the
general flow
and direction of material under his or her imprimaturQin
effect, to give
the "sysop," or system operator, the
prerogatives and protections of a
publisher.
But it is unreasonable to expect the sysop of a node to
review every
message or to hold the sysop to a publish er's standard of
libel.
Message traffic on many individually owned services is
already too
great for the sysop to review. We can only expect the
trend to grow.
Nor is it appropriate to compare nodes to broadcasters (an
analogy
likely to lead to licensing and content-based regulation).
Unlike the
broadcast media, nodes do not dominate the shared resource
of a public
community, and they are not a pervasive medium. To take
part in a
controversial discussion, a user must actively seek entry
into the
appropriate node, usually with a subscription and a
password.
Anyone who objects to the content of a node can find
hundreds of other
systems where they might articulate their ideas more
freely. The danger
is if choice is somehow restricted: if all computer
networks in the
country are restrained from allowing discussion on
particular subjects
or if a publicly sponsored computer network limits
discussion.
This is not to say that freedom-of-speech principles ought
to protect
all electronic communications. Exceptional cases, such as
the BBS used
primarily to traffic in stolen long-distance access codes
or credit-card
numbers, will always arise and pose problems of civil and
criminal
liability. We know that electronic freedom of speech,
whether in public
or private systems, cannot be absolute. In face-to-face
conversation and
printed matter today, it is commonly agreed that freedom
of speech
does not cover the communications inherent in criminal
conspiracy,
fraud, libel, incitement to lawless action and copyright
infringement.
If there are to be limits on electronic freedom of speech,
what
precisely should those limits be? One answer to this
question is the
U.S. Supreme Court's 1969 decision in Brandenburg v. Ohio.
The court
ruled that no speech should be subject to prior restraint
or criminal
prosecution unless it is intended to incite and is likely
to cause
imminent lawless action.
In general, little speech or publication falls outside of
the
protections of the Brandenburg case, since most people are
able to
reflect before acting on a written or spoken suggestion.
As in
traditional media, any on-line messages should not be the
basis of
criminal prosecution unless the Brandenburg standard is
met.
Other helpful precedents include cases relating to
defamation and
copyright infringement. Free speech does not mean one can
damage a
reputation or appropriate a copyrighted work without being
called to
account for it. And it probably does not mean that one can
release a
virus across the network in order to "send a
message" to network
subscribers. Although the distinction is trickier than it
may first
appear, the release of a destructive program, such as a
virus, may be
better analyzed as an act rather than as speech.
Following freedom of speech on our action agenda is
freedom from unrea-
sonable searches and seizures. The Steve Jackson case was
one of many
cases in which computer equipment and disks were seized
and held some-
times for months -often without a specific charge being
filed. Even when
only a few files were relevant to an investigation, entire
computer
systems, including printers, have been removed with their
hundreds of
files intact.
Such nonspecific seizures and searches of computer data
allow "rummag-
ing," in which officials browse through private files
in search of
incriminating evidence. In addition to violating the
Fourth Amendment
requirement that searches and seizures be
"particular," these searches
often run afoul of the Electronic Communications Privacy
Act of 1986.
This act prohibits the government from seizing or
intercepting elec-
tronic communications without proper authorization. They
also contravene
the Privacy Protection Act of 1980, which prohibits the
government from
searching the offices of Dublishers for documents,
including
materials that are electronically stored.
We can expect that law enforcement agencies and civil
libertarians
will agree over time about the need to establish
procedures for
searches and seizures of "particular" computer
data and hardware. Law
enforcement officials will have to adhere to guidelines in
the above
statutes to achieve Fourth Amendment
"particularity" while maximizing
the efficiency of their searches. They also will have to
be trained to
make use of software tools that allow searches for
particular files or
particular information within files on even the most
capacious hard
disk or optical storage device.
Still another part of the solution will be law
enforcement's abandonment
of the myth of the clever criminal hobbyist. Once law
enforcement no
longer assumes worst-case behavior but looks instead for
real evidence
of criminal activity, its agents will learn to search and
seize only
what they need.
Developing and implementing a civil liberties agenda for
computer net-
works will require increasing participation by technically
trained
people. Fortunately, there are signs that this is begining
to happen.
The Computers, Freedom and Privacy Conference, held last
spring in San
Francisco, along with electronic conferences on the WELL
(Whole Earth
'Lectronic Link) and other computer networks, have brought
law
enforcement officials, supposed hackers and interested
members of the
computer community together in a spirit of free and frank
discussion.
Such gatherings are beginning to work out the civil
liberties guidelines
for a networked society.
There is general agreement, for example, that a policy on
electronic
crime should offer protection for security and privacy on
both
individual and institutional systems. Defining a measure
of damages
and setting proportional punishment will require further
goodfaith
deliberations by the community involved with electronic
freedoms, in-
cluding the Federal Bureau of Investigation, the Secret
Service, the
bar associations, technology groups, telephone companies
and civil
libertarians. It will be especially important to represent
the damage
caused by electronic crime accurately and to leave room
for the valuable
side of the hacker spirit: the interest in increasing
legitimate under-
standing through exploration.
We hope to see a similar emerging consensus on security
issues. Network
systems should be designed not only to provide technical
solutions to
security problems but also to allow system operators to
use them
without infringing unduly on the rights of users. A
security system
that depends on wholesale monitoring of traffic, for
example, would
create more problems than it would solve.
Those parts of a system where damage would do the greatest
harm --
financial records, electronic mail, military data --
should be
protected. This involves installing more effective
computer security
measures, but it also means redefining the legal
interpretations of
copyright, intellectual property, computer crime and
privacy so that
system users are protected against individual criminals
and abuses by
large institutions. These policies should balance the need
for civil
liberties against the need for a secure, orderly,
protected electronic
society.
As we pursue that balance, of course, confrontations will
continue to
take place. In May of this year, Steve Jackson Games, with
the support
of the EFF, filed suit against the Secret Service, two
individual Secret
Service agents, an assistant U.S. attorney and others.
The EFF is not seeking confrontation for its own sake. One
of the
realities of our legal system is that one often has to
fight for a legal
or constitutional right in the courts in order to get it
recognized
outside the courts. One goal of the lawsuit is to
establish clear
grounds under which search and seizure of electronic media
is
"unreasonable" and unjust. Another is to
establish the clear
applicability of First Amendment principles to the new
medium.
But the EFF's agenda extends far beyond liagation. Our
larger agenda
includes sponsoring a range of educational initiatives
aimed at the
public's general lack of familiarity with the technology
and its
potential. That is why there is an urgent need for
technologically
knowledgeable people to take part in the public debate
over communica-
tions policy and to help spread their understanding of
these issues.
Fortunately, the very technology at stake -- electronic
conferencing
-- makes it easier than ever before to get involved in the
debate.
