صور الصفحة
النشر الإلكتروني



Can Privacy and Computer Coexist?


Special to The New York Times WASHINGTON, Nov. 4- Should a Federal agency have the right to search an employee's personal material filed in a Government computer?

Is such a search comparable to searching desk drawers to see if they contain personal notes or papers?

These were some of the questions that Larry Layten, a 39-year-old civilian computer official with eight year's experience at the Army's Matériel Development and Readiness Command, decided needed examina


So, a few weeks ago, Mr. Layten sat at his computer terminal and tapped out a message for the national electronic mail system established by the Defense Department to help scientists all over the country communicate with each other about nonclassified matters of common interest.

Complaint About Investigation He informed all those with access to what is called the ARPA Net, for Advanced Research Projects Agen

that his interest in these questions about such searches had been touched off by three instances where the Army's Criminal Investigation Division, sometimes in conjunction with the Federal Bureau of Investigation, had made total inspections "of our workplace computers without any type of court order or identification of what they are looking for other than wrongful use of Government proparty.'T

The investigators, he added, had limited their search to specific inIviduals or files.

The computer expert continued, ying that he knew of employees ho had been badgered by the invesgators for seemingly insignificant Holations of Government policy.

"They have read individuals their

rights and otherwise tried to intimidate them in two instances that I know of, once after finding a recipe in a message, and once, when a baby sitter's telephone number was found in a telephone number file." he said.

"I just thought some problems were raised that should be considered by the Government, academic and industry people who have access to ARPA Net," he explained Wednesday in an interview.

Tip About Misusing Computer An spokesman for the Army's Criminal Investigation, Division, Marilyn Love, refused to answer a list of specific questions raised by Mr. Layten's statement. She said it was against Army policy to comment on "on-going investigations." She added that the cases referred to by Mr. Layten were discovered as a result of a tip received by investigators in December 1982 that Army employees were misusing the computer.

Mr. Layten said in his message that the Army's legal staff had advised his supervisors that what is taking place is legal, by all precedents." He added, "They say that computer files do not have the same privacy protection that telephone usage has."

The message continued, "If in fact, the owner of a computer system has the right to search (in a witch hunt fashion) through all the files, with the threat of prosecution, then I too will refrain from using the system as I have in the past: as a note pad, telephone replacement, sounding board for ideas, etc."

Emphasizing that he was speaking for himself, and not the Army, he ended his message with this plea for Information: "Does anyone out there know where the law is heading in this type of issue? I would hope that "1984" is not as close as it appears."

responses he got were not very ing. Mark Crispin, who iden Innest! as being associated

with Stanford University in Califor nia, replied via the ARPA net that experiences suggested that freedoms or privacy that manage exist do so solely because of "the will of those in power," adding. grettably, many computer care are run by various flavors of petty dictators.

Several days later, Stephen Wolff, who did not mention the institution he worked for, chipped in that in the Government agency where he worked he was not permitted to make ba sitter arrangements during work hours. "I can loose my job for uni the taxpayers' telephone for any sonal business," he said. "It's hardship though, there's a perfectly good pay phone in another building not 200 yards from my office."

Matters of Ethics and Frand Geofrey S. Goodfellow, who also did not indicate where he worked, was more sympathetic. He sent through the ARPA net a parody of a rece news article in which a Govern department with the acronym "Dumbb" undertook an investis of "unauthorized desk conti which resulted in the dismissal eral employees when aspirin, personal letters and a bowling roster were found in their desks.

Despite the difficult ethical tions raised by the new computer tems, however, the Governme pushed ahead with its investig of computer-related fraud and

In testimony before the Senate ernment Affairs Oversight Su mittee, Richard P. Kusserow, spector general of the Departa Health and Human Services, a recent survey discovered in 12 different Federal a where Government computer used for outside busines

[blocks in formation]
[ocr errors][merged small]

Computer Communications Vulnerable

As Privacy Laws Lag Behind Technology


No federal law clearly makes it a crime to intercept computer transmissions or to
break into a computer system to look around or destroy information.

Then Citicorp vice president Rich

Coughenour wants to send

a memorandum to one of the bank's employees, he turns to a compact device on the corner of his desk that looks like a cross between a computer and a telephone. The machine, called a Displayphone, has the typewriter-like keyboard and video display screen of a computer and the touch sensitive key pad of a fancy telephone.

Coughenour hits a touch pad labeled EZmail and the machine dials the number to connect him with Citicorp's internal electronic mail system, the electronic tones softly tolling as the Displayphone runs through the digits. When the number is dialed, Coughenour hits a touch pad labeled connect and the screen lights up with commands. First it asks him to enter his mailbox number. Then it asks for his password.

To send a memo, Coughenour hits a touch pad labeled compose and pulls out the small keyboard from under the pad. He types out the message and hits the touch pad labeled send.

From his office at the tip of Wall Street, the message skitters across the bank's private fiber optic cables to Citicorp's Park Ave. office. From there, if it is traveling to a Citicorp office outside New York City, the message rides a microwave relay to a private earth station in New Jersey where it is transmitted 22.300 miles up to a satellite on which Citicorp owns space. From the satellite, the message returns to another Citicorp earth station and then along public or leased phone lines to the recipient's computer. All in a matter of seconds.


Although the message is easy to send, it is also easy to steal. With a large enough antenna, it is not difficult to intercept microwave transmissions.


Is anybody listening in? "I don't doubt it," said Coughenour, a former Air Force intelligence officer who runs Citicorp's mail services. "The Russians have a big mission at the United Nations and all that equipment on the roof; that's not all there to get Home Box Office. I don't wonder if [some of our competitors] are pointing some stuff at us too."

The information may be vulnerable in a legal sense as well. While the laws governing wiretapping clearly protect spoken communications essentially, ordinary telephone calls-many experts are concerned that no law makes it a crime to eavesdrop on communications between two computers, even though the information that passes between them is often highly sensitive.

The fuzziness of the laws protecting computer-to-computer communications is only one area where new computer or communications technologies, or merely new and aggressive applications of exist ing technologies, have exposed gray spots in the nation's laws governing privacy. "Our laws have not kept pace with the technology," said attorney Ronald L. Plesser, former general counsel of the Privacy Protection Study Commission, which studied the nation's privacy laws for Congress in the mid-1970s. "The technology has been expanding so quickly that the laws written for one level of technology quickly become obsolete." Generally, the privacy implications of these technological changes have not received much political, legal or social at tention. "We're not even giving it serious, practical consideration," said University of Illinois political economy professor David F. Linowes, who chaired the privacy commission.

But with the arrival of George Orwell's nightmare year of 1984, these blind spots in the law and the general issue of privacy are beginning to receive increased scru

tiny. New York Times reporter David Burnham has reignited a debate on the potential threat to privacy posed by the use of computers with a controversial new book, The Rise of the Computer State. Robert W. Kastenmeier, D-Wis, who chairs the House Judiciary Subcommittee on Courts, Civil Liberties and the Administration of Justice, has begun & wide-ranging series of hearings on the state of civil liberties, including the im pact of new technology on privacy Ser eral other committees are examining the laws safeguarding computer information. Universities and other organizations across the country, such as the Smithso nian Institution, are holding conferences on Orwell, technology and 1984. And the American Civil Liberties Union is plan ning a major conference on privacy

Many of these forums will be used to criticize the Reagan Administration's policies on release of government in formation, classification of government documents and law enforcement. But most of these groups are also examining different issue: where has new technology outflanked the privacy laws? ELECTRONIC MAIL

A new technology almost entirely unaddressed by existing law is electrons mail. For years, communications experts have considered electronic mail-gener ally defined as the electronic transfer of written information--to be a tool of tre mendous potential. Electronic mail ab lows an executive such as Coughenour to send messages instantly to employees around the world, far faster than by any courier service.

But the potential of electronic mail has largely been unrealized. Private elec tronic mail services did only about $40 million worth of business in 1983, and the few companies with their own interna! systems, of which Citicorp is considered a

[ocr errors][merged small][ocr errors][ocr errors][ocr errors][ocr errors]

leader, sent about an equivalent number of messages, estimates Kenneth G. Bossomworth, president of International Resource Development Inc., an elecronic mail consulting firm. Growth has been slow because the electronic mail ystems have generally required both the ender and recipient of a communication ot only to have computers but also to bscribe to the same system.

Industry observers expect that elecronic mail will take off with MCI Comunications Corp.'s entry into the busiess. In September, MCI launched an ectronic mail service that allows anyone ith a computer terminal, or even an ectronic typewriter, to send a message anyone else in the United States. If the cipient does not have a terminal, the essage is printed nearby and delivered ther by courier or the U.S. Postal Ser



MCI is predicting rapid growth for the stem: from 80,000 users today to 10,000 by 1985. And industry experts e inclined to agree. "The MCI entry transform the industry's revenue picre," said Bossomworth.

With the proliferation of computer ternals in the home and the office, elecnic mail could eventually siphon off a nificant chunk of both mail and teleone business. In 1982, the congreshal Office of Technology Assessment culated that ultimately at least twords of the Postal Service's annual vole of 110 billion pieces "could be hand electronically." By 1990, the office mated, more than 23 billion messages ld be sent through electronic mail or ctronic funds transfer systems. The ort predicted that conventional mail ume is likely to peak in the next dee and then decline.

Though the economic prospects for tronic mail may be starting to clear the laws covering it remain cloudy in basic areas: unauthorized entry into systems and requests by law enement officials for access to the rds of people's communications held electronic mail networks, such as The legal uncertainty underscores major privacy concern of electronic 's potential customers, who are worabout competitors reading their inal communications. "The fear ong possible users] is that somebody get access to the system's central puter and get access to their mes S." said computer consultant Walter rich, who chairs the new Electronic Association's committee on privacy. osecutors have complained that existing laws can be used against nals who use computers to commit . no law clearly makes it a crime to into a computer system to look

In a matter of seconds, Citicorp vice president Richard W. Coughenour sends
messages on his Displayphone from his office on Wall Street to bank employees
around the world. Although the message is easy to send, it is also easy to steal.

around or destroy information. Some le-
gal barriers are in place. About 20 states
have laws addressing unauthorized com-
puter break-ins, and some experts note
that if someone sought unauthorized en-
try into a computer system by misrepre-
senting himself as an authorized user he
could be prosecuted under the federal
wire fraud law.

But the electronic mail industry,
among other computer users, would like
clearer protection. The wire fraud law
"was not designed for the problem of
trespassing against someone's intellectual
or electronic property," said Jack
Greenberg, general counsel of GTE
Telenet Communications Corp. Telenet
runs a private electronic mail system used
by 130 companies that was broken into
repeatedly last summer, most notably by
a group of Milwaukee teenagers using
home computers.

Rep. Bill Nelson, D-Fla., and Sen. Paul S. Trible Jr., R-Va., have introduced identical bills (HR 1092, S 1733) that would make it a federal crime to "take something of value" from a computer or to damage the information in it. Nelson's bill has also been incorporated into legislation pending before the Judiciary Subcommittee on Crime that addresses credit card fraud. Both the Nelson and Trible bills, though, still would not make it a crime to enter a computer system and look at the data in it. An aide to Nelson said the bill's sponsors did not believe that should be a federal crime.

While Congress slowly considers these proposed legal barriers to computer break-ins, electronic mail companies have been beefing up their technical defenses. In October, the Defense Department split the 15-year-old ARPAnet, an

electronic mail network run by the Ad-
vanced Research Projects Agency, into
separate systems for military and unclas-
sified civilian research to further limit
access to military secrets. Unlike other
systems, the new MCI mail will not allow
users to pick their own passwords-which
are often no more sophisticated than the
name of the user's spouse. Instead the
new system assigns passwords that are
randomly generated.

The electronic mail operators have also
installed systems to prevent would-be in-
truders from programming their own
computers to repeatedly try possible pass-
words until one clicks. Usually, the sys-
tems disconnect a user after three unsuc-
cessful attempts at the proper password.
After three such disconnections, the MCI
system is programmed to notify the firm's
security department.

Citicorp's system has similar security protections. But no system is immune to penetration, said Coughenour, who noted that break-in attempts occur "all the time." The ultimate defense, he said, can only be to keep sensitive information out of the electronic mail system. "Users of the system understand it and know what to put on it," he said. Anyone breaking into Citicorp's electronic mail, he said, would find information of "only minimal" business value.

Even less clear than the law on breaking into an electronic mail system are the legal standards for access by law enforcement officials. For investigators, electronic mail records could be an extremely valuable source of information. "Electronic mail is tremendously attractive to people who are engaged in investigations," said attorney Plesser. "I think law enforcement officials are going to be



[ocr errors][ocr errors]

come more and more interested in electronic mail records."

Certainly electronic mail networks will contain a wealth of data about the communications of their users Telenet holds in its computers for anywhere from one day to two weeks copies of messages sent through the system MCI plans to hold copies of the messages for six months, in case questions arise about billing or customers accidentally erase their messages

Just the fact that MCI's computer capacity will enable it to hold the messages it transmits for six months makes "some customers nervous," said Marilyn M. Mouly, vice president for marketing of MCI Digital Information Services Corp., the subsidiary that runs MCI's electronic mail system. "When you mail a letter with the Post Office, they don't Xerox it. Generally people see us as carrying messages, not keeping a copy."

There are clear rules on when ordinary mail sent through the Postal Service can be opened. Most correspondence can be opened only after a search warrant is obtained. When law enforcement officials want the Postal Service to tell them from whom a specific individual is receiving mail, they request a mail cover from the chief postal inspector Under regulation, the inspector is supposed to approve requests only for the investigation of a felony, the location of a fugitive or a national security investigation. In 1983, the Postal Service approved 6,892 mail covers, up 56 per cent from a decade ago. Postal Service officials say these same rules would apply to mail sent through the Postal Service's electronic mail system, known as E-COM.

But the rules for access to privately transmitted electronic mail have not been established. "There is little, if any, legal protection for message information in the hands of private organizations," said Rand Corp. computer security expert Willis H. Ware in recent congressional testimony. In an interview, Ware said he was aware of no law that would prevent a private firm from releasing electronic mail records to police agencies-or any one else merely upon their request.

Both Telenet and MCI said they would not release the information to law enforcement officials on request alone and would require a search warrant or a subpoena. But those are voluntary decisions subject to change, and some in the industry would like to see clear legal standards. "It certainly is a gray area of what kind of protection a company has from federal government intrusion," said computer

consultant Ulrich.

Similarly, there are no laws governing requests by police officials for the records of the traditional courier services, such as Federal Express. Federal Express attor


Ronald L. Plesser. former general counsel of the Privacy Protection Study Commission: "Our laws have not kept pace with the [new computer or communications] technology."

ney Elizabeth McKanna said the firm generally would require a subpoena before releasing records, but in some cases, such as the investigation of a bank robbery, might not. "It certainly is not illegal for us to provide them with information," she said.


Also in dispute among experts in the field is whether any law protects an electronic mail transmission or any other communication between two computers, from unauthorized interception while it is

in transit.

Two laws govern the interception of telecommunications. Title III of the 1968 Omnibus Crime Control and Safe Streets Act bans the private interception of wire or spoken communications and estab lishes a process for approval of wiretaps by law enforcement officials. To wiretap a suspect, a federal law enforcement offcial must obtain the approval of the Attorney General and then a federal judge after demonstrating that there is "probable cause" that the suspect has committed or is about to commit one of a list of specified crimes. Approval is granted only for 30 days or less, and the law allows the judge to require reports on the investigation. These standards are much tougher than the rules governing search warrants or other investigative tools. The second law, the 1934 Communications Act, makes it illegal "to intercept any radio communication and divulge or publish" the contents.

The problem for computer Commut cations arises from the definition of intercept in the crime control law Though bans unauthorized intercepton, the le defines that as "aural acquisition of the contents of any wire or oral communica tion"-that is, the interception of a ve communication that could be understood by the human ear, as a wiretapper listening to an ordinary phone call would do But computers utilize non-aural comme nications that transmit data through a series of digitized bits that cannot be understood by the human ear. For that reason, they are not covered by the law No one is accusing the Justice Depart ment or FBI of abusing this provision of the law. Deputy assistant attorney gen eral for the Criminal Division John C. Keeney said in an interview that he has not seen any requests to intercept com puter transmissions. But computer users and civil libertanans are concerned that the potential for abuse remains unless computer transmissions are given the same legal protections as telephone con


G. Robert Blakey, a law professor at the University of Notre Dame, who was the principal author of Title III and sev eral other major crime bills when he was an aide on the Senate Judiciary Commit tee, said that the exclusion of computer communications was not an oversight. "Did we intend to exclude machine-based data? Yes we did," he said in an interview. Congress was worried about wiretaps, whose use had been severely limited by two Supreme Court decisions in the mid-1960s, not about computer privacy. Blakey said. "Congress wasn't prepared to step into computer privacy, and that's the reason we put that word ('aural"] there," he said. "Aural" is a neat little word It simply confines the bill to the consensus that was there" in Congress at the time.

The Justice Department agrees that computers are not covered and that federal officials would not have to go through the extended Title III process to intercept communications between two computers. In a 1978 case, U.S.. Sed litz, the U.S. Court of Appeals for the 4th Circuit also ruled that non-aural comme nications were not protected by Title III

That much seems clear. What is u clear is whether law enforcement officials have to go through any legal process before intercepting computer transmis


One answer comes from the courts' rulings on pen registers, devices that record the numbers dialed on a phone. but not the contents of the conversations themselves. In the mid-1970s, American Telephone & Telegraph Co. (AT&T) serted that the FBI had to receive a Title

[merged small][ocr errors]

III authonzation before the company would install pen registers. The FBI argued that an ordinary search warrant was sufficient. In December 1977, a sharply divided Supreme Court ruled, 5-4, that because the pen register was intercepting non-aural communications (the tones that indicate the number dialed) and legislative history made clear Congress intended to exclude pen registers, the FBI did not need a Title III warrant. In two subsequent cases, the Supreme Court and a federal appeals court have held that law enforcement officials did not even need a search warrant to install a pen register. Nonetheless, H. W. William Caming. AT&T's senior counsel on privacy issues, said the firm will not cooperate with pen register requests without a



But the signals captured by pen registers may be different from other computer transmissions. Because the caller knows that records of the numbers he dials will routinely be held by the phone company for billing purposes, he does not have the same expectation of privacy for that information as he does for the contents of his conversation.

In a transmission of information between two computers, though, the parties would have a reasonable expectation of privacy, several experts said. Legally that expectation puts the communication under the 4th Amendment's protection against unreasonable search and seizure, these experts argue. "In a computer-tocomputer transmission, there is a reasonable expectation of privacy, and any interception would be violative of a person's civil rights if done by law enforcement officials without a search warrant," said Caming

Moreover, a Senate expert on surveillance maintained that the 1978 Foreign Intelligence Surveillance Act, which covers national security wiretaps on foreign agents, limits the ability of federal law enforcement officials to tap non-aural communications. One section of the forgn intelligence law prohibits any federal iretapping not specifically authorized by statute, he argued; and Title III, because it does not mention non-aural interception, does not specifically authorize it. The foreign intelligence law provides a defense against that ban if law enforcement officials have obtained a court order

search warrant. Other experts, such as Caming, dispute that interpretation of he foreign intelligence law and maintain hat it has no bearing on domestic wire

[ocr errors][merged small]

Marilyn M. Mouly of the subsidiary that runs MCI's electronic mail system says the fact that MCI's computer capacity will enable it to hold messages it transmits for six months makes "some customers nervous."

intercept computer transmissions would not necessarily need a search warrantwhich requires probable cause-but a court order, for which they would have to meet a lesser standard of proof.

But Keeney said he could not make a blanket statement that all interceptions of computer transmissions would require even a court order. "I'm not ready to go that far, no." he said "You're dealing with a question of expectation of privacy. In some of these areas, there is no expectation of privacy. If you're putting something in the airwaves that almost anyone can pick out, there is no expectation of privacy."


The same kind of uncertainties arise over the laws prohibiting the private interception of computer transmissions. Again, it is clear that Title III's ban on private wiretapping does not protect computer communications, since they are non-aural. But does any other law apply?

Many experts are concerned that there are no clear federal laws prohibiting the private interception of computer transmissions. Other laws could be stretched to cover that situation, said AT&T's Caming: someone intercepting computer transmissions might be prosecuted under the federal wire fraud laws, or under computer protection statutes in the states that have them, and could even face civil liability for the theft of trade secrets. "But," he said, "that is not as strong a deterrent as a specific federal law."

An attorney for a private data transmission company said that the 1934 Communications Act, which bars the unauthorized interception of radio commu

nications, could protect some of these messages. Before 1968, this law had established the rules for interception of both wire and radio communications, but Congress removed wire communications from its scope with the passage of the crime control act.

Computer messages, though, like other telecommunications, often go through several steps to completion: along local phone wires, through microwave relays and off satellites. The attorney argued that the 1934 act's ban on intercepting radio communications would make it illegal to intercept computer communications during the microwave or satellite. though not the wire. portions of their journey.

At least two appellate court decisions cast doubt on that interpretation. In a 1973 case, the U.S. Court of Appeals for the 9th Circuit ruled that when any part of a communication is carried by telephone wires, the entire communication is covered not by the Communications Act but by Title III. In a 1975 case, the U.S. Court of Appeals for the 5th Circuit rejected the argument that long-distance calls carried over microwave relays were covered by the Communications Act.

AT&T's view, said Caming, is that both the microwave and satellite portions of a telephone communication fall under Title III's definition of a wire communication.

Blakey, though, argues that it is erroneous to assume that courts would come to these same conclusions about the coverage of the Communications Act if faced with a private interception of computer transmissions. In defining wire and radio communications, the courts have gener


« السابقةمتابعة »