COMPUTER PRIVACY VS. FIRST AND FOURTH AMENDMENT RIGHTS (By Michael S. Borella)
<Mike Borella received a bachelor's degree in Computer Science and Technical Communication from Clarkson University (1991). He is currently a graduate student and teaching assistant in Computer Science at U. Cal. at Davis. This paper is the result of an independent study sponsored by Susan Ross, an assistant professor in Technical Communication at Clarkson. e-mail borella@toadflax.eecs.ucdavis or sross@clutx.clarkson.edu>
I: What is Cyberspace?
"Cyberspace. A consensual hallucination experienced daily
by billions of legitimate operators, in every nation... A
graphical representation of data abstracted from the banks
of every computer in the human system. Unthinkable
complexity. Lines of light ranged in the nonspace of the
mind, clusters and constellations of data. Like city lights,
receding..."
- William Gibson, Neuromancer
Even after reading William Gibson's cyberpunk novels, one's
conceptualization of cyberspace, the electronic world of computers and
computer networks, can be insubstantial. Gibson describes cyberspace as
a world of simulated stimulation that a computer feeds to a "jockey"
(computer operator) via a "cyberspace deck" (human-computer interface).
Explorers in Gibson's cyberspace often have difficulty telling what is
real and what is not. Frequently, in our world, the novice computer
user has similar problems understanding how to use the potential wealth
of information at their finger tips. In Gibson's uncharted future,
people access computers by merging their thoughts with a database.
Today we can "enter" cyberspace through keyboard and modem. But what
actually is cyberspace? Is it real? What does it look like? What are
some of the personal and legal issues emerging from this vastly
uncharted new frontier? This paper will answer those questions and more
as we explore cyberspace, meet its frequenters, and discuss its
increasing role in the life of every human being, not just those who
actually use a computer.
Before we embark on our journey through the legal battles and
rights issues regarding cyberspace, we need a working knowledge of what
it is and how computer operators use it.
Envision a roadmap. Cities dot the otherwise sparse landscape
and roads branch out in all directions, connecting every city. This
network leaves no city unserviced. Although not every city is connected
to every other, it is possible to reach any one city from any other.
Like every other mass transit system, certain areas are more travelled
than others. Some cities are larger than others and some stretches of
road are more prone to traffic. The size and complexity of this roadmap
defies the imagination - it encircles the world.
But the cities are not actually cities. They are computers or
groups of computers. The roads are telephone lines or fiber-optic
cable. The system surrounds the globe in an electronic web of data.
The travellers on these 'virtual' roads are packets of information which
are sent from one city to another, perhaps via many. The roadmap is a
worldwide computer "network." Each city is a depot or terminal for the
packets, and is usually referred to as a "node." In reality they are
mainframes owned by universities, companies, or groups of computer
users. There are several worldwide computer networks currently in
existence.
Every individual who has an account on any mainframe in the
world has their own unique electronic address. It is not unlike a
mailbox, except that it can only receive mail of the electronic kind.
Electronic addresses are similar to postal addresses in that they
contain:
--a name, or user identification which corresponds to the
individual computer user who owns the particular address.
--a local machine name, which is the specific mainframe that the
userid is on. Local names are only used in the node consists of
more than one mainframe. This is not unlike a street address.
--a node name, which corresponds to the physical location of the
node that the userid belongs to. This is not unlike a city
address and/or zip code.
This is all a network needs to know before it can send
information from one mailbox to another. Just like postal mail, if the
user doesn't address mail correctly, the network will return it. In the
case of e-mail (electronic mail) a simple misspelling will cause the
network to return the mail, or send it to an improper destination. Each
of the several worldwide networks has its own unique but similar method
for addressing e-mail. Corresponding via electronic mail has been
available to some academicians for over 20 years, but today it is
possible for anybody with a computer and a modem to have their own
mailbox. For the sake of convenience, many useful physical objects have
been abstracted into cyberspace. Computerized filing systems
(databases), bulletin boards, and electronically published digests and
magazines proliferate in the virtual world of networks. Many of these
electronic items are being treated differently than their "real"
counterparts. Often, due to the convenience of having millions of
pieces of data available in seconds, individual privacy rights are
violated. This is leading to debate and litigation concerning the use
of various aspects of cyberspace. The next sections cover the
situations, people, and legislation of this untamed and largely
undefined frontier.
II: Databases
A database is a collection facts, figures, numbers, and words
that are sorted in a particular order and/or indexed. They are stored on
a computer so that retrieval is quick and simple. Often, databases are
used by the government, corporations, and private businesses to keep
track of the names, address, phone numbers, and other relevant data
about their clients, subscribers, members, etc. For example, most
public libraries have databases containing information of every person
who has a card at that library. Besides the name, address, and phone
number of the card holder, the library's database would also contain
information regarding what books the holder is currently borrowing,
whether they are overdue or not, and when each person's library card
expires.
Similarly, banks have databases containing information regarding
the persons they transact with. Again, name, address and phone number
is essential, but the bank would also be interested in social security
number, credit rating, assets, mortgage information, and so on. By
organizing this data on a computer, the bank increases its efficiency.
It is able to serve more customers in less time, and provide monetary
transactions within seconds. Anyone who has used a bank card at an
automated teller can attest to this.
But all databases are not used for such beneficial purposes. As
we will see in the next section, even the information stored in "benign"
databases can be used to violate privacy rights.
In 1967, J. Edgar Hoover, then head of the FBI, created the
National Crime Information Center (NCIC). This organization's purpose
is to use a computerized database containing the criminal record of
every United States citizen to increase the efficiency of all levels of
law enforcement by facilitating quick exchange of information. The
NCIC's federal databanks interface with over 64,000 state and local
governments' computer networks, and even with some criminal databases of
foreign countries. This widespread and far-reaching power is used by
everyone from top FBI investigators to county and municipal patrol
officers. For example, if a police officer pulls over a speeder in New
York, they can check, within a matter of seconds, if that person is
wanted in any other state, and if that person has a criminal record.
The NCIC contains records on every person arrested in the United
States, which amounts to approximately 40 million people, a number
equivalent to one-third of the work force (Gordon and Churchill, p.
497). It goes without saying that the holders of this information have
incredible power. However, at first glance, the existence of the NCIC's
databases seem completely beneficial; in fact they do much to protect
the privacy of the average American. Authorities can find out if an
individual is wanted for a crime and detain that person if necessary,
all with the push of a few buttons. Effective law enforcement does make
the country a safer place for its citizens. But, as we will see, the
current state of and uses for the NCIC do infringe upon individual
privacy.
There are many cases in which the NCIC databases have been
found to hold inaccurate and incomplete information. Keep in mind that
they only contain arrest records, not conviction records. If an
individual has been acquitted of a charge, it does not necessarily get
entered into the computers. An example of this was the legal battle
fought by Los Angeles native Terry Dean Rogan. After Rogan lost his
wallet, a man using his identification was linked to four crimes,
including two murders. Rogan was mistakenly arrested, and an NCIC file
was made about him. The file was inaccurate - it did not contain a
description of him. As a result, he was arrested four times for crimes
he didn't commit. Rogan successfully sued to city if Los Angeles in
1987 for violating his Fourth Amendment rights (Science Court Opinions,
p. 99). But some victims of NCIC errors don't get off so easily.
In 1979, Michael Ducross of Huntington Beach California made a
minor traffic violation on his way to the supermarket one day. The
police officer radioed for a check on Ducross. When a police station
desk clerk punched up the NCIC database to see if Ducross had a file, he
got a surprising result. Ducross was wanted for going AWOL from the
Marine Corps 10 years earlier. He was seized and held for five months
at Camp Pendleton. The Marine Corps eventually dropped the charges
because he had never actually gone AWOL. Ducross was a Native American,
and he had left the Corps on a special discharge program available only
to Native Americans and foreign citizens (Burnham, pp. 33-34).
But these are just two isolated examples, right? Wrong! A
study by the Congressional Office of Technology Assistance (OTA)
conducted in 1982 found that, "...as many as one-third of state records
lacked information about the disposition of the cases on file.
Therefore, an arrest in one state, which may have resulted in a
dismissal or an acquittal, could in another state influence the decision
to withhold bail or to prosecute the defendant as a 'career criminal.' "
(Gordon and Churchill, p. 514). The OTA study found that, at best, 49.5
percent of the NCIC Criminal History records were complete, correct, and
unambiguous (Burnham, p. 74).
It's bad enough that the NCIC files are largely inaccurate -that
your Fourth Amendment rights protecting unlawful search and seizure can
be lawfully violated if you have been previously arrested for a crime
you didn't commit - but these computerized criminal files are used for
much more than law enforcement, and are used by more than just law
enforcement agencies. Approximately 90 percent of all criminal
histories in the United States are available to public and private
employers (Gordon and Churchill, p. 515).
Nor is the NCIC without local competition. For example, one
Rhode Island data merchant, whose clients are mostly prospective
employers, keeps files on people who have been arrested but
no necessarily convicted of a crime. That merchant includes in the files
names of individuals taken from local newspaper stories (Consumer
Reports).
If arrest records but not conviction records are available,
might not they influence hiring decisions? For example, might not an
employer finding a record of arrests in the file of a person claiming a
"clean record" on an employment application question the credibility of
the applicant's claim and make a decision not to hire influenced by that
doubt? Given that the applicant would not be aware that such a database
had been consulted, he or she could not possibly mount a defense if the
information in the file was inaccurate (e.g., someone else's arrests) or
misleading (e.g. no arrests led to convictions).
Since 40 million US citizens have an arrest record, the
social cost is potentially high. In several states, including
California and Connecticut, more than half of the information requests
to criminal history databases were made by employers (Gordon and
Churchill, p. 515).
But the problems don't end there. In 1981, mainly because
of John Hinckley's attempt on then President Ronald Reagan's life, about
400 files were added to the NCIC database. These were of people who had
no criminal record and were wanted for no crime! Why were they being
entered into the computers? Because these individuals were considered
"a potential danger" by the Secret Service. Secret Service Director
John R. Simpson stated that listing these people would provide an
invaluable tool for tracking their location and activities (Epstein, p.
17). This shows that the government is only paying lip service to the
"innocent until proven guilty" precedent that our freedom is based on.
The "potential danger" would be to members of the FBI protectorate,
including the President, Congress members, and controversial political
and social figures such as Jacqueline Onassis. Considering how
"accurate" the files have been proven to be, one can imagine the
atrocities possible (and encouraged) under these provisions.
But there are more culprits to this mess than just the
government. The use of databases in the violation of privacy extends
into the corporate world. The U.D. Registry Inc. was formed in 1977 by
Harvey Saltz, a former deputy district attorney in Los Angeles. "Using
a computer to store information obtained from legal charges filed by
landlords in the courts, Saltz says he currently has compiled more than
a million records about such disputes all over the Los Angeles area.
Over 1900 landlords pay Saltz an annual fee ranging from $35 to $60...to
determine whether the individuals who come to them for housing have had
arguments with other landlords in the past." (Burnham, p. 34). And just
like the NCIC, Saltz's database was found to be less than reliable.
In 1978, Lucky Kellener paid the rent to his brother's
apartment. But when his brother was evicted, Kellener's name was
included in the U.D. Registry files, defining him as an undesirable
tenant. When Kellener went looking for a new apartment in 1981, he got
repeatedly turned down and brushed off. Finally, a landlord told him
that he had been blacklisted (Burnham, pp. 34-35).
Another victim was Barbara Ward, who moved to Los Angeles and
found that her newly rented apartment was infested with cockroaches.
When she gave her landlord a thirty day notice, he countered with an
eviction notice. When the landlord didn't show up in court, the judge
threw the case out. But Ward was entered in the U.D. Registry as having
an eviction notice, and when she wanted to rent an apartment later she
was unable to (Burnham, pp. 34-35).
In both cases, errors caused a major personal difficulty and
breach of privacy. Also, in both cases the victim did not know of the
U.D. Registry's existence. Therefore, neither could possibly confront
the unfavorable, electronically-stored data, analogous to a "false
witness," that led to their blacklisting.
Perhaps the grandest scale of gathering information about people
by a non-governmental agency was undertaken by the Lotus Development
Corp. in conjunction with Equifax Inc. Lotus and Equifax developed
"Marketplace: Households," a database of the names, addresses, and
marketing information on 120 million residents of the United States
(Fisher, p. C3). The purchaser of this information would probably be
large consumer goods companies specializing in mail order. Databases
like this are currently used by organizations to send unsolicited (junk)
mail to potential buyers. Imagine the volume of junk mail if the entire
business world had the names and addresses of almost half of the
country's population on-line!
Fortunately, on January 23, 1991, Lotus and Equifax announced
that they had cancelled plans to release "Marketplace: Households" due
to 30,000 letter and phone calls from individuals who wanted their
files deleted from the product. Apparently, the companies decided that
the privacy issues involved would make the product unviable. (Fisher,
p. C3.) Ironically, a similar product, "Marketplace: Business", which
contained database information on seven million U.S. businesses, was
discontinued the same day. "Marketplace: Business" has been shipping
since October 1990, but was not profitable without the revenues from
"Marketplace: Households" (Fisher, p. C3).
A similar example of the same type of database belongs to the
Phone Disc USA Corporation. This small, Massachusetts based company
has manually copied the names, addresses and numbers of 90 million
people out of the white pages of telephone books from across the nation.
They put this information on CD-ROM storage devices, and sell it to
mass-marketers. In a recent ruling, the Supreme Court decided that it
is legal to copy white pages listings because they are not copyrighted.
For the next version of the product, co-founder James Bryant plans to
copy every name from over 4000 sets of regional whites pages.
(Kleinfield) Unlike the Lotus/Equifax undertaking, Phone Disc USA shows
no signs of halting their product.
How many of these computer databases and networks exist that the
average American doesn't know about? Just about every government or
private agency that interacts with the public has its own computerized
index of names, addresses, social security numbers, etc. Every time you
open a bank account, apply for a credit card, attend a learning
institution, register at a hotel, get medical aid, or obtain a loan, a
new file is opened for you, without your explicit knowledge! And these
are the easy ones to track; there are many databases you get into
without anyone telling you. In fact, these "secret" records, not unlike
the U.D. Registry's, are more effective if the "victims" don't know
about them.
Now that we are aware of the problem, we can ask the question,
"What do we do?" First we must clarify one point - does the mere
existence of these databases and computerized records intrude upon the
individual's privacy, or does the use of them constitute privacy
invasion? The best way to do this is to find out if similar privacy
violations occurred before the advent of computerized files.
The Census Bureau's charter contains the provision, "in no case
shall information furnished under the authority of this act be used to
the detriment of the person or persons to which this information
relates." But, during World War I, the Justice Department was looking
for the names and addresses of young men who were trying to evade the
draft so they could track these dissenters down and prosecute them.
Under pressure from the military, the Census Bureau disclosed this
information (Burnham, pg. 24). Computers did were not used to record
information until the mid-forties. One of the first organizations to
use primitive databases (stacks and stacks of punch cards) for the
purpose of information gathering on a large number of people was the
Census Bureau.
The violation of privacy did take place before computerized
databases. The largest differences between a stack of papers and a
computer file are that the computer file is easier to use, faster to
find, able to be disseminated and/or transmitted quickly. An example of
how efficient computer files are at finding people is the case of the
California Locator Service. This database is used to track parents who
refuse to pay child support. The names of the wayward parents are filed
in the database. The database is compared to that of the Franchise Tax
Board. In the case of a match, the parent's tax refund is intercepted
and sent to the parent with custody (Burnham, pp. 30-33). The Locator
Service also has direct links to the Department of Motor Vehicles, the
Employment Development Board, criminal databases, and several other
computer networks to help locate the delinquent parent. According to
manager Richard Beall, the service is able to provide at least some sort
of information 62% of the time (Burnham, pp. 30-33). Imagine the
difference if the California Locator Service were run by pen, pencil, or
typewriter instead. The proper information on the wayward parent would
have to be sent to all the associate agencies, processed, and answers
given. The time to do this would be prohibitive enough to make the
service slow and negligibly effective. The computer facilitates this
sort of information sharing and retrieval.
We conclude that computers aren't the inherent evil, but they
help the government and other organizations to procreate the evil of
privacy infringement more easily than if computer databases weren't
used. So we can't necessarily eliminate the problem by eliminating the
databases. Often the computer database used for the questionable
activity is one that exists for a different purpose. Cases of this are
the Census Bureau's information, and the NCIC. Both of these databases
exist to serve beneficial purposes - population surveys and law
enforcement, respectively. Eliminating all computer databases
containing personal information would to too radical a step. Our society
would grind to a standstill as bank records, medical files, legal
reports, etc. (the list goes on indefinitely) would have to be hand
copied and disseminated.
Think of the examples of given at the beginning of this section
of a library and a bank. We saw how these organizations used databases
to improve their service to the public. These same databases can be
used to invade the privacy of the public. For example if library
databases are available to the public, they can be used to list the
books or type of books that an individual reads. A magazine or book
club might find library databases useful in deciding who to send
unsolicited subscription or membership information to. Bank records can
be used similarly to determine the financial status of an individual.
What is comes down to is that any database containing personal
information that is used for any other purpose than the one it exists
for is a potential violation of privacy. As a case in point, under
current law, our video rental histories have more protection than our
medical or insurance records. Under a 1988 law, video rental records may
only be released under court order. That law, often referred to as the
"Bork bill," was inacted after video rental information about a Supreme
Court nominee was made public in the press (Consumer Reports). Must we
wait for similar abuses related to the medical, library, or bank records
of persons in the public eye to similarly secure the privacy of these
records?
Is there a solution? Is there a middle ground where we can have
the databases, but control how they are used? In the January 1988 issue
of Omni magazine, experts from various legal and scientific fields were
asked to comment upon the Terry Dean Rogan case (see above). Some
responses were: (Science Court Opinions, p. 100).
Sheldon L. Glashow, Nobel laureate and professor of physics at Harvard
University: "A centralized computerized crime file is absolutely
necessary for crime control, but it does jeopardize the rights of
citizens...Under no circumstance but one should the NCIC files be made
available for non-crime related purposes: The exception is the right of
each citizen to examine his or her own file."
Melvin Konner, M.D., professor of anthropology at Emory University:
"Centralized data banks pose a new, probably serious threat to
privacy, yet such data banks are too valuable to be forsworn.
...challenges should result in the emergence of a system of check
and balances that will prevent the abuse of data."
John Money, professor emeritus of medical psychology and pediatrics at
Johns Hopkins University and Hospital: "...it becomes imperative
to have strictly enforced safeguards on the usage of such
[computerized] lists. One such safeguard would be a legally
guaranteed principle of freedom of information, so that an
individual could access his or her name on the list and correct
information falsely entered against it."
George B. Schaller, director of science for Wildlife Conservation
International: "...as a potential victim, I am pleased that the file
might help insure my privacy - that is my property and person.
The file should, however, be accessible for criminal matters only,
or it will be misused."
Furthermore, an interesting precedent may be set for privacy
rights in the United States by the new European Community. The European
Community is proposing a set of laws that would strictly limit how
database information is used and who has access to it. Basically, the
laws would instruct owners of databases to notify individuals of their
inclusion, and these individuals would be able to obtain copies of the
database information on them. Also, owners of databases would not be
allowed to sell the personal information of an individual without the
permission of that individual. "The proposals would prohibit...a
publisher from selling a list of subscribers to a real estate developer
- unless the subscribers agreed to be included. Banks would be required
to notify credit card holders before selling their names to mail-order
houses." (Markoff, p. D1). Interestingly enough, these proposed
regulations have the U.S. based companies complaining the loudest. IBM,
GTE, and AT&T claim that the proposed laws would strictly limit their
business abroad (Markoff, p. D1).
Privacy experts maintain that the companies are overreacting.
Some of the restriction that are under consideration include: (Markoff,
p. D1).
--Companies must register all databases containing personal
information with the countries...in which they are
operating...
--Corporations using personal data must tell the subjects of
their use...
--Private companies can only collect or process personal data
with the consent of the subjects.
--Companies would not be able to transfer data to another
country unless that country also offered adequate protection
of records.
Taking these experts' opinions and the precedents under
consideration by the European Community, we have a basis for legislation
concerning computer databases and the privacy of individuals. The
following guidelines are suggested:
1) All individuals who have personal information stored in a
computer database must be informed of this fact. They also
must be given a chance to review their file(s) and to
petition for changes if they find that the information held
within is incorrect.
2) When a person is arrested and/or brought to trial because of
the information in one of these databases, attention must be
given to the question of the file's accuracy and
completeness.
3) Files that exist for purposes of law enforcement (e.g., the
NCIC) should not be used for anything other than law
enforcement. A system of checks and balances should be
maintained to guarantee this.
4) Files that exist for marketing or statistical purposes should
inform all individuals who are included in the database of
their inclusion, and give them an opportunity to request that
their file be deleted.
The constitution was written as anticipatory democracy, but its
framers did not (and could not) anticipate the advent nor the power of
the computer. Although the ideals of individual privacy have not
changed over the last 200 years, the reality has. In the next section
other outdated legal concepts that are in danger of violating the First
and Fourth Amendment rights of every citizen are exposed.
III: The Printed Word vs. The Electronic Word
"The right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable searches
and seizures, shall not be violated and no warrants shall
issue but upon probable cause, supported by oath or
affirmation, and particularly describing the place to be
searched, and the persons or things to be seized."
- The Fourth Amendment to the Constitution of the
United States
On March 1st, 1990, Secret Service agents raided the offices of
Steve Jackson Games, a small role-playing game company. The agents
seized three computers, including one being used to run a bulletin
board, all company software in the proximity of these computers, and all
business records contained in the computers' storage.
Why would the government want to virtually shut down a game
company? Because Steve Jackson Games was just weeks away from
publishing a science-fiction role-playing game called Gurps Cyberpunk.
The game is set in a high-tech future society where the players use
human/computer interfaces to "enter" computer networks and infiltrate
(or hack) through defenses to valuable data. Playing the game does not
require the use of (or even the knowledge of how to use) a computer. A
Secret Service agent told Steve Jackson that the Gurps Cyberpunk playing
manual was a "handbook on computer crime." (Barlow).
As a result of losing their computing capabilities and data,
Steve Jackson Games temporarily shut down and had to lay off half of its
employees. For three months, the Secret Service retained the equipment
and data even though they had no evidence that the game or any other
Steve Jackson game violated any law. When some of the equipment was
finally returned in June, 1990, the Service kept the drafts of Gurps
Cyberpunk. The rest of the equipment was "lost." (Barlow).
According to the Fourth Amendment, the Secret Service agents
needed "probable cause" that criminal evidence will be at the scene of
the search to get a search warrant issued. The Fourth Amendment also
specifies that the search should be as narrow as possible (in other
words, the Secret Service should have known exactly what they were
looking for.) By taking all computer records, the Service not only
effectively shut Jackson down, but violated the Fourth Amendment.
The only "probable cause" that the Secret Service had for
seizing Jackson's computers was that Jackson had hired a former "hacker"
to work on Gurps Cyberpunk. A "hacker" is a member of an underground
subculture dedicated to breaking and entering computer systems. While
this is illegal, the hacker community in general frowns upon the
stealing of data for personal profit, but does it instead for bragging
rights and the thrill of gaining illicit access to a "guarded" area of
cyberspace. This is not unlike breaking the speed limit for kicks and
the excitement of defying authority. If this is indeed why the Service
raided Steve Jackson Games, this sets another frightening precedent
regarding privacy - will employers now check to see if applicants are
hackers along with the "normal" checks for arrest records? This may be
an effect that the Service was looking for. According to Steve Jackson,
the Secret Service suspected this staff member of wrongdoing at home,
not at Steve Jackson Games (Computer Underground Digest, 3.20).
At the time of this writing, the search warrant remained sealed.
If the object of the search, according to the warrant, was evidence of
the staffer's wrongdoing, only evidence of that crime should have been
retained. If the object was the game, the agents should have taken just
the hard copy and soft copy regarding Gurps Cyberpunk. By taking the
whole computer system of Steve Jackson Games, the FBI seriously hindered
the lawful commercial activities of the company. By holding the
computer equipment and software for three months, Steve Jackson Games
was almost put out of business. The non-relevant equipment and software
should have been returned promptly.
Along with the computer equipment and software seized, the
agents disconnected and confiscated Steve Jackson Games' BBS. A BBS,
or Bulletin Board System, is a centralized, information gathering and
dissemination point for many computer users. The BBS contains e-mail
from and for those users, who can access the system with their home
computer's modem through normal phone lines. Many users who don't
have network access through a university or the organization they work
for use a BBS to enter cyberspace. The BBS stores personal mail for
these users and enables them to read it when they are logged on. U.S.
postal mail is considered private. Electronic mail is the same as
physical mail in that it should be protected by the same privacy rights
that physical mail is. In the next section, the seizure of personal
mail is explored in detail.
Even though Steve Jackson Games did eventually publish Gurps
Cyberpunk, the company was hit hard by the loss of its information.
They had to recreate the game from rough drafts and memory. But, a
positive result did come out of the SJG case. Mitch Kapor, founder of
Lotus Development Corp, and associate John Perry Barlow, established the
Electronic Frontier Foundation (EFF) with the purposes of educating the
public about computer-based media and supporting litigation to extend
First Amendment rights into the computer world. The EFF intervened in
the Jackson case, pushing the government to restore SJG's equipment. In
April, 1991 the EFF in conjunction with Steve Jackson Games filed a
civil suit against the U.S. Secret Service and several of the
individuals responsible for the raid and the withholding of Jackson's
property. Unfortunately, at the time of this writing, more detail about
this precedent setting case was unavailable.
Although it will not set a legal precedent, there is a similar
case on the books. The Alcor Life Extension Foundation is an
organization that, for a large fee, will freeze an individual's body
upon death. In December, 1987, the Riverside County Coroner's Office
accused Alcor of hastening the death of cryogenic participant Dora Kent
by prescribing her a lethal dose of barbituates (Computer Underground
Digest, 1.04). In January 1988, law enforcement officers raided Alcor's
headquarters and confiscated its computer equipment. Like the Steve
Jackson Games case, the search warrant for the Alcor foundation did not
specify what information that should have specifically be confiscated.
The section of the warrant pertaining to computer seizures follows:
All electronic storage devices, capable of storing
electronic data regarding the above records, including magnetic
tapes, disk (floppy or hard), and the complete hardware
necessary to retrieve electronic data including CPU (central
processing unit), CRT (viewing screen), disc or tape drives,
printer, software, and operation manuals for the above said
computer, together with all handwritten notes or printed
material describing the operation of the computer
(Computer Underground Digest, 1.04).
In other words, the officers were directed to seize all
computers and computer equipment from the Alcor site. Even though the
warrant states that only computer equipment "...capable of storing
electronic data regarding the above records..." should be seized, this
can be interpreted as a warrant to seize all computer equipment because
any equipment is capable of holding data about Dora Kent. So once
again, the warrant was very wide reaching and vague, exactly what the
Fourth Amendment is supposed to protect against.
But in this case, the issue became more focused. H. Keith
Henson, a member of Alcor, claimed that personal e-mail belonging to
himself and 13 other Alcor members was "stolen" by the raiding officers.
Although Henson repeatedly tried to get the court to turn over the
private e-mail, on the account that it had no relevance to the Dora Kent
case, they would not return it. So Henson and his group sued the FBI
for not intervening on their behalf in this case (Computer Underground
Digest, 1.04).
The stealing of private e-mail like in the Alcor case is another
precedent that can have dangerous repercussions. This is the equivalent
of law enforcement officers obtaining a search warrant for a post office
because some of its employees were suspected of illegal activities, and
proceeding to seize all mail contained in the post office and reading
it, and not returning it to its intended recipients.
At the time of this writing, Alcor case was settled out of
court. The result of the settlement was not available.
As we can see from these examples, there is a fundamental
difference in how the legal community in the U.S. views printed and
electronic media. Print media is protected by the First Amendment;
electronic media is not. This is a difference that should not exist.
Almost all newspapers and magazines exist in electronic form before they
are printed. Electronic digests follow the same process, but they leave
out the final step - the actual printing. There have been cases of
electronic hacker magazines being shut down for publishing hacked
(stolen) documents.
However there is a hacker magazine called 2600 that doesn't
leave out the final step. Printed, not electronic, copies are sent to
subscribers. 2600 has included similarly hacked documents, but has
never been accosted. According to 2600 editor Emmanuel Goldstein, it is
because of the physical printing, "I've got one advantage. I come out
on paper and the Constitution knows how to deal with paper." (Barlow).
Computer based media and e-mail should have the same Constitutional
protection as the written word. But it doesn't. Why not?
We can answer this question by tracing history back to the late
1700's when the Framers were writing the Constitution. They had no
concept of computers or electronic communication at its current level.
Because of this excusable lack of foresight, the Constitution and Bill
of Rights do not contain specific provisions for computer based speech
and the computerized press. In fact, the word "press" implies the
printed press, not actual process of disseminating information to large
numbers of people. In the Fourth Amendment, an individual's "papers"
are safe from unreasonable search and seizure. Electronic, or
unprinted, "papers" are not specifically protected. In strict
interpretations of the Constitution, electronic media are not protected.
Of course, this is nonsense since the only difference between an article
in a newspaper or magazine and an article stored electronically, that is
intended to be printed, is the act of printing.
Using the Steve Jackson Games and Alcor cases as a basis,
it is proposed that the following guidelines be legislated:
1) If computer information is to be seized, the search warrant
must explicitly describe the data sought. The officers
carrying out the search should seize only the storage devices
(floppy disk, hard disk, magnetic tape) holding this
information.
2) If the storage device(s) seized contain other information as
well as the data described by the warrant, the wanted data
should be copied them the storage device should be promptly
returned.
3) If any electronic mail is confiscated, only the pieces from
or to suspects of the crime should be read. The rest should
be promptly returned unread to the addressees.
By following these guidelines, we can avoid many violations of
individual privacy that the Constitution, in its current wording,
allows. In the final section a somewhat radical step to help our
society into the information age is recommended.
IV: Where Do We Go From Here?
The untamed electronic frontier is an intimidating domain for
the computer illiterate. Many view this mysterious technology as
responsible for whittling away their personal rights and privacy. Thus
they find it fearful and intimidating. Ironically, the only way that
the electronic frontier can "dehumanize" an individual is if that
individual is ignorant of what it really is. We've seen that we can't
continue to function at our current level of society without computer
technology, but unless the users of this technology are monitored, they
can use it to invade the privacy of individuals. If the general
populace is educated, they will have the background to challenge these
intruders.
But where do we start? As we have seen before, the outdated
wording of the Constitution promotes this dread image of computers and
electronic media. Perhaps a good place to start would be with the
Constitution. The current wording of the Bill of Rights is archaic, and
it represents the mind-frame that many people still have. Computer
technology and cyberspace must not be viewed as separate from or outside
of laws protecting free speech and privacy.
The First and Fourth Amendments don't explicitly mention
electronic media. They should regard rights in the electronic world of
cyberspace as just as important as those in the physical world. A new
amendment stating that the rights guaranteed by the First, Fourth, and
any other amendment for that matter, apply to cyberspace would prevent
many of the violations we have discussed from happening. (As the final
revision of this paper was about to be printed, word was received that
Laurence Tribe of Harvard Law School had proposed discussion of just
such an amendment. However, this author's proposal was developed
independently of Tribe's.)
If a new amendment is a step too far, then legislation and
precedent setting legal decisions must be made. There seems to be a ray
of hope in the Steve Jackson Games case, but it will take several such
cases to approach the benefit of a Constitutional amendment.
The global village is just around the corner. Whether it is a
technological utopia of peace and freedom or an aspect of Orwell's
"1984" depends on decisions made now.
Bibliography
Article One: An Overview, (2600 Magazine, Spring 1990), pp.1-10.*
Burnham, David, The Rise of the Computer State, (1980, Vintage
Books).
Barlow, John Perry, Crime and Puzzlement. **
Computer Underground Digest, Volume 1.04, April 11th, 1990. *
Computer Underground Digest, Volume 3.20, May 12, 1991.*
Consumer Reports, "What Price Privacy," (May, 1991, pp. 356-360).
Epstein, Aaron, "The Shadow of Your File," The Progressive, (v47,
Jun., 1983), p. 17.
Fisher, Lawrence M., "Lotus Database Cancelled," (New York Times,
Jan 24, 1991), p. C3.
Gordon, Diana R. and Churchill, Mae, " 'Triple I' Will Be Tracking
Us," The Nation, (New York, v238, April 28, 1984), pp. 497, 513-
515.
Kleinfield, N.R., "The Man With All The Numbers," New York Times,
Sunday, April 14th, 1991.
Markoff, John, "Europe's Plan to Protect Privacy Worry Business,"
New York Times, Thursday, April 11th, pp. D1, D5.
Pool, Ithiel de Sola, Technologies of Freedom, "On free speech in
an electronic age," (1983, Harvard University Press).
Science Court Opinions - Case 6: Computer Privacy, Omni, (New
York, Jan. 1988, v10), pp. 99-100.
Wilson, Kevin, The Technologies of Control, (1988, University of
Wisconsin Press).
* These are electronic publications. If copies cannot be found,
feel free to contact the author.
** This document was originally disseminated electronically, then
was published in Harper's Magazine. The author used the
original version.
<Mike Borella received a bachelor's degree in Computer Science and Technical Communication from Clarkson University (1991). He is currently a graduate student and teaching assistant in Computer Science at U. Cal. at Davis. This paper is the result of an independent study sponsored by Susan Ross, an assistant professor in Technical Communication at Clarkson. e-mail borella@toadflax.eecs.ucdavis or sross@clutx.clarkson.edu>
I: What is Cyberspace?
"Cyberspace. A consensual hallucination experienced daily
by billions of legitimate operators, in every nation... A
graphical representation of data abstracted from the banks
of every computer in the human system. Unthinkable
complexity. Lines of light ranged in the nonspace of the
mind, clusters and constellations of data. Like city lights,
receding..."
- William Gibson, Neuromancer
Even after reading William Gibson's cyberpunk novels, one's
conceptualization of cyberspace, the electronic world of computers and
computer networks, can be insubstantial. Gibson describes cyberspace as
a world of simulated stimulation that a computer feeds to a "jockey"
(computer operator) via a "cyberspace deck" (human-computer interface).
Explorers in Gibson's cyberspace often have difficulty telling what is
real and what is not. Frequently, in our world, the novice computer
user has similar problems understanding how to use the potential wealth
of information at their finger tips. In Gibson's uncharted future,
people access computers by merging their thoughts with a database.
Today we can "enter" cyberspace through keyboard and modem. But what
actually is cyberspace? Is it real? What does it look like? What are
some of the personal and legal issues emerging from this vastly
uncharted new frontier? This paper will answer those questions and more
as we explore cyberspace, meet its frequenters, and discuss its
increasing role in the life of every human being, not just those who
actually use a computer.
Before we embark on our journey through the legal battles and
rights issues regarding cyberspace, we need a working knowledge of what
it is and how computer operators use it.
Envision a roadmap. Cities dot the otherwise sparse landscape
and roads branch out in all directions, connecting every city. This
network leaves no city unserviced. Although not every city is connected
to every other, it is possible to reach any one city from any other.
Like every other mass transit system, certain areas are more travelled
than others. Some cities are larger than others and some stretches of
road are more prone to traffic. The size and complexity of this roadmap
defies the imagination - it encircles the world.
But the cities are not actually cities. They are computers or
groups of computers. The roads are telephone lines or fiber-optic
cable. The system surrounds the globe in an electronic web of data.
The travellers on these 'virtual' roads are packets of information which
are sent from one city to another, perhaps via many. The roadmap is a
worldwide computer "network." Each city is a depot or terminal for the
packets, and is usually referred to as a "node." In reality they are
mainframes owned by universities, companies, or groups of computer
users. There are several worldwide computer networks currently in
existence.
Every individual who has an account on any mainframe in the
world has their own unique electronic address. It is not unlike a
mailbox, except that it can only receive mail of the electronic kind.
Electronic addresses are similar to postal addresses in that they
contain:
--a name, or user identification which corresponds to the
individual computer user who owns the particular address.
--a local machine name, which is the specific mainframe that the
userid is on. Local names are only used in the node consists of
more than one mainframe. This is not unlike a street address.
--a node name, which corresponds to the physical location of the
node that the userid belongs to. This is not unlike a city
address and/or zip code.
This is all a network needs to know before it can send
information from one mailbox to another. Just like postal mail, if the
user doesn't address mail correctly, the network will return it. In the
case of e-mail (electronic mail) a simple misspelling will cause the
network to return the mail, or send it to an improper destination. Each
of the several worldwide networks has its own unique but similar method
for addressing e-mail. Corresponding via electronic mail has been
available to some academicians for over 20 years, but today it is
possible for anybody with a computer and a modem to have their own
mailbox. For the sake of convenience, many useful physical objects have
been abstracted into cyberspace. Computerized filing systems
(databases), bulletin boards, and electronically published digests and
magazines proliferate in the virtual world of networks. Many of these
electronic items are being treated differently than their "real"
counterparts. Often, due to the convenience of having millions of
pieces of data available in seconds, individual privacy rights are
violated. This is leading to debate and litigation concerning the use
of various aspects of cyberspace. The next sections cover the
situations, people, and legislation of this untamed and largely
undefined frontier.
II: Databases
A database is a collection facts, figures, numbers, and words
that are sorted in a particular order and/or indexed. They are stored on
a computer so that retrieval is quick and simple. Often, databases are
used by the government, corporations, and private businesses to keep
track of the names, address, phone numbers, and other relevant data
about their clients, subscribers, members, etc. For example, most
public libraries have databases containing information of every person
who has a card at that library. Besides the name, address, and phone
number of the card holder, the library's database would also contain
information regarding what books the holder is currently borrowing,
whether they are overdue or not, and when each person's library card
expires.
Similarly, banks have databases containing information regarding
the persons they transact with. Again, name, address and phone number
is essential, but the bank would also be interested in social security
number, credit rating, assets, mortgage information, and so on. By
organizing this data on a computer, the bank increases its efficiency.
It is able to serve more customers in less time, and provide monetary
transactions within seconds. Anyone who has used a bank card at an
automated teller can attest to this.
But all databases are not used for such beneficial purposes. As
we will see in the next section, even the information stored in "benign"
databases can be used to violate privacy rights.
In 1967, J. Edgar Hoover, then head of the FBI, created the
National Crime Information Center (NCIC). This organization's purpose
is to use a computerized database containing the criminal record of
every United States citizen to increase the efficiency of all levels of
law enforcement by facilitating quick exchange of information. The
NCIC's federal databanks interface with over 64,000 state and local
governments' computer networks, and even with some criminal databases of
foreign countries. This widespread and far-reaching power is used by
everyone from top FBI investigators to county and municipal patrol
officers. For example, if a police officer pulls over a speeder in New
York, they can check, within a matter of seconds, if that person is
wanted in any other state, and if that person has a criminal record.
The NCIC contains records on every person arrested in the United
States, which amounts to approximately 40 million people, a number
equivalent to one-third of the work force (Gordon and Churchill, p.
497). It goes without saying that the holders of this information have
incredible power. However, at first glance, the existence of the NCIC's
databases seem completely beneficial; in fact they do much to protect
the privacy of the average American. Authorities can find out if an
individual is wanted for a crime and detain that person if necessary,
all with the push of a few buttons. Effective law enforcement does make
the country a safer place for its citizens. But, as we will see, the
current state of and uses for the NCIC do infringe upon individual
privacy.
There are many cases in which the NCIC databases have been
found to hold inaccurate and incomplete information. Keep in mind that
they only contain arrest records, not conviction records. If an
individual has been acquitted of a charge, it does not necessarily get
entered into the computers. An example of this was the legal battle
fought by Los Angeles native Terry Dean Rogan. After Rogan lost his
wallet, a man using his identification was linked to four crimes,
including two murders. Rogan was mistakenly arrested, and an NCIC file
was made about him. The file was inaccurate - it did not contain a
description of him. As a result, he was arrested four times for crimes
he didn't commit. Rogan successfully sued to city if Los Angeles in
1987 for violating his Fourth Amendment rights (Science Court Opinions,
p. 99). But some victims of NCIC errors don't get off so easily.
In 1979, Michael Ducross of Huntington Beach California made a
minor traffic violation on his way to the supermarket one day. The
police officer radioed for a check on Ducross. When a police station
desk clerk punched up the NCIC database to see if Ducross had a file, he
got a surprising result. Ducross was wanted for going AWOL from the
Marine Corps 10 years earlier. He was seized and held for five months
at Camp Pendleton. The Marine Corps eventually dropped the charges
because he had never actually gone AWOL. Ducross was a Native American,
and he had left the Corps on a special discharge program available only
to Native Americans and foreign citizens (Burnham, pp. 33-34).
But these are just two isolated examples, right? Wrong! A
study by the Congressional Office of Technology Assistance (OTA)
conducted in 1982 found that, "...as many as one-third of state records
lacked information about the disposition of the cases on file.
Therefore, an arrest in one state, which may have resulted in a
dismissal or an acquittal, could in another state influence the decision
to withhold bail or to prosecute the defendant as a 'career criminal.' "
(Gordon and Churchill, p. 514). The OTA study found that, at best, 49.5
percent of the NCIC Criminal History records were complete, correct, and
unambiguous (Burnham, p. 74).
It's bad enough that the NCIC files are largely inaccurate -that
your Fourth Amendment rights protecting unlawful search and seizure can
be lawfully violated if you have been previously arrested for a crime
you didn't commit - but these computerized criminal files are used for
much more than law enforcement, and are used by more than just law
enforcement agencies. Approximately 90 percent of all criminal
histories in the United States are available to public and private
employers (Gordon and Churchill, p. 515).
Nor is the NCIC without local competition. For example, one
Rhode Island data merchant, whose clients are mostly prospective
employers, keeps files on people who have been arrested but
no necessarily convicted of a crime. That merchant includes in the files
names of individuals taken from local newspaper stories (Consumer
Reports).
If arrest records but not conviction records are available,
might not they influence hiring decisions? For example, might not an
employer finding a record of arrests in the file of a person claiming a
"clean record" on an employment application question the credibility of
the applicant's claim and make a decision not to hire influenced by that
doubt? Given that the applicant would not be aware that such a database
had been consulted, he or she could not possibly mount a defense if the
information in the file was inaccurate (e.g., someone else's arrests) or
misleading (e.g. no arrests led to convictions).
Since 40 million US citizens have an arrest record, the
social cost is potentially high. In several states, including
California and Connecticut, more than half of the information requests
to criminal history databases were made by employers (Gordon and
Churchill, p. 515).
But the problems don't end there. In 1981, mainly because
of John Hinckley's attempt on then President Ronald Reagan's life, about
400 files were added to the NCIC database. These were of people who had
no criminal record and were wanted for no crime! Why were they being
entered into the computers? Because these individuals were considered
"a potential danger" by the Secret Service. Secret Service Director
John R. Simpson stated that listing these people would provide an
invaluable tool for tracking their location and activities (Epstein, p.
17). This shows that the government is only paying lip service to the
"innocent until proven guilty" precedent that our freedom is based on.
The "potential danger" would be to members of the FBI protectorate,
including the President, Congress members, and controversial political
and social figures such as Jacqueline Onassis. Considering how
"accurate" the files have been proven to be, one can imagine the
atrocities possible (and encouraged) under these provisions.
But there are more culprits to this mess than just the
government. The use of databases in the violation of privacy extends
into the corporate world. The U.D. Registry Inc. was formed in 1977 by
Harvey Saltz, a former deputy district attorney in Los Angeles. "Using
a computer to store information obtained from legal charges filed by
landlords in the courts, Saltz says he currently has compiled more than
a million records about such disputes all over the Los Angeles area.
Over 1900 landlords pay Saltz an annual fee ranging from $35 to $60...to
determine whether the individuals who come to them for housing have had
arguments with other landlords in the past." (Burnham, p. 34). And just
like the NCIC, Saltz's database was found to be less than reliable.
In 1978, Lucky Kellener paid the rent to his brother's
apartment. But when his brother was evicted, Kellener's name was
included in the U.D. Registry files, defining him as an undesirable
tenant. When Kellener went looking for a new apartment in 1981, he got
repeatedly turned down and brushed off. Finally, a landlord told him
that he had been blacklisted (Burnham, pp. 34-35).
Another victim was Barbara Ward, who moved to Los Angeles and
found that her newly rented apartment was infested with cockroaches.
When she gave her landlord a thirty day notice, he countered with an
eviction notice. When the landlord didn't show up in court, the judge
threw the case out. But Ward was entered in the U.D. Registry as having
an eviction notice, and when she wanted to rent an apartment later she
was unable to (Burnham, pp. 34-35).
In both cases, errors caused a major personal difficulty and
breach of privacy. Also, in both cases the victim did not know of the
U.D. Registry's existence. Therefore, neither could possibly confront
the unfavorable, electronically-stored data, analogous to a "false
witness," that led to their blacklisting.
Perhaps the grandest scale of gathering information about people
by a non-governmental agency was undertaken by the Lotus Development
Corp. in conjunction with Equifax Inc. Lotus and Equifax developed
"Marketplace: Households," a database of the names, addresses, and
marketing information on 120 million residents of the United States
(Fisher, p. C3). The purchaser of this information would probably be
large consumer goods companies specializing in mail order. Databases
like this are currently used by organizations to send unsolicited (junk)
mail to potential buyers. Imagine the volume of junk mail if the entire
business world had the names and addresses of almost half of the
country's population on-line!
Fortunately, on January 23, 1991, Lotus and Equifax announced
that they had cancelled plans to release "Marketplace: Households" due
to 30,000 letter and phone calls from individuals who wanted their
files deleted from the product. Apparently, the companies decided that
the privacy issues involved would make the product unviable. (Fisher,
p. C3.) Ironically, a similar product, "Marketplace: Business", which
contained database information on seven million U.S. businesses, was
discontinued the same day. "Marketplace: Business" has been shipping
since October 1990, but was not profitable without the revenues from
"Marketplace: Households" (Fisher, p. C3).
A similar example of the same type of database belongs to the
Phone Disc USA Corporation. This small, Massachusetts based company
has manually copied the names, addresses and numbers of 90 million
people out of the white pages of telephone books from across the nation.
They put this information on CD-ROM storage devices, and sell it to
mass-marketers. In a recent ruling, the Supreme Court decided that it
is legal to copy white pages listings because they are not copyrighted.
For the next version of the product, co-founder James Bryant plans to
copy every name from over 4000 sets of regional whites pages.
(Kleinfield) Unlike the Lotus/Equifax undertaking, Phone Disc USA shows
no signs of halting their product.
How many of these computer databases and networks exist that the
average American doesn't know about? Just about every government or
private agency that interacts with the public has its own computerized
index of names, addresses, social security numbers, etc. Every time you
open a bank account, apply for a credit card, attend a learning
institution, register at a hotel, get medical aid, or obtain a loan, a
new file is opened for you, without your explicit knowledge! And these
are the easy ones to track; there are many databases you get into
without anyone telling you. In fact, these "secret" records, not unlike
the U.D. Registry's, are more effective if the "victims" don't know
about them.
Now that we are aware of the problem, we can ask the question,
"What do we do?" First we must clarify one point - does the mere
existence of these databases and computerized records intrude upon the
individual's privacy, or does the use of them constitute privacy
invasion? The best way to do this is to find out if similar privacy
violations occurred before the advent of computerized files.
The Census Bureau's charter contains the provision, "in no case
shall information furnished under the authority of this act be used to
the detriment of the person or persons to which this information
relates." But, during World War I, the Justice Department was looking
for the names and addresses of young men who were trying to evade the
draft so they could track these dissenters down and prosecute them.
Under pressure from the military, the Census Bureau disclosed this
information (Burnham, pg. 24). Computers did were not used to record
information until the mid-forties. One of the first organizations to
use primitive databases (stacks and stacks of punch cards) for the
purpose of information gathering on a large number of people was the
Census Bureau.
The violation of privacy did take place before computerized
databases. The largest differences between a stack of papers and a
computer file are that the computer file is easier to use, faster to
find, able to be disseminated and/or transmitted quickly. An example of
how efficient computer files are at finding people is the case of the
California Locator Service. This database is used to track parents who
refuse to pay child support. The names of the wayward parents are filed
in the database. The database is compared to that of the Franchise Tax
Board. In the case of a match, the parent's tax refund is intercepted
and sent to the parent with custody (Burnham, pp. 30-33). The Locator
Service also has direct links to the Department of Motor Vehicles, the
Employment Development Board, criminal databases, and several other
computer networks to help locate the delinquent parent. According to
manager Richard Beall, the service is able to provide at least some sort
of information 62% of the time (Burnham, pp. 30-33). Imagine the
difference if the California Locator Service were run by pen, pencil, or
typewriter instead. The proper information on the wayward parent would
have to be sent to all the associate agencies, processed, and answers
given. The time to do this would be prohibitive enough to make the
service slow and negligibly effective. The computer facilitates this
sort of information sharing and retrieval.
We conclude that computers aren't the inherent evil, but they
help the government and other organizations to procreate the evil of
privacy infringement more easily than if computer databases weren't
used. So we can't necessarily eliminate the problem by eliminating the
databases. Often the computer database used for the questionable
activity is one that exists for a different purpose. Cases of this are
the Census Bureau's information, and the NCIC. Both of these databases
exist to serve beneficial purposes - population surveys and law
enforcement, respectively. Eliminating all computer databases
containing personal information would to too radical a step. Our society
would grind to a standstill as bank records, medical files, legal
reports, etc. (the list goes on indefinitely) would have to be hand
copied and disseminated.
Think of the examples of given at the beginning of this section
of a library and a bank. We saw how these organizations used databases
to improve their service to the public. These same databases can be
used to invade the privacy of the public. For example if library
databases are available to the public, they can be used to list the
books or type of books that an individual reads. A magazine or book
club might find library databases useful in deciding who to send
unsolicited subscription or membership information to. Bank records can
be used similarly to determine the financial status of an individual.
What is comes down to is that any database containing personal
information that is used for any other purpose than the one it exists
for is a potential violation of privacy. As a case in point, under
current law, our video rental histories have more protection than our
medical or insurance records. Under a 1988 law, video rental records may
only be released under court order. That law, often referred to as the
"Bork bill," was inacted after video rental information about a Supreme
Court nominee was made public in the press (Consumer Reports). Must we
wait for similar abuses related to the medical, library, or bank records
of persons in the public eye to similarly secure the privacy of these
records?
Is there a solution? Is there a middle ground where we can have
the databases, but control how they are used? In the January 1988 issue
of Omni magazine, experts from various legal and scientific fields were
asked to comment upon the Terry Dean Rogan case (see above). Some
responses were: (Science Court Opinions, p. 100).
Sheldon L. Glashow, Nobel laureate and professor of physics at Harvard
University: "A centralized computerized crime file is absolutely
necessary for crime control, but it does jeopardize the rights of
citizens...Under no circumstance but one should the NCIC files be made
available for non-crime related purposes: The exception is the right of
each citizen to examine his or her own file."
Melvin Konner, M.D., professor of anthropology at Emory University:
"Centralized data banks pose a new, probably serious threat to
privacy, yet such data banks are too valuable to be forsworn.
...challenges should result in the emergence of a system of check
and balances that will prevent the abuse of data."
John Money, professor emeritus of medical psychology and pediatrics at
Johns Hopkins University and Hospital: "...it becomes imperative
to have strictly enforced safeguards on the usage of such
[computerized] lists. One such safeguard would be a legally
guaranteed principle of freedom of information, so that an
individual could access his or her name on the list and correct
information falsely entered against it."
George B. Schaller, director of science for Wildlife Conservation
International: "...as a potential victim, I am pleased that the file
might help insure my privacy - that is my property and person.
The file should, however, be accessible for criminal matters only,
or it will be misused."
Furthermore, an interesting precedent may be set for privacy
rights in the United States by the new European Community. The European
Community is proposing a set of laws that would strictly limit how
database information is used and who has access to it. Basically, the
laws would instruct owners of databases to notify individuals of their
inclusion, and these individuals would be able to obtain copies of the
database information on them. Also, owners of databases would not be
allowed to sell the personal information of an individual without the
permission of that individual. "The proposals would prohibit...a
publisher from selling a list of subscribers to a real estate developer
- unless the subscribers agreed to be included. Banks would be required
to notify credit card holders before selling their names to mail-order
houses." (Markoff, p. D1). Interestingly enough, these proposed
regulations have the U.S. based companies complaining the loudest. IBM,
GTE, and AT&T claim that the proposed laws would strictly limit their
business abroad (Markoff, p. D1).
Privacy experts maintain that the companies are overreacting.
Some of the restriction that are under consideration include: (Markoff,
p. D1).
--Companies must register all databases containing personal
information with the countries...in which they are
operating...
--Corporations using personal data must tell the subjects of
their use...
--Private companies can only collect or process personal data
with the consent of the subjects.
--Companies would not be able to transfer data to another
country unless that country also offered adequate protection
of records.
Taking these experts' opinions and the precedents under
consideration by the European Community, we have a basis for legislation
concerning computer databases and the privacy of individuals. The
following guidelines are suggested:
1) All individuals who have personal information stored in a
computer database must be informed of this fact. They also
must be given a chance to review their file(s) and to
petition for changes if they find that the information held
within is incorrect.
2) When a person is arrested and/or brought to trial because of
the information in one of these databases, attention must be
given to the question of the file's accuracy and
completeness.
3) Files that exist for purposes of law enforcement (e.g., the
NCIC) should not be used for anything other than law
enforcement. A system of checks and balances should be
maintained to guarantee this.
4) Files that exist for marketing or statistical purposes should
inform all individuals who are included in the database of
their inclusion, and give them an opportunity to request that
their file be deleted.
The constitution was written as anticipatory democracy, but its
framers did not (and could not) anticipate the advent nor the power of
the computer. Although the ideals of individual privacy have not
changed over the last 200 years, the reality has. In the next section
other outdated legal concepts that are in danger of violating the First
and Fourth Amendment rights of every citizen are exposed.
III: The Printed Word vs. The Electronic Word
"The right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable searches
and seizures, shall not be violated and no warrants shall
issue but upon probable cause, supported by oath or
affirmation, and particularly describing the place to be
searched, and the persons or things to be seized."
- The Fourth Amendment to the Constitution of the
United States
On March 1st, 1990, Secret Service agents raided the offices of
Steve Jackson Games, a small role-playing game company. The agents
seized three computers, including one being used to run a bulletin
board, all company software in the proximity of these computers, and all
business records contained in the computers' storage.
Why would the government want to virtually shut down a game
company? Because Steve Jackson Games was just weeks away from
publishing a science-fiction role-playing game called Gurps Cyberpunk.
The game is set in a high-tech future society where the players use
human/computer interfaces to "enter" computer networks and infiltrate
(or hack) through defenses to valuable data. Playing the game does not
require the use of (or even the knowledge of how to use) a computer. A
Secret Service agent told Steve Jackson that the Gurps Cyberpunk playing
manual was a "handbook on computer crime." (Barlow).
As a result of losing their computing capabilities and data,
Steve Jackson Games temporarily shut down and had to lay off half of its
employees. For three months, the Secret Service retained the equipment
and data even though they had no evidence that the game or any other
Steve Jackson game violated any law. When some of the equipment was
finally returned in June, 1990, the Service kept the drafts of Gurps
Cyberpunk. The rest of the equipment was "lost." (Barlow).
According to the Fourth Amendment, the Secret Service agents
needed "probable cause" that criminal evidence will be at the scene of
the search to get a search warrant issued. The Fourth Amendment also
specifies that the search should be as narrow as possible (in other
words, the Secret Service should have known exactly what they were
looking for.) By taking all computer records, the Service not only
effectively shut Jackson down, but violated the Fourth Amendment.
The only "probable cause" that the Secret Service had for
seizing Jackson's computers was that Jackson had hired a former "hacker"
to work on Gurps Cyberpunk. A "hacker" is a member of an underground
subculture dedicated to breaking and entering computer systems. While
this is illegal, the hacker community in general frowns upon the
stealing of data for personal profit, but does it instead for bragging
rights and the thrill of gaining illicit access to a "guarded" area of
cyberspace. This is not unlike breaking the speed limit for kicks and
the excitement of defying authority. If this is indeed why the Service
raided Steve Jackson Games, this sets another frightening precedent
regarding privacy - will employers now check to see if applicants are
hackers along with the "normal" checks for arrest records? This may be
an effect that the Service was looking for. According to Steve Jackson,
the Secret Service suspected this staff member of wrongdoing at home,
not at Steve Jackson Games (Computer Underground Digest, 3.20).
At the time of this writing, the search warrant remained sealed.
If the object of the search, according to the warrant, was evidence of
the staffer's wrongdoing, only evidence of that crime should have been
retained. If the object was the game, the agents should have taken just
the hard copy and soft copy regarding Gurps Cyberpunk. By taking the
whole computer system of Steve Jackson Games, the FBI seriously hindered
the lawful commercial activities of the company. By holding the
computer equipment and software for three months, Steve Jackson Games
was almost put out of business. The non-relevant equipment and software
should have been returned promptly.
Along with the computer equipment and software seized, the
agents disconnected and confiscated Steve Jackson Games' BBS. A BBS,
or Bulletin Board System, is a centralized, information gathering and
dissemination point for many computer users. The BBS contains e-mail
from and for those users, who can access the system with their home
computer's modem through normal phone lines. Many users who don't
have network access through a university or the organization they work
for use a BBS to enter cyberspace. The BBS stores personal mail for
these users and enables them to read it when they are logged on. U.S.
postal mail is considered private. Electronic mail is the same as
physical mail in that it should be protected by the same privacy rights
that physical mail is. In the next section, the seizure of personal
mail is explored in detail.
Even though Steve Jackson Games did eventually publish Gurps
Cyberpunk, the company was hit hard by the loss of its information.
They had to recreate the game from rough drafts and memory. But, a
positive result did come out of the SJG case. Mitch Kapor, founder of
Lotus Development Corp, and associate John Perry Barlow, established the
Electronic Frontier Foundation (EFF) with the purposes of educating the
public about computer-based media and supporting litigation to extend
First Amendment rights into the computer world. The EFF intervened in
the Jackson case, pushing the government to restore SJG's equipment. In
April, 1991 the EFF in conjunction with Steve Jackson Games filed a
civil suit against the U.S. Secret Service and several of the
individuals responsible for the raid and the withholding of Jackson's
property. Unfortunately, at the time of this writing, more detail about
this precedent setting case was unavailable.
Although it will not set a legal precedent, there is a similar
case on the books. The Alcor Life Extension Foundation is an
organization that, for a large fee, will freeze an individual's body
upon death. In December, 1987, the Riverside County Coroner's Office
accused Alcor of hastening the death of cryogenic participant Dora Kent
by prescribing her a lethal dose of barbituates (Computer Underground
Digest, 1.04). In January 1988, law enforcement officers raided Alcor's
headquarters and confiscated its computer equipment. Like the Steve
Jackson Games case, the search warrant for the Alcor foundation did not
specify what information that should have specifically be confiscated.
The section of the warrant pertaining to computer seizures follows:
All electronic storage devices, capable of storing
electronic data regarding the above records, including magnetic
tapes, disk (floppy or hard), and the complete hardware
necessary to retrieve electronic data including CPU (central
processing unit), CRT (viewing screen), disc or tape drives,
printer, software, and operation manuals for the above said
computer, together with all handwritten notes or printed
material describing the operation of the computer
(Computer Underground Digest, 1.04).
In other words, the officers were directed to seize all
computers and computer equipment from the Alcor site. Even though the
warrant states that only computer equipment "...capable of storing
electronic data regarding the above records..." should be seized, this
can be interpreted as a warrant to seize all computer equipment because
any equipment is capable of holding data about Dora Kent. So once
again, the warrant was very wide reaching and vague, exactly what the
Fourth Amendment is supposed to protect against.
But in this case, the issue became more focused. H. Keith
Henson, a member of Alcor, claimed that personal e-mail belonging to
himself and 13 other Alcor members was "stolen" by the raiding officers.
Although Henson repeatedly tried to get the court to turn over the
private e-mail, on the account that it had no relevance to the Dora Kent
case, they would not return it. So Henson and his group sued the FBI
for not intervening on their behalf in this case (Computer Underground
Digest, 1.04).
The stealing of private e-mail like in the Alcor case is another
precedent that can have dangerous repercussions. This is the equivalent
of law enforcement officers obtaining a search warrant for a post office
because some of its employees were suspected of illegal activities, and
proceeding to seize all mail contained in the post office and reading
it, and not returning it to its intended recipients.
At the time of this writing, Alcor case was settled out of
court. The result of the settlement was not available.
As we can see from these examples, there is a fundamental
difference in how the legal community in the U.S. views printed and
electronic media. Print media is protected by the First Amendment;
electronic media is not. This is a difference that should not exist.
Almost all newspapers and magazines exist in electronic form before they
are printed. Electronic digests follow the same process, but they leave
out the final step - the actual printing. There have been cases of
electronic hacker magazines being shut down for publishing hacked
(stolen) documents.
However there is a hacker magazine called 2600 that doesn't
leave out the final step. Printed, not electronic, copies are sent to
subscribers. 2600 has included similarly hacked documents, but has
never been accosted. According to 2600 editor Emmanuel Goldstein, it is
because of the physical printing, "I've got one advantage. I come out
on paper and the Constitution knows how to deal with paper." (Barlow).
Computer based media and e-mail should have the same Constitutional
protection as the written word. But it doesn't. Why not?
We can answer this question by tracing history back to the late
1700's when the Framers were writing the Constitution. They had no
concept of computers or electronic communication at its current level.
Because of this excusable lack of foresight, the Constitution and Bill
of Rights do not contain specific provisions for computer based speech
and the computerized press. In fact, the word "press" implies the
printed press, not actual process of disseminating information to large
numbers of people. In the Fourth Amendment, an individual's "papers"
are safe from unreasonable search and seizure. Electronic, or
unprinted, "papers" are not specifically protected. In strict
interpretations of the Constitution, electronic media are not protected.
Of course, this is nonsense since the only difference between an article
in a newspaper or magazine and an article stored electronically, that is
intended to be printed, is the act of printing.
Using the Steve Jackson Games and Alcor cases as a basis,
it is proposed that the following guidelines be legislated:
1) If computer information is to be seized, the search warrant
must explicitly describe the data sought. The officers
carrying out the search should seize only the storage devices
(floppy disk, hard disk, magnetic tape) holding this
information.
2) If the storage device(s) seized contain other information as
well as the data described by the warrant, the wanted data
should be copied them the storage device should be promptly
returned.
3) If any electronic mail is confiscated, only the pieces from
or to suspects of the crime should be read. The rest should
be promptly returned unread to the addressees.
By following these guidelines, we can avoid many violations of
individual privacy that the Constitution, in its current wording,
allows. In the final section a somewhat radical step to help our
society into the information age is recommended.
IV: Where Do We Go From Here?
The untamed electronic frontier is an intimidating domain for
the computer illiterate. Many view this mysterious technology as
responsible for whittling away their personal rights and privacy. Thus
they find it fearful and intimidating. Ironically, the only way that
the electronic frontier can "dehumanize" an individual is if that
individual is ignorant of what it really is. We've seen that we can't
continue to function at our current level of society without computer
technology, but unless the users of this technology are monitored, they
can use it to invade the privacy of individuals. If the general
populace is educated, they will have the background to challenge these
intruders.
But where do we start? As we have seen before, the outdated
wording of the Constitution promotes this dread image of computers and
electronic media. Perhaps a good place to start would be with the
Constitution. The current wording of the Bill of Rights is archaic, and
it represents the mind-frame that many people still have. Computer
technology and cyberspace must not be viewed as separate from or outside
of laws protecting free speech and privacy.
The First and Fourth Amendments don't explicitly mention
electronic media. They should regard rights in the electronic world of
cyberspace as just as important as those in the physical world. A new
amendment stating that the rights guaranteed by the First, Fourth, and
any other amendment for that matter, apply to cyberspace would prevent
many of the violations we have discussed from happening. (As the final
revision of this paper was about to be printed, word was received that
Laurence Tribe of Harvard Law School had proposed discussion of just
such an amendment. However, this author's proposal was developed
independently of Tribe's.)
If a new amendment is a step too far, then legislation and
precedent setting legal decisions must be made. There seems to be a ray
of hope in the Steve Jackson Games case, but it will take several such
cases to approach the benefit of a Constitutional amendment.
The global village is just around the corner. Whether it is a
technological utopia of peace and freedom or an aspect of Orwell's
"1984" depends on decisions made now.
Bibliography
Article One: An Overview, (2600 Magazine, Spring 1990), pp.1-10.*
Burnham, David, The Rise of the Computer State, (1980, Vintage
Books).
Barlow, John Perry, Crime and Puzzlement. **
Computer Underground Digest, Volume 1.04, April 11th, 1990. *
Computer Underground Digest, Volume 3.20, May 12, 1991.*
Consumer Reports, "What Price Privacy," (May, 1991, pp. 356-360).
Epstein, Aaron, "The Shadow of Your File," The Progressive, (v47,
Jun., 1983), p. 17.
Fisher, Lawrence M., "Lotus Database Cancelled," (New York Times,
Jan 24, 1991), p. C3.
Gordon, Diana R. and Churchill, Mae, " 'Triple I' Will Be Tracking
Us," The Nation, (New York, v238, April 28, 1984), pp. 497, 513-
515.
Kleinfield, N.R., "The Man With All The Numbers," New York Times,
Sunday, April 14th, 1991.
Markoff, John, "Europe's Plan to Protect Privacy Worry Business,"
New York Times, Thursday, April 11th, pp. D1, D5.
Pool, Ithiel de Sola, Technologies of Freedom, "On free speech in
an electronic age," (1983, Harvard University Press).
Science Court Opinions - Case 6: Computer Privacy, Omni, (New
York, Jan. 1988, v10), pp. 99-100.
Wilson, Kevin, The Technologies of Control, (1988, University of
Wisconsin Press).
* These are electronic publications. If copies cannot be found,
feel free to contact the author.
** This document was originally disseminated electronically, then
was published in Harper's Magazine. The author used the
original version.