University of
Florida Journal of Law and Public Policy
Fall, 1999
Note
PRIVACY AND THE
INTERNET: WELCOME TO THE ORWELLIAN WORLD
Allegra Knopf [FNa1]
Copyright © 1999
University of Florida Journal of Law and Public Policy;
Allegra Knopf
I.
CONSTITUTIONAL PROTECTION .... 81
A. Traditional Analysis .... 81
B. Katz in Cyberspace ...... 83
C. Technological Analysis .. 86
II. STATUTORY PROTECTION ......... 88
A. Interception ............ 89
B. Stored Communications ... 91
C. Provider Exceptions ..... 93
III.
RECOMMENDATIONS .............. 95
A. Encryption .............. 95
B. Passwords ............... 98
A recent
Federal Trade Commission report found 87% to 97% of Internet Web sites
collected personal information from those who accessed those sites, [FN1] but very few had
any policy concerning disclosure of the information collected. [FN2] Intel's new
Pentium III chip, which contains a Processor Serial Number capable of
disclosing a browser's identification, will ease the ability of Internet
providers to compile information regarding users and may enable tracking of a
browser's activity. [FN3] Even users of closed networks are
subject to scrutiny. The National Institute for Occupational Safety and Health
found twenty-six million workers were subject to computer surveillance. [FN4] Not
surprisingly, members of Congress and privacy groups have called for legislation to protect activity
on a computer network from unwarranted monitoring. [FN5] Nevertheless,
federal law lacks comprehensive protection. Courts have been left to rely on
common law interpretation of the Fourth Amendment [FN6] and
interpretation of Title III of the Omnibus Crime Control and Safe Streets Act
of 1968, as amended by The Electronic Communications Privacy Act of 1986;
collectively referred to as The Federal Wiretap Statute. [FN7]
The
malleability of the Fourth Amendment and the limitations of the federal wiretap
statute have led to inconsistent results regarding similar claims. The lack of
comprehensive law also has resulted in technologically driven outcomes to legal
disputes. Thus, as computer technology improves the ability to monitor other
users' activity, the privacy that courts award those users diminishes. This
decrease in privacy has favorable results when monitoring leads to locating and
prosecuting criminal activity, but has potentially detrimental effects when
monitoring leads to divulgence of an innocent user's private communications.
This Note explores the current state of federal law applicable to
computer communication privacy. [FN8] Part I discusses the application of
the Fourth Amendment to computer privacy concerns. Part II explores the federal
wiretap statute and its limitations. Part III concludes with a discussion of
how legislation may enhance computer privacy.
I. CONSTITUTIONAL
PROTECTION
The
Fourth Amendment protects individuals against unreasonable searches and
seizures. [FN9] The extent of
the Amendment's protection has changed as American society's values have
evolved. Whether technology alters society's values and thereby alters Fourth
Amendment protection is not clear. [FN10]
A. Traditional
Analysis
In
Katz v. United States, [FN11] the United States Supreme Court
considered whether the government's eavesdropping and recording of a criminal
defendant's conversations from a telephone booth violated any right to privacy
the defendant possessed with regard to those conversations. [FN12] The Court found
the defendant did have a right to private telephone conversations and the
government violated his right. [FN13] According to the Court the wiretap
was, in effect, a search and seizure subject to the restrictions of the Fourth
Amendment. [FN14] The Court held
the Fourth Amendment prohibition against unreasonable searches and seizures
protected a person's privacy where that person had a reasonable expectation of
privacy. [FN15] Justice Harlan's
concurring opinion introduced the two-fold test later used to determine when a
reasonable expectation of privacy existed: First, did the person have a
subjective expectation of privacy; and, second, was that expectation objectively reasonable? [FN16]
Where a defendant had a reasonable expectation of privacy, government
intrusion constituted a search and seizure under the Fourth Amendment. [FN17] A search and
seizure triggered the Fourth Amendment requirement that the search be
"reasonable." [FN18] (If the search was not reasonable,
the evidence obtained from the search was excluded under the Fourth Amendment.)
[FN19] Reasonableness,
in turn, required probable cause as expressed in a warrant, or circumstances
permitting an exception to the warrant, prior to a government search. [FN20] Katz held that a
reasonable expectation of privacy did not attach to that which a person knew
was susceptible to public exposure. [FN21] As a result, an examination of
anything to which a defendant could not attach a reasonable expectation of
privacy did not offend the Constitution because it did not constitute an
unreasonable search under the Fourth Amendment. [FN22]
In
O'Connor v. Ortega, [FN23] the United States Supreme Court
applied Katz to determine the extent of privacy an employee reasonably could
expect. [FN24] In that case, a
state employer conducted a search of an employee's office as part of an
investigation of alleged employee misconduct. [FN25] The Court distinguished those areas
and materials to which many people had access from the employee's office, where
only the employee's invitees may have had access, and where the employee
retained materials that were unrelated to the
employer's business. [FN26] The Court held that materials the
employee retained in his office which he did not share with other employees or
the employer were private. [FN27] As a result, the employer was not
entitled to examine those materials and violated the Fourth Amendment when it
did so. [FN28] The Court
included the employee's personal correspondence in the materials to which the
employee had a reasonable expectation of privacy. [FN29]
The
Katz analysis worked well in those cases where society established agreed upon
parameters. Such parameters distinguished, for example, an employee bulletin
board which was not private, even if private material was posted on it, from an
employee's handbag, the contents of which remained private. [FN30] Where society
has not established agreed upon parameters, as in cyberspace, the Katz analysis
lacks consistent application. [FN31]
B. Katz in
Cyberspace
Cyberspace presents privacy problems because it is accessible by many.
Since anyone can log onto the World Wide Web, an expectation of privacy on the
Web is not reasonable. On the other hand, where a network is limited to
specified users, or one is sending a message to a discrete address, an
expectation of privacy may be reasonable.
In
United States v. Simons, [FN32] a government employer discovered that an employee was using his computer at work
to access the Internet and download pornography. [FN33] The employer
made the discovery after the network manager (who claimed merely to be checking
system capabilities at the time) checked logs of Internet connections and used
the keyword "sex" to find inappropriate connections made to the
Internet. [FN34] Using the Katz
analysis as employed in O'Connor, the district court interpreted O'Connor to
require reasonableness when an employer conducted a search rather than probable
cause as required in a law enforcement search. [FN35] The court found
that the employer's searches of the employee's hard drive, initially from a
remote computer, were reasonable since the employer had reason to suspect the
employee was engaging in misconduct. [FN36] The court found that the remoteness
of the initial search indicated the search was reasonable in light of O'Connor
"because there was no entry into Defendant's office." [FN37] Thus, under the
Simons analysis, surveillance of employees by computer creates no Fourth
Amendment violation.
The
Simons court found the initial search of the employee's computer was valid
under the O'Connor reasonableness standard. [FN38] As a result, the court held the
evidence obtained thereby was admissible in a subsequent criminal proceeding
against the employee. [FN39] The court rejected the employee's
contention that evidence obtained from searches conducted without a warrant was
inadmissible in the criminal case because: 1) the employer and its investigators conducted the search; 2) the
employer had a policy of monitoring computer activity; and 3) the employee
could not objectively expect privacy when engaging in activity over the
Internet. [FN40]
Under different circumstances, courts have upheld employee privacy on
the Internet. In McVeigh v. Cohen, [FN41] the district court granted an
employee's motion for an injunction to remain in the United States Navy pending
litigation of his privacy claim. [FN42] A Navy volunteer who subscribed to
America Online (AOL) deciphered from an e-mail she received (from a user named
"boysrch") and AOL's member profile directory that the sender was
enlisted in the military and was homosexual. [FN43] The Navy then contacted AOL to
obtain information linking the e-mail and profile to McVeigh, who was enlisted
in the Navy. [FN44] The Navy began
proceedings to discharge McVeigh for violating the "don't ask, don't
tell" policy because his AOL profile referred to his homosexuality. [FN45]
The
court concluded that the Navy violated McVeigh's privacy and engaged in illegal
discovery when it obtained information from AOL without a warrant. [FN46] Rather than
considering anything placed on the Internet to be public and therefore not
subject to an objective expectation of privacy, the court held McVeigh's e-mail
signed "boysrch" was private and anonymous. [FN47] The court railed
against the Navy for conducting what it considered an unreasonable
investigation into an enlisted man's private life. [FN48]
In another military case, United States v.
Maxwell, [FN49] the United
States Court of Appeals for the Armed Forces held that a reasonable expectation
of privacy existed where Maxwell, an AOL subscriber, used different passwords
and screen names to remain anonymous. [FN50] The Air Force court-martialed the
defendant after the FBI learned he had transmitted indecent e-mail. [FN51] The court agreed
with Maxwell that AOL violated his Fourth Amendment rights by divulging his
Internet activity to the FBI. [FN52] The court concluded that the
content of Maxwell's e-mail and the fact that it was transmitted by a privately
owned network (AOL) indicated he had a reasonable expectation of privacy. [FN53]
Unlike Simons, McVeigh and Maxwell were off duty when they used their
computers to engage in the communications at issue. [FN54] The different
contexts in which the claims in Simons, McVeigh, and Maxwell arose indicate
that employees' constitutional privacy to computer communications depends upon
a variety of factors such as when and where employees access the Internet, what
steps employees take to hide their identities, and the reasonableness of the
actions their employers take to discover their identities. McVeigh and Maxwell
are rare, however, in the broad protection they afforded the employee. More
often, courts have held the nature of computer technology destroys privacy
expectations.
Katz noted that the Fourth Amendment protects people, not places. [FN55] Nevertheless,
courts have entertained a place-oriented approach in concluding that cyberspace
is a place where no privacy exists. [FN56] Where bulletin boards are at issue,
the privacy analysis involves a simple analogy of computer bulletin boards with
traditional bulletin boards posted in public places. [FN57] As a result,
courts have upheld searches against Fourth Amendment privacy claims where law
enforcement searched computer bulletin boards for illegal activity. [FN58]
Courts also have treated chat rooms as public places which do not
provide an objective expectation of privacy. [FN59] In United States v. Charbonneau, [FN60] the court upheld
a search conducted after Florida Department of Law Enforcement officers
monitored and recorded conversations that took place in an AOL chat room which
indicated users were trading child pornography. [FN61] The officers
traced the defendant (who was supplying the chat room users pornography) to
Ohio where they conducted a search of his home. [FN62] The court
summarily rejected the defendant's claim of privacy in the chat room. [FN63]
While it may seem obvious that bulletin boards and chat rooms are
sufficiently public that a reasonable person could not entertain expectations
of privacy, where the privacy of e-mail is at stake, the determination of what is public and what is private becomes
difficult. In Charbonneau, for example, the court struggled with the Fourth
Amendment analysis as applied to e-mail. [FN64] The defendant had sent the
pornographic material at issue via e-mail. [FN65] The court allowed the place to
determine the extent of privacy. [FN66]
Although the court noted that e-mail was the equivalent of posted mail,
it held that mail sent by computer diminished the sender's Fourth Amendment
rights "incrementally." [FN67] The court distinguished mail sent
from mail received. [FN68] It held that once transmission of
e-mail took place, all privacy attached to it vanished, and users of the
Internet transmitted e-mail at the risk of law enforcement intercepting and
using the e-mail against the sender. [FN69] The court's analysis hinged upon
the defendant's use of a chat room to send mail. [FN70] To support its
analysis, the court looked to Hoffa v. United States, [FN71] where the Court
held statements overheard by an undercover agent were not private. [FN72] In other words,
e-mail seen by government agents was akin to overhearing a conversation. [FN73]
E-mail seized incidental to computer seizure also lacks protection. The
courts have allowed technology to form the analysis where e-mail is not a part
of the crime but incidental to it. In Davis v. Gracey, [FN74] for example, law
enforcement officers seized computer equipment used to transmit obscene CD-ROM
images via a bulletin board. [FN75] Private subscribers used the bulletin board to communicate. [FN76] The officers
seized a computer that contained 150,000 e-mail messages which subscribers had
posted but which had not been read by the addressees. [FN77] The defendant
alleged the e-mail was the private correspondence of the bulletin board users
and not subject to the search. [FN78] The defendant also noted that there
was no probable cause to justify a search of e-mail that was not connected to
the crime alleged to have occurred. [FN79] Nevertheless, the United States
Court of Appeals for the Tenth Circuit held that since the computer was an
instrumentality of the crime, everything within it was subject to a search. [FN80] In discussing
the legality of incidental seizure of e-mail, the court noted "the obvious
difficulties attendant in separating the contents of electronic storage from
the computer hardware during the course of a search." [FN81]
The
foregoing indicates that traditional Fourth Amendment analysis provides little
protection for communications in cyberspace. Although the Fourth Amendment's
protection is limited, federal wiretap law protects against wrongful
interception and access of computer messages. [FN82] As the discussion below indicates,
the federal wiretap law is complicated and counsel often err in the portion of
the wiretap law they invoke or the protection they believe the wiretap law
provides. Therefore, it is critical for practitioners to study carefully the
federal wiretap statute and cases interpreting it to determine what portion of the statute, if any,
applies to their case.
II. STATUTORY
PROTECTION
Following Katz, Congress enacted Title III of the Omnibus Crime Control
and Safe Streets Act of 1968 (the federal wiretap statute). [FN83] The federal
wiretap statute, in part, provided criminal and civil penalties for the
intentional, unauthorized interception or disclosure of a private
communication. [FN84] Congress
intended the federal wiretap statute to codify the reasonable expectation of
privacy principle which the Court had enunciated in Katz. [FN85]
When Congress enacted the federal wiretap statute, it was concerned with
illegal wiretaps on telephones, the issue Katz had presented. [FN86] As a result, the
federal wiretap statute only applied to "aural" interception and did
not contemplate digital communication. [FN87] As electronic communication
developed, Congress rectified the federal wiretap statute's limitation by
enacting the Electronic Communications Privacy Act (ECPA) in 1986. [FN88] The ECPA added
communication by electronic means to those communications the federal wiretap
statute protected. [FN89] In addition, Congress enacted the
"Stored Communications Act" [FN90] in 1986 to punish the unauthorized,
intentional access of information stored following its electronic transmission.
A. Interception
Title I of the ECPA [FN91] addresses interception. An
interception under the statute requires receiving or recording the
communication while it is being transmitted. [FN92] As a result, retrieving communication
already sent, such as voice mail or pages, is not an interception. [FN93]
Similarly, there is no interception if e-mail is retrieved after it
reaches its destination. [FN94] In Steve Jackson Games, Inc. v.
United States Secret Service, [FN95] the Secret Service seized a
computer as part of an investigation of an unauthorized distribution of Bell
Company text files. [FN96] The seized computer operated a
bulletin board containing private subscriber e-mail that was unrelated to the
offense originally investigated. [FN97] After the Secret Service read and
deleted the private e-mail, the bulletin board provider alleged the Secret
Service violated Title I of the ECPA prohibiting the unlawful interception of
electronic communications. [FN98] Because the Secret Service did not
access the e-mail contemporaneously with its transmission, but accessed it
after it reached its destination, the United States Court of Appeals for the
Fifth Circuit held the Secret Service did not violate Title I of the ECPA. [FN99]
The
ECPA is not a strict liability statute. Liability under the statute does not
exist unless the offender had intent (or knowledge if the violation was disclosure) [FN100] and the offender
intruded upon a reasonable expectation of privacy. [FN101] As a result,
inadvertent access to e-mail is not an offense under the statute. [FN102] In Wesley
College v. Pitts, [FN103] for example, the court refused to
find a systems operator guilty of interception when he read e-mail someone
accidentally sent to his station for printing. [FN104] In another case,
the court held no liability existed where there was insufficient evidence to
prove the alleged offender acted "deliberately and purposefully." [FN105]
Whether a privacy interest existed when the interception occurred
depends upon whether the sender had a reasonable expectation of privacy. [FN106] In Wesley v.
WISN Division, [FN107] the court
addressed interception of verbal communications and held the reasonableness of
a privacy expectation depended upon the probability of interception. [FN108] Therefore,
employees who shielded their conversations from being overheard by speaking in
hushed tones could reasonably expect the conversations to remain private and
would receive privacy protection. [FN109]
This reasoning, when applied to computer communications, allows
technology to diminish privacy because it is reasonable to expect that
communications on a network may be intercepted by the network provider and
other network users in the absence of encryption or password protection. Where
an employer has the ability to access employee terminals via a network, the
employee does not have a reasonable
expectation of privacy. [FN110] If, however, a court uses the
reasoning of Charbonneau, that communication sent over a network is akin to a
letter being mailed, then a reasonable expectation of privacy does attach to
computer communications en route to their destination. [FN111] An interception
also is not a violation if there was consent, which may be implied. [FN112] Those who work
in places where recording communications is routine, such as a police station,
are deemed to have consented to interception. [FN113]
B. Stored
Communications
Title II of the ECPA [FN114] addresses stored communications. [FN115] Accessing stored
communications is not an interception and, therefore, does not impose liability
under Title I of the ECPA. [FN116] The protection Title II provides
stored communications is different and narrower than the protection Title I
affords communications in transit. [FN117] First, mere unauthorized access
does not create liability. [FN118] Second, electronic communications
service providers are excluded from liability under Title II unless a provider
knowingly divulges the contents of a stored communication in a manner not
permitted. [FN119]
Title II permits electronic communications service providers to divulge
contents of a stored communication for a variety of reasons, including divulging the communication to law enforcement
authorities if the service provider accidentally locates information which
appears to pertain to criminal activity. [FN120] In addition, "contents"
of an electronic communication, as used in Title II, has a narrow meaning. In
Jessup-Morgan v. America Online, Inc., [FN121] the court held that
"contents" consisted of the substance of a communication and not user
identification. [FN122] At issue was
AOL's disclosure, pursuant to a subpoena, of a user's identification and
profile. [FN123] The court used
an exception in Title II which allows a service provider to disclose subscriber
information "to any person other than a governmental entity," and
held that the disclosure did not violate Title II of the ECPA. [FN124]
Unauthorized access of an electronic communications service facility is
a violation under Title II of the ECPA, but accessing an individual's private
communication is not. [FN125] The narrow scope of Title II of the
ECPA prohibits only an electronic communications service provider from
disclosing contents of a communication. [FN126] It does not prohibit a private
party from disclosing the stored communications of another. [FN127] This dichotomy
has resulted in the leakage of information with potentially harmful results. [FN128]
In
Anderson Consulting LLP v. UOP, [FN129] for example, adversary litigants
published e-mail belonging to Anderson Consulting without its consent in the Wall Street Journal. [FN130] The court held
that the parties who published the information, UOP and its lawyers, were not
liable because they were not electronic communications service providers within
the meaning of Title II of the ECPA and, therefore, were not barred from
disclosing stored communications. [FN131] The disclosed e-mail had been
stored on UOP's network while Anderson was working on UOP's system. [FN132] The court held
that a company-wide network did not qualify as an electronic communications
service provider because it did not provide communication services to the
public at large. [FN133] As noted below, however, the
electronic communications service provider requirement of Title II of the ECPA
is open to interpretation.
C. Provider
Exceptions
The
ECPA does not define what an electronic communications service provider is. [FN134] Coverage under
both titles of the ECPA depends upon whether the party who engaged in the
proscribed action was an electronic communications service provider. [FN135] Title I of the
ECPA excludes from its coverage prohibiting interception "an operator ...
or an officer, employee, or agent of a provider of wire or electronic
communication service ... while engaged in any activity which is a necessary
incident to the rendition of his service." [FN136] Title II of the
ECPA has a similar provision excluding electronic communications service providers from its
prohibition against accessing stored communications, but allows anyone, except
an electronic communications service provider, to divulge stored
communications. [FN137]
The
lack of a definition of electronic communications service provider and the
importance of an offender's status as a service provider has resulted in
inconsistent interpretations. [FN138] In Anderson Consulting, the court
held that a company's network had to be available to the public at large in
order for the company to be a service provider. [FN139] In Bohach v.
City of Reno, [FN140] the court did
not consider public access to a network necessary to qualify the network
provider as an electronic communications service provider under the ECPA. [FN141] The variance in
statutory interpretation, in turn, has led to inconsistent holdings. In
Anderson, the court applied a definition of electronic communications service
provider which enabled a network provider to leak information under Title II by
defining provider so narrowly that the network provider did not come under the
ECPA's prohibition against providers divulging contents of stored information. [FN142] In Bohach,
however, the court defined electronic communications service provider so
broadly (anyone who provides personnel with the ability to send or receive
electronic communications) that a police department was held to be a provider
and, as a result, was not liable for accessing the stored communications of its
employees. [FN143]
The manipulation of definitions and
statutory provisions can reduce privacy for employees. If a court deems an
employer who supplies the means of electronic communication to be a provider,
then that employer can access its employees' stored messages and use them in
subsequent actions against an employee. [FN144] In United States v. Mullins, [FN145] the court held
American Airlines was an electronic communications service provider and did not
act unlawfully when it monitored activity over the SABRE network. [FN146] The court held
this was the case even though American Airlines did not own SABRE, but simply
provided its agents access to the SABRE system which other airlines also used. [FN147] The court's
purpose in defining American Airlines as an electronic communications service
provider was to uphold American's actions in locating and prosecuting illegal
activity which the defendants had conducted by using SABRE. [FN148]
Together, Anderson, Bohach, and Mullins reveal the failure of federal
law to provide consistent electronic privacy protection. Whether an entity is a
provider within the meaning of the ECPA depends upon what definition of
electronic communications service provider a court uses. Until the ECPA is
amended to define electronic communications service provider, the outcome of
cases will vary from court to court.
III.
RECOMMENDATIONS
Statutory amendment is needed to clarify the
meaning of an electronic communications service provider and to clarify when
computer communications are subject to a reasonable expectation of privacy.
Reliance on the ECPA, as currently enacted, leads to inconsistent results.
Reliance on the Fourth Amendment lacks certainty. Although the Fourth Amendment
has succeeded in permitting changes in privacy rights as those changes have
been needed for social advancement, the Fourth Amendment runs the risk of
becoming subordinate to technology if courts continue to hold no privacy exists
where technology makes privacy difficult to maintain.
A. Encryption
To
avoid such an outcome and provide some stability, members of Congress have
begun drafting legislation. [FN149] One proposed bill, the Security and
Freedom through Encryption (SAFE) Act, seeks to amend Title 18 of the United
States Code to permit encryption for lawful use. [FN150] Cryptography
already has been successful in protecting confidential consumer transactions
and government activity. [FN151] It promises to provide the same
protection to individuals without sacrificing the government's ability to locate
and punish those engaged in illegal computer activity.
In
April 1999, the Senate incorporated SAFE into a larger proposed bill, known as
the Electronic Rights for the 21st Century Act. [FN152] This bill, like SAFE, would permit the use, sale and
purchase of encryption code. [FN153] In addition, it would tighten
warrant requirements for computer wiretaps and require notification to the
party whose communications would be monitored pursuant to a warrant. [FN154]
The
push in Congress to formulate and pass amendments to Title 18 which would
permit encryption reflects a growing consensus that technology should cure the
privacy problems which technology created by use of cryptography. [FN155] The utility of
encryption is that it 1) indicates that the person who knowingly communicates
by encrypted code has a subjective expectation of privacy; and 2) renders that
expectation of privacy reasonable since anyone who accesses the communication
must decode it to understand it. [FN156] Despite its utility, however, the
United States government has sought to control the extent to which encryption
code may be used, particularly where it could be used to hide the secrets of
foreign governments. [FN157]
In
Bernstein v. United States Department of State [FN158] and Karn v.
United States Department of State, [FN159] district courts considered
challenges to executive branch controls on the export of encryption code. The
Bernstein court held that encryption code is speech protected under the First
Amendment. [FN160] As a result, the
court held the government could not prohibit the commercial use of encryption
code because such a prohibition would be a prior restraint on speech in
violation of the First Amendment. [FN161] Conversely, the
Karn court held regulation of encryption code was a constitutionally
permissible method of protecting national security. [FN162] It held the
regulations at issue were not based on the contentof the code, but security
concerns, and therefore did not implicate the First Amendment. [FN163] The only
appellate case addressing the issue to date is a decision from the United
States Court of Appeals for the Ninth Circuit which affirmed Bernstein and
stated in dicta that there may be a Fourth Amendment right to encrypt
communications. [FN164] A few months
after the Ninth Circuit issued its opinion, however, it withdrew the same
opinion and ordered that the case be reheard. [FN165]
Legislation proposed by Congress pertaining to encryption does not
prohibit executive branch control over the use of encryption technology
involving foreigners. [FN166] It does not set boundaries on the
government's ability to control use of encryption where the government claims
national security may be at stake. The proposed legislation also fails to
resolve ambiguities in current provisions of Title 18, like the electronic
communications service provider exception. The most serious drawback of the
proposed legislation is its failure to address warrantless searches. Congress
has not attempted to define public and private boundaries of computer
transmissions which could assist courts in determining whether a defendant has
a reasonable expectation of privacy. Instead, Congress has proposed legislation
that would increase the facilities which
could disclose information, [FN167] and looked to the use of warrants
and encryption to protect users against surveillance. [FN168] Congressional
efforts to address warrantless searches have failed to produce any drafted
legislation, [FN169] and legislation
currently under consideration does not even create any presumption of privacy
where encryption or passwords are used.
The
executive branch, in turn, has requested Congress consider its version of a
cyberspace bill entitled, The Cyberspace Electronic Security Act of 1999
(CESA). [FN170] CESA, while
acknowledging the importance of encryption for privacy, is concerned primarily
with decrypting communications related to criminal activity. [FN171] CESA would
permit law enforcement officers to decrypt data or communications without a
warrant, as long as the officers could obtain a warrant within forty-eight
hours of decryption, thereby reducing privacy in cyberspace. [FN172] Because Congress
has not agreed upon what rules should govern encryption, courts will have to
decide whether encryption is a legally permissible manifestation of an
expectation of privacy or a legitimate way to protect an existing right to
privacy.
B. Passwords
Password protection is another method by which technology can solve the
privacy problems which technology created. An attempt to prevent access to computer records or communications by password
protection may create a presumption that the user had a reasonable expectation
of privacy, but courts have not been consistent in their treatment of attempts
to protect privacy. [FN173] In Sega Enterprises, Ltd. v.
MAPHIA, [FN174] the court
rejected the contention that a bulletin board's password requirement protected
it from unauthorized access. [FN175] In United States v. Maxwell, [FN176] however, the
court found use of an alias indicated the user had a reasonable expectation of
privacy. [FN177] A statute which
recognizes an attempt to keep communications or data private (by the use of
passwords, aliases or encryption) as a manifestation of an expectation of
privacy; while punishing those who conceal illegal activity, would enable
courts to punish intrusive surveillance without sacrificing law enforcement
objectives.
Currently, neither Fourth Amendment principles nor federal statutes
provide protection that is comprehensive or consistent. Comprehensiveness and
consistency can be achieved through statutes that define computer users'
rights, the limitations of those rights, and remedies for the wrongful access
or use of computer communications. Given the increasing reliance upon computers
and the increasing ability to access computers, it is imperative that a
coherent set of rules regarding access to and use of private computer records
and transmissions be developed. Without a coherent set of rules, unrestrained
intrusion into private computer records or communications will continue to cause litigious and harmful results for unwary
computer users. These unfortunate results could lead computer users to distrust
the utility of computers to store or transmit private information.
[FNa1]. This note is dedicated to James
Kodilla for teaching me the importance of constitutional protection and
encouraging my study of law. This note received the Barbara W. Makar writing
award for Fall 1999.
[FN1]. See FEDERAL TRADE COMM'N, PRIVACY
ONLINE: A REPORT TO CONGRESS 23 (June,
1998) <http://www.ftc.gov/reports/privacy3/priv-23a.pdf>.
[FN2]. See id. at 27.
[FN3]. See Complaint and Req. for Inj.,
CENTER FOR DEMOCRACY & TECHNOLOGY, 1-2 (Feb. 26, 1999)
<http://www.cdt.org/privacy/intelcomplaint.shtml>. The Pentium III chip
is not the first to raise concerns about computer privacy. See Wyman P.
Berryessa, Escrowed Encryption Systems: Current Public Policy
May Destroy Valued Constitutional Protections, 23 U. DAYTON L. REV. 59, 68
(1997). The Clipper Chip, which the government designed to protect
computer privacy by encrypting communications, was abandoned following a storm
of protest. See id. at 67-68. The public
rejected the Chip because it was designed to enable the government to monitor communications to and
from a computer in which the Chip was installed by a mechanism called the Law
Enforcement Access Field (LEAF). See id. at 67. Civil rights and privacy groups
worried that the government would require all computers to be manufactured with
a Clipper Chip, resulting in unprecedented government monitoring of personal
communications. See id. at 67-68.
[FN4]. See 139 CONG. REC. S6122 (daily
ed. May 19, 1993) (statement of Sen. Simon).
[FN5]. See id.; 139 CONG. REC. E1077-78
(daily ed. Apr. 29, 1993) (statement of
Rep. Williams); Electronic Privacy Information Center, Protect Your PC's
Privacy (visited Feb. 27, 1999) <http://www.bigbrotherinside.com>.
[FN6]. See U.S. Const. amend. IV. "The right
of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated ...." Id.
[FN7]. See 18 U.S.C. § §
2510-2521 (1998).
[FN8]. For information regarding state
privacy law, see Kevin J. Baum, E- Mail in
the Workplace and the Right of Privacy, 42 VILL. L. REV. 1011, 1018-21 (1997);
see also Lyrissa Barnett Lidsky, Prying, Spying and Lying: Intrusive Newsgathering
and What the Law Should Do About It, 73 TUL. L. REV. 173, 193- 216 (1998) (discussing
common law privacy claims).
[FN9]. See U.S. Const. amend IV.
[FN10]. See Frederick Schauer, Internet Privacy and the Public-Private
Distinction, 38 JURIMETRICS J. 555, 562-63 (1998) (arguing that
notions of privacy change as technology changes because technology changes our
expectations). The prospect of technology eradicating current notions of
privacy as technology enables greater access to information has caused concern
which some courts are beginning to discuss. See, e.g., United States v. Cusumano, 83 F.3d 1247, 1254
(10th Cir. 1996) (McKay, J., dissenting in part and concurring in part)
(discussing the Fourth Amendment problems which the use of thermal imaging to
conduct a search has raised):
[I]f we permit information obtained by thermal imaging to be considered
waste, abandoned, or to be characterized as having some other non-protected
legal status, then we not only permit unwarranted invasions by the police but
analytically destroy civil remedies against privacy invaders such as the
paparazzi and tabloid photographers. Our failure to draw the line at this first and primitive warrantless invasion would
make it particularly difficult to protect against the use of
"passive" devises of the future that would invade the privacy of our
chambers or that would re-create the full range of the activities in our homes
by way of computer-assisted images broadcast at the station house, at the
newsroom of the local press or television station, or on the Internet. This
modest parade of the horribles is not fanciful: Any user of the Internet or
follower of the news media is aware of the fact that the Brave New World is at
hand.
Id.; see also Wesley v. WISN Div., 806 F. Supp. 812, 814 (E.D.
Wis. 1992) (rejecting the plaintiff's privacy claim, but noting,
"we do not have to assume that as soon as we leave our homes we enter an
Orwellian world of ubiquitous hidden microphones").
[FN12]. See id. at 348-49.
[FN13]. See id. at 352-53.
[FN14]. See id. at 353.
[FN15]. See id. at 351-52.
[FN16]. See id. at 361. Subsequent use
of the reasonable expectation test occurred in: O'Connor v. Ortega, 480 U.S. 709, 718 (1987); California v. Ciraolo, 476 U.S. 207, 211 (1986); Oliver v. United States, 466 U.S. 170, 177 (1984); Smith v. Maryland, 442 U.S. 735, 740 (1979); United States v. White, 401 U.S. 745, 752 (1971).
[FN17]. See Katz, 389 U.S. at 353.
[FN18]. See Michelle Skatoff-Gee, Changing Technologies and the Expectation of
Privacy: A Modern Dilemma, 28 LOY. U. CHI. L.J. 189, 191 (1996).
[FN19]. See id.
[FN20]. See id. at 191 n.18.
[FN21]. See Katz, 389 U.S. at 351.
[FN22]. See Skatoff-Gee, supra note 18, at
191.
[FN24]. See O'Connor, 480 U.S. at 718.
[FN25]. See id. at 712-13. The Fourth Amendment
applied to the employer because the employer was a state hospital and,
therefore, a government entity subject to the limitations of the Fourth
Amendment as applied to the states under the Fourteenth Amendment. See id. at 714. The Court noted,
"The strictures of the Fourth Amendment, applied to the states through the
Fourteenth Amendment, have been applied to the conduct of governmental
officials in various civil activities." Id.
[FN26]. See id. at 718.
[FN27]. See id.
[FN28]. See id. at 719.
[FN29]. See id. at 718.
[FN30]. See id. at 716.
[FN31]. See Note, Keeping Secrets in Cyberspace: Establishing Fourth
Amendment Protection for Internet Communication, 110 Harv. L. Rev. 1591, 1599
(1997). "Because the architecture of cyberspace is
dissimilar to most conventional notions of place, analogizing cyberspace to a
place for purposes of the Fourth Amendment has serious limitations." Id.
[FN32]. 29 F. Supp. 324 (E.D. Va. 1998).
[FN33]. See id. at 326.
[FN34]. See id. at 325-26.
[FN35]. See id. at 327.
[FN36]. See id. at 328.
[FN37]. See id.
[FN38]. See id.
[FN39]. See id. at 325,
328.
[FN40]. See id. at 327-28.
[FN41]. 983 F. Supp. 215 (D.C. Cir. 1998).
[FN42]. See id. at 216.
[FN43]. See id. at 217.
[FN44]. See id.
[FN45]. See id. The court's opinion was
based upon its disagreement with the military's "don't ask, don't
tell" policy. See id. at 221.
[FN46]. See id. at 219-20. The warrant
requirement arose under 18 U.S.C. §
2703 of the Electronic Communications Privacy Act (ECPA) of
1986 discussed below. See id.
[FN47]. See id. at 219.
[FN48]. See id. The
court noted that statements posted on the Internet often lack reliability since
cyberspace "invites fantasy and affords anonymity ...." Id. When
referring to the Navy's failure to comply with the warrant requirement of the
ECPA, the court said in dicta, "In these days of 'big brother,' where
through technology and otherwise the privacy interests of individuals from all
walks of life are being ignored or marginalized, it is imperative that statutes
explicitly protecting these rights be strictly observed." Id. at 220.
[FN49]. 45 M.J. 406 (C.A.A.F. 1996).
[FN50]. See id. at 417.
[FN51]. See id. at 410, 414. The defendant
sent the offensive e-mail from his private computer at home. See id. at 411.
[FN52]. See id. at 422-23. Although the FBI
issued a warrant, AOL divulged to the government information that it had
compiled independent of the warrant, not pursuant to the warrant. See id. at 421.
[FN53]. See id. at 417. The court
compared e-mail to a telephone call and said:
[T]he maker of a telephone call has a reasonable expectation that police
officials will not intercept and listen to the conversation .... Drawing from
these parallels, we can say that the transmitter of an e-mail message enjoys a
reasonable expectation that police officials will not intercept the
transmission without probable cause and a search warrant.
Id. at 418 (citations omitted). The Maxwell
court also rejected the idea that e-mail files were subject to plain view
because they had to be opened prior to seeing the contents. See id. at 422.
[FN54]. See McVeigh, 983 F. Supp. at 219; Maxwell, 45 M.J. at 411.
[FN55]. See Katz, 389 U.S. 351.
[FN56]. See United States v. Charbonneau, 979 F. Supp. 1177,
1185 (S.D. Ohio 1997); Sega Enter. Ltd. v. MAPHIA, 948 F. Supp. 923, 930
(N.D. Cal. 1996).
[FN57]. See, e.g., Sega, 948 F. Supp. at 927-30, 939 (holding a
bulletin board operator was liable for copyright and trademark infringement
after posting pirated Sega software for downloading). The Sega court noted that
the bulletin board was open to the public
and, therefore, the bulletin board operator could not claim information stored
on it was private. See id. at 927, 930.
[FN58]. See Davis v. Gracey, 111 F.3d 1472, 1478-79 (10th Cir.
1997) (rejecting defendant's privacy
claim to seized computer equipment because the defendant used the equipment to
post pornographic material on a bulletin board).
[FN59]. See Charbonneau, 979 F. Supp. at 1185.
[FN60]. 979 F. Supp. 1177 (S.D. Ohio 1997).
[FN61]. See id. at 1179, 1184.
[FN62]. See id. at 1179.
[FN63]. See id at 1184. The court merely
stated, "Defendant did not have a reasonable expectation of privacy while
using AOL." Id.
[FN64]. See id.
[FN65]. See id. at 1179.
[FN66]. See id. at 1184.
[FN67]. See id.
[FN68]. See id.
[FN69]. See id. at 1184-85. The court
noted that privacy to the e-mail one sent diminished when received because the
recipient of the e-mail then could send it to others on the Internet. See id.
at 1185.
[FN70]. See id. The defendant in Charbonneau
also raised a First Amendment claim which the court rejected outright as
meritless. See id. at 1184. In light of Reno v. ACLU, 521 U.S. 844, 117 S. Ct. 2329, 2345,
2351 (1997), material transmitted by Internet which is offensive
but may not be obscene, is protected under the First Amendment.
[FN72]. See Charbonneau, 979 F. Supp. at 1184.
[FN73]. See id. at 1184-85.
[FN74]. 111 F.3d 1472 (10th Cir. 1997).
[FN75]. See id. at 1476.
[FN76]. See id. at 1475.
[FN77]. See id. at 1476.
[FN78]. See id.
[FN79]. See id. at 1480.
[FN80]. See id.
[FN81]. Id. The court compared the
computer to a container used to store contraband. See id.
[FN82]. See 18 U.S.C. § §
2510-2521 (1998).
[FN83]. See 18 U.S.C. § §
2510-2520 (1998).
[FN84]. 18 U.S.C. §
2511 (1998).
[FN85]. See Skatoff-Gee, supra note 18, at
197.
[FN86]. See Thomas R. Greenberg, E-Mail and Voice Mail: Employee Privacy and the
Federal Wiretap Statute, 44 AM. U.L. REV. 219, 227 (1994); Skatoff-Gee,
supra note 18, at 193-94.
[FN87]. See Greenberg, supra note 86, at
227.
[FN88]. See Baum, supra note 8, at
1021-22. The ECPA and its predecessor, Title III of the Omnibus Crime Control
and Safe Streets Act of 1968, contained exceptions to liability for
interception of communications. See Greenberg, supra note 86, at 235-36.
Omnibus permitted monitoring another call by extension telephone if done in the
ordinary course of business and the extension was provided by a communications
carrier in the ordinary course of business. See id. at 235. How the
"ordinary course of business" exception applied was disputed among the circuits. See
id. at 235 n.88. The ECPA altered the language of the exception to permit an
interception by a device which "'a provider of wire or electronic
communication service"' furnished in the ordinary course of business
"and used by [a] subscriber 'in the ordinary course of its
business."' See id. at 236. Arguably, the language broadened the category
of monitoring excluded from the statute because any private employer network
may contain a device provided by a wire or electronic communications service
provider in the ordinary course of business which the employer could use in the
ordinary course of business to monitor employee activity and efficiency. See
id. However, courts may distinguish using a communications device for business
purposes and using it to spy. See George v. Carusone, 849 F. Supp. 159, 164 (D.
Conn. 1994) (holding, "If a person surreptitiously records a
telephone conversation, then the [ordinary course of business] exception does
not obtain").
[FN89]. See 18 U.S.C. §
2510 (1998), as amended in 1986 by Pub. L. No. 99-508, 100 Stat. 1848,
commonly referred to as the "Electronic Communications Privacy Act of
1986."
[FN90]. See 18 U.S.C. § §
2701-2711 (1998).
[FN91]. See 18 U.S.C. § §
2510-2521 (1998).
[FN92]. See Payne v. Norwest Corp., 911 F. Supp. 1299, 1303
(D. Mont. 1995).
[FN93]. See United States v. Reyes, 922 F. Supp. 818, 836-37
(S.D.N.Y. 1996); Payne, 911 F. Supp. at 1303.
[FN94]. See Steve Jackson Games, Inc. v. United States Secret
Serv., 36 F.3d 457, 460 (5th Cir. 1994).
[FN96]. See id. at 458-59.
[FN97]. See id. at 459.
[FN98]. See id.
[FN99]. See id. at 461-62.
[FN100]. See 18 U.S.C. § §
2511, 2701 & 2702 (1998); United States v. Townsend, 987 F.2d 927, 930 (2d
Cir. 1993).
[FN101]. See Payne v. Norwest Corp., 911 F. Supp. 1299, 1304
(D. Mont. 1995); Skatoff-Gee, supra note 18 at 201-03.
[FN102]. See Wesley College v. Pitts, 974 F. Supp. 375, 384 (D.
Del. 1997).
[FN103]. Id.
[FN104]. See id. at 379, 389-90. The court
in Pitts also differentiated between the computer screen, which it considered
just a medium, and the wire by which a message is transmitted, to determine
that an interception could not occur unless information was tapped while moving
across the wire. See id. at 384. The court noted, "Simply put, Congress
had in mind more surreptitious threats to privacy than simply looking over
one's shoulder at a computer screen when it passed the ECPA." Id.
[FN105]. See Thompson v. Dulaney, 838 F. Supp. 1535, 1542 (D.
Utah 1993) (following United States v. Townsend, 987 F.2d 927, 930 (2d
Cir. 1989)). In Thompson, the
court also refused to find guilt for disclosure of intercepted information
where the plaintiff failed to prove the person who disclosed the information
knew or should have known the information had been obtained by illegal wiretap.
See id. at 1541.
[FN106]. See Wesley v. WISN Div., 806 F. Supp. 812, 814 (E.D.
Wis. 1992)..
[FN107]. Id.
[FN108]. See id. Following the reasoning of
Katz, the court held that if a person knew their comments could be detected
artificially with ease, then there is no reasonable expectation of privacy. See
id. at 815. Some courts have
rejected the theory that an expectation of privacy is based on the ability to
protect privacy. See Dunlap v. County of Inyo, 121 F.3d 715, 717 (9th
Cir. 1997) (unpublished disposition). In Dunlap, the Ninth Circuit
held that even where a police department routinely recorded conversations over
one of its telephone lines, the employee who used it could have a reasonable
expectation of privacy while using it. See id. The court stated, "The
capability of monitoring does not create implied consent to any monitoring that
occurs. Cellular telephones and electronic mail are both technologies of
questionable privacy, but we nonetheless
reasonably expect privacy in our cell phone calls and e-mail messages."
Id.
[FN109]. See Wesley, 806 F. Supp. at 814.
[FN110]. See United States v. Simons, 29 F. Supp. 2d 324, 327
(E.D. Va. 1998).
[FN111]. See United States v. Charbonneau, 979 F. Supp. 1177,
1184 (S.D. Ohio 1997).
[FN112]. See Payne v. Norwest Corp., 911 F. Supp. 1299, 1303
(D. Mont. 1995); George v. Carusone, 849 F. Supp. 159, 164 (D. Conn.
1994); Thompson v. Dulaney, 838 F. Supp. 1535, 1543 (D.
Utah 1993). 18 U.S.C. §
2511(2)(d) eliminates liability where there was consent if the
interception was not used in furtherance of illegal activity. See 18 U.S.C. §
2511(2)(d) (1998).
[FN113]. See George, 849 F. Supp. at 164. But see Dunlap,
121 F.3d at 717 (holding that police department employee did not consent to
monitoring even though the department routinely monitored communications over
the telephone line the employee used).
[FN114]. 18 U.S.C. § §
2701-2711 (1998).
[FN115]. See Steve Jackson Games, Inc. v. United States Secret
Serv., 36 F.3d 457, 462 (5th Cir. 1994). In Steve
Jackson, the district court held, and the Secret Service did not challenge,
that the Secret Service violated Title II of the ECPA by reading and destroying
the private e-mail the Secret Service seized. See id.
[FN116]. See id. at 460.
[FN117]. See, e.g., Greenberg, supra note
86, at 248-49 (discussing the irrationality in the difference between Title I
and Title II of the ECPA).
[FN118]. See 18 U.S.C. §
2701 (1998) (imposing liability where someone
intentionally gains unauthorized access of a "facility through which an
electronic communication service is provided ... and thereby obtains, alters or
prevents authorized access ....").
[FN119]. See 18 U.S.C. § §
2701(c), 2702 (1998).
[FN120]. See 18 U.S.C. § §
2702(b), 2703 (1998).
[FN121]. 20 F. Supp. 2d 1105 (E.D. Mich. 1998).
[FN122]. See id. at 1108.
[FN123]. See id. at 1107.
[FN124]. See id. at 1108; 18 U.S.C. §
2703(c) (1998). 18 U.S.C. §
2703 contains requirements for government access of
electronic communications. See 18 U.S.C. §
2703 (1998). Generally, a warrant, court order, or
grand jury or trial subpoena is required for government access. See id.
However, a service provider can divulge contents of a communication to law
enforcement if the provider notices illegal activity. See 18 U.S.C. §
2702(b). Also, the exceptions to the warrant requirement
applicable in warrantless searches under the Fourth Amendment apply under the
warrant requirement of 18 U.S.C. §
2703. See United States v. Reyes, 922 F. Supp. 818, 837
(S.D.N.Y. 1996).
[FN125]. See 18 U.S.C. §
2702(a) (1998).
[FN126]. See 18 U.S.C. §
2702 (1998).
[FN127]. See Wesley College v. Pitts, 974 F. Supp. 375, 389
(1997), noting "a person who does not provide an
electronic communication service ... can disclose or use with impunity the
contents of an electronic communication unlawfully obtained from electronic
storage." Id.
[FN128]. See Anderson Consulting LLP v. UOP, 991 F. Supp. 1041,
1042 (N.D. Ill. 1998); Sega Enter. Ltd. v. MAPHIA, 948 F. Supp. 923,
930-31 (N.D. Cal. 1996) (holding that subsequent use of stored
e-mail obtained without authorization was permissible because it was obtained
from bulletin board that did not qualify as provider of electronic
communications service to public).
[FN129]. 991 F. Supp. 1041 (N.D. Ill. 1998).
[FN130]. See id. at 1042.
[FN131]. See id. at 1043.
[FN132]. See id. at 1042.
[FN133]. See id. at 1043.
[FN134]. 18 U.S.C. § §
2511(2), 2701-2710 (1998); see also Baum,
supra note 8, at 1023-25 (discussing confusion regarding the provider
exception).
[FN135]. See 18 U.S.C. § §
2511(2), 2701-2710 (1998).
[FN136]. 18 U.S.C. §
2511(2)(a)(i) (1998).
[FN137]. See 18 U.S.C. § §
2701(c), 2702 (1998).
[FN138]. Compare Anderson Consulting, 991 F. Supp. at 1043, with Bohach v.
City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996).
[FN139]. See Anderson Consulting, 991 F. Supp. at 1043.
[FN140]. 932 F. Supp. 1232 (D. Nev. 1996).
[FN141]. See id. at 1236. The court held
the computer network which the city provided its employees made the city a
provider within the meaning of the statute
because the "terminals, computer and software, and the pagers it issues to
its personnel, are, after all, what provide those users with 'the ability to
send or receive' electronic communications." Id.
[FN142]. See Anderson Consulting, 991 F. Supp. at 1043.
[FN143]. See Bohach, 932 F. Supp. at 1236.
[FN144]. See id. at 1236.
[FN145]. 992 F.2d 1472 (9th Cir.), cert. denied, 113 S. Ct. 2997
(1993).
[FN146]. See id. at 1478. A SABRE network
is an airline's computerized reservation system. See id. at 1474. Airline agents
log onto a SABRE network by password and identification codes and then can
obtain flight information and make or alter reservations through the use of
Passenger Name Records (PNRs). See id.
[FN147]. See id. at 1478.
[FN148]. See id. The
defendants stole frequent flyer miles that were noted as available on SABRE in
order to obtain free tickets which they then sold, reaping a profit of over $1
million. See id. at 1474-75.
[FN149]. See Security and Freedom through
Encryption (SAFE) Act, H.R. 850, 106th Cong. (1999) reprinted in <http://
www.cdt.org/legislation/106th/encryption/safe.html> (visited Aug. 15, 1999);
Staff Discussion Draft of the Online Privacy Protection Act of 1999 (visited
Mar. 19, 1999) <http://www.senate.gov/burns/private.htm>; 139 CONG. REC.
E2102 (daily ed. Sept. 8, 1993) and E1077 (daily ed. Apr. 29, 1993) (statements
of Rep. Williams).
[FN150]. See H.R. 850.
[FN151]. See Berryessa, supra note 3, at
66.
[FN152]. See 145 CONG. REC. S4041-S4044
(daily ed. Apr. 21, 1999) (statement of
Sen. Leahy).
[FN153]. See 145 CONG. REC. S4044-S4045
(daily ed. Apr. 21, 1999) (statement of
Sen. Leahy). The proposed legislation would also permit forced decryption pursuant to a warrant during a
criminal investigation. See id.
[FN154]. See 145 CONG. REC. S4043-S4045
(daily ed. Apr. 21, 1999) (statement of
Sen. Leahy). The proposed legislation permitting encryption would allow
decryption of communications pursuant to a warrant. See id. at S4044- S4045.
[FN155]. See Wayne Madsen et al.,
Cryptography and Liberty: An International Survey of Encryption Policy, 16 J.
Marshal J. Computer & Info. L. 475, 479 (1998) (discussing the Global
Internet Liberty Campaign to protect on- line rights by encrypting
communication). A survey of seventy-six countries showed the majority of
countries do not regulate cryptography. See id. at 482. In addition, the
Organization for Economic Cooperation and Development and the European Union
are relaxing controls of cryptography to enhance commercial encryption
technology development. See id. at 482-83.
[FN156]. See Berryessa, supra note 3, at
63. Encryption disguises a message by using an algorithm to translate a
computer's code into meaninglessness. See id. Depending upon whether the
encryption system uses a "public key" or "private key," the
encryption code may be deciphered by the public or just the users. See id. at
64 (providing a detailed explanation of encryption technology).
[FN157]. See Bernstein v. United States Dep't of State, 974 F.
Supp. 1288, 1292-93 (N.D. Cal. 1997).
[FN158]. See id. at 1291-96.
[FN159]. See 925 F. Supp. 1, 4 (D.D.C. 1996).
[FN160]. See Bernstein, 974 F. Supp. at 1306. Following the
breadth of First Amendment protection the Supreme Court granted to Internet
communications in Reno v. ACLU, 521 U.S. 844 (1997), the Bernstein
court stated, "not only is the distinction between print and electronic
media increasingly untenable, but ... the Internet is subject to the same
exacting level of First Amendment scrutiny as print media." Id. at
1306-07.
[FN161]. See id. at 1306.
[FN162]. See Karn, 925 F. Supp. at 10; see also Junger v. Daley, 8 F.Supp.2d 708 (E.D. Ohio 1998) (holding
encryption code, although sometimes expressive, does not deserve protection
under the First Amendment).
[FN163]. See id. The regulations at issue
in Karn and Bernstein included the Arms Export Control Act (22 U.S.C. § §
2751-2796d) and the International Traffic in
Arms Regulations (22 C.F.R. § §
120-30). See Bernstein, 974 F. Supp. at 1291; Karn, 925 F. Supp. at 3.
[FN164]. See Bernstein v. United States Dep't of State, 176
F.3d 1132, 1141, 1146 (9th Cir. 1999).
[FN165]. See Bernstein v. United States Dep't of Justice, 192
F.3d 1308 (9th Cir. 1999).
[FN166]. See 145 CONG. REC. S4044 (daily
ed. Apr. 21, 1999) (statement of Sen. Leahy). The proposed legislation permits
"any person within the United States, and for any any United States person
in a foreign country" to use encryption, but does not seek to prohibit control
over the exportation of encryption code. Id.
[FN167]. See id. (proposing a new provision
in 18 U.S.C. §
2703 permitting a "domain name registration
service" to disclose customer or subscriber records).
[FN168]. See, e.g., 145 CONG. REC. S4043
(daily ed. Apr. 21, 1999) (statement of
Sen. Leahy) (proposing government access to electronic communication by warrant
or subpoena).
[FN169]. See, e.g., 144 CONG. REC. S8236
(daily ed. July 15, 1998) (statements
of Sen. Lott, et al.); 139 CONG. REC. S6122 (daily ed. May 19, 1993) (statement
of Sen. Simon); 139 CONG. REC. E1077 (daily ed. Apr. 29, 1993) (statement of
Rep. Williams) (discussing the need to pass a "Privacy for Consumers and
Workers Act" which would ban hidden monitoring).
[FN170]. See President's Message to the
Congress Transmitting the Proposed
"Cyberspace Electronic Security Act of 1999," 35 WEEKLY COMP.
PRES. DOC. 1760 (Sept. 16, 1999).
[FN171]. See Cyberspace Electronic Security
Act of 1999, reprinted in <
http://www.cdt.org/crypto/CESA/CESArevised.shtml> (visited Sept. 24, 1999).
[FN172]. See Cyberspace Electronic Security
Act of 1999, reprinted in <
http://www.cdt.org/crypto/CESA/CESArevised.shtml> (visited Sept. 24, 1999).
[FN173]. Compare Sega Enter. Ltd. v. MAPHIA, 948 F. Supp. 923, 930
(N.D. Cal. 1996), with United States v. Maxwell, 45 M.J. 406, 417
(C.A.A.F. 1996).
[FN174]. 948 F. Supp. 923 (N.D. Cal. 1996).
[FN175]. See Sega, 948 F. Supp. at 930. "There is
no evidence that the intent of requiring passwords is to protect the system
from use by those other than the original user ...." Id.
[FN176]. 45 M.J. 406 (C.A.A.F. 1996).
[FN177]. See Maxwell, 45 M.J. at 417
END OF DOCUMENT