Privacy Rights of BBS Users
PRIVACY RIGHTS OF BBS USERS
February 21, 1994 (Updated)
* * * * * * * *
The Privacy Rights Clearinghouse is a nonprofit consumer
education service funded by the California Public Utilities
Commission through its Telecommunications Education Trust.
It is administered by the University of San Diego School of
Law's Center for Public Interest Law.
* * * * * * * *
Today, anyone with a computer and a modem has potential
access to a multitude of online communications sources.
These online services range from the ubiquitous Internet to
the thousands of privately operated bulletin board services
(BBS). They may be commercial, pay-as-you-go services like
Compuserve and Prodigy, or non-profit services with no user
fees and few online rules.
While these services can bring information, interactivity,
and communication to every home or office, they also raise a
host of questions concerning the privacy of the information
gathered and the messages transmitted and stored by the
systems. How private are the messages posted on computer
BBSs and commercial online services? May a BBS system
operator (sysop) monitor or disclose E-mail communications
between users? May the sysop disclose information
concerning a user's online activity, such as the fact that a
user has posted controversial messages or is active in a
forum devoted to a potentially embarrassing topic? May he
or she sell lists of users' names and addresses to direct
marketing businesses? Must law enforcement personnel be
granted ready access to those communications?
Some of these questions lead to further debate matching
First Amendment rights to free speech against the right of
sysops to prohibit or censor defamatory or derogatory "hate
speech."
Because online communications services are relatively new
technologies, there are no definitive answers to most of
these questions. In fact, there is very little applicable
case law addressing BBS privacy, and surprisingly little
dialogue on this issue in legal literature. This discussion
will attempt to outline the existing restrictions upon the
access and disclosure of personal information and
communications contained within BBS and commercial online
services. One caveat: this discussion is not intended as
legal advice or even an analysis of the legal duties of
electronic communications services providers or the legal
rights of users. Any questions concerning those duties or
rights should be discussed with an attorney.
THE ELECTRONIC COMMUNICATIONS PRIVACY ACT
One of the few existing laws governing online communications
privacy is the federal Electronic Communications Privacy Act
of 1986 (ECPA). This Act (18 U.S.C. 2510 et seq.)
specifically protects "any wire, oral, or electronic
communications" from intentional interception, disclosure or
use. A federal district court recently found that a BBS is
a "remote computing device" and therefore subject to the
limitations on disclosure provided for in the ECPA. In that
case (_Steve Jackson Games_, 816 F.Supp. 432 (1993)) the
court found that the ECPA was violated when Secret Service
agents seized all of the electronically stored information,
including both public and private communications, contained
in a BBS, in an attempt to find one document believed to be
held illegally within the system.
The ECPA provides for varying degrees of privacy protection,
depending upon the nature of the communication. Three types
of information related to online services are addressed by
the Act: public messages, records pertaining to a subscriber
or customer of the service, and private communications.
Public Messages
There is no limitation on intercepting or accessing messages
available to the general public. Section 2511(2)(g)(i) of
the Act states "it shall not be unlawful ... for any person
to intercept or access an electronic communication made
through an electronic communication system that is
configured so that such electronic communications is readily
accessible to the general public." This is a common sense
provision that would seem to cover public forums and
publicly accessible information on BBSs and commercial
online services.
Records of Subscriber Activity
A second type of information addressed by the ECPA is the
record of user or subscriber activity. The Act expressly
states that "a provider of electronic communication service
or remote computing service _may disclose_ a record or other
information pertaining to a subscriber of such service ...
to any person other than a governmental entity" (s.
2703©). The provider must disclose these records to a
government entity if a properly obtained warrant, court
order or subpoena is used, or if the consent of the
subscriber who posted the message is obtained.
This section seems to allow disclosure of any records of a
subscriber to the system, including personally identifiable
information (but not including the contents of private
communications; see infra). This means that any record of a
customer or subscriber's use of the BBS or commercial
service may be disclosed by the service provider. Lists of
BBS users' names and addresses are currently available to
direct marketers. It further appears that there is nothing
in the ECPA to prevent a sysop from disclosing sensitive
information concerning a user's activity within forums with
potentially embarrassing topics, short of divulging the
actual contents of messages being transmitted.
"Private" E-Mail
The third type of communication addressed by the ECPA is the
contents of communications which are not readily accessible
to the general public. This would appear to include E-mail
messages and other non-public communications. The ECPA
provides substantial protection against access or disclosure
of the contents of these communications, particularly with
respect to law enforcement access. Generally, the Act
requires a sysop to disclose the contents of an electronic
communication only if a properly issued warrant has been
obtained (s. 2703). If the communication has been in
storage on the BBS for more than 180 days, disclosure may be
compelled through a court order or subpoena, if the sysop
has been given notice. The sysop has 14 days after such
notice to contest the disclosure (s. 2704(b)). Furthermore,
the court in _Jackson Games_ held that the ECPA only compels
disclosure of specific, questionable communications, and
that the seizure of all communications on a BBS in the
course of a search for one illegal document was improper.
Notwithstanding the protection provided against government
search and seizure of non-public electronic communications,
the Act allows broad exceptions for monitoring and
disclosure of those communications by the sysop or service
provider. It is not unlawful for a provider of an
electronic communication service to "intercept, disclose, or
use that communication ... while engaged in any activity
which is a necessary incident to the rendition of his
service or to the protection of the rights or property of
the provider of that service..." (s. 2511(2)(a)). This
section does prohibit a service provider from "random
monitoring" except for "mechanical or service quality
control checks."
Section 2702 of the ECPA also prohibits the service provider
from disclosing the contents of any communication carried,
maintained, or stored by an electronic communication
service. However, exceptions to this provision include
disclosures made with the lawful consent of one party to the
communication, disclosures which are authorized under
section 2511(2)(a), and disclosures to a law enforcement
agency, if the message was inadvertently obtained by the
service provider and appears to pertain to the commission of
a crime.
Furthermore, a BBS operator may have the right to monitor
private messages through the "business use" exception to the
ECPA. Section 2510(5)(a)(i) excludes telecommunications
equipment "furnished to the subscriber or user ... in the
ordinary course of its business, and being used by the
subscriber or user in the ordinary course of its
business..." This exception is used by businesses to
justify unconsented monitoring of calls from the business by
employers. However, the exception does not apply to
personal calls made from the business. There is nothing in
the ECPA to suggest that this provision should not apply to
BBS and commercial online services. Until a court is asked
to determine the scope of this act as applied to disclosures
made by sysops and service providers, these questions will
remain open.
OTHER PRIVACY PROTECTIONS
Two other possible limitations may apply to disclosure of
personal communications and information which exists on BBS
and commercial online services. The first arises under
contract law. If a service provider or sysop expressly
guarantees that specific information or communications will
not be disclosed, and subsequently discloses such
information, the service provider might be liable for
damages arising from the disclosure. While a determination
of this issue would require the application of principles of
contract law, and therefore falls outside the scope of this
discussion, the presence of such a privacy guarantee might
raise a user's expectation of privacy, and might be evidence
of the existence of a contractual duty not to disclose
(likewise, the express statement that a service is not
private might limit a user's privacy protections).
The second alternative source of privacy protection may
arise under state law. A few states, such as California,
have an express right to personal privacy as a state
constitutional guarantee. In California, this right has
been held to protect against both government and business
intrusions on personal privacy (See _Wilkinson v. Times
Mirror Corp._, 215 Cal. App. 3d 1034). There are currently
several cases in California state courts which seek to limit
an employer's broad discretion to monitor and disclose
employee's private E-mail messages. Whether these cases
will serve to limit employer monitoring, and whether the
decisions may be extended to provide protection for users of
BBS and commercial online services has yet to be determined.
In conclusion, unless there is an explicit guarantee of
privacy, it is probably necessary to assume that all
communication on a BBS or other online service is subject to
monitoring by the operator. It is also necessary to assume
that, unless the operator provides specific guarantees to
the contrary, records of user activity on the system are
also subject to disclosure. Each BBS will probably have its
own guidelines regarding the monitoring and disclosure of
personal information and communications.
Therefore, to ensure that private information remains
private, it may be advisable to do some research before
providing it to an online communication service. We suggest
that, when logging on to a BBS for the first time, users
should contact the sysop and inquire into the privacy policy
of the BBS. Also, it is a good idea to post a public
message on a regularly used BBS, inquiring whether any other
users have had good or bad experiences with the new BBS.
* * * * * * * *
Privacy Rights Clearinghouse
University of San Diego
Center for Public Interest Law
5998 Alcala Park
San Diego, CA 92110-2492
619-260-4806
Fax 619-260-4753
Hotline:
(Calif. only) 800-773-7748
or 619-298-3396 (all other locations)
|