defamation liability of computerized bulliten board operators

8/6/2019 Defamation Liability of Computerized Bulliten Board Operators

1/38

D E F A M A T I O N L I A B I L I T YO F

C O M P U T E R I Z E DB U L L E T I N B O A R D O P E R A T O R S

A N D P R O B L E M S O F P R O O F

John R. KahnCHTLJ CommentComputer Law SeminarUpper Division WritingFebruary, 1989

---D E F A M A T I O N L I A B I L I T Y

O F

C O M P U T E R I Z E DB U L L E T I N B O A R D O P E R A T O R SA N D P R O B L E M S O F P R O O F

John R. KahnCHTLJ Comment/Upper Division Writing/Computer Law Seminar

February, 1989

_________________________________________________________________

I. INTRODUCTION

A computer user sits down at her personal computer,turns it on, and has it dial the number of a local computerizedbulletin board service (BBS) where she has been exchangingopinions, information, electronic mail, and amicableconversation with other users. Upon connecting with the BBS, sheenters a secret "password", presumably known only to herself andto the bulletin board operator, so as to gain access to thesystem.

To her surprise, she finds herself deluged with lewdelectronic mail from complete strangers and hostile messagesfrom persons with whom she believed she was on friendly terms.

The messages read: "Why did you call me a worthless son-of-a ----- yesterday? I really thought we could be friends, but I guess Iwas wrong"; "Hey, baby, I liked your fetish you were telling meabout yesterday: call me at home, or I'll call YOU"; and, "Whydidn't you get around to telling me about your venereal diseasesooner?". Yet our user has not called this BBS in weeks and hasnever made any of these statements. Dismayed and angered, the

---Defamation Liability of Computerized BBS Operators& Problems of Proof (C) 1989 John R. Kahn 2----------------------

user comes to realize that she is the victim of computerizedbulletin board abuse.


2/38

A personal computer hobbyist (hereafter "SYSOP") whooperates a computerized bulletin board system notices a rash ofheated arguments, profanity and complaints being reported to himby users on what had been a forum for the peaceful exchange ofideas. Investigating the complaints, he discovers thatpreviously responsible users have suddenly anduncharacteristically been leaving insulting, rude and false

messages about other users on the bulletin board. One user is soenraged about a public message accusing her of sexualmisadventures that she is threatening to sue the computerhobbyist in libel for having permitted the message to appear.The SYSOP realizes that both he and his subscribers havesuffered computerized bulletin board abuse.

The aggravating force behind both the above situationsis most likely a third user (known hereafter as "themasquerader") who maliciously exploits both his computerknowledge and his access to BBSes. Since the masquerader hasdiscovered the password and name of the regular user, and uses

them to access bulletin boards, he appears for all intents andpurposes to be that regular user. The computer thus believes ithas admitted a legitimate subscriber to its database when it hasin fact given almost free reign to a reckless hacker. Themasquerader, posing as another legitimate user, is then free toportray that user in whatever light he pleases and also toharass other users of the bulletin board.


When validated users later discover that someone elsehas been impersonating them, they invariably cancel theirsubscriptions to that BBS and often bring a defamation actionagainst its SYSOP for the smearing of their good names.Conversely, the SYSOP, in an effort to avoid liability,reluctantly engages in monitoring each and every piece ofinformation posted daily by hundreds of users. If the SYSOPchooses instead to stop running his BBS altogether, anotherefficient and valuable forum for ideas is lost.

What sort of defamation action may be maintained by thewrongfully disparaged user? Is the computerized bulletin boardoffered by the SYSOP subject to the stricter self-scrutiny ofnewspapers, or does it operate under some lesser standard? Howmay the initial party at fault - the masquerader - be heldaccountable for his computerized torts?

The scope of this Comment will be to examine thedefamation liability of computerized BBS operators andevidentiary proof issues that arise in tracing computerizeddefamation to its true source. Other possible Tort causes ofaction - intentional infliction of emotional distress, invasionof privacy, trespass to chattels - are not addressed. It isassumed throughout that the plaintiff is a private person and

that the issues involved are not matters of "public interest" asdefined in Gertz v. Robert Welch, Inc.1


3/38

A. Background

Computerized BBSes exist as a quick, easy and efficientway to acquire and exchange information about the entire

---

Defamation Liability of Computerized BBS Operators& Problems of Proof (C) 1989 John R. Kahn 4----------------------

spectrum of interests.2 The growing popularity of theseelectronic forums was demonstrated in a recent study whichnumbered BBSes at more than 3,500 nationwide.3 The size andcomplexity of computerized BBSes range from relatively simpleprograms, run on privately-owned microcomputers with a fewhundred subscribers, to vast, multi-topic database systems withnationwide lists of subscribers and operated for profit.4

The process of reaching, or "accessing" one of thesebulletin boards is quite simple: all that is required is acomputer, a computer program that allows the computer tocommunicate over the phone lines, and a "modem" (a device whichconverts the computer's electrical signals into acousticimpulses, defined infra).5 Once she has accessed the BBS, thecaller is free to trade useful non-copyrighted computerprograms, exchange ideas on a host of topics, post electronicmail for later reading by others, and much more.6 The ease withwhich most BBSes may be accessed and the wealth of interests tobe found there ensure that they will continue to be importantsources of information and discourse.

However, the speed and efficiency of computerized BBSesalso subject them to serious, wide-ranging civil and criminalabuse. Recently a young computer user paralyzed several majorcomputer systems across the nation by sending a harmful computerprogram (or "worm") to them over telephone lines. The wormquickly replicated itself in the computers' memories and thusdecreased their output capacities.7 Further, certain computerabusers (known as "hackers") use the power of the computerized


forum to ply illegal copies of copyrighted programs, bilkhundreds of millions of dollars annually from credit card andphone companies, and to wrongfully access others' data files.8 Aminority of other BBSes exist mainly to circulate racistideologies.9

What is more, it now appears that the ancient tort ofdefamation is actively being practiced through the use ofcomputerized BBSes.10 Due to the almost ethereal waycomputerized BBSes operate - one person may conveniently leavean electronic message for others to respond to at their leisure

and there is no need for the parties to converse directly oreven to know each other11 - the risk of detection when the BBSis abused is lower than that for defamation practiced in the


4/38

print media.12 Difficulties arise with identifying the trueparty at fault and with authenticating the computer records asevidence of the defamation.13 Adding to this problem is anuncertainty in the laws concerning the appropriate liability ofSYSOPs for defamatory messages on their BBSes of which they wereunaware.14

B. Definitions

The following are brief definitions of some importanttechnical terms connected with electronic BBSes:

SYSOP: An abbreviation for "System Operator", this isthe individual generally responsible for organizing informationand for trouble-shooting on a computerized bulletin board. Onlarger bulletin boards covering hundreds of topics, severalSYSOPS may be in charge of maintaining information contained in


separate discrete fields.15 But when the BBS is privately ownedand operated, a single SYSOP may very well oversee all aspectsof the board's operations, in addition to being able to accessall his users' passwords and personal information.16

Modem: An abbreviation for "Modulator/Demodulator".This is a device which links a computer to an ordinary phoneline and converts computer signals to auditory phone signals. A

computer modem on the other end of the transmission thenreverses the process. Computers using modems transfer datarapidly across phone lines and thus share information.17

Validation: Basically this is a set of procedures usedby responsible SYSOPs to do everything reasonably possible toverify that the personal information supplied by a user is trueand correct. Common sense and emerging legal standards dictatethat the SYSOP should not merely rely on the name provided by apotential user when the SYSOP does not personally know thatindividual. The SYSOP may be required to independentlycorroborate the prospective subscriber's information by firstasking the potential user's name, address and phone number andthen by checking that information with directory assistance.18These procedures will hopefully aid the operator in identifyingwrongdoers if misuse occurs;19 however, as will be seen, theseprocedures are by no means foolproof.

Database: Any collection of data in a computer forpurposes of later retrieval and use, i.e., names, addresses,phone numbers, membership codes, etc.

User: Anyone who accesses a computerized bulletin board

---



5/38

system and is exposed to the information stored there. Users maybe identified by their true names, by an assigned numericalcode, or by colorful "handles", or "usernames."20

Operating System: This is a program which controls thecomputer's basic operations and which recognizes different

computer users so that their actions do not interfere with oneanother.21 For example, most multi-user operating systems willnot allow one user to delete another's data unless the seconduser gives explicit permission.22 BBS system software programsperform this function through their use of "accounts" and"passwords":23 private electronic mail sent to a particular usermay not be read or deleted by others. The BBS' operating systemis also designed to deny access to those attempting to log onunder an unvalidated or unrecognized name.24

Account/Username: As another part of BBS systemsecurity, each user chooses an "account", or "username",

consisting of one to eight letters or numbers.25 The BBS'operating system then will not allow commands issued by one userof one account to modify data created by another account;26 norwill it grant access to an account that has been terminated orinvalidated.

Password: Yet another aspect of BBS system security isthe use of "passwords" as a prerequisite to accessing thecomputer system. Most operating systems require the user toenter both her account name and password to use the account.27Because electronic mail cannot be sent without the username towhich it is being addressed, and because the account cannot be


used without knowledge of the password, usernames are generallypublic knowledge while passwords are a closely-guarded secret,known only to the user and the operating system.28

Teleprocessing: This is defined as accessing a computerfrom a remote location, usually over a telephone line or similarcommunications channel.29

Uploading/Downloading: For purposes of exchangingcomputer programs or electronic mail over the phone lines, theprocess of transferring information from one's personal computerto the bulletin board is called uploading. The reverse process -transferring information from a bulletin board to a personalcomputer - is known as downloading.30

II. DEFAMATION LIABILITY OF COMPUTERIZED BBS OPERATORS

A. Computerized Defamation: Libel or Slander?

Libel is the "publication of defamatory matter by

written or printed words, by its embodiment in physical form, orby any other form of communication that has the potentiallyharmful qualities characteristic of written or printed words."31


6/38

Publication of a defamatory matter is "its communicationintentionally or by a negligent act to one other than the persondefamed."32 A communication is defamatory if it "tends to soharm the reputation of another as to lower him in the estimationof the community or to deter third persons from associating ordealing with him."33 The difference between libel and slanderhas traditionally depended upon the form of the communication:

oral defamation generally is considered slander, while written


defamation is generally considered libel.34 The distinction isimportant, because libel requires no proof of special damagesand is actionable by itself, while slander generally requiresproof of special damages in order to be actionable.35

However, with the advent of electronic media, thetraditional libel/slander distinctions as they apply to sightand hearing are no longer valid. For example, passing defamatorygestures and signals, though visible to sight, were consideredslander;36 an ad-libbed statement on a telecast impugning aperson's financial status was found to be libel.37

It has been suggested that the real distinction betweenlibel and slander is the threat and magnitude of harm toreputation inherent in the form of publication.38 Libel has beenhistorically associated with writings because (1) a writing ismade more deliberately than an oral statement; (2) a writingmakes a greater impression to the eye than does an oral

statement to the ear; (3) a writing is more permanent thanspeech; and (4) a writing has a wider area of dissemination thanspeech.39 These four qualities inherent in a writing made thepossible harm to reputation greater than mere spoken words. Inapplying libel to the new form of computerized communicationused on BBSes, the potentiality for harm to reputation issignificant, and should again be considered the controllingfactor.

In our hypothetical situation, the user discovered thatanother user (the masquerader) had usurped her account name andpassword, causing her great embarrassment and humiliation. The


act of prying into and taking another's computer information tomisuse it elsewhere would indicate a certain deliberation on theactor's part to spread defamatory messages. Secondly, thedefamatory message is displayed to other users on their computermonitors in the form of electronic characters, making a visualimpression. Third, this electronic defamation is more permanentthan mere words because it is stored in the BBS' memory until

erased by the user or SYSOP. Finally, the message arguably has awider area of dissemination than a one-to-one spoken defamationbecause, as a message on an electronic BBS, it has the potential


7/38

of being viewed by hundreds, perhaps thousands, of users eachday. Based on these four criteria, the capacity for harm to ouruser's reputation due to the masquerader's activities is indeedgreat enough to be considered libellous.

B. Defamation Liability of the SYSOP

Having established the electronic message as beinglibellous, the next issue is to determine the extent ofliability for the SYSOP who unknowingly permits the message tobe communicated over his BBS. Case law indicates that theSYSOP's liability depends upon the type of person defamed and onthe subject matter of the defamation.

1. Degree of fault required

The United States Supreme Court has addressed moderndefamation liability in two major decisions. Both conditionedthe publisher's liability on the type of person defamed and on

the content of the defamation. In New York Times v. Sullivan,40the Court determined that in order for a public official to


recover damages in a defamation action, the statement must beshown to have been made with "actual malice", i.e., withknowledge of its falsity or with reckless disregard for itstruth.41 Due to society's interest in "uninhibited, robust andwide-open" debate on public issues, neither factual error nor

defamatory content sufficed to remove the First Amendment'sshield from criticism of an official's conduct.42

The Supreme Court further elaborated on defamationliability standards in the private and quasi-private sphere whenit decided Gertz v. Robert Welch, Inc.43 In Gertz, the publisherof a John Birch Society newsletter made certain false andinaccurate accusations concerning an attorney who represented adeceased boy's family. The family had civilly sued the policemanwho murdered the boy. In rebutting what he perceived to be asecret campaign against law and order, the publisher labelledthe family's attorney a "Leninist" and "Communist-fronter".44 Inaddition, the publisher asserted that the attorney had been amember of the National Lawyers Guild, which "'probably did morethan any other outfit to plan the Communist attack on theChicago police during the 1968 Democratic Convention.'"45 Inpublishing these statements throughout Chicago, the managingeditor of the Birch Society newsletter made no effort to verifyor substantiate the charges against the attorney.46

The Supreme Court held in Gertz that while FirstAmendment considerations protect publications about publicofficials47 and about "public figures"48, requiring a showing of"actual malice" before defamation damages could be recovered,

---Defamation Liability of Computerized BBS Operators& Problems of Proof (C) 1989 John R. Kahn 12


8/38

----------------------

the same was not true for defamation suits brought by privatecitizens49, a group to which the attorney was held to belong.50Private citizens were seen as deserving more protections fromdefamation than public officials or public figures, so they werenot required to show "actual malice" as a precondition to

recovery.51 The Court then left it to the states to decide theprecise standard of liability for defamation of privateindividuals, so long as liability without fault was not thestandard.52

By Gertz, then, the appropriate standard of liabilityfor publicizing defamation of private parties falls somewherebelow actual malice and above strict liability. The problem withdefining the defamation standard for computerized BBS operators,however, is a lack of uniform standards. In such circumstances,the objective "reasonable person" standard will likely beapplied to the SYSOP's actions.53 Several cases may be usefully

applied by analogy.

The court in Hellar v. Bianco54 held that a barproprietor could be responsible for not removing a libellousmessage concerning the plaintiff's wife that appeared on thewall of the bar's washroom after having been alerted to themessage's existence.55 The court noted that "persons who invitethe public to their premises owe a duty to others not toknowingly permit their walls to be occupied with defamatorymatter.... The theory is that by knowingly permitting suchmatter to remain after reasonable opportunity to remove [it],the owner of the wall or his lessee is guilty of republication


of the libel."56 The Hellar court then left the ultimatedetermination of the bar owner's negligence to the jury.57 Thisholding seems to be in accord with the Restatement of Torts,which provides:

PUBLICATION:

(2) One who intentionally and unreasonablyfails to remove defamatory matter thathe knows to be exhibited on land orchattels in his possession or under hiscontrol is subject to liability for itscontinued publication.58

Contrarily, however, the Ohio court of appeals in Scottv. Hull59 found that the building owner and agent who hadcontrol over a building's maintenance were not responsible forlibel damages for graffiti inscribed by an unknown person on anexterior wall.60 The court distinguished Hellar by noting thatin Hellar the bartender constructively adopted the defamatory

writing by delaying in removing it after having been expresslyasked to do so:


9/38

"It may thus be observed from these casesthat where liability is found to exist it ispredicated upon actual publication by thedefendant or on the defendant's ratificationof a publication by another, the ratificationin Hellar v. Bianco...consisting of at leastthe positive acts of the defendants in

continuing to invite the public into theirpremises where the defamatory matter was onview after the defendants had knowledge ofexistence of same."61

The Scott court held that defendants could only beresponsible for publishing a libellous remark through a positiveact, not nonfeasance; thus, their mere failure to remove thegraffiti from the building's exterior after having it called to

---Defamation Liability of Computerized BBS Operators

& Problems of Proof (C) 1989 John R. Kahn 14----------------------

their attention was held not to be a sufficient basis ofliability.62

A situation similar to Scott arose recently in Tackettv. General Motors Corporation.63 There, an employee brought alibel suit against his employer for, inter alia, failing toremove allegedly defamatory signs from the interior wall of itsmanufacturing plant after having notice of their existence. Onelarge sign remained on the wall for two to three days while asmaller one remained visible for seven to eight months.64

Instead of focussing on the Scott malfeasance/nonfeasancetest,65 the Tackett court considered defendant's impliedadoption of the libellous statement to be the correct basis ofliability.66 While saying that failure to remove a libellousmessage from a publicly-viewed place may be the equivalent ofadopting that statement, and noting that Indiana would followthe Restatement view "when the time comes,"67 the Tackett courtheld that the Restatement view could be taken too far. CitingHellar, the court wrote:

The Restatement suggests that a tavern ownerwould be liable if defamatory graffitiremained on a bathroom stall a single hourafter the discovery [Citation to Hellar]. Thecommon law of washrooms is otherwise, giventhe steep discount that readers apply to suchstatements and the high cost of hourlyrepaintings of bathroom stalls [Citation toScott]. The burden of constant vigilanceexceeds the benefits to be had. A person isresponsible for statements he makes oradopts, so the question is whether a readermay infer adoption from the presence of astatement. That inference may be unreasonablefor a bathroom wall or the interior of a

subway car in New York City but appropriatefor the interior walls of a manufacturing


10/38


plant, over which supervisory personnel

exercise greater supervision and control. Thecosts of vigilance are small (most will beincurred anyway), and the benefitspotentially large (because employees mayattribute the statements to their employermore readily than patrons attribute graffitito barkeeps).68

According to this reasoning, then, the location and

length of time the libel is allowed to appear plays an integralpart in determining whether a given defendant has adopted thelibel, and thus has published it.

An application of the foregoing analysis to the issueat hand highlights the need for greater care in allowing theposting of electronic mail messages on a BBS. The Tackett courtnoted that while the content of graffitti scrawled on bathroomwalls might be subject to healthy skepticism by its readers, thesame might not be true for other locations such as interiors ofsubway cars or manufacturing plant walls.69 If this is true,then it is reasonable to assume that a defamatory messagedisplayed in a forum for the exchange of ideas is more apt to betaken seriously by its readers - especially when the libellous

---


message purports to be written by the subject of the libel.70

Further, the Tackett court indicated that the high costof repainting bathroom stalls by the hour outweighed itsperceptible benefits. The same is not true for electronic BBSes,where the costs of prevention are minimal in light of the threatof widespread harm to users' reputations.71

2. Damages

Once the plaintiff establishes that the SYSOP failed toact reasonably in removing statements known to be libellous fromhis BBS or in negligently failing to prevent their appearancethere,72 no proof of special damages is necessary as libel isactionable per se.73 The state's interest in protecting privatereputations has been held to outweigh the reduced constitutionalvalue of speech involving matters of no public concern such thatpresumed and punitive damages may be recovered absent a showingof actual malice.74

The proper gauge of liability has again raised some

questions.75 One writer has noted that if the burden of proof is

---


11/38


to rest on the plaintiff, she may be at a disadvantage inproducing sufficient evidence to demonstrate negligent conducton the part of the SYSOP.76 Solutions to this problem have

ranged from a rebuttable presumption of negligence in favor ofthe plaintiff77 to adoption of a set of standards similar tothose set out in the Federal Fair Credit Reporting Act.78 Ineither event, damage awards for computer abuse have beenaddressed both by federal and state law.79

3. Suggestions

Because computerized BBSes are still a relatively newtechnological phenomena, consistent standards for SYSOPs' dutieshave yet to be developed.80 However, at least one users' grouphas adopted a voluntary code of standards for electronic BBSes,

applicable to both users and SYSOPs of boards open to thegeneral public:

SCOPE:

This Minimum Code of Standards applies toboth users and SYStem Operators (SYSOPs) ofelectronic bulletin boards available to thegeneral public.

FREEDOM OF SPEECH AND IDEAS

Each user and SYSOP of such systems shall

actively encourage and promote the freeexchange and discussion of information,


ideas, and opinions, except when the contentwould:- Compromise the national security of the

United States.- violate proprietary rights.- violate personal privacy,- constitute a crime,- constitute libel, or- violate applicable state, federal or

local laws and regulations affectingtelecommunications.

DISCLOSURE

Each user and SYSOP of such system will:- disclose their real name, and

- fully disclose any personal, financial,or commercial interest when evaluationany specific product or service.


12/38

PROCEDURES

SYSOPS shall:

- review in a timely manner all publiclyaccessible information, and

- delete any information which they knowor should know conflicts with this codeof standards.

A 'timely manner' is defined as what isreasonable based on the potential harm thatcould be expected. Users are responsible for:

- ensuring that any information theytransmit to such systems adheres to thisMinimum Code of Standards, and

- upon discovering violations of theMinimum Code of Standards, notifying theSYSOP immediately.

IMPLEMENTATION

Electronic bulletin board systems that chooseto follow this Minimum Code of Standardsshall notify their users by publishing thisMinimum Code, as adopted by the [Capitol PCUsers Group], and prominently display thefollowing:'This system subscribes to the Capitol PC

Users Group Minimum Code of Standards forelectronic bulletin board systems.'81

While non-binding on publicly-accessible BBSes, theabove guidelines furnish sound basic policies that all SYSOPsmight use in shielding themselves from defamation liability. Ourhypothetical at the beginning of this Comment described asituation where a malicious intruder was able to access and


masquerade as a validated user on a BBS; the following are someadditional computer security measures that the reasonable SYSOPcould conduct to avoid that situation:

a. Special "screening" software: One writer hassuggested discouraging potential BBS misuse through programmingthe BBS to reject those messages containing common defamatoryand obscene language;82 such a program would discard a messagecontaining any of those terms and would presumably notify theSYSOP of their presence. Drawbacks to this procedure are thatcomputer programs cannot understand all the nuances of libellous

messages83 and would thus lead to the rigid deletion of manyotherwise legitimate messages.84


13/38

b. Unique passwords: A more fundamental andeconomical approach would be for the SYSOP to both notify allnew users about the potential for computerized BBS abuse and toencourage their use of a unique password on each BBS they call.This would have the practical effect of keeping a masqueraderfrom using the names and passwords found on one BBS towrongfully access and masquerade on other BBSes. A drawback to

this procedure is that the truly malicious masquerader may stilldiscover a BBS' most sensitive user records by way of a renegadecomputer program called a "trojan horse".85 However, one couldspeculate that the SYSOP acts reasonably in informing potentialusers of the existing threat and in helping them avoid it.

c. Encryption: This is essentially a way for theSYSOP to make the users' passwords unique for them. The power ofthe computer allows complex algorithms to be applied to data to



encode it in such a way that, without the key to the code, it isvirtually impossible to decode the information.86 This techniquewould have the added benefit of forcing the masquerader, uponaccessing the BBS with a trojan horse program, to search for thesecret decoding algorithm in addition to the BBS' secret userfiles. Indeed, it is conceivable that a special encryption orpassword could be devised to allow only the SYSOP access to theBBS' decoding algorithm. However, encryption involves asignificant overhead - impractical for most small, privately-operated BBSes - and is more frequently used to protect messages

from one system to another where the data is vulnerable tointerception as it passes over transmission lines.87

d. Prompt damage control: In accord with Hellar,88the Restatement (Second) of Torts,89 and possibly Tackett,90 aSYSOP acts reasonably in promptly assisting the libelled user topartially reverse the effects of the masquerader's actions.Recall that in those instances a defendant was held to haveimpliedly adopted a defamatory statement by acting unreasonablyslowly in removing it from his property once having been madeaware of it.91 While it may be unreasonable to expect the SYSOPto monitor each message posted every day - especially where thedefamatory message appears to have been left by the true user -it is not too much to require the SYSOP to quickly remedysecurity flaws in his BBS as they are pointed out to him.92 Tothis end, the SYSOP has several options. In situations where thedefaming user libels another without masquerading as thelibelled party, the SYSOP could simply delete the defamer's


account. In situations where a user masquerading as another

posts a libellous message, the SYSOP could publish a retractionto all his subscribers, urging them to use a different passwordon each BBS they call. Further, where a masquerader published


14/38

the libel, the SYSOP should offer his full cooperation to themaligned user in tracking down the time and date the libellousmessage was posted93 in order to better limit the SYSOP'sliability.

Certain BBS SYSOPs claim that holding them liable forinformation appearing on their BBSes violates their First

Amendment rights by restricting their right to free speech94 andby holding them responsible for the libel perpetrated by the

From kadie Sat Oct 12 09:53:46 1991To: cafb-mail~Subject: Computers and Academic Freedom mailing list (batch edition)Status: R

Computers and Academic Freedom mailing list (batch edition)Sat Oct 12 09:53:27 EDT 1991

[For information on how to get a much smaller edited version of thelist, send email to [email protected]. Include the line:send acad-freedom caf

- Carl ]

In this issue:

:

The addresses for the list are now:[email protected] - for contributions to the list

or [email protected]@eff.org - for automated additions/deletions

(send email with the line "help" for details.)[email protected] - for administrivia

-------------------

masquerader. It has been suggested that the SYSOP should be heldto the same standard of liability as a neighborhood supermarketwhich furnishes a public bulletin board:95 just as thesupermarket would not be liable for posting an advertisement forillicit services, so should the BBS SYSOP escape liability forlibellous messages left on his board, especially when its posterappears to be a validated user.96

However, this comparison lacks merit for the reasonsgiven by the Seventh Circuit in Tackett v. General MotorsCorporation.97 The defendant's liability in that case rested onits publication of libel by implicitly adopting the statement.98Defendant's failure to remove a defamatory sign painted on oneof the interior walls of its factory for seven or eight monthsafter discovering its presence was such that "[a] reasonableperson could conclude that Delco 'intentionally and unreasonably


----------------------

fail[ed] to remove' this sign and thereby published its


15/38

contents."99

There would certainly be accomplice liability if thesupermarket unreasonably delayed removing an advertisement forillegal services from its bulletin board once it was made awareof it. The market could be seen as having adopted the ad'sstatements by not acting responsibly to its viewing public.

Similarly, a SYSOP would be liable for defamatory messagesposted on his BBS - even by what appears to be the true user -if he fails to act reasonably by using his computer skill toeviscerate the libel.100 While the computerized BBS may benothing more than a hobby of the SYSOP, the speed with which itcan disseminate potentially damaging information among its usersdemands the standards of responsibility described above.

C. Defamation Liability of the Masquerader

1. Degree of fault required

It should be noted that the liability and proof issuesconcerning the SYSOP and masquerader are inverse. As to theSYSOP who allows libellous messages to be posted on his BBS, hisliability may be inferred simply by those messages havingappeared there;101 however, his degree of fault - actual maliceor simple negligence - is subject to debate.102 Conversely,while the masquerader's degree of fault is clearly evident,103tracing that fault back to him is a more elusive matter.104 Therequisite degree of fault for masqueraders is set out in federaland state law.105

2. Damages


Assuming arguendo that the masquerader's defamatorypublications have been successfully traced back to him by theplaintiff, actual and punitive damages may then be recoveredfrom him based on his knowledge of the publication's falsity orreckless disregard for its truth.106 Federal and state law havealso specified certain remedies.107

III PROBLEMS OF PROOF

A. Proof of SYSOP's Actions

We have seen that while the appropriate degree of faultfor a SYSOP to be liable for defamatory messages appearing onhis BBS is subject to dispute,108 a showing that the defamationappeared there due to the SYSOP's negligence is much morecapable of resolution.109 The jury should be made aware of theactual validation/security procedures practiced by the SYSOP andshould weigh them in light of the prevailing practice.110Several facets of an emerging standard of care for SYSOPs have

already been suggested in this Comment,111 and the SYSOP'sadherence to them could be shown through users' testimony.


16/38

B. Proof of Masquerader's Actions

In contrast with the degree of fault required toestablish the SYSOP's publication of the libellous message, thedegree of fault for the masquerader is much less subject todebate. The masquerader's actions are not likely to beconsidered merely inadvertent or negligent.112 However, because

the masquerader has intentionally discovered and usurped theuser's name and password, he appears to be that user on all


computer records. Tracing the masquerader's defamatorypublication back to him thus encounters some importantevidentiary barriers: the maligned user is forced to rely oncomputerized records produced by the BBS and phone company in

trying to link the masquerader's libellous publication back tohim.113 We turn now to consider the evidentiary hurdles to beovercome in tracing the libellous communication to its truesource.

1. The Hearsay Rule & Business Records Exception

The first evidentiary obstacle to connecting themasquerader with his libellous publication is the hearsay rule.As defined by the Federal Rules of Evidence, hearsay is "astatement, other than one made by the declarant while testifyingat the trial or hearing, offered in evidence to prove the truthof the matter asserted";114 as such, it is inadmissible as

evidence at trial.115 Computer-generated evidence is subject tothe hearsay rule, not because it is the "statement of acomputer", but because it is the statement of a human being whoentered the data.116 To the extent the plaintiff user relies oncomputer-generated records to show that a call was placed fromthe masquerader to the BBS at the time and date in question,then, her evidence may be excluded.

However, numerous exceptions to the hearsay rule havedeveloped over the years such that evidence which mightotherwise be excluded is deemed admissible. The most pertinenthearsay exception as applied to computerized evidence is the"business records exception", which admits into evidence any


records or data compilations, so long as (1) they were madereasonably contemporaneously with the events they record; (2)they were prepared/kept in the course of a regularly conductedbusiness activity; and (3) the business entity creating theserecords relied on them in conducting its operations.117 Theveracity of the computer records and of the actual business

practices are shown by the record custodian's or other qualifiedwitness' testimony, unless the circumstances indicate lack oftrustworthiness.118 The term "business" as used in this rule


17/38

includes callings of every kind, whether or not conducted forprofit.119

Statutes and judicial decisions in several states havegradually recognized that the business records exception extendsto include computer-generated records.120 This is largely due to(1) modern business' widespread reliance on computerized record-

keeping, (2) the impracticability of calling as witnesses everyperson having direct personal knowledge of the records'creation, and (3) the presumption that if a business was willingto rely on such records, there is little reason to doubt theiraccuracy.121

Using this exception to the hearsay rule, plaintiffuser would most likely seek to admit the BBS' computer-generatedusername/password log-in records plus the phone company's callrecords to establish the connection between the masquerader'stelephone and the BBS at the precise instant the libellousmessage was posted.122 As an initial matter, however, plaintiff


must first lay a foundation for both the BBS' and phonecompany's computer-generated business records.

A sufficient foundation for computer-generated recordswas found recently to exist in People v. Lugashi.123 There, theCalifornia Court of Appeal affirmed a conviction of grand theftbased on evidence adduced from computer-generated bank records.

Defendant, an oriental rug store owner, had been convicted offraudulently registering thirty-seven sales on counterfeitcredit cards. The issuing banks became suspicious of criminalactivity when charge card sales data from defendant's storeshowed 44 fraudulent uses of charge cards at defendant's storewithin only five weeks.124 As each fraudulent credit cardtransaction was completed, defendant registered the salesimultaneously with the banks' computers.125 Each night, asstandard bank practice, the banks then reduced the computerrecords of credit card transactions to microfiche. Informationgleaned from these microfiche records was entered againstdefendant at trial.126

The California Court of Appeal recognized the trialcourt judge's wide discretion in determining whether asufficient foundation to qualify evidence as a business recordhas been laid.127 It held that defendant's allocations of errorwere without merit since defendant himself had acknowledged thatthe bank's computer entries memorialized in the microficherecord were entered simultaneously as they occurred in theregular course of business.128 Further, the Court of Appealsdismissed defendant's claim that only a computer expert could




18/38

supply testimony concerning the reliability of the computerrecord:

Appellant's proposed test incorrectly presumes computerdata to be unreliable, and, unlike any other businessrecord, requires its proponent to disprove thepossibility of error, not to convince the trier of factto accept it, but merely to meet the minimal showing

required for admission....The time required to produce this additional [expert]testimony would unduly burden our already crowded trialcourts to no real benefit.129

The Lugashi court then followed the bulk of otherjurisdictions adopting similar analyses and upholding admissionof computer records with similar or less foundational showingsover similar objections.130

As to admission into evidence of telephone companies'computer-generated call records under the business recordsexception, courts have evinced a similar attitude to that inLugashi. In State v. Armstead,131 a prosecution for obscenephone calls, the trial court was held to have properly admittedcomputer printouts showing that calls had been made fromdefendant's mother's telephone, despite defendant's contentionthat the witness who was called to lay the foundation had notbeen personally responsible for making the record.132 Becausethe printout represented a simultaneous self-generated record ofcomputer operation, the court held it was therefore nothearsay.133

In an Ohio prosecution for interstate telephoneharassment, it was held no error was committed in admittingdefendant's computerized phone statement under the BusinessRecords exception which showed that telephone calls had been


made from defendant's phone in Ohio to various numbers inTexas.134 A sufficient foundation for the admission of businessrecords under Federal Rules of Evidence 803(6) was establishedwhen a telephone company witness identified the records asauthentic and testified they were made in the regular course ofbusiness.135

Applying the foregoing analyses to BBSes, the plaintiffuser would establish a foundation for the correlated BBS136 andtelephone company phone logs by showing that (1) they were madecontemporaneously with the posting of the libellous message;137(2) they were prepared/kept in the course of a regularlyconducted business activity, since both the BBS and telephonecompany consistently maintain accounts of all persons who usetheir services; and (3) the BBS and telephone company relied on

those records for billing purposes.138 Once such a foundation islaid, the trial court has wide discretion in admitting businessrecords into evidence.139


19/38

2. Authentication & the Voluminous Records Exception

The second evidentiary barrier encountered in tracingthe masquerader's libellous messages back to him is proving hisauthorship of the libel, or "authenticating" the computerizedrecords.140 The computer-generated phone and BBS records showing

that a call from a certain phone number at a particular date andtime resulted in a libellous message being published mustsomehow be linked to the masquerader.

The Federal Rules of Evidence provide in pertinent


part:

(a) General provision. The requirement ofauthentication or identification as a conditionprecedent to admissibility is satisfied byevidence sufficient to support a finding that thematter in question is what its proponent claims.

(b) Illustrations. By way of illustration only, andnot by way of limitation, the following areexamples of authentication or identificationconforming with the requirements of this rule:...(6) Telephone conversations. Telephone

conversations, by evidence that a call wasmade to the number assigned at the time bythe telephone company to a particular person

or business, if(A) in the case of a person, circumstances,

including self-identification, show theperson answering to be the one called,or

(B) in the case of a business, the call wasmade to a place of business and theconversation related to businessreasonably transacted over thetelephone....141

The question of whether a writing is properlyauthenticated is primarily one of law for the court; if thecourt decides the question affirmatively, it is ultimately forthe jury.142 The court will make no assumptions as to theauthenticity of documents in deciding their initialadmissibility.143 The difficulty presented here is that theFederal Rules of Evidence seem to require authentication oftelephone calls by reference to their specific content.144 Thespecific content of a given phone call is not demonstrated byphone logs showing merely the date and time the call occurred.

The authentication of extrinsic documents may besubject to a "best evidence rule" objection. As stated inFederal Rule of Evidence 1002:

REQUIREMENT OF ORIGINAL: To prove the contents of a

---


20/38


writing, recording, or photograph, the original of thatwriting, recording, or photograph is required, unlessprovided otherwise in these rules or by an act of

Congress.145

Since its introduction in the 18th century, variousrationales have been posited for this rule.146 While earlierwriters asserted that the rule is intended to prevent fraud,most modern commentators agree that the rule's main purpose isto convey to the court the exact operative effect of thewriting's contents.147

However, at least one jurisdiction has implicitly

equated compliance with the business records exception with theBest Evidence Rule. In Louisiana v. Hodgeson,148 the defendantin a manslaughter trial contended that a printout of hertelephone bill, offered to show communications between her and athird party, was not authenticated.149 The court, while makingno specific reference to the authentication point, rejecteddefendant's contention, noting that the information from thecomputer's storage was the company's business record and that itwas accessible only by printout.150

Similarly, in an Indiana bank robbery prosecution,151the state offered microfiche copies of the telephone company'scomputerized records showing certain telephone calls from

defendant. On appeal, defendant argued that these documents werenot authenticated because they were not the "original or firstpermanent entry," and that they therefore should not have beenadmitted into evidence. The court disagreed, saying that aduplicate was admissible to the same extent as an original


unless a "genuine issue" were raised as to the authenticity ofthe original.152

By these precedents, then, provided plaintiff userestablishes that both the telephone and BBS user records wereprepared in accordance with the business records exception,153the fact that a call from the masquerader's phone is shown tohave occurred at the same instant the libellous message wasposted may be sufficient to authenticate that the call was madeby the masquerader. Other circumstantial evidence adduced byplaintiff user would strengthen this inference.154

Another authentication hurdle in plaintiff's case isthe requirement that the entire original record sought to be

authenticated be produced.155 This requirement can prove highlyimpractical in situations where there are vast numbers ofindividual records extending over long periods of time.156


21/38

Requiring plaintiff to produce the entire body of these recordswould be unduly expensive and time-consuming. What is more, ifplaintiff were to attempt to summarize vast computerizedbusiness data compilations so as to introduce those summariesinto evidence without producing the complete body of computerrecords, such summaries might not be admissible on the groundsthat they were not made "in the regular course of business."157

However, an exception to strict authenticationrequirements of the Federal Rules of Evidence has beendeveloped. Rule 1006 provides:

The contents of voluminous writings, recordings, orphotographs which cannot conveniently be examined incourt may be presented in the form of a chart, summary,


----------------------

or calculation. The originals, or duplicates, shall bemade available for examination or copying, or both, byother parties at reasonable time and place. The courtmay order that they be produced in court.158

In Cotton v. John W. Eshelman & Sons, Inc.,159summaries of certain computerized records were held properlyadmitted into evidence on the theory that "[w]hen pertinent andessential facts can be ascertained only by an examination of a

large number of entries in books of account, an auditor orexpert examiner who has made an examination and analysis of thebooks and figures may testify as a witness and give summarizedstatements of what the books show as a result of hisinvestigation, provided the books themselves are accessible tothe court and to the parties."160 Under this precedent,plaintiff user would only need to produce the pertinent parts ofthe computerized records, as determined by an impartial auditor.IV. CONCLUSION

It is difficult to overestimate the ease with whichcomputers now enable us to compile and exchange information.Computerized "bulletin boards" run on personal microcomputers byprivate persons and businesses are examples of this enhancedform of communication. Users can trade computer programs andexchange a wealth of ideas, opinions, and personal informationthrough such forums.

The advantages of this process break down, however,when malicious users abuse the system and BBS SYSOPSintentionally or negligently allow this to occur. The nature ofcomputerized data is such that tortious misinformation may




22/38

easily be spread to thousands of users before it is discovered.Because the potential for harm to reputation is so tremendous,appropriate standards of liability and methods of proof must beaddressed.

The requisite degree of fault in libelling privatepersons is less than that for libelling public officials/public

figures, and may be established as against a SYSOP by a simpleshowing of his negligent failure to observe reasonably minimalcomputer security measures. The basis of liability for amasquerader who intentionally misappropriates another's privateinformation is even less subject to debate.

Two main evidentiary hurdles face the plaintiff seekingto link the masquerader with his libellous message throughreliance on computer-generated records. First, the hearsay ruleautomatically excludes all evidence produced out-of-court thatis being offered to prove the truth of the matter at hand.Second, the authentication requirement demands that the

masquerader's connection to the entire body of profferedcomputer records be established.

However, certain exception to both of these limitationsease the plaintiff's burden. First, the business recordsexception to the hearsay rule admits computer records intoevidence if they (1) were made reasonably contemporaneously withthe events they record; (2) were prepared/kept in the course ofa regularly conducted business activity; and (3) the businessentity creating these records relied on them in conducting itsoperations. Both BBS and telephone company records may come

---


under this exception. Second, the voluminous writings exceptionallows the contents of voluminous computerized records whichcannot conveniently be examined in court to be presented in theform of a summary. So long as the original records or duplicatesthereof are available for examination by other parties atreasonable times and places, the entire data compilation neednot be produced. Plaintiff should employ both of theseexceptions in an effort to convince a jury by a preponderance ofthe evidence that the masquerader has abused his computer skillsand has damaged plaintiff's reputation.

==============================================Resent-Message-Id:

id AA20305; Fri, 20 Apr 90 12:46:45 PDT~Date: Fri, 20 Apr 90 12:42:02 PDT~From: Lang Zerner Message-Id: ~Subject: Sysops and libel liability -- endnotesResent-Date: Sat, 21 Apr 90 0:05:23 CDTResent-From: [email protected]: [email protected]

Status: ROHere are the endnotes to the paper I submitted in a separate message.Be seeing you...


23/38

==Lang=======


ENDNOTES

1. 418 U.S. 323, 94 S.Ct. 2997, 41 L.Ed.2d 789 (1974).

2. These interests can cover anything from science fictionto gourmet cooking. Uyehara, Computer Bulletin Boards:Let the Operator Beware, 14 Student Lawyer 28 (1986).

3. Id., at 30.

4. The data service Compuserve is one such national BBS

run for profit by business organizations. Uyehara, at28. Other examples of large databases of interest tothe legal profession are computerized research servicessuch as LEXIS and WESTLAW.

5. Uyehara, at 28; Manning, Bulletin Boards: Everybody'sOnline Services, Online, Nov. 1984, at 8,9. "Modem" isdefined infra, note 17 and accompanying text.

6. "...computer bulletin boards offer their usersimportant benefits. An individual can use a bulletinboard to express his opinion on a matter of publicinterest. He may find a review of a product he is

considering buying. He may find a useful piece ofsoftware. An individual might also use the bulletinboard to ask a technical question about a specificcomputer program." Note, Computer Bulletin BoardOperator Liability For User Misuse, 54 Fordham L.Rev.439, 440 (1985) (Authored by Jonathan Gilbert); seealso Lasden, Of Bytes And Bulletin Boards, N.Y.Times,August 4, 1985, sec. 6, at 34, col. 1, where the authornotes computer users may now use BBSes to voice theiropinions directly to State Senators' offices.

7. "Virus" Hits Nation's Research Computers, San JoseMercury News, Nov. 4, 1988, at 1, col. 1.

8. "It is estimated that the theft of long-distanceservices and software piracy each approximate $100million a year; credit card fraud via computers costsabout $200 million annually." Pittman, ComputerSecurity In Insurance Companies, 85 Best's Rev. - Life-Health Ins. Edition, Apr. 1985 at 92.

9. Schiffres, The Shadowy World of Computer "Hackers,"U.S. News & World Report, June 3, 1985, at 58.

10. Pollack, Free Speech Issues Surround Computer Bulletin

Board Use, N.Y. Times, Nov. 12, 1984, note 1, at D4,col. 6.


24/38


11. Note, 54 Fordham L.Rev. 440-441 (1985).

12. Poore and Brockman, 8 Nat'l L.J. 14, (1985).

13. See infra, Topic III, Problems of Proof.

14. The uncertainty revolves around how to define BBSes.When viewed as analogous to newspapers and other media,SYSOPS would be responsible for any message posted ontheir systems, much as newspaper editors areresponsible for articles appearing in their medium.Uyehara, 14 Student Lawyer 30 (1986). But when BBSesare compared to a bulletin board found in a public hallor supermarket, the liability issue is focused more on

those actually posting the messages rather than on theboard's owner. Id., at 30. This Comment suggests thatBBS SYSOPs be held to a reasonable standard of careemerging specifically for their endeavors. See infra,Topic II.

15. Poore and Brockman, 8 Nat'l L.J. 14, (1985). Anotherwriter has noted that Compuserve now has over 200,000users making use of nearly 100 diverse databases.Lasden, Of Bytes And Bulletin Boards, N.Y. Times,August 4, 1985, sec. 6, at 34, col. 1.

16. Poore and Brockman, 8 Nat'l L.J. 14 (1985).

17. 14 Am Jur. POF 2d Computer-Generated Evidence Sec. 11(1977).

18. Note, 54 Fordham L.Rev. 439, 446 (1985).

19. Id.

20. See "Account," infra, note 25 and accompanying text.

21. Garfinkel, An Introduction to Computer Security, 33Prac. Law.41-42 (1987).

22. Id.

23. See infra, notes 25 and 27 and accompanying text.

24. Some more sophisticated operating systems providegreater access control by (1) recording unauthorizedattempts at entry; (2) recording those attempts andsending a warning to the perpetrator; and (3) keepingthe perpetrartor off the system permanently untilhe/she is reinstated by the computer's securityadministrator or SYSOP. Balding, Computer Breaking andEntering: The Anatomy of Liability, 5 Computer Lawyer,

Jan. 1988, at 6.---Defamation Liability of Computerized BBS Operators


25/38


25. Garfinkel, An Introduction to Computer Security, 33Prac. Law. 42 (1987).

26. Id.

27. Id. "A password is a secret word or phrase that shouldbe known only to the user and the computer. When theuser first attempts to use the computer, he must firstenter the password. The computer then compares thetyped password to the stored password and, if theymatch, allows the user access."

28. Id., at 42 and 46.

29. 14 Am. Jur. POF 2d Computer-Generated Evidence Sec. 11(1977).

30. 54 Fordham L.Rev. 439, note 2 (1985).

31. Restatement (Second) of Torts Sec. 568(1) (1976).


33. Restatement (Second) of Torts Sec.559 (1976).

34. Veeder, The History and Theory of the Law ofDefamation, 3 Colum. L.Rev. 546, 569-571 (1903).

35. Restatement (Second) of Torts Sec. 622 (1976).

36. Restatement, Torts Sec. 568, comment d (1938).

37. Shor v. Billingley, 4 Misc.2d 857, 158 N.Y.S.2d 476(Sup. Ct. 1956), aff'd mem., 4 App.Div. 2d 1017, 169N.Y.S.2d 416 (1st Dep't. 1957).

38. Torts: Defamation: Libel-Slander Distinction:Extemporaneous Remarks Made on Television Broadcast:Shor v. Billingley, 4 Misc. 2d 857, 158 N.Y.S.2d 476(Sup.Ct. N.Y. County 1957), 43 Cornell L.Q. 320, 322(1957) (Authored by Stephen A. Hochman).

39. Id.

40. 376 U.S. 254, 84 S.Ct. 710, 11 L.Ed.2d 686 (1964),motion denied 376 U.S. 967, 84 S.Ct. 1130, 12 L.Ed.2d83.

41. 376 U.S. 254, 273.

42. 376 U.S. 254, 280.

43. 418 U.S. 323, 94 S.Ct. 2997, 41 L.Ed.2d 789 (1974).


26/38


44. Gertz v. Robert Welch, Inc., 418 U.S. 323, 326.

45. Id.

46. Id., at 327.

47. "...those who hold governmental office may recover forinjury to reputation only on clear and convincing proofthat the defamatory falsehood was made with knowledgeof its falsity or with reckless disregard for thetruth." Gertz v. Robert Welch, Inc., 418 U.S. 323, 342."An individual who decides to seek governmental officemust accept certain necessary consequences of thatinvolvement in pubic affairs. He runs the risk of

closer public scrutiny than might otherwise be thecase." Id., at 344.

48. "...[A]n individual may attain such pervasive fame andnotoriety that he becomes a public figure for allpurposes and in all contexts. More commonly, anindividual voluntarily injects himself or is drawn intoa particular public controversy and thereby becomes apublic figure for a limited range of issues. In eithercase such persons assume special prominence in theresolution of public questions." 418 U.S. 323, 351.

49. "Even if the foregoing generalities do not obtain inevery circumstance, the communications media areentitled to act on the assumption that public officialsand public figures have voluntarily exposed themselvesto the increased risk of injury from defamatoryfalsehood concerning them. No such assumption isjustified with respect to a private individual. He hasnot accepted public office or assumed an 'influentialrole in ordering society.' Curtis Publishing Co. v.Butts, 388 U.S., at 164 ...He has relinquished no partof his interest in the protection of his own good name,and consequently he has a more compelling call on thecourts for redress of injury inflicted by thedefamatory falsehood. Thus, private individuals are notonly more vulnerable to injury than public officialsand public figures; they are also more deserving ofrecovery." Id., at 345.

50. "...[P]etitioner was not a public figure. He ...plainly did not thrust himself into the vortex of thispublic issue, nor did he engage the public's attentionin an attempt to influence its outcome." Id., at 352.

51. Justice Powell noted for the Court that

"[T]he communications media are entitled to act onthe assumption that public officials and publicfigures have voluntarily exposed themselves to


27/38

increased risk of injury from defamatory falsehood---Defamation Liability of Computerized BBS Operators& Problems of Proof (C) 1989 John R. Kahn 39----------------------

concerning them. No such assumption is justifiedwith respect to a private individual. He has not

accepted public office or assumed an 'influentialrole in ordering society....' He has relinquishedno part of his interest in the protection of hisown good name, and consequently he has a morecompelling call on the courts for redress of injuryinflicted be defamatory falsehood. Thus, privateindividuals are not only more vulnerable to injurythan public officials and public figures; they arealso more deserving of recovery." Id., at 345.

52. Id., at 347.

53. Keeton, Dobbs, Keeton and Owen, Prosser and Keeton onTorts, sec. 32, p.174. See also Vaughn v. Menlove, 3Bing. (N.C.) 467, 132 Eng.Rep. 490 (1837).

54. 111 Cal. App. 2d 424, 244 P.2d 757, 28 ALR2d 451(1952).

55. 111 Cal. App. 2d 424, 427.

56. Id., at 426.

57. Id, at 427.


59. 22 Ohio App.2d 141, 259 N.E.2d 160 (1970).

60. Scott v. Hull, 259 N.E.2d 160, 162 (1970).

61. Id., at 161.

62. Id., at 162.

63. 836 F.2d 1042 (7th Cir. 1987).

From kadie Sat Oct 12 09:54:35 1991To: cafb-mail~Subject: Computers and Academic Freedom mailing list (batch edition)Status: R

Computers and Academic Freedom mailing list (batch edition)Sat Oct 12 09:54:16 EDT 1991

[For information on how to get a much smaller edited version of thelist, send email to [email protected]. Include the line:

send acad-freedom caf


28/38

- Carl ]

In this issue:

:

The addresses for the list are now:

[email protected] - for contributions to the listor [email protected]

[email protected] - for automated additions/deletions(send email with the line "help" for details.)

[email protected] - for administrivia

-------------------

64. Id., at 1047.

65. The Court of Appeals noted the Restatement view and

observed that Indiana law had neither embraced norrejected that approach. Id., at 1046.

66. Id.

67. Id.

68. Id., at 1046-47.

69. Id.

70. Recall that in our hypothetical a third user


masquerading as another is transmitting messages toothers, revealing embarassing and false information.

71. BBS systems security and other preventative measuresare discussed more fully infra, Topic 3.d.

72. Issues in proving the SYSOP's role in publishing thelibellous statement are discussed more fully in TopicIII. A., infra.

73. Sydney v. MacFadden Newspaper Publishing Corp., 242N.Y. 208, 151 N.E. 209, 44 A.L.R. 1419 (1926). See alsoRestatement (Second) of Torts Sec. 621 (1976) ("One whois liable for a defamatory communication is liable forthe proved, actual harm caused to the reputation of theperson defamed.")

74. Dun & Bradstreet, Inc. v. Greenmoss Builders, Inc., 472U.S. 749, 86 L.Ed.2d 593, 105 S.Ct. 2939 (1985).

75. See supra, note 53 and accompanying text.


29/38

76. Note, Protecting the Subjects of Credit Reports, 80Yale L.J. 1035, 1051-52, n.88 (1971).

77. Gertz did not rule out an assumption of defendant'snegligence. See Eaton, The American Law of DefamationThrough Gertz V. Robert Welch, Inc., and Beyond: AnAnalytical Primer, 61 Va. L.Rev. 1349 (1975).

78. 15 U.S.C.A. Sec. 1681 et seq. (1974). Two standards areproposed there: the first, willful noncompliance, isdefined as equivalent to the New York Times "actualmalice" standard, and violators are liable for actualand punitive damages. Sec. 1681(n), supra. Presumablythis would apply to the situation where the SYSOP isdilatory in removing the libellous message. The secondproposed standard, negligent noncompliance, occurs inthe absence of willfulness and results in liabilityonly for actual damages. Sec. 1681(o), supra.Situations where the SYSOP failed to adopt reasonable

computer security measures might come under thiscategory.

79. 18 U.S.C.S. Sec. 2707(b),(c) (Law. Co-op 1979 & Supp.1988) provides in pertinent part:(b) Relief. In a civil action under this section,

appropriate relief includes -(1) Such preliminary and other equitable or

declaratory relief as may be appropriate;(2) damages under subsection (c); and(3) a reasonable attorney's fee and other

litigation costs reasonably incurred.(c) Damages. The court may assess as damages in a


civil action under this section the sum of theactual damages suffered by the plaintiff andany profits made by the violator as a resultof the violation, but in no case shall aperson entitled to recover receive less thanthe sum of $1,000.

18 U.S.C.S. Sec. 2707(e) (Law. Co-op 1979 & Supp. 1988)limits the civil action under this section to two yearsafter the date upon which the claimant first discoveredor had a reasonable opportunity to discover theviolation.As to damage provisions supplied by state law, seeCalifornia Penal Code 502(e)(1),(2) (West Pub. 1988):(e)(1) In addition to any civil remedy available,the owner or lessee of the computer, computersystem, computer network, computer program, or datamay bring a civil action against any personconvicted under this section for compensatorydamages, including any expenditure reasonably andnecessarily incurred by the owner or lessee to

verify that a computer system, computer network,computer program, or data was not altered, damaged,or deleted by the access. For purposes of actions


30/38

authorized by this subdivision, the conduct of anunemancipated minor shall be imputed to the parentor legal guardian having control or custody of theminor, pursuant to the provisions of Section 1714.1of the Civil Code.(2) In any action brought pursuant to thissubdivision the court may award reasonable

attorney's fees to a prevailing party.

80. A lawsuit recently filed in the United States DistrictCourt for the Southern District of Indiana may breaknew ground in enunciating precisely what BBS SYSOPs'reasonable duties of care are. Thompson v. Predaina,Civil Action #IP-88 93C (S.D. Ind. filed 1988). Thecomplaint alleges, inter alia, invasion of plaintiffuser's privacy, libel, and wrongful denial of access tothe BBS in violation of U.S.C. Title 18, ss 2701(a)(2). As to statutory damages available, see infra,

note 105.

81. Gemignani, Computer Law 33:7 (Lawyers Co-op 1985, Supp.1988) (quoting Capitol PC Users Group Minimum Code ofStandards for electronic Bulletin Board Systems,reprinted in 4 Computer Law Reptr. 89).

82. Note, 54 Fordham L.Rev. 439, 449 (1985) (Authored byJonathan Gilbert).

83. Id., at 449.

84. Id., at 449-50.


85. A "trojan horse" program takes control of the BBS andallows its sender to access and steal its mostsensitive information. Fites, Johnston and Kratz, TheComputer Virus Crisis, Van Nortrand/Reinhold (1989), at39 and 45.

86. Balding, Computer Breaking and Entering: The Anatomy ofLiability, 5 Computer Law. (January 1988), at 6.

87. Id.

88. Hellar v. Bianco, 244 P.2d 757. See supra, note 54 andaccompanying text.

89. Restatement (Second) of Torts Sec. 577(2) (1976). Seesupra, note 58 and accompanying text.

90. Tackett v. General Motors Corporation, 836 F.2d 1042(7th Cir. 1987). See supra, note 63 and accompanyingtext.

91. See note 53, supra, and accompanying text.


31/38

92. It has been suggested that this would be the roughequivalent of a newspaper publishing a retraction afterdiscovering what it had printed was defamatory. Note,54 Fordham L.Rev. 439, note 55 (1985). BBS operatorsshould not be held liable in this situation insofar asthey did not know of the nature of the statement at the

time it was made. Restatement (Second) of Torts Sec.581 (1977).

93. Proving the masquerader's actions is discussed morefully infra, Topic III. B.

94. Stipp, Computer Bulletin Board Operators Fret OverLiability for Stolen Data, Wall St. J. Nov. 9, 1984, at33, col. 1.

95. Id.

96. See Topic I., supra, where the masquerader hasdiscovered and uses the password and name of theregular user; he appears for all intents and purposesto be that regular user.

97. 836 F.2d 1042 (7th Cir. 1987).

98. Id., at 1047.

99. Id.

100. Indeed, U.S.C. Title 18, Sec. 2702 (Law. Co-op 1979 &---


Supp. 1988) proscribes the knowing dissemination of anelectronically stored communication by the SYSOP:Sec. 2702. Disclosure of contents(a) Prohibitions. Except as provided in subsection

(b)-(1) a person or entity providing an

electronic communication service to thepublic shall not knowingly divulge to anyperson or entity the contents of acommunication while in electronic storageon that service; and

(2) a person or entity providing remotecomputing service to the public shall notknowingly divulge to any person or entitythe contents of any communication whichis carried or maintained on that service-(A) on behalf of, and received by means

of electronic transmission from (orcreated by means of computerprocessing of communicationsreceived by means of electronictransmissions from), a subscriber or

customer of such service; and(B) solely for the purpose of providing

storage or computer processing


32/38

services to such subscriber orcustomer, if the provider is notauthorized to access the contents ofany such communications for purposesof providing any services other thanstorage or computer processing.

A similar provision is embodied in Cal. Pen. Code sec.502(c)(6) (West Pub. 1988), which provides:

(c) Except as provided in subdivision (i),

any person who commits any of thefollowing acts is guilty of a publicoffense:(6) Knowingly and without permission

provides or assists in providing ameans of accessing a computer,computer system, or computer networkin violation of this section.

101. The doctrine of res ipsa loquitor, or "the thing speaksfor itself" warrants the inference of the SYSOP'snegligence, which the jury may draw or not as itsjudgement dictates. See Sullivan v. Crabtree, 36Tenn.App. 469, 258 S.W.2d 782 (1953).

102. See discussion under Topic II. B., supra.

103. As someone who intentionally accesses confidentialpassword information to masquerade as other users on

other BBSes, the masquerader falls well within the pale


of "actual malice" defined in Gertz v. Robert Welch,Inc., 418 U.S. 323, 342, supra, note 43 andaccompanying text (a defamatory falsehood was made withknowledge of its falsity or with reckless disregard forthe truth).

104. Evidentiary problems involved with proving themasquerader's actions are discussed more in Topic III.B., infra.

105. 18 U.S.C.S. Sec. 2707(a) (Law. Co-op 1979 & Supp. 1988)describes the masquerader's fault thus:(a) Cause of action. Except as provided in section

2703(e), any provider of electroniccommunication service, subscriber, or customeraggrieved by any violation of this chapter inwhich the conduct constituting the violationis engaged in with a knowing or intentionalstate of mind may, in a civil action, recover

from the person or entity which engaged inthat violation such relief as may beappropriate.


33/38

California Penal Code sec. 502(c) et seq. (West Pub.1988) is even more specific:(c) Except as provided in subdivision (i), any

person who commits any of the following actsis guilty of a public offense:(1) Knowingly accesses and without permission

alters, damages, deletes, destroys, orotherwise uses any data, computer,computer system, or computer network inorder to either(A) devise or execute any scheme or

artiface to defraud, deceive, orextort, or

(B) wrongfully control or obtain money,property or data.

* * *(3) Knowingly and without permission uses or

causes to be used computer services.

(4) Knowingly accesses and without permissionadds, alters, damages, deletes, ordestroys any data, computer software, orcomputer programs which reside or existinternal or external to a computer,computer system, or computer network.

* * *(7) Knowingly and without permission accesses

or causes to be accessed any computer,computer system, or computer network.

106. Gertz v. Robert Welch, Inc., 418 U.S. 323, 342.

107. In addition to the remedies set forth in note 105,---Defamation Liability of Computerized BBS Operators& Problems of Proof (C) 1989 John R. Kahn 45----------------------

supra, the following federal and state penalties mayapply:18 U.S.C.S. Sec. 2701(b),(c) (Law. Co-op 1979 & Supp.1988):(b) Punishment. The punishment for an offense

under subsection (a) of this seciton is -(1) if the offense is committed for purposes

of commercial advantage, maliciousdestruction or damage, or privatecommercial gain -(A) a fine not more than &250,000 or

imprisonment for not more than oneyear, or both, in the case of afirst offense under thissubparagraph; and

(B) a fine under this title orimprisonment for not more than twoyears, or both, for any subsequentoffense under this subparagraph; and

(2) a fine of not more than $5,000 orimprisonment for not more than sixmonths, or both, in any other case.


34/38

(c) Exceptions. Subsection (a) of this sectiondoes not apply with respect to conductauthorized-(1) by the person or entity providing a wire

or electronic communications service;(2) by a user of that service with respect to

a communication of or intended for that

user; or(3) in section 2703, 2704, or 2518 of this

title.

For an example of state-mandated damages provisions onthis subject, see California Penal Code sec. 502(d) etseq. (West Pub. 1988).

108. See discussion under Topic II. B., supra.

109. See note 101, supra.

110. "Custom...bears upon what other will expect the actorto do, and what, therefore, reasonable care may requirethe actor to do, upon the feasibility of takingprecautions, the difficulty of change, and the actor'sopportunity to learn the risks and what is called forto meet them. If the actor does only what everyone elsehas done, there is at least an inference that the actoris conforming to the community's idea of reasonablebehavior." Keeton, Dobbs, Keeton and Owen, Prosser andKeeton on Torts, sec. 33, p.194. See also James,Particularizing Standards of Conduct in NegligenceTrials, 5 Vand. L. Rev. 697, 709-714 (1952); Ploetz v.Big Discount Panel Center, Inc., 402 So.2d 64 (Fla.

App. 1981).---Defamation Liability of Computerized BBS Operators& Problems of Proof (C) 1989 John R. Kahn 46----------------------

111. See notes 80-93, supra, and accompanying text.


113. See Pfau and Keane, Computer Logs Can Pinpoint IllegalTransactions, Legal Times of Washington, vol. 6, p.16(May 14, 1984): "Computers can monitor their own use.Unlike other such forms of physical evidence such asguns, computers can keep track of individual users andother identifying data. Imagine a gun that logs everyinstance it is fired or even handled, and shows thedate, time, and activity. Recovery of such a weaponwould be essential to the prosecution."Most computers have long had built-in loggingcapabilities....The log function was designed tofacilitate billing for the use of computer resourcesrather than to assist crime detection. To the extentthat the owner of a smaller computer does not charge

for its use, he or she has no incentive to purchase aself-executing log. Still, such logs keep surprisinglyaccurate records of who is using the computer."


35/38

114. Fed. R. Evid. 801(c).

115. Fed. R. Evid. 802: "Hearsay is not admissible except asprovided by these rules or by other rules precribed bythe Supreme Court pursuant to statutory authority or byAct of Congress." Exclusion of hearsay evidence is

grounded on: (1) nonavailability of the declarant forcross-examination and observance of demeanor; (2)absence of an oath by the person making the statement;amd (3) significant risk that the person that thewitness may report proffered statements inaccurately. 2Bender, Computer Law, sec. 6.01[2].

116. Gemignani, The Data Detectives: Building A Case FromComputer Files, 3 Nat'l L.J. 29 (1981).

117. Fed. R. Evid. 803(6). See also 2 Bender, Computer Law,sec. 6.01[4] (1988).

118. Fed. R. Evid. 803(6).

119. Id. In current practice records kept by nonprofitorganizations, such as churches, have long been held tobe admissible. Ford v. State, 82 Tex.Cr.R. 638, 200S.W. 841 (1918). It is at least arguable that acomputerized BBS, although run as a hobby, falls underthe same classification.

120. See Iowa Code Ann. Sec. 622.28; People v. Lugashi, 252Cal.Rptr 434 (Cal.App. 2 Dist. 1988).

---


121. See 14 Am.Jur. POF2d Sec. 15 (1977, Supp. 1988). Cf.United States v. De Georgia, 420 F.2d 889, 2 CLSR 479,484 (1969, CA9 Ariz), where it was held that it isimmaterial whether a business record is maintained in acomputer rather than in company books regardingadmissibility of those records, so long as (1) thetrial court requires the proponent of the computerizedrecords to lay a foundation as to theirtrustworthiness, and (2) the opposing party is giventhe same opportunity to inquire into the computer'saccuracy as he would have to inquire into the accuracyof written business records.

122. The BBS program run on the SYSOP's computer ordinarily"stamps" the date and time of day each user logs ontothe BBS. A corresponding record is automaticallyaffixed to each piece of electronic mail posted so thatthe reader knows when it was added to the database.Similarly, the telephone company maintains copiousrecords of the date and time each phone call isconnected in its dialing area. The caller has no

control over either of these processes.

123. 252 Cal.Rptr. 434 (Cal.App. 2 Dist. 1988).


36/38

124. Id., at 437.

125. Id.

126. Id.

127. Id., at 439.

128. Id., at 437.

129. Id., at 440.

130. Id., at 442. See also United States v. Russo, 480 F.2d1228 (CA6 Mich, 1973), cert den 414 U.S. 1157, 94 S.Ct.915, 39 L.Ed.2d 109; Capital Marine Supply, Inc. v. M/VRoland Thomas II, 719 F.2d 104 (1983 CA5 La), 104 FedRules Evid Serv 731; Peoples Cas & Coke Co. v. Barrett,118 Ill.App.3d 52, 73 Ill. Dec. 400, 455 N.E.2d 829

(1983).

131. 432 So.2d 837 (La., 1983).

132. Id., at 839-40.

133. Id., at 839.

134. United States v. Verlin, 466 F.Supp. 155 (ND Tex,1979).


----------------------

135. Id., at 158.

136. The reasonable SYSOP should offer his full cooperationin aiding the maligned user to regain her good name byproviding her with his BBS' phone-in records made atthe time the libellous message appeared. See note 93,supra.


138. Cf. note 118, supra. As to an electronic BBS beingclassified as a "business" for hearsay purposes, seenote 120, supra.


140. Authentication has been broadly described thus: "[W]hena claim or offer involves impliedly or expressly anyelement of personal connection with a corporeal object,that connection must be made to appear...." Wigmore,Evidence, Sec. 2129 at 564 (2d ed. 1972). Thisrequirement is also known as the "Best Evidence Rule."

141. Fed. R. Evid. 901(a),(b)(6).

142. 2 Bender, Computer Law, sec. 5.03[1][a] (1988).


37/38

143. Id.

144. See Fed. R. Evid. 901(b)(6): "(6) Telephoneconversations. Telephone conversations, by evidencethat a call was made to the number assigned at the timeby the telephone company to a particular person or

business, if *** (B) in the case of a business, thecall was made to a place of business and theconversation r

defamation liability of computerized bulliten board operators

Documents