|
Grex > Oldcoop > #240: Subpoenas and Similar Inquiries. | |
|
| Author |
Message |
| 25 new of 106 responses total. |
tod
|
|
response 75 of 106:
|
Feb 16 20:18 UTC 2005 |
Sounds like a great idea. Will the policy include a remedy for rogue staffers
that ignore it?
|
aruba
|
|
response 76 of 106:
|
Feb 16 22:11 UTC 2005 |
I suggest the board appoint someone whose job it is to take the point
position on any subpoenas that come in, rather than automatically making
that person be the president.
|
tod
|
|
response 77 of 106:
|
Feb 16 23:55 UTC 2005 |
Isn't the point position of the BoD the president by default?
|
richard
|
|
response 78 of 106:
|
Feb 17 04:18 UTC 2005 |
re #74 dpc, shouldn't any proposed policy re: subpoenas be subject to
a member vote? I don't think the board members should reserve the
right to make this decision themselves. This is a new company policy
being suggested. Don't submit it at the board meeting. Request a
membership wide vote!
|
other
|
|
response 79 of 106:
|
Feb 17 12:34 UTC 2005 |
In this case, I think the value of having a policy in place sooner
exceeds the value of having the entire membership enact one.
Of course, if a member wants to propose a policy for member vote, why
wait for the board meeting to happen?
|
mary
|
|
response 80 of 106:
|
Feb 17 14:06 UTC 2005 |
Please let's not let this become the uproar of the week. Have we
even finished with the long login ID crisis yet?
The proposed action really doesn't do anything to protect users or
establish a way to consistently handle subpoenas. The last and only
ones we've had, two total, both were handled fine. One was from law
enforcement about an account hoarding scads of credit card numbers. Our
staff had already frozen the account. The second was looking for ID
on an account that was 100% pseudo. Not sure if there was anything
there that would have been useful. We couldn't have even contacted
the user to do an internal investigation. All staff and board were
in on these issues, at least those who were reading their mail.
The proposed policy goes backwards, leaving this up to one person to
handle as they see fit. Yucko. I'd like to continue to see all
available staff and board in on these discussions. And the policy
crafted, carefully, getting input from everyone who cares to
contribute and looking at how other systems have proceeded. We do
not need to rush. We're not in crisis mode here. We've got time to
do it right.
|
remmers
|
|
response 81 of 106:
|
Feb 17 16:54 UTC 2005 |
Definitely not crisis -- my memory jibes with Mary's; the grand total of
subpoenas that Grex has received in its 13+ years of existence, to the
best of my knowledge, is T W O .
|
tod
|
|
response 82 of 106:
|
Feb 17 16:57 UTC 2005 |
re #81
I think it warrants discussion but not immediate policy making.
|
naftee
|
|
response 83 of 106:
|
Feb 17 17:41 UTC 2005 |
Nothing on GreX should warrant policy making!
|
aruba
|
|
response 84 of 106:
|
Feb 17 18:08 UTC 2005 |
There was one other subpoena, from Best Buy, alleging that a user had posted
the Black Friday sales prices on his Grex website. It turned out the prices
were a year old, so I just called the lawyer who issued the subpoena, she
checked, and then said we didn't need to do anything.
|
richard
|
|
response 85 of 106:
|
Feb 17 19:56 UTC 2005 |
The fact that there have been only two or three subpoenas served in
the past is not necessarily an indication of what will happen in the
future. Grex wants to establish a blogosphere and blogging will
probably bring more people here and create the potential for more such
issues.
Perhaps this issue can be avoided by use of a good mail encryption
program, that has a second password to the mail program which triggers
the de-encryption process, so that even staff using root can't see
anything in mail text that isn't encrypted. Staff then could have a
policy that if at any time they have to reset the mail password, the
resetting of the pw will trigger a bulk erasing of any mail files
stored on the system. The idea is to render a subpoena pointless by
making it so even the staff can't retrieve unencrypted mail text, only
delete it.
This protects staff in cases like the one mary mentioned where
somebody was storing credit card numbers. Law enforcement could
easily have jumped to the conclusion that any member of staff with
root could have accessed all those credit card numbers, and thus
requested subpoenas for all the staff logins to see if any of those
credit card numbers were moved around.
|
tod
|
|
response 86 of 106:
|
Feb 17 21:16 UTC 2005 |
Please don't dilute the discussion by mixing civil and criminal subpoenas.
|
other
|
|
response 87 of 106:
|
Feb 18 04:00 UTC 2005 |
Dave's proposal doesn't preclude the staff dealing with something (if
the president so desires), but it does identify a responsible
individual, and it does allow us to make it clear that we do have a
policy, and therefore, that we have given the concern appropriate
consideration.
|
tod
|
|
response 88 of 106:
|
Feb 18 19:08 UTC 2005 |
I do not think the appropriate consideration has been given to: The Electronic
Communications Privacy Act (ECPA) nor the Privacy Protection Act (PPA).
Here's an example: The PPA prohibits searches and seizures of material that
an individual intends to publish or broadcast (including documentary
material.) Exceptions to that PPA prohibition could be criminal contraband,
fruits of a crime, or property designed to commit crime; searches needed to
prevent imminent death or injury; child porn; etc.
With that knowledge I've just furnished you, if you were to "disclose"
contents of my home directory to an attorney that asks for it by subpoena
because he represents someone who is doing discovery to find if it's viable
to sue me because I called him a fuckhead then I would by all means have the
authority to seek civil liability damages against the officers and corporation
of Cyberspace for not protecting material I intended to publish.
I appreciate that many are hesitant to consult with an attorney on developing
a policy but I think they are not fulfilling their duties as members of the
BoD when they say "We've done enough. Sweep it under the rug."
(I apologize for my lack of punctuation, btw.)
|
mary
|
|
response 89 of 106:
|
Feb 18 19:28 UTC 2005 |
That's what our policy should address. Advising users on what our
actions will be when served a subpoena. Users should know up-front
and then exercise caution on what information they give us or store
here.
|
tod
|
|
response 90 of 106:
|
Feb 18 19:59 UTC 2005 |
And writing the policy should not be enough. I think it should be made clear
on a regular basis to all users. Maybe a reminder in the motd that disappears
after a user has logged in a few times and then it reappears a year later to
remind them again.
|
richard
|
|
response 91 of 106:
|
Feb 18 20:41 UTC 2005 |
tod said:
"With that knowledge I've just furnished you, if you were to "disclose"
contents of my home directory to an attorney that asks for it by
subpoena because he represents someone who is doing discovery to find
if it's viable to sue me because I called him a fuckhead then I would
by all means have the authority to seek civil liability damages
against the officers and corporation of Cyberspace for not protecting
material I intended to publish."
The problem with that is I don't think that the simple fact of your
storing a file on grex's computer system is sufficient proof that you
intended to publish that information. Obviously not all files stored
here are done so for the intent of publishing, now or in the future
and I doubt the court would make broad assumptions or let you claim
every file you have is intended for publication. If you can claim "intent
to broadcast" for every line of every file you store on any computer
system, you successfully overextend the intent of the law.
The ECPA also says:
"It shall not be unlawful under this chapter for an
operator of a switchboard, or an officer, employee, or agent of a
provider of wire or electronic communication service, whose
facilities are used in the transmission of a wire or electronic
communication, to intercept, disclose, or use that communication
in the normal course of his employment while engaged in any
activity which is a necessary incident to the rendition of his
service or to the protection of the rights or property of the
provider of that service"
Doesn't that mean that any staffer has the right to delete or disclose
to outside parties any file or files or communications on its system,
that are necessary to continued rendition of service, or protection of
the rights and property of that service?
So are you saying that by simply claiming "intent to publish", you can
circumvent the above section of that act and sue anybody who deletes
or turns over your files without having criminal cause?
|
richard
|
|
response 92 of 106:
|
Feb 18 20:57 UTC 2005 |
What Grex needs to be concerned about IMO is the Children's Online
Privacy Protection Act, which has been toughened in recent years and
lays out specific rules for web sites-- commercial or otherwise-- that
knowingly or otherwise allow access from children under 13 and collect
personal data from children under 13.
The act says:
"An operator must post a link to a notice of its information practices
on the home page of its Web site or online service and at each area
where it collects personal information from children."
Grex's newuser program prompts for name, birthdate and other stats,
even if giving such info is not mandatory. Children under 13 running
newuser who give grex this information make grex subject to this act.
It also says:
"Parents have the option to agree to the collection and use of the
child's information"
It also says:
"When operators want to disclose a child's personal information to
third parties or make it publicly available (for example, through a
chat room or message board), the sliding scale requires them to use a
more reliable method of consent, including:
getting a signed form from the parent via postal mail or facsimile;
accepting and verifying a credit card number in connection with a
transaction;
taking calls from parents, through a toll-free telephone number
staffed by trained personnel;
email accompanied by digital signature"
Grex does none of these things, does it, even when aware that a newuser
has identified himself/herself as being under age 13.
If a child under 13 creates a new user login and grex displays in the
child user's .plan, their personal information (birthdate, address,
whatever they put in there), without getting consent from their
parent(s), grex is in violation of the CPPA and could be subject to heavy
fines.
So I think the newuser program needs to be revised, I think newuser
should no longer prompt for any such personal information, even if it
is being asked for voluntarily and even if the user has the option not
to display it.
The Bush Administration has dramatically toughened CPPA requirements
and other such related to web sites that allow child usage, so I think
grex should certainly consult a lawyer to determine how vulnerable it
will be in continuing to allow non-verified access to the system.
Grex may legally need to know in the future that its new users are
over a certain age, or have consent from their parents to use this
system if they are not.
|
richard
|
|
response 93 of 106:
|
Feb 18 21:14 UTC 2005 |
information grex should no longer be asking for in newuser:
"What is your full name"
"Enter your address"
"Enter your telephone number"
"What is your birthdate"
"What is your sex?"
Even though newuser gives the user the option to hide all that
information, or in the sex and birthdate prompts the option to not
answer at all, a child user under 13 doesn't have the right to make
the decision to give that information or not, without their parents'
permission. A child under 13 cannot legally make that information
viewable over the internet without the permission of their parents.
If a child user creates a newuser login, and makes their .plan
viewable and grex is suddenly publishing to anyone who reads this
user's .plan the child's name, address and telephone number, grex is
opening itself to a lawsuit from the child's parents. All grex needs
is for some young child to create a new login, with their personal
info viewable in their .plan, and then to go on party and meet the
wrong person. Then the wrong person reads their .plan, goes and finds
them and kidnaps them. Grex then opens itself up to serious legal
liabilities.
I think Grex needs to either remove the option to make .plan personal
info viewable for everyone, or just don't ask those questions at all.
|
tod
|
|
response 94 of 106:
|
Feb 18 22:19 UTC 2005 |
re #92
So are you saying that by simply claiming "intent to publish", you can
circumvent the above section of that act and sue anybody who deletes
or turns over your files without having criminal cause?
First, let's get one thing straight. There are civil subpoenas which have
NOTHING to do with criminal law nor compel ANYONE.
Second, to answer your question, YES, if you claim and PROVE "intent to
publish" then you can sue for damages if the material has made it into the
public eye or hands of those you do not wish. If I have text files of stories
I've written, editorials I've copywritten, or research material on
documentaries or whatever that I'm putting into print, then, yes, it could
potentially cause problems for Cyberspace.
The point I'm making is that the PPA covers digital material being stored on
an ISP's system.
|
richard
|
|
response 95 of 106:
|
Feb 18 22:33 UTC 2005 |
#94 okay I understand, I was just saying how can you prove intent to
publish? What are the legal standards to prove that? Just because
you have typed something into a private file on an ISP doesn't
automatically prove that you intended to later move it to a public
file or otherwise publish it. Do you think a judge is simply going to
take your word that "at some point I intended to publish this" and
award you damages? I'd think you'd have to have some outside way of
verifying that what you had stored on file was going to be published
or made public later. Some people write poems and stories for their
own entertainment and with no intent whatsoever to publish them or
post them anywhere. So maybe you are overstating the potential for
problems to be caused, because before grex could be sued, you'd have
to satisfy the courts on how the information in the files under
question should be categorized.
|
richard
|
|
response 96 of 106:
|
Feb 18 22:44 UTC 2005 |
And as regards the issues with child users, here's a relevant question:
What if the lawyer of a parent of a child using grex, comes to grex
with a subpoena saying, 'this parent's child established a login with
your system without the parent's permission, the parent demands
his/her child's password or in some manner access to his/her child's
files and his/her child's email'? The new cppa laws I believe give
the parents of children 13 and under the right to ask for such
things. In the case of children 13 and under, there doesn't have to
be evidence of any misdeeds or specific need for a parent to request
such access. But acting on such a subpoena would cause grex to
violate its own privacy rules. The problem is that grex doesn't
require proof of age, so it has no legal way of knowing whether this
child user actually is 13, or under 13, or not. But by asking for
age, it ends up with users who have voluntarily given indication to
grex that they are under age. Which makes grex vulnerable legally.
|
tod
|
|
response 97 of 106:
|
Feb 18 23:25 UTC 2005 |
re #95
#94 okay I understand, I was just saying how can you prove intent to
publish? What are the legal standards to prove that?
If I'm a writer, a simple call to my literary agent to fax you a copy of my
latest contract for a documentary or editorial would be sufficient. The
burden is not IF a person has actual literary works in progress but HOW the
BoD of Cyberspace decides to mitigate problems in the future after being aware
of such a seemingly possible risk. I do not know why you are so quick to
dismiss that anyone on Grex could possibly have anything in their directory
other than to stick your head in the sand so you can "bury the discussion."
A sweeping policy stating any and all content in home directories is up for
grabs by subpoena may not be the right wording. I believe the opinion of an
attorney is a good idea if such a policy is going to exist.
|
richard
|
|
response 98 of 106:
|
Feb 19 00:10 UTC 2005 |
tod wrote:
"A sweeping policy stating any and all content in home directories is
up for grabs by subpoena may not be the right wording. I believe the
opinion of an attorney is a good idea if such a policy is going to
exist."
But a sweeping policy is exactly what is needed to protect Grex.
Something like the following should be put in the newuser program:
"It is understood that cyberspace communications inc. is granting you
a login on grex for your private use. cyberspace communications inc.
reserves the right to assert control of all files and material posted
on grex. This includes, but is not limited to, the right of staff to
delete files or content in any user's login that is determined to be
in violation of grex's rules or is determined to constitute a threat
or potential threat to grex's system security. Cyberspace
communications further reserves the right to turn over any and all
materials contained in user files to legal authorities if said
authorities have showed cause in court and obtained legal subpoenas.
By acceptance of and use of a login on grex, the user acknowledges the
rules stated above, and fully indemnifies cyberspace communications
inc., the board and staff of cyberspace communications inc. and any
organization affiliated or providing service to cyberspace
communications, from any legal challenges or requests for damages as a
result of staff actions to enforce these stipulations."
The user is then prompted for their name and date again and at that
point newuser goes ahead with login creation.
|
tod
|
|
response 99 of 106:
|
Feb 19 01:03 UTC 2005 |
Cyberspace
communications further reserves the right to turn over any and all
materials contained in user files to legal authorities if said
authorities have showed cause in court and obtained legal subpoenas.
That wording still doesn't cover civil subpoena. Any joker lawyer can serve
you a subpoena for your files for any reason they want. I also find it a bit
disturbing that such a decision to tender the request of a subpoena would go
right through staff without touching the hands of directors of Cyberspace.
|