From time to time, Cyberspace Communications, Inc, is served with subpoenas. In general, the matters are straightfoward, not requiring separate items. So this one item is intended as the catchall for reporting the occurrences.106 responses total.
This week, we were served with a subpoena in a civil matter, requesting identifying information for one of our users. We provided the information we had a available.
Are you going to tell us the parties or was it one of those subpoenas you aren't allowed to disclose to the person involved?
I think we'd be allowed to but it wouldn't be the right thing to do. This person may be innocent of whatever is being investigated, for all we know. If someone is interested they can search court records.
But you sure thought it was the right thing to do when you went to the police, eh, mary ?
Yeah, you flapping, eh, cuntlip?
Can you at least tell us WHICH court?
Can the board say whether they are under a gag order?
Todd! I'm uploading the top =secret= thing for you to the top =secret= place right now!
what!
The eagle will land in 30 minutes.
What ever happenedto the first supoena?! What ever happened to my understanding of how to spell that word?!
IT "SUB"MERGED ! AHAHAHAHAHAAHAH
No, we aren't under a gag order. I'll provide the court name from the subpoena when I get home.
22nd Judicial Court, 101 E. Huron, Ann Arbor, MI 48107.
What ever happened to the first subpoena? It was from months back, and there were promises of revelation. Reveal, dammit!
re #14 No PO BOX?? ;)
PO BOX 8645
I am *not* pleased with the way this latest subpoena was handled. Gelinas got the subpoena and furnished the information to the Ann Arbor attorney who issued the subpoena *without* getting the permission of the Board. The subpoena is part of an ordinary civil lawsuit in local Washtenaw County Circuit Court. There is no gag order. I think the Board *should* decide what to do about each separate subpoena on an individual basis. At the very least, the Board should get a copy of the complaint in the case and find out what the case is about. The Board also should decide whether or not to contest the subpoena, based on the nature of the case and the privacy rights of the user involved. In this case, Gelinas just coughed up all the info requested. A local judge might easily have cancelled the subpoena or narrowed the amount of info we were required to produce if we had contested it.
Then gelinas acted inappropriately. The Grex board needs to get a policy in place ASAP. Ladies and gentlemen, you have your assignment for this month.
Joe sent the board mail as soon as he got the subpoena and then telling us what little information we had to offer and that he would be handing it over. There wasn't a lot of lead time, for sure, but that wasn't Joe's fault. Maybe you didn't see your mail because of system mail problems? I also don't think we should handle each case differently. If we get a court order we should comply. We shouldn't play judge by asking for the specifics of the situation, looking at whether it was a law we like or not, or whether it involves a member or user. If we don't like the way the law works we should work to change the law, as we've done in the past. I never want to put Grex in jeopardy, either the equipment or our budget, because we played Law and Order. And I'm going to go on record here that we should not consider Dave as qualified to be Grex's legal counsel. Not without the board being in agreement that that's what we'd like to do. I had a feeling this would probably need an open discussion, at some point. Just didn't think it would come up so soon.
I think that the points Dave raises would have been more helpful if raised sooner, in mail, before the subpoena was due. The board was notified by email about the subpoena several days before it was due. That's plenty of lead time. At some point 'baff' started to be copied on the mail as well, so I saw it too. No board member responded with any concerns until the night before the subpoena was due, if I recall correctly. As I see it, Joe - who's not a legal expert - had to make a judgement call under time pressure. In the absence of a timely response from the board, I don't think it's fair to lay the blame entirely on Joe for any mishandling. Coincidentally, I ran across a "civil subpoena" policy on another website earlier today. Maybe something like it is suitable for Grex as well. Here's the full URL: http://www.godaddy.com/gdshop/legal_agreements/show_doc.asp?se=%2B&pageid=C IVIL% 5FSUBPOENA Or if that's too much of a mouthful, try: http://tinyurl.com/6apy3
The humorous thing about all this is that officers and directors are not liable in tort liability. ALL of Cyberspace, Inc is. Read this as: Mary's nightmare could come true if there was any harm caused to someone and retribution could encompass an award of hardware and assets to the plaintiff. So, if Joe wants to do damage on behalf of Cyberspace,Inc by acting on his own then everyone on the ship goes down with him. Personally, I am with Dave on this and think it should have been discussed. It might have been too big of a reach in said subpoena. Also, without a gag order, it should at the very least make it publically into the minutes. If staff is handing over info for civil cases then the membership has a right to know.
re #21 I like the part in their legal agreement which addresses privacy laws: "Upon the receipt of a valid civil subpoena, Go Daddy will promptly notify the customer whose information is sought" Please let us know if Grex extended the same courtesy at the time the info was rendered to the courts.
This all just happened, within the last week. We haven't had a board meeting to discuss it where it could have hit the minutes. We had very little information on this user and most of that looked like it was false but worked to get him or her through newuser. I agree everyone needs to know Grex will be answering subpoenas, that's what this item and earlier discussions have been about. I agree that the person involved should be notified but first they have to give us a way to do that by leaving valid information. Grex is it risk for whatever we do in situations such as this. So we go with a predictable, clearly understood response which gives us the best chance of keeping Grex clear of trouble. In my opinion.
Was the user cc'ed in e-mail with the info given to the courts? That seems like it should be a given. We're not talking about a Patriot Act subpoena but Civil Court.
I'm not sure if he/she was or not. In instances where the account has been frozen for whatever reason, that probably wouldn't be helpful. And in this case the person hasn't logged in to Grex for a while and the alternate email address is bogus. But it couldn't hurt to send something off anyhow and document that we did so. I like the way this other system has a clearly written policy on how such things should be handled. For the longest time subpoenas were a non-issue for Grex. But that seems to be changing and it's probably time we codified something. Let's see what comes of this discussion and then try to put it into a policy. Sound good to you, Todd?
Absolutely. With tools like lynx available for abuse then a policy for handling complaints and subpoenas seems reasonable.
How does one abuse with lynx?
AHAHAA, CLASSIC KEESAN that was almost too funy
Oh dear !@ I'm laughing so hard I can't spell
I think it's appropriate for Grex to respond to a subpoena quickly. Grex is not a "data haven", and it's not appropriate for us, the users, to put the board in the position of having to decide whether to comply wih a subpoena based on the details of the case. If it's not clear what the subpoena is asking for, or whether it's legal, those are items for the board to discuss before complying. But, frankly, we're not paying them enough to go to bat for every user who does something that causes a sbpoena to be issued against him. And we're certainly not paying them enough to stand up to law enforcement. So I think the policy should be that Grex complies with legitimate subpoenas. And I think everyone should know that. Sounds to me like Joe did a pretty good job. Thanks Joe.
re #28 Credit card mischief via browser with Grex as the only traceable source
I am certainly not Grex' legal counsel. I am merely a member of the Board who happens to be a lawyer. My big issue is that the Board was never given a chance to decide what to do about this subpoena in an orderly way. If there is a deadline in the subpoena, then all we have to do is call up the lawyer who issued the subpoena and say we need a bit more time in order for our corporation to determine our position. No, the user was not notified as far as the e-mail I got from gelinas indicated. Suppose a subpoena comes asking for all records on a bunch of users. Is anyone who happens to visit the PO box and get the subpoena authorized to run around and gather the info and turn it over to the subpoena issuer? Hardly. People should know that once a case begins in the Michigan court system, *any lawyer* involved can send out a subpoena. A judge never sees these things unless someone challenges the subpoena. If the Board ever adopted a policy that we should automatically do whatever a subpoena asks us to do, that's news to me. As aruba points out, the Board is not paid. So what? We still have duties to the corporation, and to our users. Yes, we need a policy on subpoenas.
Aruba, you're failing to make a very important distinction between subpoenas relating to criminal and civil cases. In civil matters, our obligations to our users likely outweigh any obligations to blindly comply (note: IANAL) with the subpoena. A salient point that Dave makes is that a lawyer can subpoena any information from any source. That ability does not imply a legal obligation to provide any and all information thusly requested. There are definitely possible scenarios in which blind compliance with a civil subpoena would expose us to severe legal liability. To formulate a comprehensive policy, we need informed legal opinion. To operate in absence of policy opens us up to significant risk. We can mitigate this risk by making it a mandatory part of opening a Grex account to agree to terms of use which specify our policy on the matter and giving potential users the choice up front to use Grex or not with that information available at the time the decision is made. Similarly, once a policy is implemented, there should be a warning somehow distributed to all users of Grex that informs them of the specifics of the policy and declares that continued use of Grex conveys explicit acceptance of the terms of the policy. This may all sound hauntingly familiar to anyone who has joined web forums or subscribed to web services of just about any kind. The legal disclaimers you see in just about every instance are for exactly this purpose. The Board of Grex has a responsibility to the organization to take at very least the minimal step of issuing this kind of warning, disclaimer or terms of use to all users current and future. We've been lucky so far.
"So I think the policy should be that Grex complies with legitimate subpoenas" And exactly how do you determine what is "legitimate" without legal advice or an established board policy?
Eric, your opinion... what should the board be obligated to do upon receiving a civil subpoena?
Re #35: I don't know how to determine if a subpoena is legitimate. But I don't think we should consult a lawyer each time we get one. That's making a much bigger deal out if it than it has to be, I think. I guess I'm warming up to the idea of a usage policy for Grex. Grex has always tried to have as few rules as possible, so the decision not to have one is deliberate. But maybe it's time.
We've had a usage policy statement for a while
(http://cyberspace.org/cgi-bin/grex-limits), but maybe it's time to
revisit it.
Two properties I'd want to see for any usage policy:
(1) Conform to the KISS (Keep It Simple, Stupid) principle. I'm a
minimalist. I'm also allergic to excessive bureaucracy.
(2) Don't make unenforceable rules.
Like ones that /etc/passwd files raen't allowed. root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:100:sync:/bin:/bin/sync games:x:5:100:games:/usr/games:/bin/sh man:x:6:100:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh postgres:x:31:32:postgres:/var/lib/postgres:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh operator:x:37:37:Operator:/var:/bin/sh list:x:38:38:SmartList:/var/list:/bin/sh irc:x:39:39:ircd:/var:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/home:/bin/sh dah:x:1000:1000:David A. Hoffman,,,:/home/dah:/bin/tcsh sshd:x:100:65534::/var/run/sshd:/bin/false naftee:x:1001:1001:,,,:/home/naftee:/bin/bash jlamb:x:1002:1002:,,,:/home/jlamb:/bin/bash
#37 of 39: by Mark A Conger (aruba) on Thu, Feb 10, 2005 (09:37): Re #35: I don't know how to determine if a subpoena is legitimate. But I don't think we should consult a lawyer each time we get one. That's making a much bigger deal out if it than it has to be, I think. Huh? A subpoena IS a big deal. It may be in Grex's best interest to construct a policy that meets the approval of one or two lawyers in order for Cyberspace to CYA. These are EXACTLY the situations where a director of the board needs to be proactive. Don't leave it up to staff or wait for it to come back around to bite us in the butt.
The first step, in my opinion is to implement a plan to make clear the policy, whatever it is, to ALL users of the system so that Grex can legitimately claim due diligence in defense of any claims that might arise from our policy. That gives potential users the knowledge up front, so they can opt not to use Grex if they feel that the policy is not to their liking. Then, once we have a policy, or if ever that policy changes, we will have the mechanism in place to inform all existing users to the extent practicable and to the extent required to establish a good faith effort in the eyes of the courts. How we deal with civil subpoenas is not an area I am competent to address beyond saying that we by rights ought to make the information available to a user whose information has been subpoenaed as soon as humanly possible in civil cases, and to the extent that we are not compromising a criminal investigation in other cases. Civil cases are disputes between individuals, and our primary responsibility in those matters is to the party with whom we have an existing relationship. Ultimately, that is Grex's decision, but to choose otherwise would be to wave a big "FUCK YOU" flag to anyone considering joining our community.
I disagree with Eric - saying "we won't go to the mat for you if someone brings the weight of the legal systm to bear on us" is a long way from saying "FUCK YOU" in all caps.
Nobody has suggested implementing a wimpy policy that invites all subpoenas in civil cases, right?
If I understand your question, the answer is yes. I have. I don't want Grex to be put in the position of treating each subpoena on an individual basis, of asking for more time to check the merits of a case, or to interview those involved and their attorneys. Rather, we should have a policy that clearly states all court subpoenas will be complied with promptly, period. This policy should be published where all of our users can see it. Anytime we are served with a subpoena Grex will, if allowed by law, notify the person whose information is being sought, and notify the Grex community that we have acted on such a document. Anyhow, I'm still doing some research on subpoenas, but that's my opinion at this point.
So you're going to hand over someone's email to any lawyer that asks? That's a wreckless approach. On the other hand, I guess if you want people to know there is no privacy whatsoever on Grex and there is a form of due diligence to make everyone aware of that fact then the BoD is pretty much in the clear. I don't use Grex mail for personal e-mail very often so it would not offend me but I can imagine there are others who may feel differently.
Email is protected, by law, and cannot be included under a civil suit subpoena.
Well, let's be clear about what exact information we're talking about. If we're subpoenaed for information that is already publicly available on the system, then our policy should simply be to provide pointers to the information, leaving the impetus for gathering on the people who want it. If it is information that is not publicly available, then we should be making every user of Grex aware up front of the nature of that information and why it is stored and what the risks are that are associated with storing it, such as that it might be subpoenaed and that if so we will hand it over and unless legally bound otherwise will alert the affected user specifically and the public at large to the fact as soon as possible.
I think we should know what kind of information is provided. You say email is protected , but what bout if we save some email in a file in our home directory? Will that be disclosed ?
Here are two URLs that may be helpful. The first is AOL's policy on civil subpoenas. The second is the applicable law. http://legal.web.aol.com/aol/aolpol/civilsubpoena.html http://assembler.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002701-- --000-.html
The third is url.rexroof.com
I used to be of the opinion that grex should take the high ground and fight any subpoenas, because how can grex succeed as an open access non-validation open system without protecting its users anonymity? But grex does not have the money to withstand even one real legal challenge. Even one court case that gets off the ground that requires grex to hire lawyers will bankrupt this place. Sometimes the desire to do the right thing is trumped by fiscal reality.
That is why Grex better be sure that honoring ALL subpoenas won't infring somebody's privacy. AOL is the LAST pace I woud like for a divining rod. The more important reality is that Grex has a volunteer staff and should be willing to back the staff by having a BoD with a spine that will not bury the staff in frivolous civil subpoenas.
AOLOL
tod said: "The humorous thing about all this is that officers and directors are not liable in tort liability. ALL of Cyberspace, Inc is." The members of grex are not stockholders. If member contributions were defined as fees or were defined as being paid in exchange for stock in the company, it would be different. But they are defined as voluntary donations. Therefore the legal definition of "All of Cyberspace Inc." IS the officers and directors of the company, because those are the only ones taking legal status at any specific time in the company. This is why several years back when Michigan passed its version of the communications decency act, there was a legitimate question of liability in the event the law was enforced against grex. There was a long contentious item at that point where the suggestion was debated that if the heat came, that the entire board should resign. Why? Because if the entire board resigned, grex would have no officers and thus there would be nobody the state of Michigan could liable for grex's violation of the cda. In fact when board elections occur, I don't think it is emphasized enough to prospective new board members that being officers of a company does make them liable for actions against the company.
This response has been erased.
#54, How is that?. How is Arbornet different than Cyberspace Communications? Arbornet is just its directors, and Cyberspace is all of the members? Why are the members meaningless at Arbornet? The bylaws are questionable. Article 7 says in part: "The Corporation assumes all liability to any person other than the Corporation or its members for all acts or omissions of a volunteer director incurred in good faith performance of their duty as an officer" That is not a full indemnity clause. It covers "liability to any person" The government is not a person. So the corporation in fact does not assume all liability to the government or any other legal body for acts or omissions of its volunteer directors. The bylaws say only that the corporation is "organized on a membership basis" But nowhere does it specifically say that the members own the corporation. In fact if grex got sued in court, the judge might well find that the definition of who owns this company is insufficiently addressed in the bylaws. Apparently the bylaws were left sufficiently vague on that issue. This is why when the CDA stuff was going on, the issue of the board members resigning came up. The board members are the only ones who, for all practical purposes, CAN be held liable for the company's actions. And as stated above, the bylaws have the corporation indemnifying the board members only against liability to "any person", not to any outside group, organization or entity (i.e. the government) The bylaws don't define the members as owners. I used to have a membership in National Geographic. Does that mean I was an owner of National Geographic and can be held liable for the company actions? Of course not. Also the bylaws in item #1 still list the registered agent as Michael Smerza and give his old address. Does he still even live there? It is entirely possible that he gets mail at that address for grex, which could include subpoenas conceivably. I think the bylaws item needs to be updated with the current registered agent info.
Richard - FWIW, I am currently the registered agent for Cyberspace Communications.
#57, I realize that Aruba, but some outside party looking to find that info. so as to know who to serve subpoenas to, might read the bylaws and conclude-- since it doesn't say otherwise-- that Smerza is still the registered agent. This could lead to an issue where the company might not realize that its served with a subpoena because the paperwork was sent to the wrong place (Smerza's address in the bylaws to be specific)
These posts are a good illustration of why grex should have legal counsel.
This response has been erased.
This response has been erased.
re #59 Agreed
jp2 said: "56: It has to do with the articles of incorporation of each. M- Net's are so written such that membership is meaningless and member rights can be suspended without recourse. Grex's are not." Why would the membership of Arbornet vote to put in the bylaws that the board can supercede or eliminate their own voting rights? In any case, grex's bylaws, and you'd see that jp2 if you read them, don't define the members as the owners of the company. In fact it specifically says that the corporation is organized on a non-stock basis. Meaning that no stock, or equivalent conferrence of ownership shares, are given out in exchange for membership. It simply says that the corporation is "organized" on a membership basis. The members wanted to organize it, the members wanted to run it, but nobody wanted to own it. Okay then, what if you are the government and grex is blatantly violating the CDA or some other new law, simply by its normal operations, and you as the government want to fine cyberspace communications? Who do you levy the fine against? The corporation of course. But what if the corporation lacks the funds to pay the fine? The same thing would happen that happens when the government hits a company thats broke for heavy fines, which is if they can't go after the company, they go after the owners. Only in this case, the bylaws of cyberspace communications don't define its members as owners, don't confer stock or any other designation of ownership in exchange for member dues. So can the government go after the members? I don't think so, not when they aren't legally the owners. So who can the government go after, if not the corporation (which lacks the funds to pay the fine) and not the members (who are not legally responsible for the company since they don't own it)? The answer is that they'd have to go after the only people who are taking an official, legal role in the company. The company's board of directors. What I'm saying is that while the company bylaws indemnify the board members against damages brought by "any person", it does not indemnify against damages brought by "any organization or legal entity" Since Grex doesn't have much money in the bank, if the government ever gets restrictive laws passed and grex gets fined or sued for violation of those laws, the board members are sitting ducks. Grex probably ought to buy some form of insurance to protect the board members and the company itself in the future should grex accrue fines and legal expenses.
Government or civil suits can go after ASSETS.
Re #63 2nd to last paragraph:
Amend the Bylaws to indemnify the board members against damages brought
by organizations, governments, companies, and anything else that can bring
damages as well as people.
Kinda late, isn't it?
This response has been erased.
#67, the bylaws state that the corporation is an organization "organized by its members" It does NOT say that it is a corporation composed of its members. That would imply the members, by virtue of their membership, have ownership in the company. They expressly do not. The members who founded grex did not want ownership. The "corporation" is an entity that the bylaws define as existing separately from its members, and which would exist-- at least in theory-- even there were no members left. If every member dropped their membership, the corporation would still exist until such time as the corporate paperwork was not renewed.
Poor richard :(
There are a lot of good thoughts in this item. I'm pleased to see that we are taking a high-level approach. I hope that the BoD will discuss possible policies on subpoenas and related issues at this Friday's (2/18) BoD meeting. Yes, I think Grex should consult an attorney in this area before we actually adopt a policy. While I am an attorney, and I would donate my services to Grex on this matter, I am not sure I am the right person to consult. Just to further muddy the waters, in civil matters there are at least two kinds of subpoenas: Trial subpoenas, ordering someone to show up at a trial and testify, with or without documents. Discovery subpoenas, ordering someone to either show up at a deposition and testify (with or without documents), or just ordering someone to produce documents. The fun part about discovery subpoenas is that the information sought must be "reasonably calculated to lead to admissible evidence," or words to that effect. Yes, lawyers in civil suits can go on "fishing expeditions," but they can't order people to testify, or show up with documents, unless the testimony/ documents is/are "reasonably calculated," etc. So if Grex gets a *discovery* subpoena, we certainly have the right (and perhaps to duty) to only disclose information if it is "reasonably calculated," etc. I have not seen the recent subpoena, but my guess is that it was a discovery subpoena. Ergo, there was plenty of opportunity for us to figure out whether or not we wanted to disgorge everything requested, or just some of it, or make a motion to cancel or limit the subpoena. This sounds complicated, but it really isn't. Discovery is a quibblefest, that's all.
But why should Grex get into a quibblefest? I agree with Mary - respond and get it over with.
Whatever policy we end up with should be clear, allow for consistency, ask for a response within the limits of what we *can* do, and be fair to our users. All our users.
Coming from a core GreXer such as you, mary, this is sad, seeing as GreX has very few formal policies, and, according to Jan Wolter, perhaps the core of core GreXers (certainly a father of GreX), it has been stated that these formal policies are not wanted on the system of GreX.
Here is a policy that I will ask the BoD to adopt at our Friday meeting: "If Cyberspace Communications, Inc., receives a subpoena or other request for information in a pending judicial matter, the president of Cyberspace Communications, Inc., after such consultations as s/he thinks appropriate, shall decide how to proceed." Yes, this puts slynne in the hot seat. But after all, what is a president for? 8-) If we adopt this policy, then at least we will have something in place. Trying to figure out anything more elaborate in time for its adoption at this meeting will probably not result in anything workable.
Sounds like a great idea. Will the policy include a remedy for rogue staffers that ignore it?
I suggest the board appoint someone whose job it is to take the point position on any subpoenas that come in, rather than automatically making that person be the president.
Isn't the point position of the BoD the president by default?
re #74 dpc, shouldn't any proposed policy re: subpoenas be subject to a member vote? I don't think the board members should reserve the right to make this decision themselves. This is a new company policy being suggested. Don't submit it at the board meeting. Request a membership wide vote!
In this case, I think the value of having a policy in place sooner exceeds the value of having the entire membership enact one. Of course, if a member wants to propose a policy for member vote, why wait for the board meeting to happen?
Please lets not let this become the uproar of the week. Have we even finished with the long login ID crisis yet? The proposed action really doesn't do anything to protect users or establish a way to consistently handle subpoenas. The last and only ones we've had, two total, both were handled fine. One was from law enforcement an account hoarding scads of credit card numbers. Our staff had already frozen the account. The second was looking for ID on an account that was 100% pseudo. Not sure if there was anything there that would have been useful. We couldn't have even contacted to user to do an internal investigation. All staff and board were in on these issues, at least those who were reading their mail. The proposed policy goes backwards, leaving this up to one person to handle as they see fit. Yucko. I'd like to continue to see all available staff and board in on these discussions. And the policy crafted, carefully, getting input from everyone who cares to contribute and looking at how others systems have proceeded. We do not need to rush. We're not in crisis mode here. We've got time to do it right.
Definitely not crisis -- my memory jibes with Mary's; the grand total of subpoenas that Grex has received in its 13+ years of existence, to the best of my knowledge, is T W O .
re #81 I think it warrants discussion but not immediate policy making.
Nothing on GreX should warrant policy making!
There was one other subpoena, from Best Buy, alleging that a user had posted the Black Friday sales prices on his Grex website. It turned out the prices were a year old, so I just called the lawyer who issued the subpoena, she checked, and then said we didn't need to do anything.
The fact that there have been only two or three subpoenas served in the past is not necessarily an indication of what will happen in the future. Grex wants to establish a blogosphere and blogging will probably bring more people here and create the potential for more such issues. Perhaps this issue can be avoided by use of a good mail encryption program, that has a second password to the mail program which triggers the de-encryption process, so that even staff using root can't see anything in mail text that isn't encrypted. Staff then could have a policy that if at any time they have to reset the mail password, the resetting of the pw will trigger a bulk erasing of any mail files stored on the system. The idea is to render a subpoena pointless by making it so even the staff can't retrieve unencrypted mail text, only delete it. This protects staff in cases like the one mary mentioned where somebody was storing credit card numbers. Law enforcement could easily have jumped to the conclusion that any member of staff with root could have accessed all those credit card numbers, and thus requested subpoenas for all the staff logins to see if any of those credit card numbers were moved around.
Please don't dilute the discussion by mixing civil and criminal subpoenas.
Dave's proposal doesn't preclude the staff dealing with something (if the president so desires), but it does identify a responsible individual, and it does allow us to make it clear that we do have a policy, and therefore, that we have given the concern appropriate consideration.
I do not think the appropriate consideration has been given to: The Electronic Communications Privacy Act (ECPA) nor the Privacy Protection Act (PPA). Here's an example: The PPA prohibits searches and seizures of material that an individual intends to publish or broadcast (including documentary material.) Exceptions to that PPA prohibition could be criminal contraband, fruits of a crime, or property designed to commit crime; searches needed to prevent imminent death or injury; child porn; etc.. With that knowledge I've just furnished you, if you were to "disclose" contents of my home directory to an attorney that asks for it by subpoena because he represents someone who is doing discovery to find if it's viable to sue me because I called him a fuckhead then I would by all means have the authority to seek civil liability damages against the officers and corporation of Cyberspace for not protecting material I intended to publish. I appreciate that many are hesitant to consult with an attorney on developing a policy but I think they are not fulfilling their duties as members of the BoD when they say "We've done enough. Sweep it under the rug." (I apologize for my lack of punctuation, btw.)
That's what our policy should address. Advising users on what our actions will be when served a subpoena. Users should know up-front and then exercise caution on what information they give us or store here.
And writing the policy should not be enough. I think it should be made clear on a regular basis to all users. Maybe a reminder in the motd that disappears after a user has logged in a few times and then it reappears a year later to remind them again.
tod said: "With that knowledge I've just furnished you, if you were to "disclose" contents of my home directory to an attorney that asks for it by subpoena because he represents someone who is doing discovery to find if it's viable to sue me because I called him a fuckhead then I would by all means have the authority to seek civil liability damages against the officers and corporation of Cyberspace for not protecting material I intended to publish." The problem with that is I don't think that the simple fact of your storing a file on grex's computer system is sufficient proof that you intended to publish that information. Obviously not all files stored here are done so for the intent of publishing, now or in the future and I doubt the court would make broad assumptions or let you claim every file you have is intended for publication. If you can "intent to broadcast" for every line of every file you store on any computer system, you succesfully overextend the intent of the law. The ECPA also says: "It shall not be unlawful under this chapter for an operator of a switchboard, or on officer, employee, or agent of a provider of wire or electronic communication service, whose facilities are used in the transmission of a wire or electronic communication, to intercept, disclose, or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service" Doesn't that mean that any staffer has the right to delete or dislose to outside parties any file or files or communications on its system, that are necessary to continued rendition of service, or protection of the rights annd property of that service? So are you saying that by simply claiming "intent to publish", you can circumvent the above section of that act and sue anybody who deletes or turns over your files without having criminal cause?
What Grex needs to be concerned about IMO is the Children's Online Privacy Protection Act, which has been toughened in recent years and lays out specific rules for web sites-- commercial or otherwise-- that knowingly or otherwise allow access from children under 13 and collect personal data from children under 13. The act says: "An operator must post a link to a notice of its information practices on the home page of its Web site or online service and at each area where it collects personal information from children." Grex's newuser program prompts for name, birthdate and other stats, even if giving such info is not mandatory. Children under 13 running newuser who give grex this information make grex subject to this act. It also says" "Parents have the option to agree to the collection and use of the child's information" It also says: "When operators want to disclose a child's personal information to third parties or make it publicly available (for example, through a chat room or message board), the sliding scale requires them to use a more reliable method of consent, including: getting a signed form from the parent via postal mail or facsimile; accepting and verifying a credit card number in connection with a transaction; taking calls from parents, through a toll-free telephone number staffed by trained personnel; email accompanied by digital signature" Grex does not of these things does it, even when aware that a newuser has identified himself/herself as being under age 13. If a child under 13 creates a new user login and grex displays in the child user's .plan, their personal information (birthdate, address, whatever they put in there), without getting consent from their parent (s), grex is in violation of the CPPA and could be subject to heavy fines. So I think the newuser program needs to be revised, I think newuser should no longer prompt for any such personal information, even if it is being asked for voluntarily and even if the user has the option not to display it. The Bush Admninistration has dramatically toughened CPPA requirements and other such related to web sites that allow child usage, so I think grex should certainly consult a lawyer to determine how vulnerable it will be in continuing to allow non-verified access to the system. Grex may legally need to know in the future that its new users are over a certain age, or have consent from their parents to use this system if they are not.
information grex should no longer be asking for in newuser: "What is your full name" "Enter your address" "Enter your telephone number" "What is your birthdate" "What is your sex?" Even though newuser gives the user the option to hide all that information, or in the sex and birthdate prompts the option to not answer at all, a child user under 13 doesn't have the right to make the decision to give that information or not, without their parents permission. A child under 13 cannot legally make that information viewable over the internet without the permission of their parents. If a child user creates a newuser login, and makes their .plan viewable and grex is suddenly publishing to anyone who reads this user's .plan the child's name, address and telephone number, grex is opening itself to a lawsuit from the child's parents. All grex needs is for some young child to create a new login, with their personal info viewable in their .plan, and then to go on party and meet the wrong person. Then the wrong person reads their .plan, goes and finds them and kidnaps them. Grex then opens itself up to serious legal liabilities. I think Grex needs to either remove the option to make .plan personal info viewable for everyone, or just don't ask those questions at all.
re #92 So are you saying that by simply claiming "intent to publish", you can circumvent the above section of that act and sue anybody who deletes or turns over your files without having criminal cause? First, let's get one thing straight. There are civil subpoenas which have NOTHING to do with criminal law nor compel ANYONE. Second, to answer your question, YES, if you claim and PROVE "intent to publish" then you can sue for damages if the material has made it into the public eye or hands of those you do not wish. If I have text files of stories I've written, editorials I've copywritten, or research material on documentaries or whatever that I'm putting into print, then, yes, it could potentially cause problems for Cyberspace. The point I'm making is that the PPA covers digital material being stored on an ISP's system.
#94 okay I understand, I was just saying how can you prove intent to publish? What are the legal standards to prove that? Just because you have typed something into a private file on an ISP doesn't automatically prove that you intended to later move it to a public file or otherwise publish it. Do you think a judge is simply going to take your word that "at some point I intended to publish this" and award you damages? I'd think you'd have to have some outside way of verifying that what you had stored on file was going to be published or made public later. Some people write poems and stories for their own entertainment and with no intent whatsoever to publish them or post them anywhere. So maybe you are overstating the potential for problems to be caused, because before grex could be sued, you'd have to satsify the courts on how the information in the files under question should be categorized.
And as regards the issues with child users, here's a relevant question: What if the lawyer of a parent of a child using grex, comes to grex with a subpoena saying, 'this parent's child established a login with your system without the parent's permission, the parent demands his/her child's password or in some manner access to his/her child's files and his/her child's email'" The new cppa laws I believe give the parents of children 13 and under the right to ask for such things. In the case of children 13 and under, there doesn't have to be evidence of any misdeeds or specific need for a parent to request such access. But acting on such a subpoena would cause grex to violate its own privacy rules. The problem is that grex doesn't require proof of age, so it has no legal way of knowing whether this child user actually is 13, or under 13, or not. But by asking for age, it ends up with users who have voluntarily given indication to grex that they are under age. Which makes grex vulnerable legally.
re #95 #94 okay I understand, I was just saying how can you prove intent to publish? What are the legal standards to prove that? If I'm a writer, a simple call to my literary agent to fax you a copy of my latest contract for a documentary or editorial would be sufficient. The burden is not IF a person has actual literary works in progress but HOW the BoD of Cyberspace decides to mitigate problems in the future after being aware of such a seemingly possible risk. I do not know why you are so quick to dismiss that anyone on Grex could possibly have anything in their directory other than to stick your head in the sand so you can "bury the discussion." A sweeping policy stating any and all content in home directories is up for grabs by subpoena may not be the right wording. I believe the opinion of an attorney is a good idea if such a policy is going to exist.
tod wrote: "A sweeping policy stating any and all content in home directories is up for grabs by subpoena may not be the right wording. I believe the opinion of an attorney is a good idea if such a policy is going to exist." But a sweeping policy is exactly what is needed to protect Grex. Something like the following should be put in the newuser program: "It is understood that cyberspace communications inc. is granting you a login on grex for your private use. cyberspace communications inc. reserves the right to assert control of all files and material posted on grex. This includes, but is not limited to, the right of staff to delete files or content in any user's login that is determined to be in violation of grex's rules or is determined to constitute a threat or potential threat to grex's system security. Cyberspace communications further reserves the right to turn over any and all materials contained in user files to legal authorities if said authorities have showed cause in court and obtained legal subpoenas. By acceptance of and use of a login on grex, the user acknowledges the rules stated above, and fully indemnifies cyberspace communications inc., the board and staff of cyberspace communications inc. and any organization affiliated or providing service to cyberspace communications, from any legal challenges or requests for damages as a result of staff actions to enforce these stipulations. The user is then prompted for their name and date again and at that point newuser goes ahead with login creation.
Cyberspace communications further reserves the right to turn over any and all materials contained in user files to legal authorities if said authorities have showed cause in court and obtained legal subpoenas. That wording still doesn't cover civil subpoena. Any joker lawyer can serve you a subpoena for your files for any reason they want. I also find it a bit disturbing that such a decision to tender the request of a subpoena would go right through staff without touching the hands of directors of Cyberspace.
okay then, try this: "Cyberspace communications further reserves the right to turn over any and all materials contained in user files to legal authorities if said authorities have showed cause in court and obtained legal subpoenas. It is understood that such actions can be taken by staff in response to criminal and/or civil subpoeanas, and that the user accepts the rights of the board and staff of cyberspace communications to protect Grex by undertaking these actions. By acceptance of and use of a login on grex, the user acknowledges the rules and stipulations stated above, and fully indemnifies and holds harmless cyberspace communications inc., the board and staff of cyberspace communications inc. and any organization affiliated or providing service to cyberspace communications, from any legal challenges or requests for damages as a result of staff actions to enforce these stipulations or enforcement of any of grex's stated rules. The user agrees in perpetuity to waive his rights to pursue any legal action, including civil damages, against grex that arise from the board and staff of cyberspace communications taking proper action to preserve this system."
Richard proves over and over why Grex needs legal counsel. You cannot force users to waive their legal rights simply by way of a posted disclaimer saying "you have no rights because this is what Grex intends to do." Hell, sometimes a person's rights can't even be waived in a writing they sign. Just ask the A2 School System, which had to pay out tons of money to substitute teachers based on (misplaced) reliance on just such waivers. Tod makes some very good points. It's about time people around here started listening instead of acting like his ideas are a mere inconvenience that can be remedied by a few magic words in the MOTD.
What would it cost Grex to have legal counsel?
A night with your mother.
#102 it could cost a lot to retain legal counsel, which is why it might be a good idea for grex to look into legal insurance or some kind of pre-paid legal plan. Whereby grex makes small regular payments to a law firm in exchange for an agreement that they can get occasional counsel from the lawyer and retain the lawyer's full services in the future if necessary.
Hey guys! Looks, it's tsty !@ http://jewsagainstzionism.com/images/Rabbis/belz.jpg
TROGG IS DAVID BLAINE
You have several choices: