Given the Thomas conviction in California and some interesting questions re

[David Farber <farber () central cis upenn edu>]

SEX AND THE SINGLE SYSADMIN:
The risks of carrying graphic sexual materials.
Column: Internet World
Approx: 3700 words
March/April 1994 issue




By Mike Godwin
(mnemonic () eff org)




It's the kind of nightmare that will cause any sysadmin to bolt upright in
bed, shaking, gripping the sheets with white-knuckled fingers.




In this nightmare scenario, the facts are simple: you hear a knock at the
door, you answer to discover grim-faced law-enforcement agents holding a
search warrant, and you are forced to stand by helplessly while they seize
your system to search it for obscene or child-pornographic images.




In some versions of the nightmare, you may not even have known your hard
disk contained such images; in others, your lack of knowledge may prove to
be no defense in a criminal prosecution for possession of child
pornography.




 A wave of concern about porn




In recent months, the Legal Services Department here at EFF (the
Electronic Frontier Foundation) has faced a wave of concern in the United
States about the legal issues raised by online obscenity and child
pornography. Most recently, a nationwide federal investigation into the
importing of child-pornographic computer files led first to several
well-publicized searches and seizures of computers and bulletin-board
systems (BBSs) and later to a number of indictments of computer users on
charges relating to possession or distribution of this material. One
result has been that a large number of BBS operators and network site
administrators have contacted EFF with questions and concerns about their
potential liability under obscenity and child-pornography laws.




Why so much concern? Partly, it's that, thanks to the availability of
cheap image scanners, fast modems, and capacious hard disks, a large
number of this country's BBSs and network sites carry GIF (Graphic
Interchange Format) files or other kinds of graphic images with sexual
content. These images can range from centerfold-type nudes to "hard-core"
pornography. (For the sake of simplicity, I will refer to all
graphic-image files as GIFs, although there are a number of other formats
commonly available.)




Just as the growth of the consumer VCR market was linked to a growth in
the market for adult videos, the increasing availability of certain kinds
of consumer computer technology has led to a rapid increase in GIF-file
traffic. System operators who might never consider opening an adult book
or video store have either allowed or encouraged sexually oriented images
to be exchanged on their systems. To understand this difference in
attitudes one has to understand how online conferencing systems are
generally run--as forums for their users to talk to each other, and to
trade computer programs and files with each other.




 How porn gets online




Although these problems pervade the world of the Internet, the easiest
case to understand is the microcomputer-based BBS. The operator of a BBS
typically dedicates a computer and one or more phone lines at her home or
business for the use of a "virtual community" of users. Each user calls up
the BBS and leaves public messages (or, in many cases, GIFs) that can be
read by all other users or private mail (which may include GIFs) that can
be read by a particular user or both. BBSs become forums--digital public
houses, salons, and Hyde Park corners--for their users, and users with
similar interests can associate with one another without being hindered by
the accidents of geography. By some estimates, there are currently in
excess of 40,000 BBSs throughout North America, randing from low-end
free-access BBSs with only one or two phone lines to BBSs run by
companies, government agencies, user groups, and other organizations.




A step up from the BBS in complexity is the conferencing system or
information service. These systems differ in capacity from BBSs: they have
the capability of serving dozens, or hundreds, of users at the same time.
But they're like BBSs in that uploaded files can be found at a fixed
geographic location. A further step up are entities like Fidonet and
Usenet, which, because they're highly distributed, decentralized
conferencing systems, add complications to the legal issues raised by the
computerization of sexual images.




Internet nodes and the systems that connect to them, for example, may
carry such images unwittingly, either through uuencoded mail or through
uninspected Usenet newsgroups. The store-and-forward nature of message
distribution on these systems means that such traffic may exist on a
system at some point in time even though it did not originate there, and
even though it won't ultimately end up there. What's more, even if a
sysadmin refuses to carry the distributed forums most likely to carry
graphic images, she may discover that sexually graphic images have been
distributed through a newsgroup that's not obviously sexually oriented.




Depending on the type of system he or she runs, a system operator may not
know (and may not be able to know) much about the system's GIF-file
traffic, especially if his or her system allows GIFs to be traded in
private mail. Other operators may devote all or part of their systems to
adult-oriented content, including image files.




Regardless of how their systems are run, though, operators often create
risks for themselves under the mistaken assumption that a) since this kind
of material is commonplace, it must be legal, and b) even if it's illegal,
they can't be prosecuted for something they don't know about. EFF's Legal
Services Department has been working actively to educate system operators
about the risks of making these assumptions.




 What counts as "obscene"?




First of all, we've explained that the fact that graphic sexual material
is common on BBSs doesn't mean that it's not legally obscene and illegal
in their jurisdiction.




As Judge Richard Posner comments in the October 18, 1993, issue of THE NEW
REPUBLIC, "Most "hard-core" pornography--approximately, the photographic
depiction of actual sex acts or of an erect penis--is illegal." even
though it is also widely available. (Let me emphasize the word
"approximately"--Posner knows that there are countless exceptions to this
general rule.) That is, distribution of most of this material is
prohibited under state or federal anti-obscenity law because it probably
would meet the Supreme Court's test for defining obscenity.




But what precisely is the Court's definition of obscenity? In Miller v.
California (1973), the Court stated that material is "obscene" (and
therefore not protected by the First Amendment) if 1) the average person,
applying contemporary community standards, would find the materials, taken
as a whole, arouse immoral lustful desire (or, in the Court's language,
appeals to the "prurient interest"), 2) the materials depict or describe,
in a patently offensive way, sexual conduct specifically prohibited by
applicable state law, and 3) the work, taken as a whole, lacks serious
literary, artistic, political or scientific value.




This is a fairly complex test, but most laymen remember only the
"community standards" part of it, which is why some system operators are
under the mistaken impression that if the material is common and
available, "community standards" and the law must allow it.




In layman's terms, a jury (or a judge in a nonjury case) would ask itself
something like these four questions:


1) Is it designed to be sexually arousing?
2) Is it arousing in a way that one's local community would consider
unhealthy or immoral?
3) Does it depict acts whose depictions are specifically prohibited by
state law?
4) Does the work, when taken as a whole, lack significant literary,
artistic, scientific, or social value?




If the answer to all four questions is "yes," the material will be judged
obscene, and it will be Constitutional to prosecute someone for
distributing it. (It should be noted in passing that pictures of the
"hardness" of Playboy and Penthouse photography have never been found to
be obscene--their appearance in digital form on Usenet sites may create
copyright problems, but they won't create obscenity problems.)




 The perils of online obscenity




In theory, most "hardcore" pornography qualifies as "obscenity" under the
Supreme Court's test. Yet theoretically obscene material is commonly
available in many urban areas--this signifies, perhaps, that the relevant
laws, when they do exist, are underenforced. At EFF, however, we have been
telling system operators that there is no *legal* basis for their assuming
that the laws will remain underenforced when it comes to online forums.




For one thing, most of this country's law-enforcement organizations have
only recently become aware of the extent that such material is traded and
distributed online--now that they're aware of it, they're aware of the
potential for prosecution. In a recent case, an Oklahoma system operator
was charged under state law for distribution of obscene materials, based
on a CD-ROM of sexual images that he'd purchased through a mainstream BBS
trade magazine. He was startled to find out that something he'd purchased
through normal commercial channels had the potential of leading to serious
criminal liability.




Still another issue, closely related to obscenity law, is whether an
online system creates a risk that children will have access to adult
materials. States in general have a special interest in the welfare of
children, and they may choose to prohibit the exposure of children to
adult materials, even when such materials are not legally obscene. (Such
materials are often termed "indecent"--that is, they violate some standard
of "decency," but nevertheless are Constitutionally protected. If this
category seems vague, that's because it is.) In Ginsberg v. State of New
York (1968), the Supreme Court held a state statute of this sort to be
Constitutional.




Although there is no general standard of care for system operators who
want to prevent children from having such access, it seems clear that, for
a system in a state with such a statute, an operator must make a serious
effort to bar minors from access to online adult materials. (A common
measure--soliciting a photocopy of a driver's license--is inadequate in my
opinion. There's no reason to think a child would be unable to send in a
photocopy of a parent's driver's license.)




It's worth noting that, in addition to the risk, there are also some
protections for system operators who are concerned about obscene
materials. For example, the system operator who merely possesses, but does
not distribute, obscene materials cannot Constitutionally be
prosecuted--in the 1969 case Stanley v. Georgia, the Supreme Court held
the right to possess such materials in one's own home is Constitutionally
protected. Thus, even if you had obscene materials on the Internet node
you run out of your house, you're on safe ground so long as they're not
accessible by outsiders who log into your system.




And, in the 1959 case Smith v. California, the Court held that criminal
obscenity statutes, like the great majority of all criminal laws, must
require the government to prove "scienter" (essentially, "guilty
knowledge" on the defendant's part) before that defendant can be found
guilty. So, if the government can't prove beyond a reasonable doubt that a
system operator knew or should have known about the obscene material on
the system, the operator cannot be held liable for an obscenity crime.




In short, you can't constitutionally be convicted merely for possessing
obscene material, or for distributing obscene material you didn't know
about.




 Child pornography--visual images that use children




When the issue is child pornography, however, the rules change. Here's one
of the federal child-porn statutes:


 18 USC 2252: Certain activities relating to material involving
 the sexual exploitation of minors.


 (a)Any person who--


 (1) knowingly transports or ships in interstate or foreign commerce
 by any means including by computer or mails, any visual depiction, if--


    (A) the producing of such visual depiction involves the use of a
 minor engaging in sexually explicit conduct; and


    (B) such visual depiction is of such conduct; or


 (2) knowingly receives, or distributes, any visual depiction
 that has been transported or shipped in interstate or foreign
 commerce by any means including by computer or mailed or
 knowingly reproduces any visual depiction for distribution
 in interstate or foreign commerce by any means including by
 computer or through the mails if--


    (A) the producing of such visual depiction involves the use of a
 minor engaging in sexually explicit conduct; and


    (B) such visual depiction is of such conduct;


 shall be punished as provided in subsection (b) of this section.




 (b)Any individual who violates this section shall be fined
 not more than $100,000, or imprisoned not more than 10 years,
 or both, but, if such individual has a prior conviction under this
 section, such individual shall be fined not more than $200,000,
 or imprisoned not less than five years nor more than 15 years,
 or both. Any organization which violates this section shall be
 fined not more than $250,000.




(N.B. For the purposes of federal law, "minor" means "under age 18"--it
does not refer to the age of consent in a particular state.)




This statute illustrates some of the differences between the world of
obscenity law and that of child-pornography law. For one thing, the
statute does not address the issue of whether the material in question is
"obscene." There's no issue of community standards or of "serious"
artistic value.  For all practical purposes, the law of child pornography
is wholly separate from the law of obscenity.




Here's the reason for the separation: "obscenity" laws are aimed at
forbidden expression--they assume that some things are socially harmful by
virtue of being expressed or depicted. Child-porn laws, in contrast, are
not aimed at *expression* at all--instead, they're designed to promote the
the protection of children by trying to destroy a market for materials the
production of which requires the sexual use of children.




This rationale for the child-pornography laws has a number of legal
consequences. First of all, under the federal statute, material that
depicts child sex , but in which a child has not been used, does not
qualify as child pornography. Such material would include all textual
depictions of such activity, from Nabokov's novel LOLITA to the rankest,
most offensive newsgroups on Usenet, all of which are protected by the
First Amendment (assuming that, in addition to not being child
pornography, they're also not obscene).




Secondly, the federal child-porn statute is limited to visual depictions
(this is not true for all state statutes), but does not apply to *all*
visual depictions: computer-generated or -altered material that *appears*
to be child pornography, but which did not in fact involve the sexual use
of a real child, would not be punishable under the federal statute cited
above. This makes sense in light of the policy--if real children aren't
being sexually abused, the conduct these statutes are trying to prevent
has not occurred. Although prosecutors have had little trouble up to now
in proving at trial that actual children have been used to create the
child-porn GIF images at issue, we can anticipate that, as
computer-graphics tools grow increasingly powerful, a defendant will
someday argue that a particular image was created by computer rather than
scanned from a child-porn photograph.




Third, since the laws are aimed at destroying the market for child
pornography, and since the state has a very powerful interest in the
safety of children, even the mere possession of child porn can be
punished. (Compare: mere possession of obscene materials is
Constitutionally protected.)




The fourth consequence of the child-protection policy that underlies
child-porn statutes is that the federal law, as interpreted by most
federal courts, does not require that the defendant be proved to have
known that a "model" is a minor. In most jurisdictions, a defendant can be
convicted for possession of child porn even if he can prove that he
believed the model was an adult. If you can prove that you did not even
know you possessed the image at all, you should be safe. If your knowledge
falls somewhere in between -- you knew you had the image, but did not know
what it depicted, or that it was sexual in its content -- the law is less
clear." (In other words, it's not yet clear whether it is a defense for a
system administrator to claim he didn't even know he possessed the image,
either because it had been uploaded by a user without his knowledge, or
because it had appeared in "pass-through" mail or through a Usenet
newsfeed.)




In sum, then, the child-porn statutes create additional problems for the
system administrator who wants to avoid criminal liability and minimize
the risk of a disruptive search and seizure.




 What you can do




The first thing to do is not to overreact at this discussion of the risks.
It would amount to a serious "chilling effect" on freedom of expression if
a sysadmin--in order to eliminate the risk of prosecution for distribution
of obscenity, or for possession or distribution of
child-pornography--decided to eliminate all newsgroups with sexual
content. The textual content of such newsgroups is constitutionally
protected, as is much of the GIF content.




What's worse is that the tactic wouldn't eliminate the risks--it's always
possible for someone to post illegal material to an innocuous newsgroup,
like sci.astro or rec.arts.books, so that it would get to your system
anyway. Similarly, an illegal image might be uuencoded and included in
e-mail, which, if you're a system covered by the Electronic Communications
Privacy Act, you're not allowed to read.




You should begin with the knowledge that nothing you can do as a sysadmin
will eliminate altogether the risks of prosecution or of a disruptive
search and seizure. But a few sensible measures can reduce the risks of a
search or an arrest, and at the same time preserve the freedom of
expression of your users and of those users who transmit material through
your system.




* If you plan to carry graphic sexual material, look up your state's
obscenity laws. A lawyer or librarian can help you find the relevant state
statutes. Find out what, specifically, your state tries to prohibit. (If
the state statute seems inconsistent with what I've written here, consider
seeking legal advice--it may be that the statute predates the Supreme
Court's decisions on obscenity and child pornography but has not yet been
challenged.) You may also want to consult local adult bookstores--they
often have clear, practical information about avoiding obscenity
prosecutions.




* If you're running an online forum local to your system, and that forum
has an upload/download area, prescreen graphic images before making them
publicly available for downloads. While "calendar" and "foldout" images
are Constitutionally protected, you may want to consider deleting
"hardcore" images that might be found "obscene" in your community. You
also want to delete anything that looks like child pornography.




* If you're running a Usenet node, and you are informed by users that an
obscene or child-porn image has been posted to a newsgroup you carry,
examine it and consider deleting it. If there's any ambiguity, err on the
conservative side--remember, if you guess wrong about the age of the
model, you can be convicted anyway.




* Take pains on your system to limit childrens' access to adult material,
even if that material is not legally obscene (it may still be "indecent").
This includes textual material dealing with adult topics. Hint: asking for
a photocopied driver's license in the mail is probably not an adequate
safeguard--too easy for industrious minors to circumvent. A good set of
rules to follow is spelled out in an FCC regulation applicable to
phone-sex providers--47 CFR 64.201. The easiest FCC suggestions for a
for-pay BBS, online service, or Internet access provider is to require
payment by credit card; the easiest for a nonpay system is have an
application process that reasonably ascertains whether an applicant for
access is an adult, and to have a procedure whereby one can instantly cut
off that access when informed that a user is in fact a minor.




* Don't delete discussions of sexual topics--they're Constitutionally
protected. And even though the Supreme Court has not limited the
definition of "obscenity" to visual depictions, as a practical matter,
there is little legal risk in carrying textual narratives ("stories") on
sexual themes.




* Don't inspect individuals' e-mail without their consent--unless they're
employees of your company, their mail is probably protected by the
Electronic Communications Privacy Act.




* If you're a university site, or if you're simply interested in the law
of freedom of speech, consult the Computers and Academic Freedom (CAF)
archive, which is part of the EFF archive at ftp.eff.org. If you have
gopher, the archive is browsable with the command "gopher -p academic/law
gopher.eff.org"; if you are limited to e-mail access, send e-mail to
archive-server () eff org, and include the line




 send acad-freedom/law




where  is a list of the files that you want (start with README,
a detailed description of the items in the directory). The CAF archive has
a number of instructional materials that deal with obscenity and
child-pornography law.




-----




These measures won't guarantee that you'll never have legal
troubles--nothing can guarantee that. (And if you have particular legal
worries, you should consult a lawyer in your jurisdiction.) But they can
reduce the risks you face as a system administrator and as a carrier and
distributor of information. At the same time, they'll minimize the extent
to which you interfere with your users' freedom to communicate--which is,
after all, one of the chief reasons they're online in the first place.








Mike Godwin (mnemonic () eff org) is online counsel for the Electronic
Frontier Foundation, where he advises users of electronic networks about
their legal rights and responsibilities, and instructs criminal lawyers,
law-enforcement personnel, and others about computer civil-liberties
issues.




For info on EFF mailing lists, newsgroups & archives, mail eff () eff org. To
browse EFF's archives, use FTP, gopher, or WAIS to connect to ftp.eff.org,
gopher.eff.org, or wais.eff.org respectively.  Look in /pub/Eff. To get
basic EFF info send a message to info () eff org. Send detailed queries to
ask () eff org.  For membership information, mail membership () eff org.


Thanks for your support. I hope to be back again. If there is information
that you want this page to access, or you want to send me any comments,
please send me email at Dan Robbins, dcr () cs brown edu , 1994 Daniel C.
Robbins