Liability of System Administrators

Sam Hartman



Cyberspace has provided an ever increasing number of computer users over the last twenty years with a community they could claim as their own.Recently, Cyberspace has begun a cultural transformation as it expands, no longer encompassing just those computer enthusiasts who founded it, but growing to bring society into the new communications medium. Now, society is feeling the shock waves of this expansion, as our society struggles to legal and ethical implications of Cyberspace.

Unlike other industries, where owners of businesses can easily find out what is legally expected of them, Cyberspace system operators (sysops) quickly come to realize exactly how little precedent relates to computers and computer crime. In fact, the few cases that have been decided, like Cubby, Inc. v. CompuServe, Inc. or Steve Jackson Games, Inc. v. United States Secret Service are district-court cases, setting binding precedent in only one part of the country. However, by combining cases like these with important cases from other areas of the law, it is possible to gain a fairly detailed picture of the responsibilities and risks associated with being a sysop of a single, disconnected system.

Unfortunately, the great benefits of Cyberspace lie in the interconnection of many small machines into large networks like Usenet or the Internet. Issues like a sysop's responsibility for postings that do not originate on his system are just now starting to become important. Even groups like the Electronic Frontier Foundation have little concrete legal advice in these areas.

This paper starts by taking a look at issues sysops of single systems face, focusing on the rationale for various points of view where there is disagreement. Then, these issues are expanded to include problems specific to networks. Finally, conclusions are drawn.

Responsibilities of the Single Sysop

Since the advent of scanners, computers have been used to distribute digitized versions of sexually explicit pictures. These pictures create three problems: copyright infringement, distribution of obscene material, and possession and distribution of child pornography. According to Miller V. California, a work that
  1. "when taken as a whole, appeals to the prurient interest;"
  2. " depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law;" and
  3. "taken as a whole, lacks serious literary, artistic, political, or scientific value,"
is not subject to first amendment protection and can be regulated by the states. (Loundy 122) In addition, the court has held that the federal government can prevent obscene material from "entering the stream of commerce" both through public carriers (like US mail) or private carriers (like the phone system). (Loundy 123)

These regulations impose a significant responsibility on sysops of systems that carry sexually explicit material: they are responsible for making sure their material is not obscene in any of the fifty states where it could be used. (Loundy 122) While this problem may appear to be insurmountable, 1-900 services have always dealt with the diversity of community standards

Even if a sysop's material is not obscene, it may be indecent. Indecent language is language that "describes, in terms patently offensive as measured by community standards ... sexual or excretory activities and organs . . . ." (Loundy 124, quoting F.C.C. V. Pacifica probably insufficient. He suggests that for-pay systems require payment by credit card. According to Loundy, F.C.C. phonesex regulations also allow indecent material to be transmitted scrambled in such a way that a descrambler is required, or a password can be sent by mail after age verification. (143)

Another potential danger is child pornography. Materials that visually portray minors engaged in "sexually explicit conduct," is child pornography. (Godwin "Sex") Since these statutes are designed to prevent exploitation of children, images of children engaged sexually explicit conduct, generated without using real children, are not illegal under the federal child pornography statute. Obviously, a sysop is responsible for child pornography that he knows is on his system, or that he knowingly distributes. What about child pornography that is on the computer system unbeknownst to the sysop?

According to Loundy, the statute criminalizes "anyone who knowingly possesses " three or more copies of child pornography and the knowing transportation of child pornography. (102) This requirement should insulate sysops from the activities of users that they are not aware of. However, sysops are probably obligated to remove any child pornography they find. This requirement of knowledge should alleviate the concerns of sysops whose systems fall under the Electronic Communications Privacy Act (ECPA). (Godwin "Sex") Since these sysops aren't expected to read email, they are unlikely to know of any child pornography passing through their system's electronic mail.

Besides concerns about adult-oriented material, sysops also have to be concerned about their liability for defamation. In Cubby V. Compuserve, a district court ruled that because Compuserve had no knowledge of defamatory comments in one of their forums, they were not accountable for this comment. (Godwin "Internet") In his opinion, the judge likened Compuserve to a book store, referring to Smith v. California, an obscenity case in which a book store owner was not held liable for a small number of books that he didn't realize were obscene. (Loundy 128--129) While this case did not set the standard of liability for the book store owner, a later decision established a "know or have reason to know," standard. Presumably, if the distributor analogy is extended to computer systems, then a sysop would only be liable for content that he could reasonably know.

Because the judge relied on a obscenity case to base his opinion on a defamation case, it is likely that the same logic could be applied to a obscenity case involving computers. A sysop must not exercise editorial control over the forum in which the libelous material is published in order to be protected by this argument. For example, this excludes services like Prodigy that make a practice of editing their fora. (Godwin "Internet")

The final area of concern is the great void of copyrights. Unlike crimes like obscenity, child pornography and defamation, there is no requirement that someone have reason to know that they are infringing a copyright before they are held accountable. (Loundy 126) Exceptions to the copyright act allow public archives such as libraries to make material available for the public to copy. (Loundy 129) In addition, the fair use doctrine allows end users to make copies of this information under some conditions.

While these exceptions to the copyright act may give sysops protection in some situations, particularly when end users make improper use of material legally provided on a system, they hinge on the sysop having legally obtained a copy of the material. Thus, the sysop's liability for software uploaded by a user without knowledge of the sysop is unclear. (Loundy 125) To understand the issues involved, take the example of the Washington University Archive ( while their README for MSDOS uploads admonishes users not to upload pirated software, uploads are available for download as soon as they are completed. It is often difficult to find a user, or prove that they uploaded a particular copyrighted work. If the sysop is not responsible for infringing material on his system, then the copyright holder may find it difficult to recover damages.

While this argument is new to copyright cases, it is common in defamation cases: publishers are generally held liable in addition to authors, because they are more likely to have resources to compensate the victim. (Godwin "Libel") According to Loundy, one author proposed extending the idea to computer bulletin boards, even when the sysop is not acting as a publisher. (154)

The case may provide a first step in determining some of these legal questions. LaMACCHIA, while a MIT junior, ran an Internet service that allowed users to anonymously upload and download files. The indictment alleges:

Defendant David Lamachia . . . set up . . . operated and participated in the operation of a computer bulletin board system . . . to permit and facilitate, on an international scale, the illegal copying and distribution of copyrighted software, without payment of software licensing fees or the software purchase price.
Depending on how this case is resolved, a legal opinion on sysop liability for copyright infringement.

Networks and Sysop Responsibility

Two features of networks effect the legal accountability of sysops. First, First, the individual sysop finds that if they want to grant access to the majority of the net, they quickly lose the ability to limit access to specific information on the net. This leads to the second problem: who has jurisdiction over a user's actions? The issue of pornography on the net provides an excellent case study, although the legal and ethical problems can be expanded to other areas where sysops have liability.

Several Usenet news groups, like, and were created to transport sexually explicit images. A large portion of the hard-core pornography distributed in these groups is illegal. (Godwin "Sex") However, unlike a file section on a single-user bulletin board, no one sysop has control over these news groups. There is enough traffic on these news groups that it is unlikely that the average system administrator has time to monitor the traffic in these news groups to delete obscene articles. When a sysop becomes aware of an obscene article, she can delete the article from her system. However, she is probably aware that at least some articles at a given time are legally obscene. Should she be liable for these articles? Under the know or have reason to know standard, the answer is unclear: she is aware that there are violations of the law, but has not taken time to discover these violations.

In order to avoid these sticky issues, some sights decide not to carry these news groups. In a single-system environment this works well, and the user's access to these materials is restricted. However, it isn't that simple on the Internet: many sights allow users to use FTP or to reconfigure news reading software to use a non-default server. Since there are public access news servers that carry these news groups, and pornographic FTP sights, it is trivial for users to circumvent these restrictions. The Internet is designed to stay open; no central access control mechanisms exist. Also, there are multiple paths to the same information. In order for a system to make it impossible to get to unhealthy or illegal information, it must limit the user's access to a well defined set of sanitized information. In many cases, this is unacceptable.

The problem of jurisdiction is also serious. Obscenity law depends on community standards. However, the Internet and other large networks span many communities and are influenced by their community standards. This became important in a recent federal obscenity case: the prosecution of the sysops of the Amateur Action BBS, a system run out of California. However, the sysops were prosecuted under Tennessee law because their material was accessible there. Soon after a guilty verdict was announced, there was discussion of what this meant for Internet sights. In, Karl Denninger, sysop of MCSNet, an Internet service provider in Chicago expressed his concerns with the decision:

This is a serious case folks. We're going to be talking to the lawyers IMMEDIATELY here, as the ramifications of this may be that we can no longer sell accounts to users across state or even local boundary lines -- or we may have to drop all the erotic material on the net!

Within Chicago what is on the net wouldn't violate community standards, especially given what I can rent at the local video store . . . In Memphis, on the other hand....... (Denninger)

The problem of jurisdiction is minor in the US, when compared to other countries. For example, if an erotic image is requested by someone in Britain from a server in Finland, and the packet is routed through Iraq, whose laws apply?


The Internet, and Cyberspace in general, transcend geopolitical boundaries: it's almost as easy to connect to a system half way around the world as to a system across the room. In order to work smoothly and coexist with Cyberspace, laws will have to recognize the triviality of geopolitical distinctions on Cyberspace.

It is unlikely in the near future that a legal system will develop and be accepted that are independent of geopolitical distinctions. However, crimes can be viewed in the jurisdiction where they were committed. For example, when a file is uploaded, the uploader should be liable for transmitting the file in his or her own jurisdiction. If the sysop keeps the file, he should be liable for it. Downloaders should be liable for moving the file into their jurisdiction, but not the sysop. In other words, it would be illegal to upload a file that is obscene in the uploader's jurisdiction, and illegal to download the file into a jurisdiction where it is illegal. With this system, there is still significant room for gray areas, but it is a step in the right direction.


Cubby, Inc. v. CompuServe, Inc., 776 F. Supp. 135 (S.D.N.Y. 1991).

Denninger, Karl. ``AA BBS trial--jury out'' Usenet news groups:, et al.

F.C.C. v. Pacifica Foundation, 438 U.S. 726, reh'g denied, 439 U.S. 883 (1978).

Godwin, Mike. " Internet Libel: Is the provider responsible?" Internet WOrld, Nov./Dec., 1993.

Godwin, Mike. "Libel, Public Figures, and the Net" Internet World, June 1994.

Godwin, Mike. " Sex and the Single Sysadmin: The Risks of Carrying Graphic Sexual Material." Internet World, Mar/Apr, 1994.

Loundy, David. "E-LAW: LEGAL ISSUES AFFECTING COMPUTER INFORMATION SYSTEMS AND SYSTEM OPERATOR LIABILITY." Albany Law Journal of Science and Technology, Vol. 3, Number 1. pp. 79--154

Steve Jackson Games, Inc. v. United States Secret Serv., 816 F. Supp. 432 (W.D. TEX. 1993).

UNITED STATES OF AMERICA V. David M. Lamachia. CR. No. 94-10092-RGS. The David Lamachia Defense Fund has placed several documents about the case on the web, including the indictment, a motion to dismiss filed by the defense, a press release by the U.S. attorney, and the defense's response.