Newsletter

The Sixth Conference on Computers, Freedom, and Privacy


Liability Issues for System Administrators

By Sam Hartman

System administrators are no longer faced only with technical problems, according to Edward Cavazos, an attorney with the Houston-based law firm Andrews and Kurth L.L.P. Acts and omissions can create legal liability for the system administrator.

Cavazos, in his CFP96 tutorial on liability issues, said that it isn't necessary for an administrator to be perfect. "People who sue sysadmins look for sysadmins who do the sloppiest jobs. The goal is to posture yourself so that you aren't as interesting a target as other administrators", Cavazos said.

The fast pace of change in the communications industry may create precedents and understandings that no longer apply. For example, many current computer-related precedents arise out of cases involving online services or bulletin boards. Cavazos said there were important differences between these environments and the Internet; getting judges to understand these differences may be difficult.

E-mail privacy

E-mail privacy is one of the few areas were a strong body of statutory law tailored to electronic communications exists. In 1986, Congress passed the Electronic Communications Privacy Act. Even so, Cavazos said many system administrators are unaware of their legal responsibilities under this law.

Under the act, there are two categories of communications: wire or electronic communications and stored communications. Penalties are provided for intercepting wire or electronic communications and for disclosing the contents of stored communications. However, penalties are much higher for interception of wire or electronic communications than for disclosure of stored communications.

The Fifth Circuit court held that obtaining undelivered e-mail while it is not actively being transmitted does not count as interception, but only as a potential disclosure of stored communications.

System administrators must respect the provisions of the ECPA when examining other users' e-mail. However, exemptions are provided for several situations, including delivering mail to the intended recipient and protecting the system and its property.

Cavazos said while the ECPA probably doesn't apply to a small isolated network of computers that are not open to the public, it probably does apply to enterprise-wide networks within corporations.

Defamation

Another area where system administrators may face liability is when someone is defamed, Cavazos said. A republisher of a defamatory statement can be held liable.

On the other hand, system administrators may not be acting as republishers when they have no editorial control. In these situations, the analogy of a bookseller may apply. Booksellers are one liable for redistribution of defamitory statements if they know or have reason to know that the defamitory statement is in their product. Cavazos said that the model the courts choose to apply may depend on the amount of editorial control the system administrator has.

Copyright issues

Copyright law provides both civil and criminal penalties for infringement. The criminal penalties do not create special considerations for system administrators.

However, administrators may be responsible for contributory infringement. For example, if a system doesn't have a substantial non-infringing use, it may be held civily liable for contributing to copyright infringement.

This may pose a liability issue for administrators: the administrator may contribute to the infringement of copyright by allowing copyrighted works to be placed in a public area. There may not be a substantial non-infringing use of these works, Cavazos said.


[ CFP96 Newsletter | CFP96 | CFP | general info ]

Comments and bug reports to Daniel C. Stevenson