[vcf-midatlantic] Culpability and Provenance

jsalzman at gmail.com
Fri Jan 15 03:51:19 UTC 2021

Some very interesting thoughts on the disposition of private data on old

First, I want to say that the advice received on this thread was certainly
informative. However, some of the advice leads us to believe that we, as
collectors, are implied to be held legally responsible for all content we
receive... and I cannot fully subscribe to that line of thinking.

It's one thing if we stole the computer. It's another if it was abandoned
by the original or subsequent owners, through trade or sale, and they
failed in their due diligence to delete what they feel is content of a
sensitive nature. And yes, their data is THEIR responsibility.

That being said, none of us collectors can expect to be privy to the chain
of ownership of the device. As I implied in my original post, I was at
least two degrees away from its original owner. So there may not be an
option to go through the chain of ownership to find out from the content
creator what they want done with files I found. But is it always illegal to
possess what others have abandoned, even recklessly? I don't think so.

HIPAA was brought up as one aspect. Technically, HIPAA only applies to
"covered entities" such as those who use a person's medical information to
provide medical services to the individual. It does not lock down all
personal medical information in electronic form in all possible
circumstances. You, the individual, have a right to handle and distribute
your medical information as you see fit. If you see fit to apply poor
practices in its distribution... that's all on YOU! For example, you can put
PDF files pertaining to your doctor's visits that you downloaded from your
insurance company's website onto a USB drive and hand it to a friend,
intentionally or accidentally, and it is not a HIPAA violation. That's
because YOU, the individual, have the right to distribute your medical
information as you desire... even if doing so is done accidentally and/or
is a security risk. So if you did not wipe your old laptop of your medical
information before you sold it to a Facebook buyer, that buyer's possession
of the information is not a HIPAA violation. If the buyer reads the
information they received, it is also not a HIPAA violation. A covenant of
sale cannot be made to impart any responsibility or obligation on the buyer
for the disposition of the property being transferred to the buyer outside
of anything in a WRITTEN and SIGNED contract of sale. In other words, if
the seller left their bank account information on the computer they sold,
cash on the barrelhead, the buyer's possession of any information on the
computer in that context is not illegal. The buyer's only legal obligation
was to pay the agreed asking price. However, if the buyer uses that bank
information in an illegal way (theft, extortion, etc.) THEN the information
possessed becomes an illegal instrument in the commission of a crime, and
an entirely different set of laws comes into play.

Legality of data on legally acquired computers is not a black and white
issue. The legality stems from the use of the content. Other examples
included installed software. That would fall under licensing agreements. Is
it illegal to possess a copy of WordStar on an old CP/M machine, or is it
only illegal to use a copy of WordStar on an old CP/M machine? That's all
governed by whatever license agreement is in effect for the software. I'm
pretty sure 99.9% of us very loosely imply that it's OK to use WordStar due
to its general abandonware nature. But I will say this... if you say you
don't use unlicensed software, you're a damn liar and you know it!

As for the other content I mentioned. For example, the Last Will and
Testament files. Officially, LW&Ts are public records if and only if the
testator dies and the LW&T is filed in probate court. But a file of any
random name then becomes a Schrödinger's Cat of a LW&T. You don't know for
sure what it is until you open the file. As a buyer of a computer with
unknown content, I doubt if you're still bound to any legalities, even if
you actually view the content of the file. Tony addressed a couple of
notions on this situation. One, that if a file on a legally acquired disk
is unrecognizable for its purpose, you could simply delete it. Two, if you
have an intention to offer a previous owner of the computer a copy of their
data back, you need to open it to know what's in there to perform that

Again, I cite these examples to show that any legal obligation of a current
owner of content contained in a legally acquired computer system is not a
black and white issue. Personally, LW&T files mean little to me. I'd much
rather have the space they take up instead of the file. As for other items,
like resumes that may be found, resumes are marketing documents intended to
market the individual to those who could potentially lead the individual to
employment. So, who can be defined as one who could POTENTIALLY lead an
individual to employment? Again, not a black and white issue. "Bobby" can
give copies of his resume to his friend "Billy" and tell him to give them
to people he thinks might be hiring.

Is the content of that resume private? Is it illegal to possess a copy of
someone else's resume? I seriously doubt it based solely on intent. It was
the intention of the individual to get their name, contact information, and
a brief history of their job history out into the world in hopes it could
lead to employment. If the resume source file contained the term
"confidential", that would change things a bit. But as far as the legality
of a resume file as a private document, one would be hard pressed to assert
such a fact. But in this case, the person who is named in the resume I
found on my Kaypro had died in the late 2000s. I determined that from
public information that noted his death, along with employment history
matching the content of the resume. So from my point of view, the resume
file certainly implies a lot for the computer's provenance, but it's hardly
a secret for its content.

Overall, an underlying point shared by those who responded is this... we do
have a degree of obligation in regards to the disposition of the content of
computers we acquire. However, we will always disagree at some level to the
extent of that obligation. As for the legal status of the content, it's not
a blanket issue equally covering everything contained on the disk. Each
"file" most likely is governed by a different set of laws pertaining to its
content and/or use. Ethics is more likely the doctrine to be applied to
content disposition. Legality is only a part of the decision making process
while applying ethics to the problem.

Jeff Salzman

On Thu, Jan 14, 2021 at 6:10 PM Herb Johnson via vcf-midatlantic <
vcf-midatlantic at lists.vcfed.org> wrote:

> Well, while I have a lot I could post on these matters, I won't. I'm not
> a lawyer and these are legal matters. The rest is discussion not advice.
>
> Certain content one might obtain from others accidentally on an
> abandoned computer, is outright illegal to own and distribute. Delete it
> - period. Other content is proprietary and still in distribution, thus
> an actionable issue by the active producers of that content.
>
> And of course, most of us with a clue know what is "private
> information". Nobody here is "researching" people's private information.
> This is a vintage computing discussion. Private information must be
> deleted, copies only to owners who want it and are given opportunities
> to ask. Most people seem to be indifferent; some are not.
>
> The rest, is about technical content of old programs out of use, and
> possibly original programming done (as in sources, binaries). These
> things are, in my opinion, the business of those of us in vintage
> computing.
>
> What to do about finding that stuff, has been in discussion for decades.
> There's common practices about that content. While owners could take
> actions, many owners are disinterested in doing so, or "unavailable", or
> in some cases have released their published works. Owners have rights,
> and the right to say "delete". At least they used to, when content
> resided in their own hands. Another subject.
>
> Informing former owners about discovered content beyond impersonal
> programs and documents, has some merits both to us and to the prior
> owners. Tony shares his experience, that he's informed some owners about
> protecting their data.
>
> All that said, I'm informed by the posts on this subject, from persons
> who identify their sources of authority on their decisions (Tony
> mentioned HIPAA compliance for instance). And by various experiences
> discussed.
>
> Authority and or experience matters to me, when I see advice, certainly
> when I give it. I don't say I have much authority, other than years of
> practices; I have no authority on legal matters, little on business. I'm
> a technologist by training and historian by circumstance.
>
> Myself: I preserve the history of development of certain programs and
> hardware on my Web site. Much of that is published information,
> descriptions and repairs of hardware, documentation, sources or
> disassemblies. Some of it is biographical information from public
> sources and personal correspondence (republished by me with permission).
> Generally I have permissions, as owners of content have the rights to
> say "no", and privacy rights.
>
> Over the decades: I've been contacted by content-owners or their heirs
> or their associates and customers. Most thank me for recognizing those
> known to them, a few for recognizing themselves! Some provide more
> information. Some people want their privacy, or at least used to when
> privacy existed. And some, are no longer interested in certain past works.
>
> So it seems to me:
>
> If the VCF Inc. chooses to, they might gather some informed and
> authoritative opinions and recommendations and practices, and make that
> information available, as a service. They may also choose to do so, to
> inform their officers and volunteers as to "best practices" within the
> VCF collection.
>
> One service might be, to identify kinds of content - such as I and
> others have identified - and suggest the kinds of practices one might
> take. That service alone, may help persons in deciding what to do, where
> to seek advice.
>
> But I'm not credentialed in most of these matters. I have certain
> practices I follow. Mostly I tell people "this is at your own risk. Seek
> professional, legal or more experienced advice. I'm not responsible for
> your consequences. Make your own choices." Otherwise I lead by example
> and effort and results, I hope.
>
> regards, Herb Johnson
> --
> Herbert R. Johnson, New Jersey in the USA
> http://www.retrotechnology.com OR .net
> preserve, recover, restore 1970's computing
> email: hjohnson AT retrotechnology DOT com
> or try later herbjohnson AT comcast DOT net
