[vcf-midatlantic] Culpability and Provenance

Dean Notarnicola dnotarnicola at gmail.com
Fri Jan 15 04:13:29 UTC 2021

I agree with Jeff’s statements in general. My post was more about moral
obligation rather than law. Tony said it best; if we want people to trust
us with their old computers, then we should act responsibly.

On Thu, Jan 14, 2021 at 10:52 PM Jeff Salzman via vcf-midatlantic <
vcf-midatlantic at lists.vcfed.org> wrote:

> Some very interesting thoughts on the disposition of private data on old
> computers.
> First, I want to say that the advice received on this thread was certainly
> informative. However, some of the advice leads us to believe that we, as
> collectors, are implied to be held legally responsible for all content we
> receive... and I cannot fully subscribe to that line of thinking.
> It's one thing if we stole the computer. It's another if it was abandoned
> by the original or subsequent owners, through trade or sale, and they
> failed in their due diligence to delete what they feel is content of a
> sensitive nature. And yes, their data is THEIR responsibility.
> That being said. None of us collectors can expect to be privy to the chain
> of ownership of the device. As I implied in my original post, I was at
> least two degrees away from its original owner. So there may not be an
> option to go through the chain of ownership to find out from the content
> creator what they want done with files I found. But is it always illegal to
> possess what others have abandoned, even recklessly? I don't think so.
> HIPAA was brought up as one aspect. Technically, HIPAA only applies to
> "covered entities" such as those who use a person's medical information to
> provide medical services to the individual. It does not lock down all
> personal medical information in electronic form in all possible
> circumstances. You, the individual, have a right to handle and distribute
> your medical information as you see fit. If you see fit to apply poor
> practices in its distribution.. that's all on YOU! For example, you can put
> PDF files pertaining to your doctor's visits that you downloaded from your
> insurance company's website onto a USB drive and hand it to a friend,
> intentionally or accidentally, and it is not a HIPAA violation. That's
> because YOU, the individual, has the right to distribute your medical
> information as you desire... even if doing so is done accidentally and/or
> is a security risk. So if you did not wipe your old laptop of your medical
> information before you sold it to a Facebook buyer, that buyer's possession
> of the information is not a HIPAA violation. If the buyer reads the
> information they received, it is also not a HIPAA violation. A covenant of
> sale cannot be made to impart any responsibility or obligation on the buyer
> for the disposition of the property being transferred to the buyer outside
> of anything in a WRITTEN and SIGNED contract of sale. In other words, If
> the seller left their bank account information on the computer they sold,
> cash on the barrelhead, the buyer's possession of any information on the
> computer in that context is not illegal. The buyer's only legal obligation
> was to pay the agreed asking price. However, if the buyer uses that bank
> information in an illegal way (theft, extortion, etc.) THEN the information
> possessed becomes an illegal instrument in the commission of a crime, and
> an entirely different set of laws come into play.
> Legality of data on legally acquired computers is not a black and white
> issue. The legality stems from the use of the content. Other examples
> included installed software. That would fall under licensing agreements. Is
> it illegal to possess a copy of WordStar on an old CP/M machine, or is it
> only illegal to use a copy of WordStar on an old CP/M machine? That's all
> governed by whatever license agreement is in effect for the software. I'm
> pretty sure 99.9% of us very loosely imply that it's OK to use WordStar due
> to its general abandonware nature. But I will say this... if you say you
> don't use unlicensed software, you're a damn liar and you know it!
> As for the other content I mentioned. For example, the Last Will and
> Testament files. Officially, LW&Ts are public records if and only if the
> testator dies and the LW&T is filed in probate court. But a file of any
> random name then becomes a Shrodinger's Cat of a LW&T. You don't know for
> sure what it is until you open the file. As a buyer of a computer with
> unknown content, I doubt if you're still bound to any legalities, even if
> you actually view the content of the file. Tony addressed a couple of
> notions on this situation. One, that if a file on a legally acquired disk
> is unrecognizable for its purpose, you could simply delete it. Two, if you
> have an intention to offer a previous owner of the computer a copy of their
> data back, you need to open it to know what's in there to perform that
> action.
> Again, I cite these examples to show that any legal obligation of a current
> owner of content contained in a legally acquired computer system is not a
> black and white issue. Personally, LW&T files mean little to me. I'd much
> rather have the space they take up instead of the file. As for other items,
> like resumes that may be found, resumes are marketing documents intended to
> market the individual to those who could potentially lead the individual to
> employment. So, who can be defined as one who could POTENTIALLY lead an
> individual to employment? Again, not a black and white issue. "Bobby" can
> give copies of his resume to his friend "Billy" and tell him to give them
> to people he thinks might be hiring.
> Is the content of that resume private? Is it illegal to possess a copy of
> someone else's resume? I seriously doubt it based solely on intent. It was
> the intention of the individual to get their name, contact information, and
> a brief history of their job history out into the world in hopes it could
> lead to employment. If the resume source file contained the term
> "confidential", that would change things a bit. But as far as the legality
> of a resume file as a private document, one would be hard pressed to assert
> such a fact. But in this case, the person who is named in the resume I
> found on my Kaypro had died in the late 2000s. I determined that from
> public information that noted his death, along with employment history
> matching the content of the resume. So from my point of view, the resume
> file certainly implies a lot for the computer's provenance, but it's hardly
> a secret for its content.
> Overall, an underlying point shared by those who responded is this... we do
> have a degree of obligation in regards to the disposition of the content of
> computers we acquire. However, we will always disagree at some level to the
> extent of that obligation. As for the legal status of the content, it's not
> a blanket issue equally covering everything contained on the disk. Each
> "file" most likely is governed by a different set of laws pertaining to its
> content and/or use. Ethics is more likely the doctrine to be applied to
> content disposition. Legality is only a part of the decision making process
> while applying ethics to the problem.
> Jeff Salzman
> On Thu, Jan 14, 2021 at 6:10 PM Herb Johnson via vcf-midatlantic <
> vcf-midatlantic at lists.vcfed.org> wrote:
> > Well, while I have a lot I could post on these matters, I won't. I'm not
> > a lawyer and these are legal matters. The rest is discussion not advice.
> >
> > Certain content one might obtain from others accidentally on an
> > abandoned computer, is outright illegal to own and distribute. Delete it
> > - period. Other content is proprietary and still in distribution, thus
> > an actionable issue by the active producers of that content.
> >
> > And of course, most of us with a clue know what is "private
> > information". Nobody here is "researching" people's private information.
> > This is a vintage computing discussion. Private information must be
> > deleted, copies only to owners who want it and are given opportunities
> > to ask. Most people seem to be indifferent; some are not.
> >
> > The rest, is about technical content of old programs out of use, and
> > possibly original programming done (as in sources, binaries). These
> > things are, in my opinion, the business of those of us in vintage
> > computing.
> >
> > What to do about finding that stuff, has been in discussion for decades.
> > There's common practices about that content. While owners could take
> > actions, many owners are disinterested in doing so, or "unavailable", or
> > in some cases have released their published works. Owners have rights,
> > and the right to say "delete". At least they used to, when content
> > resided in their own hands. Another subject.
> >
> > Informing former owners about discovered content beyond impersonal
> > programs and documents, has some merits both to us and to the prior
> > owners. Tony shares his experience, that he's informed some owners about
> > protecting their data.
> >
> > All that said, I'm informed by the posts on this subject, from persons
> > who identify their sources of authority on their decisions (Tony
> > mentioned HIPAA compliance for instance). And by various experiences
> > discussed.
> >
> > Authority and or experience matters to me, when I see advice, certainly
> > when I give it. I don't say I have much authority, other than years of
> > practices; I have no authority on legal matters, little on business. I'm
> > a technologist by training and historian by circumstance.
> >
> > Myself: I preserve the history of development of certain programs and
> > hardware on my Web site. Much of that is published information,
> > descriptions and repairs of hardware, documentation, sources or
> > disassemblies. Some of it is biographical information from public
> > sources and personal correspondence (republished by me with permission).
> > Generally I have permissions, as owners of content have the rights to
> > say "no", and privacy rights.
> >
> > Over the decades: I've been contacted by content-owners or their heirs
> > or their associates and customers. Most thank me  for recognizing those
> > known to them, a few for recognizing themselves! Some provide more
> > information. Some people want their privacy, or at least used to when
> > privacy existed. And some, are no longer interested in certain past
> works.
> >
> > So it seems to me:
> >
> > If the VCF Inc. chooses to, they might gather some informed and
> > authoritative opinions and recommendations and practices, and make that
> > information available, as a service. They may also choose to do so, to
> > inform their officers and volunteers as to "best practices" within the
> > VCF collection.
> >
> > One service might be, to identify kinds of content - such as I and
> > others have identified - and suggest the kinds of practices one might
> > take. That service alone, may help persons in deciding what to do, where
> > to seek advice.
> >
> > But I'm not credentialed in most of these matters. I have certain
> > practices I follow. Mostly I tell people "this is at your own risk. Seek
> > professional, legal or more experienced advice. I'm not responsible for
> > your consequences. Make your own choices." Otherwise I lead by example
> > and effort and results, I hope.
> >
> > regards, Herb Johnson
> >
> >
> > --
> > Herbert R. Johnson, New Jersey in the USA
> > http://www.retrotechnology.com OR .net
> > preserve, recover, restore 1970's computing
> > email: hjohnson AT retrotechnology DOT com
> > or try later herbjohnson AT comcast DOT net
> >

More information about the vcf-midatlantic mailing list