Slashdot Mirror


E-Mail, Privacy and the Law

Not From Me writes, "sendmail.net has an eye-opening article about how 'private' e-mail is in the eyes of lawyers and courts, called E-Mail, Privacy and the Law. Scary stuff, and important to know."

16 of 176 comments

  1. Microsoft? by MartinG · · Score: 3

    "... it can be demanded as potential evidence during litigation."

    Isn't this one of the things that has got Microsoft into so much trouble throughout the court case? I wonder how much of what they now stand accused of would not even have seen the light of day without forcing them to disclose their emails?

    --
    -- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz .@adgimnoprstu
  2. 5th Amendment by MerkuryZ · · Score: 3

    Perhaps an email protocol which allows for self destruction and prevention of forwarding of emails needs to be created (not patented). I send an email to a co-worker about how I think this and that about another employee, set to destruct in 1 day. Then, when a court case comes up, this email is long gone.

    --
    perl -e "print(pack('H37','4d65726b7572795a40676e7572642e6e6574'))"
  3. Re:Scary by viking099 · · Score: 3

    Actually, it's easier to destroy a letter. All you have to do is stick a lighter under it, and you're done. With email, you have to actually destroy the binary data of the section of the hard drive it's on.
    That would be ALL hard drives. Which means:
    1) The sender's hard drive
    2) The sender's ISP's mail hard drive
    3) Your ISP's mail hard drive
    4) Your hard drive.
    and for every cc:, the number jumps up.

    and don't even bother trying, if there was a bcc:

  4. There are things that can be done by Proteus · · Score: 3
    This will probably get lost in the hundreds of posts that I expect to come flooding in on such a hot topic, but here's my $0.02 anyhow:

    Despite the article's premise that it doesn't matter how many layers of encryption, etc are used to protect e-mail, it is all discoverable. Now, I'm not a lawyer, but my understanding of current US law is that the TEXT of any e-mail is discoverable: if the sender encrypted it, there is no current law on the books that would force surrender of the key. This changes a bit if only the servers encrypt the data -- which is a strong argument for public use of encryption.

    On a side note, however, it is important to realize that if the authorities wish to take the time to track down the senders and receivers of e-mail messages, the plaintexts of even encrypted messages can be subpoenaed (sp?), so caution in what is said is still important.

    This brings up one last issue, too: with the revision of Yahoo!'s ToS to state that they own all IP expressed over their services, even instant messaging logs could be subject to this kind of discovery. Write your congressperson, as per usual...

    In the meanwhile, encrypt, encrypt, encrypt! At least we'll make them work for the data. :)


    --
    Never underestimate the power of very stupid people in large groups

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  5. What's the point? by zpengo · · Score: 4

    We all know that e-mail should be private, but the question is, "Why isn't it?"

    E-mail can't be used to "prove" anything. It's disturbingly easy to forge. A printout of an e-mail could easily have simply been typed. There are no signatures, no postmarks, just bytes of data that can be forged by anyone who has half a clue what they're doing.

    ICQ: 49636524
    snowphoton@mindspring.com

    --


    Got Rhinos?
    1. Re:What's the point? by jd · · Score: 3
      And what's to stop someone from telnetting to port 25 of the mail server and forging whatever FROM address they like?

      For that matter, if you've subpoenaed the server logs, you've a copy you can edit to your heart's delight.

      At one point, in England, computer-based evidence was ruled inadmissible for this exact reason. There is absolutely nothing external to prove that any computer printout is genuine. Any or all of it could be forged, and there would be no way of telling. (Several Poll Tax cases were booted out over this.) However, since then, the Government has decreed that it's admissible, anyway, whether it can be proved plausible or not.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. The US and Lawyers by MosesJones · · Score: 3


    What is it over there in the land of the free that creates such draconian laws? Giving Lawyers as much power as the likes of the FBI and other elements of the government is way beyond bizarre.

    Time to have another revolution guys.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  7. Encryption's No Solution by retep · · Score: 3

    The problem with encrypting everything is that you can have your key subpoenaed too. If you don't turn over that you get hefty fines (for the defendant) or your case gets forfeited (for the prosecutor). Encryption just doesn't do a single thing for you, except allow you to swallow those hefty fines if it's worth it. (Company secrets might be worth keeping even if you have to pay millions in fines, of course.)

    Destroying email will help you out quite a lot. Make sure that no email gets saved. And make sure that all deleted email is securely overwritten. Don't make backups and if you really need to save something hide it.

  8. Re:What if you delete or have "misplaced" it. by TheTomcat · · Score: 5

    Perhaps the best idea that I have is to simply have a convincing fake on hand to lure would be lawyers into thinking something else when it's really not the case.

    Woah. I think you might be on to something here.

    I'm not a crypto guru. I barely understand public key encryption as it is, but here goes:
    What if an encryption scheme were devised where the plaintext is encrypted with two or more private keys (belonging to one person), plus the other key. The encrypted would decrypt to two or more different texts, depending which key is used.

    So, I could encrypt "Meet me at midnight." and "Happy birthday, Ed." With two keys, into one block of encrypted text. Then, if I use my private key A, it returns "Meet me at midnight." and if I use my private key B, it returns "Happy birthday, Ed."

    If we could somehow make the number of original plaintexts undetectable, we could supply keys to those who demand them, where they would decrypt our code to get "Happy birthday, Ed." when the REAL secret was "Meet me at midnight."

    I know I could've worded that better, but is this a possibility? Is it already being done? I know it's a little along the lines of Steganography, where the encrypted text is inserted into a piece of digital media, making it look less like an encrypted message.

    Summary:
    If we could encode, say, 4 strings into one crypto block, and have it return different unencrypted text for 4 different keys, while keeping the number of original strings undeterminable, the party deciphering the string would never know if they have ALL of the keys, thus they would never know if they have the data that the sending party doesn't want them to see.
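
The property asked about in the comment above already exists in one cipher, the one-time pad: for a given ciphertext, a second key can be computed afterwards that decrypts it to any other text of the same length. The sketch below is an added example, not part of the thread; the function names and the 64-byte block are assumptions. It also shows the cost (a key as long as the message, no integrity check), which is why a key produced for such a ciphertext proves nothing about the original plaintext.

```python
import secrets

BLOCK = 64  # constructed fixed size, so ciphertext length reveals nothing


def pad(msg: bytes, size: int = BLOCK) -> bytes:
    """Length-prefix and zero-fill so every message occupies `size` bytes."""
    if size > 256 or len(msg) > size - 1:
        raise ValueError("message too long for block")
    return bytes([len(msg)]) + msg + bytes(size - 1 - len(msg))


def unpad(block: bytes) -> bytes:
    """Strip the length prefix and the zero fill added by pad()."""
    n = block[0]
    if n > len(block) - 1:
        raise ValueError("bad length prefix (wrong key?)")
    return block[1:1 + n]


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad key must be as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """Return (ciphertext, key); the key is fresh random bytes, used once."""
    key = secrets.token_bytes(BLOCK)
    return xor(pad(plaintext), key), key


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return unpad(xor(ciphertext, key))


def alternate_key(ciphertext: bytes, other_plaintext: bytes) -> bytes:
    """Key under which the SAME ciphertext decrypts to other_plaintext.

    Nothing in the ciphertext distinguishes this key from the original,
    so the ciphertext is consistent with every message that fits the block.
    """
    return xor(ciphertext, pad(other_plaintext))


if __name__ == "__main__":
    ct, key_a = encrypt(b"Meet me at midnight.")
    key_b = alternate_key(ct, b"Happy birthday, Ed.")
    print(decrypt(ct, key_a))
    print(decrypt(ct, key_b))
```
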

  9. Document Retention Policy by stab · · Score: 3

    I followed the incredibly interesting link from this article regarding the "Really Bad Attitude" newsgroups that Netscape had set up, and that Microsoft subpoenaed (at http://www.jwz.org/gruntle/rbarip.html).

    I noticed this quote:

    In hindsight, complying with the company's Document Retention Policy (which at Netscape was basically, ``shred anything within 90 days unless you can't get your job done without it'') might have been a good idea.

    How many major companies actually have a policy like this for electronic information? Most backups are tape/DLTs which last eternity, and is the only purpose of this policy to prevent liability with stuff lying around?

    This sounds like it worked with paper-based archiving systems, where space simply doesn't exist to archive forever, and non-essential documents are destroyed, but none of the people I've done work for have had a similar policy at all.

    So the question is ... how many companies out there do this to avoid liability, or is there a different reason for it?

  10. Wouldn't Encryption Keys fall under 5th amendment by Greyfox · · Score: 3

    I'd think you could refuse to disclose your encryption keys on the grounds that there could be something encrypted by them that could incriminate you. Maybe there is, maybe there isn't, but there could be.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  11. Re:Why's this scary? by PigleT · · Score: 3

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hmmm. You're very right on the self-control things.

    Me, I don't /want/ my personal mail coming through to work at all; that's why I ssh out to read it and don't let anything remotely sensitive go through, just "in case" someone happens to be listening. If it's really private then it gets GPG-encrypted, or if I think there's a clueless twerp on the other end (see "easyspace" under the domain registration article!) then it gets GPG-signed so they can't doctor it.

    It would be interesting to have a "slashdot" public key floating around... :)
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.1 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iEYEARECAAYFAji+jB0ACgkQh3MeQyZWueSbuACeMEsZyyfF 0AJAr6gzT0L528wx
    oF0AoIqi5q6xpU0p588mBPz9Yk+gvrmT
    =n/x7
    -----END PGP SIGNATURE-----

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  12. Why is an encryption key discoverable? by Get+Behind+the+Mule · · Score: 4

    The article explained that an email is "discoverable" because it fits all the legal definitions of a "document", and documents are discoverable. That much I can follow.

    Then it went on to say that encryption won't help, because your key can be subpoenaed; but no legal grounds for this were given. If I've committed my key to memory, it certainly doesn't seem to fit any definition of "document" (unless legal definitions are even crazier than I thought possible). So what are the legal grounds for forcing me to reveal something that exists only in my head?

    Could someone with some legal expertise comment on this?

    As I remember the Co$-vs-the-Net war, $cientology subpoenaed computer files from Grady Ward (who most certainly was not Scamizdat). So he turned over a bunch of files, including PGP-encrypted files, and that was that. He was never even asked for a key, IIRC. The Co$ went on to hire a Special Master who attempted to decrypt the files, much to the continuing amusement of all observers.

    The Co$ notoriously uses every legal means available to get what it wants. So if they didn't even ask for a key, I'd be very surprised if there are any legal grounds for doing so at all.

  13. Yes and no by / · · Score: 3

    Yes we have a 5th amendment that is supposed to protect the accused from all self-incrimination in criminal trials. But we also have a Supreme Court that in recent years has been rather fond of undermining civil liberties like these. The 5th amendment won't protect you from having to submit a urine sample for chemical analysis, and that's the line of argument the government will likely use if the crypto-key issue gets tested. Something like "Revealing the key isn't the same as forcing you to incriminate yourself. It just lets us understand a document where you already committed the self incrimination." This stands in stark contrast to other systems of law (particularly Jewish Law) where all self-incriminations are disregarded, without regard for how or why they were made.

    Remember, the "land of the free and the home of the brave" is the same place where the highest court of the land looks poised to rule that anonymous tips are sufficient for giving probable cause to government agents to stop and frisk citizens on the streets. "Hey Bob, the person over there who looks like he's a member of a disfavored racial minority group looks like he could be carrying some drugs (or even a bomb!). Why don't you step into that phonebooth and call the station and leave an anonymous tip so we can go over there and get medieval on his civil rights! And remember, anonymity means zero accountability."

    We're also the country where, right after the Diallo verdict came back, police three blocks from Diallo's house went and shot another unarmed black man at point-blank. But at least this time he had a sketchy criminal record and the whole thing was just a big mistake, so that makes it justified, right? Right? I hate this place.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  14. A recent experience by benenglish · · Score: 3

    What I find interesting is the way a subpoena for email might be worded and what actions it might require of the person holding data.

    I work for a large government agency where all email is saved forever because everyone is accountable for everything they do for all time. That's fine. We're public sector law enforcement; we should have such rules. Recently, though, an employee sued the agency and requested all email files. Our lawyers argued that such a subpoena would be overbroad and would reveal a great many private things that shouldn't be made public. The judge agreed and a compromise was worked out. Several years' worth of Microsoft Exchange backup tapes were sequentially reloaded on a system set up for the purpose. Each time a tape was restored, all files were searched for a text string matching the name of the woman who brought the suit. Then, all emails that contained her name were *printed out* and delivered to her lawyers. Not surprisingly, lots of folks had been jabbering about this woman in email, so there were boxes and boxes of printouts. It took the poor admin assigned the task literally weeks to complete, but at least there was no way for all sorts of extraneous data to go public.

    Contrast that situation with the situation of the airline employees who found their computers seized. Were they entirely without recourse? Were they not given a chance to produce the documents without having to turn over their hardware? I don't know, but I do know that if such a thing happened to me, I'd be less than happy. I have lots of conventionally encrypted files that are relatively safe since the only copy of the password is in my head. But would I be willing to sit out a contempt citation to protect that data? Talk about feeling conflicted!!

    Short side note: There are a zillion different circumstances when testimony *can* be compelled. I'm surprised by the number of posters who don't understand that 5th amendment protections are often non-existent, especially in civil actions. They can even be circumvented in criminal actions rather easily, assuming you aren't the primary target of the prosecution. I guess high school civics classes aren't what they used to be. :-)

    IANAL, of course.

  15. Should it? by guran · · Score: 3
    My private e-mail should be private. (Or as private as I choose to make it. If I don't care to encrypt it, it is *my* choice.)

    Business e-mail is a completely different thing. A court order to view *corporate* mail is definitely OK. Whether or not they can "prove" anything.

    People will just have to learn to separate their personal and professional e-mails. Perhaps companies should insist on digital signatures on business mail, informing employees that business mail is company property.

    STOP Hold the flame thrower! Of course, they ought to provide a semi-private mail account too, for company (or personal) matter "off the record".

    Hey, it works for snail mail. If I write to:

    TheCompany Ltd
    att: Anonymous Coward
    Someville

    It is understood that my letter is meant primarily for the company, and simply addressed to AC. If AC is not there, I expect someone else to take care of it.
    OTOH If I write:

    Anonymous Coward
    TheCompany Ltd
    Someville

    It is understood that the content is meant for AC and not to be opened by someone else.

    Why should not the same thing work for e-mail? (if laws are applied wisely, that is)

    --

    All opinions are my own - until criticized