Appeals Circuit Ruling: ISPs Can Read E-Mail
leviramsey writes "The US Court of Appeals for the First Circuit (covering Massachusetts, Maine, New Hampshire, and Rhode Island) has ruled that e-mail providers are not violating the law by reading users' e-mail without the user's consent. The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted. Perhaps OSDN should send the defendant, accused in 2001 of reading users' emails in order to find out what they were interested in purchasing from Amazon, a T-shirt from ThinkGeek?"
More words: This most certainly has to be overturned on a privacy bill of some sort. Imagine the widespread mail-reading that is now determined -at least in the mentioned jurisdictions- to be legal. I wonder what ever happened to the privacy laws and how they match up to this new ruling (the ones that say a conversation is deemed to be confidential and cannot be disclosed outside of the circle in which it originated?)
I completely agree with "And he acknowledged that "the line that we draw in this case will have far-reaching effects on personal privacy and security."
... to start using strong crypto for our email? The technology has been available for free for years now, so what's stopping us? Why this inertia?
There are people that don't run their own mail servers? Well, I suppose that might change now.
It has been ruled that ISPs are simply a carrier, but they can read the email?
"Derp de derp."
We don't need to say that this is like opening postal mail, or that RAM holding the email temporarily is like a modem caching the data. We don't need to compare this to anything to explain it.
It is plainly and utterly stupid and wrong.
Enough said.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
google isn't an ISP :D
If ISPs are not breaking any laws reading users' stored email without consent, then why was there a huge fuss about Google using a parsing engine to do the same?! I would have thought that a parsing engine was more in line with privacy than someone reading your mail!!
I feel a tremendous schism forming within the ranks of the American Legislature over this, with one side determined to force restrictions upon 'publicised' companies in an effort to make names for themselves, while the other side is making rulings like this that will barely make the main press. Something tells me not everyone is singing off the same hymnsheet.
Something died a little today. That something was common sense.
Oh god now they will know about my massive addiction to penis enlargers! seriously i don't use my isp account for anything important if they wanna know about penis enlarging treatments go fer it.
For The Best Jazz/Hip-hop fusion > COlD DUCK
If ISPs can read your emails, that stops them from being a common carrier anymore, doesn't it? Which then means that they could be held legally liable for any damages caused by illegal activity via email, couldn't they?
T Money
World Domination with a plastic spoon since 1984
Email is plain text. clear text. not encrypted. Now if this covered ISPs' right to read their users' mail if it were encrypted, then that would be something else.
It's clear text though, what do you expect?
encrypt it
I think it may be a good time for people to start looking into encryption.
Even the samurai
have teddy bears,
and even the teddy bears
get drunk
http://gnupg.org
Most email clients support it nowadays (thunderbird and Mail.app both have free extensions) and the only reason not to use it is the initial cost of collecting keys for everyone you want to talk to. Well, think again!
Fortunately...
:-))
1) I'm not in USA;
2) I use gpg;
3) I'm wearing that t-shirt.
This is just as wrong as stupid: makes me remember how 2600 lost in court making links to illegal stuff illegal, when, after, others won in the same court proving linking is just linking, not illegal (good for Google
It's frustrating when we clearly see that the laws are just bendable...
Mind Booster Noori
The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted
So now the loophole is telecomms carriers can store messages, and by storing messages they're allowed to listen to them.
Of course, it's no use just to listen to a message to get info on what a subject is up to, it has to be stored for later use, so simply the fact of listening in to a phone conversation and recording it for later use makes it legal to listen to and store for later use.
bah
And to those who think encrypting your email is the answer - it's not. The email sent to you can still be read, and many sites like Amazon, which is mentioned in the article, send automated emails to whatever address you provide them, making your communications easy pickings for unscrupulous ISPs.
Of course, on the other hand, I'm sure some people here won't be surprised, and will in fact welcome such intrusion into their email, as evidenced by the enthusiasm here and elsewhere in geek circles for Google's Gmail service, which is at least as intrusive and does the exact same thing with a user's emails (i.e. reads them for the purposes of marketing other products they think the user would be interested in). I'm still not sure what causes this cognitive disconnect in the technical community, but it is both puzzling and worrisome.
Software piracy is victimless theft.
will be using Ray Romano's encryption scheme:
I ehat het su ourtc fo ppealsa!!
It's time to start skimming the gene pool
And to think I used to read all the cute girls emails at school when I was a temp sysadmin... it was all legal! w00t... I wonder if the extortion I did using the information I gleaned from their emails was equally as legal... oh well, I guess I'll never know... besides, how else is a geek supposed to get action in highschool? :P
---
Programming is like sex... Make one mistake and support it the rest of your life.
grep -i -n -A 3 username * > password_list
thanks for that
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
The US Court of Appeals for the First Circuit (covering Massachusetts, Maine, New Hampshire, and Rhode Island) has ruled that e-mail providers are not violating the law by reading users' e-mail without the user's consent.
In a way, I suppose, this ruling is a good thing, because it underscores the need for a comprehensive privacy and data retention law.
What's needed is something along the lines of The European Union's privacy law: that is, something that is explicitly mandated, rather than the "penumbras" of privacy that some judges can, and some judges won't, see lurking between the lines of the Ninth Amendment.
We can hope that this defeat in the courts can be -- with our hard work -- turned into a victory in the U.S. Congress.
Opinions on the Twiddler2 hand-held keyboard?
Simply include a picture of the goatse guy or tubgirl in every email and they will be sorry they ever read it.
I Am My Own Worst Enemy
Email is not mail, it's a post card at best. I see people's mail regularly as part of work as it's going down the wire; it's not illegal as I'm performing maintenance and troubleshooting for the companies that own the routers. Same goes for a random sys admin that needs to, say, fix an email box or generally run the system. Your service provider has always been able to do this. The post office can read your mail if they need to; what do you think dead letter offices are for? Don't like it? Encrypt the contents and use anon remailers.
No sir I don't like it.
I'm speaking here about an average user, rather than the tech-savvy crowd that populates Slashdot.
Software piracy is victimless theft.
How long does an email (or for that matter a voice mail) need to remain at 0 momentum before it is considered storage?
I make my face look like this and concerned words come out.
You're a little late for the funeral. It's been dead for some time now. B-)
I have 3656.9 Bogomips. How many Bogomips do you have?
In theory, I find this to be extremely uncool. It's akin to SBC employees listening in to your phone call to grandma, or a US Postal Service employee ripping open your cable bill to see which pornos...er, I mean, G-rated family films...you've been ordering.
In practice, however, I'm pretty indifferent about the whole thing. I figure, what kind of bigshot do I think I am, that I'm worried about some giant ISP reading my lame-ass e-mails? Let 'em read. They probably don't even know who the hell I am (beyond the fact that my customer # is 1234567-890 and my bill is 3 months in arrears).
Just once I'd like someone to call me 'Sir' without adding 'You're making a scene.'
Have you ever heard the expression, "Behind every sleazy lawyer is a sleazy client"?
And what about the ECPA provision on unauthorized access to stored communications (Steve Jackson case)? Don't they apply here?
So you could legally make a wire tap by putting a computer on the wire, converting the previously single wire into two separate segments. Then, have the computer temporarily store the information in RAM before transmitting it on to the destination (and also store the data to the disk and thereby have a legal wire tap).
If an ISP that hosts your email can read your email. - why can't a search engine that hosts your email read your email?
(or scan it - whatever)
I don't think the judge understood what he was saying. In ruling that email messages are being stored, not transmitted he completely ignores the fact that the only reason that email is sent to an ISP is so that it will be transmitted. The asynchronous method of delivery really shouldn't enter into it. However, if that is the language of the law, then that is that...
This ruling would also mean that your voicemail at your cellphone provider is wide open to being listened to as well... Nice...
Let's try to be a little rational here. I know that everyone is going to scream in the typical slashdot style about "invasion of privacy!!!!!", but let's really look at the problem.
The first thing is to understand what the Judicial Branch's job is. It is to interpret the meaning of existing laws! And looking at the law, it seems that they did a pretty good job of this.
So does this mean that I want my ISP's reading my email? Of course not!
The problem is that the legislative branch is not creating laws that keep up to speed with the ethical problems presented by technology. Let's not get on the Judges' cases for the ISPs reading our email, get on the LEGISLATORS.
In fact, I want to congratulate the judges in this case for making the ruling. Even though it is obvious that it is absurd that the ISPs are reading people's email, the judge did not overstep his authority by trying to create laws, rather than interpret them. This is one of the largest tyrannies that happens in US Politics, judges effectively creating legislation.
So here is a call to all legislators: GET ON THE BALL! New technology has created many new ethical dilemmas, and we need the legislators to start dealing with them.
Wow. This is a huge, huge, huge deal.
Among other things, this means:
* Email, the dominant form of online communication, which most of us have regarded as fairly secure, is now grabbable by federal authorities or police *without a warrant*.
* Your employer may now read all your email -- previously, he had to at least inform you that he was going to monitor your network traffic ahead of time (admittedly, including such a clause in the usage policy was depressingly common, but still).
* Free email providers like Yahoo, Microsoft, and Google now are free to do anything they want with all the mail that you've ever sent or has been sent to you.
I'm sure that the EFF is scrambling to try and do something at the moment -- it'll be their most important case yet.
*IF* this is not overturned, it means that it is *impossible* to have legal privacy protection for any form of communication that is asynchronous across hosts. This affects a vast number of potential protocols.
This means that voicemail systems are *not* protected by federal wiretapping law. If you *ever* leave a message for anyone, your privacy protections are out the window.
It's debatable over whether or not this applies to web caching -- if police and federal agents can now swipe the content of your ISP's web cache (yeah, the transparent proxy that your cable ISP uses, even though you don't think you're using a proxy), they can obtain web browsing data without warrant.
This is the biggest argument I've seen yet for use of PGP. If you are not using PGP, you *have* no privacy.
May we never see th
I've got a better idea for a T-shirt - "I read your SMSs and listen to your voicemail".
Disclaimer: Although I work for a mobile telco, I don't do this. However, the UK government might.. The guy in that story works for the same company I do too.
Get your own free personal location tracker
It is also stupid. Those who are already sending out emails regarding dodgy things are probably already encrypting the email. What this is doing is getting all sorts of other people to do the same thus making it more difficult for the law-enforcers to identify the GENUINE dodgy emails.
Web Sig: Eddy Currents
Just because it's legal does not prevent a user from hiring Johnnie Cochran to haul the email provider's ass into court for some good ol' suing. Sure the provider may have fine print in their terms of service agreement but if you hire a big enough lawyer service agreements are just a technicality. If some companies insist on being rude to customers then it's only a matter of time before the customers pull a class action lawsuit.
So, basically they are saying that it's OK because it is not contemplated in the WireTap act. That's just wrong. And people were concerned about GMail... LOL! For some reason, I trust Google more than I trust Comcast or Verizon.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It is called GPG. If you're that worried about your privacy then you shouldn't be sending your emails around in plain unencrypted text. (And, if you cared, you'd know that I edited this message after generating my signature key)
Peter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)
iD8DBQFA4ysB3YxiXhUBOVoRAl8fAJ9RyODBM1IOZEpjnM/Oz7a8MKE1QCgwYx3
ItBFAxORjYx4AZRVqYH8It8=
=ugwf
-----END PGP SIGNATURE-----
Downsize DC Today!
This is why you should encrypt your email. Further, if they can read it, then they can probably store it, and after 180 days, it is no longer considered private information, and thus all it takes is a subpoena to get at them.
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
Now my ISP will know I have a small penis, credit card debt, hair loss and can't function sexually.
Chris.
I ask for a car and I get a computer. How's about that for being born under a bad
The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted.
That's nice. So now they can use this precedent to listen to your voicemails.
And if we move to VoIP on the telecom's backbone, then they can listen to your conversations... since it is being stored in the router's buffers along the way.
Does this mean I could host a webserver and sell webspace and email out to people, then read all their email and take all their customers' information as well as code/databases they may create because it's in my RAM?
Nice troll, you're sure to get a few bites on the worm.
Spare bedroom in Canada.
Must not mind loud music which has been legally downloaded. Should like the occasional smell of pot (which is virtually legal.) Run own mail server with GPG on it. Free spindle of 100 CDRs to first successful renter.
Trolling is a art,
Funny how in the same day, Canadian courts rule that ISPs are not responsible for user content, and American courts decide that they somehow are. Oh how sweet it is to be truly living in the Land of the Free again!
so is there anyone out there who actually thinks your email to me is actually private and won't be read by an admin of a server that queues it for delivery somewhere along the way??
it's email. there should not be any real expectation of privacy. deal with it.
"We are not tolerant people. We prefer drastically effective solutions"
God forbid an automated machine look for keywords. Apparently only ISP employees should be able to peruse your mail.
It was being transmitted. There's no set "speed limit" for the transit, therefore, no speed may be used to make a determination. There's no set exact determination of particular hardware used, either AFAIK. "oops, sorry, your email took one more hop and lasted .009 milliseconds longer than what we feel is transit, it was stored for a short time so now you can look at it". It don't matter if it's milliseconds or minutes, when emailer A mashes send to recipient B, it's "in transit". When you get a package shipped from fedex, even when the truck driver stops for lunch, your package is still "in transit".
Typical corrupt black robed bogusness. More big brother crap. They will use this ruling to let the government do similar, even moreso than they do now. THAT is the reason they ruled as they did. The rest of it is FUD. These goofs get told how to rule now, they are all global big government appointed lackeys at that level, puppets.
The Wiretap Act's purpose was, and continues to be, to protect the privacy of communications. We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications. Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology. We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes. However, it is not the province of this court to graft meaning onto the statute where Congress has spoken.
As a lawyer, I am too amazed and shocked to comment on the stupidity of this opinion. I will have to come back to it later. However, you guys should read the dissenting opinion that is included in the pdf. It makes more sense. Sheesh!
By this judge's logic, it's legal to tap a phone conversation as long as you don't actually capture it on the "wire"? Does he even realize that his phone calls are only on the "wire" for the first thousand feet or so from his house to the CO? Where it's promptly digitized into RAM? And as it flows thru the ATM network it's stored in RAM temporarily in every switch it passes thru? So if I somehow get access to an ATM switch carrying phone traffic and convince it to cram an OC-3 worth of voice out a monitor port that's all legal? This judge got snookered plain and simple.
Interesting... I'd prefer to use a compression number of 629145600 for a 600 MB file, though.
Maybe this ruling will finally convince people to use freely available encryption. I PGP as many messages as I can (I don't have anything to hide, I just don't like the idea of people snooping on me), but not many of the people I email use PGP.
"Do I dare disturb the universe?"
Doesn't the post office store your letters until they are delivered? Does this mean the post office can read your mail because they are storing it....
the judge made a decision based upon the law as it currently stands. that is his job. and he did it well, in addition to that (at the bottom of the article) he notes that this law is being used for things other than what congress intended. which is also great. The outrageous nature of this decision will now most likely be overruled by a higher court, and hopefully congress will get-a-clue(tm) and start writing laws that are designed to handle new emerging technologies. In the meantime all we can do is write letters and bring this lunacy to the attention of those who can do something about it (write to your congressman, I bet they actually read at least some of those letters)
at least I hope they do.
This is completely off-topic, but nevertheless, I'm going to comment on that.
:-)
1) Using a compression number of 10 or more is completely useless (even harmful) since you're just adding a floatpoint... (this if you're willing to make a base 10 division, as I think you're saying regarding to your post);
2) Turning everything in a binary-stream is cost-expensive: try turning a binary into a binary-stream (a large string of 0's and 1's) and then compare the size!
3) Even if you're trying to compress a binary stream, dividing it by 2 will at most create one decimal algarism, if you try dividing for 4 you'll at most get 2 decimal algarisms, but if you try to do it with a number not multiple of 2 you're doomed...
4) It's stupid. Deal with it
Mind Booster Noori
Exactly who gets to read the email? Low level employees at their leisure? Filtering robots? Could I get a job at an ISP then start legally reading emails and finding out things about people that they would rather not have me know? Could a corporate spy get a job at an ISP and read a competitor's email as a form of corporate espionage?
Heck, an old boss of mine (one Neil Peiman, former owner of the now-bought-out Internet Access Group, Inc. (iag.net)) was reading employees' and who knows who ELSE's email. Everytime I see someone with that ThinkGeek shirt on, I ask them if they are related to Neil...
In my opinion, Neil was the most morally bankrupt, self-serving, and egotistical bastards alive. he didn't even have the balls to fire me on his own - he tried to get another co-worker to do it for him. You see, he was scared of me. I knew his dirty little secret; I knew he was fscking his sexy little secretary Sarah LaRosa. I also knew he was regularly rummaging through employee emails (looking to see if anyone "knew", I would imagine). I knew he was giving his customers the runaround and using his techs to cover his a$$.
Sorry...was I ranting?? Anyways, so if Neil is running an ISP somewhere else now, he can read everyone's email legally....great, I feel _so_ much better.
+that's funny...I don't FEEL tardy.+
Snake oil.
Read why here. Get the info in Claude Shannon's own words here.
did the appeals court give them the super powers necessary to read encrypted email too? I'm safe otherwise. Eat that, US court system!
-------
1. Enjoy your job
2. Make lots of money
3. Work within the law
Choose any two.
This keeps coming up again and again, and every time I tell people: use https://www.hushmail.com!
Free webmail, as easy to use as any other free webmail. The user interface could use a little work (I want to be able to use nicknames instead of typing in the whole address!) but other than some fluff it just works.
Schneier reviewed their security and gave it the OK, so you know it's secure.
Suddenly, ISP-run antivirus filters and spam filters could make them liable for invading people's privacy. After all, even though these filters are automated, the server admins need to be able to verify they are working correctly.
Plus, if nobody is allowed to read the mail, what about automated data miners? It's a slippery slope in both directions.
What about analog signal delay chips? What about digital phone systems that temporarily store signals in RAM? And if volatile memory is considered transmission instead of storage, what if they used MRAM in the future?
Others summed it up with "stupid", but "stupid" just doesn't seem to come close.
I'll bet some ISPs are madly looking at what they have that they could market to the tabloids. Anyone out there have some Senators or Representatives as clients? Publishing all of their email might get a law out quicker than you can say "stupid".
I know Mr. Councilman. He was a selectman in the town of Montague, MA and ran an ISP (www.valinet.com). The ISP was initially running on DEC Alphas and one day it went poof. It came back the next day running Linux on Intel. The ISP claimed they went down due to a software upgrade gone wrong. What really happened was the FBI raided their office and took all of the hardware. I remember the call from the FBI agent in charge when he wanted to have me look over some files they found on the computers. It turns out that not only was Mr. Councilman reading people's e-mails, he was also hacking into all of the other local ISPs to steal their customer lists. The FBI agent showed me a partial list of my /etc/passwd file. I could date it by looking into billing to find when the customers were created. I remember sitting in small claims court trying to get money from a customer when our servers crashed because of his hacking. I remember when Mr Councilman forwarded my CERT report of the event to a local newspaper and I received a call by an overzealous reporter. I remember when he was arrested and fined $250,000. I thought it was sweet justice for the grief he caused me and the other ISPs in the area. Mr. Councilman is not only a thief but a hacker. It is a shame that all he got was a slap on the wrist. His old ISP was purchased by another company and is still around. They purchased it about a month before the arrest.
I really wished he saw some jail time. The guy is a jerk.
If snooping emails waiting to be downloaded is not interception of correspondence in transit, then it surely is trespassing, just like invading one's computer with spyware or any other form of trojan horse.
Maybe we deserve this world ?
I guess all those voice mails that are stored in fixed and mobile networks can now be listened to by anybody working at the network operator. There has to be some really interesting bits in there.
Come to think of it, store-and-forward is a popular way to transmit faxes in mobile networks: instead of having your phone (or the PDA attached to it) negotiate a fax session directly with the fax you attempt to reach, it contacts a store-and-forward application in the mobile network, which in turn contacts the destination fax machine (much better to avoid timeouts, among other things). I guess all these faxes can be read freely by the telecom operators now...
I guess it doesn't stop there either (what about SMS, MMS, etc. ?).
I hope this gets overruled or something soon, even though I don't live in the US myself.
I'm in RI so I guess this applies to me.. oh well, good luck reading my email. with all the spam I can't even read it.. I use bayesian filtering and it works good but I can never trust any filters so I still have to go through all the spam each day. argh
Being that I've worked at an ISP for the past 5 years, I regularly come in contact with customers' email. I'm glad to see I can't be held legally liable for viewing mail stored on a server. However, I still regularly pick up pieces of people's email while using ethereal to diagnose various problems. This email isn't stored, it's being transferred across the wire. I'm not spying on their mail, however I am intercepting it while in transmission...It makes me wonder what my (or my employer's) legal liability is given I have no malicious intent.
--Gentoo Baby!
Seems like the charge under the Wiretap Act was not enforceable, but a charge of violation of the Electronic Communications Privacy Act should be:
http://www4.law.cornell.edu/uscode/18/pIch119.html
Why didn't they also charge a violation of the ECPA? Seems like the ISP would have gotten slammed into the ground on that one.
ISPs can read e-mail? Finally. Now maybe someone at an ISP will reply to the several dozen "One of your customers is sending me spam" messages. It's about time ISPs got around to reading e-mail.
Now to read the article ...
How about lame cable companies that do stupid shit like block ports, especially email ports? Cox, I'm talking about you. They have done this at the request of AOL and M$, or so said their tech when they finally blocked outgoing mail. The chain of devolution from At Home was:
M$ and AOL threatened to blackmail all mail from Cox if they did not take the last steps, and I'm sure they pressured them on the first few too. How disgusting that they would force a competitor to spend money to degrade their service.
How are you supposed to build a crypto email system when you can't run your own email server? Don't give me BS about using other ports, they will block whatever people want to use. If you don't run it, you can't trust it. Even when you do run it you need to be careful you are not owned.
Email servers are easy to make and I'm sure there would be a market for them, as appliances, if there was legal certainty to the application. As it is, broadband ISP is monopoly ISP and they can do and charge what they want. Any popular service can be owned and charged for.
Think the legal framework is an accident? Ask yourself how Carnivore would work if everyone could just go buy a $100 encrypted mail server from Best Buy. I hate the direction my government is going. We beat the Soviet Union so we could act like them?
The situation must be changed to respect individual privacy and dignity.
Friends don't help friends install M$ junk.
The solution is to replace SMTP. This will be neither easy nor quick, but it is the best way to solve all the problems in a manner that people won't mind using.
Software piracy is victimless theft.
Oh yeah, big momma got some dirty bits for your ass!
If you don't read the court document, you might believe the subject of the slashdot story, "ISPs Can Read E-Mail". This is in fact not what the court decided. It decided that the Wiretap Act does not prevent ISPs from reading email. They have not considered whether ISPs can read email under other laws, such as the Stored Communications Act, because the plaintiff did not bring this up.
It seems the Wiretap Act has very narrow definitions (which is a good thing to prevent Government nosing around where it doesn't belong). Maybe the Wiretap Act should be rewritten to cover modern communication better, but that's up to the politicians, not the judges.
On a different subject, this decision could affect the phone system. Aren't phone communications sent in routed packets, now? In which case, could conversations intercepted in the routers fall outside the protection of the Wiretap Act?
Let's dismiss common sense for a minute and think like a lawyer: Fact: The Wiretap Act deals with phone calls, which are, technical nit-picking aside, real-time communications. It was the prosecution's error to take an issue based on a communications protocol that is defined as "best effort", and try to argue it in the context of the Wiretap Act. (E-mail is UDP, so there is no confirmation at the network layer of delivery, and no guarantees of transit time.) Per some other posts here, they should have looked at laws that apply to snail mail, where the analogy is closer. They probably would have won. IANAL, but I don't think it's the judge's place to say, "your argument is not valid, but I find the defendant guilty of "
Yes, this is suck-tastic. I don't like the idea of someone having the legal ability to go around and look at my crud.
But then again, in my accounts where they are not on a server I personally manage, I have nothing of real importance or private matter. There is a reason my company has our own private e-mail and I have my really personal stuff on my own. So, go ahead and look at what you want. You'll find a backlog of 6 months worth of spam.
I've read several people questioning why the general public hasn't started using email encryption en masse. The problem is that email encryption will not gain critical mass unless the following things happen.
1) The encryption software is built in to their default mail client
2) It's easy to use
3) It's turned on by default
4) It's compatible with everyone else's.
And anyone who thinks it is illegal for the mailman to read postcards he is delivering is deluding himself.
"I do not agree with what you say, but I will defend to the death your right to say it"
Okay Thunderbird, here's your chance to shine. Make sending and receiving of encrypted e-mail as easy as regular e-mail is now.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Years ago, I took a trip on a bus the day after the Supreme Court decided that a warrant was not needed to search public transportation. The guy in front of me was trying to pick a fight with the guy behind me. The guy in front was a DEA agent. I had seen his badge and gun before we boarded the bus. The guy behind me was fresh out of prison and had a gun also. He was bragging about it and showed it to another ex-convict that was sitting across from us that he had just met.
While at a lunch stop, I asked the DEA agent if he knew that the guy he was jawing on had a gun. His response was "Yeh, don't worry, just stay low if he pulls it. After the ruling yesterday, we've all been assigned to take trips and catch those who haven't heard yet that we can now search the bus without a warrant. I could arrest him now before he gets off at Memphis, but there's less paperwork if I just shoot him."
The agent was pretty rugged and I believed him. Don't know what happened because they ended up jawing each other into riding on to New Orleans on some sort of dare.
I'll bet there's a similar effort on right now. The wire tapping law is the only thing that has held the FBI back from email not transmitted via international satellite to date and is at least temporarily out of service. Bet they are working overtime.
I tell people that they should assume that every email they send is being read (unless encrypted). I tell my employees that they should not send any email that they wouldn't want their wife/mother/minister/girlfriend/boss/customer/supplier/employees/etc to see. We routinely mail sensitive information around the company, but I am really against anything confidential going out over the internet (w/o encryption).
A few years ago one of my employees received an email of a joke that would be very offensive to most women. She recalled her training that said she should delete the message and ask the sender to not send inappropriate material to her work email address--then forwarded the message to several of her friends. One of the "friends" she forwarded it to was a female VP in HR whose name was only one letter different from the employee's actual friend. Needless to say, I heard about that. I have also seen confidential pricing information emailed by mistake. The only good thing about it was that everybody involved was a woman.
I would pay extra for a practical email system that was secure and would be easy for everyone in the company to use.
It would certainly be easy enough to have a plugin that automatically decrypted rot13 emails if they were detected. Then ISPs would have a clear indication that the email should not be read. Hell, if I remember correctly, almost every usenet client from back in the day had a rot13 decrypter.
RandomAndInteresting.com defending the world from stupidity since 1979
It doesn't work because people aren't willing to deal with encryption protocols first hand.
I wonder if ISPs can now be held responsible for what passes over their network? An interesting collision between their Common Carrier status and their ability (perhaps implying responsibility) to read email.
Just browse over to Thawte for a free S/MIME cert (your choice of Outlook or Mozilla), install it, and start sending encrypted e-mail. (Yeah, S/MIME has Closed Source Cooties. Tough. It works.)
There are three reasons that more people don't encrypt their mail:
1. Some mailers won't handle S/MIME, and behave badly when they come across it (refusing to let you read a signed message, for example).
2. People's e-mail rituals don't include signing/encrypting mail. They don't do it because they don't do it.
3. Security mavens tend to run in full Paranoid Nazi mode. They tend to insist on solutions that are only needed if you insist on full anybody-to-anybody communication with a guarantee of no man in the middle. They also seem to think that "security" is synonymous with "how many times can we make the user type in his password?"
Because of #2 above (the real killer) nothing will be done until businesses start insisting on using secure mail. If I remember correctly, Microsoft Exchange has the capability to enforce this, as well as generating certs. No excuse for not using it.
Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.
This means I can sniff e-mail communications off the wire without violating the wire-tap act right?
It is "stored" on the wire in much the same way it's "stored" in RAM.
How did they make that distinction?
Shouldn't "in transit" mean "moving between its source and its intended destination"?
Maybe after they receive a couple of million ads for Swedish penis enlarger pumps they will rethink (or think) that.
When do my armband and jackboots get here?
Wouldn't this automatically solve Gmail's potential legal problems, at least within Fifth Circuit jurisdiction?
Now all we need is the Ninth Circuit ruling the same thing... ;-)
I'm surprised that more people haven't mentioned this.
Microsoft Windows is, fittingly, the official Desktop OS of Olig
[opens the door; behind it, three mail carriers sit at a table, searching letters for cash]
Mail Carrier #1: Bingo! Birthday card!
Mail Carrier #2: Graduation!
Mail Carrier #3: Ding-ding-ding! Wedding!
From Sunday, Cruddy Sunday
I find it highly ironic that prior case work used to support this ruling was from Steve Jackson Games vs United States Secret Service.
Poor Steve got screwed then, and now the screwing continues.
"Electronic Storage" my ass. I suppose it's legal to read the snail mail in my neighbor's mailbox, I mean, it's in storage and is at its final destination.
I think the court contradicted itself:
"Once the e-mail is accessible to the recipient, final delivery has been completed. The final delivery process places the message into storage in a message store area. Often, a separate Mail Delivery Agent ("MDA") will be required to retrieve the e-mail from the MTA in order to make final delivery."
procmail is a MDA, so final delivery has not been completed. Further, "accessible to the recipient" is not accomplished until a MUA is used!
Clearly this is a judicial problem, from a poor ruling a long time ago.
Anything is possible given time and money.
This ruling is just plain wrong. Here's text directly from the Electronic Communications Privacy Act. Straight from the definitions:
(1) "wire communication" means any aural transfer made in
whole or in part through the use of facilities for the
transmission of communications by the aid of wire, cable, or
other like connection between the point of origin and the point
of reception (including the use of such connection in a switching
station) furnished or operated by any person engaged in providing
or operating such facilities for the transmission of interstate
or foreign communications for communications affecting interstate
or foreign commerce and such term includes any electronic storage
of such communication;
and then later...
(17) "electronic storage" means--
(A) any temporary, intermediate storage of a wire or
electronic communication incidental to the electronic
transmission thereof; and
So, it pretty clearly states that wire communications includes storage incidental to the communication, such as the email temporarily existing in RAM on a system before being sent. Given that RAM is typically volatile, I don't see how you could NOT call it temporary, intermediate storage.
There are no exemptions that I can find in the ECPA that might give this scumbag a way out of this. Either the judges are smoking crack, or the prosecutors failed to use the ECPA properly. I suspect it's more of the latter, as even the dissenting judge said that "the law has failed to adapt to the realities of Internet communications." This simply isn't true, because it's quite well defined in the law. The law HAS adapted to the realities of the Internet, and the ECPA is mostly quite adequate.
Here's a mirror of the full ECPA text for those curious:
ECPA text
.... does this mean we are going to get better spam filtering from the ISP now?
Why do you expect your employer to not read your emails? It is the company's PC, server, bandwidth, etc. These are supplied to you to perform your duties as an employee, which is the definition of your employer's business.
My employees sign a user agreement that acknowledges the company's right to read emails and any information stored on a company computer. I tell the employees that the email system is like the company's phone system: a few personal emails is OK, but abuse will not be tolerated.
Ok. What I don't get: Why did they go after the guy with wiretap charges in the first place?
There are two different laws for two different things:
(1) Wiretap: covers communication on the wire
(2) Electronic Privacy Act: covers stored messages on a server
An ISP is allowed to look at neither unless there are some special exemptions (and getting a better deal from Amazon is not one of them). The Privacy Act is actually much stricter in some cases than the wiretap act.
---- join dshield.org Distributed Intrusion Detec
I use Cisco equipment so all your messages are belong to me.
Step 1: Start an ISP and claim that under no circumstances will you read your customers' emails. Give a free email encryption client to your users.
Step 2: Start advertising this fact, comparing to the competition who makes no such claim.
Step 3: Paranoid people everywhere who d/l pr0n or do anything they consider private flock to your ISP -> Profit!
Thank you Mario! But our princess is in another castle!
Since every digital line (relay) used for telephone communications contains repeaters and other processors, this decision makes telephone wiretap totally legal if it is done by copying the data while it is "not in transit" within the repeater.
That is, each of your "frames" (or messages) of data are received by the repeater, packet-switched or regenerated or whatever "in the resident RAM" and then retransmitted to the next destination.
This is the same as having your email "messages" (or frames) stored on a computer before they are "retransmitted" to you via the browser, mailer agent, or whatever.
This ruling, if not challenged, essentially repeals the wiretap act for anything but a pure-analog telephone link.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Actually, if insurance or medical records are involved, HIPAA laws apply and the fines are big enough to make any company shudder.
I tell you, if a company discloses any personal info of mine even with a subpoena involved, they can expect one heck of a long and vicious lawsuit.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
It doesn't say that an ISP can read customer's email legally...
all it says is that the WIRETAP laws do not apply.
Now that US law allows employers to read employees' email, and ISPs to read any subscriber's email, SMTP has been revealed as the system analogous to a postcard carried by a relay team of hippies that it always has been. Email encryption, anyone?
--
make install -not war
From a recent post on NANOG:
Date: Wed, 30 Jun 2004 17:35:54 -0400
From: Matthew Crocker
To: "'nanog@merit.edu'"
Subject: Re: E-Mail Snooping Ruled Permissible
I know Brad Councilman. This all happened in my back yard. He ran a competing ISP with me (www.valinet.com). Not only was he reading his customers' e-mail and harvesting Amazon.com orders, he also hacked into 4 of the local area ISPs. I still remember the day I received a call from the FBI office in Boston. 'Sir, you are not in trouble but we would like to talk to you about an important matter. I'll be out tomorrow, when will you have time?' He came in with an old copy of my /etc/passwd file (this was hacked from me back in '95,'96). I was happy when they arrested him, he is a jerk. The ISP he ran has since been sold to another company, still local and run as an honest business.
Sorry for the rant, I just wish he got more than a slap on the wrist. They didn't prosecute him on the hacking attempts because the e-mail theft was a bigger crime.
Grrrrr
-Matt
I disagree. I was a big proponent of PGP back in the old days (mid-90's). Back then, it was more cumbersome than complicated. Regardless of the effort to set it up, it still required too much effort on my part to encrypt or sign or decrypt each and every message. My circle of co-workers, contractors, and friends gave up on it after a short while.
Recently, I have begun using Enigmail with GPG. It integrates quite nicely with Thunderbird, and I assume it would with Mozilla as well. We use it companywide, with Macs and PCs (ie OSX and Windows), and we convinced a contractor that uses Linux to use it as well.
While the initial configuration did require some degree of effort, it was not too tough. Encrypting, decrypting, signing, and verifying is almost automatic now, requiring very little effort per message. My PGP (I mean GPG) password is queued for 15 minutes, so from time to time I have to re-enter it. All my messages are signed, and if the recipients are in my keychain, it is encrypted as well.
I think if it is set up by a Slashdot-type person (and let's face it-- that's what most of us are paid to do), an "average" user should have no problem with it.
Thank the Gods!
In Canada, it is not legal for a company to read your private email, as email is treated like snail mail. This applies even if they are your employer!
I really hope the US courts get a clue about privacy!
ttyl
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
If stored == buffered, then all VoIP falls into this category as well. Good times, good times.
As others have said:
If you pick up your phone and talk into it your voice is stored in the digital memory of your phone, then converted to digital signals, then sent to the box down the street where it is stored and checked to ensure accuracy, then sent to the larger box down the street where it is stored and checked for accuracy, then finally sent to the main system, then back down the line to your connection at the other end. When the phone system went from analog to digital (starting about 20 years ago) no one used the south end of a north bound donkey to say the transmission could be intercepted anywhere along the path from Person A to Person B.
Now we have a judge who is kissing the south end of a north bound donkey and saying that just because we are talking about private e-mail that goes through tens (if not hundreds) of different boxes (just like a phone call does) that it is somehow unique or different from any other electronic transmission.
I realize that justice is slow - I just didn't know it was all that stupid. You don't need new laws - you need judges who can use common sense and apply it to those laws which are already on the book. That is the idea behind many laws. That they are general enough and broad enough to give a judge the leeway to apply them properly. But there always has to be some jerk who just has to go against everything just because "if it isn't a part of the law - that means it doesn't work that way." Well, that is what is called a "Rules Lawyer." A term coined from when D&D first started out. There were these jerks who tried to torque around the rules of D&D as much as they could "Because it wasn't written down in the book that you couldn't do it this way."
Get real! Use common sense! I know that means actually thinking about the issues - but use common sense! Equate! If it works like A for one thing - then it should work in a similar manner for B, C, D, E, and the rest of the alphabet.
And I know! This is a flame! But Damn! How many idiot people are there out? I'm sure wherever his teachers are out there they are just groaning over this destruction of the fundamental rights which were already fought over and won by the people of the U.S. Why not just rip out the Bill of Rights and flush them down the toilet. Man - I guess this means another letter to my Congressman and Senator.
Someone put a black hole in my pocket and now I'm broke.
I've been considering offering my entire family e-mail accounts on my personal servers, but they don't like the idea that I can read everything. So I've proposed a strict policy of having incoming messages automatically encrypted, if not already, upon delivery. The mail server would have access to only the public keys to do so. Private keys would reside only with e-mail client-ware on personal laptops and workstations beyond my control. Additionally the policy would forbid any redirection or copying of incoming and outgoing messages off the normal transmission path, or the permanent storage of temporary files in periodic backups. The list of restrictions would be lengthy, but worth it if only to provide a secured repository for my family. Setting up gpg or pgp on each server and client may be tedious, but is far from impossible. The final challenge would be teaching them to protect and preserve their private keys. Is anybody already doing this?
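The encrypt-on-delivery policy described in the comment above, as an added example that is not part of the original thread: a delivery filter that leaves already-encrypted mail alone and wraps everything else as PGP/MIME (RFC 3156) for the recipient's public key. The function names, addresses and sample message are constructed for illustration; `standin_encrypt` is a labelled placeholder so the demo runs without a keyring, and `gpg_encrypt` assumes a public-only keyring on the server.

```python
"""Delivery-time filter: encrypt incoming mail to the recipient's public key
unless it already arrived encrypted. The server never holds a private key."""
import base64
import subprocess
from email import encoders, message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

# Constructed sample message (not taken from the thread).
SAMPLE_PLAIN = (
    b"From: bob@example.net\n"
    b"To: alice@example.org\n"
    b"Subject: Lunch on Sunday\n"
    b"Content-Type: text/plain; charset=us-ascii\n"
    b"\n"
    b"Bring the pot roast recipe.\n"
)


def is_already_encrypted(msg):
    """Detect PGP/MIME, S/MIME enveloped data, or inline armored PGP."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # signed-data is only signed; enveloped-data is encrypted.
        return msg.get_param("smime-type") == "enveloped-data"
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if any(line.strip() == PGP_ARMOR for line in body.splitlines()):
                return True
    return False


def gpg_encrypt(plaintext, recipient):
    """Encrypt with the system gpg. Assumes the admin imported and verified
    the family's public keys, hence --trust-model always."""
    result = subprocess.run(
        ["gpg", "--batch", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", recipient],
        input=plaintext, capture_output=True, check=True)
    return result.stdout


def standin_encrypt(plaintext, recipient):
    """NOT encryption: base64 inside PGP-style armor, for the offline demo."""
    return (PGP_ARMOR + b"\n\n" + base64.encodebytes(plaintext)
            + b"-----END PGP MESSAGE-----\n")


def encrypt_on_delivery(raw, recipient, encrypt=gpg_encrypt):
    """Return the bytes to store in the mailbox for one incoming message."""
    msg = message_from_bytes(raw)
    if is_already_encrypted(msg):
        return raw  # sender already protected it; store untouched

    # The protected entity is the original body plus its Content-* headers.
    inner = message_from_bytes(raw)
    for name in {key.lower() for key in inner.keys()}:
        if not name.startswith("content-"):
            del inner[name]
    ciphertext = encrypt(inner.as_bytes(), recipient)

    # Transport headers move to the outer wrapper and stay readable.
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in msg.items():
        lowered = name.lower()
        if not lowered.startswith("content-") and lowered != "mime-version":
            outer[name] = value
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                                 _encoder=encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream",
                                 _encoder=encoders.encode_7or8bit))
    return outer.as_bytes()


if __name__ == "__main__":
    stored = encrypt_on_delivery(SAMPLE_PLAIN, "alice@example.org",
                                 standin_encrypt)
    print(stored.decode("ascii"))
```

Transport headers such as From, To and Subject stay readable, and the server still handles the plaintext at the moment of delivery, so this protects the stored copy rather than the message in flight.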
At all points in a digital communication the packets composing the message are stored in the memory of the devices involved in transmission (albeit for a short period of time). So does this mean that the wiretap law does not apply to any form of digital communication other than point-to-point where the end-points are owned by the communicating parties? It's fun when non-technical people create laws about technology....
People made the same argument when satellite and cable broadcasters began encrypting their signals. That didn't stop the Federal Government from criminalising a private individual from viewing information freely intercepted trespassing on his property.
Really the only distinction in this case is related to time - stored email is static information; cable/satellite broadcasts stream.
Does this mean that I'm free to decrypt and view bursted content? Unfortunately not - even if this ruling were applied to corporate media, we've still got the bloody DMCA.
'Course, if one's email were copy-protected, however weakly, one could smack down anti-circumvention criminal charges against everwhat ISP attempted reading one's email. DMCA cuts both ways, baby!
4 replies and no one has solved the troll. Very impressive. Go slashdot crowd.
For those who are counting on your fingers at home trying to figure out why this doesn't work, remember that the amount of data storable in a binary string increases EXPONENTIALLY, not linearly.
I feel like starting an ISP and offering free email accounts to congressmen, judges, FBI agents, etc...
The time difference between an embarrassing email leak and legislation outlawing reading another's email is left as an exercise for the reader....
The society for a thought-free internet welcomes you.
Anyone with some sense has their own domain name (even dyndns would work here, static ip's ya know)
and their mail delivered to a box THEY own, in THEIR house, and encrypted whenever possible.
We have seen that living things are too improbable and too beautifully "designed" to have come into existence by chance.
Judging by my Yahoo inbox, all they will get from this is the world's most gigantic penis.
sic transit gloria mundi
Simple, just use your own (or alternative) email provider.
That the companies can read our credit card numbers, get our social security numbers, get all our personal information, unless we encrypt. And since 99% of email users don't encrypt, that means they can mine massive amounts of personal data and sell it off to some guy in Nigeria who's going to use it to rip people off.
The USAPATRIOT act reworded the wiretap laws so that stored electronic communications are no longer protected, as in emails or depending on how you read it, even packets in a queue. The suspected purpose of this is to enable interception of data on a network by law enforcement without the need for a wiretap. This effectively renders the entire wiretap law null, so long as law enforcement is willing to jump through the right hoops, which are now technical rather than judicial. The couple sentences of the Patriot act that did this were perhaps the most significant in the entire document, but so benign in appearance that they would be overlooked by many and the act would be passed by congress. Today in the USA, protections against nearly all the forms of privacy invasion that we had just 5 years ago are now mostly just illusions. Every privacy law I know of now has some loophole which allows the government to circumvent requirements of probable cause and judicial approval. This is why we should not reelect Bush. I was a registered Republican in 2000, but they are not looking out for any of us.
Notice that many router manufacturers (eg Cisco) have plans to integrate lawful interception features into their products, in anticipation of future demands of the US or other governments.
If I understood correctly, the court argues as follows:
1) for interception to happen the communication must be "caught" or "intercepted" WHILE it's on transit on the wire/cable/accessory mechanisms that let the transfer happen.
2) if even for a pico-second the communication is "caught"/copied WHILE in "storage" it's not an interception, because the communication is not on the wire on transit.
Point is the court assumes that, because the communication is passing in RAM and/or hard-disk, then it must be stored (even if for a pico-second)
This could be true (in an abstract sense) if the CPU was processing other data before sending the communication (and therefore the whole communication was refreshed and held "in a loop" inside the RAM in a queue) that doesn't necessarily happen for ALL emails; it may as well be that, when an email is sent, it is the first element of a queue of data going into the RAM and, therefore, it's not stored in the RAM "in a refresh loop" but goes directly to CPU and back to RAM and back to the network card instantly with no queueing/storing occurring.
If that happens, the communication is still happening in the mechanisms that are part of the "wire" at least logically; if that happens the RAM is just a medium, exactly like the wire is a medium. In such an instance the sniffer program is sniffing the email "while it's on the wire" and that's clearly a breach of law.
Looking over the ruling, it seems that this was based on an anomaly in writing the laws. Specifically, the section on 'Wire Communications' includes the phrase '... and such term includes any electronic storage of such communication...', whereas the section on 'Electronic Communication' (which includes e-mail) does not.
As noted in the decision, a standard of court interpretation of law is that, if restriction X is mentioned in context Y, but not in context Z, the restriction does not apply to context Z. Thus, although any Wire communication cannot be intercepted even if they are in storage (*whew - voicemail is safe*), anything else can be. The law only protects it while it is moving, not while it is stored.
So, what we got bit by here is a flaw in the amendment to the law. Instead of adding a section defining Electronic Communications, then stating "All restrictions on interception of Wire Communications enumerated in Section X.Y also apply to Electronic Communications. In addition...."
Congress likes being verbose. Instead of referencing, they 'cut and paste'd... badly.
*sigh*
We are the Music Makers, and We are the Dreamers of Dreams...
Direct Line motor insurance
Try getting a policy without going through HTTPS, which sends 'garbled alpha-numeric characters' using the same idea as pgp.
thank God the internet isn't a human right.
We- the technical community- can demand a similar switch for email. Unfortunately the use rate of encryption for email is ridiculously low (less than 10% of incoming to Diffie or Zimmerman, they once said). So we've ended up in this strange zone where email could be encrypted as a matter of course, but it isn't. There is no inherent reason why email has to be public, but by our design (or lack thereof), this major massive system of communications is practically (and with this ruling- legally) public, and for what benefit? Why do people so casually accept the non-privacy of email? It's like we were still using party lines 120 years later.
At the core of it, because privacy is a fundamental human right every communication system we use should have privacy built in. If it's not, there should be a very good reason why not. "Oh no, it will take extra computational cycles" is not a good reason (not with crypto like ECC around). "Oh, Ashcroft doesn't want it" is even a worse reason. "Perfect encryption is too hard for the public to use": also bad.
Crypto does need to become easier to use. As Templeton wrote here on what email crypto needs:
Problem is, the current UI and ease of use for encryption add-ons aren't so good. It makes it a tough choice to use it other than with other geeks. Not that you force everyone to use crypto in email, but it should be as easy to choose it as to not choose it. As an analogy, if I say "let's start building doors and doorjambs with locks built in," that doesn't equal "force everyone to lock their door." It does mean "it's now as easy to choose to lock your door as to keep it unlocked." To me choice means the two alternatives are sitting there, equally available... If there were big "Send: This is Private" and "Send: This is Public" buttons on every email program. Right now the "choice" is "Send" vs "Spend hours retrofitting your system and writing to your recipient to explain to them how to read your email, and getting your grandpa to use it- just give up trying to go there..."
Encrypt Sensitive Email
I'm sure this has probably been mentioned, but since I'm too lazy to read the comments....
Thankfully, I host my own SMTP server (admittedly in violation of my ISP's rules). Since the ruling covers stored e-mail, not transmitted, I should be safe - although it passes over their wire, the ISP doesn't store it anywhere. Indeed, it never goes near their servers but is simply routed to me across their networking gear.
Oh, go on. Indulge me: Why is it illegal to tamper with or just read (snail) mail intended for others? Remember, you can't cite privacy since you apparently don't think that's the reason.
There is a solution out there. Get rid of your Hotmail and Yahoo accounts for something with some serious security. Hushmail boasts complete end-to-end 2046-bit encryption. No way ISPs can read that!
http://www.hushmail.com
Couldn't you also say that mail gets stored in the post office prior to delivery? You could say it's being stored when you drop it in the postbox at the end of the street.
I guess that means the post office can open any mail that stops moving for more than a second then...
This all goes back to the Steve Jackson Games decision of 1994. The Secret Service had seized a BBS belonging to Steve Jackson Games, and SJG sued because the computer also held some unretrieved private email. However, SJG lost on the same grounds as in this case, that email in storage is not protected by the literal language of the Wiretap Act. It may be a technicality, but it's been the law for over ten years.
(c) Exceptions.
Subsection (a) [Offense] of this section does not apply with respect to conduct authorized -
(1) by the person or entity providing a wire or electronic communications service;
Since the person in question was the "... person ... providing a wire or communications service", the Offense section of the act does not apply to him, if he authorized the access. No offense, no crime.
We are the Music Makers, and We are the Dreamers of Dreams...
I use PgP. It works great. Your next challenge will be to get all your email contacts to start using it too. Problem that has already been stated is the email sent back to you from Company X that is wide open for the world to see now. Need a login? Password? Account Verification? UPS Tracking key? How bout that nifty 75 digit key for that new high dollar software you just purchased. . . .
But average joe lawyer doesn't even know about encryption it seems.
I hate to say it, but it would probably take something like M$ making encryption standard in apps like outlook and exchange.
I am sure this would violate the new HIPAA Act.
Weedled out this nugget from the US Gov web site.
I'm sure it can be added to or clarified further.
http://www.hhs.gov/news/facts/privacy.html
"In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care." -also-
"Confidential communications. Under the privacy rule, patients can request that their doctors, health plans and other covered entities take reasonable steps to ensure that their communications with the patient are confidential."
My cat's picked up a Hammer. HEY! Put down that Hammer. Put Down that Hamm...THUNK!
The chief argument against a lot of attempts to make content carriers censor their users' content has often been that the carrier of the content can't be held accountable for content because in order to be held accountable, it would have to eavesdrop on all messages, and that's not allowed. Now that it *is* allowed, I fear more for what might happen to this argument against censorship. Once it is *allowed* that a content carrier can read your messages, there's going to be cases where they get sued over things people have said in their messages, and suddenly they're going to have to censor just to cover their own butt from lawsuits.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
The Court also said that part of the problem is that the law is lagging behind technology, and that it is up to Congress to revisit the relevant laws. Under *current* law, however, the Court had no alternative but to dismiss the charge. (However, there *was* a very good and reasoned dissent from the majority ruling.)
Note that the company in this case was *not* an ISP, but, in providing the ability to receive email at their address, was acting somewhat like an ISP. However, they were a rare-book service and not technically an ISP; their primary business was not the providing of internet access.
Like just about every poster here, I find the ruling ridiculous. We all know, as sysadmins, that reading someone else's email -- *especially* to gain a commercial advantage -- is just wrong; we only do it as a last resort, and then only in order to correctly route it. The fact that the email was "in storage" rather than "in transmission" is, to us, a difference that makes no difference; unfortunately, the justices chose to read the law very narrowly and found that those two possible states that email could be in were *different enough* to make a difference in the prosecution of the case.
In any case, the ruling was very narrow and arcane; I don't think this ruling is going to be cited in future as a precedent for *anything*. But *we* certainly should use this as a reason to harass our congresspeople to close this little loophole, before some businessperson builds a business model around it. Oh wait ... Gmail...
I think that I'll start adding a little disclaimer at the bottom of *my* email: "If you are reading this and are not the intended recipient, you hereby agree to waive any protection from prosecution for violating my Fifth Amendment rights. "No person shall...be deprived of life, liberty, or property, without due process of law..."; you are, by reading this email, depriving me of my intellectual property without due process of law.
DNA is a Turing machine. You, however, being dynamic and emergent, are not.
But they are a small non-profit, and only a fraction of Slashdot readers are EFF members (because otherwise the EFF would have a membership count closer to the ACLU's, say). That's a lot of free riders, or a lot of people who think that none of these issues will ever affect them. 99% of other lawyers / civil rights groups are just going to hear "I work in technobabble, and now I'm being sued for technobabble because of technobabble..." when you call them up with your 'intersection of technology with legal rights' legal problem. The EFF will actually understand the issue and will want to help you. And, if they can afford to help you they will- but for that they need donations. That's why you should support the EFF.
to monitor traffic to a certain extent to know how one's service is being used.
How else do you think service providers find out about TOS violations?
Users get overzealous in their actions which attracts the attention of a sysadmin which results in an investigation.
Then it's simply a matter between the user and the service provider. No third parties are involved. Hence, no invasion of privacy.
Ben
Work Safe Porn
> I could care less
It's I could *NOT* care less - dammit!
If you could care less, then you might care a lot!
Why do people keep getting this wrong!?!?!
Tsk.
Would this same logic apply to voice mail if you are purchasing it from your telco provider? In that case it resides on the provider's server or other such system, and is no longer in transit. Can the telco snoop in there to find out if their competition is leaving you messages about switching? Can the USDJ walk in and ask to listen in just to find out what you're up to?
Another thing, in many modern switched telco networks, at some point the data being transmitted is probably in some sort of buffer somewhere - does that count as in transit - or can it be freely snooped?
It's one thing to be a strict constructionist, it's another to be altogether stupid - or evil. I don't really see how this could be construed as within the spirit of the law, let alone the word.
The only redeeming factor here is that the decision does at least imply a reasonable understanding of the technology, it's just an unfortunate outcome. Maybe it's a case of understanding just enough to do damage. . . .
\Drew National Data Director, John Edwards for President
Because the people who needlessly block your ports would needlessly block your gpg attachments. How far do you want to go around the problem rather than fix it right to begin with? The email I run costs less to my ISP than the server they run and it's more secure too. It's also way more secure than the garbage (M$ Windoze) most people hook to their network.
Friends don't help friends install M$ junk.
Let me get this straight, Google gets in trouble for reading your email WITH YOUR PERMISSION and yet this ISP is ok to read it without your consent. Gotta love that...
Unless you run your own mail server and use TLS...
There are some notes on setting this up on Fedora with Postfix on my local LUG's wiki.
Of course the SMTP server at the other end needs to support TLS also...
Check out MKDoc a mod_perl CMS
If ISPs can read your email then what about me? Can I read your email? Does this mean that reading other people's email without consent is not a crime, or are only ISPs allowed to do it?
The US Court of Appeals for the First Circuit are a bunch of fucking morons.
I guess all that BS over Google's Gmail looks pretty silly compared to this.
I actually agree with the ruling, for several reasons.
1: This will bring more attention to privacy tools like any OpenPGP-compatible program, such as the GNU Privacy Guard, than any law preventing law-abiding citizens from thumbing through your emails.
2: The ISP is providing a service using their own equipment. While laws might help, remember that it IS their OWN damn equipment, and if they choose to, there's little you can do if you're not aware of it.
3: The ISP is not the only point in which any mail can be read. Any number of mail backbones can also store a message for perusing later. This is especially true in the case of those undeliverables that are logged for later review. To focus the blame on an ISP is a fallacy.
Personally, I think that people should have a little fire lit under them to get themselves protected. I will admit that it's a bit of a bother now, but as soon as vendors see the market value of such systems, how long until it's easy enough for aunt Maude?
The Penguin Producer
One rarely needs to read a user's spool file. In the rare cases where it does need to be done one generally gets permission from the user beforehand and uses grep and similar tools to show only the information that one is looking for. I feel it is ethical to perform limited examination of a user's email without the user's express consent as part of troubleshooting, etc. provided that no personal information (e.g. message bodies) is viewed. Similar guidelines apply for packet sniffing. That being said, actively reading others' emails and/or harvesting private information from them is highly unethical.
Accept Eris as your Fnord and personally sate her
encryption
Troll, Troll, go away and flame again some other day
baseball bat?
My analysis is very simple. I am not going to put in all of the legalese because you do not need it. If you want legalese, read the opinion. You should focus on the dissent that begins on page 17. Sometimes, the dissent is the correct interpretation of the law. I believe this is one of those times. What this case turns on is the correct analysis of what is a stored communication versus realtime ephemeral communication. And, what is interception. Congress has decided that real time communications such as a telephone call or a communication between point A and point B happening contemporaneously, should have better privacy protection than stored communications which can sit in a location for a long period of time. Unfortunately, the definition of electronic communications in the Federal statutes is very broad and does not help with this specific issue. Most Internet communications (including e-mail) are electronic communications. (Oops, I put in legalese, sorry but I have to here.) 18 U.S.C. 2510(12) defines "electronic communication" as any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature, transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include (A) any wire or oral communication; (B) any communication made through a tone-only paging device; (C) any communication from a tracking device . . . ; or (D) electronic funds transfer information stored by a financial institution in a communications system used for the electronic storage and transfer of funds; Crap, I should have known! Now that I have calmed down and started reviewing the material closely, I understand the majority's opinion. Damn! Okay, both sides are right and both sides are wrong. The problem is that Congress did not understand the inner workings of email.
As the dissent suggests, Congress intended to protect "voice mail" as a form of real time communication. However, email is stored along the same lines as voice mail. I do not mean technically, I mean in spirit. Hmmm.. Congress screwed up. I was wrong. I really hate that. For anyone interested as to why I was so shocked regarding the opinion and now why I understand that I was wrong, let me explain. I am bound by very strict rules regarding the investigation of emails. It has been reinforced over and over again that all email that has not been read by the recipient will be considered as an interception by our investigators therefore putting it in the same light as a real time communication. As a matter of fact the 9th circuit defined "intercept" as: entail[ing] actually acquiring the contents of a communication, whereas the word 'access' merely involves being in a position to acquire the contents of a communication. Now, I see the flaw in these arguments. Cringe.... I hope that Congress looks at these ambiguities and fixes them.
Show me the link or point me to the article.
Find your own damn link - google is available to everyone. It is not my responsibility to educate you. Of course, if you had indicated any notion of appreciation for someone attempting to help you I would have gladly looked up the link. As it is, I have no desire to help you further.
Yes, technically, "ISPs" would be covered by the ruling, since their users' email is virtually guaranteed to land at least briefly in storage.
However, IMHO the larger (and more shocking) consequence is that it's legal for your mail to be read by any email "provider", which is a much larger category.
I worry about cases like the one at hand -- a vendor who reads users' mail for competitive reasons -- more than I'd worry about a communications carrier. An ISP would have to be liability-reckless to commonly engage in this, because they would lose the "plausible deniability" defense to a charge of "your customer was planning crime xyz, and you should have known and called the police".
MUCH MORE TROUBLESOME: based on the court's "you store it, you can read it" logic, my email can legally be examined by ANYONE in the "storage chain", from BOFHs to the third-party off-site-backup provider. Yes, those miscreants would be vulnerable to actions from the ISP, but (IANAL) it sounds like you or I would have no recourse against anyone.
Keep in mind that it is the job of the court to interpret the laws that already exist, not to "legislate from the bench" (which, unfortunately, happens all too often). As outrageous as it is for an ISP to be able to read email, don't bash the court -- bash the legislators for not fixing the law.
Thinkgeek should create a new shirt design.
Front:
i read your email.
Back:
legally.
SPAM
Ahh..the Highly Increased Paperwork for (medical) Administrators Act.
...
A while back I consulted with an office (in this case, dental) to ensure that they were in compliance with the Act before it took effect. One thing I found was that the office's actual privacy practices didn't (and didn't need to) change one bit - information is only allowed to be given out in the same special circumstances as before, e.g. releasing information to a legal guardian, pursuant to court order, or in certain cases for the purpose of identifying a body via dental records.
What the Act DID do is roughly double the amount of paperwork that has to be retained and dealt with for each patient. This went from "charts" to "charts + HIPAA disclosure notice and signature + any special requests or deviations as required"
Caveat Emptor is not a business model.
I GPG-sign all of my email.
I encrypt to others who use GPG.
Very seldom do people recognize a cryptographically signed mail as such; most of them suspect it of being some kind of virus or a corrupted attachment. My boss quit using crypto altogether for that reason; it just wasn't worth her while when no one else seemed to be using it.
Maybe this will help to shed a little light on the importance of encrypted mail. Even if you think you can trust your email provider, don't.
Encrypt your mail.
There are many comments here about how the judges must be stupid and don't understand the technology, and that's why they ruled this way, etc. etc.
I find it obnoxious that many of the commenting /.ers apparently never bothered to read the opinion or try to understand what the court is really deciding and the grounds for their decision. The article submitter is himself one of the greatest sinners in this respect.
Listen to me. Unless you try to understand what the law is and how judges are supposed to apply the law and read this decision carefully, you are not giving them the level of respect that you expect them to give to you, the technical community. The judges work with a technically complex and intricate art, much like us programmers. Moreover, the judges' actions have profound consequences: they send people to jail and make people pay millions of dollars to each other with their pronouncements. That's an awesome responsibility. Do you really think they are stupid just because you may not understand their decision at first glance?
Here's what's going on in this case.
First, this is a criminal case. The government is charging the defendant ISP with violating the Electronic Communications Privacy Act (ECPA) or commonly called the wiretap act. In a criminal case, the courts try to construe the statute as narrowly as possible so that they make sure the government is only sending people to jail when it's clear that's what Congress intended. That the courts are careful in this manner is a good thing if you value our freedom.
Next, the court looked at the statute carefully and found that it defines two types of communication: wire communication and electronic communication. It then noted that the statute clearly gave different levels of protections for the two. Wire communication is given a lot more protection than electronic communication. Whereas interception of wire communications while in transmission and while in electronic storage is clearly illegal, only interception of electronic communication is made illegal. The statute made it clear that obtaining an electronic communication while it's in electronic storage is not covered as a punishable crime. Congress quite clearly meant for different treatment to be given to wire communication versus electronic communication. Electronic communications in electronic storage are just not covered by the statute.
Thus, the court ruled that the government couldn't prosecute the defendant under the ECPA.
THAT'S IT! Okay? That's all the court held. Just that the government can't prosecute the defendants under this particular law. They are not saying "ISPs Can Read Your Email" -- as the headline sensationally claims. They are not saying privacy is not important. They are not saying emails are equal to postcards. They are just saying that this particular law did not cover what the defendants did. That's all.
And quite honestly, the court is doing its job correctly. For the court to rule the way most of you would like here, the judges would be making law, and what's worse, making a criminal law. Most of us would be appalled by that idea. Congress should do so, not the courts.
Let me be clear, the judges here understood what was going on technologically very well. They recognize the force of your arguments and concerns about privacy, but their hands are tied. They lament, quite movingly, that it may well be that the protections of the Wiretap Act have been eviscerated as technology advances and go on to say, "We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes." This is a clear call for Congress to do something about the problem.
They are interpreting the law as they should, and the ancient wiretap act clearly was made at a time when people didn't care much about electronic communication and it is our duty to convince Congress to change the law so that the courts will have the power to hand out justice to these privacy violators.
I actually know the defendant in this case, Brad Councilman, personally (although it's been quite a few years since I've had any significant contact with him.) He's a good guy and he pretty much had his life torn apart for several years by overzealous prosecutors looking to make a name for themselves by looking tough on "computer crime." What he did wasn't necessarily right, but he certainly didn't deserve to be treated as a criminal for it. I'm not going to get into a debate with anyone about this right now - I doubt I'm going to change anyone's minds, but think about this: if this guy had the words "accused hacker" before his name in these headlines, how many of you would be rallying to his defense instead of looking to crucify him? If his name were Kevin Mitnick, how many of you would be complaining about how this country is turning into a police state instead of acting like some sysadmin reading your e-mail is a human-rights violation on a par with the Rodney King beating?
Of course they'll love grepping through their emails, what would suck would be actually reading them. grep for product, harvest targets.
wonderful.
We've already seen that privacy policies are void because most people don't read them (don't have the link..)..
and now e-mail can be read by service providers?
Why does it seem like the USA is the most un-free country in the free world?
I am the maverick of Slashdot
I'd wager a simple technical solution would be to ROT13 the body of a message. Keep the headers in the plain (ala the outside of an envelope), but require effort to actually inspect the contents. It's trivial effort, but effort that can be protected by law.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
* New revenue opportunities in insider trading - lots of people send work email through an ISP - a sales guy going "I just got a big deal" would be interesting.
* New revenue opportunities in blackmail - threatening to expose an affair or a drug buy
* New revenue opportunities in spam - so you trusted the Nigerian General, here's one from Ethiopia.
* New revenue opportunities through targeted marketing - so your mom has cancer, time to send the miracle-cure ads.
* New stalking opportunities - gee, that customer sounds hot in her instant messages. wonder where she's partying this weekend.
I'm sorry, but this decision is along the lines of allowing Mailboxes Etc. to read your postal mail because it is stored there, this will be overturned (I hope).
[insert 1984 reference]
KeS
Thank God for having my own MTA. And GnuPG. Yay for open source encryption.
Not a sentence!
*My* inbox is full of my correspondence with gentlemen in Nigeria. My ISP better not get any funny ideas about muscling in...
Ever heard of FBI's Carnivore and its litigation??? This has been happening for a long, long time. In today's modern and small planet you cannot expect privacy even inside your toilet. Somebody is already out there.
Use Miranda with SecureIM and you can encrypt your messages in ICQ, AIM, MSN, YAHOO, Jabber.. whatever protocol you want to use...
Everyone should have his own conspiracy
"Hi, I'm from your ISP. Can I interest you in our MailSecure service where we don't forward the, shall we say... interesting mail to your spouse? If you are not interested we can recommend a good divorce lawyer, it's almost just as cheap!"
Time to move to a third world country with illiterate ISPs.
cpghost at Cordula's Web.
Point one: I'm an advocate of digital privacy, of course, but, on the other hand... Maybe this is the push people need to start encrypting their e-mails, and then I can just filter out everyone whose key I don't trust (spammers!). Point two: Sending an e-mail is more like a postcard than a letter. The envelope is the encryption, and people just don't lick enough on the internet!
Question
http://www.ironfroggy.com/
What's to stop a disgruntled employee from reading, then copying and archiving tons of customers' e-mails for his/her own villainous use? Their conscience? Obviously not. The amount and types of information contained in e-mail is astounding.
Most notably passwords for other Internet services like free e-mail and posting to online forums are sent through e-mail. Even Slashdot sends forgotten passwords through e-mail. They could easily take someone's online identity for e-mail and posting. Besides passwords, regular e-mail should not be allowed to be read by the e-mail provider at their leisure. Obviously new laws by Congress will have to be created to prevent the e-mail provider from reading e-mails willy-nilly and without oversight.
For those who don't care about e-mail privacy, why don't you stop using envelopes for regular mail because you have nothing to hide right?
Finally, what is it about cynical posters on slashdot? Sneering comments about the naivete of others about e-mail privacy or online privacy is totally obnoxious. Yeah, I know online privacy is a myth, as internet users can be tracked by cookies, their IP address, etc. But the whole point is to IMPROVE online privacy and not to state that there isn't any and to do absolutely NOTHING. That's what makes cynical posters completely useless in the scheme of things.
Those posters who would give up e-mail privacy to e-mail providers so easily deserve absolutely NONE. They should have their real names (not login name) displayed for every forum they post to, every e-mail address that they have, and when they send regular postal mail - NOT be allowed to put it in an envelope so the post office can read it.
Websites such as: http://thelysts.com/ provide e-mail accounts. Their advantage is they're small which means people generally know each other to a degree, which means a trust can form.
To be honest, I am much more trusting of the owner of TheLysts than my ISP.
Having said that I don't know what the law's view in Australia is on the matter.
Ooh! Thanks, that looks useful!
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
In comparing email to snail mail many people think that it's like a postcard where it's obviously and simply readable by anyone in view.
I submit that this is a false analogy.
A better one is that an email is equivalent to a letter inside an envelope.
A letter is not readable without going to the trouble of deliberately opening it up. An email is not readable without going to the trouble of deliberately opening the file.
The case where a sys admin would see the contents in working on the system is more equivalent to a technician who might see the contents of your letter while repairing an automatic feeder mechanism and pulling your mangled letter from the works.
The simple fact is that due to technology, it's much easier for someone to pry into (what should be private) communications, but just because it's easy shouldn't encourage a judge to make it legal. Someone should have mentioned that the US Postal Service does hire private contractors to move mail, should his decision be taken to mean those contractors can read his mail?
When it comes to encryption, well, it's a GOOD IDEA. And with the technology that can be tossed at snail mail these days, it's not a bad idea there either.
I'm all in favor of encryption being more and more of the default as well as being less and less noticeable or any sort of a bother.
Ward
. Silence! Be thankful thy species is unpalatable! .
The article says, "But the court found that because the e-mails were already in the random access memory, or RAM, of the defendant's computer system when he copied them, he did not intercept them while they were in transit over wires and therefore did not violate the Wiretap Act, even though he copied the messages before the intended recipients read them. The court ruled that the messages were in storage rather than transit."
So, does this mean that if snail mail gets delivered to my house accidentally and it's being stored in my mailbox and/or house I can open it up?
- Kevin
A suggestion....
Host your own email. I've been hosting my own email for about 4 years now.
I was gonna ask you why you stole my .sig, but then I realized it's just a quote, and if anyone owns it, Voltaire does. So I'm not b*tching per se, just a little territorial. Btw, I'm curious if you got it from me... I can't tax you, I'd just be gratified to know that someone copied /me/. If you didn't, that's fine too. Yes, I do plan to sabotage my High School reunion. Think flesh eating bacteria.
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
"GPG" is an acronym, not a word
The bad guys are always on the job 7-24. It's impossible to stop them from committing an act of 'not cool'; it is their nature.
The problem lies in the fact that the bad guys are allowed to repeat their past. It also appears that the good guys are unwittingly disenfranchising themselves from us all.
What does this mean for VoIP and specifically VOICEMAIL? After all, this is temporary electronic storage.
This sort of thing happens with snail mail all the time. At one time, the postman was caught reading my grandmother's subscription to a popular tabloid magazine before delivering it. The bottom line is that if mail is sent in unprotected form, expect that it WILL be read by someone. You wouldn't send your credit card application through the postal system without an envelope nor should you send private email without encryption.
With some of the encryption tools available now, there is absolutely no excuse not to encrypt email. Unfortunately, it's very difficult to get a non-tech friend to even consider using encryption. The excuse is usually something along the lines of "why bother, I am not a terrorist!"
Then there are companies who will send you your private information via email if you sign up online. Just about any online subscription service requires a confirmation email which usually contains personal information. This is not to mention PASSWORDS being sent via email.
Maybe this ruling will bring some of this to light and more people will start accepting encryption as a requirement for privacy.
Holy Mother of Fudd!
What happened to the Electronic Communications Privacy Act (ECPA)? Doesn't it apply??
I'll have to go dig it up again, but if I remember correctly, it was written to cover this sort of situation.
Could this be a case of prosecution under the wrong law?
uh Clem
PGP
ok, ok. Above was my first post. I DID search for "ECPA" and did not find any hits. I see there are good explanations posted.
ECPA = Wiretap Act and does not appear to cover storage of e-mail. Looks like the problem is CONgress did not keep up with PROgress.
Clem
And this ruling has nothing to do with it, because the Wiretap Act doesn't cover messages sent on paper.
Don't blame me; I'm never given mod points.
Because you people are totally short sighted.
So how the hell am I supposed to STOP the spam you people are whining about if I can't read an email that's in queue - or in a suspected spammer's INBOX?
"I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
saying it twice makes you twice as stupid.