Appeals Circuit Ruling: ISPs Can Read E-Mail
leviramsey writes "The US Court of Appeals for the First Circuit (covering Massachusetts, Maine, New Hampshire, and Rhode Island) has ruled that e-mail providers are not violating the law by reading users' e-mail without the user's consent. The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted. Perhaps OSDN should send the defendant, accused in 2001 of reading users' emails in order to find out what they were interested in purchasing from Amazon, a T-shirt from ThinkGeek?"
If ISPs can read your emails, that stops them from being a common carrier anymore, doesn't it? Which then means that they could be held legally liable for any damages caused by illegal activity via email, couldn't they?
T Money
World Domination with a plastic spoon since 1984
Holy SHIT is right..
This is complete Bullshit..
OK so Joe Blow from AOL just saw the email I was writing to a customer and then writes to that same customer and offers them a better deal.
The possibilities for abuse are ridiculous
".. to start using strong crypto for our email? "
Screw that. Use instant messaging. The reason why ISPs can read the mail is because it sits on their servers. Find an IM program that doesn't use a server to store the messages (i.e. I think that rules out ICQ...) and you're set. The only real problem then is packet sniffing.
"Derp de derp."
And what about the ECPA provision on unauthorized access to stored communications (Steve Jackson case)? Don't they apply here?
I don't think the judge understood what he was saying. In ruling that email messages are being stored, not transmitted, he completely ignores the fact that the only reason that email is sent to an ISP is so that it will be transmitted. The asynchronous method of delivery really shouldn't enter into it. However, if that is the language of the law, then that is that...
This ruling would also mean that your voicemail at your cellphone provider is wide open to being listened to as well... Nice...
Wow. This is a huge, huge, huge deal.
Among other things, this means:
* Email, the dominant form of online communication, which most of us have regarded as fairly secure, is now grabbable by federal authorities or police *without a warrant*.
* Your employer may now read all your email -- previously, he had to at least inform you that he was going to monitor your network traffic ahead of time (admittedly, including such a clause in the usage policy was depressingly common, but still).
* Free email providers like Yahoo, Microsoft, and Google now are free to do anything they want with all the mail that you've ever sent or has been sent to you.
I'm sure that the EFF is scrambling to try and do something at the moment -- it'll be their most important case yet.
*IF* this is not overturned, it means that it is *impossible* to have legal privacy protection for any form of communication that is asynchronous across hosts. This affects a vast number of potential protocols.
This means that voicemail systems are *not* protected by federal wiretapping law. If you *ever* leave a message for anyone, your privacy protections are out the window.
It's debatable over whether or not this applies to web caching -- if police and federal agents can now swipe the content of your ISP's web cache (yeah, the transparent proxy that your cable ISP uses, even though you don't think you're using a proxy), they can obtain web browsing data without warrant.
This is the biggest argument I've seen yet for use of PGP. If you are not using PGP, you *have* no privacy.
May we never see th
Maybe this ruling will finally convince people to use freely available encryption. I PGP as many messages as I can (I don't have anything to hide, I just don't like the idea of people snooping on me), but not many of the people I email use PGP.
"Do I dare disturb the universe?"
I see nothing wrong with this. You are paying the provider to use their mail server. You are storing your mail on THEIR machines. It is THEIR machine they may do whatever they like with it. It's like when you rent a house, the landlord may come by at any point and perform an inspection of the property. It is a private network. Likewise they are completely within their bounds to block mail from say all of AOL or EARTHLINK. Customers may not like it, but it's a PRIVATE NETWORK that you have paid for access to.
Suddenly, ISP-run antivirus filters and spam filters could make them liable for invading people's privacy. After all, even though these filters are automated, the server admins need to be able to verify they are working correctly.
Plus, if nobody is allowed to read the mail, what about automated data miners? It's a slippery slope in both directions.
What about analog signal delay chips? What about digital phone systems that temporarily store signals in RAM? And if volatile memory is considered transmission instead of storage, what if they used MRAM in the future?
Others summed it up with "stupid", but "stupid" just doesn't seem to come close.
I'll bet some ISPs are madly looking at what they have that they could market to the tabloids. Anyone out there have some Senators or Representatives as clients? Publishing all of their email might get a law out quicker than you can say "stupid".
E-Mail is less of a letter and closer to a postcard since a letter is sent sealed and a postcard is a message sent in the clear. It wouldn't surprise me in the least if a postcard was read by every person that it comes in contact with.
"I use a Mac because I'm just better than you are."
Seems like the charge under the Wiretap Act was not enforceable, but a charge of violation of the Electronic Communications Privacy Act should be:
http://www4.law.cornell.edu/uscode/18/pIch119.html
Why didn't they also charge a violation of the ECPA? Seems like the ISP would have gotten slammed into the ground on that one.
Okay Thunderbird, here's your chance to shine. Make sending and receiving of encrypted e-mail as easy as regular e-mail is now.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I wonder if ISPs can now be held responsible for what passes over their network? An interesting collision between their Common Carrier status and their ability (perhaps implying responsibility) to read email.
Wouldn't this automatically solve Gmail's potential legal problems, at least within Fifth Circuit jurisdiction?
Now all we need is the Ninth Circuit ruling the same thing... ;-)
I'm surprised that more people haven't mentioned this.
Microsoft Windows is, fittingly, the official Desktop OS of Olig
If this thing is not overturned, how does it impact VOIP? Does this mean that any federal/state agency or ISP can listen to all of your conversations without any kind of prior court approval?
And this is all ignoring that telephone and US mail have specific privacy laws attached to them, due to their being government-sponsored monopolies, and thus come with an expectation of privacy. E-mail, on the other hand, is not covered by the same laws, is not a government-sponsored monopoly, and thus there should be no expectation of privacy.
Maybe you want the government to be your babysitter, but I'll take my freedom like a big boy, thanks.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
Actually, if insurance or medical records are involved, HIPAA laws apply and the fines are big enough to make any company shudder.
I tell you, if a company discloses any personal info of mine even with a subpoena involved, they can expect one heck of a long and vicious lawsuit.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
From a recent post on NANOG:
Date: Wed, 30 Jun 2004 17:35:54 -0400
From: Matthew Crocker
To: "'nanog@merit.edu'"
Subject: Re: E-Mail Snooping Ruled Permissible
I know Brad Councilman. This all happened in my back yard. He ran a competing ISP with me (www.valinet.com). Not only was he reading his customers' e-mail and harvesting Amazon.com orders, he also hacked into 4 of the local area ISPs. I still remember the day I received a call from the FBI office in Boston. 'Sir, you are not in trouble but we would like to talk to you about an important matter. I'll be out tomorrow, when will you have time?' He came in with an old copy of my /etc/passwd file (this was hacked from me back in '95,'96). I was happy when they arrested him, he is a jerk. The ISP he ran has since been sold to another company, still local and run as an honest business.
Sorry for the rant, I just wish he got more than a slap on the wrist. They didn't prosecute him on the hacking attempts because the e-mail theft was a bigger crime.
Grrrrr
-Matt
We, the technical community, can demand a similar switch for email. Unfortunately the use rate of encryption for email is ridiculously low (less than 10% of incoming to Diffie or Zimmerman, they once said). So we've ended up in this strange zone where email could be encrypted as a matter of course, but it isn't. There is no inherent reason why email has to be public, but by our design (or lack thereof), this major massive system of communications is practically (and with this ruling, legally) public, and for what benefit? Why do people so casually accept the non-privacy of email? It's like we were still using party lines 120 years later.
At the core of it, because privacy is a fundamental human right every communication system we use should have privacy built in. If it's not, there should be a very good reason why not. "Oh no, it will take extra computational cycles" is not a good reason (not with crypto like ECC around). "Oh, Ashcroft doesn't want it" is even a worse reason. "Perfect encryption is too hard for the public to use": also bad.
Crypto does need to become easier to use. As Templeton wrote here on what email crypto needs:
Problem is, the current UI and ease of use for encryption add-ons aren't so good. It makes it a tough choice to use it other than with other geeks. Not that you force everyone to use crypto in email, but it should be as easy to choose it as to not choose it. As an analogy, if I say "let's start building doors and doorjambs with locks built in," that doesn't equal "force everyone to lock their door." It does mean "it's now as easy to choose to lock your door as to keep it unlocked." To me choice means the two alternatives are sitting there, equally available... If there were big "Send: This is Private" and "Send: This is Public" buttons on every email program. Right now the "choice" is "Send" vs "Spend hours retrofitting your system and writing to your recipient to explain to them how to read your email, and getting your grandpa to use it- just give up trying to go there..."
Hopefully, if the Supreme Court doesn't overturn this decision, then at least people will get outraged enough that they will write to their lawmakers to quickly remedy this problem. It's not just Slashbots that worry about privacy in email, this is a clear enough danger that I'm sure the non-IT public would be shocked if they heard about what was going on.
Ha ha ha ha!
You want to know how lawmakers will "fix" it? Go look at what happened with analog cell phones and radio scanners. Instead of forcing the cell companies to protect their customer's voice traffic via encryption, they outlawed the devices which were able to eavesdrop on the plaintext transmissions.
Now, imagine them applying that same tortured logic to SMTP and e-mail.
Wolde you bothe eate your cake, and have your cake?
Agreed, I administer several webmail systems (not any of the biggies) and it is necessary to sometimes go into people's mailboxes if they are suspected of spamming/scamming etc. Naturally this is in the T&Cs at sign up.
:)
We have two things that trigger an account check, one is if lots of emails with lots of recipients are sent in one session (particularly if they put lots of addresses in the BCC field) we will check that they aren't spamming. The other trigger to check an account is when someone complains.
While this will come across to many as a privacy invasion it is sadly the only way to catch and prevent spammers and scammers. We must have deleted over 200 people trying to do Nigerian scams over the past few months. Normally we replace their account with an auto-response so anyone responding to the scam gets a message from us explaining the con.
It could be worse, we could be like Hotmail and delete accounts without even checking they have been used for abuse.
One guy tried to get us to delete an account claiming it was being used by someone to bid on Ebay auctions without paying. A quick inspection of this mail account revealed it was being used by an Ebay scambuster, and thanks to him the guy complaining had all of his scam auctions closed.
Email doesn't need to be "handled" by anyone - the software can do it all.
Except when the software doesn't, and then someone (usually read as "sys admin") may have to look at it to see what the problem is. Which happens rather more often than, say, the Post Office having to open a letter to figure out the addressee (or sender) because the front of the envelope smeared. (Had to do that today, as a matter of fact -- a bunch of undelivered messages stuck in the mail queue.)
Furthermore, "the software" can -- and frequently does -- also scan all the email looking for items of interest before reporting same to its human master(s). This could be something gov't mandated like Carnivore, or benign like a virus filter, or questionable like a corporate-mandated scan of outgoing email for certain keywords (trade secrets, spam, pr0n, whatever), but it happens. (In the latter case, encrypted email might just be blocked except from certain authorized users.)
-- Alastair
The post office probably doesn't do that. Employees of the telephone company, on the other hand, are permitted to listen to any call for maintenance purposes, and generally have a lot of discretion in determining exactly what maintenance is.
Thinkgeek should create a new shirt design.
Front:
i read your email.
Back:
legally.
SPAM
The problem is, and IANAL but my brother is, and this is what he tells me, that under the US constitution only the government can violate your rights, not private individuals or corporations. Therefore having a right to privacy, or anything else for that matter doesn't help you very much against your ISP or even telco.
I've just realised something though. Technically every email you write is copyrighted to you, and therefore your ISP storing it or archiving it is a breach of copyright. Anyone got a view on that?
You can't win Darth. If you mod me down, I shall become more powerful than you could possibly imagine