Court Upholds Warrantless Internet Snooping

amigoro writes to let us know about an appeals court ruling on Friday that holds that federal agents can snoop on an individual's web surfing, email and all other forms of Internet communication habits without a warrant. The court found recording this kind of information to be analogous to the use of a pen register. In 1979 the Supreme Court ruled that this technique did not constitute a search for Fourth Amendment purposes.

And what happened

[Bananatree3]

with the anti-wiretapping laws passed several decades ago? Please fill me in, do those have any effect or did they just sweep past them and make them irrelevent?

Re:And what happened

They're saying that those don't apply in this case because they're not tapping wires, they're looking at logs.

Re:And what happened

[PopeRatzo]

And what happened..with the anti-wiretapping laws passed several decades ago?

George Bush and Dick Cheney have used them to wipe their asses.

Here we are, more than 6 years into this calamity called the Bush Administration, and the most sincere and decent Republicans are only now starting to stand up and say "I had no idea". Well, better late than never. The ones I worry about are the dead enders who are so heavily invested in never being wrong that they cannot admit that they let themselves be led gaily into a meatgrinder for the middle-class, clapping and laughing all the way. They bear more than a passing resemblance to the fanatic jihadis, willing to self-detonate in order to keep the 21st century at bay.

I'm convinced that those who are finally coming around and denouncing the Administration will be embraced by an angry but forgiving majority who have taken the brunt but who are willing to let bygones if it means we can move forward, but that "final fourth" that are still stubbornly marching behind the butt-naked Emperors, shriveled dicks swaying in the wind, will pay a heavy karmic price.

Re:And what happened

[mysidia]

But the logs they are looking at are generated by equipment that taps into the wires. And the contents of the logs are not public knowledge, the contents of the second inner envelope are a private matter between a user and their service provider.

They are much more detailed than a list of phone numbers called. They are much more detailed than the address on an envelope.

The logged URL provides more information than the destination address on the packet.

In fact, even knowing that what was sent was a TCP/IP packet requires much more information than merely the source and destination of a Link Layer Packet.. the rough equivalent to a "Pen Register" for Ethernet is discovering a source and destination MAC Address sent over a certain wire, which is fairly uninteresting -- in fact, there is no precise equivalent to a PEN Register, because the header of the MAC frame is indistinguishable from the data signal, and it is not sent at a different frequency, it is necessary to listen on the actual content to hear the headers.

No PEN register is feasible for Ethernet, _without_ examining the data. If dialing signals were indistinguishable from the conversation on ordinary lines, do you suppose PEN registers would ever be allowed in the first place?

If you use the logic that "It's not wires, it's logs" to say it's not wiretapping, then any voice conversations can potentially be monitored, the only thing that needs to stop them from being considered "wiretapping" is to record the conversation, law enforcement agencies could then partner with major telcos, and arrange for them to "log" random bits and pieces of the PCM data for later review.

Think of a web connection as mailing a friend a letter that contains their address, but inside this outer envelope there is one or more second "inside" envelope that the friend has agreed to mail out. Then the address on these second "inner envelopes" is not public knowledge, and it cannot be easily seen by anyone other than the recipient of the outer envelope.

You can have several nested layers of envelopes -- then only the final recipient knows the real destination address (and that there are not more envelopes to be sent out to other addresses).

The first few envelopes are for your ISP's eyes only.. your ISP is a party to this conversation.

The next envelope (the actual TCP/IP packet contents) is for a destination host's eyes only.

Followed by the HTTP envelope which is for the web server's eyes only.

The contents of the innermost envelope are a private matter between a user and the TCP/IP service the user has connected to.

You can certainly listen in on these conversations if you are not the destination, such as packet sniffing, or by inserting a firewall or switch that digs in deeply and logs things.

But to not consider all these activities "tapping" the wire for the purposes of wiretap law is scary, since it in effect means monitoring can be accomplished on a packet switched network without it being considered wiretapping.

All you have to do is convince an interim provider to log packets as they are forwarding them to another agent. The fact that they only arbitrarily log the URL (which generally provides enough information to re-construct what the user saw), doesn't mean they can't in the future log more.

Chances are good these logs (especially for e-mail) also provide information on the unique message id and content length, which can also be used to discover (or verify) the contents of a message matches a candidate specimen [i.e. can confirm the message received was X].

Re:And what happened

[IdleTime]

Wow!

Now I understand why Americans are screaming about their freedom all the time, it's to convince yourself that you have freedom, which of course is bollocks.

Americans wouldn't know what freedom was if it hit them in the head, but they sure like to brag about their non-existent freedom

Re:And what happened

[PopeRatzo]

C'mon fellas, we're gonna have to learn to get along if this country's going to move forward in a post-impeachment America.

And it's been years since I've set foot in a coffee shop.

Bad conclusion

[CaptainPatent]

FTA:

Federal agents do not need a search warrant to monitor a suspect's computer use and determine the e-mail addresses and Web pages the suspect is contacting, a federal appeals court ruled Friday. Because obviously we don't have a right to, nor would we want to keep any of that information private. Just because the decision was based upon an analogous situation doesn't mean the initial decision was necessarily correct in the first place.

Re:Bad conclusion

[ari_j]

Results-oriented justice, your friend in the 21st century. *sigh*

Re:Bad conclusion

[delong]

Because obviously we don't have a right to, nor would we want to keep any of that information private

The inquiry is whether you have a reasonable expectation of privacy, that is whether your expectation of privacy is objectively reasonable. The Fourth Amendment prohibits unreasonable searches and seizures, not searches and seizures that offend the most hypersensitive in the population.

Maybe it is the same. But I'm not convinced.

[khasim]

With a "pen register" all they get is the phone number you called.

That would be analogous to the IP address that you connected to (and maybe the port).

The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.

Encryption. Learn it. Love it. Live it.

Re:Maybe it is the same. But I'm not convinced.

[ScrewMaster]

Encryption. Learn it. Love it. Live it.

Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

Re:Maybe it is the same. But I'm not convinced.

[iminplaya]

Encryption. Learn it. Love it. Live it.

Soon to be blocked at the government's "request". You can bet the ISPs will be more than happy to comply.

Re:Maybe it is the same. But I'm not convinced.

[Cap'nPedro]

simply make it illegal to withhold your keys from government agents It's worse than that. You can be arrested for not just withholding keys, but by simply being unable to provide a key. A brief hypothetical to illustrate my point; I build an uber-warez-downloading rig. My TrueCrypt key is set on install to be the contents of /dev/random. My PC is on the world's greatest UPS with a backup generator etc. etc. As long as the PC is enver powered down, it works like a regular PC. However, kill the power and the encryption key is lost and by data is effectively worthless.

My PC is taken in (and unplugged) as evidence. The fuzz demands to know my key. Which is impossible to be told as it is now gone and nobody knew what it was in the first place. Even if they have no definite proof that there was anything illegal on my PC, as I cannot decrypt the contents of the HDD for them, I am arrested.

But this is purely hypothetical, remember.

Re:Maybe it is the same. But I'm not convinced.

[bobdotorg]

Encryption. Learn it. Love it. Live it.

Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

Even in the scenario where you are required to surrender your keys, encryption is still quite useful in the context of this article / warrantless searches. The authorities would need a warrant to make you surrender your keys, and you would know you were being spied upon.

Re:Maybe it is the same. But I'm not convinced.

[CaptainZapp]

Yeah, but it's sort of hard to encrypt URLs that you enter into you browser.

Re:Maybe it is the same. But I'm not convinced.

[ScrewMaster]

No kidding. I doubt they'll be able to block it too effectively (all those work-at-home types using corporate VPNS would be royally pissed off and so would their employers) but they can sure make it illegal. That way, anyone using encryption would have to register with their ISP (and thus with the Feds) and if you aren't registered you're presumed to be doing something illegal. An extension of the morally-bankrupt "if you've nothing to hide ..." principle.

I can't see Comcast or AT&T telling the Feds to screw off. They might tell the customer that he's been squealed upon ... but then again, they might not. Probably not, now that I think about it.

Re:Maybe it is the same. But I'm not convinced.

[AnyoneEB]

I am pretty sure that with HTTPS you can only tell what server the client is connecting to, not what URL on that server they are accessing.

Re:Maybe it is the same. But I'm not convinced.

[sofla]

They are capturing more than i.p. addresses, they are inspecting packets, to the point where they can determine which web pages ("page number" in the article ) you visited. So the analogy to the "pen register" (which is the device they use to sniff the telephone #'s on a phone call - according to the article anyway) is false. Hopefully we will see an appeal on that basis.

Re:Maybe it is the same. But I'm not convinced.

[Ngwenya]

Even if they have no definite proof that there was anything illegal on my PC, as I cannot decrypt the contents of the HDD for them, I am arrested.

It's not quite that simple. They do have to be able to demonstrate to the court that there was a high likelihood that you were in possession of the key within a reasonable time frame (ie, if you were receiving emails encrypted with that key until yesterday, and responding with emails which were also self-encrypted under that key) then the court might hold that you had the private key until recently.

Note also: if you revoke a key with a note saying "The coppers served a decrypt notice on me" - that's an offence. If you revoke it, people ask why, and you reply "I am unable to answer that question" - that's perfectly OK. Like there would be any other reason you would answer that! Talk about dumb!

However, in the scenario you outlined (the ephemeral key in RAM), you would be able to explain the arrangement to the court. It would be up to the prosecution to prove that you were lying. You are still presumed innocent. You cannot be prosecuted for being unable to provide a key you don't have - you can be prosecuted for failing to provide a key when evidence exists to prove that you did have it, and that you could reasonably lay hands on it. Since precious little case law exists to back any of this up, there's not much guidance to go by.

Note: the RIP Act really sucks. It's a stupid law, crappily written, with a lousy code of practice with so many holes in it, it's not even funny. And that, I suspect is why you'll never receive a decryption notice. I reckon there will be precious few decryption/key seizure notices served - because the coppers are terrified that the notices will be faulty. They'll probably serve them on a bunch of people using PGP when they've already got evidence on them from other sources. That way, if any of them do the "no such key" defence, they'll rely on the jury thinking "Yeah, but they're a bunch of shifty Muslim types, so they must also be guilty of that". Or it'll be some paedophile who would attract zero public sympathy. They won't use it on marginal cases - too risky.

--Ng

Re:Maybe it is the same. But I'm not convinced.

[Ngwenya]

Until they illegalize it.

Extremely unlikely. You'd be trashing the entire electronic commerce infrastructure which relies on solid encryption. And there's no way a corporately oriented government system is going to do that.

Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it? :-) OK - snarky Brit comment over. Back to the normally scheduled stuff.

Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

You mean the United Kingdom. Sadly Scotland is also sucked into RIP silliness.

The police and other law enforcement agencies still need a judicially signed warrant to obtain those keys. There's all sorts of stupidities in there - but let me ask a question: Why should you be able to refuse to obey a properly formed court order? If they served a legitimate court order to hand over they keys to your house, should it be legal to flip them the finger? If you think that encryption keys are somehow immune to warranted seizure, you have to say why. Alternatively, if you think that all court seizure orders are wrong, then you probably have to defend that one even more!

I don't have a problem with warranted search and seizure. I have a huge problem with the LEAs thinking that privacy is solely a cover for people to do evil things.

--Ng

Re:Maybe it is the same. But I'm not convinced.

[hacker]

Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

As I wrote about almost exactly 2 years ago to the day, this is our calling.

How do we answer?

Withhold your keys, indefinitely.

Let them keep asking for them. Keep saying NO! If they jail you for it, go. If they keep asking, keep saying NO.

Stand up for what you know is wrong, and let millions of others do the same.

Remember, we put our government into place to represent our best interests. When they fail to do so, they should step down themselves, or we should replace them.

Re:Maybe it is the same. But I'm not convinced.

[Threni]

> The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.

I wouldn't be in the least surprised if the CIA (or whoever) had a major presence in the backbone of the USA and has been able to routinely capture/search all internet traffic in the last 10 or so years.

Re:Maybe it is the same. But I'm not convinced.

[ScrewMaster]

And you especially say "No!" if you happen to have anything in your encrypted storage that would put you in jail anyway.

Of course, the government response to such reasoning would probably be to make withholding encryption keys a crime of such magnitude that you'll gladly give in to avoid more time in the pen than any ordinary criminal activity would land you. They justify that kind of abuse because, obviously, if you won't give them your keys you have something to hide, and the more you resist the more serious your "crime" must be.

The problem with all forms of social protest is that they are costly to the protesters. Social protest can be valuable to society as a whole (and sometimes not, think about how we treated Viet Nam veterans, and the popular reactions against nuclear power and science in general) but it frequently results in the instigators flushing themselves down the tubes. Think Tianamen Square. Think War of Independence. A lot of those people died.

I agree that what you're saying is the right thing, the correct thing, the proper thing to do to keep government in line. However, if you force someone to make a choice between the good of all, and the good of themselves and their immediate family ... it's not at all clear which is the best option. It's easy to say to someone, "do what's right no matter what the cost." It's a lot harder to do it yourself. What it really comes down to is that we had a chance to put our collective foot down after World War II, before things got too far out of whack, but it was easier to do nothing. Now things are so far out of hand that any attempt at correction is going to be very expensive indeed.

Re:Maybe it is the same. But I'm not convinced.

[hacker]

Then the government will just have the NSA super computers brute force it in a matter of minuets AND you get thrown in jail.

Not quite.

I can generate a key that would take them longer than several lifetimes to crack, and encrypt my data with that. By the time they crack it, assuming they can brute force it, the data they get will be out of date and useless.

Remember, computers are still limited by physics, and we know what the maximum speed is; the speed of the electron.

Re:Maybe it is the same. But I'm not convinced.

[hacker]

Now things are so far out of hand that any attempt at correction is going to be very expensive indeed.

Personally (and if you read my blog entry on it), its a cost I'm willing to bear.

What I believe in, and my morals are not subject to compromise.

Re:Maybe it is the same. But I'm not convinced.

[stinerman]

Withhold your keys, indefinitely.

Shit, most of the time you don't know your encryption key. I have no clue what encryption key was used when I sent my last email to Gmail's SMTP servers. I use TLS, so I don't have the foggiest idea. Same with any website where you use SSL. Doing any offshore banking? I guarantee you don't know your session encryption key; it's pseudo-randomly derived and then thrown away.

Re:Maybe it is the same. But I'm not convinced.

[beyondkaoru]

Why should you be able to refuse to obey a properly formed court order? well, personally i think it's different from not giving over a key since, well, even though they're very similar, a physical key is an object and an encryption key or password is a tiny piece of knowledge. my opinion is that since it's data it ought to be treated differently. i know not everyone will agree with me there :) i guess we just differ in opinion. my opinion is that keeping quiet might not be the right thing to do in some situations, but never should be illegal (though the laws in most countries are otherwise).

also, from what i hear, generally searches tend to be quite disruptive, and people don't really complain about them since they don't happen to most people. i don't have any first hand experience on the topic, heh.

i suppose the most appropriate analogy, rather than the key to one's house (something easy to break into and look around), would be if you had a safe that for whatever reason was secure enough that an attacker could not look inside of, and so should the police, with a warrant, be allowed to imprison someone who doesn't give the combination? or another example which is further but still vaguely relevant, suppose some crime occurs, and they can't find some important piece of evidence, and they ask a suspect that they have reason to believe knows it, "where is $FOO?", to which he replies "i don't know". in the us, we have for example the 4th amendment, which says basically that oughtn't be forced to make yourself guilty -- though, like all elements of our constitution, it is up to a judge's opinion what's covered.

in the case of many encryption protocols today, the key is cycled quickly and is never known personally by the communicators, so it wouldn't be unreasonable for a computer to have forgotten what key it used last week. it gets weirder if we consider the case of 'hidden volumes' -- that is, data on a hard drive that looks random (like, leftovers from deleted files, or just how the drive was when you got it, or whatever), but with the password can be revealed as otherwise; it is extremely difficult to figure out if that unused data is, in fact, a hidden volume without using the key. so in this case, the police would have great difficulty proving that there is something hidden at all.

anyway, the financial institutions won't have much to care about if the government can forcibly ask for an encryption key, since they have a lot of maneuverability within the law, while the commoner has less power legally (ie, can't hire lawyers and lobbyists). furthermore, there is a strong opinion amongst my countrymen (fellow usa dwellers) that you have nothing to hide if you've done nothing illegal.

on the subject of making encryption illegal, it's not too far fetched to make it pseudo-illegal. there was the whole clipper chip thing a while ago... luckily, it was shown to be buggy, and so wasn't forced on people :) the idea behind the clipper chip is that any crypto you use it for, the only people who could read it would be you, anyone you are communicating to, and the police. then, it would be possible to make general purpose encryption illegal with only information-privacy nuts like me complaining.

Re:Maybe it is the same. But I'm not convinced.

[ScrewMaster]

What I believe in, and my morals are not subject to compromise.

That's good. Stay with it, you have the right idea. You just need to convince fifty or sixty million other citizens to think the same way. If you can, why, we'll have a genuine movement on our hands.

Making changes to the way a government works is less a matter of general principle (most Americans believe in what you're saying, I know I do) but of motivation and a willingness to take measured risks. You need to get people en-masse to get up off their collective asses and take a chance at improving their governance. That is not an easy thing to do. Just getting people to write their Congressman in useful numbers is hard: nobody wants to get involved. Let someone else do it. Me, I've written my Congresscritters on numerous occasions: even received some nice form letters in return, but that's as far as I've gone.

So then, once you've got people all riled up ... what comes next? Not everyone's moral compass points in the same direction. Not everyone will want the same kind of changes made that you do: many will think you're full of hooey. The issues may be simple but people are not ... like I said, this is going to be expensive. I don't think we're going to have much choice though, not if we don't want to lose everything our ancestors built for us.

Re:Maybe it is the same. But I'm not convinced.

[syousef]

Extremely unlikely. You'd be trashing the entire electronic commerce infrastructure which relies on solid encryption. And there's no way a corporately oriented government system is going to do that.

How about introducing a license to employ encryption. One where the banks and electronic trade organizations covered had a license that covered the end user. Anything done to employ encryption that hasn't been approved by an organization with a license is illegal. That'd make using PGP to send messages illegal for the guy on the street, but using a web browser to view an encrypted Internet banking page legal for the same guy.

Scary but doable I'm afraid.

Re:Maybe it is the same. But I'm not convinced.

[Ngwenya]

How about introducing a license to employ encryption. One where the banks and electronic trade organizations covered had a license that covered the end user. Anything done to employ encryption that hasn't been approved by an organization with a license is illegal. That'd make using PGP to send messages illegal for the guy on the street, but using a web browser to view an encrypted Internet banking page legal for the same guy.

Scary but doable I'm afraid.

Not really. As Ron Rivest illustrated with the winnowing and chaffing procedure, any one way hash function can be turned into a key based discriminator. In other words. you can send text in the clear, but with so much chaff that it is computationally impossible to determine the true text. At that point you'd field the defence that "Hey, I didn't encrypt anything. I just spammed a load of garbage packets into the stream". Would the law then become "Don't do anything we think might be suspicious"? At that point, you're saying the US government becomes an arbitrary entity, abandoning all constitutionally based jurisprudence - and the courts are happy to go along with it. On a purely practical level, since all existing OSes have crypto built in, how would you enforce this? Remember - it's not just web sites. IMAP servers, LDAP servers etc. all on the net have crypto built in. How do you enforce a rule saying that all of these systems must now comply with the no crypto law? Would the USG indemnify all service providers who suffered loss as a result of removal of transport level security? That might be a bill the US taxpayer is unlikely to wish to settle!

As for the licensed crypto, you would also have to ensure that such legislation was effectively global, or people would just use a proxy based outside of the host country. Of course, you could shut down all international Internet contacts (a la Great Firewall of China), but the cost to the economy of that would be massive.

The crypto genie is out of the bottle - it would be practically impossible to put it back in. The NSA and other TLAs tried (and succeeded) to hinder its widespread adoption within the civilian community. But in the end, the only real success was to hand crypto and security development to teams in Europe and Israel. A nice gift from Uncle Sam for us damn furriners, but not much good for the security of the USA.

--Ng

Re:Maybe it is the same. But I'm not convinced.

[Ngwenya]

well, personally i think it's different from not giving over a key since, well, even though they're very similar, a physical key is an object and an encryption key or password is a tiny piece of knowledge. my opinion is that since it's data it ought to be treated differently. i know not everyone will agree with me there :)

Not everyone, indeed. Including most judiciaries in the world! :-)

I think most states would treat a password as like the combination to a safe. You cannot be physically tortured into revealing the combination, but refusal to obey a court order to perform the action may be taken as evidence to adduce guilt. But if the court was faced with a refusal with the statement "I don't know the combination", it would still be the prosecution's burden to prove that the refuser did know the combination. You cannot ask the recipient of the order to prove he doesn't know - that's impossible - but if there's reasonable evidence to suggest he did know it (ie, CCTV footage of his opening the safe yesterday, or production of documents which were in the safe a short while ago), then most juries would think that the recipient was lying. In the case of a crypto key, the fact that ciphertext exists on your hard disk is no evidence of key knowledge at all - any number of computer security experts would testify to that in a heartbeat.

If you have a key discipline regime which relies on rapid key changing, and you claim no knowledge of the key, then that's might well be a valid defence.

--Ng

Re:Maybe it is the same. But I'm not convinced.

[Sloppy]

simply make it illegal to withhold your keys from government agents

At least, at that point, you know it's happening. Someone can't put a gun to your head and demand your passphrase, without cluing you into what's happening. (Well, ok, barring rohypnol or something like that. ;-)

The British system sucks, but at least it keeps [that type of] surveillance "personal." When you force attackers to take active measures to thwart your privacy (i.e. make them make you give up keys, make them do MitM attacks instead of merely passively snooping, etc) you can really cut down on "fishing."

Re:Maybe it is the same. But I'm not convinced.

[syousef]

Would the law then become "Don't do anything we think might be suspicious"? At that point, you're saying the US government becomes an arbitrary entity, abandoning all constitutionally based jurisprudence - and the courts are happy to go along with it.

You mean like the US president's little habbit of wiretapping without a warrant, or your CIA's little habbit of spiriting people off to foreign countries and holding them without charge for almost 5 years? Or how about the whole thing with the RIAA/MPAA decide to financially ruin someone because they think one of their private dicks found an IP address somewhere in a log that may have belonged to them. I think you're being a bit naive.

As for the licensed crypto, you would also have to ensure that such legislation was effectively global, or people would just use a proxy based outside of the host country.

So they'd transmit in the clear (which could be intercepted) to a remote (read slow) proxy? What'd be the point if you're transmitting the information unencrypted to begin with? That makes no sense.

Re:Maybe it is the same. But I'm not convinced.

[Ngwenya]

As for the licensed crypto, you would also have to ensure that such legislation was effectively global, or people would just use a proxy based outside of the host country.

So they'd transmit in the clear (which could be intercepted) to a remote (read slow) proxy? What'd be the point if you're transmitting the information unencrypted to begin with? That makes no sense.

Sorry - not being sufficiently clear. The point was that the license that the GP suggested would apply to website owners (banks, government offices, etc.) - but that unlicensed service providers (in the USA) could not deploy encryption technology. It would be just impossible to require every US citizen to acquire a crypto license which would force their computers to adhere to US government IT restrictions. Thus, the foreign servers (whether for finance or other matters requiring confidentiality) would still have to use SSL or the like. And how would you prevent those external services being proxies (short of the USA declaring war on the entire world)? So the beleaguered US citizen would use SSL to the proxy server, and then tunnel SSL within that connection. Perfectly doable using existing setups.

Your other examples of administrative abuse don't really bear on this matter. It's one thing to go after a small group of individuals whose behaviour distinguishes them from the masses. It's another thing entirely to require wholesale filtering and mandatory spyware installation on the entire population's computer systems. It might have been possible 20 years ago, prior to widespread home Internet access. It's just not remotely plausible now.

--Ng

Subject Misleading

[RhadamanthosIsChaos]

The article says that they're allowed to monitor the addresses of the websites and email you use, but not neccesarily the content of the page itself. For example if you went to a website you had to log in to, they wouldn't be able to find out what was on those pages without a warrant.

Still sucks, since getting the address of a webpage is pretty much equivalent to getting the page itself 99% of the time.

More specifically

[Shadow+Wrought]

They are allowed to look at the sender information on your e-mails and domain of websites you are looking at. The contents of the e-mails and which pages of a website, ie the URL, are still off limits.

Re:More specifically

[ColdWetDog]

I, for one, welcome our Federal email and HTML sniffing overloads.

Re:More specifically

[CODiNE]

Yikes, so then technically everyone who visits the Pirate Bay would automatically be suspected of seeking out child porn. Visit video.google.com and you have been engaged in activities consistent with someone looking for child porn. Let's say someone posts nasty stuff to Youtube which is later removed, it doesn't matter because that site is now flagged and anyone who visits it now has probable cause for a full-on investigation.

What this is really, is a legal way of labeling everyone on the internet as a potential criminal. Oh... so you didn't know someone put some illegal files on Wikipedia? Your problem.

Re:More specifically

[BoberFett]

And how exactly do they retrieve just the domain name? I imagine it has to parsed out of the full URL from the HTTP header. And as the courts of ruled before for copyright purposes, they think that having a copy of something in memory is legally the same as having a copy on the hard drive. What's good for the goose is good for the gander, so this should be considered making copies of the entire HTTP header including all URL data and possibly even POST data. That's clearly beyond just having the domain name.

Re:More specifically

[BoberFett]

"courts of ruled?" Sorry I just woke up. "courts have ruled"

Re:More specifically

[Dunbal]

What this is really, is a legal way of labeling everyone on the internet as a potential criminal.

      Well, from a law enforcement point of view, everyone IS a potential criminal.

      However I wish them luck drowning in their ocean of data. And hopefully the false positives will be able to prove their innocence (isn't it supposed to be the other way around?) and avoid going to jail.

Re:More specifically

[jon_anderson_ca]

According to Wired (thought I'd never say that), it's even less information than that: they get the IP address, not the domain name.

So, all they may know is that subject X visited one of the 4,000 websites hosted by a particular hosting company.

Re:More specifically

[that+IT+girl]

The contents of the e-mails and which pages of a website, ie the URL, are still off limits.

For the moment...

Re:More specifically

[0x0000]

Fwiw, I find it odd that this URL/content info which Law Enforcement [within the 9th Circuit, at least] is not allowed to collect without a warrant is routinely collected with impunity by tracking cookies, "transparent" proxies, and so on. If this decision is going to stand, there should be some impact on legislation anti-spyware and private monitoring of internet activity by advertisers and ISPs.

Also, if I understand the situation correctly, e.g. Google already tracks all this information about their users, and more. The fact that the information they harvest remains technically "anonymous" is dependent wholly on their corporate "goodwill" right now. How is it that it is not legal for a cop to get this info, but it is legal for Google to use the same info to target users with advertising? It reminds me of statement in the news a few years ago (around the time the Department Homeland Security came into being) that FBI agents were not allowed to "use the Internet" [i.e. public search engines] to collect data [evidence] in the course of an and invesitgation up until that point (the merging of "intelligence" operations within the Federal government).

Finally, what burden does this place on me as an internet hosting provider to e.g. destroy [without looking at, analyzing,or otherwise extracting user data from] the log files I can collect which can provide me with varying levels of detail about the visitors to my site, depending upon just how much trouble I want to go to track them? If it's not legal for Law Enforcement to collect that information and track those users, is it legal for me to do so? If so, that doesn't seem to jibe very well with this whole "Rule of Law" thing that some of us have been trying to get put in place... And what about email? If I use my root privileges on my server to discover illegal activity by reading my users' emails [disregarding for a moment the morality of such an act], is that admissible? Is it legal? Could I be prosecuted for it? And again, where does that leave Google [Gmail] - and soon to be Yahoo and MSN, if they're not already doing it - with their "we're keyword parsing your email, but we don't read it" business stance?

Re:Nothing to see here... move along...

[r_jensen11]

From TFA: "The search is no more intrusive than officers' examination of a list of phone numbers or the outside of a mailed package, neither of which requires a warrant, Judge Raymond Fisher said in the 3-0 ruling."

I don't see what all the hoopla is all about. They're not opening the emails or reading any content. At least, they should not be. ;)

Take your foil hats off...

Cheers. Except that, as far as I know, it's not illegal to post something without a return address on it.

Address implies content

[Harmonious+Botch]

From TFA

...the court said, although the government learns what computer sites someone visited, "it does not find out the contents of the messages or the particular pages on the Web sites the person viewed."

The search is no more intrusive than officers' examination of a list of phone numbers or the outside of a mailed package, neither of which requires a warrant, Judge Raymond Fisher said in the 3-0 ruling. I think that his honor missed something here. He seems to be saying that knowing the address of a web page is like knowing the address on an envelope, and in either case the contents is not being snooped upon. In the case of the letter he would be right, for a letter can contain anything ( I could mail a recipe for braised goat's eyes to Bin Laden ).
But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here.

Re:Address implies content

[Anonamused+Cow-herd]

But a web address often has a 1-to-1 corespondence with its contents.
Exactly. Knowing the to/from ADDRESS is one thing; knowing the _content_ of the request is another thing. This ruling allows things like:

• Monitoring search behaviors (since search contents are contained in GET URLs)
• Near-full auditing of all Web content viewed, down to individual comments/forum pages
• For some systems, warrantless snooping of usernames and passwords (when such information is contained in the URL)

Yeah. Bad idea.

Re:Address implies content

[mi]

But a web address often has a 1-to-1 corespondence with its contents.

Often is the key word here. You ignore it in one of your examples (regular mail), but stress it in the other (web addresses). You would not be mailing to Bin Laden often — not any more often, than you would connect to a jihadist web-site to post "terrorists are swine" on it.

I think, the judge is right...

Re:Address implies content

[Anonamused+Cow-herd]

Hmm. Turns out the SF gate article is misleading. Disregard the above. http://blog.wired.com/27bstroke6/2007/07/appeals-c ourt-r.html

Re:Address implies content

[Wrath0fb0b]

But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here. Heavens I wouldn't want the feds to know I had visited http://mail.google.com/mail/ or https://www.paypal.com/us/cgi-bin/webscr?cmd=_acco unt - then they could figure out all my email and PayPal transactions! Address only implies content for publicly available resources - resources in which you have no reasonable expectation of privacy. If you want to keep something private, stick a login screen in front of it or encrypt it.

As far as your statement that this "search" (which it isn't) is unconstitutional, I defy you to show me where in the constitution the government is restricted from determined to whom a person is writing letters. We are guaranteed privacy for the content of the letter not anonymity in writing letters. These are not synonymous! The constitution is a very specific document - please do not pretend that it forbids practice X just because you think X is incompatible with your normative view of a free society.

Re:Address implies content

[dirk]

Well, the first thing is that they can not get the URL, only the web site address. So they can find out you went to Slashdot.org, but not that you went to a specific article. And while there is often a 1-1 correlation between the web address and figuring out the content, the same can be said for phone numbers. If I know you called Planned Parenthood, I know just as much as if I know you went to their web site. All I know is you have some interest in something they do. It does narrow it down a bit, but is far from conclusive, especially since I don't know what exactly you looked at on the page.

I'm not a fan of the pen register rule, but this seems like a completely logical and fair expansion of the rule to cyberspace.

Re:Address implies content

[Firethorn]

Knowing person X emailed person Y can also contain just about anything. As for the webpage - that can be very dynamic. For example, you won't know what accounts I have at my bank simply because I log in there. That'd take more research.

I'm kinda conflicted on this issue. On the one hand, this is an invasion of privacy, just like recording who I send mail to, even if they don't read the contents. On the other hand, I can understand how this would be a valuable tool in law enforcement for things like drug trafficking and terrorism.

I oppose the war on drugs, but I like seeing terrorists caught. If they confined the analysises to intelligence operations in the military sense, treating the 'war on terror' as a war, not a criminal matter, I'd be more ok with it.

Re:Address implies content

[Tuoqui]

Unfortunately for you, it is possible to write a letter anonymously. You simply do not include a return address. The contents are guaranteed to be private and since there is no return address, who sent it is also private.

Unfortunately in an Internet world you need to stamp a return address on every packet you send out in the form of an IP address.

Re:Address implies content

[iminplaya]

It shouldn't matter if it's "constitutional" or not. We simply should vote thoughtfully and not elect people who practice these abuses. The politicians won't hold up the law if we don't force them to with our votes, constitution or no. BUT you have a bunch of people who think this is perfectly okay, and in fact necessary, and they will continue to vote for the corrupt politicians as long they promise another tax cut or some phony health plan.

Re:Address implies content

[Kadin2048]

The GP was wrong in his interpretation of the court's decision.

They actually realized that a log of IP addresses and a log of URLs are two very different things, and convey different levels of information. This was actually mentioned in a footnote (quoting from the Wired article):

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ whereas a technique that captures URLs would also divulge the particular articles the person viewed.

An example is the difference between a log that shows "http://en.wikipedia.org/wiki/Surface-to-air_missi le, http://en.wikipedia.org/wiki/Missile_guidance" and one that shows "http://66.230.200.100". The latter is analogous to the numbers I'd dial into a phone in order to connect me to someone; the former is more indicative of the content of the communication.

Furthermore, just because a resource is "publicly available" doesn't mean that there's "no reasonable expectation of privacy." I expect that my Wikipedia browsing habits are between me, my ISP, and Wikipedia (and anyone else snooping on the line), likewise, although my Google searches are sent via GET URLs, that doesn't mean that they're public. (Particularly given that there's no alternative method, at least that I'm aware of, to use most search engines.) Libraries are public, also, but that doesn't mean that everyone's records are public information.

Re:Address implies content

[mrchaotica]

Not to mention that the "address" of a web page is the IP address or domain name, not the full URL!

Re:Address implies content

[sumdumass]

The thing is, Nothing has changed with the Internet since it's inception except people's understanding of it. If they don't like it, use other means for communications. We have known for ages that your not really anonymous on the thing and we have had many programs attempt to allow the anonymity people are looking for.

Don't act like something has been taken away. It hasn't. If anything, it has only been cleared up once and for all. This has been a question that has been out there since Clinton authorized Echelon, or was it green lantern or something similar? Now, I suggest using TOR or something if your still concerned, but I wouldn't suggest continuing the use of something you know is being looked at and expect it to remain private when it never was in the first place. For the majority of US, we won't need to.

Re:Address implies content

[sumdumass]

Your not going to find a politician who isn't corupt in this sense. Even the third party candidate say one thing to their base to get funding and another to get votes. Of course this is assuming that is a level of corruption.

And yes, you do have a bunch of people who don't see this as the end of the world. there are more important things on their minds. When going to the polls, you aren't voting for the best man, you are voting for the lessor of two evils. The best men (women) for the jobs aren't even running. And I don't blame them with all the personal attacks and the constant "we gotta find something to ruin their creditability" going on. Any sound, honest, informed person capable of doing the job will pass that up in a heart beat. What we will be left with is the lessor of two (or three) evils that we have to decide for. We are picking from close to the bottom of the barrel when it comes to politicians.

Re:Address implies content

[slashqwerty]

Something to keep in mind. The internet isn't so different from the mail. Simply knowing who someone communicated with provides the government with enough knowledge to track down someone who leaks embarrassing information to the press. From the U.S. Postal Museum in Washington, D.C.

At the beginning of the new America, nearly all the news came by mail. When the Constitution was signed, it was rushed by post riders to every town that had a printing press. And that's how the newspapers were able to bring the resounding news of how we were to govern ourselves. The newspapers knew of it first by mail.

In England, for centuries, the mail was frequently scrutinized by agents of the Crown or of the Parliament. It could be worth your life to write a letter that might be seen as having the seeds of treason. This did not happen here. From the beginning, by and large, the U.S. mails have been free of eyes other than our own and those of the sender.

To the framers of the Constitution, the mail made the engine of democracy run--along with the newspapers. And newspapers then printed a good deal of correspondence. Rufus Putnam, a key military figure in the Revolutionary War, said, "The knowledge diffused among the people by newspapers, by correspondence between friends" was crucial to the future of the nation. "Nothing can be more fatal to a republican government than ignorance among its citizens."

As a journalist, I have sometimes been asked where my leads for stories come from. Much of the time, they come from opening the mail. Readers from all over the country send personal stories, newspaper clippings, local court decisions, and student newspaper editorials arguing for the First Amendment rights of students. There is no other way I would have known about these stories except through the mail. It is through letters that I often receive highly confidential stories about unfairness in the justice system from people who would not trust any other form of communication.

The framers of the Constitution knew how vital the mail would be when Article I was written to protect privacy of communication through the mail.

Re:Address implies content

[TheGavster]

It gets them MORE; the public success of a witch-hunt is measured in the gross number of people accused, not the net number actually guilty of anything.

Re:Address implies content

[iminplaya]

We are picking from close to the bottom of the barrel when it comes to politicians.

To me that puts the blame for this entire mess squarely on our shoulders. I saw a great poster the other day that says, "Child prostitutions exists because YOU pay for it." I apply the same rules to spam and politics. The sellers are the serpent. The buyers are the sinners.

Re:Address implies content

[hacker]

I think that his honor missed something here. He seems to be saying that knowing the address of a web page is like knowing the address on an envelope, and in either case the contents is not being snooped upon.

The difference ends in the description.

If I was going to snoop on the contents of an envelope, it would be obvious that it was opened (except in the case of a professional de-sealing, of course).

With the URL of a webpage (or the IP it originates from), it is more akin to a postcard than an envelope. How can you tell if I've only looked at the front of the postcard to read the address, and not flipped it over to read the back?

Answer: You can't, and therefore, this can't be trusted or allowed.

Re:Address implies content

[delong]

But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here

No, they aren't. Just as dialing a specific phone number may be very indicative of the content of the call, given the person on the other end, the URL and email addresses one is contacting are addressing info. Just because there is some incidental indication of content is not the same as actually searching content. The constitutional inquiry is on whether you have a reasonable expectation of privacy in the subject of the search. You may have a reasonable expectation of privacy in the content of an email, like a phone call, but you certainly do not have a reasonable expectation of privacy in the content of a public web page or the addressing information, ie. URLS.

Re:Address implies content

[coolGuyZak]

That would be the fourth amendment, chief:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

From the wikipedia article:

In Katz v. United States,[7] Justice Harlan issued a concurring opinion articulating the two-part test later adopted by the Court as the definition of a search for Fourth Amendment purposes: (1) governmental action must contravene an individual's actual, subjective expectation of privacy; (2) and that expectation of privacy must be reasonable, in the sense that society in general would recognize it as such.

As society at large has a reasonable expectation of privacy in sealed communications (i.e. letters), the contents of such are constitutionally protected.

Re:Address implies content

[sumdumass]

Sure, I don't see how I could disagree if I tried.

The problem is that if you don't participate, at least with the politics, you end up with worse then you want. You can't stop buying because it directly effects most of us and indirectly effects all of us.

Re:Address implies content

[qzulla]

A little further down was:

Expert evidence in Alba's case showed that the Web addresses obtained by federal agents included page numbers that allowed the agents to determine what someone read online, Crowley said.

So our judges are still a little unclear on the concept. Well, plus the page numbers here but at least they got closer. I guess the "page number" where I am at at the moment is comments.pl.

But still, page numbers from an expert?

qz

Re:Address implies content

[qzulla]

It is true the sfgate article is more misleading but that is the one most will read. Not many will seek out Wired or other sources to clear this up.

qz

Re:Address implies content

[beckerist]

If someone is going to www.i-am-a-terrorist.com/forum/post.php. CHANCES ARE you know EXACTLY what he was looking at when he went to the site. Combine that with an "ah, I see he visited on Thursday at 7PM" and you've got a very good idea of what Mr. Terrorist posted. The point is that even though you can read the outside of a letter and know where it's going and where it came from, you still require a warrant to be able to examine it any further. Information posted to the internet does not have the same protection.

But then again, anyone posting on a public forum has to be aware of that fact. Anyone posting incriminating material on a public forum (ie: the internet) is an idiot...

Re:Address implies content

[Anonamused+Cow-herd]

That's true. It's why I actually spelled out the text of the article in another post -- I was just trying to clear up a wrong post I'd made earlier.

Re:Address implies content

[MrLizardo]

Unfortunately in an Internet world you need to stamp a return address on every packet you send out in the form of an IP address. Yes, but it only needs to be *your* IP address if you want a response back. IIRC, you could sit their and send out UDP packets with spoofed source IPs all day long to some friendly host. It's not really a commonly accepted practice, but there's no one stopping you from doing it...

-Mr. Lizard

Re:Address implies content

[iminplaya]

I'm not saying don't participate. Just don't deal with snakes in the grass(or the trees as it may be). They're easy to spot. They don't seem so easy to resist, but then that's our problem. Only if we police these people(and our own desires) will there ever be any kind of hope of change. Because I will always believe that politicians in any country with somewhat free elections are a very accurate reflection of the voters. All looking for easy money and advantage over others. Besides there will always be a strong resistance to change. Look how difficult it is to get people to switch from Windows to another clearly superior OS. 95%...hmmm, about the same as the re-election rate in congress. Coincidence? That's what they want you to think :-)

Re:Address implies content

[rtb61]

However, there really is a problem in the definition of what is and is not the public obtaining of a connection. Really for an ADSL enabled phone line, your obtaining a connection is the original connection between your modem and the ISP that you choose, all data transmitted there after constitute part of the electronic transmission that represent the communications between you and your ISP, so they a really wire tapping the communications between you and your ISP whether it be a hard copy printed log (no different to a written transcript of a conversation), or a digital file (no different to a analogue voice recording).

As for the email, well I suppose if they were allowed to enter post offices and record all the address details of all the post going through the system, and where no return address was on the back of the envelope, open the envelope in order to try to ascertain the return address, what you say that is not legal, hmm. So for email, fine, legally you send it to your ISP (your ISP is the from address) and they send it to the recipients ISP (that ISP being to the address), the receiving ISP 'opens' the electronic transmission comprising the email to ascertain to whom it needs to be forwarded and does an automated non-invasive check for spam or viruses.

The whole thing is just so stupid, consider this, if a person who might commit a crime, suddenly finds out they are under scrutiny by law enforcement, they will very likely cease the criminal conspiratorial activities, hence no crime is committed, and no additional tax dollars are diverted prosecuting and imprisoning someone, everybody wins. Unless this is some crazy scheme to watch all of us criminals all of the time, basically anybody to poor to afford privacy (anybody not a member of the upper class, the political class or senior representatives of the military/law enforcement classes and of course their families) should not be legally entitled to any.

Re:Address implies content

[Tim+C]

I think it really depends on the nature of the request. If all that's being read is a static page, then your analogy is good. If on the other hand information is being submitted to the web site (such as this comment), then merely knowing the URL doesn't tell you what was posted at all.

Not that I necessarily support the ruling, mind.

Re:Address implies content

[Tim+C]

No, that's the address of the server, the web page's address most certainly is the full URL - that's how you find it. Similarly, the address of a person living in a flat includes the flat number/name, not just the address of the building the flat is part of.

Re:Address implies content

[hacker]

If on the other hand information is being submitted to the web site (such as this comment), then merely knowing the URL doesn't tell you what was posted at all.

But capturing the POST data (which would have to happen anyway, in the context of the transaction across the routers, through the wire-level sniffers), would certainly have that data.

Again, its like me walking through your house, and saying I only looked at your walls, but not at anything else in your residence, after I opened your door with the knob. The fact that we allow them to "open the door", means anything they "see" inside, is impossible to prove or disprove, therefore... we shouldn't even allow them to open the door.

But because people don't understand the technologies, they just let them in.

Re:Address implies content

[poser101]

What if someone just used a proxy changing site to access www.i-am-a-terrorist.com -- like www.hidemyass.com -- the LE would only get the IP for the hide my ass website and wouldn't have a clue where you were... right?

Re:Address implies content

[lessermilton]

if a person who might commit a crime, suddenly finds out they are under scrutiny by law enforcement, they will very likely cease the criminal conspiratorial activities, hence no crime is committed, and no additional tax dollars are diverted prosecuting and imprisoning someone, everybody wins. Actually, that might stop 90% of the people. 10% will just find a way around... As lockpicks and hackers alike are fond of repeating - there's no lock one man created, that another cannot break. Plus because they know the system and the system believes they're invulnerable, the underdogs get further, deeper, faster.

Re:Address implies content

[computational+super]

compare an ecstasy drug-ring to a champion of civil liberties?

Did you expect the next landmark civil liberties supreme court decision to revolve around correspondence between heart surgeons discussing the best way to save the lives of starving African orphans? If civil liberties only apply to people above suspicion in the first place, there's not much point in having them, now, is there?

Re:Address implies content

[beckerist]

touche!

Great!

[schmidt349]

So they won't mind if I start encrypting everything then.

Re:Great!

[/dev/trash]

As loing as you send them the keys first. You know in case children are involved or terrorists.

Ninth Circuit

Circuit Courts of Appeals only have jurisdiction over cases arising in their proper Circuit. This decision is not applicable anywhere but the Ninth Circuit.

http://upload.wikimedia.org/wikipedia/commons/thum b/d/df/US_Court_of_Appeals_and_District_Court_map. svg/620px-US_Court_of_Appeals_and_District_Court_m ap.svg.png

Editors, please.

Re:Ninth Circuit

[iknownuttin]

Circuit Courts of Appeals only have jurisdiction over cases arising in their proper Circuit. This decision is not applicable anywhere but the Ninth Circuit.

Yeah, but don't judges and lawyers in other districts use the decision as a precedent - I think that's the legal term.

Re:Ninth Circuit

[HadouKen24]

It's precedent, but not binding precedent. It's used sort of like advice. Other courts can take the advice, but they don't have to.

Re:Ninth Circuit

[ravenshrike]

Stare Decisis. And they'll use it if it suits them, but otherwise they won't. Or they'll use it if they can ignore/twist the meaning all out of proportion(see almost every single fucking case that cites US V Miller except for the recent Parker decision.) Until the Supremes either take a case and define it or take a case using it and say it's proper, it's not truly Stare Decisis.

Misleading Summary

[logicnazi]

What the ruling held was that the header information of your email (and web browsing I believe) is subject to exactly the same standards as the information about what phone numbers you dial. Mostly this seems like an appropriate and totally correct extension of offline legal standards to the online world. The only reason that it is more problematic is that an email header includes things like the subject which contains a little bit of the content.

Still all things considered this seems like the correct rule. Subject lines don't contain that much information and if you are concerned you can just use an unrevealing subject. Moreover, we already contemplate the possibility that someone who happens to glance at the recipients screen might notice the title so it really doesn't seem like we have the same expectation of privacy for the title of the message as we do for the body.

Anyway for a better more interesting discussion about this case you can check out Orin Kerr's comments over at the Volokh Conspiracy.

The price of Freedom ...

[khasim]

People died for the Freedom that too many of us seem willing to trade away.

If the worst thing that happens to you is some jail time because you refused to reveal your keys, consider yourself ahead of the game.

Fascism begins when the efficiency of the Government becomes more important than the Rights of the People.

Re:The price of Freedom ...

[WilliamSChips]

No, Fascism begins when people decide that fighting Communism is more important than protecting rights.

Re:The price of Freedom ...

[ScrewMaster]

I don't know what idiot modded you "Flamebait", because you're right. However, it's not really "efficiency" that we're talking about. What is efficient law enforcement? That's when the cops catch bad guys with a minimum of fuss and a minimum of disruption to the lives of the ordinary citizenry. What our government is doing now is not efficient: the cultural and economic impact of their activities is already significant, and increasing with every poor legal decision that gets handed down.

Re:The price of Freedom ...

[raehl]

No, Fascism begins when people decide that fighting Communism is more important than protecting rights.

s/Communism/Terrorism/g

Re:The price of Freedom ...

[syousef]

If the worst thing that happens to you is some jail time because you refused to reveal your keys, consider yourself ahead of the game.

Lovely ideal but the practical considerations of having your life fall apart - job, marriage, family, friends all gone - say hi to your new cellmate who's hobbies include anal penetration of yourself aren't so nice.

How this mess developed

[Animats]

This mess developed over time.

All this stems from a distinction in wiretap law that goes back to the dial telephone era. Listening to voice requires a warrant, because that info belongs to the parties of the call only. But information used by the telephone company itself to route the call, like dial digits, can be requested from the telephone company. A "pen register" was classically a little electromechanical gadget that recorded dial pulses as dashes on a paper tape. There was no way to extract voice info with a pen register.

Then came Touch-Tone. Now the switching data was in the voice channel. After some court decisions, it was established that listening to the voice channel and extracting tones was OK, if done with "minimal" access to the voice channel.

Over time, this led to the "pen register" exception being extended to content the telco didn't process, including tones sent during a call to third-party services like voice mail, packet headers, E-mail headers, cellular location data, etc. Then came a "lower standard for stored messages", which included SMS messages and E-mail. Then came bulk interception via CALEA. Then the Patriot Act.

/me brags about Canada

[Schraegstrichpunkt]

In Canada, the police need a warrant (CanLII link) to get a dialled-number recorder placed on someone's phone (though apparently such a warrant is easier to get than a wire-tapping warrant), so extending this to the Internet wouldn't really be all that scary.

I think Quebec's general unwillingness to trust the federal government probably helps a lot here.

Re:/me brags about Canada

[delong]

I think Quebec's general unwillingness to trust the federal government probably helps a lot here

It also helps that Canada doesn't have the Fourth Amendment. The Fourth Amendment only bars unreasonable searches and seizures, and the reasonableness jurisprudence is obviously different than whatever you guys have concocted in Canada from general English common law principles.

So...

[BlueParrot]

Time to start using:
http://en.wikipedia.org/wiki/Tor_(anonymity_networ k)
and
http://en.wikipedia.org/wiki/GNU_Privacy_Guard

The alternative would be to vote the idiots out of office, but it doesn't seem as if that will happen any time soon.

Re:So...

[Rod+Beauvex]

The problem is they're all idiots, so when you vote one out, another comes in.

Re:So...

[SpaceLifeForm]

An even worse problem is that there are now corrupt
individuals making legal decisions that you didn't vote for.

Your elected representatives did.

The problem was, your elected representatives were not paying attention,
were too scared to think straight, and voted for people and legislation in a hasty manner.

An example would be those that voted for the Patriot Act without even reading it.

It would depend upon HOW they got that info.

[khasim]

But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents.

Exactly.

Now, there are possible ways to get the IP addresses that you connect to WITHOUT getting any more information than that (and such information is just about useless).

But I don't trust the government to put any effort into protecting MY Freedoms and privacy when it is so much easier for them to abuse such.

There is a huge difference between knowing that I connected to 66.35.250.150 on port 80
and
Knowing that I connected to http://yro.slashdot.org/comments.pl?sid=247095&cid =19790551

Re:It would depend upon HOW they got that info.

[PingPongBoy]

easier for them to abuse

Well, for one, they are probably not after people who have antipolitical views, but have much larger fish to fry, like terrorists |) Still, it makes you wonder how you are judged because you can't really tell what the Internet is doing against your reputation, especially if some website is rigged to send data to the wrong places.

On the one hand, given today's connectedness, one might be tempted to build snoop technology just to see if it's safe to go downtown--and does the ruling ok this? On the other hand, it may be best to surf behind an anonymous server and systematically eliminate all physical ties to society...

The middle ground is to obfuscate. Not sure how to do that and surf with any fun. Is obfuscation and disguise the new terrorist strategy? Are they wolves in sheep's clothing? Can you believe that some people go through the trouble to become doctors before building car bombs? The government has its hands full, though I fail to see how snooping on the Internet is going to catch the big ones. Some of these characters have some brains and are unlikely to tip their hand, and the most shocking thing is that they killed no one innocent in the UK with those cars.

Article is misleading... here's one from wired.

[Anonamused+Cow-herd]

That article is completely misleading. The ruling covers IP addresses only. Here's a better article from Wired. For the lazy, here's the text content:

--
Appeals Court Rules No Privacy Interest in IP Addresses, Email To/From Fields

The Ninth Circuit Court of Appeals ruled Friday in United States vs. Forester that IP addresses and the To/From fields in emails are the legal equivalent of dialed phone numbers and the government can get a court order to obtain them without showing probable cause as would be needed in a search one's house.

The Court extended to the internet a 1979 case known as Smith vs. Maryland, where the Supreme Court found that individuals have no reasonable expectation of privacy in the phone numbers they dial because they transmitted them to the phone company in order to complete the call. However, under Smith, the contents of the calls could not be listened in on without proving probable cause to a judge.

The Ninth Circuit, ruling in an appeal of an Ecstasy-drug ring conviction found that emails' To/From fields and visited IP addresses were the internet's equivalent of phone numbers. For example, the government could get a log that said a person visited to http://66.230.200.100/ (Wikipedia's address). However, the court suggested that knowing full urls are very close to content (e.g. http://en.wikipedia.org/wiki/Ecstasy) and would likely require a higher burden of proof to obtain than mere IP addresses.

From a footnote in the decision:

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ whereas a technique that captures URLs would also divulge the particular articles the person viewed.

Professor Orin Kerr questions whether the decision is about getting this information from an ISP or whether it was from a device installed on a computer surreptitiously. He suggests the latter should require a higher standard, but I'm not sure why? Perhaps it's because that might require law enforcement to enter a person's house?

Re:Article is misleading... here's one from wired.

[etymxris]

Professor Orin Kerr questions whether the decision is about getting this information from an ISP or whether it was from a device installed on a computer surreptitiously. He suggests the latter should require a higher standard, but I'm not sure why? Perhaps it's because that might require law enforcement to enter a person's house? Because to install surreptitious monitoring you have to enter a person's home. Then everything in plain sight can be used as evidence against that person, such as paraphernalia on the coffee table. Normally the police would require a warrant to enter someone's home without their permission. This would allow warrantless walkthrus of peoples homes by the police.

Re:Article is misleading... here's one from wired.

[Anonamused+Cow-herd]

I agree -- it didn't seem like a hard concept to grasp to me.

Re:Nothing to see here... move along...

[eck011219]

I think you're missing a key point -- an e-mail has a subject line, while a phone number or a letter mailed by post does not. Even without reading the contents of the message (and I don't believe for a minute that they don't -- call me paranoid), you can see what the message is about. Not true of a phone call or letter.

Also, as stated elsewhere, any web address has a direct relationship to the contents of a web page. This is more information than just a phone number or address on a letter.

Personally, I'm not sure why they're being so lazy -- generally courts will give warrants fairly easily. And it's not the time lag involved in obtaining a warrant, either -- I think you can get a warrant after the fact if time is of the essence. Given other actions of our current government, I'm more inclined to believe that they want as little paper trail related to some of these searches as possible. I don't typically tend toward such paranoid thinking, but past behavior offers a strong suggestion of current and future behavior.

So what?

[ratboy666]

I send email signed with GPG. Mess with the headers, sure, but the BODY can't be tampered with. Read, yes, tamper, no.

If something must remain confidental (source code, thoughts, company plans), it is put onto a server, and a reference sent via email (with GPG signing). The recipient can CERTAINLY go to the web page, where she will be redirected to an SSL page.

As soon as the SSL connection is set up, I use Apache Basic Authentication. Give me a user name and password. And these are reasonably secure. At least, I can detect hacking attempts, and take down the server if needed.

Won't tell anyone anything, really... And, for good measure, the server isn't in the US (and if I *were* in the US, it would be located out of the US anyway).

And, yes, I am paranoid.

The laws are technologically obsolete

[hey!]

The laws were written with specific technologies in mind.

For example a wiretap is conceptually, if not legally, tied to telephony. In order to be a wiretap, a communication must have an aural component. Thus intercepting an email being sent over WiFi is not a wiretap, but a VoIP intercept is. Likewise intercepting an email with a voice mail attachment (such as might be generated by a voice mail/email gateway on a system like Asterix) might qualify as a wiretap.

There are provisions for controlling the reading of text messages, but the law is written for a system like the old Telex system, in which the messages are ephemeral,but stored in temporary buffers at various stages of delivery. Thus while intercepting an email in a transfer agent queue is questionable, once it is delivered to your email box at the ISP, it becomes fair game. It is no longer in transit, but stored on a server. In the days of Telex, you'd take your message of the teleprinter, read it, and shred it, knowing that it was gone forever, not recoverable from your mail box or from backup tapes.

The third part of the ECPA laws deals with something called a Pen Register: a device that is attached to an old fashioned phone line to capture the in-band signaling of the phone numbers being called. Even though the privacy concerns for email or web proxy logs are identical, these situations are not covered by the Pen Register Act.

The underlying problem is this: although attempts were made in the laws to make them independent of a specific technology, those efforts failed because US law (unlike EU law) does not recognize a fundamental right to private communication. There are packages of specific rights secured by the Bill of Rights, statutes and common law privacy concerns, but these rights are much less than a true right of private communication. The reason is that you can't have a meaningful right to private communication when that communication is mediated by a third party like an ISP or a telephone company, not unless you have a fundamental right to informational privacy.

Without a right to information privacy, anything that falls into the hands of a third party is fair game. This includes information ISPs or telephone companies store in order to route and deliver a message, up to and including the entire content of the message. ECPA, which consists of the Wiretap Act, the Stored Communications Privacy Act and Pen Register Act, closed these loopholes in its time, but as of today those loopholes are wide open again.

This process will repeat itself forever, no matter how many times we close the loophole, until a fundamental right of informational privacy is recognized. We could do that be adopting into law the EU Data Directive. The reason we don't is that this would hurt US companies which are flourishing by exploiting the America's backwater status when it comes to privacy.

Re:The laws are technologically obsolete

[10101001+10101001]

The reason is that you can't have a meaningful right to private communication when that communication is mediated by a third party like an ISP or a telephone company, not unless you have a fundamental right to informational privacy.

There's a more insidious problem that this ruling creates. One important aspect of the ECPA, that created the modern Pen Registry, is a requirement that private parties not access the Pen Registry unless it's a necessary part of business. This was almost certainly created as a means to punish common carriers who would otherwise snoop or conspire through a Pen Registry, as well as provide a means for a common carrier to prove their lack of involvement in a conspiracy. On the other hand, if every single IP is in fact a part of a Pen Registry, then it suddenly becomes necessary to make careful steps in regards to the proper handling of logging, displaying, or otherwise using an IP address.

Having said all that, clearly the ECPA is unconstitutional. If the ECPA and other similar common carrier protection laws didn't exist, common carriers would demand a warrant before handing over information. To do otherwise would open themselves up to nearly endless conspiracy and neglect suits, as they could be claimed to being intentionally ignorant of the crimes that used their network as part of a scheme to make money (look no further than napster); after all, if law enforcement is capable of using the Pen Registry as part of information on an indictment or as probable cause, then it stands to reason that the common carrier themselves should be capable of reaching the same sort of conclusion. Of course, the resolution to that (which would still allow phone companies to exist) would have to involve removing a lot of the negligent and conspiracy laws. Funny how quickly unequal application of the law and purely unconstitutional law creates such nasty constructs.

Re:Law Reform

[Dunbal]

The constitution isn't divine. I call for a reform.

      Be careful what you wish for - the "reform" might not be quite what you wanted, citizen.

Especially where...

[Newer+Guy]

Especially where the URL in question links to an email message! Many webmail services use URLs to access individual emails. Snooping these addresses can actually OPEN email messages. How can this be allowed?

Re:Especially where...

[Kadin2048]

Well, although I agree with your general point -- that URLs are a whole lot more information than IPs -- however, I think the example of webmail is probably wrong. All non-trivial email systems, and all the public ones that I'm aware of, use some form of authentication besides just having hard-to-guess URLs.

So just knowing that I went to a particular webmail URL wouldn't let someone else gain access to it without also knowing my password, or having some other way to snoop the authentication. (Maybe copying the cookie from my PC, or some other method.)

Anyway, so I agree with you in general, but there are better examples.

Everyone ELSE is, why not?

[WheelDweller]

Keygrabbers, bots, password snooping...and that's just the guys from Microsoft! :>

If this stops building from exploding, it's fine with me. It's not like the net's been private for over ten years...

Want something private? Create an ssh tunnel.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Nothing to see here... move along...

[Hatta]

Sorry but this is bad news. Suppose you read an article on Fark, some guy gets busted making explosives or smoking salvia or anything crazy like that. You, being the curious type, do a little research and end up on some sites devoted to spreading information the application of which would be illegal. Whether or not you do anything illegal, you make some friends and hang around on their message board or IRC channel where 95% of the talk is off topic anyay.

Now the feds using their tap into the AT&T backbone and their data mining software pull your IP address as going to www.illegal.com repeatedly, and maybe looking at some lab glassware on ebay or whatever. This could amount to probable cause to raid your ass and seriously ruin your day.

The court is missing the point......

[budword]

Here is a little snippet from the Fine ruling..... Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ whereas a technique that captures URLs would also divulge the particular articles the person viewed. They seem to be saying it's more problematic if this surveillance technique is capable of yielding any useful information. Please explain why the government would even want to use any technique that's not useful ? Well, ok, some hypothetical other government, not the incompetent boobs we are stuck with. But you get my point. Another point to consider, the 9th circuit is the most frequently overturned court in the countryhttp://www.realclearpolitics.com/articles/2 006/11/supreme_court_cleans_up_after.html If reviewed by the supreme court, it very well might not stand.

This is great news!

[hacker]

Great news comes in strange forms sometimes...

Now we can all begin converting our internal infrastructure to using very strong, protocol-based encryption, end-to-end. Bittorrent for http, secure, anonymous, private networks wrapped around our standard applications and more.

Begin now, if you're not using strong encryption.. you should be. Don't let the government WE put into place, tell you what YOU can do with your own Internet time.

If the government we put into place is not representing your best interests, its time to replace them with one that does.

Lock everything down and keep prying eyes out.

Possibly.

[khasim]

What is efficient law enforcement? That's when the cops catch bad guys with a minimum of fuss and a minimum of disruption to the lives of the ordinary citizenry.

The way I look at it, if you could catch one more "bad guy" a day ... just by skipping some of the procedures and processes that we have to protect our Rights ... how many people would support that?

Lots.

As opposed to Ben Franklin's:

That it is better 100 guilty Persons should escape than that one innocent Person should suffer, is a Maxim that has been long and generally approved.

They'd rather follow Otto Bismark's opinion:

It is better that ten innocent men suffer than one guilty man escape.

The problem is that it is the Government that chooses what "crime" and what "evidence" will be used to charge a person.

And the Government is composed of people. Sometimes honourable. Many times petty and vindictive if not outright criminals. Which is why our country was founded upon the belief that you cannot trust the Government. That we had to limit the Government's authority and protect the Rights of the People.

It's all about how you view Rights and whether you are with Franklin or Bismark.

Re:Possibly.

[vuffi_raa]

personally I think that both of these quotes are off since the rational as it is is more like:
"let everyone suffer and let those connected with the establishment escape"

Not applicable anywhere but the Ninth Circuit

[glrotate]

Not exactly. While the decision isn't binding anywhere but in the Ninth, it is persuasive authority everywhere. And given that the 9th is the most liberal circuit in the nation, how could a judge elsewhere decide that the decision isn't liberal enough?

Re:What's the problem?

[goarilla]

says the coward without the guts to even post on a real account

2nd Amendment

[sconeu]

Re: crypto...

GP: Until they illegalize it.

PP: Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it? :

Actually, you could make a Second Amendment argument to the court. Is strong crypto still on the ITAR list? If so, it's a "munition" and the Second Amendment guarantees your right to it.

Re:2nd Amendment

[Ngwenya]

Actually, you could make a Second Amendment argument to the court. Is strong crypto still on the ITAR list? If so, it's a "munition" and the Second Amendment guarantees your right to it

I can't remember all the details, but ISTR that most publically available crypto systems were placed under the EAR (Export Administration Regulations) under the Department of Commerce, rather than the munitions list. The change happened under the Clinton administration, I think.

Anyway, I think the second amendment guarantees the right to bear arms (which various courts have indicated means firearms that can be personally carried), not all munitions in general. I'm pretty sure that your defence counsel would be less than happy arguing that your canister of nerve gas or your napalm flamethrower fell under the 2nd amendment. Good luck in trying, though! :-)

--Ng

Who said the other stuff was right?

[twitter]

The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.

That's a valid point, supported by disturbing evidence. What I think they want you to think is that they can require ISPs to keep the information and demand it at any time. TIA was planned before 911 and is largely in place, despite overwhelming popular objections and Congressional disaproval.

There are objections to the other practices as well.

Re:Who said the other stuff was right?

[whit3]

>The question is how are they capturing the IP addresses? If they're capturing
>the packets, that's the same as a wiretap.

It's a subtle point; when you phone your co-conspirator in the plot
to lob banana cream pies at cement trucks, you

(1) take the phone off-hook
(2) wait for the 'it's off hook' message to be received and for the
      telco to respond with a dial tone
(3) type out a number to connect to
(4) yak with Bob about the "Soupy Sales project"

The first three steps were communication with THE PHONE CARRIER and that's not protected
by the full force of the law. Because there are bombs that can be set off by calling a
rigged phone number, it's unclear that those steps SHOULD be protected against snoops.
In any case, Congress, should they believe there is a problem, could change the applicable
law.

The fourth amendment provisions against 'unreasonable search' had to be
interpreted after the advent of telephony, and that was left to Congress. The
court in this case just decided that step (4) is protected by statutes, but not
steps (1), (2), (3). Same goes for e-mail; the content is private, the address
is not.

CORDLESS phones 100% unprotected by law

[ThinkTwicePostOnce]

| And what happened with the anti-wiretapping laws passed several decades ago?

A court called household cordless phone calls "radio broadcasts" as I recall, so anyone can listen
in on them legally -- whether LE or a nosy neighbor kid.

Still true?

bogus judgement

[talledega500]

Likewise, the court said, although the government learns what computer sites someone visited, "it does not find out the contents of the messages or the particular pages on the Web sites the person viewed."

Unbelievable statement.

Anyway stop whining and do something about it.

http://www.mysecureisp.com/

Welcome to the USSA

[EEPROMS]

USSA (United Soviet States of America) were democracy is waved like a flag but never actually used.

Read the ruling - IP *AND* e-mail addresses

[SpaceLifeForm]

Ruling [PDF]

Alba challenges the validity of computer surveillance that enabled the government to learn the to/from addresses of his e mail messages, the Internet protocol ("IP") addresses of the websites that he visited and the total volume of information transmitted to or from his account. We conclude that this surveillance was analogous to the use of a pen register that the Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), did not constitute a search for Fourth Amendment purposes. Moreover, whether or not the surveillance came within the scope of the then-applicable federal pen register statute, Alba is not entitled to the suppression of the evidence obtained through the surveillance because there is no statutory or other authority for such a remedy.

Note that the excuse for non-suppression is disengenious, as the judge should have been the remedy.

Also note that if e-mail addresses were obtained, that means that more than just the IP headers were being looked at. Packet inspection had to be done in order to obtain the e-mail addresses from within the packet.

This ruling effectively is a precedent for the illegal NSA spying.

I skim too much...

[Antarius]

I read the headline as "Court Upholds Warrantyless Internet Shopping," and thought "Big deal. That's like buying something off of Ebay."

I guess that a misread like that might hint that it's almost time for me to consider going to sleep. Next thing I know, I'll be misreading reports of Microsoft making partnerships with novels, people buying Praystations, people going mad for IPphones and Gnus for Nerds.

Or maybe my brain has just gone offline from reading too many articles on the SCO case. I'm gonna get my lawyer onto Dril McBirde! I'll Suse!

Re:If the laws are obsolete, what do we do?

[Slard+Le+Soupio]

I like the passion and analysis of this entry, but I am always saddened to see so frequently a defeatist strain running through the commentaries here. I frequenlty see assertions as to a basic rights on slashdot, that while I may agree with, I can also see that reasonable people coulld disagree with. I could propose many rights that would be quite popular, but might give people pause if they thought that it was a consitutional right. Some countries (someone help me out and find this? The Economist had a great article on this several years ago) have enshrined a more social set of rights, such as everyone having enough food, healthcare, etc.

While many would think those are fundamental rights, many would not want the government ot be responsible for ensuring all have those rights, at least amongst many US citizens. These reasonable disagreements is why we have the Constitution, which is what we have to hang our hats on, and is why we have Article V to change it when we need to. And sure, someone will probably point out the 10th amendment, but that talks about people retaining power, not asserting rights, which I believe is a subtle but important distinction.

Anyway, with all the energy I see here that goes into asserting fundamental rights, (one of privacy in this case) I was glad to see an entry that alludes to the basic problem. I would contend though that an assumption that it can't be changed because of "corporate America" takes away so much of its potential. If the world really is different because of technology, and this InterWeb thingy, then go the grassroots route. It is done here on many issues. And I think that I sense a defeatist attitude because of past failures (for instance, in securing a fundamental fair-use right interpretation that would be favorable to end users). If you don't like how laws are being intepreted, then fight for new legislatoin to clarify in explicit detail what is needed. Grass-roots campaigns that are against major money interests have shown signs that they could be very effective in a relatively short period of time. Take the story of Porkbusters, for instance. While all of its goals have not been met yet, in a short order of time, they have raised awareness and gotten promises (but to little action yet unfortunatley) that their "demands" are met.

And I think people should aim higher though. I would love to see a grass-roots campaign emerge from a place like Slashdot, that would push for something like a right to "privacy" . For instance, something like "The right to privacy, being fundamental to a right of free though, shall not be abridged, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing . . . " (I would guess something about the time of the records in which one searched, but I just can't make it concise, like I think all rights should be stated) Maybe one could not get to the point of passing a Constitutional Amendment, but I could easily envision a movement centered around such a right to be embraced by a large group of people. From there, given that much of the audicence would be techno-philes, and this InterWeb thingy, you have the seeds of an inevitable Viral Marketing campaign which would almost inevitably result in some senators and congressment sponsoring at least to strenghten privacy in our laws.

That's what the 2nd Admendment is for...

[js290]

http://daviddfriedman.blogspot.com/2005/12/differe nt-argument-for-right-to-bear.html

Don't forget all your Little Brothers

[Sloppy]

Encryption. Learn it. Love it. Live it.

Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

One other thing to remember: while governments do tend to be the biggest threat to freedom and happiness, they're not all you have to worry about. Even that UK law only says you have to give your keys to the government, not just anyone who asks. You don't have to give your keys to Google, for example, so that they can scan your emails to give you better ads. You don't have to give your encryption keys to your neighborhood network-sniffing burglar so that he knows that you RSVPed to a party and you won't be home at a certain time.

Even if encryption doesn't protect you from active attacks by the government, you should be using it anyway. "Learn it, love it, live it" indeed!

Encryption doesn't help much. :-(

[TerranFury]

It doesn't matter if I say,

"Hey Bob-The-Anarchist, let's go be subversive!"

or

"Hey Bob-The-Anarchist, KJLJALIUHFFLKAJHSLSAUFRGGFGFGJEUCJDKUEUD"

Even if they can't decode the second one, anyone listening still knows I was talking to the "Enemy of the People," Bob.

So, seeing how what's at issue in this article is who you're talking to more than what you're saying, encryption is, unfortunately, not super relevant.

I think the only technical solution here is to use steganography and communicate through a very large (unwitting) third party -- like Slashdot: one might post reasonable-sounding forum posts containing hidden information. And even this solution is low-bandwidth, high-latency, and precariously-secure at best (were it high-bandwidth, it would come to dominate the traffic to and from that third party [Slashdot], and then the communication would become obvious). So basically, it's a pretty crappy compared with what we're used to.

I agree with your premise that we should routinely encrypt stuff; I'm all for encryption. But here I don't think it helps in particular, and, sometimes, a false sense of security is worse than no security at all.