Where To Draw the Line When Punishing Email Snooping?
CWmike writes "While it might seem like a practical joke or a harmless, furtive glance, e-mail snooping could land you in more hot water than you'd ever expect — you could be charged with a federal crime. The recent case of a Philadelphia TV news anchor charged with breaking into his co-anchor's e-mail accounts shines a light on the seriousness of such snooping. Scott Christie, a former federal prosecutor who headed up the computer hacking section at the U.S. Attorney's Office, said, 'You look over someone's shoulder and read a personal letter and that's not a crime, so how can it be a crime to access someone's e-mail? It's not the same thing, of course... What you're doing when you're accessing e-mail is affirmatively exceeding your access to electronic documents and systems.' He adds: 'Usually, you're doing that by pretending to be that person to break into their account.'"
It's worth noting that the Philadelphia man accessed his co-worker's email over 500 times, and his use of the information he found was hardly harmless. However, the rules and conventions for email privacy are much less familiar to most people than the laws regarding snail mail. At what point does a privacy breach demand punishment?
Wasn't privacy declared dead some time ago? So, no punishment, I guess...
He is alleged not only to have accessed her account 100's of times, but he is also accused of leaking emailed conversations she had with her lawyer.
You could say that it is stupid to have such conversations over email, but this was hardly "just looking over your shoulder."
It is making for some drama in Philly.
The other FA goes on to state that the reporter being charged accessed his coworker's email over 500 times! So IMO it is really not possible to "go too far" punishing someone with that level of utter disregard for the rights of others. According to wiki.answers:
"The deliberate withholding and/or opening of US mail that is addressed to another party is a violation of federal law. The penalty for tampering with US mail is a maximum of 5 years in a federal facility and/or a $250,000 fine."
Sounds reasonable to me. The thing I find incredible is that people aren't making that correlation between email snooping and tampering with the mail? Oh well, ignorance of the law has never been an excuse for violating it. Maybe after a few people get big sentences and fines for their asshattery everyone will know it is illegal.
Caveat Utilitor
.... another's snailmail?
then of course email should be treated the same, as it is private communication between sender and receiver.
You look over someone's shoulder and read a personal letter and that's not a crime, so how can it be a crime to access someone's e-mail
Talk about apples to oranges.
If you read somebody's letter over their shoulder, not a crime. If you read somebody's email over their shoulder, same thing.
If you break into their postbox and open their mail, that would be more comparable to actually entering somebody's account without permission to read email...
Just make the deterrent/punishment the same as accessing someone's paper mail without permission.
Sure, in some cases you have to pretend "to be that person to break into their account", in which case you might throw a bit of "fraud" at them as well, but in most cases, accessing snail mail and accessing physical mail are similar enough.
If you are reading something over someone's shoulder, they can tell you to piss off, cover it up or whatever. The difference is actually going to the mail box (whether it be physical or electronic) and accessing what is in it.
Oh yeah, I guess it might be slightly harder to prove that someone has accessed the electronic box (because they don't have to open any envelopes), but considering you should be treating email as you would post cards anyway... (That is, anyone between you and the destination can read it, unless you take measures to encrypt it or something.)
-----
Disclaimer, I don't believe the state should exist. However, my opinions expressed above are given on the condition that my belief is suspended for the time being.
I wank in the shower.
That seems like a silly argument. The default is usually every 10 minutes or more, isn't it? I would expect most mail servers to block an IP scheduling a check every minute. I know mine would.
Caveat Utilitor
Email snooping doesn't exclusively occur in the workplace - what if this furtive reading of emails occurs within the home? i.e. in the midst of a divorce, one party accesses the other's email in an attempt to get material to use against them in court? Is that means for punishment as well?
It's your dong, silly git!
Caveat Utilitor
After beating my head against the wall trying to get my company to enforce strong passwords, I instead started advising my employer to not put anything in an email he doesn't want someone else to read. Use the phone and FAX instead.
What this guy did was obviously against the law (the impersonating part, not the email reading part), but if he gets a good lawyer he'll get off with a small fine and some community service time counseling kids not to put anything in email they don't want others to see.
Oh, Mendte wasn't checking automatically, it was a webmail account. The logs were made public, and revealed that Mendte was quite obsessive about checking Lane's mail.
Mendte apparently put a physical keylogger on one of the computers Lane used in the newsroom, and got her account details. The only reason he got caught was because he got sloppy-- in (IIRC) March, he left a computer in the newsroom logged into Lane's webmail. Someone else working at the station saw it, thought it odd since Lane had been fired in January, and reported it.
This has been ridiculously huge news in Philadelphia and even managed to push the "hot chick and her boyfriend who stole people's identities" stuff off the front page for a while.
It should be the same as physically opening up someone else's mail from the snail-mail box. Being electronic changes nothing.
Sec. 1702. - Obstruction of correspondence
Whoever takes any letter, postal card, or package out of any post office or any authorized depository for mail matter, or from any letter or mail carrier, or which has been in any post office or authorized depository, or in the custody of any letter or mail carrier, before it has been delivered to the person to whom it was directed, with design to obstruct the correspondence, or to pry into the business or secrets of another, or opens, secretes, embezzles, or destroys the same, shall be fined under this title or imprisoned not more than five years, or both.
Gone!
Sigh. They are NOT repeat NOT talking about looking over someone's shoulder, or a furtive glance. They're talking about logging into another's email account and making the (damaging) contents public. But hey, this sort of confusion is what I expect from journalists - doesn't matter if they work for the New York Times or the Daily Shopper, they're all pretty much the same.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
The "looking over the shoulder" vs. "read someone's email" analogy is flawed. This would need to be two separate analogies. Looking over their shoulder to read a letter vs. looking over their shoulder to read an email on the screen, and accessing someone's email account vs. breaking into their house and reading the letters they keep in a drawer in their bedroom.
The former is rude, but not generally prosecuted. The latter is a crime.
Alicia Lane was busted in NYC after getting into a fight with a woman who turned out to be an undercover cop.
I suspect that this is the only reason why the monitoring even came to light. And if the conversations with the lawyer hadn't been leaked, this probably wouldn't have become such a big deal.
Make it prosecutable on the first offense, and pursue those cases vigorously. That is the only way that people will learn to not fuck with someone else's e-mail.
An earlier AC posted some info that definitely isn't in TFA... Maybe an inside source? http://yro.slashdot.org/comments.pl?sid=634517&cid=24457275
You read someone's snail mail without permission - it is an action punishable by law. You read someone's electronic mail without permission - it should very much be punishable by law, because the punishable action of reading snail mail is not that you read a letter written on paper, but that you read information addressed to someone else than you.
And privacy is only as dead as anyone wants it to be. If you say, go ahead, here are my login and password, read my mail, fine. But you know what? Some politicians in Germany have argued in favour of the infamous law for mass data retention. They have done so on this exact argument, that "on the Internet, everybody gives away all private information anyway."
Bullshit!
The grass is always greener on the other side of the light cone.
US Mail and E-Mail are fundamentally different. With snailmail, the government guarantees the timely and confidential delivery of your message, and it is a federal crime for a third party to interfere with that contract. Contrast that against E-Mail, where confidentiality is never guaranteed - consider every virus scanner and Junk Mail filter along the transmission path. However, when a third party breaks into an email account, a different crime is being committed - identity theft.
Laws that specifically protect US Mail should not apply to crimes involving electronic mail. The act of impersonating the victim should be sufficient for prosecuting the offender.
I can't believe you actually made one post without once mentioning Windows or Microsoft. So, who the hell are you and what have you done with the real Twitter?
It is a miracle that curiosity survives formal education. - Einstein
So, if something isn't guaranteed (privacy), then it should be perfectly legal to do so? Confidentiality is guaranteed at times. Third-party services such as virus scanners and junk mail filters usually have privacy policies that guarantee you a certain level of privacy. US snail mail doesn't guarantee 100% privacy. Mail can and does get opened up on occasion if certain conditions are met (jail, military, etc.). So, even US snail mail has conditions on the privacy, as does email. Why are they fundamentally different? It's a breach of privacy and should be treated as such.
A weak password does not waive the expectation of privacy and security at all. The fact that it is a password (read security access device) should clue you in to that. Bad argument.
Your defenses are still weak in general. If I give someone a key to my house, it doesn't mean I give them the right to come in whenever they want. If I have a key lock on my door that is easily cracked, it also doesn't mean my expectation of people not coming in is waived.
I can't believe you actually made one post without once mentioning Windows or Microsoft. So, who the hell are you and what have you done with the real Twitter?
Twitter hasn't been real ever since he started posting more than 140 characters.
The real twitter has been found dead, it appears he has been bludgeoned to death with a chair. His /. account is now a microsoft sockpuppet.
Lawyers live by e-mail, so it wasn't stupid of her to use a supposedly secure personal web mail account in her situation.
Larry Mendte installed a hardware keystroke logger on her work computer to steal her username and password. Then, he started leaking embarrassing information to a reporter for the Daily News (one step above a tabloid in Philly).
When Alicia Lane (the victim) got into a scuffle in New York, the arresting officer exaggerated the charges; Lane entered a deal that would see the charges dropped after several months of good behavior. But with all the negative personal publicity from Mendte's leaks, the station fired her.
As part of her lawsuit against the station, her attorney contacted the FBI with a suspicion that someone was accessing her account and leaking information and the focus quickly turned to Mendte, who obsessively viewed her as a rival. The FBI decided to pursue it as a criminal case because it resulted in substantial damage (loss of an $800,000 per year job and serious damage to her reputation).
It isn't like she was using the company e-mail system to work with her lawyer. She was using a private web mail account. Her legal problems (and Mendte's leaks) threatened her job.
the NSA doesn't like competition.
So it is illegal for you to read someone else's email, or for them to read yours. Unless you work for the government or a telco. Then you don't need a warrant, permission, or even a reason, and you can do so without fear of repercussion. Thank you, Mr. Bush, for a lovely eight years....
Why haven't they just extended the laws for snail mail to cover email, as it serves the same purpose? It's not like there isn't a major set of federal laws already on the books protecting the privacy of mail. Whether snail mail or email, it's still mail! Do it to a lot of things instead of creating new laws to do the same thing. Problem fixed, no new abusive laws need to be passed; of course then Congress would have nothing to do and rail at or use to screw us out of our rights. For the paranoid, the laws are defined pretty well so there would be little likelihood of extension into other areas leading to a potential totalitarian state. They kind of make it up as they go along anyway, whether lawmakers, judges, or prosecutors, so what's the difference. Just look at the last few SCOTUS decisions, or get inappropriately arrested for just standing on a corner and refusing to give ID. (papers please) -- hogans heroes
Privacy is highly overrated. Much can be done for the greater good when the very concept of privacy vanishes. The really important idea is that all entities should be free to study and accumulate all information. That puts government, the citizen and business on equal footing.
From the past I wonder just how much privacy an American Indian who spent his entire life with a tiny tribe experienced. Chances are everyone knew every little thing about every other member of the tribe. Did harm flow from that? I sort of doubt it.
There's something weird about the summary... there's an undercurrent of 'well people don't think it's wrong, but it is'
Hell yes it's wrong. Where do you draw the line? Why do you draw the line?
Especially because in this case it contained conversations with her lawyer. Why would anybody be going 'oh, well, we need to be careful to not overpunish here'...? I'd be worried about underpunishing.
It's like reading someone else's snail mail without their permission (a felony IIRC) except worse because you (almost) can't trace it and you can do it for every email
I hope he gets butthurt for this, and I still don't see why this is a question.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
I disagree, giving someone a key to your house DOES give them the right to enter. Maybe not ethically without knocking, but they do legally have a right to enter your home.
I have a T-shirt that reads "I read your email".
Everyone who knows me has seen me wear that shirt at one time or another.
I consider it fair warning.
You know, my mailbox doesn't even have a lock on it, all anyone has to do is open it to read all the letters inside. It's still a federal offense to do so. 'Expectation of privacy' applies to mail no matter how weakly it's protected.
Isn't this the same government that reads our e-mails as a matter of course and tells the courts that intercepting electronic communications isn't as serious as reading someone's mail?
Lacking <sarcasm> tags,
if you look over the shoulder of your co-worker, it does not matter if he's watching a screen or a paper. If you break into his locked desk or hack a password, this alone is a crime. If you open his unopened snail mail letter, in Germany this is also a crime; I think something similar may apply in the US - I would appreciate it if the laws for e-mail could match this. If you use information from this act, well, you could be facing all kinds of funny things, most likely civil charges (e.g. you forwarded his e-mails, which he sent privately, to your boss, without being properly instructed to do so, and the guy gets fired and you promoted; imagine there may be something in that for him). And inside the company, there is only one way to handle it - if somebody spies on his coworkers without that being part of his job (by the rules and the laws), fire him. No second chance. There are a lot of things where you could be lenient. Surfing privately etc. But for reading the colleagues' e-mail, the person has to go. If he was an admin, make sure he does not find another job easily.
$800.000 per year?
Cry me a river.
If I was her I'd just take the money from the previous years and call it a life.
Regardless of the e-mail snooping (which should be punished regardless) I think you deserve what you get when you make 800 grand a year on your looks and manners, yet throw it all away by calling a Cop (of all people) "a f---ing dyke".
These kind of articles make me think that (owning lots of) money must seriously melt your brain. I mean just look at that chick's face in the photo. Blown up to 800 grand meets Darwin I say. Yes, pun intended.
The details will depend on jurisdiction, but no--the right to enter your home at any time does not necessarily come with the voluntarily-given key. If I gave the maid a key so she could clean once a week, she would be committing trespass if she used the key to enter my house at four in the morning. If I fired the maid but forgot to take my key back, she would be trespassing if she used the key again--even if she showed up on Tuesday morning and cleaned my kitchen. More generally, when a key is given it is often accompanied (explicitly or implicitly) by conditions determining the situations wherein its use would be appropriate. Mere possession of a key is not necessarily sufficient to grant the would-be trespasser the rights and privileges of an invitee.
~Idarubicin
Well, at least where I come from, you're taught as a child that it's completely immoral to read someone else's mail without that person's consent. And I can't see why there should be any difference between snail mail and email. Reading someone's mail is on a par with breaking (seriously made) promises and oaths or being disloyal to friends when it has severe consequences for them. Decent people just don't do it, be it legal or not.
>So, if something isn't guaranteed (privacy), then it should be perfectly legal to do so?
Yes, as long as you have a legal right to be where you are, what you witness is perfectly acceptable.
I know there are gray areas like looking into windows from the road, and so on. But if you have a legal right to be where you are, what you witness from there is acceptable, and can be used as evidence.
If you do your "email snooping" while burglarizing an office, that's a crime.
-fb Everything not expressly forbidden is now mandatory.
OK, I know that when you sign up the fine print gives them the right to study your emails. And I know that it's not a human being, but an automaton reading the email, and directing spam toward your screen. The Telcos are drifting in that direction. Ha, the NSA has plenty of company. And what happens when their (Google, Verizon, and the NSA) software gets good enough to be called intelligent?
Even if prosecutors aren't interested if you sign your right to privacy away, but this is a good place to discuss the bigger picture.
At what point does a privacy breach demand punishment?
The problem's in the question.
If you look for a single point, you create a system where it reinforces bad behavior...
Minor breach: "You pesky perisher, you!" "Hmm, guess I can do it again, no consequences."
Medium breach: "Tut, tut, very naughty!" "Hmm, guess I can do it again, no consequences."
Major breach: "That was very naughty!" "Hmm, still no consequences, this shit really is risk free."
Marginally less major breach that someone makes an issue of, "YOU ARE EVIL, YOU MUST DIE!" "WHOA! That's kind of unfair. No one had an issue before!"
Instead of reinforcing that a behavior is consequence free, how about an escalating scale that allows for minor infractions to be punished suitably, ensuring most people learn before major punishments become necessary and those that do get the major punishments truly deserve them.
Make every case of a snooping ex punishable by a $500, easy to obtain, civil judgment in small claims - with more serious ones slowly gaining criminal records, probation, jail time, etc. Let them know that there are consequences there and then you likely won't have them learning it's OK and you're giving a sudden and apparently inconsistent sentence when they do it hundreds of times, accessing more sensitive information.
Any access through an insecure email service (Hotmail, Gmail both do not use https for anything other than for login credentials as far as I can tell) is just asking for this to happen to you. The fact he used a keylogger is irrelevant. He could have just as easily been 2 routers upstream sniffing traffic with wireshark and done the same thing.
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
The company owns the computers and network, that gives them a right to monitor it and decide who gets access to what. It is the same at your house, in many (most?) states. I can, if I wish, bug my house. I can have cameras record everything, I can tap my own phones, etc. It's my house, so I can do what I please. However I can't bug YOUR house, at least not without your permission. To do so is a fairly serious crime.
Basically, I have an expectation of privacy in my house, but you don't. Likewise you have an expectation of privacy in your house, but I don't. If it is your stuff, you get to determine how it is used, how it is watched and so on. You don't get to make that determination for someone else though. Thus a company can monitor what you do at work, but not at home. If they want to install monitoring software on your work computer, that's their right. If they try to install it on your home computer without your permission, that's breaking the law.
The protocol at IBM used to be swiveling around when a user was entering their password(s); towards the end (of my career) I noticed that the young crowd no longer did this but seemed to watch intently everything you typed. I wrote up (disciplined) several trainee techs for this. While your tinfoil hat may or may not be necessary, those privacy screen gizmos are a good idea and if anybody is standing where they can see your keyboard move to block their view when typing passwords, etc.
I killed da wabbit -Elmer Fudd
Gmail will use SSL for the actual email IF (and only if) you get to it by typing https://www.gmail.com/ rather than http://www.gmail.com/ (this gives you a certificate error though, you really need to use https://mail.google.com/) - it will stay on whatever protocol you initially access it with.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
And handily, if you PGP your mail (or S/MIME, if you must) that protects the data at rest _and_ the data in motion. The only benefit of using SSL then is to protect your password, and if you're not using either APOP or one of the MD5 IMAP authentication styles then indeed it's worth doing. But the PGP is numbers one, two and three on your list.
ian
If it's enforced against civilians though, I want it enforced against government employees and contractors who do the same thing without warrants.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
A couple of areas they get upset with you for Vid-Cam usage is the bathroom and any bedroom. Otherwise you're fine to bug/video monitor any public area of your own home.
Mod me up/Mod me down: I wont frown as I've no crown
They also typically contribute less to political campaigns.
Even once is too much. Break into someone else's account, even if doing so is easy, and go to jail. It really must be that simple, as this is unconscionable behavior.
Disclaimer: Posting as AC so that current employer will not recognise me.
Here in Switzerland, there is no legal distinction between email and snail mail. Both of them are covered by a law known as Briefgeheimnis, and opening or viewing either belonging to another person will get you into serious legal trouble.
I was accused in a previous job of accessing the boss' email (I was a sysadmin, and he had actually asked me to look why his email wasn't functioning correctly). It was pretext to fire me and I had of course looked at his email having been asked to do so, and he denied having asked me to do so.
In the end I couldn't defend myself and he couldn't prosecute (after my lawyer contacted his lawyer) but I had to go in any case.
Moral: Be VERY careful when accessing other people's email. Make sure, that if you do because you are asked to, that there are witnesses.
Got to be careful. There are a number of laws that you can get busted on in this one. If you really can't resist snooping into email, then get into Information Security or systems administration. Then you can do it legally, if your policies are set up properly.
Open Source: Eroding the Digital Divide
Twitter never mentions Windows or Microsoft--he only mentions Windoze and Micro$haft.
A fool and his lamb are worth two in the bush.
The lawyers for EFF and ACLU made an initial mistake when suing about privacy.
They should have equated reading email as similar to postal mail except it is speedy.
This is similar to how railroads established acquiring legal rights of corporations as a person.
If ACLU and EFF had set a couple of precedents for email as faster postal mail (ya, it is dumb, but then judges need a precedent), then it would be easier to sue governments for opening up mail.
Instead these two organisations tried to make it as a new front, thus enabling the government and corporates to use their muscle to remove email from postal mail snooping laws.
Otherwise, Amex and Visa would long have been criminally convicted for mail snooping.
"Doing what i can, with what i have." ~ Burt Gummer
if we couldn't snoop on our cow-orkers email, the Terrorists (tm) would win!