Virginia High Court Wrong About IP Addresses
The first 20 pages of the decision, which are all about legal standing, jurisdiction, and overbreadth, made my eyes glaze over. I'm not analyzing those at all except to point out that on most of those issues, the lower court came to exactly the opposite conclusion from that of the Virginia Supreme Court, and there is no reason to think that the higher court is any more likely to be "correct" than the lower court (even granting the assumption that there is an objectively "correct" answer to these questions). Any time you feel intimidated by "experts," it's helpful to step back and ask whether the alleged experts even agree with each other.
Page 21 is where the technical stuff starts that we can tear apart directly. The decision says, in talking about the transmission of e-mail:
The IP address and domain name do not directly identify the sender, but if the IP address or domain name is acquired from a registering organization, a database search of the address or domain name can eventually lead to the contact information on file with the registration organizations. A sender's IP address or domain name which is not registered will not prevent the transmission of the e-mail; however, the identity of the sender may not be discoverable through a database search and use of registration contact information.
These are statements that are only true if you play some kind of parlor game to
find a way to read them as "true," not statements that indicate the court knew
what was going on. To review: IP addresses in the U.S. are generally allocated
by ARIN in blocks to Internet service providers and Web hosting companies; these
companies then lease the IP addresses to their customers. You can look up an IP
address with ARIN to determine which ISP or hosting company has been assigned
that particular block, but the ISP or hosting company generally won't tell you
the identity of their customer who has leased it from them. And anybody
can register a domain, but most domain registrars give you the option of registering
the domain anonymously, so that only the registrar knows the owner's true identity.
So the court's statement that a database search "can eventually lead" to contact
information is correct only if you clarify that it "can" lead there, but it usually
won't. As a finding of fact, this is 100% true, and about as useful as "Obama might
win in November. Or he might not."
But it's impossible to defend what the court says next:
As shown by the record, because e-mail transmission protocol requires entry of an IP address and domain name for the sender, the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name. Therefore ... registered IP addresses and domain names discoverable through searchable data bases and registration documents "necessarily result[] in a surrender of [the speaker's] anonymity."
Now, there are two possible definitions of "anonymity" to consider: (1) you can be anonymous
to the extent that ordinary citizens reading your content cannot determine your identity
without a subpoena; or (2) you can be anonymous to the extent that even the government,
armed with subpoenas and wiretaps, can never find out who you are. But under either
interpretation of the word, the court's statement that "the only way such a speaker can publish
an anonymous e-mail is to enter a false IP address or domain name," is wrong.
By default, almost all Internet users are already anonymous in the first sense, even without
using forged headers or other tricks in their e-mails. When you send e-mail through your own
Internet service provider's mail server, or when you log on to Hotmail and send messages from
a Hotmail account, or when you lease a dedicated server from a Web hosting company and use it
to send mails, the messages don't contain any more information about your true identity than
you decide to put in them. Only the government could ordinarily discover your identity in those
cases, by looking at the IP address that the message was sent from, and subpoenaing the Internet
service provider or hosting company for the identity of the person using that IP address at that
time.
But there are even ways to be anonymous in the second sense -- such that not even the
government could identify you -- without resorting to forged e-mail headers. You can create
Hotmail and Gmail accounts without giving the providers any of your true information. When
you send messages through those services, they pass along the IP address that you used to
connect to their Web sites, but you can obscure your IP address as well, by using an anonymizing
proxy or a service like Tor.
Elsewhere in their decision, the court indicated that what they really wanted to protect
was the right to send anonymous bulk e-mails that were political or otherwise
non-commercial. But even by that standard, it's still possible to use Hotmail and Gmail
together with an anonymizing proxy (the mail services do impose limits on how many messages
each account can send in a day, but if you want to send bulk mails badly enough, you can always
sign up for multiple accounts). And if you only care about staying beyond the reach of U.S.
subpoena power, you can always sign up for a dedicated host overseas and send the bulk mails
from there.
Apart from the court's misstatement that forged headers are the only way to publish anonymously
in e-mail, there is the incorrect presumption that forged headers actually do afford
anonymity in either of the senses given above. The court wrote, "[T]he only way such a
speaker can publish an anonymous e-mail is to enter a false IP address or domain name."
But while it is possible to enter any domain you want in your return e-mail address
when you send an e-mail, the court apparently didn't know what it was talking about when it
referred to "entering a false IP address." You can't just "enter" any arbitrary IP address
when sending an e-mail. If user@domainname.com receives an e-mail, the mail server at
domainname.com has to receive the message over a connection made from some other machine,
and the domainname.com mail server can always see the IP address of the machine on the other
end of the connection. Normally, this machine on the other end would be the mail server of
the sender's Internet service provider. Or if the sender has leased a dedicated machine at
a hosting company, that dedicated machine would be the one connecting to the domainname.com
mail server. Some desktop spamming programs let you turn your home computer into the sending
mail server, so that it connects directly with the remote mail server to send the message.
In all of these cases, the receiving mail server can see the IP address of the sending
machine, so a government subpoena would usually be enough to determine the sender's identity.
(I know you all know this, but I have delusions that some helpful clerk will print out this
article and explain this to the judge.)
When spammers "enter" false IP addresses in sending mails, that usually means entering made-up
IP addresses in headers that are sent along with the contents of the message. However, these
would normally only have the effect of throwing someone off the trail who opened the message
sent to user@domainname.com and was reading the headers manually. Perhaps they would see some
random IP addresses scattered in the headers, would go to ARIN and look up the hosting company
or ISP that those IP addresses were assigned to, and would mistakenly file a complaint with
that company. But the domainname.com server can always see the true IP address that the message
was received from, and for people who know how to read the headers properly, that IP address
will be indicated in the headers as the address that connected to the domainname.com mail server
to send the mail.
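The header-reading rule described above, as an added example that is not part of the original article: walk the Received headers from the top and trust only the lines written by your own mail server. The host name mx.domainname.example, the function names and the sample message are assumptions constructed for illustration; all addresses come from documentation ranges.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the article). The top Received line is
# the one written by our own server; the two below it arrived with the message
# and could have been typed in by the sender.
SAMPLE = """\
Received: from mail.sender.example (unknown [203.0.113.45])
\tby mx.domainname.example (Postfix) with ESMTP id 4F1A2B3C
\tfor <user@domainname.example>; Mon, 15 Sep 2008 10:02:11 -0400 (EDT)
Received: from relay.isp-one.example ([198.51.100.7])
\tby mail.sender.example with SMTP; Mon, 15 Sep 2008 09:58:40 -0400
Received: from [192.0.2.99] by relay.isp-one.example; Mon, 15 Sep 2008 09:55:02 -0400
From: "Someone" <news@forged-domain.example>
To: user@domainname.example
Subject: constructed sample

body
"""

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _peer_ip(received):
    """Return the first valid bracketed IPv4 literal in a Received value."""
    for candidate in IP_RE.findall(received):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. [999.1.1.1]: looks like an address, is not one
    return None


def _all_ips(hops):
    """Addresses that appear in the given Received values, in order."""
    return [str(ip) for ip in map(_peer_ip, hops) if ip is not None]


def connecting_ip(raw_message, trusted_hosts, internal_nets=()):
    """Find the address our own server recorded for the external sender.

    trusted_hosts: lower-case names of mail servers we operate (assumption:
                   the caller knows these).
    internal_nets: networks used for hand-offs between our own servers.

    Returns (recorded_ip, unverified_ips). recorded_ip is None when no
    Received line written by a trusted host is at the top of the message.
    """
    hops = message_from_string(raw_message).get_all("Received") or []
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    # Received lines are prepended, so the newest is first. Stop trusting at
    # the first line that was not written by one of our own servers.
    for index, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if not by or by.group(1).lower() not in trusted_hosts:
            break
        ip = _peer_ip(hop)
        if ip is None:
            break
        if any(ip in net for net in nets):
            continue  # hand-off between two of our own machines
        # First trusted line with an outside peer: this is the machine that
        # actually connected. Everything below it came with the message, even
        # a line that claims to have been written "by" our own host.
        return str(ip), _all_ips(hops[index + 1:])

    return None, _all_ips(hops)


if __name__ == "__main__":
    recorded, unverified = connecting_ip(SAMPLE, {"mx.domainname.example"})
    print("recorded by our server:", recorded)
    print("sender-supplied, unverified:", unverified)
```

An abuse report built from this output goes to the network that holds the recorded address; the unverified addresses are the ones the article says would send a complaint to the wrong company.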
So the court's statement that "the only way such a speaker can publish an anonymous e-mail is
to enter a false IP address or domain name" is doubly wrong: because it's easy to send e-mails
anonymously without using forged headers, and because forged headers do not in fact provide the
level of anonymity that the court said should be protected anyway. The only way to truly
obscure your identity by hijacking a third-party IP address without permission would be to
hack into a third party's computer, by infecting a user's home computer with a Trojan horse for
example, and use it to send mail. Presumably the court was not contemplating that such an
activity should be considered legal, even as a means of sending political speech.
It would presumably be unconstitutional for an anti-spam law to prohibit anonymous political
e-mails which attempted to hide the sender's identity -- that is after all what
"anonymous" means! You couldn't pass a law outlawing Tor, for example. But the Virginia
law doesn't apply to senders merely trying to hide their identity; it applies only
to the use of computers
"to falsify or forge electronic mail transmission information or other routing
information in any manner in connection with the transmission of unsolicited bulk electronic mail"
(emphasis added). There is a difference between obscuring one's identity (which Tor and anonymous
remailers allow you to do), and actively trying to frame an existing third party by using
forged headers to make the mail appear that it came from somewhere else, especially when
sending bulk mail, which is likely to generate complaints whether it's commercial or not.
By contrast, the Washington anti-spam law prohibits any mail which "misrepresents
or obscures" the origin of the message (emphasis added). This is broader and
could be construed to include a wider range of things, such as the use of overseas IP
addresses to send bulk mail on behalf of a U.S. company, or the use of anonymously registered
domains to hide the sender's identity. It would probably be unconstitutional to prohibit
these obscuring techniques for non-commercial anonymous e-mail, which is why the Washington
law specifically applies only to commercial messages.
But here I'm getting into issues like constitutional law where different experts might disagree.
The clear-cut technical fact is that, contrary to the court's ruling, forged e-mail headers do not
provide true anonymity when sending mail, whereas there are other, legal, ways of sending
mail that do make the sender truly anonymous.
What is frustrating about the court's misstatements about IP addresses, domain names,
and anonymity, is that the judge is obviously intelligent and could have understood
the concepts if they had been explained correctly to him. I held some misconceptions
for a long time myself about domain names and IP addresses, because the first explanations
I read were incomplete or wrong, or I didn't understand them.
But the mistakes in the ruling would have been caught if
the judge had just shown a draft to an Internet guru and said, "Hey, can you check if there's
anything wrong here?" I know, I know, that's "just not done" (and there are
probably formal rules in most states
against showing a draft of a ruling to a third party before publishing it, even if the
third party reviewer is sworn to secrecy, as they should be).
But there's nothing stopping the judge from asking a technical expert during the trial,
"It seems to me that the only way to publish anonymously on the Internet would be to use
forged headers in e-mail. Can you tell me if that's right before I go too far down that
line of reasoning?"
I've appeared before judges in Small Claims court who did ask questions about any part of
the technical issues that they wanted to understand, and were even willing to revise
some prior misconceptions. But all of them, even the open-minded ones, proceed by gathering
information during the trial, and then in the conclusion, spell out their argument and their
ruling (during which time you're not allowed to interrupt), which is then set in stone unless you appeal.
I've never seen a judge say, "Here's the line of
reasoning in my head right now, and my tentative conclusion. Is there anything in that
chain of reasoning that you want to dispute, before I make it final? I am not
promising to change my mind just because you disagree with something. But I will take it
into account." This is essentially what scientists do when they submit their papers for peer review
before publishing them, to minimize the chance of making an error. Judges could do the same thing
-- if not formally, because they're not allowed to show opinions to third parties, then at least
informally, by running their ideas past the experts assembled in their courtroom -- to reduce
the chance of making a mistake. But have you ever heard of a judge doing that?
The Virginia judges probably did about as well as one could be expected to do, having learned
all these technical terms only recently, and then withdrawing to their chambers to form an
argument without any feedback from any technical experts. So, given the technical howlers
that ended up in the ruling, the moral is that forming an argument in isolation from experts
is probably not the right way to go about it.
Man, I was gonna read it, but I clicked and then by the time I scrolled down a bit, and a bit, I was too tired and/or bored to continue.
As much of the issue in this case seemed to involve forged headers, have any of the companies whose domain names were used in a forgery ever tried suing under slander laws?
Build it, and they will come^Hplain.
There was no such decision by the Supreme Court! I staged a man in the middle attack and FOOLED you with my forged headers!
If you aren't prepared to put your name to what you say, then I don't want to hear it.
It is my firm belief that I would tread on the rights of others to prevent spam. Spam is a cancer of ISPs and most importantly it is god damn annoying!
But the real problem is Nigerian 419 spam. Those evil little pygmies have ripped off Americans and other bloats for a while. I think maybe the government should step in and do something about it. Too many old men think they are falling in love with an attractive online retailer entrepreneur and turning into stolen merchandise drop sites and distributors.
When will the government or hacker community do something about it?
Dr. D
If you aren't prepared to put your name to what you say, then I don't want to hear it.
Tell that to all the Iraq war protesters (when it first started) who had their houses vandalized and were assaulted because of their views.
Or the folks who disagree with their Governments and are being watched, were tortured or killed.
Or how about being an atheist in a theist country and trying to get work - outside of working for Bill Maher.
Just saying.
tl;dr
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
> ...which may enable the state to win on appeal.
This is the Virginia state supreme court ruling against Virginia state law. Just who do you think they are going to appeal to?
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
This is the same court system that required a server's RAM to be held as evidence, since it was a data-storage device.
Someone will challenge this, and the State will lose. That's the way the system works.
I want to delete my account but Slashdot doesn't allow it.
spam != anonymous mail or free speech. for a start it's not anonymous by its very nature - they WANT you to contact them and know who they are. it's also not free speech, because free speech means i'm free not to listen or help you in any way. spam intrudes on my inbox.
If you mod me down, I will become more powerful than you can imagine....
First of all, I think anyone interested in sending anonymous emails containing criticism of the government will agree that opening up a Hotmail account won't cut it. Nor does it make sense to do this through Tor and hope that the service works correctly, has no security vulnerabilities, etc when you can just forge some headers and get direct access. Finally, what makes you think that people will only do this from their home PC? What if someone goes to a cafe, or rides by an unsecured wifi spot, or something like that? Not to mention that for some protocols (maybe not mail), you could spoof your IP address.
So they think IP addresses are like ID cards and nobody can spoof them... shows the sorry state of affairs and why we get so much spam and nobody is accountable for it and why they can't catch the spammers.
slashdot rocks
Virginia needs to consider the economic benefits of spam.
http://rocknerd.co.uk
IANALY, because I have another 1.5 semesters and a bar exam to go. However, I still know a lot more about the law than you, which is why I know things like this was a VA Supreme Court case, not a trial.
Appeals don't work like your small claims cases (thank the gods). You have written briefs from the parties and any interested amici curiae, which is where your technical experts come in. The "trial" is oral arguments before the justices (not "judges") of the VASC, where the two parties have fifteen minutes to emphasize certain parts of their cases while the justices interrupt with questions as the mood strikes them. Typically, this is where the justices ask for further explanations of the arguments in the brief, generally about things that seem not to make sense or could use further clarification. Sometimes, justices will ask questions that draw better arguments out of a party, so as to convince other justices around to their way of thinking.
A justice would never ask, "Well, I'm going to rule this way; what do you think," because that's not the appropriate language for the Court; you're confusing a peer-to-peer relationship with one that is decidedly not. The attorneys for the parties aren't peers of the justices, and the amici aren't peers of the justices. Your role as party or amici is to provide the justice with the information the justice wants in order to come to a conclusion. However, justices will ask questions to get at facts they need, and a skilled lawyer will be able to figure out where a justice is headed from a question, and explain why that reasoning is good or bad.
It's all well and good to have a layman's critique of the system, but it would help if the layman wasn't basing his opinions on completely irrelevant experiences and actually knew something about the system he was critiquing. Hell, even a quick Wikipedia search would have prevented basic misunderstandings about the nature of the court: http://en.wikipedia.org/wiki/Supreme_Court_of_Virginia
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
You take a bunch of old lawyers that have no concept of how technology works, mix in some ego, and have them make decisions on it. It's only going to be right by accident.
IP and MAC address can be spoofed, so that the ISP will not know the true address and location of the originating client endpoint. Also if WiFi is used, then it becomes easier to hide the true endpoint from the ISP and mail server.
A court is generally not supposed to know anything that's not brought to its attention in the case, other than legal issues which the court is supposed to know all about. If a court issues an opinion in which it is wrong about how e-mail and IP addresses work, that is simply because one of the following things went wrong:
On technical matters, when a court gets it wrong it is usually not the court's fault.
"Spam and other forms of abuse are not speech, just as a brick with an attached note thrown through a window is not publication." If that's correct, then the 1st Amend. doesn't apply and the whole argument can be tossed.
> The first 20 pages of the decision, which are all about legal standing, jurisdiction,
> and overbreadth, made my eyes glaze over.
So legal stuff makes your eyes glaze over and yet you are going to give us your legal opinion. Right.
> I'm not analyzing those at all except to point out that on most of those issues, the
> lower court came to exactly the opposite conclusion from that of the Virginia Supreme
> Court, and there is no reason to think that the higher court is any more likely to be
> "correct" than the lower court (even granting the assumption that there is an
> objectively "correct" answer to these questions).
The Virginia Supreme Court is the ultimate authority on matters of Virginia state law. Where Virginia state law is concerned what the Virginia Supreme Court says is "objectively correct".
If the court had upheld the conviction then the defendant could appeal to Federal court on the grounds that the law violates the First Amendment. However, since the court overturned the conviction the state has no grounds for an appeal to Federal court because there is no Federal question.
I agree that there may be flaws in the court's reasoning, but the nearest thing to an appeal is for the state to ask the Virginia Supreme Court to re-hear the case.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
did anyone else wake up to 26,300 or so emails from false IP addresses in Stafford County, VA?
. . . which may enable the state to win on appeal.
What appeal? Think the US Supreme Court is going to take this case? Possible, but unlikely.
"We reject as false the choice between our safety and our ideals." --The American President (20.1.2009)
Comment removed based on user account deletion
But it's impossible to defend what the court says next:
As shown by the record, because e-mail transmission protocol requires entry of an IP address and domain name for the sender, the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name. Therefore... registered IP addresses and domain names discoverable through searchable data bases and registration documents "necessarily result[] in a surrender of [the speaker's] anonymity."
Impossible to defend? Just watch me.
You're overlooking a perfectly reasonable generalization that the judge is making. The IPv4 packet headers and the email headers, to the judge, are one and the same: Both can be used (indirectly) to identify the sender of the email, and both need to be "forged" in order to send anonymous email.
Keep in mind that tunnelling your packets through a proxy effectively "forges" the IPv4 source address, since the communication is actually originating at your computer, but on the receiving end, it shows up as being from the proxy, even though the communication actually originated elsewhere.
The judge was right to point out that you can't communicate on the Internet without including some kind of "sender address", and this address needs to be forged in order to use the Internet to communicate anonymously. As far as his argument is concerned, it doesn't matter whether the headers you're forging are specified in RFC 791 or in RFC 822.
http://outcampaign.org/
I don't know what this has to do with the subject at hand, but I agree with you to some extent. I don't agree that it has to do with people addicted to their jobs, although there are certainly people who are. There are also people addicted to the Internet, or addicted to TV viewing or going to those bars you mentioned. If the people who promote the abandonment of religion (and that would be the majority here on Slashdot) can't find a substitute better than just sitting all day hitting refresh on your browser, I don't think there is much hope for things improving.
I'm not saying necessarily that religion is the answer (although it certainly is an answer). But I see few alternatives presenting themselves. Marx said that The State would for a while become our religion, and I don't care what anyone here claims, we are going down the same path as the Soviet Union, only without a bloody revolution. Der Spiegel is today celebrating the death of capitalism and American dominance, except we haven't been practicing capitalism since the 1800s. Popular belief among American "intelligentsia" is that we now have the power to control every aspect of our society and I foresee that after the next election any failure of such control will simply engender a feeling that the controls weren't strict enough. That's what I'm seeing every day in the mainstream media.
That control, ever more sophisticated, will soon, even if it hasn't already, make anonymity impossible. The novel 1984 may have been a failure in terms of the timing, but I don't think it is far off the mark in terms of where we are going, and the direction as well as end-point to me seems fairly inevitable.
I think I have accidentally wandered back on-topic, my-bad.
The first 20 pages of the decision, which are all about legal standing, jurisdiction, and overbreadth, made my eyes glaze over. I'm not analyzing those at all except to point out that on most of those issues, the lower court came to exactly the opposite conclusion from that of the Virginia Supreme Court, and there is no reason to think that the higher court is any more likely to be "correct" than the lower court (even granting the assumption that there is an objectively "correct" answer to these questions). Any time you feel intimidated by "experts", it's helpful to step back and ask whether the alleged experts even agree with each other.
Well this quote really gets the article started off with a bang. First of all, the expertise of a trial court and a state supreme court should not be presumed to be equal. A trial court judge could be as fresh as the day is young, but a supreme court justice there has to be elected by the legislature and has to go through a vetting process that favors experience.
This sort of "all experts are equal" attitude confuses issues like global warming, where there are clearly people more knowledgeable about a subject than others, but the public is tricked into believing that "balance" demands we treat anyone with an opinion as equal to anyone else.
Now, there are two possible definitions of "anonymity" to consider: (1) you can be anonymous to the extent that ordinary citizens reading your content cannot determine your identity without a subpoena; or (2) you can be anonymous to the extent that even the government, armed with subpoenas and wiretaps, can never find out who you are.
For purposes of government action against citizens violating the law, the latter is the only one that matters. (Well, that plus what the government can't find out without violating the 4th Amendment.) The former is of little relevance. The courts shouldn't rest all First Amendment protections on whether or not the average person can figure out who you are instead of the bodies entrusted with the duty to enforce the laws against you. Otherwise, anonymity would be meaningless in a legal sense except as an excuse to provide a mirage of privacy for citizens.
But there are even ways to be anonymous in the second sense -- such that not even the government could identify you -- without resorting to forged e-mail headers. You can create Hotmail and Gmail accounts without giving the providers any of your true information.
Courts generally will not favor solutions that revolve around you fraudulently entering into an agreement with email service providers who require you to provide accurate information when signing up and agreeing to their service contracts.
Furthermore, you always have to give an email address for confirmation when signing up for such services, and eventually if you peel back enough layers of registration, the courts can find out an account where you had to give real information to someone (whoever you pay for your initial email account), so this is no guarantee of privacy at all.
In all of these cases, the receiving mail server can see the IP address of the sending machine, so a government subpoena would usually be enough to determine the sender's identity. (I know you all know this, but I have delusions that some helpful clerk will print out this article and explain this to the judge.)
Didn't you just completely defeat this argument by mentioning the use of Tor a few paragraphs above?
Also, while the court is interested in protecting legitimate political or commercial speech (and thus speech not made by illegal activities), most spammers "fake" IP addresses by sending mail from virus hijacked machines, so a government subpoena is useless to find their identity in the case of a real spammer.
It would presumably be unconstitutional for an anti-spam law to prohibit anonymous political e-mails which attempt
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
...Stop referring to links as "magical little links."
It's hokey.
Not trying to be an armchair-attorney here, but I don't think people arguing in front of a state (or federal for that matter) Supreme Court should expect the justices to know anything about how the Internet works. The attorneys making the case should have made it clear to them and if they deliberate with the wrong assumptions you're either making a bad case or your opponent makes a convincing lie.
But again, "IANAL but I play one on /." applies.
Seriously, you really have no clue what you are talking about.
I don't know where to start.
Here's what I have to say. You don't nitpick on a few lines in a long judgment and claim the decision is bad just because of that few lines.
It's like if I found a typo in your post and claimed it was all bullsh!t. Worse, I said it was boring and I only noticed the typo.
The rant is understandable, since somehow the law eludes many (although personally with hindsight it's not that hard to get), and most people don't know how their legal system works, but I really can't imagine this getting through the slashdot filter and posted. Yes, even by slashdot standards. (Yes Taco I'm talking about you)
Don't quote me on this.
Oh no! http://xkcd.com/386/
Cool, so does that mean fake ID is constitutionally protected so that I can preserve my anonymity when doing things in public?
Sometimes (well, quite often actually) judges rule on technology issues without really having nearly enough understanding of the underlying issues and what it means. It's amazing how a poorly misunderstood bit of technology can lead to a ruling which has absolutely no relation to how reality works.
And, just because you have the right to free speech, doesn't mean that I'm required to actually listen to you. Decreeing that allowing forged headers in order to allow the special case of some religious or political nut screaming in my ear is ludicrous. Your freedom to speak does not confer an obligation on me to listen.
Someone should start spamming this guy with several thousand emails with forged headers expounding the virtues of the Flying Spaghetti Monster, or calling him at home with forged caller id telling him to vote for the Nut Job Party so he can see the flaw in his reasoning.
If the analog is a phone call, you don't have the right to anonymously phone me over and over.
Cheers
Lost at C:>. Found at C.
So SPAM is different from anonymous random cold-calling that we can easily defer from by adding our phone numbers on the DNC list. Oh that's right, email isn't REAL, so it doesn't count the same way. SPAM as a statistic is 90% of all email traffic and yet it's not a problem. Do these judges not have/use email? Are they all so old and their ways old-fashioned that they don't see our inboxes stuffed with crap to the point where we have to pay for hardware(enterprise) or software(home) solution to end the SPAM madness? Legally and any other way I believe SPAM is wrong. The fact that a judge/judges that clearly has no understanding of the subject matter could rule one way or the other is and should be a case of malpractice. We are granted the right to a jury of our peers(despite what we really get) so why can't the judge be held to the same? If I ever went to court a la Terry Childs, I'd hope to have at least a few IT people on the jury. I know if it was a jury of CEOs I'd fry for such an infraction. In summation Judges + Technology = bad decision.
OMG! Ponies!!!
I don't know what this has to do with the subject at hand, but I agree with you to some extent. I don't agree that it has to do with people addicted to their jobs, although there are certainly people who are. There are also people addicted to the Internet, or addicted to TV viewing or going to those bars you mentioned.
The important difference in those is that the former addiction would appear to be actively endorsed by society in general, or could even be considered indirectly enforced.
upon the advice of my lawyer, i have no sig at this time
The submitter complains about factual issues, but appellate courts do not determine factual issues. Trial courts do. Before the case reached the VA Supreme Court (an appellate court), the trial court already made its findings of fact. The appellate court can only address the factual conclusions of the lower court if the lower court made a clear error in its analysis of the factual evidence presented. As the VA Supreme Court makes clear, it is analyzing what is "shown by the record," not making its own declaration of how the internet works.
In order to know whether the VA Supreme Court should have overturned the lower court's findings, you would have to review the record on file with the court and read the testimony of the various expert witnesses that the parties called to testify. If there was no testimony at all to support the court's factual findings, then the VA Supreme Court could have overturned those factual findings, but only if there was no evidence or testimony to support the finding. If there is any evidence to support the trial court's factual findings, the appellate court has no choice but to go with them.
Courts make factual findings based on the evidence presented to them. Anything that is not obvious to pretty much everybody (I am paraphrasing the law here.) must be proven through evidence (including testimony of expert witnesses).
See here for more info.
This has actually been discussed on Groklaw to the end.
The situation is actually quite simple: The good lawmakers of Virginia passed a law that prevents _anybody_ from using forged headers etc. etc., including good folks who need anonymity for good reasons protected by the US constitution. Therefore, the law as it stands is illegal. Now a judge _can_ decide that a law is unconstitutional and therefore cannot be used in any court case; a judge can _not_ decide how to fix this law. Therefore it _must_ go back to the lawmakers who have to fix it; as long as it isn't fixed, it cannot be used to convict any spammers.
The article comes up with all these arguments why the court decision is wrong. What he ignores is that the judge doesn't have the power to do that analysis. The only thing the judge can do is to say that the law is constitutional or not. The article claims that there are methods other than those disallowed by the law that make anonymous free speech possible. But that is not for the judge to decide. The law clearly restricts free speech that is protected by the US constitution (while also correctly restricting the rights of spammers to their "speech"), and that is not allowed.
Virginia law is definitely of the "release it now and patch it later" variety. We're a bit like EA that way....
> But the decision contains statements about IP addresses, domain names,
> and anonymity that are rather basically wrong, and which may enable
> the state to win on appeal.
There is no such thing as an appeal from a Supreme Court judgment. That's why it is Supreme! (Except in NY where they use weird names).
From the VA Supreme Court ruling, you have two options:
(1) Ask the VA Supreme Court to reconsider its decision. This rarely happens, but if the Court really did screw up, then it might.
(2) Seek a writ of certiorari from the US Supreme Court. These are also hard to get, but where a state Supreme Court really messes up First Amendment law, you probably have better odds.
The court is actually correct based upon how IPs work in that when ARIN assigns a block to an ISP, that is public info - any lawyer can get it. Once the ISP is known, a simple court order can force them to divulge the account who was logged on and assigned that IP at the time the message was sent. Thus the full account, including billing information of the user to whom the IP was leased or assigned (as with dialup) at the time can be identified unless the IP can be obfuscated.
It is wrong to say there are no other ways in which an id can be masked. There are enough unsecured mail servers in the world that one can use with a little knowledge without the trail then actually leading back to their PC. The trail would end at the unsecured server.
Origin relocation will work also... you need to be able to access a remote server, I won't say how - but let's assume you did it legally, then you can use the remote system to send a message without it directly leading back to you via IP... depending upon the system accessed and how you accessed it could lead to someone else, or back to you through a few more court orders...
This IP tracing back to the user via the ISP is EXACTLY how the music and entertainment lawyers have been finding people to persecute... yes I meant persecute....
This is just my humble opinion; however, I do NOT believe the arguments are strong enough to get the case overturned...
Also, I DID hear of a case where defamation was being claimed against a spoofer... but you have to find the spoofer first...
I traced several e-mails back to unsecured servers in China so there was no way to tell where they came from, I suspect Roswell's Aliens are behind it....
That law is in fact prohibiting speech. Even if it were rewritten to be more narrowly focused on spammers, it would still be the wrong approach.
The problem with spam is not a speech issue. It is a property issue.
The protection of free speech in the US Constitution does not grant speakers the right to steal property rights. You cannot steal my paper, ink, and printing press and justify the theft as enabling your freedom of speech.
Remember ... free as in free speech, not as in free beer.
Email costs more to the recipient than to the sender. The sending server only needs to store mail until it can exchange it with the recipient's MX host. In the case of spamming, this cost is virtually nil since the message tends to be the same for all recipients, so only the recipient email address is all that needs to be stored. The recipient server has to store each message individually, if it arrived individually. It also has to store the messages longer, until the recipient's user agent (client) picks up the mail. And that pickup is through yet another active service (IMAP, POP, Web).
Sending something to someone that doesn't want that is fundamentally wrong. It is a theft of computing resources. It can also be a theft of personal time. When this is done on a very small scale, such as trying to contact an old friend that has no interest in communicating with you, or asking someone a question about free software they wrote when they don't want to deal with such questions, then it's generally not a big deal. It's still wrong, but the scale of it doesn't rise to be a criminal interest.
Doing this sending in bulk, however, indicates the intent to benefit in some way from this theft, usually financially. Sometimes there are other forms of benefit, such as political.
It could be argued that existing property law already provides the proper protection. However, this would require a complex constructive argument in court, which might also be easy to knock down. Email, the internet protocols, and the way computers work, are complex issues that would have to be dealt with over and over in courts this way. What we need is a law clearly written to deal with the property theft aspect of spam. It needs to avoid any reference to what the content of a message is. It needs to focus on the means by which the sender is doing the theft in bulk (even if the case before a court is only one instance of what the spammer did). It needs to make clear that freedom of speech is about the right to say what one wants to say, not about giving the speaker a right to steal property from others to achieve that speech.
The law needs to make clear that sending email against the wishes of the recipient is theft. It needs to make clear that doing so in bulk raises the level of this theft to be criminal. It also needs to make clear that the definition of bulk can include sending any one given recipient just one copy.
Such a law should do better to stand within the protections of free speech in the First Amendment.
now we need to go OSS in diesel cars
I would like to point out that I am not a publishing house and that anyone who wants to have an email "published" must not send it to me!
You can read about it here. Among other things, it says that an unsolicited commercial email cannot contain falsified headers.
The reason it did not apply in the Virginia case is that the crime was perpetrated before the act was made law in 2003.
So really this Virginia decision is largely irrelevant when it comes to spam. It is possibly very relevant when it comes to anonymity on the internet.
In the meantime, you have powerful interests (like the government of China) working to ensure that anonymity on the internet becomes impossible.
And that is a case-in-point of exactly why anonymity is necessary to protect free speech.
It's Virginia, for godsake! They only took "Family Reunion" off the official, Virginia Is For Lovers, list of "Best Places To Meet Hot Babes" last week.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Since when should free speech include a right to anonymity? Should we allow people to drive without license plates in the name of free speech (you know, so long as they're shouting "speech" out the window while driving of course) ?
People tend to be asses when they think they have full anonymity.
Here's my problem with the whole subject: spam, and email in general, should not be considered a free speech issue in the first place. This case talks about the act of "publishing" an email as a free-speech action. One does not publish an email, one sends it explicitly to targeted recipients. Publishing "speech" in the electronic sense would be something like posting to a message board or putting up a web page which a person may choose to view or not. Such speech, commercial or otherwise, is clearly deserving of protection.
Sending unsolicited email is not "publishing". It is more akin to breaking into a house and spraypainting your message on the wall. Such speech, commercial or otherwise, is clearly undeserving of protection -- and indeed should be punished severely. Telling the recipient that he is free to paint over the message without reading it is not good enough.
The obvious solution to "spam" is for the delivery of all email to be on an opt-in basis. If I haven't explicitly authorized you to send me email, then I shouldn't have to waste my time/energy/bandwidth attempting to filter out and throw away the undesired items. If I want to hear what you have to say, I'll let you know -- otherwise, stay out of my face.
I don't know what this has to do with the subject at hand...
Nothing. He/She/It's been blindly copy/pasting the same comment in every article. Ignore him/her/it.
Judges aren't usually supposed to ask the parties questions. They're supposed to decide issues of law and if a question needs to be asked, the lawyers are supposed to be smart enough to ask it. A jury is supposed to decide the facts, but whether it's a jury or a judge who decides the facts it is the job of the lawyers to ensure that evidence is presented to educate the fact-finder sufficiently to make the correct decision. I really don't want to live in a world where judges have to have technical expertise in every kind of case that comes before them - they'd have no opportunity to learn the law, and that's a hard enough area for them to get right as it is.
The purpose of an expert witness is to assist the trier of fact on matters beyond lay experience, as you know. You have certainly seen a pretty heinous example of a judge getting it wrong, but it sounds like the error got fixed "easily enough" (I put that in quotes because it's such a relative term, relative here to paying 25%+ annual interest). In general, though, there is a lawyer who did not sufficiently educate the judge for the decision he had to make.
Let judges dedicate their time to studying the law. It's critically important that they don't suck at making legal decisions.
This analysis misses an important element. Almost anyone EXCEPT the government may request and receive non-content based identifying information without any sort of court order whatsoever. The applicable statute is the Electronic Communications Privacy Act. Check it out.