Slashdot Mirror
An Inbox Is Not a Glove Compartment
Federal Judge Michael Mosman has ruled that the government can read your e-mails stored with a third-party provider like GMail, without notifying you that a search warrant has been executed (PDF) against your account. (Actually, the judge ruled that there is no "notice" requirement triggered at all, so that in theory, neither GMail nor the subscriber would have to be notified — but that seems only of theoretical interest, since in practice GMail would have to cooperate in order to execute the warrant, unless the government is planning to have ninjas sneak into their server farm at night. The substantive impact of the ruling is that e-mails can be read without notifying the subscriber.)
Now, as I said when writing about the possibility of undetectable encryption being installed on people's computers, at the risk of incurring the wrath of civil libertarian allies, I am not 100% in favor of limiting governmental power in cases like these. Restraints on governmental power have their pros and cons, and many people who are targeted by government investigations really are evil. There may be cases where the government can only prevent harm from being done, by gaining access to someone's e-mail account, and by preventing the subscriber from finding out that their e-mails are being read. However, all of these arguments are also true when applied to governmental seizure of property from someone's home — and yet we still have Fourth Amendment protections against warrantless searches of your house. So should they, and do they, legally apply to e-mail? And under the "third party doctrine," should the government have to notify the subscriber of the search, or only the ISP?
Law Professor Orin Kerr of George Washington University Law School has written an article [click on the link and then press the download button to download a draft] arguing that the Fourth Amendment does apply to e-mail. But he has also written another article arguing in favor of the third-party doctrine — essentially, that when the government seizes property that is in the possession of a third party, it only has to notify the third party, not the property owner. To the extent that this is relevant to the GMail case, the argument would appear to support Judge Mosman's ruling. However, Kerr's paper also acknowledges that the third party rule has been the subject of scorching criticism of other Fourth Amendment scholars, calling it "dead wrong" and "making a mockery of the Fourth Amendment."
It will probably be a long time before courts are issuing consistent rulings on the third-party rule as it applies to e-mail. In the meantime, though, one statement in Judge Mosman's ruling sticks out in particular:
"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."
This was the basis for further reasoning that the defendants had less of an expectation of privacy in their e-mail contents, and hence that there was a strong case for allowing the government to read the e-mails without notice to the defendants. (In this he was drawing an analogy to a previous ruling in which a court held that a bank's customer has "no legitimate expectation of privacy" in his bank records because they were "voluntarily conveyed to the banks and exposed to their employees in the ordinary course of business.")
But as applied to ISPs, this is a statement of fact, not a statement of law, and as a statement of fact it's simply wrong. ISP employees, even the most highly placed ones, do not have access to customers' e-mails "in the ordinary course of business." And even in the non-ordinary course of business, in the case where e-mails have to be inspected to satisfy a subpoena requirement or to investigate an abuse report, only employees with the proper business justification can read the e-mails. (At the e-mail provider that I use, SpeakEasy, employees can only access accounts with the explicit permission of the customer, and only then by resetting the password or obtaining the password from the customer. When I worked in MSN accounts, most employees didn't have the security clearance to access customer accounts at all.)
This tracks with what customers reasonably expect from banks versus what they reasonably expect from ISPs. If I called my bank to ask about the status of my account, and the customer service representative noted that I had a high number of overseas wire transfers and asked if I wanted to upgrade to a business account with a reduced wire fee, it probably wouldn't even occur to me to be offended that she had looked at my transaction records. On the other hand, if I called SpeakEasy and asked them to add more space in my inbox, and the tech support guy said, "Dude, you could do a lot better than Chloe," I might think he was overdue for a review of their customer privacy policy.
Judge Mosman uses several more analogies in arguing that the third-party doctrine applies to e-mails (beginning on page 12 of the ruling), analogies between e-mail and real-world situations that most of us are familiar with, like leaving documents out in the open at someone else's house. Now, most of us don't have the expertise to comment on the legal technicalities. But in the game of analogies, we're all experts, insofar as we're qualified to comment on whether we feel that one thing is "like" another, or whether our "expectations of privacy" in the two areas are similar. And under the rules of that game, I would disagree with the judge's analogies for several reasons:
1. There is a difference between leaving property in someone else's possession because you don't care very much about keeping it private, and leaving property in someone else's possession because you have no choice. The judge cites precedents in which courts ruled, variously: (a) that when a suspect left documents at his mother's house and the police executed a warrant there, they only had to provide notice to the mother, not the suspect, even though the mother was not the owner of the documents; (b) that a defendant had no grounds to object to the search of another person's purse, when the search turned up drugs belonging to the defendant; and (c) that defendants 'could not make a Fourth Amendment claim regarding a search of someone else's car because they had no "legitimate expectation of privacy in the glove compartment or area under the seat of the car in which they were merely passengers."' But all of those cases involved property that the defendants chose to leave in the possession of someone else, rather than keeping on their person or in their own houses. In all of these cases, the person X who left the property in the possession of person Y, could not have expected that person Y would keep their eyes off of that property, or would shield it from the view of casual acquaintances who happened to see it there. So by allowing the notice only to be served on person Y, these three cases are just specific implementations of a general rule: "If person X leaves property with person Y, with no expectation that person Y would refrain from examining the property, then the notice of warrant only has to be served on person Y."
This rule does not generalize to GMail accounts. If I send and receive messages through a GMail account, I know that they're stored on Google's servers, but that's out of necessity in order for them to provide web-based e-mail that can be accessed from multiple locations. By allowing the e-mails to be stored on their servers, I haven't conveyed that I care any less about their private contents, because I didn't have a choice. Now, if I had printed out an e-mail from GMail and left it lying around at my Mom's house, or in a friend's glove compartment, then that could be interpreted to indicate that I had less interest in keeping that e-mail private, and it would be more analogous to the situations above. In fact if I had sent an e-mail to someone working at Google, I would understand that my expectation of privacy had been lowered significantly, and that the recipient might forward it to their friends or leave a printout on their desk, or that the police might request for him to show it to them without notifying me. Simply having an e-mail stored in a GMail account is not the same thing.
2. E-mails are not like bank records, because you have a greater expectation of privacy for e-mails, even from the institutions that hold them. It's true that bank transactions are more closely analogous to web-based e-mails, because they're both stored on company servers by the nature of the business, so this analogy isn't as badly flawed as the previous ones. But in addition to the fact mentioned above, that ISP employees do not have access to your e-mails "in the ordinary course of business" despite what Judge Mosman wrote, there is the "inside/outside" distinction that Orin Kerr describes in his paper on the Fourth Amendment and e-mail. Essentially, police don't need a warrant to observe what goes on outside your home — whatever is visible from a public street — but they would need a warrant to take their inspection inside. Kerr argues for extending this analogy to the "content/non-content" rule for Internet transactions, so that Fourth Amendment protection would apply to the contents of e-mails, but not necessarily to the "outside" information such as sender, recipient, and transmission time. (Actually that still seems like rather weak privacy protection, to say that the Fourth Amendment doesn't protect information about who we exchange e-mails with, but even this watered-down argument still implies stronger privacy protection for e-mail contents.) Bank transaction records would be more like "outside" information and less deserving of privacy protection, so the analogy doesn't hold.
3. By analogy to the expectation of privacy in people's homes, the expectation of privacy for the contents of e-mail is possibly greater. Judge Mosman writes, "The sanctity of the home is often cited as the central purpose for this notice requirement, but the requirement has not been explicitly limited to searches of homes," and quotes from another court decision: "[t]he mere thought of strangers walking through and visually examining the center of our privacy interest, our home, arouses our passion for freedom as does nothing else." Well, since he brought it up, if it's relevant to compare the "passion" that's "aroused" by the invasion of various spheres of privacy, if I had a choice I would rather have a stranger wander through my house and inspect everything except the computer, than allow them access to my browser history and all the e-mails I'd sent and received in the past year. (And that's not even taking into account the violations of other people's privacy that would be entailed by someone looking through all of my e-mails.) Applying the test of "What would you rather have people see?", most people who make more than casual use of e-mail, seem to care more about the privacy of their e-mail than about the privacy of what's visibly lying around in their house — if a good friend drops by unannounced, you can usually lead them through your house without worrying about what they'd see, but you probably wouldn't give the same person a complete record of all your e-mails in the past year. (Remember, according to the judge's quote, we're comparing "visually examining" your house vs. your e-mail, not actually physically taking anything.)
As I said, I'm not necessarily opposed to the government having the authority to obtain records of people's e-mails if they have an extremely good reason, without necessarily having to notify the subscriber that their e-mails had been read. But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails." I wonder if even Judge Mosman thinks that's true. If he got a call from his bank offering to upgrade his account based on recent transaction activity, he'd probably just politely get them off the phone like the rest of us. But if he got a call from his ISP tomorrow, saying that his e-mails were starting to sound cranky and they were wondering if there was anything they could do to cheer him up, would he just thank them for their concern and leave it at that?
you insensitive clod!
Their they're doing there hair.
This decision doesn't really change the common practice of law-enforcement agencies does it? Haven't we all already known that the government (and gmail/yahoo/hotmail/your boss etc.) is scanning our email pretty much whenever it wants to?
The mail to email analogy is almost perfect, which now frightens me. What does this judge know about the US Postal system that he isn't saying?
Email is not private. The sooner you stop pretending it should be and do nothing, the more quickly the citizens of this country can have a legitimate conversation about this and other issues of national importance.
Moral outrage in 3....2....1....
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
If the government wants access to my inbox they'll need to talk to me since I'm the admin of my mail server.
One flaw in this argument: ISP employees do in fact have access to your e-mail. Hopefully it's only a small number, sysadmins and others with root access, and ISPs usually promise not to use that access except in limited ways without the customer's permission, but that doesn't change whether they have access or not. And the courts are concerned with whether the ISP has access, not whether or not he's promised to use it.
A good analogy would be ordinary bank records vs. the contents of a safe-deposit box. The first the bank has access to, and the customer has limited expectation of privacy regarding them. The second the bank does not have access to, their key physically can't open the box alone, and the customer has a higher expectation of privacy about the contents. If you want an expectation of privacy in your e-mail, you need to insure that your ISP literally cannot access it's contents. A promise from them that they won't isn't sufficient if they can.
I'm just happy to see them actually realizing that it should require a warrant.
"Fortunately for everybody, this is not true — most ISPs do not allow their employees to read customer e-mails 'in the ordinary course of business' "
I disagree. When something starts filling /var/spool/mqueue it's common that customer e-mail get read.
- real hackers don't have sigs -
encryption
So how is it any different if I give an envelope to a USPS employee? It's no longer under my control, but I expect it to be private. Also the USPS has been know to open a package or two, so does that now mean all mail is no longer private? Like email, I have no choice but to let someone else handle my mail, IF I want it to be delivered.
Well there's really only one solution to all this government stupidity, Encrypt Every Thing Every Time.
Now if we could just make it pretty hassle free, so everyone would encrypt every thing every time, without having to think about it.
the hinge of the matter is that customer service/tech support *has* to when troubleshooting certain issues. I've worked for several ISPs and it's generally the same procedure. Verify but don't DO anything or leak anything out. Customers SHOULD have a feeling of privacy from other users but not ISP staff. Their email is sitting on OUR servers. Don't like it? Do it yourself. Or don't use email. Which is a better option. Email sucks.
Non impediti ratione cogitationus.
"But the justification should not rest on wrong-headed assumptions like the notion that ISP customers "expose to the ISP's employees in the ordinary course of business the contents of their e-mails.""
It might be a bit far reaching... but come on, system administrators have had access routinely to people's mailbox contents since forever (on most mail systems). Not that we go around snooping on your mail, but we can and do have access to it, if it's plaintext, at any time. If you are sending emails through any provider without encryption and assuming that some staff at that provider are not technically capable of reading and copying your emails, you are delusional.
This is not like snail-mail, where although you know the postman could open your mail, you also know he'd go to prison for it.
This is incorrect - you had a choice to host your own email server (doesn't cost a great deal) on which you could encrypt your data stores. You chose not to and went with a commercial email provider for... cost reasons? If you're not prepared to spend real money protecting/securing your documents and feel it's only worth $FREE$ then you are conveying, pretty strongly, that you don't really care about their contents.
Not that I agree with the judges decision, but this line is bolsheviks...
Though this may not be the ultimate solution to the problem I tend to "fetch" my mail, either using POP or IMAP and remove the copy from the server. Though this does not save me from being eavesdropped, I still have the feeling that it will reduce the amount of information about me on the server side in the long run.
So how is it any different if I give an envelope to a USPS employee? It's no longer under my control, but I expect it to be private.
I'm not sure about other types of mail, but media mail can be searched at any time, by any postal employee. The sign at my post office states this to be a fact, but I can't find the specifics on their website to give a link here.
Reply to That ||
As James Fallows asks in The Atlantic Are we naked in the cloud?
The answer he supplies is "yes" you have given up custody.
Best Slashdot Co
"An Inbox Is Not a Glove Compartment"
Yes, Mr. Stevens, we get that the Internet isn't a big truck.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
The Inbox Is Not a Glove Compartment, just like the Internet is not a truck?
AccountKiller
Because I use hotmail...
"[T]he defendants voluntarily conveyed to the ISPs and exposed to the ISP's employees in the ordinary course of business the contents of their e-mails."
What if we changed the third-party statements to the following:
"[T]he defendants voluntarily conveyed to the healthcare provider and exposed to the healthcare provider's employees in the ordinary course of business the contents of their medical records."
"[T]he defendants voluntarily conveyed to the financial institution and exposed to the financial institution's employees in the ordinary course of business the contents of their finances."
"[T]he defendants voluntarily conveyed to the landlord and exposed to the landlord's employees in the ordinary course of business the contents of their apartments."
I think, with all this laws and rulings, it should become clear to more and more people,
that the mail exchange containing relatively private data should be encrypted.
> ...the decision hinges on the assertion that ISP customers have lowered
> privacy interests in e-mail because they 'expose to the ISP's employees in
> the ordinary course of business the contents of their e-mails.' Fortunately
> for everybody, this is not true...
Yes it is. The fact that the employees might be fired for reading the mail does not alter the fact that they have the opportunity to do so. Unencrypted email is no more private than a postcard.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
... because pretty soon we're not going to have any rights online.
From the essay: "Now, most of us don't have the expertise to comment on the legal technicalities"
Mr. Haselton is, as far as I can determine, not an attorney and has no formal legal education. So bear in mind that the above statement applies to the author of this essay as well.
You know how Slashdot contributors often bemoan poor science journalism written by reporters who obviously don't understand the subject matter? The same danger exists when people like Mr. Haselton, who is a freelance programmer, try to analyze and report on legal issues.
Again, from the essay: "But in the game of analogies, we're all experts, insofar as we're qualified to comment on...whether our "expectations of privacy" in the two areas are similar."
The expectation of privacy is a legal term of art. It does not simply refer to the individual's subjective feeling about whether he or she, personally, expects that a given communication, act, etc will or should be private. So, no, we are not all necessarily qualified to comment on the similarity of the expectation of privacy in two areas because there is a second, objective component of the expectation of privacy. The objective component is highly context-dependent, and its contours have been defined over the years by numerous court cases, none of which Mr. Haselton has cited, distinguished, or applied here.
And this is the glaring issue with Mr. Haselton's essay: he has analyzed the opinion in a vacuum. He does not cite or apply any supporting precedent or statutes, nor does he distinguish the facts of the case from the precedents that the judge cited. This kind of reasoning is not legal reasoning, and it can easily lead to all kinds of errors.
Note that I have, apart from the meaning of 'expectation of privacy,' refrained from critiquing the substance of Mr. Haselton's argument. It is possible that his argument could well win the day in an appeal; on the other hand, perhaps it is hogwash. I merely want the readers here not to be mislead into thinking that this is a rigorous legal argument or that Mr. Haselton is some kind of expert on the subject matter. Indeed, his lack of citations or argument from precedent would probably get him laughed out of court.
Read on for the rest of Bennett's analysis.
Can't wait. When I want serious legal analysis, I turn to programmers, because being only an attorney myself, I need their help in figuring this stuff out.
But as applied to ISPs, this is a statement of fact, not a statement of law, and as a statement of fact it's simply wrong. ISP employees, even the most highly placed ones, do not have access to customers' e-mails "in the ordinary course of business."
Of course they do. Why on earth would you think they didn't?
And even in the non-ordinary course of business, in the case where e-mails have to be inspected to satisfy a subpoena requirement or to investigate an abuse report, only employees with the proper business justification can read the e-mails.
I am curious as to which law this is enshrined in.
Now, most of us don't have the expertise to comment on the legal technicalities.
You'd think so...
There is a difference between leaving property in someone else's possession because you don't care very much about keeping it private, and leaving property in someone else's possession because you have no choice.
There's a difference between storing apples and oranges; the question is really "is there a legal difference?" First, you're not addressing that, and secondly, factually that's not true. You have a choice to use gmail, just like you have a choice to use e-mail at all.
I shall then endevour to encrypt my napkins, tire gauge, pens, headphones, owners manual and the like.
"Restraints on governmental power have their pros and cons, and many people who are targeted by government investigations really are evil."
The argument is already flawed, assuming that mostly evil people will be targeted. Now we have another loophole to be exploited. This is yet another example of the bastardization of our legal system.
"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin
Wrap that thing in an envelope for Cripe's Sake!
Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
- e-mail is like snail mail: it transits through others to get to me. i DO have an expectation that my mail, and my email, is private
- I park my car on someone else's property daily. This does NOT mean I'm giving my car away, or I don't care what happens to it.
- In any case, blanket invasion of privacy without even having to go though a judge for each specific instance, or at least each specific individual for a certain time period, is unacceptable. I don't trust judges much more than politicians, but just needing 2 snoops instead of just one makes snooping exponentially harder.
Idiot and crooked politicians certainly cost us more money, and quite possibly more lives, than terrorism and drug gangs. Time to rein them in... and snoop on them. The public actually has much less reason to trust them than they have to trust the public. How about we put them under 24x7 public scrutiny ?
The Cloud - because you don't care if your apps and data are up in the air.
"One flaw in this argument: ISP employees do in fact have access to your e-mail."
In the same way that a landlord has access to the rented homes (has keys): it does not mean you have any less right to privacy in your (rented) home.
Sure, they just rip open your mail and read it at their leisure all the time. And they don't even need to know the account password to do so, just an ordinary letter opener. A paper envelope doesn't offer much expectation of privacy.
After indexing it for search and ad-serving purposes, it should then be encrypted on their disks.
This would circumvent the judge's argument.
If this sort of encryption is not done, all people and businesses that use software as a service to
for example write and store their intended-private documents are in legal jeopardy.
Where are we going and why are we in a handbasket?
Atleast the government is interested in the spam I get now...
Based on this argument, then, the govt. could seize your snail mail with out a warrant on the same basis. i.e. you're putting your correspondence in the hands of a third party. If anything, e-mail should be more inviolate because, it's not in any type of physical format that's "passing through the hands of a third party"
When you download email from Google, it's still cached on the local machine so you can view it. When you're downloading email from your own POP account, it has to be transferred across a firewall, switches, and so forth, some of which might cache the information. They would not have to contact you in order to obtain access to your email, and they would not have to contact your email provider or someone who you have entered into a secure agreement with. They would simply have to contact the person who controls the router between you and your email server. (Some of which are already controlled by the government.) In regard to SSL, some corporate firewalls are using the client key to decrypt the emails and web pages to transfer them more quickly through their networks since SSL is a huge taxing process on the system.
Whatever you do on the internet or in email is trackable and traceable. They don't have to touch your computer to find out what you are doing. Also since you are licensing your operating system from a company that makes operating systems, I'm sure there's another loophole there as well.
If you aren't doing anything wrong, then there is nothing to worry about.
The entire basis for this case is illegitimate. They are saying, since email is handled by a third party, the actual owner doesn't need to be notified. This would widely apply to damned near everything we do nowadays. My money is under the control of a third party, my bank. Does this mean they can get my bank records without notifying me? Does it mean they can search my house without notifying me? After all, I don't actually own it yet, the bank does.
Even if the contents of your inbox were revealed during the ordinary course of business, that doesn't mean they aren't private. During the ordinary course of business at the hospital I work in, people's medical information is "revealed" (to staff that have valid need of it). This doesn't mean that those staff members go into the local McDonald's and whisper to their friends: "You see Jim Smith there ordering the Egg McMuffin with extra sausage and bacon? He had a heart attack and a triple bypass just six months ago and his cholesterol was through the roof!" (And if they do say that, they'll be risking their jobs to do so.)
The information is revealed during the normal course of "business" and yet it is still considered private information. Why can't inbox contents be thought of the same way? Sure, the contents of your inbox might be revealed during a normal course of business (not sure what this normal business would be, but let's let that slide for the moment), but that doesn't make the contents any less private.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
The internet has certainly made life easier for everybody. And sadly that includes the bad guys. The benefits we all enjoy - instant communication, enormous growth in available information, enormous improvement in the timeliness of information, ability to get answers to many questions, unprecedented marketing and advertising possibilities - help the bad guys just as much.
Want a recent example? See this somewhat self-serving article by a "reformed" advertising scammer: http://www.techcrunch.com/2009/11/01/how-to-spam-facebook-like-a-pro-an-insiders-confession/
And I am not even talking of terrorists, pedophiles, and the like...
Having said that - its not repeat not enough of an argument to justify a policy of unrestricted search and seizure when data is stored at a third party. Some reasons:
the bad guys are clever at gaming the system; for example THEY do know how to encrypt their sensitive emails. So the damage will hit ordinary folks disproportionally while the crooks will often be able to evade
we all benefit from the growth of the internet, for example the recent surge in cloud computing. Do we really want to dampen this progress with legal concerns about privacy?
This is not to say that we should let the bad guys off the hook entirely. It may be new laws are needed.
Thankfully, I run my own mail server *and* I keep it in the glove compartment of my car...
It must have been something you assimilated. . . .
Yet another bad ruling that demonstrates that an average judge doesn't have enough technical knowledge to make a good ruling. They all make the same mistake: because they don't understand the tech, they try to force physical-world paradigms already familiar to them onto the digital world, regardless of the fact that its a terrible fit and causes massively incorrect conclusions to be made.
We can't continue to leave these vitally important infrastructure decisions to have-a-go judges. The damage already caused is massive. There needs to be a special court set up to hear technical cases, where the issue gets decided by technical experts, not some old duffer who is probably scared of computers and has secretaries for that sort of thing.
While written in an inflammatory manner, I really do agree with you.
Unfortunately, there will be new stupid morons to replace the old guard. Most people have no understanding of computers beyond how to use their favorite social networking site, to them the computer is a "magical" box which can do stuff and get them to the internets.
Does this been they only need to notify the bank if they want to look through a deposit box at a bank?
Well, not necessarily. A good backup client (I don't know about Carbonite or Sugarsync) should encrypt, with industry-standard algorithms, on the client side before sending it to the server.
In this case, you retain your data.
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
I understand Google is an American company. This is American legislation. I can't take anything from the article which would tell me anything about the access to non-US citizen email. Anyone dare to speculate? I'd say "We're reading everything ..."
I run my own IMAP server in my own basement. I can go and touch the machine that the mail is actually stored on.
Does this ruling have any implications for me? It looks to me like it doesn't.
Friend of mine used to work for Sympatico... They would read Customer e-mails when they got bored... Since Most mail now reside on the US side of the border, you can bet the OHS is using data mining software on ANY e-mail from anyone that has mail even remotely connected to a US server. Does it make it right ? huh, no. Fight the system ? Well I'm happy some people have the time to. Heck, we're being fooled into Win7 with a no win scenario and we're worried about e-mails ?
Why is the law based on what a person expects? Which person are we talking about here? I think it's fair to say that the average computer user considers e-mail to be like regular mail, where reading the contents requires that you "open" the e-mail. Heck, every e-mail program I can think of uses that metaphor! But I know that e-mail is more like a post-card, with the contents right out there in the open for anyone to see. Because of that, I don't expect a whole lot of privacy. Does that mean I deserve less protection under the law?
This shows the flaw in the idea that some information (to and from addresses, etc) is on the "outside" of the envelope while the contents are on the "inside". There is no "inside" when it comes to e-mail! Anyone who has access to the "outside" information has access to everything. What does it matter if the average user expects their e-mail to behave like regular mail when the reality is more like a postcard? Making the law fit people's perceptions seems like trying to impose some kind of schizophrenic world-view on our law-enforcement officers. They can't both read the e-mail headers and ignore the contents, that's a recipe that's just asking for abuse.
We need a reality check, people, and the solution seems painfully obvious to me: if you want privacy then use end-to-end encryption. It's the only way to be (reasonably) sure that no-one is reading your mail except for the intended recipient.
My host may have to allow warranted government searches of my data, but can Uncle Sam stop them from informing me that a search took place?
I wouldn't be nearly so worried about these searches if Google forwarded the warrants to me, ideally complete with search queries so I can see what they found.
I wonder how many more of these events will occur before the public starts using GPG? I have a feeling it will have to be a campaign similar in scope to what RIAA and MPAA did, which might never happen. Perhaps this could be a good thing in the long run if it does move the public in the detection of more secure communications.
You already had your email on a server you do not control.. Didja think no one else would read it??
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
What is then to stop an agency from executing a search warrent on servers located in colo's or cloud computing services? Since these are not on site, the argument could be made that these are no longer private and the expectation of privacy is no longer there since they are out of you constant watch. I dislike how the laws of yesterday are constantly trying to be shoehorned to fit the problems of today. The other thing about shared computing in regards to cloud or hosted solutions is still the problem in that if they hardware you are on gets siezed due to the activity of another user (say you are on a shared host and one of the other clients is under investigation) who is to say your data will remain private or is not in the path of the search since it is technically all on the same machine they got the warrent for?
how are these people federal judges, i feel if you cornered a child after a civics class they could offer a more reasonable opinion on this. Why emails wouldn't be afforded the same protections as, i dunno, physical mail is just beyond me. looks like I get to learn how to set up a mail server on my current music server...
It's not an inbox problem. It's a GMail long-term storage problem. It was settled in United States v. Councilman that the Electronic Communications Privacy Act applied to messages in "temporary storage". This decision
Also, this was a search with a court-issued search warrant. The question being litigated is whether the service provider has to tell the customer about the warrant.
That email is inherently insecure. Email is normally plain text, unless you use some form of email encryption or third party secure document service, you should automatically assume anything you put in an email could potentially be known to anyone and everyone. This is a big reason underground channels use encrypted, unlisted IRC channels as a form of comm(among other methods). This does not make the 4th Amendment issues any less, but if you have something worth looking into, be smarter about what you put in your emails in the first place.
"It's ok, I'm completely secure as long as my iron is off"
Does this mean they can get my bank records without notifying me?
Yes.
Does it mean they can search my house without notifying me? After all, I don't actually own it yet, the bank does.
Wrong, you do own your house. The bank simply has the legal option to seize it if you failure to pay on the loan, it is the secured collateral - how can it be collateral if you don't own it?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You're about the third post in this thread to mention homes, and the answers in your case are:
1. Yes, and it's actually done quite frequently.
2. Technically yes, although it's been done mostly in some limited cases under laws such as RICO, and 20 states have some protections for some other possible abuses.
Without sweeping legal reforms, the same bullshit that lets them make this call on e-mail has already let them get your financial information - they just use the same argument that banking info is handled by a third party and notify the bank, not you, of what they'd like to see. If you look at how the federal government has treated those eminent domain cases where a mortgage is involved, the situation is analogous there unless you live in one of the 20 states that have state constitutional protections that exceed the federal rules. (And there are similar risks even for fully owned property where no mortgage is in effect, although those don't involve the government using this third party trick for eminent domain).
Just think of how broad, nebulous 3rd party rules can be used in home privacy law. Either you rent, and the landlord is a third party, or you own with payments, and a financial institution becomes the third party, or it's all paid off, but you still have local taxes, and local governments or private property assessors can be used as third parties. Then there's meter readers, repairpersons, and such.
The RICO act lets various justice departments make fertile use of 3rd party access - for example, there was an obscenity case in the 90s where the police agency determined through financial institution records that a speedboat existed among the person's assets, and then used the boat as an excuse to extend a home search warrant to the separate property where that boat was kept. (That is, the written justification for searching the boathouse at a marina owned by the accused and located about 40 miles from the main business offices or the accused's home, wasn't that they had reason to believe obscene material had been either filmed or stored there, but that they had reason to believe obscene materials were produced or stored at other locations, and that an asset which might qualify to be seized under RICO was there and they needed to determine its condition. In other words, they searched the boathouse to see how much they could likely get for the boat at auction.).
Who is John Cabal?
I understand Google is an American company. This is American legislation. I can't take anything from the article which would tell me anything about the access to non-US citizen email. Anyone dare to speculate? I'd say "We're reading everything ..."
If it's in the US, in a jurisdiction that decides to follow this judge's reasoning, then sure. The citizenship of the mail isn't the point, it's who's storing it.
Yet another analogy:
"lowered privacy interests in e-mail because they 'expose to the ISP's employees in the ordinary course of business the contents of their e-mails.'"
Could the government search my house without notification, because I 'expose to the insurance company's employees in the ordinary course of business the [high-value] contents of my residence'?
I have read Mosman's decision (the first two paragraphs of the PDF) and skimmed through the background info, (the bulk of the rest of the document) and I have to say that I agree with him.
First, he's not saying that a warrant is not required for law enforcement to search your email. All he's saying is that they are not *required* to actually tell the account holder that the email has been searched. They still have to present the warrant to the email host.
This is exactly the state of affairs when it comes to physical searches of property stored at a 3rd party location. If I have stuff at a storage locker somewhere, police will take their warrant to the management office of the storage facility and say "Let us into the locker." Legally speaking, that's all they're required to do.
Now, in either case, I would expect to be notified by the host or storage facility that they complied with the search warrant. That's just good business.
Where the original case makes me uneasy isn't that the warrant was only given to the ISP. It's that the warrant included a supplemental gag order preventing them from telling anyone, INCLUDING THE ACCOUNT HOLDER, that they were complying with the search warrant.
IMHO, and I'm by no means a legal professional, they chose the wrong grounds upon which to try to appeal the decision. Rather than appeal on the grounds that they weren't notified of the search, they should have appealed on the grounds that the gag order was unjustified. I don't know that it would necessarily have gotten them anywhere, either, but it'd at least be a stance I can agree with.
Yet another interesting point is made in Mosman's discussion. In a normal, physical, search and seizure, they're required to leave a list of things they take. That way, you know what should be missing and can reclaim your property after the trial (if you're in a position to do so).
He argued that because nothing was actually *taken* -- the police simply made copies of their mail folders -- there was no need to leave a receipt, which would have served as a different means of alerting the account holder that their account had been searched.
This could have some potentially interesting consequences in physical searches as well. What if the police execute a search warrant for documents and rather than physically taking the papers to the police station, they instead set up a few high-speed duplex scanners and just scanned in the documents on the premesis? If that's all they do, they're not "depriving you of property" so there's no reason to leave a receipt.
If you're putting enterprise-critical data in the cloud without encrypting it first, you are a fool.
Get your teeth into a small slice: the cake of liberty
I'm busy. Can somebody wright a summary? Is this text interesting?
Doesn't Echelon already index all SMTP traffic anyway? I understand that this is yet another government agency trying to get at e-mail. Wasn't the DHS to allow the sharing of such information though?
It's a "yes it's media" or "no it's not someone is just trying to get a cheaper rate"
See, I had thought about it this way, particularly because of BenBoys post above, and it occurs to me that people attempting to get that cheaper rate must be mailing a sizeable amount of packages. The price difference is trivial in my experience (but I rarely send anything more than 1 to 3 packages per visit) and they would need to seriously not care about it poking along for what, 14 days to get to the destination?
Reply to That ||
So, a bunch of "stream-of-consciousness" musing from Bennett Haselton on a federal court ruling, complete with two (2) cites to admittedly-contradictory law-review articles by the same law professor, and this is what passes as "legal analysis" on Slashdot?
I have nothing personally against Bennett Haselton, but being a "frequent contributor" frankly doesn't qualify him for such endeavors. I've read thorough and rigorous analyses of federal court decisions before. This ain't one of those.
You don't think investigators can get a warrant to intercept and search regular mail without you knowing about it? I'm fairly certain they can and do. Just like a wire-tap. A warrant to intercept your communications without notifying you. What's wrong with this? I fail to see.
Over-the-top Response Guy! Giving "Over-the-Top Responses" since 1970.
What's the legal status of Canaries?
"Today I was not served..."
"Today I was not served..."
"Today I was not served..."
"Today I was not served..."
"Today I was not served..."
(... Crickets)
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Just encrypt your email. You'll get the noticed desired when the warrant is served for your encryption keys.
-CZ
So I rent space at a Public Storage facility that only I have the key to for $xx a month. In this 20'x20' storage facility, locker, room, whatever you want to call it are my personal belongings including boxes and boxes of personal financial statements, letters, etc. no different than if I had them at home in the attic had I the space.
Because I have my belongings stored with a "third party" they do not need a search warrant to search my off site storage facility? I thought they did. If they do, how is this different than me storing bits and bites in a storage facility owned by a third party? Because they're bits and bytes rather than phyiscal boxes of documents?
How is this different than my apartment? The storage facility labeled APT 2B in building six is owned by a third party. So the apartment where I live can be searched without a warrant? You know... My home is not paid for. Technically it's still owned by the bank, a third party...
As far as solving all this computer usage eavesdropping and abuse when (in the $@#%@#) are we as programmers going to make encryption ubiquitous. Nothing is on a drive, sent via whatever protocol in the TCP/IP stack, email, P2P that isn't encrypted. Upon OS installation, like the user password we ask for an user/OS passphrase or whatever it takes that nothing and I mean nothing is available in cleartext on the server, in the cloud or traveling over a wire? When? The ASCII standard is what should be made illegal. This is one problem we CAN solve.
JMHO
-[d]-
Does this mean the IRS will find out about the MILLIONS of dollars people in Nigeria have for me??
My taxes will go through the roof!!
It seems to me that the proper analogy lies with UPS and a phone company. I'm not fully up to speed on the law, but IMHO you should have to pass the same legal barriers as if you were to get phone records and open a package from UPS. Basically it should work like this. I need to use the same legal hurdles as if I were getting phone records. This gets me the all the email header info that falls within the applicable warrant (all correspondence between Mr X and me during November and December for example). Then you can take that one step further and get a warrant for the contents of one or many of those specific emails. That would seem perfectly reasonable to me. I'm sorry, but you have entrusted your data with a third party. I don't think you can really claim a privacy issue if a proper warrant has been obtained and served at the location the data exists. Of course there is always the possibility that the third party in question is perfectly happy to hand over all your emails without a warrant, and that (in the best of my understanding) would not break any laws.
A better analogy than those presented would be the expectation of privacy for post cards sent to a PO box. This is exactly what is going on with email sent without encryption over the internet.
Since, IANAL I don't know what the limits are for searching a PO box, but I'm sure there are precedents for this.
http://xkcd.com/538/
Law enforcement will break your physical security.
"When information is power, privacy is freedom" - Jah-Wren Ryel
Learn to use comma's properly, you illiterate turdhounder.
So when media companies store their movies, music, book, on third party servers or data center the content no longer belongs to them and they give up their ownership of the content. I love this judge.
Hope is the currency of fools
I think that "experts" in a field can only really be called "experts" if they independently agree (at least more often than random chance) on their given conclusions. In other words, in this case, if you took 10 different federal judges and put them in separate rooms and asked them to decide this particular legal question, would most of them agree? Probably not. In that sense, they're not really "experts" so much as "designated decision makers". That's fine, we need designated decision makers in order to settle legal questions and move on. But that's not the same as true "expertise".
I think expertise is defined by the correctness of the conclusion that you reach, not by the memorized knowledge or credentials that you display on the way toward reaching that conclusion. And a good test of the correctness of the conclusion is whether similar credentialed experts reach the same conclusion.
So for example when I said that ISP employees do not "routinely", "in the ordinary course of business" read their customers' e-mails as a matter of company policy, and I'm citing credentials as an "Internet expert" in support of that statement, I mean that if you were to take 10 Internet experts and ask them independently, probably at least 8 of them would agree that was a true statement.
There is an alternative point of view, that "expertise" really is defined by your credentials and by the knowledge that you display while making an argument, not by the correctness of your answer. If that's your point of view, then you're absolutely right, there is no point in me critiquing a judge's decision. Of course in that sense there's no point in *any* non-lawyer *ever* critiquing anything in a judge's decision, no matter how absurd it seems to a layperson, so the whole issue is moot.
It's not a perfect analogy, but it does fit a little better ie.
Email - most employees won't have direct access to it, but the ISP can shut down your access...
Safe deposit box - user's key is required, but you still need to get into the bank vault or some similar room...
[All Your Fish Are Belong To Us]
I guess if the US government insists on snooping in your safe-deposit-box-like email account...the next step is to get a Swiss Email Account.
I wonder if Swiss banks would actually provide such accounts?
(T>t && O(n)--) == sqrt(666)
The bank does not own your house. If somebody slips on your front driveway, who is liable? Who pays the property tax? When's the last time you asked your bank for permission before doing home improvements? When's the last time an officer of the bank came into your home because hey, it's his property?
or the controlling doctrine, case law, etc. 'People Should be secure their persons, houses, papers and effects' IS the 4th amendment. It's been a part of common law for 500 years. A email is just a electronic letter, once again, a email is just a electronic letter, and they have no more right to it on am ISP server then they do reading letters at the post office.
Email never had an expectation of privacy anyway. Not that I think the government is doing the Right Thing here, but if you use email for communications that should remain private, you're an idiot if you don't encrypt.
Fortunately, strong encryption has been fairly easy for many years. I'm fairly aghast at how often this is forgotten. And I'd like to see a judge rule that cracking a GPG-encrypted email doesn't violate an expectation of privacy.
"The biggest problem with communication is the illusion that it has taken place."
Even more reason to inundate your email inbox with spam. Get some associates to send similar messages a few bytes at a time.
Uh, no, I'm not involved in a terrorist organization... .A,n4l slu.T,s .DA,te5 to Night! .W,i.N,in6s
I just love my
Vi.A,gra1!
Free mor.T,age es.T,imates!2
Ci.A,li3s
Ba.CK, door
Hot
Lotto
No use unless the people you are communicating with do the same. Even then, it doesn't help with traffic analysis.
Yes, if put an unsettled question of law to a collection of different legal experts, they'll likely come to different conclusions. That doesn't, however, mean that any schlub can craft the same level of legal analysis as a Justice of the Supreme Court. The difference is not the answer, but the process by which the answer is reached.
Consider mathematics, which you would surely agree is an area in which there are experts. If you were to ask a group of mathematicians about a question of unsettled math, you would likely get a set of different answers (though that set of answers might be constrained to a boolean set, depending on how the question was phrased). If someone then used that as an excuse to say that a thoroughly inadequate proof which nonetheless arrives at a "correct" answer is just as valid as those of expert mathematicians, it would be entirely appropriate for that person to be called out for their naivety.
Your interpretation could be correct. The problem is that you have glossed over so many important aspects of the question as to make your analysis completely worthless.
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
I think the difference is that even though mathematicians do sometimes disagree on areas of unsettled mathematics, when a mathematician declares that he has made a mathematical argument for something, it generally *is* true that other mathematicians would independently come to the same conclusion. That's not true of a legal conclusion.
I wasn't trying to make an alternative argument. I was only pointing out what I thought were flaws in the judge's logic and facts, in particular his asserted "fact" that ISP employees "routinely" look at customer e-mails.
"Grond" is quite right that if you make an argument in court based on facts and logic rather than on precedent, you will probably be laughed out of court. However, that doesn't necessarily mean there's something wrong with the argument, it could just as well mean that there's something wrong with the court.
But you think they are flaws in the judge's logic because you don't know what you're talking about. For instance, you don't understand that the fact that ISPs do not routinely *look* at customer emails does not mean that the contents of those emails are not routinely *exposed* to those same ISPs.
But please, keep tilting at windmills and insisting that you're the only sane man. If nothing else, it gives some of us some worthwhile entertainment.
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
You are disagreeing over the meaning of a word (in this case, "exposed") and calling it a disagreement of fact or logic. First, I quoted the judge saying that the e-mails were exposed to the ISP's *employees*; you changed that in your above text to saying that the e-mails are exposed to the *ISPs*, which is different. Of course the e-mails are exposed to the "ISPs" as an abstract entity, but not to their individual employees, depending on what you mean by "exposed".
I was interpreting "exposed" to mean either (a) that the e-mails were available to employees as a matter of policy, or (b) that the employees were actually looking at them. Under either of those interpretations, the judge's statement would be wrong.
You seem to be interpreting "exposed" to mean that the employees had physical access to get the e-mails if they wanted to (regardless of the consequences for their job if they got caught). In that sense, yes you could say that the e-mails were "exposed" to some employees (although still only a tiny fraction of them).
The problem is that by that definition, any information that you store with *any* company is "exposed" to its employees in the sense that at least a small fraction of them would have physical access to it, regardless of company policy. Thus the meaning would apply too broadly to distinguish one situation from another and would become meaningless.
When's the last time you asked your bank for permission before doing home improvements?
I'd be really surprised by any mortgage written in the last twenty years that doesn't require having major modifications to the dwelling signed off by the bank.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'd be really surprised by any mortgage written in the last twenty years that doesn't require having major modifications to the dwelling signed off by the bank.
Yes, I do have such a clause in my mortgage terms, but that's not really what I'm talking about. Obviously the bank doesn't want you to decrease the value of their collateral. But a homeowner does NOT need to ask permission to do basic home repair. In an apartment I used to live in, I had to get permission to install a new showerhead in the bathroom.
Something like adding a second floor is a totally different matter (and really, all the bank cares about is that the contractor has appropriate insurance in case they damage the house).
Understanding the meaning of legally operative words is essential to understanding the logic or reasoning of a legal decision. That's one of those things you would understand if you bothered to listen to people in the field you keep trying to discuss.
When Judge Mosman writes that the e-mails are exposed to employees, it does not mean that employees are allowed to rummage through them as a matter of policy, or even that employees actually look at the e-mails. Consider California v. Greenwood, 486 U.S. 35 (1988), in which the Supreme Court ruled that individuals did not have a legitimate expectation of privacy in their garbage because it was exposed to the public, despite the fact that California law explicitly protected the rights of individuals to their garbage placed out for collection. Also consider Google's privacy policies, which allow Google to examine the contents of users' emails for advertising, preventing spam, or enforcing the terms of use. Gmail Privacy Notice, http://mail.google.com/mail/help/intl/en/privacy.html; Google Terms of Service, http://www.google.com/accounts/TOS. The fact that a user conveys their information to Google, and that Google has the ability to read that information (absent steps such as encryption), could easily be sufficient to "expose" these e-mails to Google under existing law.
Were you someone with a degree of skill in legal writing, you might have seen fit to do a little more research. Had you done so, you would have found a Sixth Circuit Court of Appeals case, Warshak v. U.S., No. 06-4092 (6th Circ. 2007), available at http://www.ca6.uscourts.gov/opinions.pdf/07a0225p-06.pdf (vacated en banc), which deals with this precise question. In its original panel discussion, the Sixth Circuit held that end users do have a reasonable expectation of privacy in their e-mails, highlighting prior decisions of the Fourth and Ninth Circuits coming out each way on the question dependent on their specific facts. Over a vigorous dissent, the Sixth Circuit overturned the decision in it's en banc review, Warshak v. U.S. No. 06-4092 (6th. Circ. 2008), available at http://www.ca6.uscourts.gov/opinions.pdf/08a0252p-06.pdf, arguing that the case was not yet ripe for review.
As I said previously, your interpretation could very well be correct. It's certainly my preferred outcome. That doesn't change the fact that your analysis was the work of a rank amateur whose writing shouldn't be treated as if it had merit.
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
I think you are judging the article according to your own standards, while I am arguing for a different set of standards.
I freely admit, up front, that what I wrote would probably not be persuasive to a judge and would not get a good grade from a law professor. Happy?
I was not trying to write a "legal argument". I was trying to make an argument *about* "legal arguments". Essentially, what I'm saying is that if a judge can write an opinion that meets all the criteria for a "good legal argument", and still says that Google employees accessing your e-mails is analogous to bank employees accessing your transaction records, or that "leaving" your e-mails on Google's servers is like leaving drugs in a friend's purse and tantamount to waiving your privacy rights in the same way, then maybe the standards for what makes a "good legal argument" are not stringent enough.
It was the same argument that I made about the Virginia High Court's ruling that forging IP address in e-mail headers was constitutionally protected, because it was "anonymous" speech. That makes no sense to anyone who knows about e-mail headers, because any human or program who knows how to read e-mail headers can see the real IP address that the mail came from. The real point of the essay was not just that the court was wrong about IP addresses, but that there should be ways to stop factual errors like that from sneaking into state-Supreme-Court level opinions. (And then I suggested some ways that those errors could be avoided, like having the opinions be reviewed by technical experts -- under oath, of course -- before they were published. People's objections amounted to, essentially, "That's not how courts do things." Yes, I know that's not how they do things. Why don't they?)
Nothing other than your own incompetence and or unwillingness to learn prevents you from making your arguments better so that you can not only present the arguments you are trying to present, but also do it in such a way as to actually be persuasive. You could, if you chose to do so, become familiar with the various legal terms of art within the context of privacy law and the First Amendment, so you would recognize that when a court talks about a "reasonable expectation of privacy," it does so in a historical context. Similarly, you could understand that, in the context of reasonable expectations of privacy with regard to third parties, the personal nature of the information conveyed doesn't generally matter; what matters is that the thing has been left in the possession of the third party.
You're clearly an intelligent guy, but it's frustrating as hell to continually see you make this ridiculous arguments because you refuse to learn about the systems you seek to discuss. For instance, consider your absurd idea of subjecting judicial opinions to a layer of technical review. People's objections did not, in fact, amount to "That's not how courts do things," so much as "There is a reason for how courts do things now, and if you want to change current operating practices, you should address those concerns."
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
The objections I read were of the "That's not how we do things" variety. If there were more thoughtful objections, they were buried under too many comments in the first category to find them. So then, you tell me: Whose interests are protected by not having judges' decisions proofread by technical experts who can call out errors in statements about things like how IP addresses work?
For one thing, the interests of the parties (and justice generally), by preserving the parties' ability to respond to expert testimony. There's a reason that judges are barred from engaging in ex parte communications with outside experts (with limited exceptions) - the case should be decided on the evidence in the record, not the opinions on matters of fact delivered by experts whose statements are not in the record and are not subject to cross-examination.
Judges are not detectives, going around trying to establish facts for themselves. Our justice system is built upon the fundamental premise of judges hearing evidence presented by adversarial parties and issuing decisions based on that evidence. This is not to say that an alternative system is impossible, but rather to say that your idea is incompatible with our existing system. As such, if you want to fundamentally change the way the judiciary works, you need to have something a bit more persuasive than a single VASC decision you don't care for.
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
OK so those are good points. First, I would say that despite the problems with receiving ex parte advice from experts, that's still no worse, and possibly better than, no third-party advice at all. Because if you're receiving advice from a technical expert, that *might* be wrong, and it's detrimental to justice that the parties to the case can't challenge it -- but the alternative is for the judge to rely on their own understanding already swirling around in their own head, which is *more* likely to be wrong, and which the parties *also* cannot challenge until it's too late. (This is assuming that the expert is disinterested. If the expert has a conflict of interest then their influence may well be worse than nothing.)
But then, rather than having this be fatal to the whole idea, this suggests a change that could cure those problems: Why not have the "proofreading" process happen in open court, or in briefs that both sides can review and respond to, before the judge makes the decision final? In other words, the judge essentially comes out with a "first draft" of their decision and shows it to both sides, challenging them -- or any technical expert retained by either side, or by the court -- to find anything wrong with it. Obviously, the judge doesn't have to agree to change anything that either party thinks is "wrong". But if either party convinces the judge that their understanding of a technical fact is wrong, the judge can change it before their decision becomes final.
Something like that *might* have prevented the Virginia court from issuing a judgment saying that spoofing the headers in an e-mail message is constitutionally protected "anonymous speech" because it hides the real IP address sending the mail.
What you appear to be having difficulty understanding is that the judge is not to base his or her decision on evidence not in the record or facts that could be properly judicially noticed (things that are both incontrovertible and common knowledge), including his or her own impression of the facts. See ABA Model Code of Judicial Conduct, Rule 2.9, available at http://www.abanet.org/judicialethics/ABA_MCJC_approved.pdf. If a judge decides a case based on his own understanding of facts that may not properly be judicially noticed, that judge is acting wrongfully. On the other hand, if that judge decides the case based on the evidence presented, but does so in a way that's seen as "wrong" to the majority of people in the field, that just means that the judge is lacking sound judgment. Both of these problems, however, are better solved by picking better judgments, rather than completely restructuring the nature of the American judiciary.
Assuming that the judge at issue is not simply making up facts as he goes, but rather is making his decision based on the evidence before him, your new iteration of your original bad idea is no better. The judge would have decided that one expert's understanding of the facts was better than the other's, and written a decision accordingly; the opposing party would naturally disagree, and the result would be re-litigation of the case in any case with expert testimony.
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
The idea behind reviewing the draft in advance and drilling down to specific points, is that it makes it harder for experts to misrepresent the truth about a particular point.
If the judge's draft were reviewed in advance and the experts simply commented on it as a whole, then sure, the expert for the winning side would approve and the expert for the losing side would disapprove.
But that's not what I'm suggesting. If the draft opinion contained a statement that putting junk IP addresses into the headers of an e-mail would somehow make it more "anonymous", one of the experts (probably the one whose side would be more harmed by this incorrect "point") would point out that this was wrong. The receiving mail server can always see the IP address of the machine that sent the message to them, and sprinkling other IPs into the headers would only fool human readers who don't read the headers carefully enough.
It would be much harder for the expert for the other side to disagree with that specific fact, than it would be for them to declare their disagreement to an entire multi-page opinion. If the first expert explained the point well enough, the judge would probably understand why that sentence needed to be fixed too.
Note, however, that all of this does depend on experts not being willing to lie outright, or on the courts being willing to punish them if they do. My first article about a court case was about a spam recipient who sued a spammer who was spamming him at his Hotmail address. The spammer hired an expert witness to declare that the only way to obtain a copy of the Hotmail messages as evidence, would be to obtain a clone copy of the recipient's entire hard drive. I submitted a brief explaining why this was wrong (Hotmail messages are not stored on your hard drive -- no, not even in the browser cache -- and even if they were, it would be ludicrous to claim that was the *only* way to get them, when the recipient could simply make a copy). The judge either didn't read the brief or didn't understand it, and signed the subpoena ordering the spam recipient to turn over a copy of his hard drive. Of course the plaintiff was unwilling to give a criminal spammer a cloned copy of everything on his hard drive, so he dropped the case. The "expert" who claimed that Hotmail messages were stored on a user's hard drive -- much less that the "only way" to get those messages was to get a cloned copy of the hard drive -- simply perjured himself.
Let me address your tangent first. As an initial matter, I'm curious, did you follow court rules for submitting an amicus curiae brief? If not, the court's not going to consider it. Assuming you did, and the court had some notice that the expert was dumb, the ruling certainly was bad. With that said, the exper probably didn't commit perjury, because it's generally hard to prove that someone was actually lying, rather than just testifying while being an idiot.
Moving on to your main point, if I understand you correctly, you're trying to institute a mechanism for the parties to tell the court that there is a greivous error in the court's decision. That's an excellent idea, and you'll be happy to learn that the mechanism already exists. It's generally known as a motion for reconsideration, but in the context of the VASC it's referred to as a petition for rehearing. Virginia Supreme Court Rule 5:39, available at http://leg1.state.va.us/cgi-bin/legp504.exe?000+scr+vscr-5Z39. While I can't say for certain, this being an edge case in the general field of civil procedure, I believe the appropriate standard of review for reconsideration on a factual issue would be clear error.
While you might think that the Court's understanding of IP addresses and e-mail is such an error, as with all things legal it's a more complicated analysis. For an error to be "clear," it must be both significant and obvious on the face of the record. If there was any creditable evidence in the prior rulings to support the judge's conclusion, then reversing for clear error wouldn't be justified. In this case, one of the experts probably testified that spoofing an IP address would make it harder to identify the sender. In a trivial sense that's true; as you say, it means you would need to look harder to do so. That would probably be enough to block a judge from finding a different set of facts.
While I haven't gone into any great detail on appellate practice here, I hope this is helping to demonstrate my initial point that your suggestions and analysis are hampered by your significant lack of knowledge as to how the systems you are critiquing actually work. I'll admit that your work at Peacefire helped inspire my interest in law all the way back in high school, but I understood that if I wanted to be a creditable voice for my ideas, I needed to have the training to more clearly understand the legal system. If you're serious about wanting to change the legal system for the better (rather than just occassionally ranting on Slashdot), perhaps you should give that some consideration?
I'm a lawyer, but not yours. I wouldn't represent someone who thinks taking legal advice from Slashdot is a good idea.
The brief I submitted was handled through the defendant's lawyer, who asked me to write it for him, so it was presumably submitted correctly. The expert in question listed extensive credentials claiming to be a longtime computer consultant, so you can say with about as much certainty as you can say about such things, that he knew it wasn't true that "Hotmail messages are stored on your computer."
:) ). But what I'm trying to convince people of is that you don't have to be an expert on the legal system to know that some of the conclusions it reaches are just wrong. Just as you don't have to read every book on Wicca to know that spell-casting is superstitious nonsense, if a court rules that "Hotmail messages are stored on a user's hard drive", sometimes that's all you need to know.
For all I know you might be right that what he said still did not meet the legal standard for "lying under oath". But in that case, I would say that that doesn't necessarily reflect on what he did; rather, it means there's something wrong with the legal standard for "lying under oath". What is the point of putting experts under oath and requiring them to show their credentials, if they can still make statements like that?
So, to your main point about motions for reconsideration. I don't know if you read it but I wrote an article a while ago [http://yro.slashdot.org/article.pl?sid=07/04/18/1247229] about an experiment where I submitted motions for reconsideration in some of my anti-spam cases, each about 4 pages long, with the middle two pages stuck together by a tiny sliver of paper that would break if the pages were turned, so that I could see after the fact if the judges actually read them before denying them. About half of them did not.
Suppose for the sake of argument that a Supreme Court judge would take their responsibilities more seriously and would actually read the briefs in such a case. You still have the same problem: you're asking the judge to essentially admit that they were wrong (at least in part) after they already published their opinion, and I think that's unreasonably optimistic. In one of my test cases where a judge did actually read the brief I submitted, he actually reversed himself -- the first time I'd seen that happen, and the clerk on duty (this was done in open court) said it was the first time he'd seen it happen -- and he'd worked in the court for 20 years!
I admit that in my proposal, where experts review a draft of the judge's argument before it's published, you're still asking a judge to admit they were wrong -- but in this case they'd only be admitting they're wrong about a tentative conclusion. Hopefully that would be easier for them to admit.
But the real point is that the safeguards you're describing, already exist, and they didn't stop the Seattle judge from endorsing the conclusion that "Hotmail messages are stored on the recipient's hard drive" and ordering the plaintiff to turn over his hard disk. I appreciate the good work that you do within the legal system (if you say I inspired you, then I presume you're on the right side