Slashdot Mirror
AOL Happily Releases Information to Cops
DigDug wrote in with a scary article about how
closely AOL cooperates with law enforcement agencies. In
the article, a local (Loudoun County, VA) Sheriff's Deputy is quoted as saying,
"AOL is extremely law-enforcement friendly ... they don't
hold anything back." While I'm sure we all want criminals
brought to justice, there are some serious privacy concerns
here. If you send e-mail to someone with an AOL account,
apparently you'd better be v-e-r-y careful about what you say.
(1) AOL's policy is located on the article page. In short, they only release emails on a warrant, and will release identities even in a civil action. Even if AOL never stated a policy and specifically contracted with you to withhold information even if presented with a court order, the contract would be null and void. Contracts that are in deference to the law infer no obligation on either party.
(2) If someone emails you with a credible intent to commit a murder, you're failure to present that to the police does not make you a de facto accessory. In the majority (but not all cases) a failure to act does not impose criminal liability. Most often, you have to give aid, or participate in the planning, with a culpable state of mind to be an accessory. If you go to an extra effort to withhold the evidence, you may be guilty of obstruction of justice. If you intentionally deceive and make false statements about the evidence, you could be charged under one of the many perjury derivatives. (Perjury usually requires a sworn statement, but there are satellite laws that cover filing false reports, etc.) You are correct that someone could come forward with the letter as evidence. This could be very persuasive toward establishing that you were part of a criminal conspiracy. This is especially true if coupled with other circumstantial evidence involving the crime. In mixed situations, your failure to disclose the letter or warn the intended victim could make you a liable for a tort against the victim (and subsequently his estate), or against his close family for wrongful death.
(3) I think you are correct. I have never had a personal account with AOL, but I was with a company that did business with them in '93. I do not recall there ever being a representation that your handle created anonymity. I don't know what AOL considers from their point of view, but it is in issue as to how cozy they are with authorities. The article seems to imply, without overtly stating, that AOL may cooperate in absence of a warrant. Furthermore, the issuance of these broad warrants in frequency and scope appear to tread real close to constitutional violations of search and seizure.
IMHO, I think what scares the pants off of these companies is that they do not kiss the a#$ of the authorities, a zealous prosecutor will hit them with RICO charges. I am not a personal fan of RICO, its too big a weapon in the prosecutors arsenal. Its scope for seizure of personal and corporate assets is far too large, and its burden of proof is entirely too small.
Thats IS the real issue.
:-)
Recently there was a big international company with a cracking/phreaking problem (the problem was really with a piss poor attitude by management to enforce a good security policy).
Their lawyer and CIO wanted to tie together all the intrusion detection systems, the firewalls, some sniffers, a certificate authority, and who knows what else, with the goal of providing a chain-of-evidence that they could hand (or email to) some prosecutor somewhere and have it stand up as evidence in court. Oh, and since the cracking attempts are coming from europe/russia/australia, can the system be completely international and stand up in any court.
"Looky here, Mr. State Attorney General, we were attacked by a ping flood from these IP addresses, and we carefully recorded each and every ping packet hitting our firewall in this log file. We want you to prosecute."
For some reason, Dilbert strips weren't funny for weeks after that episode
But on the flip side, imagine what a naive prosecutor would do if someone handed him a log file with some spoofed IP or email addresses in it, showing some kind of real world crime (drug dealing or car theft). Granted, there should be other evidence to back up any prosecution, but cases have gone to trial on less. That's the scary part.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
That would be my guess. Especially in an "ISP" full of net-newbies, said net-newbies probably crash their e-mail on a regular basis.
Hell, I've done it on my college account and had to get the sysadmin to do some really weirdoid stuff to get my unread mail back. (Learned some interesting lessons about VMS along the way, but that's another story.)
"Somebody exploded a letter-bomb today
Raytheon wanted to find out which of its employees were badmouthing the company in public via AOL, so they sued "John Doe," which means they filed a lawsuit which said, essentially, "We don't know who we're suing just yet, but by Ghod we're suing somebody." With the civil suit filed all nice and pretty, they typed up some subpoenas demanding the identities of the John Does, and carried them over to AOL, who turned over the true names behind the aliases.
Here's the absolute best part: as soon as Raytheon knew who the employees in question were, they dropped the lawsuit. Then they either fired or disciplined all the employees involved.
This is called a tactical lawsuit: it's one where you don't give any sort of damn what the suit's own outcome may be; you file it just to make sure there's a lawsuit in place so you can do things you ordinarily wouldn't be allowed to do. Here's how it works, fable2112: Say for example that I hate you and decide to kick your ass. If I ask servtech who you are, they will promptly tell me to go to hell, which is as it should be. Since that approach won't work, I'm going to file a lawsuit: I sue John Doe for inducing mental distress in a SlashDot article. Nevermind the suit is complete crap. Nevermind it will never see trial--a lawsuit is a lawsuit, and I can use it to start issuing subpoenas. I send a subpoena to servtech, demanding your name and billing address. Are they going to tell me to go to hell? Of course not! I've got a subpoena--a court order!--demanding to know who you are. So instead of fighting it, they turn over your billing information. Now that I know where you live, I can drop the bogus lawsuit and cheerfully proceed with the asskicking I've decided you deserve.
Is any of this bothering you yet? Keep in mind that up to the actual asskicking, everything I did was completely legal. The great big question here, whether it's about AOL or any other ISP, is how much cooperation should they have given me? The obvious answer is "none." The legally viable answer is somewhat more nebulous.
Just something to contemplate.
Disclaimer: I don't actually want to kick your ass.
--
This is not my sandwich.
The "free" AOL thing sounds like a wonderful idea, but it would never work. IMHO there are two primary reasons why AOL is so widely used. First is because it's simple. Now I do think that the linux community could make an easy to use online service. The second reason is because they have POPs EVERYWHERE. There is no way that an online service could have as many dialups as AOL w/o a huge ammount of money, then there is the cost of maintaining the equipment, in order to do that you need to either have someone disgustingly rich to donate a large ammount of money, or you need to charge your customers. Hrm...there goes the free(beer) aspect of it.
-matt
here's what you need:
http://www.zeroknowledge.com/
Have you seen Ironstayn vs Supergovernment yet?
Now, wait a minute. Any legitimate business of ANY kind (not just an ISP) tends to have to cooperate when court-ordered to release records pertaining to a possible crime.
But since the great polarization of all net issues is "the net is full of kiddie porn and hatred" vs. "our right to privacy is being taken away"
You know what really burns me about this article? It's perpetuating the link of "Internet user" to "child molester" in much the way that the media has in the past, say, linked "male preschool teacher" to "child molester." *sigh*
There are sickos out there, and plenty of them ARE on the net. However, most people on the net are NOT engaged in illegal activities beyond the rather generic sort that might be expected of a more-socially-liberal-than-average sector of the population (smoking a bit of pot here and there, breaking laws against consensual sodomy, providing alcohol to 18-20 year olds, "stealing" the occasional office pens and pencils, that sort of stuff).
And if people were seriously wasting their time prosecuting THAT, and using it as an excuse to read e-mail, then I'd worry. And the Raytheon bit does bother me. I'd've liked to see an article on that rather than this done-to-death "child molester" and "trench coat mafia" concern.
"Somebody exploded a letter-bomb today
Posted by Mike@ABC:
Looking at the outrage here, I have to admit it's a little surprising. It's been common knowledge that law enforcement hangs out in "questionable" chat rooms and that ISPs have to pony up info when ordered by a court.
The answer is pretty simple: don't say anything online or in e-mail you wouldn't want a police officer to hear in the first place. For most of us, that doesn't put a whole lot of restrictions on our daily conversations. And for those who are dumb enough to say anything otherwise, well, you most likely deserve to be busted anyway.
Of course, in the immortal words of Dennis Miller, that's just my opinion. I could be wrong.
Well, since I'm on AOL's mailstaff, I spose I can answer this one.
Unread mail is kept for 28-30 days (Depending on when that database is reaped). This gives people a decent amount of time to get online and read their stuff. I think you'd be pretty mad if you went away for a few days and your ISP wiped your mail spool cause it was 'too old'.
Read mail is kept available to be re-read/kept as new mail for about 48 hours. (again, dependent on the reaping schedule). I know this has saved MY butt a couple times when I forgot to save something.
Deleted mail (read or unread) is deleted after about 24 hours. (That reaping stuff again). Currently AOL members can't retrieve this mail (Much to some people's dismay), but this is changing in the forthcoming 5.0 client, which allows members to access the 'Previously Deleted' folder of their mailbox (What we here on staff call the Recycle folder)
Scott
AOL Spamdinista
For the record, as a Road Runner employee and admin, Road Runner's policy on it's cable modem service is to not disclose any login, email, or private service related info to "any" party without a court order. Just want to make that clear. =]
--------- The universe as we currently understand it: First there was nothing
I'd be the last person to defend AOL but the conditions under which information would be released, as described by the article, are really no different than any ISP. I'm sure the authorities could gain the same access to information by serving an individual with a search warrant and getting the information from his computer. What really should be questioned here is not AOL's policies for giving information in response to a "valid legal process" but the conditions under which such warrants and court orders are approved.
For a start, if you actually read the article it states...
AOL, the world's largest Internet service provider, or ISP, tells its nearly 18 million customers it won't read or disclose private communication or personal identifying information except under a "valid legal process."
This is standard practise for all ISP's, and for that matter any legitimate business... if the Authorities believe that you have information that will help them solve a crime, they will ask for your assistance...
For people to see this as a problem is ludicrous, or perhaps the people that see it as a problem have something that they are hiding. The ISP's do not sit there and monitor everything you do, but if they are presented with a warrant to release information to the authorities then they investigate.
Just chill out and get a sense of reality on this thing... it's for people's benefit...
-~ Given a choice between two theories, take the one which is funnier. ~-
AOL is just acting in the same way that any other common carrier operates. Which is every ISP in the US (along with phone companies and backbone providers). They only release information if there is a subpoena or a warrant and your local ISP probably operates the same way (or should legally). If the police (or anyone else for that matter) gets a warrant or subpoena for logs, user information, or anything else that an ISP keeps on their servers then the ISP has to legally give that information up. Did you actually read the article and realize that AOL's policy is just that? They only release information requested in a subpoena or warrant. It is not like they are giving it away. The only information which they do give out to the FBI is in their chat rooms. Additionally, that information is the screen name of the individual and what kind of complaint some other AOL user made against that person. Notice, an AOL user must make a complaint before they forward any information on to the FBI.
The only reason this even makes the news is because AOL is so huge. If you would actually read the article and understood even the basic laws that telephone companies and ISPs have to operate under then you would know that AOL is operating no differently then your mom & pop ISP shop in the middle of nowhere when it comes to dealing with the law. So if you would get your head out of your ass and actually think, you would realize that AOL is not the problem in following the laws, but the laws themselves are what are not protecting your privacy.
If you are really worried about your privacy and you are worried about who is giving out your personal information, then maybe you should find out how that information is protected (or is not, depending on your pov) and then work to have the laws fixed.
No, I don't have an AOL account, I don't care to have an AOL account, and I could care less if AOL lives or dies. But I have worked for ISPs in the past and I know how they are bound legally and what is stated as the AOL policy for giving out information to the authorities is precisely what is required by law.
The only reason I felt the need to even make this post was because the comments that I saw were so knee-jerk and unthinking that, aside from the lack of all-caps, they could have come from AOL users. If AOL was voluntarily giving out user information without the benefit of a warrant or subpoena then this would have actually been newsworthy.
--Andrew
A bunch of people have suggested solutions, from PGP to using real ISPs. That's cool for the /. audience, all of whom are at least slightly technically savvy. AOL's user base, on the other hand, consists mainly of people who know barely enough to stick one of the 68,000 CDs they were sent into the drive and crank it up. This isn't a criticism of these people; they simply don't use computers.
These people never heard of PGP, and as far as they're concerned, their email is private. These are the people about whom we should worry; the technologically ignorant are most at risk.
AOL is just the biggest name in the game of rolling over for law enforcement, so that is why they are getting the most attention. Anne Arundel cops have been able to just drive over to AOL headquarters and take anything they want, just by flashing a badge. No court order needed, just bring your laptop with a lot of disk space. There is even an office for cops in the building, but the cops have to schedule time in it since so many investigators try to use it.
Smaller ISPs are all learning the hard way the courts always rule for investigators, so at this point most don't even bother asking for a warrant before allowing access. I've watched it happen at a couple of ISPs where I've done business, where the cops wanted either a straight wiretap off a router, or a copy of all email from the main server and backup tapes.
Its not that difficult to direct traffic from a logon session through a specific port on a router, and I had one ISP pay me two days wages just to do it once (without breaking their network like they did). They had the cops camped in their offices waiting to capture all the traffic from a suspect's sessions, thinking he was dealing drugs from his email account or over IRC. He wasn't, but it took them a few weeks to figure that out. At first, they expected to have an exact copy of his screen based on IP packets going across the network, by the end they were happy enough with a tcpdump file. The guy just played on the web a bit, never even hit any pr0n sites.
So this doesn't surprise me at all. I'm surprised anyone is shocked by the revelation, tho.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
... you see, that wasn't the focus of the article.
I did read the Raytheon part. And I certainly don't like the implications of that.
However, is that where the article was focused? No, it is not. The article was focused on murder threats and kiddieporn on the one hand, and "loss of privacy" on the other hand.
That's what JoeAOL-UsingReader is going to come away with. And that's why I've got a problem with the article. Had it been focused on the Raytheon incident, that would have been another matter. THAT is actually worth focusing on.
Perhaps a compromise solution would be to disallow accessing ISP records for a civil suit?
*shrug*
"Somebody exploded a letter-bomb today
Trust me, I was fully aware of the focus of the article. However, the underlying problem here is that until the sensationalized faction war goes away, the REAL problems aren't going to be covered, or will, at best, be buried in articles about Intrusive Government vs. Child Molesters.
If this makes any sense, the real issue here is that the real issues are not being focused on.
:)
"Somebody exploded a letter-bomb today
Although I'm not very proud of it, I do know some things on the subject. (There once was a time when I purchased my first computer with a modem and didn't know any better.)
AOL employees as a whole don't stand out with their intelligence. I personally know of a few cases where accounts were compromised by just calling AOL tech support and telling them the password was forgotten. Although they're _supposed_ to ask you for full account information including the last 4 digits of the credit card number, some were happy with just some basic information like the name of the account holder and the address.
What I'm trying to say is that the information could be given out accidentally, against AOL's policies (although the press release doesn't seem to confirm this - that's what they were saying some time ago). When someone calls in and claims to be the Police or the FBI, a person's first reaction is probably to try to cooperate. Of course, if the information was disclosed after a court order, they really should have done that.
I think some of us may still remember the story about the homosexual marine who revealed his sexual orientation in his AOL profile. The Marine Corps (or whoever) called AOL, and they happily gave out his information without even confirming that they were indeed who they claimed to be. He was "honorably" discharged only because the media caught the story.
---
Hmmmm.
a) What is AOL's policy? I would think that the subscribers have to abide by some form of agreement stating what rights they can expect, and what conduct (on either part) is acceptable. If it specifically names illegal conduct as unacceptable -- as such an agreement probably would -- then AOL might be free to tip off the authorities, legally. I'm not sure that they could on their own, unless they monitor all involved mail, however.
b) If somebody states to another person, in uncertain terms, a *credible* intent to murder -- and it actually happens, then might not coming forward with said evidence constitute accessory?
c) Using an AOL handle might be considered more of a "vanity plate" deal instead of guaranteed anonymity. We drive partly anonymously, in the sense that our automobiles are generally not prominently labelled with our names; however, police may note a plate and get the state DMV to cough up our names. This might be a fair comparison, from AOL's POV.
Only the dead have seen the end of war.
I know where N'rundel county is, I used to live there. Its a short drive around the beltway to Sterling (except in late afternoon trafic :-)
The cop and I went to school together, we still keep in touch. This info is from last Christmas time. Do you think AOL has completely cleaned up their act since last winter?
Investigators from many jurisdictions hit up AOL for information all the time, there was even a story about someone being sued in TX because the message went through VA. AOL honors search warrants from any american court, they have to, its the law. They have also cooperated with scotland yard in england, in the big cross-atlantic child pr0n case a couple years ago.
And AOL has so many cops or DAs coming in with court orders, they don't even check them any more, or supervise what they collect. Many courts require chain-of-possession by an officer of their court, so the cop head into the crime scene (AOL headquarters), records the evidence, and then hand carries the evidence back to a court approved storage site. When the evidence is presented in court, there is a list of every person who handled it from collection point to the courtroom.
So the cops grab whatever they can while they have free reign on the system, even for cases they don't have a warrant for. Just because it cant be used as evidence in court doesnt mean they cant 'accidently' see some information which leads them to discover other evidence in a legal manner. A fairly common tactic by overworked cops. Only a serious investigation by a defense attorney can dig up the illegal origin of the evidence, and the cops are counting on major incompetence in most cases.
[And yes, the brits are bastards sometimes, but its the IRS (internal, not inland) that thinks it can tax people all over the world. Grrrr.]
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
People, what we should really be concerned about is not how readily AOL cooperates with law enforcement, but how readily law enforcement uses that information. Email and log files are not the same as finding someone's fingerprints. It's not physical evidence. These things are stored in databases. Databases which can be altered. No one in law enforcement that I know of seems to realize this.
Case in point. Do you remember the Melissa virus? It was traced back to a usenet posting made by an AOL user.
"Who was online at the time?" asked the feds.
"Um... Our logs say it was that guy" said AOL.
And as you probably saw on TV, he was dragged from his house. How hard would it have been to change a log file? It's just 1's and 0's. Is AOL asked to prove that the logs were not tampered with? Of course not. It's impossible to prove such a thing.
And if tampering is not suspected, what about simple errors. Flip one bit and your SSN becomes someone else's SSN. Anyone seen the movie Brazil? A computer glitch causes the wrong person's name to be printed on a warrant for arrest. Do you really believe such errors don't actually occur?
Finally, it scares me how quickly law enforcement agencies jump on people when there is a media frenzy in the air. It's like they smell blood. The local governor showed up when they arrested the alleged author of Melissa. He was pronounced guilty without any real evidence.
So, to restate my point, the real problem is not that AOL or any ISP cooperates with law enforcement agencies. The real concern here should be that 1's and 0's are treated like physical evidence by a public so ignorant of technology they actually believe that if they see it on their screen, if it's written in a file, it must be true.
"I do not fear computers. I fear the lack of them." - Issac Asimov
I am a regular on a telnet-to Citadel-based BBS called ISCABBS.
I know there have been a few HUGE flamewars related to "release of confidential information" to either a minor user's parents, UIowa campus officials (UI is where this thing is based), and/or outside law enforcement agencies. If I remember right, the most recent case allegedly had to do with a child molester (thereby polarizing everyone even more than if, say, it was some guy confessing to the net-at-large that he uses marijuana). Certain fora have also been killed due to possible conflicts with established law.
However, there IS a policy stating that confidential information would not be released for someone making a suicide threat. (I guess we had too many boys and girls crying wolf on THAT subject.)
I'm just very glad this never came up back when I used to sysop on The Far Side (another, much smaller, telnet CitadelBBS that is now defunct, unfortunately). Then again, considering that I was one of two American 'ops on an Australian BBS
"Somebody exploded a letter-bomb today