Bookseller Intercepted Email
jconley writes "In this somewhat scary story, an online rare book dealer, Alibris, intercepted e-mail between its clients and Amazon.com. It amounts to online wiretapping." Read the story at CNET.
Alibris pled guilty but says (basically) it was a misunderstanding.
The penalty: a quarter-million dollar fine - are other corporations paying attention?
Hah! Amazon complaining about people not respecting privacy.
What next, TRUSTe complaining about ineffectual watchdog groups? eBay complaining about Usenet spam?
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
A quarter of a million dollars is a lot, but I'm surprised it wasn't more.
:)
I'm sure they learned their lesson, tho
I'd be (for some reason that hasn't occurred to me) inclined to give them the benefit of the doubt in this case; after all, a rare-bookseller probably has little competition with someone like Amazon. However, an interesting line was
Alibris admits to the wrongdoing but said it gained no commercial advantage because it already knew what its customers were buying.
Hands up everyone out there who lets their email provider know what books they buy from Amazon.
The article didn't say much about the company's agreements with its clients. But unless they violate their stated privacy policy or otherwise violate their legal agreements, is it really illegal? I mean, your boss can read your email at work and get away with it because they claim property over the network. It's a privacy invasion, but it's beyond the scope of the law. Now, if someone was reading network traffic on a network that they didn't own, that would be completely different. From the article, it looks like they were trying to have copies sent to them, and screwed up and had the mail sent only to them instead. I could see some sendmail newbie making that mistake pretty easily.
Actually, it was the predecessor to Alibris that did the intercepting, and it was on email accounts they offered to the clients. Apparently, that might be covered under some legal agreement. Anyway, the privacy you get these days is nil. If you have a credit card, own a home, rent an apartment, have a drivers liscense, or even a social security number, you've given up your privacy. It's just a matter of time until someone wants to take advantage of that fact.
(BTW, read the last two sentences...don't you wish everyone in government thought like that?)
Maybe I'm missing something here, but it sounds to me that the "intercepted" messages were ones sent to Alibris' email clients. Isn't it pretty standard by now for all email providers to say, "Hey, by the way, your email may be monitored"? Users know that their providers may be seeing their "private" messages. And anyone sending a message should understand that, too.
I understand the alleged motive, since they are a competitor of Amazon, but what if this had been messages from a non-competitor? Would they have been charged the same?
(If private companies can do this, who knows what the government is doing! Scary thoughts..)
My $0.02
According to chief executive Martin Manley, the company broke the law when it tried to rectify complaints from some clients who said they weren't receiving email messages from Amazon. In tracking such messages to determine the problem, the company unlawfully captured the messages, although Manley said it did not read them.
Okay, let's first set the ground rules here...
According to their web site, Alibris is not wholly a bookstore.
Alibris uses the Internet to enable hundreds of independent booksellers around the world to sell treasured books to consumers, libraries, wholesalers, and retail stores.
My guess is that the predecessor of Alibris mostly specialized in a book-finding service.. Anyone have any information on that?
Anyway, looks like the e-mail system they had allowed users to get an email with them to try to find old and rare books and so forth. Sounds kinda cool actually.
Probably they had some mail problems with Amazon, and set the thing to intercept messages to see what was wrong.
I'd give them the benefit of the doubt. An e-mail provider must be able to look at messages to resolve problems in routing or what have you. Perhaps not actual message content, but that's hard to distinguish, since the info they need and the info that should be private are not wholly separated.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
If you have a credit card, own a home, rent an apartment, have a drivers liscense[sic], or even a social security number, you've given up your privacy. It's just a matter of time until someone wants to take advantage of that fact.
I haven't "given up" jack. Had taken from me, through deception, coercion, or force perhaps, but I in no way "willingly and knowingly" gave anyone permission to poke around in my private affairs, much less give or sell that information to others. But, living in the US of A, my privacy was sold against my will to every mass mailer and spammer on the planet long ago. (Indeed, I was getting junk mail years before I was an adult, and therefore too young by law to enter into any agreement allowing anything of the kind. Not that that stopped them, mind you.)
If you think I'm going to take such invasions of my privacy lying down, you have a rather nasty surprise in store.
See Private Citizen on how to at least curb one particular invasion of privacy which is all too common. (My only affiliation with them is as a very satisfied, paying "member"). It was the best $30.00 I ever spent, eliminating all of my junk mail and junk phone calls in one fell swoop.
The Future of Human Evolution: Autonomy
It still bothers me. Blocking e-mail altogether wouldn't be that far off, had this corporation not been taken to task. And even though they were, what's to prevent an e-mail provider from putting a clause in the contract so they could intercept at will? The PR would be something along the lines of:
Even better - a quick look up at the header of this message will show that I've got Hotmail as one of my e-mail providers. What if, suddenly, I had difficulty sending mail to linux-related sites? In view of what's happened here, I don't think that a step like what I'm envisioning is too far away, and that bothers me more than anything else.
-Denor
The 'book reseller' also owned and operated a small ISP. The FBI found files on their systems from several other area ISPs. They had managed to break into the sites and steal /etc/passwd and /etc/shadow. They had several thousand 'access codes' in their possession. I think the $250k fine was enough.
One of the people involved is a selectman for a nearby town. It is amazing what some people will stoop to to get ahead in business.
I know all this because I live in the area...
Really, a fine of $250,000 is just a cost of doing business. The only thing is it's not deductible, due to being a fine.
...
Expect more of this - this is just the tip of the iceberg, the lone case where they got caught, not the majority of cases.
Just because you're paranoid, doesn't mean they're not spying on you
Will in Seattle
$250,000 for about 40,000 messages. Hey, if anyone's listening, I'll let you read my mail for sixty bucks a message too!
The government cares about such invasions of privacy on the part of individuals and corporations because, quite frankly, it encroaches upon the prerogative of the state. Just as the state is to have a monopoly on violence in society, so does the state wish to have a monopoly on the invasion of privacy: Echelon, et al. Just as common murder challenges the king's authority as the only legitimate source of death within his realm, so does common wiretapping do as much in this matter.
Hopefully, we can concentrate all of these atrocities within the state and then geld the state with constitutional amendments, as we have in the US concerning torture and the constitutional prohibition against cruel and unusual punishments. Alas, my cynicism would counsel otherwise.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
They're lying through their teeth. They should be shot. You should be shot for reading this. Bite me, jackass. Whatever man. I'm living in the past, man. I gotta get with the times man.
Bite me, jackass. Yes, very hard. Bite it.
Does this mean I can't examine what's inside packets passing over my land? I am a leaf on the 'net, not a node.
Wrong on both counts.
You should have read the fine print on the form you signed to get health insurance, which essentially gives your insurers (and anyone they choose to share it with) full access to your medical records.
Likewise, there are no laws prohibiting video-only surveillance in the USA. There are laws that state your likeness can't be used for commercial purposes without your permission, but that's not the same thing, and is a property, rather than privacy protection. It doesn't give you the right to compensation, for example, if your image appears in a news photograph.
There is virtually no privacy protection in this country, beyond the (mostly gutted) Fourth Amendment.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
Sounds like a waste of everyone's time.
Now, let's see what happens if you generalise to the usual extremes politicians, the media and the more vocal populace love to do. Should radio telescopes and SETI be banned, in case they accidentally intercept e-mails or other private communications? Never mind their setup can't process any such information, but sufficiently litigious plebs with good enough lawyers might give it a go.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you send something via FedEx, do you expect to have it read?
Of course, that is slightly different, because in that case, your parcel is sealed, and FedEx would have to break that seal. Now, at least, it is obvious that an email has the same protection - this decision (it seems to me) means that your ISP must get your permission to read it, even to diagnose network faults.
Yes, this is slightly unrealistic for plaintext emails, but the point is that now you have a degree of protection against unauthorised reading of emails.
When you send email from work, that is different - by using the work facilities, you are acting as an agent of your company, which means that all access to your emails is handled by company policy - in the same way a company can make a rule about its employees not reading things in other people's offices.
PS: I'm not a lawyer, so basically I made all this up. It might be somewhat correct, though.
--Donate food by clicking: www.thehungersite.com
This should be a wake up call to all the e-tailers out there that to protect your customers you should offer some kind of privacy enhanced e-mail / PKI solution. PGP seems the logical choice. Amazon could have a place to paste in your public key on your user profile so any correspondence could be encrypted if desired. Sure most people wouldn't use it, but at least it would be due diligence on the part of Amazon.
-DS
"Any sufficiently advanced technology is indistiguishable from magic." - Arthur C. Clarke
There was no guarantee to privacy in plaintext (non-encrypted) email. Do people really not realize they're essentially sending postcards?
I think that regardless of fault or motive in this case, it underscores an essential point that has been lost in all the new economy, "all services will be free and subsidized by advertising", hype: trust.
As email becomes an increasingly important tool of the masses (this is your dad's email!), we're going to see more issues like this. When someone signs up with Juno or Hotmail or Email.com or Yahoo! mail or any of 200 other free email services, they are putting all that personal, private data in someone else's hands. I argue this point with many people, and they say, "I don't care... there's nothing important in my email, anyway." They are, of course, missing the point. What if you're emailing your doctor about your HIV infection and your email provider (or an employee within them... the company doesn't have to be the culprit necessarily) turns you in for a bounty to your insurance company. I mean, really, it's like using a company phone... your personal correspondence is on resources that you do not control. Needless to say, this doesn't surprise me in the least and I think this is only the tip of the iceberg. As we have seen in the excellent accounts of the failures of Truste, these companies are willing to go to great lengths to collect this data, and I wouldn't put it past them to change their "privacy" policy to include the fact that they can use the content of your messages for whatever they choose; they would take this step and not bother to inform their users.
I don't want to get off on a rant here... so I won't. I was beginning to get a little too lunatic fringe there.
The point is that people need to be made aware they need to have trust in their providers. Call me a little paranoid, but my email ends up on a box sitting on one end of DSL line in a friend's apartment. The box runs OpenBSD and is tighter than a frog's ass. I know who runs the box. I know who has accounts on the box. I trust them.
I'm not advocating an "everything must be encrypted" stance (but I wouldn't call it a bad idea). This is not a security issue so much as it is an issue of understanding the nature and motives behind the relationships this new age is birthing.
--
--
"In Cyberspace, no one can hear you be sarcastic"
Many people would pay more to intercept business mail, heck, they could pay $250k upfront just to have 5 min look at some emails.
As has been said, by George Carlin, I believe, there is no problem big enough that Americans can't find a way to completely ignore it.
I am uncertain how the company is at fault. It seems like they offer email as a service to customers, and are being blamed for debugging their service.
I can also recall a time before the internet, when users were warned that public and private messages stood the chance of being monitored or reviewed at any time. I don't see how this case is different.
My concern with this, is that plaintext e-mail isn't the same as post office e-mails. Those are sealed. I would argue that plaintext e-mail is akin to a postcard, anyone on the network CAN read it. In fact, the ISP HAD to intercept the e-mail electronically (their machines had to see a copy of it), so it's just a question of them logging it. If they log all the bits coming across their network, is that also a wire tap? It is THEIR network, how is it illegally wire tapping for them to monitor stuff on their network?
On the other hand, this makes the case for a need to replace plaintext e-mail. Plaintext e-mail may serve a purpose (you're out of town and go to a Cybercafe and fire off a quick, all is good, we arrived safely, take care, message), but real e-mail should be encrypted (placed in a sealed envelope) and signed.
Alex
Read the contract you "signed" for the service. Most ISPs frown on that sort of thing -- of course, that doesn't mean it cannot be done. Most modern cable modem hardware doesn't decode stuff not destined to it (MAC address filtering.)
Once when I was in college, the head sysadmin (bone head) had set his IP address to be the broadcast address. He was somehow surprised when I told him the root passwords.
You know if the government (NSA/CIA/FBI/etc) was accountable for this then they'd all be in the electric chair!!! $250,000 for this??? Wow, the government would go through the wringer if you look at what all they tap.
Citizens should not respect privacy laws either. I like privacy but I feel that privacy is going to need to be violated even more if we are ever to wake up to the real threat. The ECHELON system should be taken apart and its pieces given away to individuals and the people responsible for abusing it should be publicly executed! If government violates the law then so will I! I know, I know, this is flamebait, troll, offtopic, etc, but I'd just like to point out that what these people did was nothing compared to what the government has been doing to people for DECADES but yet they go unpunished!
Anyone who has administered email servers has to feel a real shiver going up the spine on reading this, because it is impossible to keep email flowing without engaging occasionally in just this sort of thing. When email starts behaving erratically you have to check out the headers. With Sendmail type MTAs that means capturing and reading the email messages, because that's where they are found. And no matter how hard you try, you are going to read at least some of the content in some of those messages.
If this comes to be seen as illegal, it could mean very bad things for Internet email admins, and a lot of us who don't even admin anymore could find ourselves in deep doodoo.
Information is not Knowledge
I want to see what's inside of those packets. tcpdump doesn't show the meat of the stuff; just the headers. I don't think there's much stuff going past my node, though.
Alibris themselves say that they did nothing except debug their service.
The U.S. Attorney, on the other hand, charged them with "unauthorized possession of passwords with intent to defraud", among other things (ref. CNN). I assume there were some grounds for the charges, but since they were settled without a trial or conviction, we'll probably never know the truth of the matter.
--
If users are having trouble sending mail, you better believe sysadmins investigate the messages. That's not interception, any more than the post office is "intercepting" your mail when it examines the envelope.
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
I used to run a BBS, and as many of you older BBSers would know the system operator is prosecutor, not the actual offender.
So, with almost EVERY request for a user account, you would get displayed a copy of the electronic privacy act.
So, if you wanted your messages encrypted you did it yourself, that way the system operator would not be at fault, as the offender took specific measures to slip past the operators' "view".
So, use encryption, use PGP, but don't expect others to act to a "code of privacy", especially if guys with badges start coming into their offices.
FYI: On www.privatecitizen.com they talk about:
"We also send our members a copy of a little known Postal Service form that many call `The Ultimate Junk Mail Weapon'."
That form is PS Form 1500, available at any US Post Office. It was actually designed to stop porn, but the Supreme Court ruled that it applies to any mail, or, to put it another way, offensive is in the eye of the beholder.
Competition Good, Monopoly Bad.
Me thinks it's appropriate ...
--
You're absolutely right, everyone needs to start using encrypted email. A PKI (Public Key Infrastructure) will also be necessary - however, PGP doesn't provide one.
PKIs are designed to solve the problem of key exchange - we all trust a central authority to sign my key and verify that it actually belongs to me. PGP doesn't solve this problem. It relies on the user to establish his own unspoofable channel (e.g. face-to-face exchange) for verification of keys.
If you plan to use someone's PGP public key you MUST verify the signature with that person in an unspoofable way or the whole system falls apart. Thus PGP can't work for widespread communications security (Don't get me wrong - I use it and love it). Instead we need a real, traditional PKI. Which introduces many more problems (Who gets to sign certificates and who doesn't? If I notify them that my key has been compromised, how do they notify everyone who has that key? And so on.)
There's a whole industry built around this (and I work in it). There's no simple solution.
/* The beatings will continue until morale improves. */
No seriously, it's obvious that the poster you're responding to is aware of the impossibility of finding an original manuscript from Plato ... it was just a funny example ...
--
Thanks!
Folks running ISPs and services like Alibris really should pay attention to the Electronic Communications Privacy Act of 1986. People sending mail, using cell phones and so forth actually DO have some privacy rights. It basically gives carriers the right to debug their services, but anyone disclosing or reading content like Alibris may have been in the absence of a court order is breaking the law.
While there is no rational expectation of Internet privacy because of the open nature of Internet protocols, it isn't a wide open free-for-all either.
That article was very unclear. Several other people have pointed this out as well, but I've got some insight on a personal level.
AFAIK it's still fairly common practice for ISPs to include in their usage agreements something along the lines of "You can be monitored, and there really isn't much you can do about it". Not that I'm saying that's the way things should be, but I'd expect to see some lawsuits challenging the validity of those agreements. Have there been any that anyone has heard of? What were the outcomes, if any?
What I mainly am worried about is the criminal implications this may have. I don't know a lot about criminal law, so somebody please correct me if I'm wrong. Isn't it a current legal precedent for ISPs and other people in similar situations to basically be held legally responsible for what's on their servers? I think that's at least the case for web pages, I don't know if maybe there's an exception to the rule for email, since it's supposedly "private". I'm just scared that if sometime in the near future (god forbid, but for argument's sake) if Joe Terrorist blows up a building somewhere in the U.S. and it's determined that he planned the whole thing using email.
Now, if the ISP who handled the email can be found criminally negligent for letting such material go across their network, yet can also be sued for invading someone's privacy if they monitor it, where does that leave us?
Also, what about mail admins? I used to work for a pretty big ISP and I got hundreds of bounced messages (that get bounced to postmaster) sent to me every day. Most of them I just deleted, but I did have to look through them to attempt to diagnose certain problems. And it's pretty hard to look through a message and not notice the body, sure it can be done, but you don't really think about it at the time. Especially if the contents of said message are "Please transfer $1.5 Million into account XXX-XXX-XXX from account XXX-XXX-XXX" (that was actually in a bounced message I saw once). I mean that just opens up a whole world of hurt if you're in that position. Hopefully just seeing it wouldn't violate any laws, but this whole area of law is so murky...
Something to think about I guess.
Also not mentioned in the article is the subsidiary ISP (www.valinet.com) which they owned and operated and the hacking they attempted in the area. The ISP has recently been sold to another party, I hope they don't get killed because of the bad press.
The local press here (Western MA) is having a field day with this
The internet is two things. 1) A place where ideas are freely expressed and one of the few free zones left in the world. 2) A place where some people will do anything to get what they want any way they can. For the internet to hold its current integrity both will have to remain.
Do not wright in this space.
It is amazing to me as a Canadian to look at Americans and see the total fear and distrust that you have for your government. In Canada, especially out west, we dislike our government, and feel out of control, but we do not fear or distrust it.
Both governments have their flaws, but both are very democratic. If anything, the power that the Canadian federal government has over its citizens is more than that of its American counterpart. The American government is also better suited to avoid situations of abuse of power, while the Canadian system emphasises speed.
This leads me to wonder why Americans fear their government so much. The only explanation that I can find on the side of the government is that, because of the size and power of the country, it has the potential to do so much. However I have difficulty believing that this is the cause.
This leads me to believe that it is not the government that causes this fear and distrust, but the overall attitude of the people. From a fairly liberal, outsider perspective, it would seem that the paranoia that Americans see, is not caused by abuses of the government, but by the fear of the people that they will happen.
If you look at your arguments, they have no reason. Why does the state want violence, why do they want to spy on you, why do they want a monopoly on this? When there are really, rational answers, then your idea may have grounds, but for now it's just hearsay.
I buy stuff on there all the time. If they're pulling any crap I am going somewhere else ASAP.
--- Grow a pair, liberals... stop letting the Republicans bully you!
I thought the same thing when I read this-namely that maybe they really were debugging a problem and captured the emails.
;)
This made me think of a question:
If you were having problems with snail mail getting routed to your house the post office would have to investigate, and to do so they would have to maybe look at your mail--not the contents mind you, but the envelope. It seems to me that there is a need for a similar protection for email.
Yes, encryption is an option, and had everyone been using it, they couldn't have claimed a privacy invasion
But seriously, what would the technical difficulty be for an addition of what amounts to a protocol version of envelope glue? In other words, something in the header that allows decryption of the body--but only once. That way the receiver does not have to publish a key, and yet has knowledge that their mail was tampered with. Something like an extension of a digital signature.
Is this at all practical? Is this even different from a signature? I am not fully versed in the nuances of encryption, and I know that many here are, so I thought I would put this out as an idea.
The advantage of such a scenario would be that online companies such as Amazon could seal their emails, and not have to have their recipients do anything.
We are agents of the free
My radio scanner picks up cell phone calls that are BROADCASTED IN THE CLEAR. This is legal (I'm in BC, Canada). Why shouldn't it be legal to listen in on data BROADCASTED OVER THE INTERNET IN THE CLEAR?
I suppose this would make potential lost messages unrecoverable, but the problem could be identified and solved without loss of privacy.
Anyone know if they were able to demonstrate that there had been a problem somewhere? Perhaps they accidentally interrupted the Amazon e-mail when they installed their sniffer!
Both of you are basically trying to separate the routing info needed to debug MTA problems from the contents of an email....
This separation is already in place. Per the RFC responsible for mail formatting and stream protocol (eight hundred and something I think) the format of a message is:
From ???@???
[headers]
[blank line]
[body]
.
where [headers] is zero to one headers of the form key=value, with second and higher lines of a multiline entry beginning with a tab.
and [blank line] is defined as exactly that... an empty line. [body] then is whatever is in your email.
The top half of that, [headers] is the part needed for debugging; there are even scripts that will strip out everything except the headers for this very purpose. I think sendmail even has a configure option that will copy the headers of all messages to a log file.
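The header/body split this comment describes, as an added example that is not part of the original thread: it pulls only routing fields out of a raw message for debugging and records nothing from the body except its size. It uses the `Name: value` field syntax and space-or-tab continuation lines of RFC 822; the `ROUTING_FIELDS` set, the function names and the sample message are constructed for illustration.

```python
# Added example: keep what is needed to trace delivery, discard content.

# Fields treated as routing information (an assumed set; Subject is left
# out on purpose because it is written by the sender as content).
ROUTING_FIELDS = {"received", "return-path", "message-id", "from", "to", "date"}


def split_headers(raw: bytes):
    """Return (header_block, body), split at the first empty line.

    Accepts CRLF or bare LF. With no empty line, everything is header
    and the body is empty; a leading empty line means zero headers.
    """
    data = raw.replace(b"\r\n", b"\n")
    if data.startswith(b"\n"):
        return b"", data[1:]
    head, _sep, body = data.partition(b"\n\n")
    return head, body


def unfold(header_block: bytes):
    """Join continuation lines (leading space or tab) onto their field."""
    fields = []
    for line in header_block.split(b"\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b" " + line.strip()
        elif line:
            fields.append(line)
    return fields


def routing_summary(raw: bytes):
    """Build a loggable summary that never contains body text."""
    head, body = split_headers(raw)
    summary = {"envelope_from": None, "fields": [], "body_bytes": len(body)}
    for index, line in enumerate(unfold(head)):
        # An mbox-style "From " separator can only be the very first line.
        if index == 0 and line.startswith(b"From "):
            sender = line[5:].split(b" ", 1)[0]
            summary["envelope_from"] = sender.decode("ascii", "replace")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line: skip it, do not log it
        key = name.strip().decode("ascii", "replace")
        if key.lower() in ROUTING_FIELDS:
            summary["fields"].append(
                (key, value.strip().decode("ascii", "replace"))
            )
    return summary


# Constructed sample: the body deliberately starts with a line that looks
# like a header, to show that nothing after the blank line is parsed.
SAMPLE = (
    b"From orders@bookstore.example Mon Nov 22 10:15:00 1999\r\n"
    b"Received: from mx.bookstore.example (mx.bookstore.example [192.0.2.10])\r\n"
    b"\tby mail.isp.example with SMTP id A1B2C3;\r\n"
    b"\tMon, 22 Nov 1999 10:15:02 -0500\r\n"
    b"Message-ID: <19991122.0001@bookstore.example>\r\n"
    b"From: orders@bookstore.example\r\n"
    b"To: dealer@isp.example\r\n"
    b"Subject: Your order has shipped\r\n"
    b"\r\n"
    b"Received: this line is body text, not a header\r\n"
    b"Card ending 0000, ship to 1 Example St.\r\n"
)

if __name__ == "__main__":
    result = routing_summary(SAMPLE)
    print("envelope from:", result["envelope_from"])
    for key, value in result["fields"]:
        print(f"{key}: {value}")
    print("body bytes (not logged):", result["body_bytes"])
```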
However, ISPs have not been granted common carrier status. As such, they are simply private companies who sell a pipe to other companies (and eventually to users) to carry data. They fully own the network cabling and have every right to examine the data they're paying to transport. ISPs have been shut down for having kiddie pr0n and w4r3z on their news spools. So if they're responsible, why not have the RIGHT TO SNOOP?
Gov't wants to have it in their favor both ways (duh). They want ISPs to be held accountable for content (a la CDA) yet want them not to snoop and to open their lines up to competitors (see AOL attempt to require cablemodem providers to open their lines). A decision must be made. Give a free ride to the peddlers of pedo pr0n and w4r3z exchange, or give ISPs the right to listen in on everything. What's it gonna be Mr. Fed?
AFAIK it's still fairly common practice for ISPs to include in their usage agreements something along the lines of "You can be monitored, and there really isn't much you can do about it".
It may be in your agreement, but the Electronic Communications Privacy Act of 1986 (ECPA) overrides it for e-mail. An ISP cannot monitor or intercept your e-mail. This is different from businesses; ECPA applies only to the ISP-customer relationship, not the employer-employee relationship. "Necessary incident[s] to the rendition of service" are exempted (e.g. the aforementioned sendmail queue debugging), as is protecting the rights or property of the ISP.
Isn't it a current legal precedent for ISPs and other people in similar situations to basically be held legally responsible for what's on their servers?
The other way around. Section 230 of the Telecommunications Act of 1996 states that ISPs cannot be held liable for their members' actions, pages, etc. See Doe v. AOL and Zeran v. AOL.
I used to work for a pretty big ISP and I got hundreds of bounced messages (that get bounced to postmaster) sent to me every day.
If it was your own default sendmail config that sent all copies of bounces to postmaster, including contents, then yes, I'd say that's pretty risky. If other sites were sending you these as "bounced bounces", then you weren't the one doing the intercepting.
Jay Levitt
Chief Architect, AOL Mail
Drawing on my job, but speaking for myself
As a person who is regularly after rare stuff, and also as a person that understands that sending an e-mail is like sending a postcard, I'd have to say that I can't believe anyone cared about the action, nor can I believe the fine imposed.
I believe, even expect, that any buying patterns I display at any store will be bought and sold like a commodity. What's more, any place that can actually supply the obscure stuff I'm after is a God-send.
When I'm after a product and I send some e-mails off, I want them to cross as many desks as possible in the hope that someone can help me obtain the item.
Are stores no longer allowed to pass on requests to other organisations? "I asked you for this product, I didn't give you permission to ask anyone else on my behalf." That's nuts.
What happened to a community working together? Is networking illegal? Why does everyone want to be an island? Why are people so quick to sacrifice the good effects of sharing data just on the off-chance that something "private" reaches "bad" people...?
--
Actually, doing something like this would only add a false sense of security. If I were a malicious mail admin, I could capture a copy of your message, use the info in the header to unwrap the message, and you'd never be the wiser.
The reason this analogy breaks down is that in physical postal mail, there is one physical object being delivered. In e-mail, it is a stream of data that is being replicated across many systems (and generally deleted from each system after it gets passed to the next one).
Frankly, if it is illegal to look at email messages for the purpose of debugging mail routing problems, I'm in deep doo-doo, because I and my staff do it on a regular basis. We have no interest in the content of the message, and we have no intent to monitor content, but the fact is that 99% of e-mail messages have plaintext content attached to the headers that we need to read to be able to debug routing issues.
the french are a bunch of pansy punkasses