Bookseller Intercepted Email

jconley writes "In this somewhat scary story, an online rare book dealer, Alibris, intercepted e-mail between its clients and Amazon.com. It amounts to online wiretapping." Read the story at CNET. Alibris pled guilty but says (basically) it was a misunderstanding. The penalty: a quarter-million dollar fine - are other corporations paying attention?

As if Amazon's an angel...

[seebs]

Hah! Amazon complaining about people not respecting privacy.

What next, TRUSTe complaining about ineffectual watchdog groups? eBay complaining about Usenet spam?

It's possible...

[rde]

I'd be (for some reason that hasn't occured to me) inclined to give them the benefit of the doubt in this case; after all, a rare-bookseller probably has little competition with someone like Amazon. However, an interesting line was

Alibris admits to the wrongdoing but said it gained no commercial advantage because it already knew what its customers were buying.

Hands up everyone out there who lets their email provider know what books they buy from Amazon.

This is pretty unclear

[SendBot]

The article didn't say much about the company's agreements with its clients. But unless they violate their stated privacy policy or otherwise violate thier legal agreements, is it really illegal? I mean, your boss can read your email at work and get away with it because they claim property over the network. It's a privacy invasion, but it's beyond the scope of the law. Now, if someone was reading network traffic on a network that they didn't own, that would be completely different. From the article, it looks like they were trying to have copies sent to them, and screwed up and had the mail sent only to them instead. I could see some sendmail newbie making that mistake pretty easily.

intercepted messages

[mmmmbeer]

Maybe I'm missing something here, but it sounds to me that the "intercepted" messages were ones sent to Alibris' email clients. Isn't it pretty standard by now for all email providers to say, "Hey, by the way, your email may be monitored"? Users know that their providers may be seeing their "private" messages. And anyone sending a message should understand that, too.

I understand the alleged motive, since they are a competitor of Amazon, but what if this had been messages from a non-competitor? Would they have been charged the same?

Sounds like a screwup

[Otto]

According to chief executive Martin Manley, the company broke the law when it tried to rectify complaints from some clients who said they weren't receiving email messages from Amazon. In tracking such messages to determine the problem, the company unlawfully captured the messages, although Manley said it did not read them.

Okay, let's first set the ground rules here...

According to their web site, Alibris is not wholy a bookstore.

Alibris uses the Internet to enable hundreds of independent booksellers around the world to sell treasured books to consumers, libraries, wholesalers, and retail stores.

My guess is that the predecessor of Alibris mostly specialized in a book-finding service.. Anyone have any information on that?

Anyway, looks like the e-mail system they had allowed users to get an email with them to try to find old and rare books and so forth. Sounds kinda cool actually.

Probably they had some mail problems with Amazon, and set the thing to intercept messages to see what was wrong.

I'd give them the benefit of the doubt. An e-mail provider must be able to look at messages to resolve problems in routing or what have you. Perhaps not actual message content, but that's hard to distinguish, since the info they need and the info that should be private are not wholly separated.

---

I did not give up my privacy, I had it stolen

[FreeUser]

If you have a credit card, own a home, rent an apartment, have a drivers liscense[sic], or even a social security number, you've given up your privacy. It's just a matter of time until someone wants to take advantage of that fact.

I haven't "given up" jack. Had take from me, through deception, coercion, or force perhaps, but I in no way "willingly and knowingly" gave anyone permission to poke around in my private affairs, much less give or sell that information to others. But, living in the US of A, my privacy was sold against my will to every mass mailer and spammer on the planet long ago. (Indeed, I was getting junk mail years before I was an adult, and therefor too young by law to enter into any agreement allowing anything of the kind. Not that that stopped them, mind you.)

If you think I'm going to take such invasions of my privacy lying down, you have a rather nasty surprise in store.

See Private Citizen on how to at least curb one particular invasion of privacy which is all too common. (My only affiliation with them is as a very satisfied, paying "member"). It was the best $30.00 I ever spent, eliminating all of my junk mail and junk phone calls in one fell swoop.

Re:Not quite

[SlydeRule]

If you have a credit card, own a home, rent an apartment, have a drivers liscense, or even a social security number, you've given up your privacy.

You have given up your anonymity, not your privacy.

The two are separate concepts. For example, your medical records are private but not anonymous. And someone distributing a "hidden cam" video of you violates your privacy even though you remain anonymous.

As we lose our anonymity, we must insist that it be replaced by privacy.

**shudders**

[Denor]

Why does this give me a very bad feeling? More than the realJukebox thing, in fact (I never use that program anymore) I think the big issue here is of the intercepted e-mail. If I read the article correctly, they didn't prevent the mail from going where it needed to, they just read it and used it in their statistical surveys.

It still bothers me. Blocking e-mail altogether wouldn't be that far off, had this corporation not been taken to task. And even though they were, what's to prevent an e-mail provider from putting a clause in the contract so they could intercept at will? The PR would be something along the lines of:

ISP: We're doing this so we can catch those dirty, dirty pornographers trying to ensnare the innocents of the world.
REPORTER: You have pornographers on your network? ISP: Er... of course not! But they're a sly bunch, so we have to watch out for them!

Even better - a quick look up at the header of this message will show that I've got Hotmail as one of my e-mail providers. What if, suddenly, I had difficulty sending mail to linux-related sites? In view of what's happened here, I don't think that a step like what I'm envisioning is too far away, and that bothers me more than anything else.

They also broke into several small ISP's in area

As one of the people involved in this (on the good side)...

The 'book reseller' also owned an operated a small ISP. The FBI found files on their systems from several other area ISP's. They had managed to break into the sites and steal /etc/passwd and /etc/shadow. The had several thousand 'access codes' in their possession. I think the $250k fine was enough.

One of the people invovled is a selecmen for a nearby town. It is amazing what some people will stoop to to get ahead in business.

I know all this because I live in the area...

Cost of doing business

[WillAffleck]

Really, a fine of $250,000 is just a cost of doing business. The only thing is it's not deductible, due to being a fine.

Expect more of this - this is just the tip of the iceberg, the lone case where they got caught, not the majority of cases.

Just because you're paranoid, doesn't mean they're not spying on you ...

Here's why the government cares

[/]

The government cares about such invasions of privacy on the part of individuals and corporations because, quite frankly, it encroaches upon the prerogative of the state. Just as the state is to have a monopoly on violence in society, so is the state wish to have a monopoly on the invasion of privacy: Echelon, et al. Just as common murder challenges the king's authority as the only legitimate source of death within his realm, so does common wiretapping do as much in this matter.

Hopefully, we can concentrate all of these atrocities within the state and then geld the state with constitutional amendments, as we have in the US concerning torture and the constitutional prohibition against cruel and unusual punishments. Alas, my cynicism would counsel otherwise.

Re:Here's why the government cares

[lordsutch]

The monopoly of violence comes from the basic historical theory of how political units originally came to pass. I can't give any great citations, but the basic outline is:

1. Man lives in a state of nature. He uses violence to protect his property.
2. Men join together to collectively ensure their security.
3. Some man becomes the ruler.
4. This man, to consolidate this position, decides that only he can permit the use of violence to settle disputes. At least, I'm pretty sure how this theory works. It may come from Hobbes' The Leviathan. I know Locke makes similar points.

   Incidentally, I think the author has an interesting theory, and it would seem consistent with the government's actions with regard to crypto (which, after all, seeks a monopoly on the legitimate use of truly secure communications).

False!

[isaac]

You have given up your anonymity, not your privacy.

The two are separate concepts. For example, your medical records are private but not anonymous. And someone distributing a "hidden cam" video of you violates your privacy even though you remain anonymous.

Wrong on both counts.

You should have read the fine print on the form you signed to get health insurance, which essentially gives your insurers (and anyone they choose to share it with) full access to your medical records.

Likewise, there are no laws prohibiting video-only surveilance in the USA. There are laws that state your likeness can't be used for commercial purposes without your permission, but that's not the same thing, and is a property, rather than privacy protection. It doesn't give you the right to compensation, for example, if your image appears in a news photograph.

There is virtually no privacy protection in this country, beyond the (mostly gutted) Fourth Amendment.

-Isaac

Sounds like this is taken out of context

[JTB]

If I understand correctly, what happened went like this:

• The defendent provides a service to help people find rare books, via email. For example, Customer X tells the defendant, "I want an original manuscript of Plato's Republic. Please contact online booksellers and have them contact me if they have this book."
• The defendent contacts many online booksellers telling anyone with an original manuscript of Plato's Republic to email Customer X.
• Customer X doesn't get any responses from Amazon, and contacts the defendant saying, "Hey, I'm not getting any messages from Amazon."
• After several Customer Xs complain, the defendant attempts to figure out why messages from Amazon aren't going through, so they capture messages sent from Amazon to their users. Not for the purpose of reading them (because we already know what Customer X wants to buy), but for the purpose of seeing where the messages die.
• Someone throws a hissy-fit, a federal judge steps in, and $250,000 later, we can all go back to being productive.

Sounds like a waste of everyone's time.

Interesting

[jd]

But how will this play out, in the longer term? In this case, any interception was not only unnecessary (even if you believe the defence), illegal, but also utterly unethical, at best.

Now, let's see what happens if you generalise to the usual extremes politicians, the media and the more vocal populace love to do. Should radio telescopes and SETI be banned, in case they accidentally intercept e-mails or other private communications? Never mind their setup can't process any such information, but sufficiently litigenous plebs with good enough lawyers might give it a go.

Not at all

[Dacta]

If you send something via FedEx, do you expect to have it read?

Of course, that is slightly different, because in that case, your parcel is sealed, and FedEx would have top breck that seal. Now, at least, it is obvious that an email has the same protection - this decision (it seems to me) means that your ISP must get your permission to read it, even to diagnose network faults.

Yes, this is slightly unrealistic for plaintext emails, but the point is that now you have a degree of protection against unauthorised reading of emails.

When you send email from work, that is different - by using the work facilities, you are acting as an agent of your company, and which means that all access to your emails is handled by company policy - in the same way a company can make a rule about its employees not reading thing in other peoples offices.

PS: I'm not a lawyer, so basically I made all this up. It might be somewhat correct, though.

--Donate food by clicking: www.thehungersite.com

Can anyone say PKI?

[Dwarf_Sibling]

This should be a wake up call to all the e-tailers out there that to protect your customers you should offer some kind of privacy enhanced e-mail / PKI solution. PGP seems the logical choice. Amazon could have a place to paste in your public key on your user profile so any correspondence could be encrypted if desired. Sure most people wouldn't use it, but at least it would be due diligence on the part of Amazon.

-DS

Lessons Learned

[regs]

I think that regardless of fault or motive in this case, it underscores an essential point that has been lost in all the new economy, "all services will be free and subsidized by advertising", hype: trust.

As email becomes an increasingly important tool of the masses (this is your dad's email!), we're going to see more issues like this. When someone signs up with Juno or Hotmail or Email.com or Yahoo! mail or any of 200 other free email services, they are putting all that personal, private data in someone else's hands. I argue this point with many people, and they say, "I don't care... there's nothing important in my email, anyway." They are, of course, missing the point. What if you're emailing your doctor about your HIV infection and your email provider (or an employee within them... the company doesn't have to be the culprit necessarily) turns you in for a bounty to your insurance company. I mean, really, it's like using a company phone... you're personal correspondence is on resources that you do not control. Needless to say, this doesn't surprise me in the least and I think this is only the tip of the iceberg. As we have seen in the excellent accounts of the failures of Truste, these companies are willing to go to great lengths to collect this data, and I wouldn't put it past to change their "privacy" policy to include the fact that they can use the content of your messages for whatever they choose; they would take this step and not bother to inform their users.

I don't want to get off on a rant here... so I won't. I was beginning to get a little too lunatic fringe there.

The point is that people need to made aware they need to have trust in their providers. Call me a little paranoid, but my email ends up on a box sitting on one end of DSL line in a friend's apartment. The box runs OpenBSD and is tighter than a frog's ass. I know who runs the box. I know who has accounts on the box. I trust them.

I'm not advocating an "everything must be encrypted" stance (but I wouldn't call it a bad idea). This is not a security issue so much as it is an issue of understanding the nature and motives behind the relationships this new age is birthing.

--

Re:Lessons Learned

[DiningPhilosopher]

I don't understand why control of the actual mailbox is so important when you can't possibly control all of the intermediate sites which relay your mail from one place to another... Okay, your ISP doesn't have direct access to the mail you've already received, but they could easily have records of everything coming and going one level up...

The only real solution is encryption. Any number of people can read your email as it goes through their servers - unless they need a key to do so. Until the use of strong encryption is widespread we'll all be sending our mail on postcards.

privacy on BBS's/web-hosted email

[anonymous+loser]

I am uncertain how the company is at fault. It seems like they offer email as a service to customers, and are being blamed for debugging their service.

I can also recall a time before the internet, when users were warned that public and private messages stood the chance of being monitored or reviewed at any time. I don't see how this case is different.

Need for secure e-mail

[alexhmit01]

My concern with this, is that plaintext e-mail isn't the same as post office e-mails. Those are sealed. I would argue that plaintext e-mail is akin to a postcard, anyone on the network CAN read it. In fact, the ISP HAD to intercept the e-mail electronically (there machines had to see a copy of it), so it's just a question of them logging it. If they log all the bits coming across their network, is that also a wire tap? It is THEIR network, how is it illegally wire tapping for them to monitor stuff on their network?

On the other hand, this makes the case for a need to replace plaintext e-mail. Plaintext e-mail may serve a purpose (you're out of town and go to a Cybercafe and fire off a quick, all is good, we arrived safely, take care, message), but real e-mail should be encrypted (placed in a sealed envelope) and signed.

Alex

Re:tcpdump shows all sorts of stuff on my cablemod

[Cramer]

Read the contract you "signed" for the service. Most ISPs frown on that sort of thing -- of course, that doesn't mean it cannot be done. Most modern cable modem hardware doesn't decode stuff not destined to it (MAC address filtering.)

Once when I was in college, the head sysadmin (bone head) had set his IP address to be the broadcast address. He was somehow surprised when I told him the root passwords.

This really is scary

[webster]

Anyone who has administered email servers has to feel a real shiver going up the spine on reading this, because it is impossible to keep email flowing without engaging occasionally in just this sort of thing. When email starts behaving erratically you have to check oout the headers. With Sendmail type MTAs that means capturing and reading the email messages, because that's where they are found. And no matter how hard you try, you are going to read at least some of the content in some of those messages.

If this comes to be seen as illegal, it could mean very bad things for Internet email admins, and a lot of us who don't even admin anymore could find ourselves in deep doodoo.

It's YOUR responsibility

[Erik+Hollensbe]

I used to run a BBS, and as many of you older BBSers would know the system operator is prosecutor, not the actual offender.

So, with almost EVERY request for a user account, you would get displayed a copy of the electronic privacy act.

So, if you wanted your messages encrypted you did it yourself, that way the system operator would not be at fault, as the offender took specific measures to slip past the operators' "view".

So, use encryption, use PGP, but don't expect others to act to a "code of privacy", especially if guys with badges start coming into their offices.

Postal form to stop junk mail

[Larry_Dillon]

FYI: On www.privatecitizen.com they talk about:

"We also send our members a copy of a little known Postal Service form that many call `The Ultimate Junk Mail Weapon'."

That form is PS Form 1500, available at any US Post Office. It was actually designed to stop porn, but the Supreme Court ruled that it applies to any mail, or, to put it another way, offensive is in the eye of the beholder.

A 'socialist' country's policy

[Nicolas+MONNET]

In France, the penalty for snooping on someone's email, be he your boss, your ISP, your neighbour or a policeman (w/o a warrant, of course) is ... jail time. If I remember properly, up to three years -- since according to the jurisprudence, which was established years ago thanks to the Minitel, it's considered to be the same as robbing one's snail mailbox.

Me thinks it's appropriate ...

--

PGP != PKI

[DiningPhilosopher]

You're absolutely right, everyone needs to start using encrypted email. A PKI (Public Key Infrastructure) will also be necessary - however, PGP doesn't provide one.

PKIs are designed to solve the problem of key exchange - we all trust a central authority to sign my key and verify that it actually belongs to me. PGP doesn't solve this problem. It relies on the user to establish his own unspoofable channel (e.g. face-to-face exchange) for verification of keys.

If you plan to use someone's PGP public key you MUST verify the signature with that person in an unspoofable way or the whole system falls apart. Thus PGP can't work for widespread communications security (Don't get me wrong - I use it and love it). Instead we need a real, traditional PKI. Which introduces many more problems (Who gets to sign certificates and who doesn't? If I notify them that my key has been compromised, how do they notify everyone who has that key? And so on.)

There's a whole industry built around this (and I work in it). There's no simple solution.

Re:PGP != PKI

[MikeBabcock]

I take it that you don't understand the web of trust model. The idea that PGP implements is to allow anyone to trust anyone else, regardless of their 'status' -- that is, there are no certificate authorities. However, because I can trust your signed keys, I can inherently trust a key that has your signtature attached. In fact, I could trust someone's key because it was signed by someone whose key was signed by someone whose key was signed by you (who I trust). This kind of 'friend trusts friend trusts friend' model is very useful if a large number of people are using the system. Within a closed system such as a company, keys get signed quickly because of close proximity to each other. Each of these people may know and trust a few other people on the Internet (say, 3). If there are 50 people at a company using PGP who have all signed each others' keys and trust those people to sign others' keys responsibly (two different trust settings), then there is an automatic infrastructure of 150 people trusting each other through the company people (not including the latter group).

With high percentages of PGP/GPG usage, there is a good web of trust established and a public key infrastructure in the hierarchial sense is not needed. However, a trusted "root" authority can establish themselves (Thawte is one such authority) and sign PGP keys, allowing everyone to trust their key, and implicitly trust others' keys.

Both models are usable under a web of trust model; don't discount PGP so easily.

- Michael T. Babcock <homepage>

Re:PGP != PKI

[DiningPhilosopher]

I most certainly do understand the web of trust model. I'm a PGP user and I develop cryptographic software professionally.

The PGP trust model is quite clever and works well for groups of people (e.g. friends, coworkers, etc.). I personally find PGP to be very good at what I use it for. However, the web of trust is no substitute for a real PKI with one or more trusted roots. Every time you contact someone with whom you've never communicated (and with whom the people you trust have never communicated) you need to establish a secure channel, like a phone call. This gets very tiresome if secure communications are widespread. If you don't believe me, think of the trouble of contacting a tech support organization or operating a large mailing list...

Worse yet, try explaining all of this to your grandmother, who has just acquired a new email account. She may not understand the concept of "mouse", let alone public key cryptography. If we want everyone on the system it has to be self-operating. PGP just isn't. (By the way, if you need to trust an organization like Thawte to sign keys you've stepped into the realm of PKI)

Electronic Communications Privacy Act

[the+eric+conspiracy]

Folks running ISPs and services like Alibris really should pay attention to the Electronic Communications Privacy Act of 1986. People sending mail, using cell phones and so forth actually DO have some privacy rights. It basically gives carriers the right to debug their services, but anyone disclosing or reading content like Alibris may have been in the absence of a court order is breaking the law.

While there is no rational expectation of Internet privacy because of the open nature of Internet protocols, it isn't a wide open free-for-all either.

Very Unclear

[chown]

That article was very unclear. Several other people have pointed this out as well, but I've got some insight on a personal level.

ASFAIK it's still fairly common practice for ISPs to include in their usage agreements something along the lines of "You can be monitored, and there really isn't much you can do about it". Not that I'm saying that's the way things should be, but I'd expect to see some lawsuits challenging the validity of those agreements. Have there been any that any one has heard of? What were the outcomes, if any?

What I mainly am worried about is the criminal implications this may have. I don't know a lot about criminal law, so somebody please correct me if I'm wrong. Isn't it a current legal precedent for ISPs and other people in similar situations to basically be held legally responsible for what's on their servers? I think that's at least the case for web pages, I don't know if maybe there's an exception to the rule for email, since it's supposedly "private". I'm just scared that if sometime in the near future (god forbid, but for argument's sake) if Joe Terrorist blows up a building somewhere in the U.S. and it's determined that he planned the whole thing using email.

Now, if the ISP who handled the email can be found criminally negligent for letting such material go across their network, yet can also be sued for invading someone's privacy if they monitor it, where does that leave us?

Also, what about mail admins? I used to work for a pretty big ISP and I got hundreds of bounced messages (that get bounced to postmaster) sent to me every day. Most of them I just deleted, but I did have to look through them to attempt to diagnose certain problems. And it's pretty hard to look through a message and not notice the body, sure it can be done, but you don't really think about it at the time. Especially if the contents of said message are "Please transfer $1.5 Million into account XXX-XXX-XXX from account XXX-XXX-XXX" (that was actually in a bounced message I saw once). I mean that just opens up a whole world of hurt if you're in that position. Hopefully just seeing it wouldn't violate any laws, but this whole area of law is so murky...

Something to think about I guess.

Re:Very Unclear

[TheGreek]

Especially if the contents of said message are "Please transfer $1.5 Million into account XXX-XXX-XXX from account XXX-XXX-XXX" (that was actually in a bounced message I saw once).

Watch it, buster! You may be fined $250,000!!!!!

This was no accident

The article makes it sound like the email capturing was by mistake. I know everyone involved. and I know it was not done by accident. The sys-admins did do many bone-headed things in the past but they didn't screw up and capture e-mail by accident.

Also not mentioned in the article is the subsidiary ISP (www.valinet.com) which they owned and operated and the hacking they attempted in the area. The ISP has recently been sold to another party, I hope they don't get killed because of the bad press.

The local press here (Western MA) is having a field day with this

Atrocities within the state?

[THB]

It is amazing to me as a Canadian to look at Americans and see the total fear and distrust that you have for your government. In Canada, especilly out west, we dislike our government, and feel out of control, but we do not fear or distrust it.

Both governments have their flaws, but both are very democratic. If anything, the power that the Canadian federal government has over it citizans is more than that of its American counterpart. The American government is also better suited to avoid situations of abuse of power, while the Canadian system emphsises on speed.

This leads me to wonder why Americans fear their government so much. The only explanation that I can find on the side of the government is that, because of the size and power of the country, it has the potental to do so much. However i have difficulty believing that this is the cause.

This leads me to believe that it is not the government that causes this fear and distrust, but the overall attitude of the people. From a fairly liberal, outsider perspective, it would seem that the parinoia that Americans see, is not caused by abuses of the government, but by the fear of the people that they will happen.

If you look at your arguments, they have no reason. Why does the state want violence, why do they want to spy on you, why do they want a monopoly on this. when there are really, rational answers, then your idea may have grounds, but for now it's just heresay.

Re:Atrocities within the state?

[THB]

Or maybe it's an understanding of history. In this century more people have been killed by their own governments than by all wars combined.

I would really like to know one time in the history of you country, or mine for that matter, when large numbers of people have been killed by the government against the will of the people.

The only real time that I can think of would have been when the United States expanded west, but there was really no objection to it on a large scale, even though people knew about it. It would also be difficult to say that this was not a war, as the people they were fighting did not want to be part of the country. I have not studied American history to a great extent, but if it did happen, please enlighten me.

I do however still stand by my original point, and the fact that a democratic government is only a refection of the people who elect it.

Re:Atrocities within the state?

[THB]

Very interesting, however i must point out that in every case that you mentioned of governments that turned the will of the people into something bad, of which I could name several more, including Nazi germany and pinochets(sp?) rule, were all radical regimes of which the United States is not. It is easy to complain about how slow your governmnet is, but it has maintained stability under uncertain conditions for over 200 years which is a very important accomplishment.

Re:Atrocities within the state?

[lordsutch]

If anything, the power that the Canadian federal government has over itz citizens is more than that of its American counterpart.

I suspect that the Canadian federal government actually has less power over its citizens than the American one. Many perogatives that the US federal government has arrogated onto itself (particularly in the field of social insurance) are jealously guarded by Canadian provinces. Canada's federal government basically governs by carrot (big cash handouts to the provinces), whereas America's mostly governs by the stick. Granted, there are exceptions (the 21-year drinking age was nationalized in the US by tying it to federal transportation funding).

In any event, the RCMP hasn't taken to the practices of shooting pregnant women, leading assaults against non-traditional religious groups, and bursting into peoples' homes and killing elderly men for no reason, all in the supposed interest of protecting society from the evils of guns and drugs. I suspect if the RCMP behaved as our "law enforcement" authorities did, many more Canadians would be afraid of their government (and particularly of their efforts to disarm the populace, in order to further ensure the state's monopoly of violence).

seperate parts of messages

[cabbey]

both of you are basically trying to seperate the routing info needed to debug MTA problems from the contents of an email....

This seperation is already in place. per the RFC responsible for mail formating and stream protocol (eight hundred and something I think) the format of a message is:

From ???@???
[headers]
[blank line]
[body]
.

where [headers] is zero to one headers of the form key=value, with second and higher lines of a multiline entry begining with a tab.

and [blank line] is defined as exactly that... an empty line. [body] then is whatever is in your email.

The top half of that, [headers] is the part needed for debugging; there are even scripts that will strip out everything except the headers for this very purpose. I think sendmail even has a configure option that will copy the headers of all messages to a log file.

Re:seperate parts of messages

[gorilla]

The "From ???@???" isn't part of the RFC822 message, it's added by the local delivery agent to convert a RFC822 message to mbox format.

This isn't to be confused with the 'From:' header, which is of course part of the RFC822 message.

Legalities of interception

[Jay+L]

ASFAIK it's still fairly common practice for ISPs to include in their usage agreements something along the lines of "You can be monitored, and there really isn't much you can do about it".

It may be in your agreement, but the Electronic Communications Privacy Act of 1986 (ECPA) overrides it for e-mail. An ISP cannot monitor or intercept your e-mail. This is different from businesses; ECPA applies only to the ISP-customer relationship, not the employer-employee relationship. "Necessary incident[s] to the rendition of service" are exempted (e.g. the aforementioned sendmail queue debugging), as is protecting the rights or property of the ISP.

Isn't it a current legal precedent for ISPs and other people in similar situations to basically be held legally responsible for what's on their servers?

The other way around. Section 230 of the Telecommunications Act of 1996 states that ISPs cannot be held liable for their members' actions, pages, etc. See Doe v. AOL and Zeran v. AOL.

I used to work for a pretty big ISP and I got hundreds of bounced messages (that get bounced to postmaster) sent to me every day.

If it was your own default sendmail config that sent all copies of bounces to postmaster, including contents, then yes, I'd say that's pretty risky. If other sites were sending you these as "bounced bounces", then you weren't the one doing the intercepting.

Jay Levitt
Chief Architect, AOL Mail
Drawing on my job, but speaking for myself

Would many real users of such a service care?

[Kris_J]

As a person who is regularly after rare stuff, and also as a person that understands that sending an e-mail is like sending a postcard, I'd have to say that I can't believe anyone cared about the action, nor can I believe the fine imposed.

I believe, even expect, that any buying patterns I display at any store will be bought and sold like a commodity. What's more, any place that can actually supply the obscure stuff I'm after is a God-send.

When I'm after a product and I send some e-mails off, I want them to cross as many desks as possible in the hope that someone can help me obtain the item.

Are stores no longer allowed to pass one requests to other organisations? "I asked you for this product, I didn't give you permission to ask anyone else on my behalf." That's nuts.

What happened to a community working together? Is networking illegal? Why does everyone want to be an island? Why are people so quick to sacrifice the good effects of sharing data just on the off-chance that something "private" reaches "bad" people...?