Slashdot Mirror
Bookseller Intercepted Email
jconley writes "In this somewhat scary story, an online rare book dealer,
Alibris,
intercepted e-mail between its clients and Amazon.com. It amounts to online wiretapping." Read the story at
CNET.
Alibris pled guilty but says (basically) it was a misunderstanding.
The penalty: a quarter-million dollar fine - are other corporations paying attention?
I'd be (for some reason that hasn't occured to me) inclined to give them the benefit of the doubt in this case; after all, a rare-bookseller probably has little competition with someone like Amazon. However, an interesting line was
Alibris admits to the wrongdoing but said it gained no commercial advantage because it already knew what its customers were buying.
Hands up everyone out there who lets their email provider know what books they buy from Amazon.
The article didn't say much about the company's agreements with its clients. But unless they violate their stated privacy policy or otherwise violate thier legal agreements, is it really illegal? I mean, your boss can read your email at work and get away with it because they claim property over the network. It's a privacy invasion, but it's beyond the scope of the law. Now, if someone was reading network traffic on a network that they didn't own, that would be completely different. From the article, it looks like they were trying to have copies sent to them, and screwed up and had the mail sent only to them instead. I could see some sendmail newbie making that mistake pretty easily.
Maybe I'm missing something here, but it sounds to me that the "intercepted" messages were ones sent to Alibris' email clients. Isn't it pretty standard by now for all email providers to say, "Hey, by the way, your email may be monitored"? Users know that their providers may be seeing their "private" messages. And anyone sending a message should understand that, too.
I understand the alleged motive, since they are a competitor of Amazon, but what if this had been messages from a non-competitor? Would they have been charged the same?
According to chief executive Martin Manley, the company broke the law when it tried to rectify complaints from some clients who said they weren't receiving email messages from Amazon. In tracking such messages to determine the problem, the company unlawfully captured the messages, although Manley said it did not read them.
Okay, let's first set the ground rules here...
According to their web site, Alibris is not wholy a bookstore.
Alibris uses the Internet to enable hundreds of independent booksellers around the world to sell treasured books to consumers, libraries, wholesalers, and retail stores.
My guess is that the predecessor of Alibris mostly specialized in a book-finding service.. Anyone have any information on that?
Anyway, looks like the e-mail system they had allowed users to get an email with them to try to find old and rare books and so forth. Sounds kinda cool actually.
Probably they had some mail problems with Amazon, and set the thing to intercept messages to see what was wrong.
I'd give them the benefit of the doubt. An e-mail provider must be able to look at messages to resolve problems in routing or what have you. Perhaps not actual message content, but that's hard to distinguish, since the info they need and the info that should be private are not wholly separated.
---
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
You have given up your anonymity, not your privacy.
The two are separate concepts. For example, your medical records are private but not anonymous. And someone distributing a "hidden cam" video of you violates your privacy even though you remain anonymous.
As we lose our anonymity, we must insist that it be replaced by privacy.
The 'book reseller' also owned an operated a small ISP. The FBI found files on their systems from several other area ISP's. They had managed to break into the sites and steal /etc/passwd and /etc/shadow. The had several thousand 'access codes' in their possession. I think the $250k fine was enough.
One of the people invovled is a selecmen for a nearby town. It is amazing what some people will stoop to to get ahead in business.
I know all this because I live in the area...
The government cares about such invasions of privacy on the part of individuals and corporations because, quite frankly, it encroaches upon the prerogative of the state. Just as the state is to have a monopoly on violence in society, so is the state wish to have a monopoly on the invasion of privacy: Echelon, et al. Just as common murder challenges the king's authority as the only legitimate source of death within his realm, so does common wiretapping do as much in this matter.
Hopefully, we can concentrate all of these atrocities within the state and then geld the state with constitutional amendments, as we have in the US concerning torture and the constitutional prohibition against cruel and unusual punishments. Alas, my cynicism would counsel otherwise.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Wrong on both counts.
You should have read the fine print on the form you signed to get health insurance, which essentially gives your insurers (and anyone they choose to share it with) full access to your medical records.
Likewise, there are no laws prohibiting video-only surveilance in the USA. There are laws that state your likeness can't be used for commercial purposes without your permission, but that's not the same thing, and is a property, rather than privacy protection. It doesn't give you the right to compensation, for example, if your image appears in a news photograph.
There is virtually no privacy protection in this country, beyond the (mostly gutted) Fourth Amendment.
-Isaac
I am not a lawyer, and this is not legal advice. For Entertainment Purposes Only.
Sounds like a waste of everyone's time.
I think that regardless of fault or motive in this case, it underscores an essential point that has been lost in all the new economy, "all services will be free and subsidized by advertising", hype: trust.
As email becomes an increasingly important tool of the masses (this is your dad's email!), we're going to see more issues like this. When someone signs up with Juno or Hotmail or Email.com or Yahoo! mail or any of 200 other free email services, they are putting all that personal, private data in someone else's hands. I argue this point with many people, and they say, "I don't care... there's nothing important in my email, anyway." They are, of course, missing the point. What if you're emailing your doctor about your HIV infection and your email provider (or an employee within them... the company doesn't have to be the culprit necessarily) turns you in for a bounty to your insurance company. I mean, really, it's like using a company phone... you're personal correspondence is on resources that you do not control. Needless to say, this doesn't surprise me in the least and I think this is only the tip of the iceberg. As we have seen in the excellent accounts of the failures of Truste, these companies are willing to go to great lengths to collect this data, and I wouldn't put it past to change their "privacy" policy to include the fact that they can use the content of your messages for whatever they choose; they would take this step and not bother to inform their users.
I don't want to get off on a rant here... so I won't. I was beginning to get a little too lunatic fringe there.
The point is that people need to made aware they need to have trust in their providers. Call me a little paranoid, but my email ends up on a box sitting on one end of DSL line in a friend's apartment. The box runs OpenBSD and is tighter than a frog's ass. I know who runs the box. I know who has accounts on the box. I trust them.
I'm not advocating an "everything must be encrypted" stance (but I wouldn't call it a bad idea). This is not a security issue so much as it is an issue of understanding the nature and motives behind the relationships this new age is birthing.
--
--
"In Cyberspace, no one can hear you be sarcastic"
My concern with this, is that plaintext e-mail isn't the same as post office e-mails. Those are sealed. I would argue that plaintext e-mail is akin to a postcard, anyone on the network CAN read it. In fact, the ISP HAD to intercept the e-mail electronically (there machines had to see a copy of it), so it's just a question of them logging it. If they log all the bits coming across their network, is that also a wire tap? It is THEIR network, how is it illegally wire tapping for them to monitor stuff on their network?
On the other hand, this makes the case for a need to replace plaintext e-mail. Plaintext e-mail may serve a purpose (you're out of town and go to a Cybercafe and fire off a quick, all is good, we arrived safely, take care, message), but real e-mail should be encrypted (placed in a sealed envelope) and signed.
Alex
Read the contract you "signed" for the service. Most ISPs frown on that sort of thing -- of course, that doesn't mean it cannot be done. Most modern cable modem hardware doesn't decode stuff not destined to it (MAC address filtering.)
Once when I was in college, the head sysadmin (bone head) had set his IP address to be the broadcast address. He was somehow surprised when I told him the root passwords.
Anyone who has administered email servers has to feel a real shiver going up the spine on reading this, because it is impossible to keep email flowing without engaging occasionally in just this sort of thing. When email starts behaving erratically you have to check oout the headers. With Sendmail type MTAs that means capturing and reading the email messages, because that's where they are found. And no matter how hard you try, you are going to read at least some of the content in some of those messages.
If this comes to be seen as illegal, it could mean very bad things for Internet email admins, and a lot of us who don't even admin anymore could find ourselves in deep doodoo.
Information is not Knowledge
You're absolutely right, everyone needs to start using encrypted email. A PKI (Public Key Infrastructure) will also be necessary - however, PGP doesn't provide one.
PKIs are designed to solve the problem of key exchange - we all trust a central authority to sign my key and verify that it actually belongs to me. PGP doesn't solve this problem. It relies on the user to establish his own unspoofable channel (e.g. face-to-face exchange) for verification of keys.
If you plan to use someone's PGP public key you MUST verify the signature with that person in an unspoofable way or the whole system falls apart. Thus PGP can't work for widespread communications security (Don't get me wrong - I use it and love it). Instead we need a real, traditional PKI. Which introduces many more problems (Who gets to sign certificates and who doesn't? If I notify them that my key has been compromised, how do they notify everyone who has that key? And so on.)
There's a whole industry built around this (and I work in it). There's no simple solution.
/* The beatings will continue until morale improves. */
Folks running ISPs and services like Alibris really should pay attention to the Electronic Communications Privacy Act of 1986. People sending mail, using cell phones and so forth actually DO have some privacy rights. It basically gives carriers the right to debug their services, but anyone disclosing or reading content like Alibris may have been in the absence of a court order is breaking the law.
While there is no rational expectation of Internet privacy because of the open nature of Internet protocols, it isn't a wide open free-for-all either.
both of you are basically trying to seperate the routing info needed to debug MTA problems from the contents of an email....
This seperation is already in place. per the RFC responsible for mail formating and stream protocol (eight hundred and something I think) the format of a message is:
From ???@???
[headers]
[blank line]
[body]
.
where [headers] is zero to one headers of the form key=value, with second and higher lines of a multiline entry begining with a tab.
and [blank line] is defined as exactly that... an empty line. [body] then is whatever is in your email.
The top half of that, [headers] is the part needed for debugging; there are even scripts that will strip out everything except the headers for this very purpose. I think sendmail even has a configure option that will copy the headers of all messages to a log file.