homepage Welcome to WebmasterWorld Guest from 23.20.34.25
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Accredited PayPal World Seller

Visit PubCon.com
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque & physics

Webmaster General Forum

    
Your ISP Can Legally Read Your Email
bakedjake




msg:361649
 6:32 pm on Jun 30, 2004 (gmt 0)

The First Court of Appeals in Massachusetts ruled that Bradford C. Councilman did not violate criminal wiretap laws when he surreptitiously copied and read the mail of his customers in order to monitor their transactions.

[wired.com...]

 

grelmar




msg:361650
 6:49 pm on Jun 30, 2004 (gmt 0)

That was the printer friendly version of the story, I'm guessing that has something to do with how the ads showed up. (it does look neat, thought). Wired proibably also gets leeway in how it presents Google Ads in ways the rest of us don't.

My first thought on this was "This is news?" My second thought was "Kinda makes the GMail controversy irrelevant."

RonPK




msg:361651
 10:44 pm on Jun 30, 2004 (gmt 0)

[..] he did not intercept them while they were in transit over wires and therefore did not violate the Wiretap Act[..]

Seems like a legal technicality to me, which can easily be fixed by amending the Act.

Off course, for that to happen, the US Congress would need to defy today's "anti-terror" hype.

plumsauce




msg:361652
 10:50 pm on Jun 30, 2004 (gmt 0)


I read the linked story, but not the judgement.

This seems to be a case of bad law where the argument was not sufficiently well prosecuted. Routers have storage, and yet would be easily understood to be a communications device. If the mail server had been properly presented as a *communications processing device*, in patent speak, then the case might well have gone the other way.

What the prosecutor failed to do was present the judges with a tenable hook upon which to hang a favourable judgement. In other words, the prosecutor failed to do his job properly.

The majority ruling was a very narrow interpretation of what a wire is. The dissenting judge had it right. Most readers here will understand the distinction, the courts have to catch up. Indeed, many members of the public can discern the intent of the law as opposed to this narrow interpretation.

It may well be that this was a low profile case that will go away once a higher profile case is litigated.

Teknorat




msg:361653
 11:23 pm on Jun 30, 2004 (gmt 0)

Time to invest in some encryption technologies.

kaled




msg:361654
 11:49 pm on Jun 30, 2004 (gmt 0)

Accordingly, voicemail can be legally tapped too by the telecoms companies. I wonder how the judges would feel about having their messages tapped.

Nevermind, in the UK, the Government tried to introduce a law a few years ago that would allow, amongst others, local government officers the right to view your emails, not to mention the police and fire service, without any sort of court warrant.

Kaled.

Andy_Abbott




msg:361655
 12:19 am on Jul 1, 2004 (gmt 0)

I find it unreasonable that a judge can suddenly become an electronics expert in defining that a message stored in RAM as not being in a wire in transit.

Digital computers are still circuits and circuits are 'wires' that conduct electricity, there is nothing that stipulates the speed of a piece of information moving in a wire is relevent.

If the data is in cached memory (swopped onto hard disk) there might be an arguement but this isn't particularly reasonable either.

ControlEngineer




msg:361656
 12:48 am on Jul 1, 2004 (gmt 0)

Reading over the decisionUS v Councilman [caselaw.lp.findlaw.com ] (US Court of Appeals, 1st circuit.) and the statutes, it looks like that the defendant could not be convicted. One of the most important principles is that the prosecution must prove beyond a reasonable doubt the facts of the case (not really in dispute here) and the law must clearly make the act illegal (it is far from clear). The wiretap law is about wiretaps. No wires were tapped.

There is also a law about "unlawful access to stored communications" (18 U.S.C. § 2701) but there is an exception at §2701(c)(1)that exempts "the person or entity providing a wire or electronic communications service".

The person who read the e-mail was not an ISP but was someone who ran a business (books) and provided e-mail service to others in the same business. A leason to be leaned is that you should not have e-mail service through someone who has a strong business motive to read your e-mail.

The law may be changed in the future. However, that would only do any good if the snoop was caught and the facts could be proved beyond a reasonable doubt.

It would also help to make sure any e-mail account was covered by a contract in which the provider agreed not to read or disclose the e-mail, with strong penalties as part of the agreement. The proof needed in civil cases is not as much as in criminal cases.

More importantly, if you are in the widget business, be very careful about using email provided as a service by someone else in the widget business. If you are an independent widget dealer and your email address ends in @bigwidgetcorp.com, don't be sure that bigwidgetcorp isn't reading your email. Send your business email through a real ISP (maybe even get your own domain).

digitalv




msg:361657
 12:58 am on Jul 1, 2004 (gmt 0)

Maybe I'm alone, but I am not opposed to this ruling. I think that as the owner of a piece of equipment, you SHOULD have the right to know what's on it.

I don't run an e-mail service, but I do give my employees an e-mail account and by no means is any right to privacy expressed or implied.

ControlEngineer




msg:361658
 1:05 am on Jul 1, 2004 (gmt 0)

digitalv,

If you are an employer there are circumstances where you might have a duty to review e-mail passed through your system, and could be liable for not doing so.

plumsauce




msg:361659
 7:09 am on Jul 1, 2004 (gmt 0)

I find it unreasonable that a judge can suddenly become an electronics expert in defining that a message stored in RAM as not being in a wire in transit.

That is quite reasonable. It is the place of expert witnesses to present this information, and the duty of the prosecutor to obtain these witnesses.

Quite simply, this case was not diligently prosecuted.

In the current state of technology, if I tap into a fiber run, is it a wiretap?

At least, as a consolation prize, Councilman's reputation as a service provider has probably been severely damaged in his line of business.

Mr_Brutal




msg:361660
 9:00 am on Jul 1, 2004 (gmt 0)

On the same note - if you tap into a 'wireless' transmission and read someones emails this would definately not be a 'wiretap' by defintion - right?

ControlEngineer




msg:361661
 1:44 pm on Jul 1, 2004 (gmt 0)

After more thoroughly reading the decision and dissenting opinion [caselaw.lp.findlaw.com] and the statutes [caselaw.lp.findlaw.com], I have to agree with the court. Councilman should not have been indicted for violating the wiretap law.

A few comments: The law is not antiquated; it has been amended several times since the development of the Internet and email, and the statutes specifically address electronic communications (defined at 18 USC 2510(12) to include “by a wire, radio, electromagnetic, photoelectronic or photooptical system”).

The question before the court that led to the dismissal of the charge was whether the wiretap violation (violating §2511) covered messages not intercepted in transmission but copied from computer storage.

The Electronic Communications Privacy Act has two parts. One covers interception of transmission; the other covers “stored communications” (§2701). Councilman was charged under the first part; not under the second. The fact that there are two parts, one for transmission interception and the other for stored communications indicates that they are separate; if the message is copied from storage it is not being intercepted in transmission.

Councilman could not have been charged with violation of the stored communications part; he would be covered by §2701(c)(1) that exempts "the person or entity providing a wire or electronic communications service".

Personally I think that the law should be amended to remove any exemption for ISPs and companies that are in the business of providing communications services for the public. That still would not apply to Councilman. He was not a public service provider but a book dealer that provided service to independent book sellers who did business with him.

We should be able to expect privacy in communications sent through most of the communications providers. However, communications sent though an employer’s email system are not private. Employers and others may have not only a right but often a duty to monitor email. This could also apply to others, such a companies that have independent sales people working under their name and their email system.

For example, a close relative is a stock broker with one of the major companies. I send him personal email about vacation plans, etc. but I have to know that others in the company are monitoring the email, so I would limit what is in the email to what I don’t consider private.

I guess I will have to write a long letter to my congressman.

plumsauce




msg:361662
 10:12 pm on Jul 1, 2004 (gmt 0)


So, on the one hand, it may be that no precedent was set other than "you gotta be charged with the correct offence".

But, on the other hand, if Councilman was using, say procmail to do this, was it properly "in storage" at the time? That is, had the email reached it's final state of storage at the time of the extraction/creation of a copy?

ControlEngineer




msg:361663
 5:09 pm on Jul 2, 2004 (gmt 0)

So, on the one hand, it may be that no precedent was set other than "you gotta be charged with the correct offence".

Correct. However, if Councilman had been charged with a stored communication (§2701) offense, he would have the defense of the (c)(1) exemption as the owner of the service.

But, on the other hand, if Councilman was using, say procmail to do this, was it properly "in storage" at the time? That is, had the email reached it's final state of storage at the time of the extraction/creation of a copy?

I think he was using procmail. However, even if the further transmission was taking place, he copied the email from storage, so the stored communications section would apply.

I am not defending what Councilman did. I think it was unethical, despicable, and just plain wrong. There may be civil action that others can take against him. I don't know, but I hope so.

I do think that what he did should be made illegal by amendment to the Electronic Communications Privacy Act. One change that would have to be made is to define public communications services (such as most ISPs and other public e-mail providers) to whom the stricter limitations would apply. Organizations and companies that provide e-mail under their domain name to employees and others with a business association should not be covered--they still may have a duty to monitor e-mail sent under their domain name.

digitalv




msg:361664
 5:53 pm on Jul 2, 2004 (gmt 0)

Was privacy implied or stated when the user signed up for the e-mail account?

People assume too much.

ControlEngineer




msg:361665
 12:16 am on Jul 3, 2004 (gmt 0)

Was privacy implied or stated when the user signed up for the e-mail account?

Probably it was not stated but was assumed by those with the e-mail accounts.

The people harmed by Councilman's actions, however, weren't as much as the e-mail account holders but other businesses when Councilman's company unfairly gained information that could be used to his advantage. Whether or not that could lead to a lawsuit, I don't know. I am not a lawyer, but I hope somebody who was affected does have a legal way (and willingness) to sue his butt off.

ergophobe




msg:361666
 2:34 am on Jul 3, 2004 (gmt 0)


Was privacy implied or stated when the user signed up for the e-mail account?
People assume too much.

Ha! Can't disagree with the last part!

I do think that people who contract out for an email account have a reasonable expectation of privacy.

My employer might justifiably consider my email account a corporate (or in my case university) resource. It's no more private than my desk or office or hard drive. In fact, a guy in my department just got fired for having child porn on his hard drive, and nobody doubted that the university IT staff had a right to look on his computer (they were actually just scheduled doing maintenance).

Why should I expect my paid email account to be private? Because without just cause,

- the phone company can't listen in on my phone calls
- the postal service can't read my letters
- UPS and FedEx can't open my packages

As digitalv says, people assume too much and analogies don't play so well in courts. I don't say people do or don't have a legal right to keep their email private from the ISP, but the expectation that this would be protected by current or future law is definitely reasonable.

ControlEngineer




msg:361667
 3:08 am on Jul 3, 2004 (gmt 0)

UPS and FedEx can't open my packages

I don't know about that. I hope that they don't have the right to open my package, but unless there is some law saying that they don't, or the contract on the back of a form I sign says they don't (and they write the contract), then I cannot assume that they don't have the right. (but if I found out that they did open a package without cause I would be on the phone with my lawyer very quickly).

but the expectation that this {e-mail privacy} would be protected by current or future law is definitely reasonable.

I don't think any such expectation is reasonable unless you know for sure that the law does give protection. Never assume that privacy is protected by law, or, even if it is, the person violating the privacy can be caught. And read all those lengthy contracts (the fine print on the back of the form) to see what rights you are giving up.

The law should give a greater amount of protection to users of ISP or other public e-mail. I will be asking my congressman to make a change, and suggesting specific amendments. However, I do not have a good record of getting what I ask Congress for.

If you really need privacy, consider encryption software. A few years ago an engineering client (chemical company) required me to use a public key encryption program on my e-mail. It was a real pain, but they knew that their e-mail was safe.

digitalv




msg:361668
 3:16 am on Jul 3, 2004 (gmt 0)

UPS and FedEx may not open your packages, but they're also not LIABLE when you ship stolen merchandise through them.

A server owner, on the other hand, can be held liable for whatever content is on their system even if they didn't put it there. You know, stuff like MP3's ...

I say CONGRATS ON YOUR VICTORY.

ergophobe




msg:361669
 3:33 pm on Jul 3, 2004 (gmt 0)

digitalv,

I hadn't thought of that. As insane as it is to hold a host legally responsible for what's on their server, as long as that's possible I guess you can't expect your information to be private.

Control Engineer,

I understand that. All I meant by saying there's a reasonable expectation is to point out that it's not surprising that people would assume that e-mail is protected by analogy.

If you read to the end of the post, I say that you may not have a legal right to something just because it makes sense and second digitalv that "people assume too much."

In other words, it would be sensible to
- consider e-mail private**
- consider that hosts are not liable for content placed on their servers by other parties.

Case law, however, works on precedent, whether sensible or not.

**I understand that if my employer supplies an account, it has a reasonable right to make sure that I'm not sending out neo-Nazi propaganda or viagra spam from an account @myemployer.edu. I'm referring to an account in my case that is @domain_that_I_own.

ControlEngineer




msg:361670
 5:16 pm on Jul 3, 2004 (gmt 0)

ergophobe,

Yes, I agree that it is reasonable to assume that many people assume things that are not reasonable to assume. You know what they say about "assume": "It makes an a** of u and me".

It is best to never assume that you have privacy in your communications unless you: (a) have trust in your encryption software, and (b) have trust in who you communicate with.

In many cases our privacy is protected by making its violation a criminal offense. That includes the interception of electronic communications or the copying of stored communications, with exceptions.

There are other cases where violation of our privacy is a civil offense and we can sue for damages, if we have tangible damages.

And there are many more cases where if we have a reasonable expectation of privacy certain information cannot be used in a criminal proceeding against us, but can still be made public and be on the evening news.

I certainly agree that a host should not be legally responsible for what's on there server as long as the host did not know what was on the server. Any law that made it a criminal offense for an owner or employee of a host to read communications would also have to remove any liability for what might be transmitted through or stored in their system.

More instructions to send to my congressman.

ergophobe




msg:361671
 6:54 pm on Jul 3, 2004 (gmt 0)


More instructions to send to my congressman.

And there's the crux of it isn't it? If people voted on privacy issues, it would be a slam dunk, but people let their information be "bought" for one of those stupid supermarket cards (incidentally, my market around the corner had to cancel those cards because they had so many complaints, so if people make noise....

Tom

ControlEngineer




msg:361672
 8:15 pm on Jul 3, 2004 (gmt 0)

...but people let their information be "bought" for one of those stupid supermarket cards

My supermarket is probably wondering why a 98 yr old female roofer from the other side of the country has a typical male shopping pattern (random trips for a few convenience items). Then there are other marketing people who are getting information about the 95 year old down hill skier and climber who lives in Key West.

Anybody who trusts marketing data deserves what they get.

ergophobe




msg:361673
 8:38 pm on Jul 3, 2004 (gmt 0)

I sometimes also wonder whether anyone is suspicious of my address

123 First Street
Sometown, USA 95999

Unfortunately, you can't always protect your information this easily. All they need to do is have you pay once by credit card and they have your real info, and lots of it.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved