Forgot your password?
typodupeerror
Privacy Government The Courts The Internet Your Rights Online News

Appeals Circuit Ruling: ISPs Can Read E-Mail 527

Posted by timothy
from the odd-distinctions dept.
leviramsey writes "The US Court of Appeals for the First Circuit (covering Massachusetts, Maine, New Hampshire, and Rhode Island) has ruled that e-mail providers are not violating the law by reading users' e-mail without the user's consent. The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted. Perhaps OSDN should send the defendant, accused in 2001 of reading users emails in order to find out what they were interested in purchasing from Amazon, a T-shirt from ThinkGeek?"
This discussion has been archived. No new comments can be posted.

Appeals Circuit Ruling: ISPs Can Read E-Mail

Comments Filter:
  • Two words (Score:5, Insightful)

    by VinceWuzHere (733075) * on Wednesday June 30, 2004 @03:54PM (#9575182)
    Two words: HOLY SHIT!

    More words: This most certainly has to be overturned on a privacy bill of some sort. Imagine the widespread mail-reading that is now determined -at least in the mentioned juridstictions- to be legal. I wonder what ever happened to the privacy laws and how they match up to this new ruling (the ones that say a conversation is deemed to be confidential and cannot be disclosed outside of the circle in which it originated?)

    I completely agree with "And he acknowledged that "the line that we draw in this case will have far-reaching effects on personal privacy and security."

    • Re:Two words (Score:2, Interesting)

      by Anonymous Coward
      Holy SHIT is right..

      This is complete Bullshit..

      OK so Joe Blow from AOL just saw the email i was writing to a customer and then writes to that same customer and offers them a better deal.

      The posibilities for abuse are rediculious
    • Re:Two words (Score:4, Insightful)

      by aardvarkjoe (156801) on Wednesday June 30, 2004 @04:09PM (#9575412)
      More words: This most certainly has to be overturned on a privacy bill of some sort.

      Why? It seems much smarter to start encrypting your email than to simply trust a private company to not watch what is done with their equipment.
      • by pilgrim23 (716938) on Wednesday June 30, 2004 @04:32PM (#9575721)
        I think this is absolutely the ISP (or admin's) right to read whatever they need to in a customer's email to better provide service and further the casue of communication..
        -signed Apeals Court Sysadmin

        PS : Justice Smith: Zelda's email had some tech difficulties getting through, but what she said was:
        She couldn't get the chocolate stains out of her purple tutu so she will have to wear the red one for the usual Thursday session. be sure to wear your fishnets and don't forget the whips.
      • Re:Two words (Score:5, Insightful)

        by iammaxus (683241) on Wednesday June 30, 2004 @04:42PM (#9575831)
        Why? It seems much smarter to start encrypting your email than to simply trust a private company to not watch what is done with their equipment. That's ridiculous! Why don't you start filling out forms to sign up for auto insurance in garbled alpha-numeric characters and just tell them to get a verisign key? If you can't rely on a private company keeping your information safe, you are screwed. Just like an insurance company wouldn't dare give the kind of info you put on those forms to anyone else because of legal repercussions, an ISP wouldn't dare read your email if the proper laws were in place. Insightful my ass.
        • HIPAA (Score:3, Interesting)

          by charnov (183495)
          Actually, if insurance or medical records are involved, HIPAA laws apply and the fines are big enough to make any company shudder.

          I tell you, if a company discloses any personal info of mine even with a subpeona involved, they can expect one heck of a long and vicious lawsuit.
      • Re:Two words (Score:5, Insightful)

        by MrLint (519792) on Wednesday June 30, 2004 @05:34PM (#9576353) Journal
        I have to agree, but on more general grounds, I am still somewhat bewildered why nearly all internet traffic isn't encrypted by default in 2004? I mean only 'relatively' recently, has telnet been given the boot as default text connections to ssh. Its a mind shift that took a while to tip the balance. Why is everything else taking so long?

        Of course even in my earliest days on the internet i has always assumed that it was a given that the administrator can read any file on the system.
        • Re:Two words (Score:5, Insightful)

          by aardvarkjoe (156801) on Wednesday June 30, 2004 @05:59PM (#9576565)
          Because despite all the screaming on Slashdot, most people really don't care that much. I don't encrypt my e-mail because it makes no difference to me if someone reads it or not. (My comment was simply that if I did care, I'd take responsibility for it myself rather than asking the government to [ineffectively] protect me from the big bad ISP.)


          Like you said, it took forever for ssh to replace telnet, and that's a problem which system administrators thought was pressing. Nobody considers email, web surfing, IM, or whatnot to really be all that important, and so nobody's going to go to the trouble to secure it.

    • Re:Two words (Score:5, Insightful)

      by 0racle (667029) on Wednesday June 30, 2004 @04:09PM (#9575423)
      You mean that you can say with a straight face that you thought E-Mail was a private medium to begin with? Its sent plain text, through who knows how many intermediaries, then stored on a system you don't have control over. At any one of those points it could be read, even accidentally.
      • Re:Two words (Score:5, Insightful)

        by liquidsin (398151) on Wednesday June 30, 2004 @04:25PM (#9575620) Homepage
        You mean that you can say with a straight face that you thought snail mail was a private medium to begin with? Its sent plain text, through who knows how many intermediaries, then stored in a building you don't have control over. At any one of those points it could be read, even accidentally.

        • Re:Two words (Score:4, Interesting)

          by 0racle (667029) on Wednesday June 30, 2004 @04:31PM (#9575703)
          E-Mail is less of a letter and closer to a postcard since a letter is sent sealed and a postcard is a message sent in the clear. It wouldn't surprise me in the least if a postcard was read by every person that it comes in contact with.
        • Re:Two words (Score:5, Insightful)

          by AJWM (19027) on Wednesday June 30, 2004 @04:31PM (#9575705) Homepage
          Not quite. Most snail mail has an envelope, and it's a violation of federal laws to open that envelope unless you are or are authorized by the addressee (or warrant, etc).

          Postcards, however, are another matter. Unencrypted email is like postcards.
          • Re:Two words (Score:5, Insightful)

            by joranbelar (567325) on Wednesday June 30, 2004 @05:02PM (#9576036) Homepage
            But the issue here is not comparable - the guy in question wasn't reading the emails while they were "in transit" a la a postal worker glancing at a postcard coming through. A more accurate analogy is saying the guy went up to every user's physical mail box, opened it, rifled through the contents (whether they were postcards or not) and used the data he gained for his own purposes.

            Whether the email is encrypted or cleartext, the bottom line is that you have to go to a lot more trouble to read someone's email than to read someone's postcards. And since email is sorted, routed, and delivered without human intervention, there *IS* a valid expectation of privacy.
          • Re:Two words (Score:5, Insightful)

            by liquidsin (398151) on Wednesday June 30, 2004 @05:10PM (#9576127) Homepage
            But it's not like you often "accidentally" read email. It's understandable that you'd have no expectation of privacy with a postcard, since everyone who handles it could conceivable read it. Email doesn't need to be "handled" by anyone - the software can do it all. Going out of your way to read plain text email is like going out of your way to steam open envelopes (except that, apparently, the former is perfectly legal while the latter would land you in jail).
            • Re:Two words (Score:4, Interesting)

              by AJWM (19027) on Wednesday June 30, 2004 @07:09PM (#9577129) Homepage
              Email doesn't need to be "handled" by anyone - the software can do it all.

              Except when the software doesn't, and then someone (usually read as "sys admin") may have to look at it to see what the problem is. Which happens rather more often than, say, the Post Office having to open a letter to figure out the addressee (or sender) because the front of the envelope smeared. (Had to do that today, as a matter of fact -- a bunch of undelivered messages stuck in the mail queue.)

              Furthermore, "the software" can -- and frequently does -- also scan all the email looking for items of interest before reporting same to its human master(s). This could be something gov't mandated like Carnivore, or benign like a virus filter, or questionable like a corporate-mandated scan of outgoing email for certain keywords (trade secrets, spam, pr0n, whatever), but it happens. (In the latter case, encrypted email might just be blocked except from certain authorized users.)
      • Re:Two words (Score:5, Insightful)

        by flibuste (523578) on Wednesday June 30, 2004 @04:28PM (#9575652)
        There is still a huge difference between what you are ABLE to do and what your are ALLOWED to do.
        My company's database probably contains your credit card information - I am ABLE to access them - do you think I should be ALLOWED to use it?
        Let's face it - this court judgement is either a result of plain ignorance, or a lack of laws AND judgement.
        Again a nice example of freedom - brought to you by Big Corporation America. Thank whoever, I am not living there.
        Let freedom reign GW - June 2004
    • Re:Two words (Score:4, Interesting)

      by matth (22742) on Wednesday June 30, 2004 @04:20PM (#9575552) Homepage
      I see nothing wrong with this. You are paying the provider to use their mail server. You are storing your mail on THEIR machines. It is THEIR machine they may do whatever they like with it. It's like when you rent a house, the landlord may come by at any point and perform an inspection of the property. It is a private network. Likewise they are completely within their bounds to block mail from say all of AOL or EARTHLINK. Customers may not like it, but it's a PRIVATE NETWORK that you have payed for access to.
      • Re:Two words (Score:4, Informative)

        by flibuste (523578) on Wednesday June 30, 2004 @04:30PM (#9575683)
        > It's like when you rent a house, the landlord may come by at any point and perform an inspection of the property.
        I am not sure where you are from, but where I live, your landlord has absolutely NO RIGHT to come to your house - even for any kind of inspection. They are not even allowed to keep a copy of the keys. And if you find that he came to your home without your authorisation, it is considered breaking in and punished as a thief would be.
        Thanks whoever, I am not living at the same place as you do.
      • Re:Two words (Score:3, Insightful)

        by samantha (68231) *
        This is moronic. I am paying for email service. I am not paying for them to read my email for whatever reason or no reason whenever they wish. That it is their machine hasn't anything at all to do with it. They are providing a service that I pay for. They have already received compensation for use of their resources as per the contract. They have no justification for also mining the email they contracted to service. And no, it is very much NOT like renting a house. Please don't use worthless analog
    • Re:Two words (Score:5, Insightful)

      by Honest Man (539717) on Wednesday June 30, 2004 @04:21PM (#9575583)
      Holy Shit is right!

      I'll tell you what though - If we start having people at isp's reading email from the First Circuit's personal email accounts and using any information they receive thats interesting and forward 'tips' to the LA Times and Seattle Times reporters and see how long this kinda garbage legal action continues.

      I cant believe we have people this stupid working in our legal system...
    • Re:Two words (Score:5, Insightful)

      by NigritudeUltramarine (778354) on Wednesday June 30, 2004 @04:24PM (#9575611)
      Two words: HOLY SHIT!
      One word: Postcard.
      More words: ... Imagine the widespread mail-reading that is now determined -at least in the mentioned juridstictions- to be legal.
      More words: If you don't want people reading your mail, you use an envelope. If you don't want people reading your email, you use encryption. Simple as that. It's always been that way, from the days of ARPANET. Nothing's changed.
    • I wonder if ISPs can now be held responsible for what passes over their network? An interesting collision between their Common Carrier status and their ability (perhaps implying responsibility) to read email.
  • by Nea Ciupala (581705) * on Wednesday June 30, 2004 @03:55PM (#9575188)
    ... to start using strong crypto for our email? The technology has been available for free for years now, so what's stoping us? Why this inertia?
    • by NanoGator (522640) on Wednesday June 30, 2004 @04:00PM (#9575273) Homepage Journal
      ".. to start using strong crypto for our email? "

      Screw that. Use instant messaging. The reason why ISPs can read the mail is because it sits on their servers. Find an IM program that doesn't use a server to store the messages (i.e. I think that rules out ICQ...) and you're set. The only real problem then is packet sniffing.
    • The technologies for encrypting email that have been offered up, most notably PGP, require too much learning and intervention on the part of the user while offering far too few tangible benefits ("Why encrypt my email? I have nothing to hide!") to make it worth the effort.

      I'm speaking here about an average user, rather than the tech-saavy crowd that populates Slashdot.

      • by garcia (6573) * on Wednesday June 30, 2004 @04:09PM (#9575409) Homepage
        I'm speaking here about an average user, rather than the tech-saavy crowd that populates Slashdot.

        And the people that need to be encrypting their emails wouldn't be leaving them out in the open before this ruling anyway.

        Those that were concerned about privacy would have encrypted them or used their own service to deliver messages. I am *sure* ISPs are going to just love grepping through emails to look for whatever it is they are looking for.

        I seriously hope that ISPs have something better to do than that.

        [tinfoilhat]
        If anything, this was funded by the RIAA/MPAA/US Government to find out the subversive terrorists at the expense of those people that don't send important shit in email anyway.
        [/tinfoilhat]
      • Try Enigmail (Score:3, Informative)

        by RT Alec (608475) *

        I disagree. I was a big proponent of PGP back in the old days (mid-90's). Back then, it was more cumbersome than complicated. Regardless of the effort to set it up, it still required too much effort on my part to encrypt or sign or decrypt each and every message. My circle of co-workers, contractors, and friends gave up on it after a short while.

        Recently, I have begun using Enigmail [mozdev.org] with GPG [gnupg.org]. It integrates quite nicely with Thunderbird [mozilla.org], and I assume it would with Mozilla as well. We use it companywide, wit

    • by cutecub (136606) on Wednesday June 30, 2004 @04:05PM (#9575346)
      Why the inertia?

      Confusion
      Complexity
      Laziness
      Cluelessness


      For me its always been a tossup between complexity and laziness. None of my friends would know what to do with a GPG public key if it hit them in the head, nor would most of them bother learning how to use it. You got it right with "Inertia". Overcomming this is like pushing a black-hole up-hill.

      -Sean
    • by chill (34294)
      He was reading mail sent by Amazon. You expect Amazon to start using PGP for every e-mail query?

      No mention is made if he was reading other mail. I use GnuPG w/KMail regularly and I can't think of why I'd encrypt a book request to Amazon.

      I only use signatures and encryption on stuff that I think should have it.

      -Charles
      • by Tet (2721) *
        I can't think of why I'd encrypt a book request to Amazon.

        So that when you do need to encrypt something, it doesn't stand out like a sore thumb, but rather it looks just like every other message you send.

  • by Anonymous Coward on Wednesday June 30, 2004 @03:55PM (#9575193)
    There are people that don't run their own mail servers? Well, I suppose that might change now.
  • by NanoGator (522640)
    It has been ruled that ISPs are simply a carrier, but they can read the email?
    • Re:Eh? (Score:5, Insightful)

      by bladernr (683269) on Wednesday June 30, 2004 @04:03PM (#9575319)
      It has been ruled that ISPs are simply a carrier, but they can read the email?

      Wow, that got me thinking. ISPs are not held liable for piracy, hacking, etc, because they are a "common carrier." Common carriers have no knowledge of the traffic they carry, they are simply moving things from point A to point B. That limits their liability.

      Now, though, the court (in those jurisdictions) has ruled it is legal for ISPs to, at the least, read e-mail. Since it is ruled legal, and they are able, does that confer some responsibility to them?

      Thinking this through to conslusion, what are the odds that the ISP defending itself in reading the e-mail, has in fact increased its liability in all things its customer's do and have done to them?

  • by h4rm0ny (722443) * on Wednesday June 30, 2004 @03:55PM (#9575196) Journal

    We don't need to say that this is like opening postal mail, or that RAM holding the email temporarily is like a modem caching the data. We don't need to compare this to anything to explain it.

    It is plainly and utterly stupid and wrong.

    Enough said.
    • by drtomaso (694800) on Wednesday June 30, 2004 @04:44PM (#9575851)

      Sorry for not including citations of cases, but I believe the courts have held that email users have no expectation of privacy when sending mail over others systems (I think most pertained to University systems, but dont quote me). In fact, this makes sense- SMTP is inherently insecure, from a privacy perspective. If you want to compare it to snail mail, imagine mailing private letters with no envelope. Anyone between point A and B can read it. You cant complain if you later learn the postman read it when he was bored.

      That said, you must take the case in context- all that was ruled here was that a (technologically speaking) ancient wire tapping law didnt apply to this specific case of email, because the message was stored in RAM, not actually in transport. If the company had been snooping on packets coming from *your* mail server, I suspect the result might have been different. Further, no other law was tested here- the case was solely over this wiretap law.

      In a perfect world, no one would do this, and we'd all be sending encrypted mails anyway. What should be required is a privacy policy clearly stating the administrator's policy on email reading (ala Gmail), so that the educated consumer may choose the provider most suitable for his/her needs. If a company wants to read your mail in exchange for a free gig of mail space, I whole heartedly believe that to be within their rights, providing they are upfront about it. That this provider gave no warning of it was a non-issue as far as the case was concerned- only the wire tap law was ever used.

      Given the context of the case in regards to the wire tap laws, and the history of expectation of privacy in email, this ruling shouldnt suprise anyone. What we should be doing is pushing for European-style privacy acts and some sort of required disclosure for service providers pertaining to email snooping.

      I also dont see this as a danger to the common carrier status of ISP's-if indeed they ever had this status with regard to email. This ruling is very specific, and does not mandate that ISPs *must* read their users mail, only that if they do, they arent in violation of a specific wire-tap law. I believe what we have here is a judge who just refused to legislate from the bench.

  • good thing... (Score:2, Insightful)

    by chachob (746500)
    google isn't an ISP :D
  • by Richard_at_work (517087) * <richardprice AT gmail DOT com> on Wednesday June 30, 2004 @03:55PM (#9575201)
    If ISPs are not breaking any laws reading users stored email without consent, then why was there a huge fuss about Google using a parsing engine to do the same?! I would have thought that a parsing engine was more in line with privacy than someone reading your mail!!

    I feel a tremendous schizm forming within the ranks of the American Legislature over this, with one side determined to force restrictions upon 'publicised' companies in an effort to make names for themselves, while the other side making rulings like this that will bearly make the main press. Something tells me not everyone is singing off the same hymnsheet.

    Something died a little today. That something was common sense.
  • oh no! (Score:5, Funny)

    by 2057 (600541) on Wednesday June 30, 2004 @03:57PM (#9575226) Homepage Journal
    Oh god now they will know about my massive addiction to penis enlargers! seriously i don't use my isp account for anything important if they wanna know about penis enlarging treatments go fer it.
  • Wait a minute (Score:5, Interesting)

    by MoneyT (548795) on Wednesday June 30, 2004 @03:57PM (#9575232) Journal
    If ISPs can read your emails, that stops them from being a common carrier anymore doesn't it? Which then means that they could be held legaly liable for any damages caused by illegal activity via email couldn't they?
    • Re:Wait a minute (Score:3, Informative)

      by nate1138 (325593)
      You didn't read the article, did you? BAD SLASHDOTTER! BAD! BAD! Now go sit in the corner and think about what you've done.

      Seriously, if you had read it, you would realize that the headline was completely misleading. The company reading the emails isn't an ISP. They are a web site that sells books. They also offer a free email service. They were reading the emails of the customers that signed up for the free email service, looking for Amazon.com orders and using that data to figure out how to comp
  • by happyfrogcow (708359) on Wednesday June 30, 2004 @03:58PM (#9575238)
    Email is plain text. clear text. not encrypted. Now if this covered IPS right to read their users mail if it were encrypted, then that would be something else.

    It's clear text though, what do you expect?

    encrypt it [gnupg.org]
    • by happyfrogcow (708359) on Wednesday June 30, 2004 @04:02PM (#9575298)
      let me append this with the statement, don't put the government in a position to legislate something when we have the ability fix the problem ourselves.
  • Encryption (Score:3, Insightful)

    by funk_phenomenon (162242) on Wednesday June 30, 2004 @03:59PM (#9575258)
    I think it may be a good time for people to start looking into ecryption [gnupg.org].
  • by Mind Booster Noori (772408) on Wednesday June 30, 2004 @03:59PM (#9575264) Homepage
    Fortunatly...

    1) I'm not in USA;
    2) I use gpg;
    3) I'm wearing that t-shirt.

    This is just as wrong as stupid: makes me remember how 2600 lost in court making links to illegal stuff illegal, when, after, others won in the same court prooving linking is just linking, not illegal (good for Google :-))

    It's frustrating when we clearly see that the laws are just bendable...
  • by Amiga Lover (708890) on Wednesday June 30, 2004 @03:59PM (#9575265)
    The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted

    So now the loophole is telecomms carriers can store messages, and by storing messages they're allowed to listen to them.

    Of course, it's no use just to listen to a message to get info on what a subject is up to, it has to be stored for later use, so simply the fact of listening in to a phone conversation and recording it for later use makes it legal to listen to and store for later use.

    bah
  • It'll never stand (Score:5, Insightful)

    by Noose For A Neck (610324) on Wednesday June 30, 2004 @03:59PM (#9575267)
    Hopefully, if the Supreme Court doesn't overturn this decision, then at least people will get outraged enough that they will write to their lawmakers to quickly remedy this problem. It's not just Slashbots that worry about privacy in email, this is a clear enough danger that I'm sure the non-IT public would be shocked if they heard about what was going on.

    And to those who think encrypting your email is the answer - it's not. The email sent to you can still be read, and many sites like Amazon, which is mentioned in the article, send automated emails to whatever address you provide them, making your communications easy pickings for unscrupulous ISPs.

    Of course, on the other hand, I'm sure some people here won't be surprised, and will in fact welcome such intrusion into their email, as evidenced by the enthusiasm here and elsewhere in geek circles for Google's Gmail service, which at least as intrusive and does the exact same thing with a user's emails (i.e. reads them for the purposes of marketing other products they think the user would be interested in). I'm still not sure what causes this cognitive disconnect in the technical community, but it is both puzzling and worrisome.

    • Hopefully, if the Supreme Court doesn't overturn this decision, then at least people will get outraged enough that they will write to their lawmakers to quickly remedy this problem. It's not just Slashbots that worry about privacy in email, this is a clear enough danger that I'm sure the non-IT public would be shocked if they heard about what was going on.

      Ha ha ha ha!

      You want to know how lawmakers will "fix" it? Go look at what happened with analog cell phones and radio scanners. Instead of forcing t
  • Excellent (Score:4, Funny)

    by Quasar1999 (520073) on Wednesday June 30, 2004 @04:00PM (#9575274) Journal
    And to think I used to read all the cute girls emails at school when I was a temp sysadmin... it was all legal! w00t... I wonder if the extortion I did using the information I gleaned from their emails was equally as legal... oh well, I guess I'll never know... besides, how else is a geek supposed to get action in highschool? :P
  • cd /var/mail (Score:5, Insightful)

    by DrSkwid (118965) on Wednesday June 30, 2004 @04:00PM (#9575282) Homepage Journal
    grep -i -n -A 3 username * > password_list

    thanks for that

  • by orthogonal (588627) on Wednesday June 30, 2004 @04:01PM (#9575288) Journal
    The US Court of Appeals for the First Circuit (covering Massachusetts, Maine, New Hampshire, and Rhode Island) has ruled that e-mail providers are not violating the law by reading users' e-mail without the user's consent.

    In a way, I suppose, this ruling is a good thing, because it underscores the need for a comprehensive privacy and data retention law.

    What's needed is something along the lines of The European Union's privacy law: that is, something that is explicitly mandated, rather then the "penumbras" of privacy that some judges can, and some judges won't, see lurking between the lines of the Ninth Amendment.

    We can hope that this defeat in the courts can be -- with our hard work -- turned into a victory in the U.S. Congress.
  • No problem (Score:4, Funny)

    by nizo (81281) on Wednesday June 30, 2004 @04:01PM (#9575296) Homepage Journal
    Simply include a picture of the goatse guy or tubgirl in every email and they will be sorry they ever read it.
  • by silas_moeckel (234313) <{silas} {at} {dsminc-corp.com}> on Wednesday June 30, 2004 @04:02PM (#9575303) Homepage
    Email is not mail it's a post card at best. I see peoples mail regularly as part of work as it's going down the wire, it's not illegal as I'm performing maitence and troubleshooting for the companies that own the routers. Same goes for a random sys admin that needs to say fix an email box or generaly run the system. Your service provider has allways been able to do this. The post office can read your mail if they need to what do you think dead letter offices are for? Dont like it encrypt the contents and use anon remailers.
  • by phr2 (545169) on Wednesday June 30, 2004 @04:04PM (#9575331)
    VOIP packets are temporarily stored in ram at the different routers they visit as they travel the network. Does that mean that VOIP providers can listen in on phone conversations?

    And what about the ECPA provision on unauthorized access to stored communications (Steve Jackson case [tomwbell.com])? Don't they apply here?

    • by Jay L (74152) <jay+slashNO@SPAMjay.fm> on Wednesday June 30, 2004 @05:09PM (#9576112) Homepage
      How about VOIP providers? (Score:2, Interesting)
      by phr2 (545169) on Wednesday June 30, @05:04PM (#9575331)
      VOIP packets are temporarily stored in ram at the different routers they visit as they travel the network. Does that mean that VOIP providers can listen in on phone conversations?
      And what about the ECPA provision on unauthorized access to stored communications (Steve Jackson case)? Don't they apply here?


      I'm fairly sure they do - we always assumed we were bound by ECPA at AOL. It wasn't even questioned.

      I wonder if they just prosecuted the guy under the wrong law - wiretap instead of ECPA.
  • by Cytotoxic (245301) on Wednesday June 30, 2004 @04:05PM (#9575345)
    I don't think the judge understood what he was saying. In ruling that email messages are being stored, not transmitted he completely ignores the fact that the only reason that email is sent to an ISP is so that it will be transmitted. The asynchronous method of delivery really shouldn't enter into it. However, if that is the language of the law, then that is that...

    This ruling would also mean that you voicemail at your cellphone provider is wide open to being listened to as well... Nice...
  • by dan_sdot (721837) * on Wednesday June 30, 2004 @04:05PM (#9575348)
    Lets try to be a little rational here. I know that everyone is going to scream in the typical slashdot style about "invasion of privacy!!!!!", but lets really look at the problem.

    The first thing is to understand what the Judicial Branch's job is. It is to interpret the meaning of existing laws! And looking at the law, it seems that they did a pretty good job of this.

    So does this mean that I want my ISP's reading my email? Of course not!

    The problem is that the legislative branch is not creating laws that keep up to speed with the ethical problems presented by technology. Lets not get on the Judges' cases for the ISPs reading our email, get on the LEGISLATORS.

    In fact, I want to congratulate the judges in this case for making the ruling. Even though it is obvious that it is absurd that the ISPs are reading people's email, the judge did not overstep his authority by trying to create laws, rather than interpret them. This is one of the largest tyrannies that happens in US Politics, judges effectively creating legislation.

    So here is a call to all legislators: GET ON THE BALL! New technology has created many new ethical dillemas, and we need the legislators to start dealing with them.
  • This is insane (Score:5, Interesting)

    by 0x0d0a (568518) on Wednesday June 30, 2004 @04:05PM (#9575352) Journal
    Wow. This is a huge, huge, huge deal.

    Among other things, this means:

    * Email, the dominant form of online communication, which most of us have regarded as fairly secure, is now grabable by federal authorities or police *without a warrant*.

    * Your employer may now read all your email -- previously, he had to at least inform you that he was going to monitor your network traffic ahead of time (admittedly, including such a clause in the usage policy was depressingly common, but still).

    * Free email providers like Yahoo, Microsoft, and Google now are free to do anything they want with all the mail that you've ever sent or has been sent to you.

    I'm sure that the EFF is scrambling to try and do something at the moment -- it'll be their most important case yet.

    *IF* this is not overturned, it means that it is *impossible* to have legal privacy protection for any form of communication that is asynchronous across hosts. This affects a vast number of potential protocols.

    This means that voicemail systems are *not* protected by federal wiretapping law. If you *ever* leave a message for anyone, your privacy protections are out the window.

    It's debatable over whether or not this applies to web caching -- if police and federal agents can now swipe the content of your ISP's web cache (yeah, the transparent proxy that your cable ISP uses, even though you don't think you're using a proxy), they can obtain web browsing data without warrant.

    This is the biggest argument I've seen yet for use of PGP. If you are not using PGP, you *have* no privacy.
    • Re:This is insane (Score:5, Insightful)

      by alienw (585907) <alienw.slashdot@gm a i l . c om> on Wednesday June 30, 2004 @04:39PM (#9575792)
      which most of us have regarded as fairly secure

      True, if by "most of us" you mean "those of us who happen to be morons." Guess why nobody sends credit card numbers over e-mail?

      Your employer may now read all your email

      Most already do.

      Free email providers like Yahoo, Microsoft, and Google now are free to do anything they want with all the mail

      It's a free service. They should be able to do whatever the hell they feel like. Read the usage agreement.

      they can obtain web browsing data without warrant.

      If you think an ISP wouldn't cooperate with the FBI without a warrant, then you are a moron. If you happen to piss off the FBI, they can (after obtaining the warrant) seize all your computers and network equipment for analysis. This will pretty much mean the ISP won't exist anymore -- they generally take a few months to a few years to return the stuff.
    • Re:This is insane (Score:3, Insightful)

      by Rorschach1 (174480)
      Worse than that, where do you draw the line for 'storage'? IP uses packets. Between receiving a packet on one interface and sending it out another, a router STORES packets. Does it have to be non-volatile storage? Does that mean a mail server with a ramdisk spool isn't subject to this ruling? How long does a piece of information need to sit in one place during transit to be 'stored'?

      Looks like you're out of luck unless you've got a switched circuit all the way through to your destination.

      Let's hear i
  • by KillerCow (213458) on Wednesday June 30, 2004 @04:09PM (#9575420)
    The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted.

    That's nice. So now they can use this precedent to listen to your voicemails.

    And if we move to VoIP on the telecom's backbone, then they can listen to your conversations... since it is being stored in the router's buffers alone the way.
  • privacy? (Score:5, Insightful)

    by rhaig (24891) <rhaig@acm.org> on Wednesday June 30, 2004 @04:11PM (#9575447) Homepage
    so is there anyone out there who actually thinks your email to me is actually private and won't be read by an admin of a server that queues it for delivery somewhere along the way??

    it's email. there should not be any real expectation of privacy. deal with it.
  • by dmarx (528279) <dmarx@hus h m ail.com> on Wednesday June 30, 2004 @04:16PM (#9575508) Homepage Journal
    Maybe this ruling will finally convince people to use freely avaiable [pgpi.org] encryption [mailvault.com]. I PGP as many messages as I can (I don't have anything to hide, I just don't like the idea of people snooping on me), but not many of the people I email use PGP.
  • by RhettLivingston (544140) on Wednesday June 30, 2004 @04:29PM (#9575674)

    What about analog signal delay chips? What about digital phone systems that temporarily store signals in RAM? And if volatile memory is considered transmission instead of storage, what if they used MRAM in the future?

    Others summed it up with "stupid", but "stupid" just doesn't seem to come close.

    I'll bet some ISPs are madly looking at what they have that they could market to the tabloids. Anyone out there have some Senators or Representatives as clients? Publishing all of their email might get a law out quicker than you can say "stupid".

  • by Random BedHead Ed (602081) on Wednesday June 30, 2004 @04:33PM (#9575734) Homepage Journal

    ISPs can read e-mail? Finally. Now maybe someone at an ISP will reply to the several dozen "One of your customers is sending me spam" messages. It's about time ISPs got around to reading e-mail.

    Now to read the article ...

  • encryption (Score:3, Informative)

    by CrimsonAvenger (580665) on Wednesday June 30, 2004 @04:40PM (#9575809)
    This is why we have encryption software. This ruling pretty much reduces to "encrypt, or consider your email to be a postcard".

    And anyone who thinks it is illegal for the mailman to read postcards he is delivering is deluding himself.

  • by Nom du Keyboard (633989) on Wednesday June 30, 2004 @04:42PM (#9575827)
    Okay Thunderbird, here's your chance to shine. Make sending and receiving of encrypted e-mail as easy as regular e-mail is now.
  • by bug (8519) on Wednesday June 30, 2004 @04:56PM (#9575968)
    This ruling is just plain wrong. Here's text directly from the Electronic Communications Privacy Act. Straight from the definitions:

    (1) "wire communication" means any aural transfer made in
    whole or in part through the use of facilities for the
    transmission of communications by the aid of wire, cable, or
    other like connection between the point of origin and the point
    of reception (including the use of such connection in a switching
    station) furnished or operated by any person engaged in providing
    or operating such facilities for the transmission of interstate
    or foreign communications for communications affecting interstate
    or foreign commerce and such term includes any electronic storage
    of such communication;


    and then later...

    (17) "electronic storage" means--

    (A) any temporary, intermediate storage of a wire or
    electronic communication incidental to the electronic
    transmission thereof; and


    So, it pretty clearly states that wire communications includes storage incidental to the communication, such as the email temporarily existing in RAM on a system before being sent. Given that RAM is typically volatile, I don't see how you could NOT call it temporary, intermediate storage.

    There are no exemptions that I can find in the ECPA that might give this scumbag a way out of this. Either the judges are smoking crack, or the prosecutors failed to use the ECPA properly. I suspect it's more of the latter, as even the dissenting judge said that "the law has failed to adapt to the realities of Internet communications." This simply isn't true, because it's quite well defined in the law. The law HAS adapted to the realities of the Internet, and the ECPA is mostly quite adequate.

    Here's a mirror of the full ECPA text for those curious:

    ECPA text [floridalawfirm.com]

  • Karma Whoring (Score:3, Interesting)

    by bani (467531) on Wednesday June 30, 2004 @05:15PM (#9576173)
    From a recent post on NANOG [nanog.org]:

    Date: Wed, 30 Jun 2004 17:35:54 -0400
    From: Matthew Crocker
    To: "'nanog@merit.edu'"
    Subject: Re: E-Mail Snooping Ruled Permissible

    I know Brad Councilman, This all happened in my back yard. He ran a competing ISP with me (www.valinet.com). Not only was he reading his customers e-mail and harvesting Amazon.com orders he also hacked into 4 of the local area ISPs. I still remember the day I received a call from the FBI office in Boston. 'Sir, you are not in trouble but we would like to talk to you about an important matter. I'll be out tomorrow, when will you have time?' He came in with a old copy of my /etc/passwd file (this was hacked from me back in '95,'96). I was happy when the arrested him, he is a jerk. The ISP he ran has since been sold to another company, still local and run as an honest business.

    Sorry for the rant, I just wish he got more than a slap on the wrist. They didn't prosecute him on the hacking attempts because the e-mail theft was a bigger crime.

    Grrrrr

    -Matt
  • by farrellj (563) * on Wednesday June 30, 2004 @05:19PM (#9576207) Homepage Journal
    Thank the Gods!

    In Canada, it is not legal for a company to read your private email, as email is treated like snail mail. This applies even if they are your employer!

    I really hope the US courts get a clue about privacy!

    ttyl
  • by gillbates (106458) on Wednesday June 30, 2004 @05:41PM (#9576414) Homepage Journal

    I feel like starting an ISP and offering free email accounts to congressmen, judges, FBI agents, etc...

    The time difference between an embarrassing email leak and legislation outlawing reading another's email is left as an exercise for the reader....

  • good luck! (Score:3, Funny)

    by glwtta (532858) on Wednesday June 30, 2004 @05:46PM (#9576461) Homepage
    Judging by my Yahoo inbox, all they will get from this is the world's most gigantic penis.
  • How this happened (Score:3, Informative)

    by dtfinch (661405) * on Wednesday June 30, 2004 @05:57PM (#9576549) Journal
    The USAPATRIOT act reworded to wiretap laws so that stored electronic communications are no longer protected, as in emails or depending on how you read it, even packets in a queue. The suspected purpose of this is to enable interception of data on a network by law enforcement without the need for a wiretap. This effectly renders the entire wiretap law null, so long as law enforcement is willing to jump through the right hoops, which are now technical rather than judicial. The couple sentences of the Patriot act that did this were perhaps the most significant in the entire document, but so benign in appearance that they would be overlooked by many and the act would be passed by congress. Today in the USA, protections against nearly all the forms of privacy invasion that we had just 5 years ago are now mostly just illusions. Every privacy law I know of now has some loophole which allows the government to circumvent requirements of probable cause and judicial approval. This is why we should not reelect Bush. I was a registered Republican in 2000, but they are not looking out for any of us.

    Notice that many router manufactures (eg Cisco) have plans to integrate lawful interception features into their products, in anticipation of future demands of the US or other governments.
  • by geekotourist (80163) on Wednesday June 30, 2004 @06:09PM (#9576634) Journal
    Back in April this story [slashdot.org] covered Brad Templeton's essay on GMail, privacy and encryption [templetons.com]. I was suprised at the number of "email is public, get over it" comments. Why should I have to get over it just because encryption wasn't designed in from the getgo? Technologies have gone from public (non-private) to private and protected before. Consider the switch from party lines to private lines in the telephone system- we went from "all phonecalls are open/public unless you buy your own expensive line" to "all calls are private and its usually illegal for anyone else to listen."

    We- the technical community- can demand a similar switch for email. Unfortunately the use rate of encryption for email is ridiculously low (less than 10% of incoming to Diffie or Zimmerman, they once said). So we've ended up in this strange zone where email could be encrypted as a matter of course, but it isn't. There is no inherent reason why email has to be public, but by our design (or lack thereof), this major massive system of communications is practically (and with this ruling- legally) public, and for what benefit? Why do people so casually accept the non-privacy of email? Its like we were still using party lines 120 years later.

    At the core of it, because privacy is a fundamental human right [slashdot.org] every communication system we use should have privacy built in. If its not, there should be a very good reason why not. "Oh no, it will take extra computational cycles" is not a good reason (not with crypto like ECC around). "Oh, Ashcroft doesn't want it" is even a worse reason. "Perfect encryption is too hard for the public to use": also bad.

    Crypto does need to become easier to use. As Templeton wrote here on what email crypto needs [templetons.com]:

    The key to deploying encrypted mail is to make it happen with close to zero involvement by the user. This is hard, and requires some security compromises that have made cryptographers uneasy in the past.

    However, I have come down to the view that getting encryption widely deployed, even with some minor flaws, is better than getting perfectly designed encryption (if that's even possible) that hardly anybody uses.

    The reason is that I exchange mail with tons of people, not just my closest linux-using nerd friends. If I want my mail to be private, I have to get the general public encrypting. This is a particular concern with new laws just passed granting U.S. law enforcment the power to read the "header" of a message -- including the subject lines of E-mails without a warrant. In addition, other nations have always had such powers, and on top of it all, most ISP backbones and mail servers are poorly secured from snooping by almost any system cracker trying to invade your privacy [now including the ISP itself!]...

    Problem is, the current UI and ease of use for encryption add-ons aren't so good. It makes it a tough choice to use it other than with other geeks. Not that you force everyone to use crypto in email, but it should be as easy to choose it as to not choose it. As an analogy, if I say "lets start building doors and doorjams with locks built in," that doesn't equal "force everyone to lock their door." It does mean "its now as easy to choose to lock your door as to keep it unlocked." To me choice means the two alternatives are sitting there, equally available... If there were big "Send: This is Private" and "Send: This is Public" buttons on every email program. Right now the "choice" is "Send" vs "Spend hours retrofitting your system and writing to your recipient to explain to them how to read your email, and getting your grandpa to use it- just give up trying to go there..."
  • Steve Jackson Games (Score:3, Informative)

    by SiliconEntity (448450) on Wednesday June 30, 2004 @06:24PM (#9576756)
    This all goes back to the Steve Jackson Games decision of 1994. The Secret Service had seized a BBS belonging to Steve Jackson Games, and SJG sued because the computer also held some unretrieved private email. However, SJG lost on the same grounds as in this case, that email in storage is not protected by the literal language of the Wiretap Act. It may be a technicality, but it's been the law for over ten years.
  • by Vancouverite (227795) <brendt.hess@NOspAM.motosport.com> on Wednesday June 30, 2004 @06:25PM (#9576764)
    The calls for using the Stored Communications Act would probably have failed as well. Based on 18 USC 2701:

    (c) Exceptions.

    Subsection (a) [Offense] of this section does not apply with respect to conduct authorized -

    (1) by the person or entity providing a wire or electronic communications service;

    Since the person in question was the "... person ... providing a wire or communications service", the Offense section of the act does not apply to him, if he authorized the access. No offense, no crime.

    <bad music tune="Feelings">
    Loopholes,
    Nothing more than Loopholes,
    Trying to prevent those,
    Criminal Aaaaaaaaaaaaacts!
    </bad music>
  • I actually agree with the ruling, for several reasons.

    1: This will bring more attention to privacy tools like any OpenPGP-compatible program, such as the GNU Privacy Guard, than any law preventing law-abiding citizens from thumbing through your emails.

    2: The ISP is providing a service using their own equipment. While laws might help, remember that it IS their OWN damn equipment, and if they choose to, there's little you can do if you're not aware of it.

    3: The ISP is not the only point in which any mail can be read. Any number of mail backbones can also store a message for perusing later. This is especially true in the case of those undeliverables that are logged for later review. To focus the blame on an ISP is a fallacy.

    Personally, I think that people should have little fire lit under them to get themselves protected. I will admit that it's a bit of a bother now, but as soon as vendors see the market value of such systems, how long until it's easy enough for aunt Maude?
  • A new shirt design. (Score:3, Interesting)

    by BlueTooth (102363) on Wednesday June 30, 2004 @09:29PM (#9577881) Homepage
    Thinkgeek should create a new shirt design.

    Front:
    i read your email.

    Back:
    legally.
  • by pestie (141370) on Wednesday June 30, 2004 @10:07PM (#9578089) Homepage
    I actually know the defendant in this case, Brad Councilman, personally (although it's been quite a few years since I've had any significant contact with him.) He's a good guy and he pretty much had his life torn apart for several years by overzealous prosecutors looking to make a name for themselves by looking tough on "computer crime." What he did wasn't necessarily right, but he certainly didn't deserve to be treated as a criminal for it. I'm not going to get into a debate with anyone about this right now - I doubt I'm going to change anyone's minds, but think about this: if this guy had the words "accused hacker" before his name in these headlines, how many of you would be rallying to his defense instead of looking to crucify him? If his name were Kevin Mitnick, how many of you would be complaining about how this country is turning into a police state instead of acting like some sysadmin reading your e-mail is a human-rights violation on a par with the Rodney King beating?

The use of anthropomorphic terminology when dealing with computing systems is a symptom of professional immaturity. -- Edsger Dijkstra

Working...