Appeals Circuit Ruling: ISPs Can Read E-Mail

leviramsey writes "The US Court of Appeals for the First Circuit (covering Massachusetts, Maine, New Hampshire, and Rhode Island) has ruled that e-mail providers are not violating the law by reading users' e-mail without the user's consent. The decision finds that the Wiretap Act does not cover interception of communications where the communications are being stored, not transmitted. Perhaps OSDN should send the defendant, accused in 2001 of reading users emails in order to find out what they were interested in purchasing from Amazon, a T-shirt from ThinkGeek?"

When will people learn

[silas_moeckel]

Email is not mail it's a post card at best. I see peoples mail regularly as part of work as it's going down the wire, it's not illegal as I'm performing maitence and troubleshooting for the companies that own the routers. Same goes for a random sys admin that needs to say fix an email box or generaly run the system. Your service provider has allways been able to do this. The post office can read your mail if they need to what do you think dead letter offices are for? Dont like it encrypt the contents and use anon remailers.

Re:Isn't it about time...

[Nspace13]

and on top of that you can always use AIM Encrypt [aimencrypt.com]

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Isn't it about time...

[Ark42]

You can leave a message offline using ICQ, and thats one of the biggest reasons I still use the ICQ network.

Re:Isn't it about time...

[nsandver-work]

The only real problem then is packet sniffing.

Even that's not an issue for GAIM users, thanks to the GAIM Encryption [sf.net] plugin.

Re:Isn't it about time...

[leviramsey]

True, but the storage on an intermediate server places the IM outside (at least at that point) any protection afforded by the Wiretap Act.

Re:Wait a minute

[nate1138]

You didn't read the article, did you? BAD SLASHDOTTER! BAD! BAD! Now go sit in the corner and think about what you've done.

Seriously, if you had read it, you would realize that the headline was completely misleading. The company reading the emails isn't an ISP. They are a web site that sells books. They also offer a free email service. They were reading the emails of the customers that signed up for the free email service, looking for Amazon.com orders and using that data to figure out how to compete more effectively. Immoral as hell? Yup. Illegal? Apparently not. ISPs, however, have different sets of rules, and it would probably be illegal for an ISP to do this.

I know this guy

[Anonymous Coward]

I know Mr. Councilman. He was a selectman in the town of Montague, MA and ran an ISP (www.valinet.com). The ISP was initially running on DEC Alphas and one day it went poof. It came back the next day running Linux on intel. The ISP claimed they went down due to a software upgrade gone wrong. What really happened was the FBI raided their office and took all of the hardware. I remember the call from the FBI agent in charge when he wanted to have me look over some files they found on the computers. It turns out that not only was Mr. Councilman reading peoples e-mails, He was also hacking into all of the other local ISPs to steal their customer lists. The FBI agent showed me a particial list of my /etc/passwd file. I could date it by looking into billing to find when the customers were created. I remember sitting in small claims court trying to get money from a customer when our servers crashed because of his hacking. I remember when Mr Councilman forwarded my CERT report of the event to a local newspaper and I recieved a call by an over zealous reporter. I remember when he was arrested and fined $250,000. I thought it was sweet justice for the greif he caused me and the other ISPs in the area. Mr. Councilman is not only a theif but a hacker. It is a shame that all he got was a slap on the wrist. His old ISP was purchased by another company and is still around. They purchased it about a month before the arrest.

I really wished he saw some jail time. The guy is a jerk.

Re:Two words

[flibuste]

> It's like when you rent a house, the landlord may come by at any point and perform an inspection of the property.
I am not sure where you are from, but where I live, your landlord has absolutely NO RIGHT to come to your house - even for any kind of inspection. They are not even allowed to keep a copy of the keys. And if you find that he came to your home without your authorisation, it is considered breaking in and punished as a thief would be.
Thanks whoever, I am not living at the same place as you do.

Re:There is a solution to this problem

[Anonymous Coward]

The grandparent authenticated his message, but didn't encrypt it. PGP offers encryption and a way to positively identify a person.

Re:Eh?

[leviramsey]

As the original submitter, I've seen nothing to indicate that the ruling does not cover those who provide internet connectivity. As far as the law is concerned, providing e-mail makes you an ISP.

Perhaps, in hindsight, it may have been more clear to say something like "e-mail providers" or "e-mail server operators."

The ruling is essentially that any operator of an e-mail server may read at their discretion any e-mail stored on said server. There's no distinction between, say, Comcast or Verizon and Hotmail for this purpose.

Re:Two words

[Anonymous Coward]

I dont see the big fuss here. From the point of view of a systems admin, I'll be honest. I look at users' email from time to time. Its not that I care, nor do i get some kind of voyeristic pleasure out of it. Its part of the debugging process at times. 99% of mail I've seen is completely uninteresting anyway.

Realistically, the only reason this should be an issue is in the case of someone specifically being targetted.

encryption

[CrimsonAvenger]

This is why we have encryption software. This ruling pretty much reduces to "encrypt, or consider your email to be a postcard".

And anyone who thinks it is illegal for the mailman to read postcards he is delivering is deluding himself.

Electronic Communications Privacy Act

[bug]

This ruling is just plain wrong. Here's text directly from the Electronic Communications Privacy Act. Straight from the definitions:

(1) "wire communication" means any aural transfer made in
whole or in part through the use of facilities for the
transmission of communications by the aid of wire, cable, or
other like connection between the point of origin and the point
of reception (including the use of such connection in a switching
station) furnished or operated by any person engaged in providing
or operating such facilities for the transmission of interstate
or foreign communications for communications affecting interstate
or foreign commerce and such term includes any electronic storage
of such communication;

and then later...

(17) "electronic storage" means--

(A) any temporary, intermediate storage of a wire or
electronic communication incidental to the electronic
transmission thereof; and

So, it pretty clearly states that wire communications includes storage incidental to the communication, such as the email temporarily existing in RAM on a system before being sent. Given that RAM is typically volatile, I don't see how you could NOT call it temporary, intermediate storage.

There are no exemptions that I can find in the ECPA that might give this scumbag a way out of this. Either the judges are smoking crack, or the prosecutors failed to use the ECPA properly. I suspect it's more of the latter, as even the dissenting judge said that "the law has failed to adapt to the realities of Internet communications." This simply isn't true, because it's quite well defined in the law. The law HAS adapted to the realities of the Internet, and the ECPA is mostly quite adequate.

Here's a mirror of the full ECPA text for those curious:

ECPA text [floridalawfirm.com]

Try Enigmail

[RT Alec]

I disagree. I was a big proponent of PGP back in the old days (mid-90's). Back then, it was more cumbersome than complicated. Regardless of the effort to set it up, it still required too much effort on my part to encrypt or sign or decrypt each and every message. My circle of co-workers, contractors, and friends gave up on it after a short while.

Recently, I have begun using Enigmail [mozdev.org] with GPG [gnupg.org]. It integrates quite nicely with Thunderbird [mozilla.org], and I assume it would with Mozilla as well. We use it companywide, with Macs and PCs (ie OSX and Windows), and we convinced a contractor that uses Linux to use it as well.

While the initial configuration did require some degree of effort, it was not too tough. Encrypting, decrypting, signing, and verifying is almost automatic now, requiring very little effort per message. My PGP (I mean GPG) password is queued for 15 minutes, so from time to time I have to re-enter it. All my messages are signed, and if the recipients are in my keychain, it is encrypted as well.

I think if it is set up by a Slashdot-type person (and let's face it-- that's what most of us are paid to do), an "average" user should have no problem with it.

My mail server is in Canada!

[farrellj]

Thank the Gods!

In Canada, it is not legal for a company to read your private email, as email is treated like snail mail. This applies even if they are your employer!

I really hope the US courts get a clue about privacy!

ttyl

How this happened

[dtfinch]

The USAPATRIOT act reworded to wiretap laws so that stored electronic communications are no longer protected, as in emails or depending on how you read it, even packets in a queue. The suspected purpose of this is to enable interception of data on a network by law enforcement without the need for a wiretap. This effectly renders the entire wiretap law null, so long as law enforcement is willing to jump through the right hoops, which are now technical rather than judicial. The couple sentences of the Patriot act that did this were perhaps the most significant in the entire document, but so benign in appearance that they would be overlooked by many and the act would be passed by congress. Today in the USA, protections against nearly all the forms of privacy invasion that we had just 5 years ago are now mostly just illusions. Every privacy law I know of now has some loophole which allows the government to circumvent requirements of probable cause and judicial approval. This is why we should not reelect Bush. I was a registered Republican in 2000, but they are not looking out for any of us.

Notice that many router manufactures (eg Cisco) have plans to integrate lawful interception features into their products, in anticipation of future demands of the US or other governments.

Steve Jackson Games

[SiliconEntity]

This all goes back to the Steve Jackson Games decision of 1994. The Secret Service had seized a BBS belonging to Steve Jackson Games, and SJG sued because the computer also held some unretrieved private email. However, SJG lost on the same grounds as in this case, that email in storage is not protected by the literal language of the Wiretap Act. It may be a technicality, but it's been the law for over ten years.

Not protected from your ISP as it is....

[Vancouverite]

The calls for using the Stored Communications Act would probably have failed as well. Based on 18 USC 2701:

(c) Exceptions.

Subsection (a) [Offense] of this section does not apply with respect to conduct authorized -

(1) by the person or entity providing a wire or electronic communications service;

Since the person in question was the "... person ... providing a wire or communications service", the Offense section of the act does not apply to him, if he authorized the access. No offense, no crime.

<bad music tune="Feelings">
Loopholes,
Nothing more than Loopholes,
Trying to prevent those,
Criminal Aaaaaaaaaaaaacts!
</bad music>

Re:Two words

[NigritudeUltramarine]

You seem to have missed my point entirely, I'm afraid.

You're talking about envelopes. Like I said, email is not like mail in envelopes.

Email is like postcards. It's sent as plain text that anyone along the way can read. Having a "law" that says people can or cannot read it doesn't change the technical reality.

If you want to do the equivalent of putting your email in an envelope, you've got to encrypt it.

Simple as that. And if you do it properly, neither your ISP nor your government can read it.

Re:The judges are neither stupid nor ignorant

[ky11x]

Sorry, first time through all my quotation marks and apostrophes were swallowed.

There are many comments here about how the judges must be stupid and don't understand the technology, and that's why they ruled this way, etc. etc.

I find it obnoxious that many of the commenting /.ers apparently never bothered to read the opinion or try to understand what the court is really deciding and the grounds for their decision. The article submitter is himself one of the greatest sinners in this respect.

Listen to me. Unless you try to understand what the law is and how judges are supposed to apply the law and read this decision carefully, you are not giving them the level of respect that you expect them to give to you, the technical community. The judges work with a technically complex and intricate art, much like us programmers. Moreover, the judges' actions have profound consequences: they send people to jail and make people pay millions of dollars to each other with their pronouncements. That's an awesome responsibility. Do you really think they are "stupid" just because you may not understand their decision at first glance?

Let me try to explain what is going on in this case.

First, this is a criminal case. The government is charging the defendant ISp with violating the Electronic Communications Privacy Act ("ECPA") or commonly called the "wiretap act." In a criminal case, the courts try to construe the statute as narrowly as possible so that they make sure the government is only sending people to jail when it's clear that's what Congress intended. That the courts are careful in this manner is a good thing , if you value our freedom.

Next, the court looked at the statute carefully and found that it defines two types of communication: "wire communication" and "electronic communication." It then noted that the statute clearly gave different levels of protections for the two. Wire communication is given a lot more protection than electronic communication. Whereas "interception" of wire communications while in transmission and while in "electronic storage" is clearly illegal, only "interception" of electronic communication is made illegal. The statute made it clear that obtaining an electronic communication while it's in electronic storage is not covered as a punishable crime. Congress quite clearly meant for different treatment to be given to wire communication versus electronic communication. Electronic communication in electronic storage are just not covered by the statute.

Thus, the court ruled that the government couldn't prosecute the defendant under the ECPA.

THAT'S IT! Okay? That's all the court held. Just that the government can't prosecute the defendants under this particular law. They are not saying "ISPs Can Read Your Email" -- as the headline sensationally claims. They are not saying privacy is not important. They are not saying emails are equal to postcards. They are just saying that this particular law did not cover what the defendants did. That's all.

And quite honestly, the court is doing its job correctly. For the court to rule the way most of you would like here, the judges would be making law, and what's worse, making a criminal law. Most of us would be appalled by that idea. Congress should do so, not the courts.

Let me be clear, the judges here understood what was going on technologically very well. They recognize the force of your arguments and concerns about privacy, but their hands are tied. They lament, quite movingly, that "it may well be that the protections of the Wiretap Act have been eviscerated as technology advances" and go on to say, "We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes." This is a clear call for Congress to do something about the problem.

They are interpreting the law as they should, and the ancient wiretap act clearly was made at a time when people didn't care much about "electronic communication" and it is our duty to convince Congress to change the law so that the courts will have the power to hand out justice to these privacy violators.