DustyShadow writes "In the case In re United States, Judge Mosman ruled that there is no constitutional requirement of notice to the account holder because the Fourth Amendment does not apply to e-mails under the third-party doctrine. 'When a person uses the Internet, the user's actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus 'private' information is actually being held by third-party private companies.""Updated 2:50 GMT by timothy: Orin Kerr, on whose blog post of yesterday this story was founded, has issued an important correction. He writes, at the above-linked Volokh Conspiracy, "In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers."
It's not about transportation, it's about destination. Plus there's no expectation that FedEx would (or should) have access to the *contents* of your mail, but an ISP-hosted email account, currently, does have full access to the content, with your tacit approval.
There are options, potentially, for the more privacy minded: * POP email with "delete from server" active will limit how much of your mail your ISP has access to. * Run your own mailserver. * Develop a mailserver that stores mail in an encrypted folder and requires your key to access.
That last one could also go a long way to helping solve the issue where private companies have to host their own mail and forbid employees from using other accounts solely to avoid the exposure of proprietary communications to third parties (the ISP). It also shouldn't be too difficult to set up...
I run my own mail server. Would this precedent then not apply to me? I have a reasonable expectation that I alone have access to my mail server.
This is a bad precedent regardless. When you send something via UPS or FedEx, you are giving your parcel to a 3rd party for storage and delivery. When you make a cell phone call, you are giving data packets representing your voice to a 3rd party for delivery. Extrapolating the argument further, would then the only way to have a reasonable expectation of privacy in your communication is when you are speaking face to face with the intended recipient?
The intentions of the 4th amendment need to be upheld in a rapidly changing world. Most people have only a minuscule understanding of the technology they use and most people DO expect their emails to be private communication. Precedent like this might move people to explore encryption, which I think law enforcement can overwhelmingly agree will make their job much more difficult.
Occasionally I am just absolutely struck fuck-dumb by the sheer level of pants on head retardedness displayed in decisions like this. Then I realise the 1st and 2nd amendments come into play.
Plus there's no expectation that FedEx would (or should) have access to the *contents* of your mail, but an ISP-hosted email account, currently, does have full access to the content, with your tacit approval.
So does the phone company regarding your phone calls. That doesn't mean that there isn't a reasonable expectation of privacy.
Let's say I send an email from my home mail server to a family member using gmail.
The email leaves my home network is sent to my personal mail server. This transfer uses TLS.
My mail server sends it to GMAIL. This transfer uses TLS.
Gmail stores it. Google promises to only disclose my information with my permission or with other controls on dissemination. See Google's privacy policy [google.com] and the Gmail privacy policy [google.com]
I have ensured my family members use https/pops to download from gmail.
How do I not have an expectation of privacy in that transaction?
Replying to my own post, but I see from RTFA that the judge addressed the privacy policies. However, he seems to have read them differently to me. He says that Gmail uses agree to google disclosing the information in response to a lawful request (ie, a subpoena) and somehow reads from this that users dont have any expectation of privacy.
Personally, I would think that expecting disclosure to require a warrant was pretty much an expectation or privacy. Otherwise, we can never have an expectation of privacy. Perhaps he means that because Google employees can read the emails, there is no expectation of privacy, but this is using a black and white test where is it not appropriate. I understand that Google employees can read my emails in gmail, but I have reason to expect that the contents won't go any further.
I understand that Google employees can read my emails in gmail, but I have reason to expect that the contents won't go any further.
That is where the judge gets the interpretation that there is no expectation of privacy. If you understand that Google employees can read your email in gmail, then you don't expect that your emails are private.
That is where the judge gets the interpretation that there is no expectation of privacy. If you understand that Google employees can read your email in gmail, then you don't expect that your emails are private.
And, following that logic, my banking details are not private because bank employees can read them, my medical details are not private because insurance company employees can read them, my phone calls are not private because telephone company employees can listen to them, etc..
No, there are explicit laws protecting that information through targeted legislation. That's actually part of the argument on why the CAN access your e-mail this way (if it's on a cental 3rd party system).
But, in contrast, they CAN subpeona your medical records, phone records, and more.... They do that every day!!!! This only extends that to e-mail. The difference is, you have no expectation of guaranteed privacy of e-mail as you do with medical records as those are protected by such targeted legislation and regulation, so they can subpeona access to it, and they don't have to provide you protection notice under the 4th amendment (though it does have to pass a judge's scritiny for them to get that subpeona). In other words, It;s not that they could not already get your e-mail through a court order, this just gives them the abiltiy to do so without first having to issue your lawyer notice (you can still fight to have the contents kept from a court case, it;s not public record, you still have rights).
Tacit approval? I cannot agree. Most people consider their email to be the same as their real mail. There is no reasonable cause to consider the technical details of the email process as the common user has no knowledge of such details and typically believes his email is secure whether or not that is actually the case.
This judge is simply wrong to assert that the technical details disqualifies email from having 4th amendment protection.
FedEx has the same access to the contents of the mail as an email host provider has to read a user's email. One has but to access it. We "trust" FedEx not to tamper with or damage our mail. We "trust" email service providers not to tamper with or damage our email. I see no cause for technical details to play as a factor primarily because the constitution makes no qualifications for protection and it is not for legislators, judges or presidents to add qualifications that aren't stated. I believe it is unconstitutional to attempt to do so.
Oh certainly, if everyone you get email from uses PGP, you're already good.
I'm talking about keeping all the plaintext and/or HTML mail you get from normal people/banks/mailing lists and having the mailserver know to automatically encrypt the content of new messages with your public key. An ISP running such a server could then HOST your normal mail without ever having access to it, or without ever implicitly getting your permission to access it.
I thought Hushmail did something like that. Like they store your email encrypted and your password decrypts it when you need access, so they can't read your mail even if they get a subpoena. I think it even sends it to your browser in its original encrypted form and the client decrypts the data.
What are they going to do, ignore a court order? The point is that they can give the court all of the customer's data but since it's all encrypted there's no harm.
I do remember something (probably on slashdot) about an easy web interface that let you send your password to the server for your data to be unencrypted over there for the session. They warned everyone "Don't use this because if we get a court order to keep logs on you, we'll log your password and hand it over to them."
This was because Hushmail was forced to either allow the Interpol (which has clout in Ireland and other places Hushmail has their servers) to read what the server decrypted via the Javascript client, or likely face shutdown for not cooperating.
There is absolutely nothing Hushmail's developers could have done once the judge in their area handed the search warrent papers. I still highly recommend using the service, not just for E-mail, but a decent place to store some documents offsite.
Yes and the spy sats can see through your roof and read what you are typing on your comp00ter right now!
Seriously, get a grip, they aren't watching you. REALLY, they aren't. If Echelon were reading those, don't you think it would be exactly the thing to obsfucate if you've got something to hide? And thats done with SSL, not PGP.
If you're going to suggest something for encryption, PGP is entirely not it on any number of levels. There are several reasons why only geeks use it, first being its obnoxious to keep your key data up to date, even with the key servers. This is a prime example of why the 'OMG DECENTRALIZEDQ%!@%!@%' crap people go for is retarded. You decentralize it, then add back centralized servers so you can make it usable again, but not usable enough that everyone is on the same page.
S/MIME is far more useful in the general sense of email since there are 3rd party 'trusted' stores for validating certificates AND revoke them.
PGP users are too into the idea of a decentralized web of trust which is fine for geeks who have 4 friends and thats the end of it, for those of us who communicate with others outside of our basement it falls apart. It was a great first implementation of encryption for the masses, but we're past that now, will you geeks please get over it. Its not going to take over the world, the general public isn't going to bother, hell I'm a geek who writes encryption software and I don't deal with PGP.
S/MIME is easiest to use within, or between, large organizations. Large companies can afford to give all their employees s/mime keys. S/MIME scales within an organization in a way that PGP does not. While individuals can get s/mime keys for free from a few places (NOT Thawte any longer), they're a pain to administer.
There's a reason everyone and their dog uses pgp keys, and not s/mime keys. e.g. http://w2.eff.org/Misc/EFF/?f=pgpkey.eff.txt http://www.kernel.org/signature.html http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
The trusted 3rd party broker and revoker offered by S/MIME is meaningless for most email communications, because Verisign and other CAs cannot cost-effectively vet individual email senders. PGP acknowledges this difficulty and offers an infrastructure for people to be as paranoid or as trusting as they want to be of others' keys.
Perhaps you can tell me the difference between a phone call and a email. Phone calls are protected by wiretapping laws, it is a criminal offence to listen in to private phone calls or record them without the permission of all parties involved. Both phone calls and email are simply digital transmission over wire, both pass through other parties to get to the final destination, the only difference is the hardware and coding to encode, decode and interpret them.
Face it, the judge is an idiot of the first order, I mean come on has the boob never heard of ADSL. It completely ignores the fact that email servers are completely automated and require no human intervention to reach their destination. It is time for email software to make use of the DMCA and, incorporate a simple encryption technique that prevents the email from being read as plain text but require a simple for legal reasons only decryption technique with a default warning if the person is not the intended recipient, for email where the default recipient email address does not match the target email address.
Basically am encryption technique that is no more secure than you typical envelope but still providing the full legal security of a typical envelope, with the added bonus of the DMCA to beat them over the head with.
Yes, and if the police show up and say "we wanna open this package" FedEx will say "I've gotta see a warrant or I'll be liable for you violating someone's 4th amendment rights". Or, at least, that's what will happen if the person the police are talking to actually speaks english...
I cannot see how this won't be overturned on appeal. People have a general expectation of privacy in regards to their e-mail, and the fact that it's being physically hosted somewhere doesn't defeat that.
Agreed, the appropriate analogy would be to physical mail where people have a clear expectation of privacy. Unfortunately, the attitude among judges frequently seems to be that "oh wow. That has do with that complicated internet-thingy. That must function in a completely different way. Never mind that we've had no problem seeing how new technologies fall under the Constitution before. This time it is clearly different. Besides, that web thing scares me."
More to the point, it is clearly no different than a bank safety deposit box, and those cannot be searched without a warrant. The mere fact that we are talking about data instead of physical objects should have no legal bearing on the requirement of a warrant for search and seizure. This is a clear case of bailment, and in bailment cases with a corporate entity, one can generally assume a right to privacy.
This will definitely get overturned on appeal unless the lawyers involved are inept.
Funny, in the UK we had police smash into almost 7,000 safe-deposit boxes.
More than 500 officers smashed their way into thousands of safety-deposit boxes to retrieve guns, drugs and millions of pounds of criminal assets. At least, that's what was supposed to happen."
It was a warrant-expansion, from one of those "seizure of criminals assests" laws, that were started first in the States. Gone ALL wrong, 'tho'.
"Many of the clientele were families who had fled turmoil, pogroms, coups and wars and long had a cultural preference for locking away money and jewels, building up a vehement distrust for the integrity of traditional banks. Here, stepping down the spiral staircase at the back to the darkened boxes below, they felt reassured that their most important possessions were safe."
A postcard isn't a good analogy. If I send a postcard, lots of people might see what is on it by simple chance. For example, the mail carrier might see it when they pick it up. In order for someone to read an email they need to go out of their way to access it in some form. That such access is easy doesn't say much. It is easy for someone to access physical mail often when people use a physical mailbox in the suburbs. Moreover, anyone in the postal service can easily access the internal contents of your mail without getting caught (steaming open a letter is really easy and hard to notice). That doesn't mean that the government has a right to read all my physical mail without a warrant. Just because something is possible doesn't mean that it is considered either normal or acceptable practice.
The way I've always heard it, regular email is just like a postcard - anyone in the chain who touches it can read it. Maybe decisions like this one will get more people using encryption for their email. My pet concept is the job of key generation, trust, and management should be handled by banks. After all, we all trust the banks with our money already.
Of course another option would be to get common carrier status for the internet, at least within the US. Yet another step would be for the US Postal service to run (TLS encrypted and authenticated) mail services. Not that I'm enamored of the Post Office doing the job, but that's the easiest way to grant legal protection to the content.
As a bit of an aside, does it matter if you try to make the data private via encryption?
There could be an interesting relationship here: If you claim (probably rightfully) that you own the copyright to the 'content' in question, and encrypt it, does this mean that it would be unlawful for anyone to try and decrypt it under the DMCA?
...your medical records aren't private, either. When you use a hospital or a doctor's office, you're not in your own home, and your records of the visit are stored at the facility. This judge is a moron.
by Anonymous Coward
on Thursday October 29, @07:04PM (#29918613)
when we send mail via USPS, since the mail isn't technically in our homes while it is sitting in the post office, that the government can read it without violating A4?
Recently in the second Circuit, it has been ruled that gmail users do have an expectation of privacy in their e-mail account. http://online.wsj.com/public/resources/documents/Bear1.pdf [wsj.com]. Here the Court ruled that the warrant was too broad since it didn't restrict the inspection of e-mails that were unrelated to the investigation.
In light of both rulings, it may not prevent the government inspection, but could be grounds to suppress. Furthermore, the Stored communications act prohibits a warrant for this type of information unless, "offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation."
When a person uses the Internet, the user's actions are no longer in his or her physical home... All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP
Yes, just like: - Mail - Safe deposit boxes - Bank accounts - Voice mails - Telephone conversations - Storage units
As far as I know, all of the above things are subject to the 4th amendment. WTF???!!!
Most those things have separate laws to cover them. Well some of them due, I do not think there are any such protections for safe deposit boxes other than the providers of said boxes have a reputation to maintain if they want people to use them. There aren't to my knowledge any such protections for storage units, although it may be covered as if it were your home by a different law.
Phones and mail have laws specific too them to protect them, nothing to do with the 4th admendment other than spirit and intention.
We're just going to have to get off our lazy asses and demand the same coverage for internet related communication.
The main difference with phones is historically, there has not been a recording of the call stored outside the persons home. The phone company doesn't record every conversation for you to listen too later. If they did, you'd be in a different arena. Its much easier for law enforcement to get records of your calls than it is to wire tap your calls, the records are already stored so you can be billed, and you and I demanded the phone company do so, as we expect detailed billing.
With email, ISPs DO record it for later, as part of the service, thats the way it works. Your email ISN'T private and its rather retarded that you think something stored on someone elses hard drive is private to you, regardless of the law.
The judge ruled that the warrant can be served on the third party without notifying the sender. This would be akin to serving a warrant to one's employer to search one's workspace.
Or, serving a warrant on your friend to access your friend's computer to get emails sent by you.
I think this ruling is on shaky ground due to the concept of "reasonable expectation of privacy".
The fine article refers to a ruling that says you don't have to be notified if your email is accessed. It doesn't talk about if it is legal or not to access your email. I guess the theory being that if your mail is stored "publicly" at an ISP and that someone has the legal right to look at your mail, they don't have to tell you that you have been snooped on.
The article doesn't seem to make the distinction between mail at rest (on a mail server) and mail in transit (passing on the wire) so I don't know if running your own mail server makes any difference here or not. It would at least reduce the exposure time for "snapshots" to be taken and disclosed. If your mail was on your own server you would at least have to be approached by a court with a subpoena or similar that demands access, which you would probably notice.
We've seen this sort of "logic" before, and often. The general principle is "When a computer becomes involved, all precedent is forgotten, and centuries of hard-learned lessons must be learned all over again." I've forgotten who first pointed this out, but it's a useful thing to remember.
It took many centuries, and many deaths, for the freedoms that most of the "first-world" countries have were encoded in their laws. But over and over, we've found that the courts don't apply those laws to anything that involves a computer. It takes a good list of horror stories about the actions of ISPs and other people in positions of power, plus new laws, to get the older Real World laws applied to anything involving a computer. This is just one example of many.
It's sorta funny that computers, which are the ultimate in relentless, unforgiving, mechanical logic, have an effect on humans that can be characterized as destroying our ability to use logic as simple as saying that everything we knew before still applies when there's a computer in the vicinity.
In most of the First World, it's illegal for a postal or other delivery employee to open a package and make notes on the content. There are good historic reasons for this. It's interesting to read the history of the concept of "common carrier", and understand why it came to be. People did literally die before these rules went into effect, as the result of people opening and reading the contents of messages in transit, and selling the information to interested parties. This history isn't a secret. But when its a computer transferring messages, the carriers are permitted to inspect the contents and sell the information to interested parties. This will eventually lead to laws applying the common-carrier rules to computerized communications. But this will only happen after the same sort of disasters that led to the common-carrier rules for written, printed and analog telephone communications.
The only scheme that's stable over the long term is that "carriers" of messages should not be allowed to use the contents of the messages for any purpose. In exchange for this, the people in power agree to not punish the carriers for the contents of any delivered messages. Anything else will eventually be a disaster for the people in power, when they learn too late that the carriers have made "commercial" use of the contents of messages to/from powerful people.
This isn't a hypothetical scenario; it is exactly what led to the common-carrier laws in the past. Things like this court decision just shorten the time until such disasters occur. And it's all due to our mysterious inability to remember and apply historic precedent when there's a computer involved.
The original author of the blog in the story has revised his analysis thus:
"In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers. I missed this because the reasoning closely resembles the argument for saying that the Fourth Amendment doesn’t apply at all, and I didn’t read the earlier section closely enough. That’s obviously a much narrower position, and I apologize for misunderstanding it the first time in the quick skim I gave it. Sorry about that: The fault is entirely mine."
of course, the 'ever so smart judge' does not know this fine nuance.
the fact that packets travel along routers, bridges and gateways means that some of your 'property' is stored/forwarded outside your 'house'. BUT SO WHAT??
US mail travels in a store-forward way. are they allowed to read your mail because its 'not in your house, at the time' ?
finally, why is this moran allowed to concluded that ALL mail sits on 'webservers' ? even if it IS web-based, oftentimes its pop/imapped to your home system and then deleted off the server. or maybe you run old style port25 mail and it truly does go point to point and never 'sits' on an ISP for more than transit-time.
I'm really annoyed by judges who make decisions based on FALSE assumptions and lack of understanding. this judge should be fired or even tried for treason. his crime is THAT great; its a threat to some fundamental privacy that the constitution (once) allowed us.
those who seek to over-rule constitutional laws ARE traitors. look it up.
Stop using FedEx (Score:5, Interesting)
Wow, best to stop using FedEx and other *private* companies to send mail then.
Not the same, in several aspects (Score:5, Insightful)
It's not about transportation, it's about destination.
Plus there's no expectation that FedEx would (or should) have access to the *contents* of your mail, but an ISP-hosted email account, currently, does have full access to the content, with your tacit approval.
There are options, potentially, for the more privacy minded:
* POP email with "delete from server" active will limit how much of your mail your ISP has access to.
* Run your own mailserver.
* Develop a mailserver that stores mail in an encrypted folder and requires your key to access.
That last one could also go a long way to helping solve the issue where private companies have to host their own mail and forbid employees from using other accounts solely to avoid the exposure of proprietary communications to third parties (the ISP). It also shouldn't be too difficult to set up...
Parent
Re:Not the same, in several aspects (Score:5, Insightful)
It's not about transportation, it's about destination.
Every PO-box is then unprotected under 4th amendment too?
Parent
Re:Not the same, in several aspects (Score:5, Interesting)
I was thinking the same thing about safety deposit boxes.
Parent
Re:Not the same, in several aspects (Score:4, Interesting)
I run my own mail server. Would this precedent then not apply to me? I have a reasonable expectation that I alone have access to my mail server.
This is a bad precedent regardless. When you send something via UPS or FedEx, you are giving your parcel to a 3rd party for storage and delivery. When you make a cell phone call, you are giving data packets representing your voice to a 3rd party for delivery. Extrapolating the argument further, would then the only way to have a reasonable expectation of privacy in your communication is when you are speaking face to face with the intended recipient?
The intentions of the 4th amendment need to be upheld in a rapidly changing world. Most people have only a minuscule understanding of the technology they use and most people DO expect their emails to be private communication. Precedent like this might move people to explore encryption, which I think law enforcement can overwhelmingly agree will make their job much more difficult.
Parent
Re:Not the same, in several aspects (Score:5, Interesting)
I rent an apartment, am I fucked as well?
Occasionally I am just absolutely struck fuck-dumb by the sheer level of pants on head retardedness displayed in decisions like this. Then I realise the 1st and 2nd amendments come into play.
Parent
Re:Not the same, in several aspects (Score:5, Interesting)
So does the phone company regarding your phone calls. That doesn't mean that there isn't a reasonable expectation of privacy.
Parent
Re:Not the same, in several aspects (Score:5, Informative)
Indeed, if you'd like a citation that agrees with you, http://cyberlaw.stanford.edu/packets001954.shtml [stanford.edu] is a good place to start.
Parent
Re:Not the same, in several aspects (Score:4, Interesting)
The email leaves my home network is sent to my personal mail server. This transfer uses TLS.
My mail server sends it to GMAIL. This transfer uses TLS.
Gmail stores it. Google promises to only disclose my information with my permission or with other controls on dissemination. See Google's privacy policy [google.com] and the Gmail privacy policy [google.com]
I have ensured my family members use https/pops to download from gmail.
How do I not have an expectation of privacy in that transaction?
Parent
Re:Not the same, in several aspects (Score:5, Insightful)
Parent
Re:Not the same, in several aspects (Score:4, Insightful)
I understand that Google employees can read my emails in gmail, but I have reason to expect that the contents won't go any further.
That is where the judge gets the interpretation that there is no expectation of privacy. If you understand that Google employees can read your email in gmail, then you don't expect that your emails are private.
Parent
Re:Not the same, in several aspects (Score:5, Interesting)
And, following that logic, my banking details are not private because bank employees can read them, my medical details are not private because insurance company employees can read them, my phone calls are not private because telephone company employees can listen to them, etc..
Parent
Re:Not the same, in several aspects (Score:4, Informative)
No, there are explicit laws protecting that information through targeted legislation. That's actually part of the argument on why the CAN access your e-mail this way (if it's on a cental 3rd party system).
But, in contrast, they CAN subpeona your medical records, phone records, and more.... They do that every day!!!! This only extends that to e-mail. The difference is, you have no expectation of guaranteed privacy of e-mail as you do with medical records as those are protected by such targeted legislation and regulation, so they can subpeona access to it, and they don't have to provide you protection notice under the 4th amendment (though it does have to pass a judge's scritiny for them to get that subpeona). In other words, It;s not that they could not already get your e-mail through a court order, this just gives them the abiltiy to do so without first having to issue your lawyer notice (you can still fight to have the contents kept from a court case, it;s not public record, you still have rights).
Parent
Re:Not the same, in several aspects (Score:5, Interesting)
Tacit approval? I cannot agree. Most people consider their email to be the same as their real mail. There is no reasonable cause to consider the technical details of the email process as the common user has no knowledge of such details and typically believes his email is secure whether or not that is actually the case.
This judge is simply wrong to assert that the technical details disqualifies email from having 4th amendment protection.
FedEx has the same access to the contents of the mail as an email host provider has to read a user's email. One has but to access it. We "trust" FedEx not to tamper with or damage our mail. We "trust" email service providers not to tamper with or damage our email. I see no cause for technical details to play as a factor primarily because the constitution makes no qualifications for protection and it is not for legislators, judges or presidents to add qualifications that aren't stated. I believe it is unconstitutional to attempt to do so.
Parent
PGP (Score:4, Insightful)
Oh certainly, if everyone you get email from uses PGP, you're already good.
I'm talking about keeping all the plaintext and/or HTML mail you get from normal people/banks/mailing lists and having the mailserver know to automatically encrypt the content of new messages with your public key. An ISP running such a server could then HOST your normal mail without ever having access to it, or without ever implicitly getting your permission to access it.
Parent
Re:PGP (Score:4, Interesting)
I thought Hushmail did something like that. Like they store your email encrypted and your password decrypts it when you need access, so they can't read your mail even if they get a subpoena. I think it even sends it to your browser in its original encrypted form and the client decrypts the data.
Parent
Re:PGP (Score:4, Informative)
What are they going to do, ignore a court order? The point is that they can give the court all of the customer's data but since it's all encrypted there's no harm.
I do remember something (probably on slashdot) about an easy web interface that let you send your password to the server for your data to be unencrypted over there for the session. They warned everyone "Don't use this because if we get a court order to keep logs on you, we'll log your password and hand it over to them."
Parent
Re:PGP (Score:4, Informative)
This was because Hushmail was forced to either allow the Interpol (which has clout in Ireland and other places Hushmail has their servers) to read what the server decrypted via the Javascript client, or likely face shutdown for not cooperating.
There is absolutely nothing Hushmail's developers could have done once the judge in their area handed the search warrent papers. I still highly recommend using the service, not just for E-mail, but a decent place to store some documents offsite.
Parent
Re:Not the same, in several aspects (Score:4, Informative)
Yes and the spy sats can see through your roof and read what you are typing on your comp00ter right now!
Seriously, get a grip, they aren't watching you. REALLY, they aren't. If Echelon were reading those, don't you think it would be exactly the thing to obsfucate if you've got something to hide? And thats done with SSL, not PGP.
If you're going to suggest something for encryption, PGP is entirely not it on any number of levels. There are several reasons why only geeks use it, first being its obnoxious to keep your key data up to date, even with the key servers. This is a prime example of why the 'OMG DECENTRALIZEDQ%!@%!@%' crap people go for is retarded. You decentralize it, then add back centralized servers so you can make it usable again, but not usable enough that everyone is on the same page.
S/MIME is far more useful in the general sense of email since there are 3rd party 'trusted' stores for validating certificates AND revoke them.
PGP users are too into the idea of a decentralized web of trust which is fine for geeks who have 4 friends and thats the end of it, for those of us who communicate with others outside of our basement it falls apart. It was a great first implementation of encryption for the masses, but we're past that now, will you geeks please get over it. Its not going to take over the world, the general public isn't going to bother, hell I'm a geek who writes encryption software and I don't deal with PGP.
Parent
Re:Not the same, in several aspects (Score:4, Informative)
S/MIME is easiest to use within, or between, large organizations. Large companies can afford to give all their employees s/mime keys. S/MIME scales within an organization in a way that PGP does not. While individuals can get s/mime keys for free from a few places (NOT Thawte any longer), they're a pain to administer.
There's a reason everyone and their dog uses pgp keys, and not s/mime keys. e.g.
http://w2.eff.org/Misc/EFF/?f=pgpkey.eff.txt
http://www.kernel.org/signature.html
http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
The trusted 3rd party broker and revoker offered by S/MIME is meaningless for most email communications, because Verisign and other CAs cannot cost-effectively vet individual email senders. PGP acknowledges this difficulty and offers an infrastructure for people to be as paranoid or as trusting as they want to be of others' keys.
Parent
Re: (Score:3, Interesting)
I guess the 4th Amendment doesn't apply unless there is an unbroken chain of ownership between private parties.
Re:Stop using FedEx (Score:5, Insightful)
Perhaps you can tell me the difference between a phone call and a email. Phone calls are protected by wiretapping laws, it is a criminal offence to listen in to private phone calls or record them without the permission of all parties involved. Both phone calls and email are simply digital transmission over wire, both pass through other parties to get to the final destination, the only difference is the hardware and coding to encode, decode and interpret them.
Face it, the judge is an idiot of the first order, I mean come on has the boob never heard of ADSL. It completely ignores the fact that email servers are completely automated and require no human intervention to reach their destination. It is time for email software to make use of the DMCA and, incorporate a simple encryption technique that prevents the email from being read as plain text but require a simple for legal reasons only decryption technique with a default warning if the person is not the intended recipient, for email where the default recipient email address does not match the target email address.
Basically am encryption technique that is no more secure than you typical envelope but still providing the full legal security of a typical envelope, with the added bonus of the DMCA to beat them over the head with.
Parent
Re:Stop using FedEx (Score:4, Interesting)
Yes, and if the police show up and say "we wanna open this package" FedEx will say "I've gotta see a warrant or I'll be liable for you violating someone's 4th amendment rights". Or, at least, that's what will happen if the person the police are talking to actually speaks english...
Parent
ok (Score:3, Insightful)
Re:ok (Score:4, Insightful)
Parent
Re:ok (Score:5, Insightful)
More to the point, it is clearly no different than a bank safety deposit box, and those cannot be searched without a warrant. The mere fact that we are talking about data instead of physical objects should have no legal bearing on the requirement of a warrant for search and seizure. This is a clear case of bailment, and in bailment cases with a corporate entity, one can generally assume a right to privacy.
This will definitely get overturned on appeal unless the lawyers involved are inept.
Parent
Re:ok (Score:5, Informative)
Funny, in the UK we had police smash into almost 7,000 safe-deposit boxes.
More than 500 officers smashed their way into thousands of safety-deposit boxes to retrieve guns, drugs and millions of pounds of criminal assets. At least, that's what was supposed to happen."
It was a warrant-expansion, from one of those "seizure of criminals assests" laws, that were started first in the States. Gone ALL wrong, 'tho'.
"Many of the clientele were families who had fled turmoil, pogroms, coups and wars and long had a cultural preference for locking away money and jewels, building up a vehement distrust for the integrity of traditional banks. Here, stepping down the spiral staircase at the back to the darkened boxes below, they felt reassured that their most important possessions were safe."
Read more: http://www.dailymail.co.uk/home/moslive/article-1222777/The-raid-rocked-Met-Why-gun-drugs-op-6-717-safety-deposit-boxes-cost-taxpayer-fortune.html [dailymail.co.uk]
Parent
Re:Unencrypted e-mail is like postcards (Score:5, Insightful)
Parent
There are tools that can help (Score:4, Insightful)
It's a real shame that email encryption never really hit the mainstream.
Re: (Score:3, Insightful)
This is precisely the sort of action that could lead to encryption taking hold.
Re: (Score:3, Funny)
Re:There are tools that can help (Score:4, Insightful)
The way I've always heard it, regular email is just like a postcard - anyone in the chain who touches it can read it. Maybe decisions like this one will get more people using encryption for their email. My pet concept is the job of key generation, trust, and management should be handled by banks. After all, we all trust the banks with our money already.
Of course another option would be to get common carrier status for the internet, at least within the US.
Yet another step would be for the US Postal service to run (TLS encrypted and authenticated) mail services. Not that I'm enamored of the Post Office doing the job, but that's the easiest way to grant legal protection to the content.
Parent
I wonder if you can use the DMCA to your advantage (Score:5, Interesting)
As a bit of an aside, does it matter if you try to make the data private via encryption?
There could be an interesting relationship here: If you claim (probably rightfully) that you own the copyright to the 'content' in question, and encrypt it, does this mean that it would be unlawful for anyone to try and decrypt it under the DMCA?
Re:I wonder if you can use the DMCA to your advant (Score:5, Insightful)
Parent
As Half Life 2 taught us... (Score:3, Interesting)
*splutter*... US Mail? (Score:4, Insightful)
By this logic... (Score:5, Insightful)
...your medical records aren't private, either. When you use a hospital or a doctor's office, you're not in your own home, and your records of the visit are stored at the facility. This judge is a moron.
Re:By this logic... (Score:5, Informative)
Actually, they are private because there is a law saying they are private.
Parent
Does this mean... (Score:4, Insightful)
when we send mail via USPS, since the mail isn't technically in our homes while it is sitting in the post office, that the government can read it without violating A4?
This is not the same everywhere. (Score:5, Informative)
Recently in the second Circuit, it has been ruled that gmail users do have an expectation of privacy in their e-mail account. http://online.wsj.com/public/resources/documents/Bear1.pdf [wsj.com]. Here the Court ruled that the warrant was too broad since it didn't restrict the inspection of e-mails that were unrelated to the investigation.
In light of both rulings, it may not prevent the government inspection, but could be grounds to suppress. Furthermore, the Stored communications act prohibits a warrant for this type of information unless, "offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation."
ECPA (Score:5, Informative)
I see that the electronic communication privacy act of 1986 is being ignored once again.
http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
3rd-party doctrine (Score:5, Insightful)
When a person uses the Internet, the user's actions are no longer in his or her physical home... All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP
Yes, just like:
- Mail
- Safe deposit boxes
- Bank accounts
- Voice mails
- Telephone conversations
- Storage units
As far as I know, all of the above things are subject to the 4th amendment. WTF???!!!
Re:3rd-party doctrine (Score:4, Interesting)
You would be wrong.
Most those things have separate laws to cover them. Well some of them due, I do not think there are any such protections for safe deposit boxes other than the providers of said boxes have a reputation to maintain if they want people to use them. There aren't to my knowledge any such protections for storage units, although it may be covered as if it were your home by a different law.
Phones and mail have laws specific too them to protect them, nothing to do with the 4th admendment other than spirit and intention.
We're just going to have to get off our lazy asses and demand the same coverage for internet related communication.
The main difference with phones is historically, there has not been a recording of the call stored outside the persons home. The phone company doesn't record every conversation for you to listen too later. If they did, you'd be in a different arena. Its much easier for law enforcement to get records of your calls than it is to wire tap your calls, the records are already stored so you can be billed, and you and I demanded the phone company do so, as we expect detailed billing.
With email, ISPs DO record it for later, as part of the service, thats the way it works. Your email ISN'T private and its rather retarded that you think something stored on someone elses hard drive is private to you, regardless of the law.
Parent
Summary is not quite right. (Score:4, Insightful)
The judge ruled that the warrant can be served on the third party without notifying the sender. This would be akin to serving a warrant to one's employer to search one's workspace.
Or, serving a warrant on your friend to access your friend's computer to get emails sent by you.
I think this ruling is on shaky ground due to the concept of "reasonable expectation of privacy".
TFA talks about notification not access (Score:4, Interesting)
The article doesn't seem to make the distinction between mail at rest (on a mail server) and mail in transit (passing on the wire) so I don't know if running your own mail server makes any difference here or not. It would at least reduce the exposure time for "snapshots" to be taken and disclosed. If your mail was on your own server you would at least have to be approached by a court with a subpoena or similar that demands access, which you would probably notice.
Encryption is of course, the answer.
This is nothing new (Score:4, Informative)
We've seen this sort of "logic" before, and often. The general principle is "When a computer becomes involved, all precedent is forgotten, and centuries of hard-learned lessons must be learned all over again." I've forgotten who first pointed this out, but it's a useful thing to remember.
It took many centuries, and many deaths, for the freedoms that most of the "first-world" countries have were encoded in their laws. But over and over, we've found that the courts don't apply those laws to anything that involves a computer. It takes a good list of horror stories about the actions of ISPs and other people in positions of power, plus new laws, to get the older Real World laws applied to anything involving a computer. This is just one example of many.
It's sorta funny that computers, which are the ultimate in relentless, unforgiving, mechanical logic, have an effect on humans that can be characterized as destroying our ability to use logic as simple as saying that everything we knew before still applies when there's a computer in the vicinity.
In most of the First World, it's illegal for a postal or other delivery employee to open a package and make notes on the content. There are good historic reasons for this. It's interesting to read the history of the concept of "common carrier", and understand why it came to be. People did literally die before these rules went into effect, as the result of people opening and reading the contents of messages in transit, and selling the information to interested parties. This history isn't a secret. But when its a computer transferring messages, the carriers are permitted to inspect the contents and sell the information to interested parties. This will eventually lead to laws applying the common-carrier rules to computerized communications. But this will only happen after the same sort of disasters that led to the common-carrier rules for written, printed and analog telephone communications.
The only scheme that's stable over the long term is that "carriers" of messages should not be allowed to use the contents of the messages for any purpose. In exchange for this, the people in power agree to not punish the carriers for the contents of any delivered messages. Anything else will eventually be a disaster for the people in power, when they learn too late that the carriers have made "commercial" use of the contents of messages to/from powerful people.
This isn't a hypothetical scenario; it is exactly what led to the common-carrier laws in the past. Things like this court decision just shorten the time until such disasters occur. And it's all due to our mysterious inability to remember and apply historic precedent when there's a computer involved.
The blog's author has updated his analysis... (Score:4, Informative)
The original author of the blog in the story has revised his analysis thus:
"In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers. I missed this because the reasoning closely resembles the argument for saying that the Fourth Amendment doesn’t apply at all, and I didn’t read the earlier section closely enough. That’s obviously a much narrower position, and I apologize for misunderstanding it the first time in the quick skim I gave it. Sorry about that: The fault is entirely mine."
http://volokh.com/2009/10/29/opinion-on-fourth-amendment-and-e-mail/ [volokh.com]
Re: (Score:3, Informative)
While you have the car in your possession, no. But, once you turn it in, yes.
And, that is a bad analogy.
Re:Geeks may say (Score:5, Insightful)
I run my own mail server, you insensitive clod!
of course, the 'ever so smart judge' does not know this fine nuance.
the fact that packets travel along routers, bridges and gateways means that some of your 'property' is stored/forwarded outside your 'house'. BUT SO WHAT??
US mail travels in a store-forward way. are they allowed to read your mail because its 'not in your house, at the time' ?
finally, why is this moran allowed to concluded that ALL mail sits on 'webservers' ? even if it IS web-based, oftentimes its pop/imapped to your home system and then deleted off the server. or maybe you run old style port25 mail and it truly does go point to point and never 'sits' on an ISP for more than transit-time.
I'm really annoyed by judges who make decisions based on FALSE assumptions and lack of understanding. this judge should be fired or even tried for treason. his crime is THAT great; its a threat to some fundamental privacy that the constitution (once) allowed us.
those who seek to over-rule constitutional laws ARE traitors. look it up.
Parent
Re:Geeks may say (Score:5, Insightful)
Parent