Secure Private Web Sites and Wiretapping

Masem writes "According to this CNET article, an interesting case is working it's way through the courts. A pilot for Hawaiian Airlines had set up a private web site, sufficiently secured for only those that he wanted to allow access to (in this case, coworkers), on which he reported gripes and complaints about the company. The airline used a fellow pilot's name and information to gain access to the site at least 20 times to find out what he was doing (though the article does not say if the pilot had been punished in anyway). The pilot's lawyers argued that secured communication that the web site provided was considered to be the same level as phone calls, and thus the activities of the airline were akin to wiretapping. The initial judical decision rejected this arguement, but a federal circuit court reversed it and found in favor of the pilot. It's unknown where this will go, but this decision could set several favorable precidents regarding private communications on the net."

Re:Wire-tapping

[DreamingReal]

It seems that a law exists that prohibits employers from reading the private communications of employees on stored information system (websites?) however its penalties are less severe than the law prohibiting them from listening in on private telephone conversations.

Actually, I don't think it has anything to do with what companies can and cannot legally do. Assuming that the guy did not host the website on company computers, the nature of the site is irrelevant. Whether it is Playboy.com or this guy's site, you cannot gain entry to a protected site using a stolen password.

As such, unless the VP was acting under company orders or gaining illegal access on company computers, I cannot see how his employer could be help liable.

-------

Could the DMCA be applied?

[Izubachi]

IANAL

This is probably useless, but I'm just curious, would it be possible to apply the DMCA to this case? Considering how broad the idiotic terms in the law are, couldn't Hawaiian Airlines be considered "circumventing protection" by finding a way to access the private site, even if it was by social engineering means instead of technical. That would be a nice turn-around on an old enemy, but it might be a bad precedent to set, widening the reach of the law even more.

Re:Could the DMCA be applied?

[OmegaDan]

The DMCA only works if your a paranoid-delusional company trying to erode the freedoms of the public for the sake of selling more battlefield earth DVD's ... because everyones stealing your property!

When someone does this to their site...

[jerrytcow]

If someone cracked their web site, you could bet Hawaiian Airlines would be all over them with lawyers, FBI, etc. It's nice that the courts ruled in favor of the pilot, but I'd like to see some charges filed for illegally breaking into this guy's site.

Wire-tapping

[radja]

It was likened to phonecalls.. does that mean companies can do wiretapping in the US? damn... make some laws already. You need'em.. badly..

//rdj

Re:Could the DMCA be applied?

[PhilHibbs]

Absolutely, I was just thinking along the same lines. This is a perfect example of what the DMCA does cover - they really are accessing technologically-protected copyrighted material, as against DeCSS, which merely allows use of material that has already been accessed (i.e. bought).

I was going to say the same thing...

[cr0sh]

Technically, what this VP did to this guy could be considered the same thing that Kevin Mitnick did - used false pretenses and other "social engineering" tactics to gain unauthorised access to machines, and the information contained therein.

So why isn't this VP's ass in the slammer yet?

Not that I advocate what was done to Kevin Mitnick. While I know that what he did was in the wrong, I don't believe his treatment or his "punishment" fit the crime committed. However, had KM only did 1/10 the time, he still would've did more time than this VP.

Just more proof of class ruling over justice - somehow I think all of this will be swept under the rug, the VP will get his wrists slapped, and we'll hear no more about it...

Worldcom [worldcom.com] - Generation Duh!

Re:Could the DMCA be applied?

[net-fu]

DMCA applies to copyright. To apply it to this case, wouldn't the pilot (and anyone else) have to have an explicit copyright notice at the bottom of each page? I don't really want live in a world where every private idea has to be Mirandized-- where we qualify every phone call with "You do not have to right to record this conversation."

There is such a thing as a 'reasonable expectation of privacy'. A call on a payphone in a crowded room doesn't afford the same level of privacy. However, can you say the same thing about a cordless phone? Is the harm done best resolved in criminal court or civil court? How can you set a price on that? How can you prevent someone with a CB and a crystal replacement (or any number or electrical engineers) from making a listening device?

Who's liable? -- I think it's the companies that make the phones!! Just like DVD makes are liable for the their inability to make strong encryption.

The problem with DMCA is it punishes consumers for the manufacturer's bad product while encouraging the manufacturer to ship same product. The DVD people must wake up in a cold sweat when they think about the implications of 16 year olds blowing away their encryption-- so they hide behind the law.

Besides the technology, the other problem that's always hurt privacy concerns is cost. i.e. your company has a mailserver and bandwidth that they pay for. They should be able to sneak a peek! It's been hard to convice people that the same rules that apply to phone should apply there.

What has changed people's attitudes on that is some IT manager's opionions on email snooping. Other people in the company don't like it. If you are an admin, it's like being a priest or a phone company employee. Yeah- you see a bit here or there because you have to, but most admins definitely don't want to. Especially not people they know.

When your boss tells his superiors that he wants to snoop email-- it's because he wants to snoop his employees most likely. Next he wants to snoop his superiors. Yes there are legitimate reasons for looking through email (porn, porn, porn) and you have to fight porn unless you want to get sued. But without policy it is a dangerous thing.

Hopefully we will see some postive work being done on this front.

URL for decision

[Froomkin]

Read the decision in Konop v. Hawaiian Airlines [findlaw.com] at findlaw.com.

Re:Could the DMCA be applied?

[PhilHibbs]

DMCA applies to copyright. To apply it to this case, wouldn't the pilot (and anyone else) have to have an explicit copyright notice at the bottom of each page?

No, I don't have to say "Copyright © 2001 Phil Hibbs" in order to gain copyright protection of this text. It's automatically copyright-protected.

Re:Wire-tapping

[lizrd]

Companies in the US cannot (legally) do wiretapping. That's the whole point. It seems that a law exists that prohibits employers from reading the private communications of employees on stored information system (websites?) however its penalties are less severe than the law prohibiting them from listening in on private telephone conversations. The question at issue here is if the wiretap law has been violated as well. These laws are quite complex and more than a little vague given that the different options for personal communications have expanded greatly in the past few years and it is difficult (even for geeks) to forsee what privacy issues will arise with future communication technologies and what protections should be afforded to different groups of people.
_____________