Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
News Your Rights Online

Bookseller Intercepted Email 103

Posted by jamie from the ex-libris dept.
jconley writes "In this somewhat scary story, an online rare book dealer, Alibris, intercepted e-mail between its clients and Amazon.com. It amounts to online wiretapping." Read the story at CNET. Alibris pled guilty but says (basically) it was a misunderstanding. The penalty: a quarter-million dollar fine - are other corporations paying attention?
This discussion has been archived. No new comments can be posted.

Bookseller Intercepted Email More

Bookseller Intercepted Email

Comments Filter:
  • Hah! Amazon complaining about people not respecting privacy.

    What next, TRUSTe complaining about ineffectual watchdog groups? eBay complaining about Usenet spam?
  • A quarter of a million dollars is a lot, but I'm surprised it wasn't more.

    I'm sure they learned their lesson, tho :)

  • It's possible... (Score:3)

    by rde ( 17364 ) on Tuesday November 23, 1999 @10:19AM (#1509483)
    I'd be (for some reason that hasn't occured to me) inclined to give them the benefit of the doubt in this case; after all, a rare-bookseller probably has little competition with someone like Amazon. However, an interesting line was

    Alibris admits to the wrongdoing but said it gained no commercial advantage because it already knew what its customers were buying.

    Hands up everyone out there who lets their email provider know what books they buy from Amazon.

  • This is pretty unclear (Score:3)

    by SendBot ( 29932 ) on Tuesday November 23, 1999 @10:23AM (#1509484) Homepage Journal
    The article didn't say much about the company's agreements with its clients. But unless they violate their stated privacy policy or otherwise violate thier legal agreements, is it really illegal? I mean, your boss can read your email at work and get away with it because they claim property over the network. It's a privacy invasion, but it's beyond the scope of the law. Now, if someone was reading network traffic on a network that they didn't own, that would be completely different. From the article, it looks like they were trying to have copies sent to them, and screwed up and had the mail sent only to them instead. I could see some sendmail newbie making that mistake pretty easily.
  • Actually, it was the predecessor to Alibris that did the intercepting, and it was on email accounts they offered to the clients. Apparently, that might be covered under some legal agreement. Anyway, the privacy you get these days is nil. If you have a credit card, own a home, rent an apartment, have a drivers liscense, or even a social security number, you've given up your privacy. It's just a matter of time until someone wants to take advantage of that fact.
  • This is an excellent example on why encryption is necessary. Who knows who else is doing thins like this?

    (BTW, read the last two sentences...don't you wish everyone in government thought like that?)

  • intercepted messages (Score:3)

    by mmmmbeer ( 107215 ) on Tuesday November 23, 1999 @10:27AM (#1509487)
    Maybe I'm missing something here, but it sounds to me that the "intercepted" messages were ones sent to Alibris' email clients. Isn't it pretty standard by now for all email providers to say, "Hey, by the way, your email may be monitored"? Users know that their providers may be seeing their "private" messages. And anyone sending a message should understand that, too.

    I understand the alleged motive, since they are a competitor of Amazon, but what if this had been messages from a non-competitor? Would they have been charged the same?
  • Misunderstanding my ass! How the hell could you "accidentally" spy on email messages?? The penalty for this ridiculous invasion of privacy should be a heck of lot more than 250K!

    (If private companies can do this, who knows what the government is doing! Scary thoughts..)

    My $0.02

  • eBay complaining about Usenet spam?


    Funny you bring this up. Every usenet group I visit, whether it's about classic video games, Lego, british cars, etc ALL contain spam related to some related item being auctioned off on eBay. Imagine how less-polluted usenet would be without good 'ol ebay advertisements, as if I couldn't just go to ebay myself and find out.

  • Sounds like a screwup (Score:5)

    by Otto ( 17870 ) on Tuesday November 23, 1999 @10:46AM (#1509490) Homepage Journal
    According to chief executive Martin Manley, the company broke the law when it tried to rectify complaints from some clients who said they weren't receiving email messages from Amazon. In tracking such messages to determine the problem, the company unlawfully captured the messages, although Manley said it did not read them.

    Okay, let's first set the ground rules here...

    According to their web site, Alibris is not wholy a bookstore.

    Alibris uses the Internet to enable hundreds of independent booksellers around the world to sell treasured books to consumers, libraries, wholesalers, and retail stores.

    My guess is that the predecessor of Alibris mostly specialized in a book-finding service.. Anyone have any information on that?

    Anyway, looks like the e-mail system they had allowed users to get an email with them to try to find old and rare books and so forth. Sounds kinda cool actually.

    Probably they had some mail problems with Amazon, and set the thing to intercept messages to see what was wrong.

    I'd give them the benefit of the doubt. An e-mail provider must be able to look at messages to resolve problems in routing or what have you. Perhaps not actual message content, but that's hard to distinguish, since the info they need and the info that should be private are not wholly separated.

    ---
  • If you have a credit card, own a home, rent an apartment, have a drivers liscense[sic], or even a social security number, you've given up your privacy. It's just a matter of time until someone wants to take advantage of that fact.

    I haven't "given up" jack. Had take from me, through deception, coercion, or force perhaps, but I in no way "willingly and knowingly" gave anyone permission to poke around in my private affairs, much less give or sell that information to others. But, living in the US of A, my privacy was sold against my will to every mass mailer and spammer on the planet long ago. (Indeed, I was getting junk mail years before I was an adult, and therefor too young by law to enter into any agreement allowing anything of the kind. Not that that stopped them, mind you.)

    If you think I'm going to take such invasions of my privacy lying down, you have a rather nasty surprise in store.

    See Private Citizen [privatecitizen.com] on how to at least curb one particular invasion of privacy which is all too common. (My only affiliation with them is as a very satisfied, paying "member"). It was the best $30.00 I ever spent, eliminating all of my junk mail and junk phone calls in one fell swoop.

  • Re:Not quite (Score:3)

    by SlydeRule ( 42852 ) on Tuesday November 23, 1999 @10:47AM (#1509492)
    If you have a credit card, own a home, rent an apartment, have a drivers liscense, or even a social security number, you've given up your privacy.

    You have given up your anonymity, not your privacy.

    The two are separate concepts. For example, your medical records are private but not anonymous. And someone distributing a "hidden cam" video of you violates your privacy even though you remain anonymous.

    As we lose our anonymity, we must insist that it be replaced by privacy.

  • Why does this give me a very bad feeling? More than the realJukebox thing, in fact (I never use that program anymore) I think the big issue here is of the intercepted e-mail. If I read the article correctly, they didn't prevent the mail from going where it needed to, they just read it and used it in their statistical surveys.

    It still bothers me. Blocking e-mail altogether wouldn't be that far off, had this corporation not been taken to task. And even though they were, what's to prevent an e-mail provider from putting a clause in the contract so they could intercept at will? The PR would be something along the lines of:
    ISP: We're doing this so we can catch those dirty, dirty pornographers trying to ensnare the innocents of the world.

    REPORTER: You have pornographers on your network? ISP: Er... of course not! But they're a sly bunch, so we have to watch out for them!
    Even better - a quick look up at the header of this message will show that I've got Hotmail as one of my e-mail providers. What if, suddenly, I had difficulty sending mail to linux-related sites? In view of what's happened here, I don't think that a step like what I'm envisioning is too far away, and that bothers me more than anything else.
  • Hands up everyone out there who lets their email provider know what books they buy from
    Amazon.

    Maybe they just go to their little database (where they record all their sales). Remember that this company is not jsut an email provider, but is *also* a rare book dealer. Their ISP clients are also their rare books clients.


    "You want to kiss the sky? Better learn how to kneel." - U2
    "It was like trying to herd cats..." - Robert A. Heinlein

  • They also broke into several small ISP's in area (Score:3)

    by Anonymous Coward on Tuesday November 23, 1999 @10:49AM (#1509495)
    As one of the people involved in this (on the good side)...

    The 'book reseller' also owned an operated a small ISP. The FBI found files on their systems from several other area ISP's. They had managed to break into the sites and steal /etc/passwd and /etc/shadow. The had several thousand 'access codes' in their possession. I think the $250k fine was enough.

    One of the people invovled is a selecmen for a nearby town. It is amazing what some people will stoop to to get ahead in business.

    I know all this because I live in the area...

  • Really, a fine of $250,000 is just a cost of doing business. The only thing is it's not deductible, due to being a fine.

    Expect more of this - this is just the tip of the iceberg, the lone case where they got caught, not the majority of cases.

    Just because you're paranoid, doesn't mean they're not spying on you ...
  • This sentiment is non-productive. Am I happy with the level of privacy I have wrt to personal data? Certainly not! Does that mean that I publish the list of books I order in the local newspaper? Well, not usually.

    Just because we've lost a lot of privacy doesn't mean:

    1. I should be happy about it
    2. I shouldn't try to stop from losing more
    3. I shouldn't try to regain that which I have lost
    On a side note, I wonder if Amazon will sue Alibris (this was a criminal lawsuit, according to the article)
  • $250,000 for about 40,000 messages. Hey, if anyone's listening, I'll let you read my mail for sixty bucks a message too!
  • That's 4,000 emails in question not 40,000. You did the math right, though. About $60 per email.

  • Here's why the government cares (Score:5)

    by / ( 33804 ) on Tuesday November 23, 1999 @11:08AM (#1509501)
    The government cares about such invasions of privacy on the part of individuals and corporations because, quite frankly, it encroaches upon the prerogative of the state. Just as the state is to have a monopoly on violence in society, so is the state wish to have a monopoly on the invasion of privacy: Echelon, et al. Just as common murder challenges the king's authority as the only legitimate source of death within his realm, so does common wiretapping do as much in this matter.

    Hopefully, we can concentrate all of these atrocities within the state and then geld the state with constitutional amendments, as we have in the US concerning torture and the constitutional prohibition against cruel and unusual punishments. Alas, my cynicism would counsel otherwise.

  • False! (Score:3)

    by isaac ( 2852 ) on Tuesday November 23, 1999 @11:15AM (#1509504)
    You have given up your anonymity, not your privacy.

    The two are separate concepts. For example, your medical records are private but not anonymous. And someone distributing a "hidden cam" video of you violates your privacy even though you remain anonymous.

    Wrong on both counts.

    You should have read the fine print on the form you signed to get health insurance, which essentially gives your insurers (and anyone they choose to share it with) full access to your medical records.

    Likewise, there are no laws prohibiting video-only surveilance in the USA. There are laws that state your likeness can't be used for commercial purposes without your permission, but that's not the same thing, and is a property, rather than privacy protection. It doesn't give you the right to compensation, for example, if your image appears in a news photograph.

    There is virtually no privacy protection in this country, beyond the (mostly gutted) Fourth Amendment.

    -Isaac

  • Sounds like this is taken out of context (Score:5)

    by JTB ( 115442 ) on Tuesday November 23, 1999 @11:15AM (#1509505)
    If I understand correctly, what happened went like this:
    • The defendent provides a service to help people find rare books, via email. For example, Customer X tells the defendant, "I want an original manuscript of Plato's Republic. Please contact online booksellers and have them contact me if they have this book."
    • The defendent contacts many online booksellers telling anyone with an original manuscript of Plato's Republic to email Customer X.
    • Customer X doesn't get any responses from Amazon, and contacts the defendant saying, "Hey, I'm not getting any messages from Amazon."
    • After several Customer Xs complain, the defendant attempts to figure out why messages from Amazon aren't going through, so they capture messages sent from Amazon to their users. Not for the purpose of reading them (because we already know what Customer X wants to buy), but for the purpose of seeing where the messages die.
    • Someone throws a hissy-fit, a federal judge steps in, and $250,000 later, we can all go back to being productive.

    Sounds like a waste of everyone's time.
  • But how will this play out, in the longer term? In this case, any interception was not only unnecessary (even if you believe the defence), illegal, but also utterly unethical, at best.

    Now, let's see what happens if you generalise to the usual extremes politicians, the media and the more vocal populace love to do. Should radio telescopes and SETI be banned, in case they accidentally intercept e-mails or other private communications? Never mind their setup can't process any such information, but sufficiently litigenous plebs with good enough lawyers might give it a go.

  • If you send something via FedEx, do you expect to have it read?

    Of course, that is slightly different, because in that case, your parcel is sealed, and FedEx would have top breck that seal. Now, at least, it is obvious that an email has the same protection - this decision (it seems to me) means that your ISP must get your permission to read it, even to diagnose network faults.

    Yes, this is slightly unrealistic for plaintext emails, but the point is that now you have a degree of protection against unauthorised reading of emails.

    When you send email from work, that is different - by using the work facilities, you are acting as an agent of your company, and which means that all access to your emails is handled by company policy - in the same way a company can make a rule about its employees not reading thing in other peoples offices.

    PS: I'm not a lawyer, so basically I made all this up. It might be somewhat correct, though.

    --Donate food by clicking: www.thehungersite.com [thehungersite.com]

  • This should be a wake up call to all the e-tailers out there that to protect your customers you should offer some kind of privacy enhanced e-mail / PKI solution. PGP seems the logical choice. Amazon could have a place to paste in your public key on your user profile so any correspondence could be encrypted if desired. Sure most people wouldn't use it, but at least it would be due diligence on the part of Amazon.

    -DS

  • Lessons Learned (Score:3)

    by regs ( 18775 ) on Tuesday November 23, 1999 @11:24AM (#1509510) Homepage


    I think that regardless of fault or motive in this case, it underscores an essential point that has been lost in all the new economy, "all services will be free and subsidized by advertising", hype: trust.



    As email becomes an increasingly important tool of the masses (this is your dad's email!), we're going to see more issues like this. When someone signs up with Juno or Hotmail or Email.com or Yahoo! mail or any of 200 other free email services, they are putting all that personal, private data in someone else's hands. I argue this point with many people, and they say, "I don't care... there's nothing important in my email, anyway." They are, of course, missing the point. What if you're emailing your doctor about your HIV infection and your email provider (or an employee within them... the company doesn't have to be the culprit necessarily) turns you in for a bounty to your insurance company. I mean, really, it's like using a company phone... you're personal correspondence is on resources that you do not control. Needless to say, this doesn't surprise me in the least and I think this is only the tip of the iceberg. As we have seen in the excellent accounts of the failures of Truste, these companies are willing to go to great lengths to collect this data, and I wouldn't put it past to change their "privacy" policy to include the fact that they can use the content of your messages for whatever they choose; they would take this step and not bother to inform their users.


    I don't want to get off on a rant here... so I won't. I was beginning to get a little too lunatic fringe there.


    The point is that people need to made aware they need to have trust in their providers. Call me a little paranoid, but my email ends up on a box sitting on one end of DSL line in a friend's apartment. The box runs OpenBSD and is tighter than a frog's ass. I know who runs the box. I know who has accounts on the box. I trust them.



    I'm not advocating an "everything must be encrypted" stance (but I wouldn't call it a bad idea). This is not a security issue so much as it is an issue of understanding the nature and motives behind the relationships this new age is birthing.

    --

  • You need to be made aware of it if someone is going to read your mail.

    My employer makes me sign a form periodically (every couple of years?) that I'm aware that all email sent from a company account is company property and might be read.

    Without a signed permission, I don't want anyone reading my mail.
  • I am uncertain how the company is at fault. It seems like they offer email as a service to customers, and are being blamed for debugging their service.

    I can also recall a time before the internet, when users were warned that public and private messages stood the chance of being monitored or reviewed at any time. I don't see how this case is different.

  • Need for secure e-mail (Score:5)

    by alexhmit01 ( 104757 ) on Tuesday November 23, 1999 @11:38AM (#1509515)
    My concern with this, is that plaintext e-mail isn't the same as post office e-mails. Those are sealed. I would argue that plaintext e-mail is akin to a postcard, anyone on the network CAN read it. In fact, the ISP HAD to intercept the e-mail electronically (there machines had to see a copy of it), so it's just a question of them logging it. If they log all the bits coming across their network, is that also a wire tap? It is THEIR network, how is it illegally wire tapping for them to monitor stuff on their network?

    On the other hand, this makes the case for a need to replace plaintext e-mail. Plaintext e-mail may serve a purpose (you're out of town and go to a Cybercafe and fire off a quick, all is good, we arrived safely, take care, message), but real e-mail should be encrypted (placed in a sealed envelope) and signed.

    Alex

  • Re:tcpdump shows all sorts of stuff on my cablemod (Score:3)

    by Cramer ( 69040 ) on Tuesday November 23, 1999 @11:38AM (#1509516) Homepage
    Read the contract you "signed" for the service. Most ISPs frown on that sort of thing -- of course, that doesn't mean it cannot be done. Most modern cable modem hardware doesn't decode stuff not destined to it (MAC address filtering.)

    Once when I was in college, the head sysadmin (bone head) had set his IP address to be the broadcast address. He was somehow surprised when I told him the root passwords.
  • Translation: We didn't get any new information from trapping their email that we didn't already have from agressive web proxying.

  • This really is scary (Score:3)

    by webster ( 22696 ) on Tuesday November 23, 1999 @11:46AM (#1509519)
    Anyone who has administered email servers has to feel a real shiver going up the spine on reading this, because it is impossible to keep email flowing without engaging occasionally in just this sort of thing. When email starts behaving erratically you have to check oout the headers. With Sendmail type MTAs that means capturing and reading the email messages, because that's where they are found. And no matter how hard you try, you are going to read at least some of the content in some of those messages.

    If this comes to be seen as illegal, it could mean very bad things for Internet email admins, and a lot of us who don't even admin anymore could find ourselves in deep doodoo.

  • I want to see what's inside of those packets. tcpdump doesn't show the meat of the stuff; just the headers. I don't think there's much stuff going past my node, though.

  • It seems like they offer email as a service to customers, and are being blamed for debugging their service.

    Alibris themselves say that they did nothing except debug their service.

    The U.S. Attorney, on the other hand, charged them with "unauthorized possession of passwords with intent to defraud", among other things (ref. CNN [cnn.com] ). I assume there were some grounds for the charges, but since they were settled without a trial or conviction, we'll probably never know the truth of the matter.
    --

  • If users are having trouble sending mail, you better believe sysadmins investigate the messages. That's not interception, any more than the post office is "intercepting" your mail when it examines the envelope.

  • Good point, I think as more and more (esp. commercial) services get online, encryption should almost always be used by default. What with personal information, easily-misunderstood-when-out-of-context content in emails, forums, etc., plaintext transfer is just too... well, plain. And even if no hidden motives are involved, you could accidentally see something in the transmission that you shouldn't, and get into trouble just because of that, like this company here.

    As we move into the age of the vast commercialization of the Internet, encryption should be somewhat like a standard thing, and plaintext used only when you actually intend the content to be read by others. Plus, unaware users should not be left with plaintext as default. They should be conscious of it when their transmissions are sent in plaintext. All email programs, sites where you sign up for something, etc., should use encryption by default. I think encryption technology is advanced enough and common enough these days for this to be feasible. As for potential performance degradation, I remember the days when I had an 8088 and said, "WoW! the 286 runs at 16 MHz??!! Who'll ever need that except to play DOOM??"

  • Translation through Microsoft Filter: Maybe we used it, maybe we didn't. Prove it.

    Gimmie a break, why would they intercept the emails unless they were using the information?

    I'll answer that: Why prevent the email from being delivered when it could just as easily be copied? The only reason would be they didn't want their customers to see the email.

    The scary part is: how many other email providers are skimming their customers' email without their knowledge?

  • Comment removed based on user account deletion

  • Re:Lessons Learned (Score:4)

    by DiningPhilosopher ( 17036 ) on Tuesday November 23, 1999 @12:10PM (#1509528)
    I don't understand why control of the actual mailbox is so important when you can't possibly control all of the intermediate sites which relay your mail from one place to another... Okay, your ISP doesn't have direct access to the mail you've already received, but they could easily have records of everything coming and going one level up...

    The only real solution is encryption. Any number of people can read your email as it goes through their servers - unless they need a key to do so. Until the use of strong encryption is widespread we'll all be sending our mail on postcards.
  • Just one odd thing about your example:

    Customer X tells the defendant, "I want
    an original manuscript of Plato's Republic.

    I'm no paleographer, but I know people who are, and if anyone had an original manuscript of any of Plato's dialogues, that fact would have major historical significance. It wouldn't be something you could buy online.

    But I agree with the rest of your description of the situation.
  • FYI: On www.privatecitizen.com they talk about:

    "We also send our members a copy of a little known Postal Service form that many call `The Ultimate Junk Mail Weapon'."

    That form is PS Form 1500, available at any US Post Office. It was actually designed to stop porn, but the Supreme Court ruled that it applies to any mail, or, to put it another way, offensive is in the eye of the beholder.
  • In France, the penalty for snooping on someone's email, be he your boss, your ISP, your neighbour or a policeman (w/o a warrant, of course) is ... jail time. If I remember properly, up to three years -- since according to the jurisprudence, which was established years ago thanks to the Minitel, it's considered to be the same as robbing one's snail mailbox.

    Me thinks it's appropriate ...

    --

  • PGP != PKI (Score:4)

    by DiningPhilosopher ( 17036 ) on Tuesday November 23, 1999 @12:25PM (#1509532)
    You're absolutely right, everyone needs to start using encrypted email. A PKI (Public Key Infrastructure) will also be necessary - however, PGP doesn't provide one.

    PKIs are designed to solve the problem of key exchange - we all trust a central authority to sign my key and verify that it actually belongs to me. PGP doesn't solve this problem. It relies on the user to establish his own unspoofable channel (e.g. face-to-face exchange) for verification of keys.

    If you plan to use someone's PGP public key you MUST verify the signature with that person in an unspoofable way or the whole system falls apart. Thus PGP can't work for widespread communications security (Don't get me wrong - I use it and love it). Instead we need a real, traditional PKI. Which introduces many more problems (Who gets to sign certificates and who doesn't? If I notify them that my key has been compromised, how do they notify everyone who has that key? And so on.)

    There's a whole industry built around this (and I work in it). There's no simple solution.
  • to sell you for a really good price.

    No seriously, it's obvious that the poster you're responding to is aware of the impossibility of finding an original manuscript from Plato ... it was just a funny example ...

    --

  • Electronic Communications Privacy Act (Score:3)

    by the eric conspiracy ( 20178 ) on Tuesday November 23, 1999 @12:35PM (#1509535)
    Folks running ISPs and services like Alibris really should pay attention to the Electronic Communications Privacy Act of 1986 [eff.org]. People sending mail, using cell phones and so forth actually DO have some privacy rights. It basically gives carriers the right to debug their services, but anyone disclosing or reading content like Alibris may have been in the absence of a court order is breaking the law.

    While there is no rational expectation of Internet privacy because of the open nature of Internet protocols, it isn't a wide open free-for-all either.

  • That article was very unclear. Several other people have pointed this out as well, but I've got some insight on a personal level.

    ASFAIK it's still fairly common practice for ISPs to include in their usage agreements something along the lines of "You can be monitored, and there really isn't much you can do about it". Not that I'm saying that's the way things should be, but I'd expect to see some lawsuits challenging the validity of those agreements. Have there been any that any one has heard of? What were the outcomes, if any?

    What I mainly am worried about is the criminal implications this may have. I don't know a lot about criminal law, so somebody please correct me if I'm wrong. Isn't it a current legal precedent for ISPs and other people in similar situations to basically be held legally responsible for what's on their servers? I think that's at least the case for web pages, I don't know if maybe there's an exception to the rule for email, since it's supposedly "private". I'm just scared that if sometime in the near future (god forbid, but for argument's sake) if Joe Terrorist blows up a building somewhere in the U.S. and it's determined that he planned the whole thing using email.

    Now, if the ISP who handled the email can be found criminally negligent for letting such material go across their network, yet can also be sued for invading someone's privacy if they monitor it, where does that leave us?

    Also, what about mail admins? I used to work for a pretty big ISP and I got hundreds of bounced messages (that get bounced to postmaster) sent to me every day. Most of them I just deleted, but I did have to look through them to attempt to diagnose certain problems. And it's pretty hard to look through a message and not notice the body, sure it can be done, but you don't really think about it at the time. Especially if the contents of said message are "Please transfer $1.5 Million into account XXX-XXX-XXX from account XXX-XXX-XXX" (that was actually in a bounced message I saw once). I mean that just opens up a whole world of hurt if you're in that position. Hopefully just seeing it wouldn't violate any laws, but this whole area of law is so murky...

    Something to think about I guess.

  • This was no accident (Score:2)

    by Anonymous Coward
    The article makes it sound like the email capturing was by mistake. I know everyone involved. and I know it was not done by accident. The sys-admins did do many bone-headed things in the past but they didn't screw up and capture e-mail by accident.

    Also not mentioned in the article is the subsidiary ISP (www.valinet.com [valinet.com]) which they owned and operated and the hacking they attempted in the area. The ISP has recently been sold to another party, I hope they don't get killed because of the bad press.

    The local press here (Western MA) is having a field day with this

  • The internet is two things. 1) A place where are ideas are freely express and one of the few free zones left in the world. 2) A place where some people will do anything do get what they want anyway they can. For the internet to hold its current integrity both well have to remain.

  • You need to be made aware of it if someone is going to read your mail.

    In the physical world, this is correct. The effort to prevent someone from doing something they can do must be expended because there is no other way.

    On the net, this is not correct because there is another way. Simply make the undesired activity impossible.

    How? GnuPG [gnupg.org] or PGP [pgpi.org].

    sklein

  • It is amazing to me as a Canadian to look at Americans and see the total fear and distrust that you have for your government. In Canada, especilly out west, we dislike our government, and feel out of control, but we do not fear or distrust it.

    Both governments have their flaws, but both are very democratic. If anything, the power that the Canadian federal government has over it citizans is more than that of its American counterpart. The American government is also better suited to avoid situations of abuse of power, while the Canadian system emphsises on speed.

    This leads me to wonder why Americans fear their government so much. The only explanation that I can find on the side of the government is that, because of the size and power of the country, it has the potental to do so much. However i have difficulty believing that this is the cause.

    This leads me to believe that it is not the government that causes this fear and distrust, but the overall attitude of the people. From a fairly liberal, outsider perspective, it would seem that the parinoia that Americans see, is not caused by abuses of the government, but by the fear of the people that they will happen.

    If you look at your arguments, they have no reason. Why does the state want violence, why do they want to spy on you, why do they want a monopoly on this. when there are really, rational answers, then your idea may have grounds, but for now it's just heresay.

  • I buy stuff on there all the time. If they're pulling any crap I am going somewhere else ASAP.
  • And in a truly free country all email would be encrypted, so this issue would never arise. By relying on a legislative solution, in France your email can still be snooped by corrupt government agents or any cracker good enough to not get caught.
  • I thought the same thing when I read this-namely that maybe they really were debugging a problem and captured the emails.

    This made me think of a question:

    If you were having problems with snail mail getting routed to your house the post office would have to investigate, and to do so they would have to maybe look at your mail--not the contents mind you, but the envelope. It seems to me that there is a need for a similar protection for email.

    Yes, encryption is an option, and had everyone been using it, they couldn't have claimed a privacy invasion ;)

    But seriously, what would the technical difficulty be for an addition of what amounts to a protocol version of envelope glue. In other words, something in the header that allows de-cryption of the body--but only once. That way the receiver does not have to publish a key, and yet has knowledge that their mail was tampered with. Something like an extension of a digitial signature.

    Is this at all practical? Is this even different from a signature? I am not fully versed in the nuances of encryption, and I know that many here are, so I thought I would put this out as an idea.

    The advantage of such a scenario would be that online companies such as Amazon could seal their emails, and not have to have their recipients do anything.

  • Internet traffic == postcards (Score:1)

    by Anonymous Coward
    They are readable as they are handed from person to person (site to site). Ya want privacy? Put that postcard into an envelope, i.e., encrypt. I encrypt, so I don't care who's sniffing my packets.

    My radio scanner picks up cell phone calls that are BROADCASTED IN THE CLEAR. This is legal (I'm in BC, Canada). Why shouldn't it be legal to listen in on data BROADCASTED OVER THE INTERNET IN THE CLEAR?

  • Re:Internet traffic == postcards (Score:1)

    by Anonymous Coward
    They are readable as they are handed from person to person (site to site). Ya want privacy? Put that postcard into an envelope, i.e., encrypt. I encrypt, so I don't care who's sniffing my packets. My radio scanner picks up cell phone calls that are BROADCASTED IN THE CLEAR. This is legal (I'm in BC, Canada). Why shouldn't it be legal to listen in on data BROADCASTED OVER THE INTERNET IN THE CLEAR?

    Because crypto puts control of privacy in the people's hands, while legislation outlawing snooping puts control of privacy in the gov'ts hands. Which do you think the gov't prefers?

  • To track down lost e-mail, the administrators could have logged only the headers of the targeted messages. By discarding the body, they would have had a much easier time with their claim that they were simply troubleshooting and not evesdropping.

    I suppose this would make potential lost messages unrecoverable, but the problem could be identified and solved without loss of privacy.

    Anyone know if they were able to demonstrate that there had been a problem somewhere? Perhaps they accidentally interrupted the Amazon e-mail when they installed their sniffer!

  • seperate parts of messages (Score:3)

    by cabbey ( 8697 ) on Tuesday November 23, 1999 @02:22PM (#1509551) Homepage
    both of you are basically trying to seperate the routing info needed to debug MTA problems from the contents of an email....

    This seperation is already in place. per the RFC responsible for mail formating and stream protocol (eight hundred and something I think) the format of a message is:

    From ???@???
    [headers]
    [blank line]
    [body]
    .

    where [headers] is zero to one headers of the form key=value, with second and higher lines of a multiline entry begining with a tab.

    and [blank line] is defined as exactly that... an empty line. [body] then is whatever is in your email.

    The top half of that, [headers] is the part needed for debugging; there are even scripts that will strip out everything except the headers for this very purpose. I think sendmail even has a configure option that will copy the headers of all messages to a log file.
  • If ISPs were granted official common carrier status, it would be illegal fro them to snoop traffic. Their network cables would be considered a public resource owned or at least under control of the gov't. They would have to sell bandwith to competition. And they would be GURANTEED LEGAL IMMUNITY from being sued for forwarding kiddie pr0n, w4r3z, hate materials, etc. as they would be a simple transport medium (just like phone company [a common carrier] cannot be sued for having drug deals happen over their phone wires).

    However, ISPs have not been granted common carrier status. As such, they are simply private companies who sell a pipe to other companies (and eventually to users) to carry data. They fully own the network cabling and have every right to examine the data they're paying to transport. ISPs have been shut down for having kiddie pr0n and w4r3z on their news spools. So if they're responsible, why not have the RIGHT TO SNOOP?

    Gov't wants to have it in their favor both ways (duh). They want ISPs to be held accountable for content (a la CDA) yet want them not to snoop and to open their lines up to competitors (see AOL attempt to require cablemodem providers to open their lines). A decision must be made. Give a free ride to the peddlers of pedo pr0n and w4r3z exchange, of give ISPs the right to listen in on everything. What's it gonna be Mr. Fed?

  • Especially if the contents of said message are "Please transfer $1.5 Million into account XXX-XXX-XXX from account XXX-XXX-XXX" (that was actually in a bounced message I saw once).
    Watch it, buster! You may be fined $250,000!!!!!
  • On the way home, I thought of several problems to my idea, thanks for the info.

  • "Traditional PKI" is like saying Retro Quantum Computing. The problem (and I'm agreeing with you) is who do you trust? Since the Internet is global, you can't put things in the hands of any one government, nor is anyone likely to trust a private enterprise i.e. Verisign. I also doubt that any educational institute would be that trustworthy.

    So what's the solution? I'm not sure, perhaps some kind of a G8 type group commissions a non-profit organization to sign and distribute keys. It could be audited quarterly by several other private (non-profit) companies and perhaps the member governments themselves. This could, in effect, create a de facto standard for key distribution and trust relationships. Then you open up the can of worms that is private key storage. That's beyond the scope of this thread!

    The current PKI model is for each organization to have their own PKI and to establish trust relationships with other organizations. I doubt that has the staying power when you introduce the consumer into the mix. The problem is implicit trust doesn't work. i.e. If I trust Alice, and Alice trusts Bob, doesn't mean I should trust Bob.

    Why can't we use implicit trust? The same reason we don't allow other countries to do our diplomacy for us. We may now be establishing good trade relationships with China, and Taiwan may trade with us, but China and Taiwan (if you acknowledge Taiwan's sovereignty) aren't likely to trust each other. If you require explicit trust relationships the required peering would be ridiculous. You'd wind up with the "n-squared" problem from hell. I agree though, there has to be something better than PGP but for now, baby steps may be the best approach.

    -DS
  • Yes, but the problem with that is that you COULD set up a program to snip the headers you need, but in doing that snipping, you're still accessing the whole message in some form. Think about the post office analogy. With snail mail, there is both envelope and content. You can eyeball the envelope without knowing the content.

    Postcards are what email is like. The post office, in eyeballing the important data (that being the mailing address, postage, etc), they CAN see the content. They may not read it, but it's right there. It's easy to claim the mail has been 'read' for diagnostic purposes, simply because there's not much of an alternative. Even if the content is not expressly read, it has been 'opened' and therefore is in violation of privacy.

    Now, this is all assuming these people were having diagnostic problems. I can't comment on that. My solution is much like anyone else's.. Seperate envelope and content. Encrypt. If you do that, even if someone WANTED to open the envelope, the content is in gobbledygook =)
  • Or maybe it's an understanding of history. In this century more people have been killed by their own governments than by all wars combined.

    I would really like to know one time in the history of you country, or mine for that matter, when large numbers of people have been killed by the government against the will of the people.

    The only real time that I can think of would have been when the United States expanded west, but there was really no objection to it on a large scale, even though people knew about it. It would also be difficult to say that this was not a war, as the people they were fighting did not want to be part of the country. I have not studied American history to a great extent, but if it did happen, please enlighten me.

    I do however still stand by my original point, and the fact that a democratic government is only a refection of the people who elect it.

  • http://www.panix.com/~iayork/amazon_doc.html [panix.com]

    Summary for those who don't want to read:

    Amazon has spammed. They have hit mailing lists. Mostly, they spam customers, without waiting for permission. They occasionally "lose" opt-out requests. They stay solidly committed to opt-out spamming, rather than opt-in mailings. Amazon employees have posted to Usenet via DejaNews as "customers", without mentioning what you'd find if you did an nslookup on NNTP-Posting-Host.

    They are scum, they are liars, and they are not worth your time.

    http://www.powells.com/ [powells.com] (Powell's Books) is a better deal. I've never been spammed by them, and neither has my mom (I bought her a gift certificate there last year.) By contrast, she bought a book from Amazon, and has gotten a number of mailings.

  • ASFAIK it's still fairly common practice for ISPs to include in their usage agreements something along the lines of "You can be monitored, and there really isn't much you can do about it".

    It may be in your agreement, but the Electronic Communications Privacy Act of 1986 (ECPA) [eff.org] overrides it for e-mail. An ISP cannot monitor or intercept your e-mail. This is different from businesses; ECPA applies only to the ISP-customer relationship, not the employer-employee relationship. "Necessary incident[s] to the rendition of service" are exempted (e.g. the aforementioned sendmail queue debugging), as is protecting the rights or property of the ISP.

    Isn't it a current legal precedent for ISPs and other people in similar situations to basically be held legally responsible for what's on their servers?

    The other way around. Section 230 of the Telecommunications Act of 1996 states that ISPs cannot be held liable for their members' actions, pages, etc. See Doe v. AOL [aol.com] and Zeran v. AOL [aol.com].

    I used to work for a pretty big ISP and I got hundreds of bounced messages (that get bounced to postmaster) sent to me every day.

    If it was your own default sendmail config that sent all copies of bounces to postmaster, including contents, then yes, I'd say that's pretty risky. If other sites were sending you these as "bounced bounces", then you weren't the one doing the intercepting.

    Jay Levitt
    Chief Architect, AOL Mail
    Drawing on my job, but speaking for myself
  • As a person who is regularly after rare stuff, and also as a person that understands that sending an e-mail is like sending a postcard, I'd have to say that I can't believe anyone cared about the action, nor can I believe the fine imposed.

    I believe, even expect, that any buying patterns I display at any store will be bought and sold like a commodity. What's more, any place that can actually supply the obscure stuff I'm after is a God-send.

    When I'm after a product and I send some e-mails off, I want them to cross as many desks as possible in the hope that someone can help me obtain the item.

    Are stores no longer allowed to pass one requests to other organisations? "I asked you for this product, I didn't give you permission to ask anyone else on my behalf." That's nuts.

    What happened to a community working together? Is networking illegal? Why does everyone want to be an island? Why are people so quick to sacrifice the good effects of sharing data just on the off-chance that something "private" reaches "bad" people...?
  • Drug testing in the workplace also falls under the category titled "rape of the 4th Ammendment". What's even creepier is that they can do genetic testing on urine (as well as hair, blood, semen, etc.)Many U.S. companies that sponser employee insurance are requiring genetic testing as a pre-employment assesment. Now they can tell if you are genetically pre-disposed to certain conditions like Alzheimer's, Huntington's Disease, and certain forms of cancer. What do you think your chances are of scoring that job? Of finding insurance coverage? The worst part is that most genetic diseases are multi-gene mutations. Therefore, one mutation does not mean that you will get the disease, merely that you are predisposed. Will there be an un-employable class...an American version of India's Untouchables? The walls have ears...Big Brother is everywhere!
  • The post office analogy is not really very accurate when you really look closely at the problem. The program that dumps the headers out for you (an MTA: Mail Transfer Agent, such as sendmail) already accesses and parses the whole message... it HAS to. Said same program can pipe a copy of the headers to a file thereby keeping the "contaminated" part of the process (the one that reads your mail) in the program and the "prying eyes" part of the process (the postmaster trying to fix her network) seperate. (this of course assumes morals, competency and a whole bunch of other stuff.....)

    A much better analogy is the telegram (don't laugh!) operated by the old school telegraph operators that could tap out a message without reading it... or better yet, an illeterate operator! If all you know how to do is transpose '---' to 'O' and vice-versa then it doesn't matter if I'm sending a love letter or a creditcard number.

    The biggest refrain in this though is that if you want privacy you must encrypt . GnuPG [gnupg.org] or PGPi [pgpi.org] or if you must have someone to sue if it breaks... PGP [nai.com].
  • Read the manpage (if you dare :-))

    '-w filename' records "snaplen" bytes of the packet to a file (-r reads it back) Once it's recorded, you can look at it with what ever. You can also doctor tcpdump (rather easily) to dump the isprint()able part of the packet. (I've done this a few times over the years.)

  • The only real time that I can think of would have been when the United States expanded west, but there was really no objection to it on a large scale, even though people knew about it. It would also be difficult to say that this was not a

    war, as the people they were fighting did not want to be part of the country.


    Well, as far as I'm concerned, you just answered your own question. The expansion westward by America killed a large number of people, all of whom I can assure you very much did NOT want to be killed by "their" government (or at least the government which claimed to rule them). The plight of the American Indians is a cause for great shame in America. At that time, the "will of the people" was with the murderers, but that doesn't do YOU very much good when they put you up against the wall, does it?

    A large number of examples can furthermore be cited from history where a government took power with the "will of the people" and then turned bad. (USSR, Maoist China, Iran, etc.). I think the reason you see such fear in America of this happening is because of the origins of the country. America was formed after a successful rebellion against what the people considered an oppressive government. The Articles of Confederation (especially) and the Constitution which followed were created specificly to limit the power of the government, so that another rebellion would not be necessary. Unfortunately, the last 200 years are basically the story of learning how to ignore the Consitution for governmental gain -- the income tax wasn't even legalized until the early part of this century!

    So, as you can see, people in America can get very touchy when it comes to government power (not touchy enough for me, though!). Libertarians (who like to think of themselves as the true philosophical descentants of the Founding Fathers) tend to view any amount of government as merely a necessary evil, and would remove as much of it as possible if they could.

    I think your misunderstanding comes from a cultural difference derived from the way our two countries were formed.

  • In addition to what seebs writes, they have sent mail with forged headers (redirecting the bounces to a nonexistent mailbox at usa.net), they have purchased e-mail lists from other companies (whose recipients did not give permission for their names to be sold), they have failed to cancel their "associate" sites for spamming, and an affiliate company (pets.com) has harvested web sites for e-mail addresses to spam.

    Jay Levitt
  • Very interesting, however i must point out that in every case that you mentioned of governments that turned the will of the people into something bad, of which I could name several more, including Nazi germany and pinochets(sp?) rule, were all radical regimes of which the United States is not. It is easy to complain about how slow your governmnet is, but it has maintained stability under uncertain conditions for over 200 years which is a very important accomplishment.
  • Hands up everyone out there who lets their email provider know what books they buy from Amazon.

    Hands up everyone who believes that Amazon wouldn't sell your personal info, including a list of books bought, to some guy on the street for $.05.

    If one of my users says "I'm having trouble sending mail to ", you better believe I end up "intercepting" and "examining" the email to figure it out. Not a problem; it's my job.

  • It has been freed last years; 128bit keys are allowed, and the law is on its way to free it completely RSN.

    --

  • >They are readable as they are handed from person to person (site to site). Ya want privacy? Put that postcard >into an envelope, i.e., encrypt. I encrypt, so I don't care who's sniffing my packets.

    They are readable, yes, but that certainly doesn't mean that because of that, it's perfectly right to go out there and check someones mailbox for non-enveloped letters or postcards. Neither do i have the right to read someones e-mail even if it's not encrypted. All people do not even know, that their mail can be intercepted on the road, and do not see any reason for some weird encrypting.

    >My radio scanner picks up cell phone calls that are BROADCASTED IN THE CLEAR. This is legal (I'm in BC,
    >Canada). Why shouldn't it be legal to listen in on data BROADCASTED OVER THE INTERNET IN THE CLEAR?

    Well, looks like Canadian law sucks (i'll bet somewhere listening private broadcasts, encrypted or not, is unlegal), if something is legal, it is NOT guaranteed that the same thing is right. You should use your own brains also, if you have one of those.

    And, wire phone calls are also unencrypted, is it right and legal and moral etc to climb into the pole and start listening? No, hell, it certainly is not.
  • Just to add a little balance to the discussion - I've been a user of Amazon and Amazon.co.uk for a long time now - I've bought a number of items from them.

    When I asked for one of my email accounts to be removed from their mailing list, I stopped receiving email from them immediately.

    I have never received email from them on an account that hadn't solicited it.

    I'm not saying they've never done it, but I am saying that they have behaved impeccably with respect to me, and I know very few people who dislike Spam more than I do.

  • I take it that you don't understand the web of trust model. The idea that PGP implements is to allow anyone to trust anyone else, regardless of their 'status' -- that is, there are no certificate authorities. However, because I can trust your signed keys, I can inherently trust a key that has your signtature attached. In fact, I could trust someone's key because it was signed by someone whose key was signed by someone whose key was signed by you (who I trust). This kind of 'friend trusts friend trusts friend' model is very useful if a large number of people are using the system. Within a closed system such as a company, keys get signed quickly because of close proximity to each other. Each of these people may know and trust a few other people on the Internet (say, 3). If there are 50 people at a company using PGP who have all signed each others' keys and trust those people to sign others' keys responsibly (two different trust settings), then there is an automatic infrastructure of 150 people trusting each other through the company people (not including the latter group).

    With high percentages of PGP/GPG usage, there is a good web of trust established and a public key infrastructure in the hierarchial sense is not needed. However, a trusted "root" authority can establish themselves (Thawte [thawte.com] is one such authority) and sign PGP keys, allowing everyone to trust their key, and implicitly trust others' keys.

    Both models are usable under a web of trust model; don't discount PGP so easily.

    - Michael T. Babcock <homepage [linuxsupportline.com]>
  • Actually, doing something like this would only add
    a false sense of security. If I were a mailicious mail admin, I could capture a copy of your message, use the info in the header to unwrap the message, and you'd never be the wiser.

    The reason this analogy breaks down is that in physical postal mail, there is one physical object being delivered. In e-mail, it is a stream of data that is being replicated across many systems (and generally deleted from each system after it gets passed to the next one).

    Frankly, if it is illegal to look at email messages for the purpose of debugging mail routing problems, I'm in deep doo-doo, because I and my staff do it on a regular basis. We have no interest in the content of the message, and we have no intent to monitor content, but the fact is that 99% of e-mail messages have plaintext content attached to the headers that we need to read to be able to debug routing issues.
  • The "From ???@???" isn't part of the RFC822 message, it's added by the local delivery agent to convert a RFC822 message to mbox format.

    This isn't to be confused with the 'From:' header, which is of course part of the RFC822 message.

  • Actually no, never have seen it. Rather, I have just finished a paper on genetic testing/bioethics.
  • opps... good point.
  • If anything, the power that the Canadian federal government has over itz citizens is more than that of its American counterpart.

    I suspect that the Canadian federal government actually has less power over its citizens than the American one. Many perogatives that the US federal government has arrogated onto itself (particularly in the field of social insurance) are jealously guarded by Canadian provinces. Canada's federal government basically governs by carrot (big cash handouts to the provinces), whereas America's mostly governs by the stick. Granted, there are exceptions (the 21-year drinking age was nationalized in the US by tying it to federal transportation funding).

    In any event, the RCMP hasn't taken to the practices of shooting pregnant women, leading assaults against non-traditional religious groups, and bursting into peoples' homes and killing elderly men for no reason, all in the supposed interest of protecting society from the evils of guns and drugs. I suspect if the RCMP behaved as our "law enforcement" authorities did, many more Canadians would be afraid of their government (and particularly of their efforts to disarm the populace, in order to further ensure the state's monopoly of violence).
  • The monopoly of violence comes from the basic historical theory of how political units originally came to pass. I can't give any great citations, but the basic outline is:
    1. Man lives in a state of nature. He uses violence to protect his property.
    2. Men join together to collectively ensure their security.
    3. Some man becomes the ruler.
    4. This man, to consolidate this position, decides that only he can permit the use of violence to settle disputes. At least, I'm pretty sure how this theory works. It may come from Hobbes' The Leviathan. I know Locke makes similar points.

      Incidentally, I think the author has an interesting theory, and it would seem consistent with the government's actions with regard to crypto (which, after all, seeks a monopoly on the legitimate use of truly secure communications).

  • If you send something via FedEx, do you expect to have it read?

    You ought to maybe read the Terms and Conditions of shipping via FedEx:

    Inspection of Shipments [fedex.com]

    Inspection of Shipments

    We may, but are not obligated to, open and inspect any shipment at our
    sole discretion and with or without notice.



    Besides being on the web page, that's also verbatim from the back of the airbill you sign when you ship.
  • I most certainly do understand the web of trust model. I'm a PGP user and I develop cryptographic software professionally.

    The PGP trust model is quite clever and works well for groups of people (e.g. friends, coworkers, etc.). I personally find PGP to be very good at what I use it for. However, the web of trust is no substitute for a real PKI with one or more trusted roots. Every time you contact someone with whom you've never communicated (and with whom the people you trust have never communicated) you need to establish a secure channel, like a phone call. This gets very tiresome if secure communications are widespread. If you don't believe me, think of the trouble of contacting a tech support organization or operating a large mailing list...

    Worse yet, try explaining all of this to your grandmother, who has just acquired a new email account. She may not understand the concept of "mouse", let alone public key cryptography. If we want everyone on the system it has to be self-operating. PGP just isn't. (By the way, if you need to trust an organization like Thawte to sign keys you've stepped into the realm of PKI)

Slashdot Top Deals

Once it hits the fan, the only rational choice is to sweep it up, package it, and sell it as fertilizer.

Close