Re: Another round of viruses - encrypted this time
mike808@users.sourceforge.net wrote:
[...]
>... except that Congress granted the
> Postmaster the specific right to inspect any mail.
Well, there you go. Mail to "postmaster" goes to me, therefore I'm the
Postmaster and can inspect any mail. I'm glad that we finally agree. ;)
>>Email is a postcard, not a phone call. I'm the
>>postman whom you trust to not read your postcard except possibly to
>>verify the address of the recipient, or to count how many cards your
>>neighbor's getting from that guy in the Bahamas.
>
> It's not that I trust you to not read my postcard, it's that Congress forbids
> you to, unless you want to accept liability for its contents, legal or
> otherwise. Furthermore, it forbids you to do so without my knowledge as the
> recipient. And it's not a postcard - it's an *envelope*. The fact that it is
> trivial for you to open the envelope and look at the contents without my
> knowledge or a trace doesn't matter. The contents of the envelope are not your
> property -- unless you have a specific contract with recipients that otherwise
> grants you additional rights and privileges.
I wonder why a government entity like the USDA isn't aware of these
regulations?
http://www.usda.gov/da/pdsd/Security%20Guide/V1comput/Email.htm
"Sending e-mail is like sending a postcard through the mail. Just as the
mailman and others have an opportunity to read a postcard, network
eavesdroppers can read your e-mail as it passes through the Internet
from computer to computer. E-mail is transmitted over a public network
where you have no right to expect privacy. It is not like a telephone
call, where privacy rights are protected by law."
Anyway, I'm done guessing and speculating about legality and arguing
with someone else's speculations. Off to search for the actual laws:
Reading over the page at
http://www.usdoj.gov/criminal/cybercrime/1030_anal.html, it becomes
clear that the law distinguishes based on intent. Obtaining information
from any computer system by an authorized user (aka me, the sysadmin) is
not a crime as long as any damage caused is unintentional. If you
hax0red my mail server and got the same information, though, even if
your access was gained through my negligence, you're guilty of a
misdemeanor even if no "real" damage is caused. This is in regard to
arbitrary data stored on a computing system.
So far I'm in the clear for reading and even altering any e-mail, so
long as it doesn't cause "substantial" financial problems (and I could
probably get away in that case, too, since I'm not a public provider).
Now, reading up on the DOJ's "search and seizure" manual
(http://www.cybercrime.gov/s&smanual2002.htm#_III_), which includes a
nice summary of the Electronic Communications Privacy Act, I find that
I'm an electronic communications provider when I'm transmitting the
message - that applies until the message is read by the recipient.
However, since none of the computing facilities that I maintain are
available to the public (I have to be friends with the people who get an
account at my house, and not just anyone can be my friend - and at work
people have to work for us, and not just anyone can get a job here), I
do not ever classify as a remote computing service.
This is an important clarification, because, since my services are not
available "to the public", the contents of my servers (contents
*includes* the email) can be voluntarily disclosed by the provider (me)
to both government and non-government entities. Here's a useful quote
with an example:
--
When considering whether a provider of RCS or ECS can disclose contents
or records, the first question agents must ask is whether the relevant
service offered by the provider is available "to the public." If the
provider does not provide the applicable service "to the public," then
ECPA does not place any restrictions on disclosure. See 18 U.S.C. §
2702(a). For example, in Andersen Consulting v. UOP, 991 F. Supp. 1041
(N.D. Ill. 1998), the petroleum company UOP hired the consulting firm
Andersen Consulting and gave Andersen employees accounts on UOP's
computer network. After the relationship between UOP and Andersen
soured, UOP disclosed to the Wall Street Journal e-mails that Andersen
employees had left on the UOP network. Andersen sued, claiming that the
disclosure of its contents by the provider UOP had violated ECPA. The
district court rejected the suit on the ground that UOP did not provide
an electronic communication service to the public:
Giving Andersen access to [UOP's] e-mail system is not equivalent
to providing e-mail to the public. Andersen was hired by UOP to do a
project and as such, was given access to UOP's e-mail system similar to
UOP employees. Andersen was not any member of the community at large,
but a hired contractor.
Id. at 1043. Because UOP did not provide services to the public, ECPA
did not prohibit disclosure of contents belonging to UOP's "subscribers."
--
I can voluntarily disclose information regarding my users to myself or
to anyone else so long as my needs or the needs of public safety or my
own needs (which are pretty ambiguous) outweigh privacy concerns, or
when the disclosure is unlikely to pose a significant threat to any
privacy interests. My knowing what's on the machine does not constitute
a significant threat to privacy interests, because my sense of
professional ethics compels me to keep that information to myself.
Hence, it's completely legal for me to know what's on my server at any
time, and I'm not liable for not telling anyone about it because my
disclosure of said information is *voluntary* unless it's subpoenaed.
BTW, the Patriot act changed the definition of electronic communications
so that I can also listen to your voice mail and voluntarily disclose
that. Telephone conversations are not electronic conversations because
they contain human voice and are transmitted by sound waves. They have
different laws.
An ISP has different restrictions, but primarily in that they can't go
disclosing the information without the law asking for it. It's still
legal for them to read the email and anything else stored on their
computer. Some courts are claiming that the owner of a computer used to
transmit communication is a "party to the communication", though, and
that could potentially be used to justify an ISP recording the
communication - because it only takes one party's consent. There's also
a provider exemption - 18 U.S.C. § 2511(2)(a)(i) - which states that
essentially a sysadmin can intercept and disclose communications to
protect the provider's rights and/or property. So, an ISP can record
everything that passes through as long as their primary intent is to
catch haX0rs.
The really scary part of the ECPA is that there's no remedy for
violating the law. So, if the cops go to your ISP and read your email,
find out that you're gonna kill the mayor, and decide to prosecute -
that evidence is admissible in court even though it was obtained
unconstitutionally (AKA without a warrant/subpoena). That's just evil.
If there are new laws that supersede what I read, please correct me.
However, I'm pretty sure that I'm right.
--Danny