The Wiretap Act and email

p2pnet.net: Wiretap law 'eviscerated'

This article from p2pnet.net reports that in the case of USA v. Bradford C. Councilman the First Circuit (not the Ninth, mentioned later, which was involved in earlier related decisions) found that an email service provider's interception of customer email did not constitute a wiretap. Evidently since "the emails were in electronic storage", which I suppose means that the emails sit in RAM or on a hard disk on the mail server, the service provider's act did not constitute an interception in the legal sense.

My first thought is that the court's decision is bullshit. Taken from the court decision itself:

"Intercept" is defined as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device."

Okay, sure. Then how do they get to:

[T]he district court held that Congress did not intend for the Wiretap Act's interception provisions to apply to communication in electronic storage.

I guess, if they're thinking of someone accessing stored emails on a hard drive that were sent long ago, that's not truly wiretapping. While technically in both cases the emails are in electronic storage (in RAM or on a hard disk on some computer), the semantic difference is tremendous. Electronic storage on an intermediary server should not be considered equivalent to electronic storage on a personal computer.

Unfortunately, their position comes straight from past decisions. The majority opinion reports decisions by the Fifth Circuit in Steve Jackson Games, Inc. v. United States Secret Service and by the Ninth Circuit in Konop v. Hawaiian Airlines, Inc. which state categorically that the Wiretap Act does not apply to communications in electronic storage.

This is too broad a statement. There's no way that we can accept such a broad judicial principle; being "in electronic storage" means a world of different things.

My second thought, unrelated to the first, concerns the ever-present question, what is the right thing to do? To me, at least, Councilman was in the wrong. No email service provider ought to intercept messages because they are from a competitor - this is like the stories of Hotmail blocking Gmail invites (see, for example, this article), though not quite as egregious since the emails are merely copied. But if we were to enact a broad principle stating that interception of emails is illegal, then Gmail service would be illegal, as would the almost universal virus scanning of incoming email. So it seems appropriate to tolerate interception for some purposes. But whenever an act is tolerated under some motives and not under others, law gets murky.

The ultimate solution is to permit interception with full disclosure - but disclosure in a more obvious way than buried within the ghastly license agreements that we all agree to unread when we sign up for a service or install software. I'm not certain what appropriate disclosure would be. I just know that if people knew this guy was copying emails from Amazon, nobody would use his service, and the market would take care of the problem.

Perhaps this is a principle that can be applied to other areas of IP law and policy. Make more actions permitted but clearly disclosed; then let the market sort the acceptable from the not. It's an interesting thought, at least.

The latest Court decision

AP release

As an aside: Ever notice that whenever someone uses 'Court', with a capital 'C', it always refers to the Supreme Court? Are we beginning to hero-worship the Nine?

The Supreme Court upheld a lower court ruling that COPA (Child Online Protection Act) may violate the first amendment. The law permitted fining web sites posting unguarded material considered "harmful to minors". I haven't read the act (it was evidently passed in 1998), but I would assume that a sufficient guard for such material would be some sort of authentication system where a user wishing to view the material must provide some age authentication, and will in return receive a cookie that permits access to the site. All other pages within the site first check for the presence of the cookie, and redirect the viewer to the authentication page if it is not found. For some reason, the article instead mentions filters, which are a technological solution for individual computer users to shut off access to such sites entirely - filters operate at the other end, at the personal computer rather than the website, and generally web site designers do nothing to make themselves blocked by a filter. Perhaps the COPA law required web sites with adult content to register with some filtering software company to make the filtering process easier.

Free speech on the Internet is an interesting question. We tolerate some degree of restricted speech - for example, FCC regulations on nudity and swearing in broadcast television. Some environments, such as private in-person meetings, are at the other end of the spectrum - you can talk about whatever you want, with the possible exception of conspiracy to commit a crime (not sure about the legal boundaries there). The internet contains elements of both of these mediums - there are very well guarded private forums in which all actions are acceptable, and public news sites which rarely involve material such as swearing or nudity. But most of the web is fully and freely accessible to anyone with an Internet connection, as broadcast television is fully and freely accessible to anyone with a television, and yet it operates under significantly looser standards. If you look solely at the question of availability, then content restriction seems to make sense.

But the Internet is a different medium than television, because the content comes from individuals. It is a public forum, where participants talk as much as they listen, rather than a commercial producer-consumer market. It is the first environment ever where a single person can make their voice heard to hundreds of millions of people (if they have anything to say); the current trend of blogging has made this process even easier. This is truly a utopian environment, and restriction is unthinkable.

Update: Some links to articles from other sites on the decision

Center for Democracy and Technology Headlines - article includes links to the decision and more info about COPA

LawMeme - Ashcroft v. ACLU - explains the discussion of filters (majority opinion asks whether modern technology filters, as opposed to 1998 versions, can be acceptable and less restrictive); also gives individual justice opinion summaries

Quote of the Day

"I'm like toilet paper, Pampers and toothpaste. I'm definitely proven to be effective."

Shaquille O'Neal, ESPN.com
http://sports.espn.go.com/nba/news/story?id=1830201

Post from Ernest Miller on Hatch's INDUCE announcement

The Importance of...: The Obsessively Annotated Introduction to the INDUCE Act

This is a really thorough and well-done post which presents Senator Hatch's announcement of the formerly named INDUCE act (which is now “Inducing Infringement of Copyrights Act of 2004” S. 2560). Ernest adds a number of clarifications and corrections to the announcement. In a couple places he's a little extreme for my tastes, but there are enough interesting edits to make the article well worth reading. Some of the highlights from early in the document:

Artists realize that adults who corrupt or exploit the innocence of children are the worst type of villains. [Well, call me morally challenged, but I consider murderers worse. And I take it these are different artists than the ones that corrupt children through that "rock and roll" or "rap" noise?]

...

Criminal law defines “inducement” as “that which leads or tempts to the commission of crime.” [Luckily, not every temptation is a crime or there would be more people in jail than free.] Some P2P software appears to be the definition of criminal inducement captured in computer code. [Software is a tool. This is the same as saying that bolt-cutters and crowbars are inducements to burglary.]

the Personal Technology Freedom Coalition

CNET News.com - Tech heavies support challenge to copyright law

Others more respectable than myself have reported on this already, but I will contribute to the blog world's culture of redundancy that promotes the spread of information so effectively. The Personal Technology Freedom Coalition, as it appears it will be called, consists of a number of Silicon Valley companies including such heavyweights as Intel, Sun Microsystems, and Verizon along with a number of dedicated consumer interest and other public service organizations (notably the EFF, but also non-technology groups including the American Foundation for the Blind who have reasons to push for alternative uses of technology). It is not surprising that the biggest IP players in the valley (here I am thinking of IBM, Microsoft, and Cisco, though I'm sure there are others) have not joined in. Some, such as Microsoft, stand to make more from stricter copyright regulations. Others are perhaps hesitant to take a side at all.

The purpose of the coalition is to oppose the Digital Millenium Copyright Act's copyright circumvention provision, largely through supporting Rep. Boucher's DMCRA (Digitial Media Consumers' Rights Act). This provision is quite offensive to those of us who feel the computer and the software on it are our business; it essentially restricts the consumer's actions by forcing them to comply with copyright control technologies even if the product protected by the technology to be used in substantial beneficial ways. I see a legal basis for restricting commerce, such as illegal file sharing. But if you own the CD and the computer, and you want to break the encoding on your CD using your computer so that you can listen to your purchased music in some non-manufacturer-supported format, that is your right, as far as I'm concerned. It's sort of like owning a gun. They can say it's illegal to shoot someone, but if you want to keep a gun in your house and use it by yourself you can. Maybe someday the higher ups will recognize the significance of this principle.

I don't know how far along this bill is now, but it's been occasionally mentioned for a while. I myself blogged on the bill when I first heard of it (in the previous incarnation of this blog), which was on April 6th.

Spyware control bill

Delayed notice on the House passing a spyware control bill. Here is the CNET article from Thursday. Details worth mentioning: It appears to restrict key logging (recording users' keystrokes) as well as popup advertisements that cannot be closed. Hard to disagree with that. Also, evidently it's called the "Securely Protect Yourself Against Cyber Trespass Act," or the SPYACT Act. Umm, yeah.

what the hell?

Ed Felten has posted about a recent EFF article on Orrin Hatch's latest bill, the INDUCE Act, which targets those whose products or activities "induce" copyright infringements. As the EFF rightly points out, this creates "an entirely new form of liability". The EFF mentions a couple of examples of individuals who could be prosecuted under the act, including counselors or journalists.

I haven't read the text, so I can't be sure of this, but given the information I have here is my concern. Some brilliant theory weenie could prove that a major security protocol is in fact insecure (after all, very few security protocols are provably secure) by discovering a weakness, and publishes this discovery in a major academic journal, consequently receiving a lot of press which causes the weakness to become widely known. If this protocol has been used to protect a single copyrighted work, the holder of that copyright could sue the researcher for this. That's beyond the line.

Let's look at this in a little detail. There are three different people who can be sued for a copyright infringement of this sort. Person A discovers a weakness in a technique which is used by DRM program P, and publishes the weakness without even discussing program P. Person B writes a software program Q based on Person A's weakness to exploit program P. Person C uses Person B's program Q to actually decode a copyrighted work protected by program P.

Very few people would argue that Person C is not legally liable for his/her actions. However, Person C is very hard to catch. The RIAA has tried and tried to damage Person B in a number of cases, though many people have argued that program Q is free speech (without convincing many). Often Person B is outside the US, though, and untouchable. Now they're going to start taking on Person A, the researcher and academic.

You may argue that Persons A and B are frequently the same, and that is true. But there are a number of people trying hard to be Person A so they can get their publications and their grants and their tenure, or their patents and their royalties and bonuses. They don't want to be Person B, and they certainly aren't trying to encourage Person C (most of them). Leave them alone.


Update:According to this CNET News article the bill is mostly targetting Person B and program Q - the reversal of the old Betamax decision that decided the Betamax player was capable of "substantial noninfringing use" and thus was not inherently illegal. It is targetted at P2P file-sharing programs (which are also capable of substantial noninfringing use). While realizing this could have kept me from the above diatribe, I stand by my thoughts that the act could be used to target Person A in future uses (once they have the act, after all, they'll use it for whatever they can).

Evidence that some people get it

Brief notes:

California released standards for electronic voting systems that include a voter-verifiable paper trail. See Wired. As far as I'm concerned, this is a minimum for any voting system to be worthy of use.

This has received plenty of press already, but it fits in here. The FTC has stated that a No-Spam email list will not work. See Wired, or many, many other places. It's sad that this was even considered.

From the UK: The BBC's online Creative Archive will contain audio and video clips of nature programming available for British citizens to view, share, and edit (for noncommercial purposes). See the source of the day, Wired. This is a nice step. The article also contains my quote-of-the-day, from Union of the Public Domain coordinater David Tannenbaum:

"We want to make sure that the archive is more than just shagging marmots"

(Note: a marmot appears to be some sort of woodchuck. Google it yourself or try http://www.marmots.org/.)

The latest government attempts to make everyone of intelligence leave the country

Do you ever get the feeling in the post-9/11 world that this is what policy makers are trying to do? Though I guess if everyone of intelligence left the country George Bush would have much less trouble being reelected. (This is not to say that there are no smart Republicans, because I know some; it's just that there are many more smart Democrats.)

Today's signs that the police state is upon us are brought to you by Bruce Schneier's monthly Counterpane Crypt-O-Gram newsletter (with perhaps some addenda when/if I get around to going through my Bloglines). These are not national policies, and they're not actually final yet, but if you want existing national policies that resemble them I'm sure I can dig up a few.

Item #1: Evidently "the LA police are considering jamming all cell phones in the event of a terrorist attack" because of the technological possibility that a cell phone can be used to remotely detonate a bomb, a concept familiar with anyone who has ever seen an action movie.

Item #2: In NYC, the transportation gods are considering banning photography on subways for security reasons. Evidently they're also considering banning walking between cars on a train, even when the subway is stopped. Because someone walking between train cars while taking pictures must be a terrorist.

Maybe there's a reason for all this. Maybe it's a plan to deal with the excessive immigration problem by ensuring that no one in their right mind would want to live in the US. Maybe closeted conservative economists have released private formulas that determine the economy improves with higher citizen dissatisfaction. Or maybe the administration is tired of making the rest of the world hate them and has switched to us.

Government information collection and its risks

UCLA laptop theft exposes ID info

This article is an example of the problems that can occur when information is kept in digital databases. The article reports on the theft of a laptop containing a database of blood donors with their name, birthdate, blood type, and social security number - a recipe for identity theft. The database was protected with a password but was not encrypted. There aren't enough details in the article to determine just how easy it would be to get the data (i.e. whether it's stored as plaintext or whether the password would need to be cracked), but I'm sure it's not very difficult.

This touches on the question of security standars and regulation. Should we require that organizations collecting this level of personal information comply with some standards for protecting it? What would constitute an acceptable standard?

1. Any system using password protection combined with plaintext storage of the data (what I assume is implied by the article) is clearly insufficient.

2. Encryption of the data would help, but what would be the decryption method? Many user-friendly encryptions decrypt with a password, which is fairly insecure - even if the password is not the user's last name, even if the password is not left on a post-it note on the user's computer, it can still probably be brute-forced. Something like an external USB flash drive storing the decryption key would be better - but still, people would leave the key in the laptop and both would be stolen. Policy could mandate removal but we all know how far that would go in practice.

3. Remote encrypted storage is an option. But there are issues with that too, mostly concerned with how that would be accessed. If the stolen laptop could still be used to access the database, then we're no better off. That's easy to prevent, though - have laptop-specific account access and disable the account when the laptop is stolen. If the laptop cached information, it could be acquired without remote access. The cache could be cleared after use, but there might still be traces of the data, or the laptop could be left on and running (though this could threaten any system). We'd need local encryption of any cached data, but that has the same problems as above. We could try not to cache anything, but I'm not sure how hard that is. Seems possible.

Enough speculating for my own amusement. I don't really know anything. And nobody appears to be trying to solve this problem anyway.

Legislation and cybersecurity

PCWorld.com: Cybersecurity: A Job for the Feds?

This is an intriguing article. The Gartner group is one of the best known IT research groups, referred to as an IT think tank (with the appropriate policy connotations) by a former boss of mine. According to PCWorld, at their IT Security Summit in DC on Monday, there was an argument over the degree to which the government should be involved in promoting cybersecurity.

In this as with many other technical issues, the market has been left to find its own solutions, because the government is far too slow and deliberate to keep up with the everchanging technology industry. But there are real national security concerns here that are not necessarily being sufficiently protected.

I don't know enough about the options Congress has for getting involved in this, so I won't say too much. I do want to point out one portion of the article that is worth considering:

[Former White House counterterrorism expert Roger] Cressey predicted national legislation will follow a major cyber outage, and Congress will then legislate with "a hammer instead of a scalpel."

"If we ever truly have a major cyber event ... then you're going to see Congress legislate," Cressey said. "They will legislate because of a public outcry. It will be bad legislation."

Quote for the day

From this article on CNET, about the recent paper purporting to have solved the Riemann hypothesis:

"Like many other math problems, immediate commercial applications for a proof of the Riemann hypothesis are unlikely"

What further comment could I make?

The latest Microsoft patent

CNET: Microsoft checks off patent win

At first I thought this was a ridiculously broad patent. After reading the details I decided it was still broad and not really worthy of a patent, but it's definitely not the worst I've heard. The technology finds items in source code comments and extracts them and makes them into an external todo list. When you mark the item off of the todo list it changes the source code comment. Pretty nifty if you ask me.

Lots of new posts

I intend to make up for my recent lapse by posting the many interesting articles that have accumulated since then. Here is the first installment in this set.

Within the theme of "at some point in the future there will be only one software company" is ongoing coverage from CNET on the Oracle/PeopleSoft merger lawsuit. The latest article observes that challenges to governmental attempts to block mergers through antitrust legislation are very rare, and that there is a pretty good case to be made.

I can't imagine why the different cultures of the two companies make this a "landmark case" - so what if they have different cultures? That has absolutely no relevance. The point is whether or not Oracle merged with PeopleSoft would represent too strong an individual influence in the US business application software market.

Within the same theme is a NY lawsuit against Microsoft, one of the state-level suits that followed from the Justice Department's federal antitrust case. The content of the article is not significant - it is interesting merely to note ongoing efforts by consumers to protest the Microsoft monopoly through the court system.

Update: eWeek reports that IBM projects significant losses if the Oracle/PeopleSoft merger completes. The article seems to imply that this benefits Oracle because it means that the IBM witness will be perceived as biased against the merger, but it seems to me to increase the government's case - the loss is because IBM's database software doesn't work with Oracle's accounting and personnel software, but it does work with PeopleSoft's. A merger, then, would mean that it's likely the accouting and personnel software released by the new Oracle would not work with IBM's database software, and people formerly using the PeopleSoft software with IBM's would switch to using all Oracle software. This is exactly the sort of situation antitrust law tries to prevent.