Careful Where You Keep Your E-Mail

|

You'd better watch out, especially if your e-mail provider is based in Massachusetts, Maine, New Hampshire, or Rhode Island. The First Circuit Court of Appeals has just ruled that your ISP can read your e-mail while it's sitting on their computers, for any reason at all.

Councilman, owner of a website selling rare and out-of-print books, offered book dealer customers e-mail accounts through his site. But unknown to those customers, Councilman installed code that intercepted and copied any e-mail that came to them from his competitor, Amazon.com. Although Councilman did not prevent the mail from reaching recipients, he read thousands of copied messages in order to know what books customers were seeking and gain a commercial advantage over Amazon.

Authorities charged Councilman with violating the Wiretap Act, which governs unauthorized interception of communication. But the court found that because the e-mails were already in the random access memory, or RAM, of the defendant's computer system when he copied them, he did not intercept them while they were in transit over wires and therefore did not violate the Wiretap Act, even though he copied the messages before the intended recipients read them. The court ruled that the messages were in storage rather than transit.

Almost makes me want to run my own server.

NEXT: Getting Off Lightly

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Alas, running your own server won’t help. Since email traffic passes through many, many routers as it makes its way to your server, the court’s “reasoning” could probably be extended to router memory. Kind of like standing in your yard and reading bus billboards as they roll past. Or listening to your neighbor’s portable phone conversations because, gee, the signal keeps passing through the processor in my descrambler (I know these analogies are not 100% accurate, so please save your flames).

  2. I’ve been using mail.com for a long time, but it wasn’t until recently, when I upgraded to their non-free Pop 3 service and saw the charge on my bill, that I realized that mail.com is based in Hong Kong. It really bothered me at first. Who wants the Chinese Communist Party reading their e-mail? But, then again, I’m not planning to go to China anytime soon, so why should I care? In fact, considering the Patriot Act and rulings like this one, I suspect my e-mail might actually be a little more secure for being in the hands of an ISP operating in a foreign country, even an authoritarian one. I haven?t seen any reference to the Patriot Act on mail.com, but my guess is that, because US law enforcement has no jurisdiction in China, it?s unlikely that mail.com would comply with an American request or a subpoena for information.

    P.S. Yeah I know; Echelon or whatever became of TIA catalogs all my e-mail anyway.

  3. It’s quite simple. This should be perfectly legal, as long as it is fully and conspicuously disclosed to the customer prior to entering into a contract. Otherwise, it should be considered fraudulent.

  4. Although I expect someone will advance the legalese needed to equate electronic storage with “wires”, this creates an opportunity for premium high-security private personal networks. Or for an ownership scheme in which not only the data, but the spaces it occupies, are considered the private property of the originator.

  5. I agree with Evan. Why is Reason complaining? Did councilman commit fraud? If so, they must be prosecuted. Remember that the government shouldn’t be in the business of protecting people from their own laziness. If you sign up for an email account, etc, and don’t care enough to look at the terms of service that you surely agreed to, then you can’t run to uncle sam when the terms weren’t what you thought they were. From now on, don’t sign up for anything unless you agree with the TOS!

  6. I was going to make the router buffer point myself–I don’t see how it is the least bit different. This decision seems to condone the age-old problem of infrastructure providers having access to private information, by saying it’s ok for anyone priviledged enough to own infrastructure to disregard the privacy of those who aren’t.

    The simple solution is to encrypt personal mail with PGP whenever possible, and not to take free email accounts from organizations with a direct financial interest in your mail’s contents.

    And I do run my own mail server for this reason; partially for the geek cred, but also for reasons like this.

  7. meep: Me Too!, on both the server and PGP.

    Face it, guys, we have no expectation of privacy when sending plaintext across the net, regardless of what ISP or mailbox you’re using (or what their privacy policy is). A message (hell, just a single packet) passes through so many hands, that there’s simply no way to control access.

    Hard crypto is your friend.

  8. So does this give a green light to any government official doing the same?

    Since most voice traffic is now being transfered via packets and not over dedicated circuits, the phone system is just as vulnerable to the “buffer memory” loophole.

  9. I run mail servers for a VERY large ISP/service provider. I read emails on the system all of the time; typically I’m checking for spam or looking to see why mail doesn’t get delivered.

    The general theory, though, is that the owner of the server OWNS the mail server. And, that means everything on it, whether in memory (RAM) or on a storage system like CD, drives or tapes. If you have an email account on a server someone else owns, then that someone else also owns the email on the server.

    Also, Jennifer tries to draw a parallel (sp? I can never get it right 🙂 to a postman reading your letters. It’s not even close. An email is more akin to you writing a postcard and then giving it to someone else who gives it to someone else who gives it to someone else…eventually it gets to its destination.

    If you don’t want your email read, get PGP.

    And, as for a government official doing the same thing, the servers (email servers) and network are still in private hands. My guess (err…hope) is that they would need a warrant to search private property. But, as we all know, the Bill of Rights is basically dead anyway.

  10. Andy-
    You did indeed spell “parallel” properly.

  11. But you didn’t spell PGP correctly, clearly an ironic byproduct of smoking so much angel dust. ;>

  12. Re: PGP, maybe I’m missing something, but isn’t it akin to a secret handshake?

    With PGP, you can digitally sign your email: Automatically, PGP will calculate a complex mathematical value (called a hash) based on the exact content of your email message, and will then encrypt that value to your private key. The recipient of your email will use their PGP software to automatically make the same calculation – if the calculations match (the recipient’s software automatically will use your public key to decrypt your encrypted hash), that is proof that the message has not been altered in any way (no spaces or letters have been added, deleted, changed, etc.). (Lifted from here).

    If none of my clients, none of my friends, none of the mailing lists to which I belong, none of my colleagues, none of the government officials to whom I write and bitch are using PGP, then what’s the point?

  13. If none of my clients, none of my friends, none of the mailing lists to which I belong, none of my colleagues, none of the government officials to whom I write and bitch are using PGP, then what’s the point?

    The point is that you are screwed, no matter what. Your e-mail passes through so many hands, on so many unsecured wires, that you can have no reasonable expectation of privacy.

    Do you send credit card numbers through e-mail? No. Why not? Because someone will read your mail if you do. In this case, it’s a hacker, not your ISP, but you have no reasonable expectation of privacy in e-mail. You should never send an e-mail that you wouldn’t want other people to read in the worst case.

    Trying to protect people from their ISP reading their mail will just give people a false expectation of privacy and encourage them to do things they wouldn’t otherwise do. (Like send vital financial info through e-mail.)

  14. Well, a lot of us have corporate email, and the HR policies stipulate that all of that can be read any time. Then there is the issue of companies changing the contents of email. Yahoo has done this in the past – and they were caught.

    I think people should encrypt and digitally sign their email. We’ve come a long way on this front. Digitally signed and encrypted email is now much easier to use, and chances are you’re already using a mail client that supports it natively.

    …the only exception is people who use web-mail. There are ways to make Hotmail work with it (email me and I can prove it), and a number of people inside of Microsoft are pushing to have encrypted email support in Hotmail (Outlook Web Access already supports this for those who use that webmail client).

    Anyone who’s interested in checking it out can find a decent little tutorial here.

    It’s so easy to use that my Mom and Dad use it, as well as my fiancee. My CIS student brother doesn’t use it, but he also runs an open wireless access point so go figure.

    It’s kind of like having a house with locks on all of the doors and windows, but nobody has really pointed them out, so you never use them.

    Undoubtedly some will argue that the chances of email tampering are minimal, so it’s not worth the miniscule effort.

    These might as well be people like a friend of mine who insisted on leaving his doors unlocked because he “had nothing important to steal”.

  15. Jesus fucking christ. This is what happens when you ask a bunch of goddamned lawyers to regulate technology.

  16. When you get right down to it, how would this be any different from saying that the postman is allowed to read your snail mail while it’s in his possession?

    I hope Councilman loses all of his customers.

  17. Alas, running your own server won’t help. Since email traffic passes through many, many routers as it makes its way to your server, the court’s “reasoning” could probably be extended to router memory. Kind of like standing on the street and reading bus billboards as they roll past (I know that analogy is not 100% accurate, so please save your flames).

  18. Alas, running your own server won’t help. Since email traffic passes through many, many routers as it makes its way to your server, the court’s “reasoning” could probably be extended to router memory. Kind of like standing in your yard and reading bus billboards as they roll past. Or listening to your neighbor’s portable phone conversations because, gee, the signal just passed through the processor in my descrambler (I know these analogies are not 100% accurate, so please save your flames).

Please to post comments

Comments are closed.