PGP CTO Blog

Now ISPs can read your email--legally
08 Jul 2004

The U.S. District Court in Boston recently ruled that just about anyone can read your email for just about any reason with impunity. This is a shocking miscarriage of justice, especially compared to other flaps of late, such as l'affaire Gmail.

Here is a quick summary of the incident: In 1998, a rare-book seller, Interloc (now Alibris), set up email accounts for its customers. Interloc was concerned about competition with Amazon, so its employees set up procmail scripts to divert a copy of any email coming from Amazon out of the recipient customer's mailbox so Interloc could secretly read these emails. They intercepted and read thousands of messages of people using the interloc.com mail servers. In 1999, two employees pled guilty to wiretapping charges. However, the VP in charge of these employees fought the charges on the grounds that because the emails in question were in the server's memory and disk, they were stored and not in transit--and therefore were not subject to existing wiretapping laws. The appeals court, stunningly, agreed with this argument. You can read the full decision at http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf.

This decision is stunning because before last week, we thought there was law that extended "wiretap" protection to email; however, this decision effectively says there isn't. In 1986, Congress did extend wiretap law to email. However, it differentiated between email in transit and email you have read. In plain English, if I send you an email, then that email is "in transit" until you read it. Once you have read it, it is considered "stored communications." Stored communications have fewer protections than communications in transit and, in fact, there are separate laws protecting stored communications.

This decision is a grotesque miscarriage of justice for a number of reasons. Furthermore, it's shocking that although plenty of people are worried about Gmail, no one is saying much of anything about this ruling. Those who are talking, however, don't seem to grasp how painfully ignorant this decision is or its ramifications. Even worse, the dissenting opinion is a marvelous example of a judge who has done a lot of research to understand the issues. I recommend reading the whole thing.

On pages 14-15 of the decision, it states:

The Wiretap Act's purpose was, and continues to be, to protect the privacy of communications. We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications. Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology. We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes. However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly.

A footnote adds the following:

In fact, defendant is correct to make an argument, on due process grounds, that he is entitled to the benefit of any ambiguity in the statute. While we find there is no ambiguity in Congress's language, in a criminal case we have the constitutional obligation to define language narrowly.

Why this decision goes too far
I agree with some of the basic principles here and applaud the idea that we shouldn't extend old law in new places in many cases. However, any virtue can be a vice if taken too far, and this is such a case. I'm going to point out the ridiculousness of this decision with a two-fold approach. On the one hand, I'm going to assume the rôle of an attacker and design a system I can use to intercept your communications with impunity. On the other hand, I'm going to assume the rôle of a defender and design a system guaranteed to protect your communications. Unfortunately, both of these tasks are easy, and you're not going to like the outcome.

As an attacker, if I build a system that stores information in either memory or disk, I'm permitted to make copies of it. Thus, any email system I employ that involves the use of a general-purpose computer using memory or disk lets me "tap" you with impunity. Furthermore, using a router or firewall would very likely get me off the hook on the same grounds. If the router allows prioritization of traffic--meaning it allows real-time traffic such as voice or video to jump ahead of less time-critical traffic such as email--then it must be storing the delayed packets in memory, which meets the judge's requirement of storing the data, thus making it no longer "in transit."

As you no doubt have figured out, this type of attack is easy. Almost any email server has disks and memory, so I'm safe there. And any Cisco router allows traffic prioritization, so it effectively sanitizes any wiretapper. Any proxy firewall is now a legal wiretap device. Heck, any firewall with stateful packet inspection also has to store the packets in memory to inspect them, so I can always make a copy there, too--and it's legal. Note that in all these cases, the data becomes "stored" and has some protections, but these are much less than the protections afforded data "in transit."

I'll toss one more log on the fire. This decision stresses the constitutional obligation to interpret language narrowly. "Wire communications" use a "wire, cable or other like connection," so it certainly sounds as if by putting a wireless bridge in my server room, I can do whatever I want. I freely admit that this may be going a bit too far, but when there's a constitutional obligation to interpret narrowly, I'm going to see how narrow we can make it. A wire is a wire is a wire is a wire, and if there are no wires, it can't be a wiretap. If we're legally allowed to play word games based on technical details, then expect all laws to need to be rewritten every few years.

As a defender, how do I make a privacy-enforcing system? This task is far more difficult. Under this new interpretation of the law, I cannot use a device that uses memory or disk drives, re-orders or delays traffic, or even routes it. All these things require the sorts of delays that magically turn email into stored data. To comply with this interpretation of wiretapping, my email system has to be made completely out of wires and nothing else. Perhaps someday, we will invent such a system, but that's pure speculation at this point.

Unfortunately, this interpretation of wiretapping says that when Congress extended wiretapping protection to email in 1986, it did not intend it to be used with computers, only with telephones, and then only with those that have actual wires. It says that the Electronic Communications Privacy Act (of which the Wiretap Act is a part) is clearly not intended to apply to anything electronic, merely to things that are electrical.

I find it tempting to launch into a rant about judges that know nothing about technology, but the dissenting opinion (starting on page 17) is everything we'd want from a responsible judge. Alas, there was only one such judge on the panel. The dissenting opinion is brilliant. I suggest you read it.

Congress clearly intended an email to be "in transit" from the time the sender sends it until the receiver reads it. Quibble as we may with some details--if the receiver immediately deletes the email, is the holder required to consider it gone, even if the bits are still on disk?--that's the law, and Interloc broke it. If Interloc wanted to play with loopholes, it could have waited until the users read the emails from Amazon. What Interloc did was not only wrong, but wiretapping. It is only judicial timidity and this ignorant interpretation of the law that has essentially said computer protection laws only apply to fantasy technologies, not actual ones. Such an interpretation is not only bad for privacy, it is bad for business.

The ramifications of this decision
EPIC, the EFF, and others have discussed why this is a bad thing for people like you and me: If wiretapping doesn't apply to computers, according to this decision, then anyone can now spy on you with impunity--at least in the state of New York and the New England states.

Until last week when this ruling was handed down, there were things you would guarantee your customers in a contract and things you wouldn't--because they were illegal. For instance, you don't have to put in your contracts that you're not going to break the law because everyone knows that breaking the law is illegal. Now, however, you're going to have to write into every contract language saying that you aren't going to spy on your customers to get information that's useful for your business. Worse, if you try to squirm out of it, it's going to be used as evidence showing how evil you are and how you always wanted to spy on people. Keep in mind that you also need to look at every company with which you contract and outsource. You now have to get them to agree not to spy on you or your customers. If you don't, and it turns out one of them is dishonest, your good name and reputation will be forfeit. People are probably going to insist on financial penalties should one of your employees do something stupid, so you also might want to consider getting some bonding or insurance just to be on the safe side.

How can you protect your email?
That's simple: encrypt it. If you encrypt your email, an unscrupulous person can't read it, even when they spy on you legally.

This finally puts a very sharp point on an issue about encryption. There's been a lot of discussion about whether or not SSL encryption on the network is good enough, or if you have to go all the way to encrypting the actual messages. SSL protects you against an intercept that would be illegal. PGP encryption protects you from an intercept that's now legal.
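The following Python sketch is an added example, not code from the original post or from PGP Corporation, and it makes the last paragraph's distinction concrete: a store-and-forward mail relay keeps a copy of everything it receives, so what matters is whether the relay holds the key. With transport-only encryption (the SSL case) the relay decrypts and stores plaintext; with message encryption (the PGP case) the relay stores ciphertext it cannot open, because only the recipient holds the key. The `MailRelay` class, the function names, and the sample message are all constructed for this illustration, and the cipher is an HMAC-SHA256 keystream standing in for the real TLS and OpenPGP ciphers, which is enough to show who can read what.

```python
"""Transport-only vs end-to-end encryption at a store-and-forward mail relay.

Added example, not from the original post. The cipher is a stand-in
(HMAC-SHA256 keystream), not real TLS or OpenPGP; the point is who holds the key.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (counter mode).

    Stand-in for the real ciphers used by TLS and OpenPGP. Encryption and
    decryption are the same call; the only secret is `key`.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class MailRelay:
    """A mail server that stores each message on disk before delivering it.

    `spool` is the copy a procmail rule or a disk dump would hand the
    operator: exactly what the server itself can read.
    """

    def __init__(self) -> None:
        # Session key shared with the sender's client; the TLS hop ends here.
        self.transport_key = secrets.token_bytes(32)
        self.spool = []

    def receive(self, tls_nonce: bytes, wire_bytes: bytes) -> None:
        # TLS terminates at the server: strip transport encryption, then store.
        self.spool.append(keystream_cipher(self.transport_key, tls_nonce, wire_bytes))


def send_transport_only(relay: MailRelay, plaintext: bytes) -> None:
    """SSL/TLS on the connection only: the relay receives and stores plaintext."""
    tls_nonce = secrets.token_bytes(NONCE_LEN)
    relay.receive(tls_nonce, keystream_cipher(relay.transport_key, tls_nonce, plaintext))


def send_end_to_end(relay: MailRelay, recipient_key: bytes, plaintext: bytes) -> None:
    """PGP-style: encrypt to the recipient before the message leaves the sender,
    then carry that ciphertext over the same TLS hop."""
    msg_nonce = secrets.token_bytes(NONCE_LEN)
    body = msg_nonce + keystream_cipher(recipient_key, msg_nonce, plaintext)
    tls_nonce = secrets.token_bytes(NONCE_LEN)
    relay.receive(tls_nonce, keystream_cipher(relay.transport_key, tls_nonce, body))


def operator_can_read(relay: MailRelay, marker: bytes) -> bool:
    """Can someone with access to the relay's disk find `marker` in a stored message?"""
    return any(marker in stored for stored in relay.spool)


def recipient_decrypt(stored: bytes, recipient_key: bytes) -> bytes:
    """The recipient, the only key holder, recovers an end-to-end encrypted message."""
    msg_nonce, ciphertext = stored[:NONCE_LEN], stored[NONCE_LEN:]
    return keystream_cipher(recipient_key, msg_nonce, ciphertext)


def demo() -> dict:
    """Run both paths on a constructed sample message and report who could read it."""
    # Constructed sample message; the addresses and order are made up.
    message = (b"From: orders@bookstore.example\r\n"
               b"To: customer@mail.example\r\n"
               b"Subject: Your order\r\n\r\n"
               b"Your copy of 'Rare First Edition' ships today.\r\n")
    marker = b"Rare First Edition"

    tls_relay = MailRelay()
    send_transport_only(tls_relay, message)

    e2e_relay = MailRelay()
    recipient_key = secrets.token_bytes(32)  # known only to the recipient
    send_end_to_end(e2e_relay, recipient_key, message)

    return {
        "operator_reads_tls_only": operator_can_read(tls_relay, marker),
        "operator_reads_e2e": operator_can_read(e2e_relay, marker),
        "recipient_reads_e2e": recipient_decrypt(e2e_relay.spool[0], recipient_key) == message,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` reports that the transport-only relay's spool contains the readable order while the end-to-end relay's spool does not, yet the recipient still decrypts it. The design choice worth noticing is that nothing about the relay changed between the two runs; the sender's decision to encrypt before handing the message over is what removes the server, and anyone reading its disk, from the set of parties who can see the content.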

Background reading
Arnfield, Beatrice, "Court Decision Exposes E-Mails to Snoops," July 6, 2004

Gross, Grant, "Who Could Be Reading Your E-Mail?" July 2, 2004

Hicks, Matt, "Wiretap Ruling Could Signal End of E-Mail Privacy," July 1, 2004

Weiss, Todd, "Court rules ISP didn't violate law by capturing, copying e-mails," July 2, 2004
