Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [ISN] E-Mail Snooping Ruled Permissible
From: Jason Coombs <jasonc () science org>
Date: Tue, 06 Jul 2004 02:37:38 -1000

Anyone who has not read this appeals court decision should do so now.


The stipulated facts make it clear that the government failed to hire an expert witness who knows how SMTP, POP3, sendmail, procmail, DNS, MTA, MUA, HTTP, Web browsers, computers, hard drives, software, RAM and the Internet actually work.

Take, for instance, page 3, where both parties stipulate that the following is true:

"Once the e-mail is accessible to the recipient, final delivery has been completed."

Every person who is reading this message should be able to stipulate that final delivery was not complete until a Mail User Agent retrieved it from temporary storage on the mail server. If you're using Webmail then your browser is your MUA and it speaks HTTP rather than POP3. That was the case with Interloc e-mail accounts.

Yet the court and the parties managed to agree that final delivery is complete any time the message is in the possession of an MTA that happens to consider itself to be the last hop in the delivery route. Never mind that there must be one more delivery step where an MUA under user control receives the message on behalf of the user.

The fact that the mail server may arbitrarily expire old messages and take other actions that disrupt the final delivery to an MUA was clearly of no concern to anyone in this case.

I can't imagine ever stipulating that once my mail messages are touched by procmail final delivery is complete. That's like saying once the incoming mail truck arrives at my local post office and the mail sort is done and my mail is placed in a stack with a rubber band around it that final delivery is complete. All I have to do now is go to the post office and remind them that they didn't bother to deliver my mail today and I'll be given access to the stack, right? Therefore final delivery is complete once the stack is created that has my name on it?

Nobody cares about getting the message delivered to a program that is under the control of the recipient, apparently.

The only storage location that can be considered to be final delivery of an e-mail message is a storage location that is under the control of the recipient. An inbox on the recipient's hard drive would be a fine indication of final delivery. To even approach a proper stipulation of facts with respect to the subtle distinction between Web-based e-mail services, which are closer to post office boxes, and POP3-based e-mail services, which are closer to conventional postal mail delivery to your home, requires mention of POP3 and the role of the MUA, both of which are missing from the stipulation made by the parties.

The dissenting opinion, page 18, includes discussion of MUA but it asserts that the MUA in this case was procmail. One would hope that the voice of reason would at least get its facts straight when everyone else was lost or confused. Too bad in this case the voice of reason was clueless, too.

The court correctly points out that Congress intentionally exempted stored electronic communication from the definition of "electronic communication" in section 2510(12) of 18 U.S.C. There is no other reason than this intentional exemption that the appeals court ruled as they did in this case, and given the facts as they were presented by the parties the ruling was proper.

However, an e-mail message goes from electronic storage on a hard drive to electronic storage in RAM and then back to electronic storage on a hard drive again by passing through wires. The government should have argued that the procmail program intercepted electronic communications by causing stored electronic communications to once again be transmitted over wires. But for stimulating that transmission over wires the procmail system would not have been able to access the second set of stored electronic communications THAT THE PROCMAIL PROGRAM ITSELF CAUSED. In reality the procmail program was creating an echo and capturing the echo. That you cannot do this in other wiretap scenarios and thereby avoid the Wiretap Act should have made the court examine this more closely.

This case should have set the precedent that causing a stored electronic communication to be transmitted over wires to a different electronic communication storage temporarily "on-demand" in order to circumvent the Wiretap Act is not acceptable. The exemption on stored electronic communications that came from Steve Jackson Games v. U.S. Secret Service should not be applied to "live" electronic communications systems that can be induced to "echo" stored electronic communications but rather the Steve Jackson Games precedent should apply only to "dead" storage that must be reactivated, powered up from an off condition and examined directly, without causing an echo, in order for the stored electronic communications to be accessed.

Steve Jackson Games should continue to exempt forensic investigators from prosecution or civil liability, and keep true "stored electronic communications" accessible to law enforcement and the prosecution in criminal cases. It is necessary for there to be some exemption otherwise it would be impossible for law enforcement to ever look at any hard drive without obtaining a wiretap authorization that specifically names every party whose stored communications are found on the drive when it is analyzed. However, the exemption that this court ruling suggests we must learn to live with is not an exemption that is sensible or that is consistent with the full truth of the matter.

The court in this case was not given the opportunity to consider this view because the technical stipulations of fact were so badly flawed. I would be satisfied with the outcome of this appeal had the technical stipulations and reasoning been proper, yet they were not. We still do not know how a court might rule if the correct and true technical stipulation is made in a similar case. We do know that it will be more difficult to get another appeal heard on the matter, as other courts will tend to defer to this appeal unless somebody intelligent manages to explain these issues clearly at just the right time.

It is disturbing to see how poor the quality of computer expert testimony is in court, and how little effort is put into clarifying the reality behind technical issues. When the parties stipulate to things that are not the truth, or when either side is technically inept, it causes courts to make errors. Then we end up with bad precedent.


Jason Coombs
jasonc () science org

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]