Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: [ISN] E-Mail Snooping Ruled Permissible
From: "Tom Arseneault" <TArseneault () counterpane com>
Date: Tue, 6 Jul 2004 16:57:21 -0700

Jason,

First off your analogy is flawed. In snail mail final deliver is when it
get to the final address point. If it's a PO box then if delivered even
if you don't come and pick it up, if your in an apartment house then the
mailbox cluster is where the final delivery point is, in rural
communities the mailbox is on the main road and you have to drive to the
main road to pick up your mail. The point is that the "final delivery
point" is not always directly under the control of the user. In email if
your address is pointing to a pop3 mail server that is the end point,
the final deliver location, and the user than uses pop3 to pick it up,
in web based email the web server is the final delivery point and the
user uses the browser to pick it up. If you try and use some other
metric other than "email address" as the final delivery point I can just
imagine what a mess the laws will be in. 

Take for example web based email, if you read it with your browser but
the mail still resides on the web server, does that mean it's not
delivered? Does the act of reading it make it delivered? Pop3
connections do not have "email" addresses so what is used to define the
transaction, what if the user leaves a copy on the server? I found this
on the Internet: "An MUA, or Mail User Agent, is a software program that
acts on behalf of the user." which covers Procmail quite nicely. Also an
MTA is defined as "accepts mail for delivery and either holds it for
download by a client or passes it to another MTA for delivery". POP3 is
client software that downloads mail to a reader so it's not an MTA which
supports my contention that the final delivery point, as far as law is
concerned, is the final MTA and not the POP/HTTP connection where a user
read the email. 

Note: there was one line they did not go into any further "Often, a
separate Mail Delivery Agent ("MDA") will be required to retrieve the
e-mail from the MTA in order to make final delivery." So if you use this
definition then the POP connection would be the MDA and you would not
have made final delivery until the MDA transfer was complete. But this
is of no consequence because the issue was not one of where final
deliver was but in the very definition of "wire tapping"

The error of the court was not in their definitions of what constituted
final delivery but in saying that the emails were in "storage" at the
time. Whether it was in wires or on disk should have been immaterial to
the fact was that it had not reached the user mailbox and the MTA had
not terminated before the procmail script took over. I content that the
procmail, which was not written with the knowledge or consent of the end
user captured the email before final delivery and hence the mail was in
transit and should have been protected. The wire tap act needs to be
expanded **carefully** to include email (which would look like a
combination of snail mail and wire transaction laws). 

Thomas J. Arseneault 
Security Engineer
Counterpane Internet Security
tarseneault () counterpane com

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org] 
Sent: Tuesday, July 06, 2004 5:38 AM
To: bugtraq () securityfocus com
Cc: isn () attrition org; isn () c4i org; full-disclosure () lists netsys com
Subject: Re: [ISN] E-Mail Snooping Ruled Permissible

Anyone who has not read this appeals court decision should do so now.

http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf

The stipulated facts make it clear that the government failed 
to hire an expert witness who knows how SMTP, POP3, sendmail, 
procmail, DNS, MTA, MUA, HTTP, Web browsers, computers, hard 
drives, software, RAM and the Internet actually work.

Take, for instance, page 3, where both parties stipulate that 
the following is true:

"Once the e-mail is accessible to the recipient, final 
delivery has been completed."

Every person who is reading this message should be able to 
stipulate that final delivery was not complete until a Mail 
User Agent retrieved it from temporary storage on the mail 
server. If you're using Webmail then your browser is your MUA 
and it speaks HTTP rather than POP3. That was the case with 
Interloc e-mail accounts.

Yet the court and the parties managed to agree that final 
delivery is complete any time the message is in the 
possession of an MTA that happens to consider itself to be 
the last hop in the delivery route. 
Never mind that there must be one more delivery step where an 
MUA under user control receives the message on behalf of the user.

The fact that the mail server may arbitrarily expire old 
messages and take other actions that disrupt the final 
delivery to an MUA was clearly of no concern to anyone in this case.

I can't imagine ever stipulating that once my mail messages 
are touched by procmail final delivery is complete. That's 
like saying once the incoming mail truck arrives at my local 
post office and the mail sort is done and my mail is placed 
in a stack with a rubber band around it that final delivery 
is complete. All I have to do now is go to the post office 
and remind them that they didn't bother to deliver my mail 
today and I'll be given access to the stack, right? Therefore 
final delivery is complete once the stack is created that has 
my name on it?

Nobody cares about getting the message delivered to a program 
that is under the control of the recipient, apparently.

The only storage location that can be considered to be final 
delivery of an e-mail message is a storage location that is 
under the control of the recipient. An inbox on the 
recipient's hard drive would be a fine indication of final 
delivery. To even approach a proper stipulation of facts with 
respect to the subtle distinction between Web-based e-mail 
services, which are closer to post office boxes, and 
POP3-based e-mail services, which are closer to conventional 
postal mail delivery to your home, requires mention of POP3 
and the role of the MUA, both of which are missing from the 
stipulation made by the parties.

The dissenting opinion, page 18, includes discussion of MUA 
but it asserts that the MUA in this case was procmail. One 
would hope that the voice of reason would at least get its 
facts straight when everyone else was lost or confused. Too 
bad in this case the voice of reason was clueless, too.

The court correctly points out that Congress intentionally 
exempted stored electronic communication from the definition 
of "electronic communication" in section 2510(12) of 18 
U.S.C. There is no other reason than this intentional 
exemption that the appeals court ruled as they did in this 
case, and given the facts as they were presented by the 
parties the ruling was proper.

However, an e-mail message goes from electronic storage on a 
hard drive to electronic storage in RAM and then back to 
electronic storage on a hard drive again by passing through 
wires. The government should have argued that the procmail 
program intercepted electronic communications by causing 
stored electronic communications to once again be transmitted 
over wires. But for stimulating that transmission over wires 
the procmail system would not have been able to access the 
second set of stored electronic communications THAT THE 
PROCMAIL PROGRAM ITSELF CAUSED. In reality the procmail 
program was creating an echo and capturing the echo. That you 
cannot do this in other wiretap scenarios and thereby avoid 
the Wiretap Act should have made the court examine this more closely.

This case should have set the precedent that causing a stored 
electronic communication to be transmitted over wires to a 
different electronic communication storage temporarily 
"on-demand" in order to circumvent the Wiretap Act is not 
acceptable. The exemption on stored electronic communications 
that came from Steve Jackson Games v. U.S. Secret Service 
should not be applied to "live" electronic communications 
systems that can be induced to "echo" stored electronic 
communications but rather the Steve Jackson Games precedent 
should apply only to "dead" storage that must be reactivated, 
powered up from an off condition and examined directly, 
without causing an echo, in order for the stored electronic 
communications to be accessed.

Steve Jackson Games should continue to exempt forensic 
investigators from prosecution or civil liability, and keep 
true "stored electronic communications" accessible to law 
enforcement and the prosecution in criminal cases. It is 
necessary for there to be some exemption otherwise it would 
be impossible for law enforcement to ever look at any hard 
drive without obtaining a wiretap authorization that 
specifically names every party whose stored communications 
are found on the drive when it is analyzed. However, the 
exemption that this court ruling suggests we must learn to 
live with is not an exemption that is sensible or that is 
consistent with the full truth of the matter.

The court in this case was not given the opportunity to 
consider this view because the technical stipulations of fact 
were so badly flawed. I would be satisfied with the outcome 
of this appeal had the technical stipulations and reasoning 
been proper, yet they were not. We still do not know how a 
court might rule if the correct and true technical 
stipulation is made in a similar case. We do know that it 
will be more difficult to get another appeal heard on the 
matter, as other courts will tend to defer to this appeal 
unless somebody intelligent manages to explain these issues 
clearly at just the right time.

It is disturbing to see how poor the quality of computer 
expert testimony is in court, and how little effort is put 
into clarifying the reality behind technical issues. When the 
parties stipulate to things that are not the truth, or when 
either side is technically inept, it causes courts to make 
errors. Then we end up with bad precedent.

Sincerely,

Jason Coombs
jasonc () science org


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]