mailing list archives
RE: [ISN] E-Mail Snooping Ruled Permissible
From: "Tom Arseneault" <TArseneault () counterpane com>
Date: Tue, 6 Jul 2004 16:57:21 -0700
First off your analogy is flawed. In snail mail final deliver is when it
get to the final address point. If it's a PO box then if delivered even
if you don't come and pick it up, if your in an apartment house then the
mailbox cluster is where the final delivery point is, in rural
communities the mailbox is on the main road and you have to drive to the
main road to pick up your mail. The point is that the "final delivery
point" is not always directly under the control of the user. In email if
your address is pointing to a pop3 mail server that is the end point,
the final deliver location, and the user than uses pop3 to pick it up,
in web based email the web server is the final delivery point and the
user uses the browser to pick it up. If you try and use some other
metric other than "email address" as the final delivery point I can just
imagine what a mess the laws will be in.
Take for example web based email, if you read it with your browser but
the mail still resides on the web server, does that mean it's not
delivered? Does the act of reading it make it delivered? Pop3
connections do not have "email" addresses so what is used to define the
transaction, what if the user leaves a copy on the server? I found this
on the Internet: "An MUA, or Mail User Agent, is a software program that
acts on behalf of the user." which covers Procmail quite nicely. Also an
MTA is defined as "accepts mail for delivery and either holds it for
download by a client or passes it to another MTA for delivery". POP3 is
client software that downloads mail to a reader so it's not an MTA which
supports my contention that the final delivery point, as far as law is
concerned, is the final MTA and not the POP/HTTP connection where a user
read the email.
Note: there was one line they did not go into any further "Often, a
separate Mail Delivery Agent ("MDA") will be required to retrieve the
e-mail from the MTA in order to make final delivery." So if you use this
definition then the POP connection would be the MDA and you would not
have made final delivery until the MDA transfer was complete. But this
is of no consequence because the issue was not one of where final
deliver was but in the very definition of "wire tapping"
The error of the court was not in their definitions of what constituted
final delivery but in saying that the emails were in "storage" at the
time. Whether it was in wires or on disk should have been immaterial to
the fact was that it had not reached the user mailbox and the MTA had
not terminated before the procmail script took over. I content that the
procmail, which was not written with the knowledge or consent of the end
user captured the email before final delivery and hence the mail was in
transit and should have been protected. The wire tap act needs to be
expanded **carefully** to include email (which would look like a
combination of snail mail and wire transaction laws).
Thomas J. Arseneault
Counterpane Internet Security
tarseneault () counterpane com
From: Jason Coombs [mailto:jasonc () science org]
Sent: Tuesday, July 06, 2004 5:38 AM
To: bugtraq () securityfocus com
Cc: isn () attrition org; isn () c4i org; full-disclosure () lists netsys com
Subject: Re: [ISN] E-Mail Snooping Ruled Permissible
Anyone who has not read this appeals court decision should do so now.
The stipulated facts make it clear that the government failed
to hire an expert witness who knows how SMTP, POP3, sendmail,
procmail, DNS, MTA, MUA, HTTP, Web browsers, computers, hard
drives, software, RAM and the Internet actually work.
Take, for instance, page 3, where both parties stipulate that
the following is true:
"Once the e-mail is accessible to the recipient, final
delivery has been completed."
Every person who is reading this message should be able to
stipulate that final delivery was not complete until a Mail
User Agent retrieved it from temporary storage on the mail
server. If you're using Webmail then your browser is your MUA
and it speaks HTTP rather than POP3. That was the case with
Interloc e-mail accounts.
Yet the court and the parties managed to agree that final
delivery is complete any time the message is in the
possession of an MTA that happens to consider itself to be
the last hop in the delivery route.
Never mind that there must be one more delivery step where an
MUA under user control receives the message on behalf of the user.
The fact that the mail server may arbitrarily expire old
messages and take other actions that disrupt the final
delivery to an MUA was clearly of no concern to anyone in this case.
I can't imagine ever stipulating that once my mail messages
are touched by procmail final delivery is complete. That's
like saying once the incoming mail truck arrives at my local
post office and the mail sort is done and my mail is placed
in a stack with a rubber band around it that final delivery
is complete. All I have to do now is go to the post office
and remind them that they didn't bother to deliver my mail
today and I'll be given access to the stack, right? Therefore
final delivery is complete once the stack is created that has
my name on it?
Nobody cares about getting the message delivered to a program
that is under the control of the recipient, apparently.
The only storage location that can be considered to be final
delivery of an e-mail message is a storage location that is
under the control of the recipient. An inbox on the
recipient's hard drive would be a fine indication of final
delivery. To even approach a proper stipulation of facts with
respect to the subtle distinction between Web-based e-mail
services, which are closer to post office boxes, and
POP3-based e-mail services, which are closer to conventional
postal mail delivery to your home, requires mention of POP3
and the role of the MUA, both of which are missing from the
stipulation made by the parties.
The dissenting opinion, page 18, includes discussion of MUA
but it asserts that the MUA in this case was procmail. One
would hope that the voice of reason would at least get its
facts straight when everyone else was lost or confused. Too
bad in this case the voice of reason was clueless, too.
The court correctly points out that Congress intentionally
exempted stored electronic communication from the definition
of "electronic communication" in section 2510(12) of 18
U.S.C. There is no other reason than this intentional
exemption that the appeals court ruled as they did in this
case, and given the facts as they were presented by the
parties the ruling was proper.
However, an e-mail message goes from electronic storage on a
hard drive to electronic storage in RAM and then back to
electronic storage on a hard drive again by passing through
wires. The government should have argued that the procmail
program intercepted electronic communications by causing
stored electronic communications to once again be transmitted
over wires. But for stimulating that transmission over wires
the procmail system would not have been able to access the
second set of stored electronic communications THAT THE
PROCMAIL PROGRAM ITSELF CAUSED. In reality the procmail
program was creating an echo and capturing the echo. That you
cannot do this in other wiretap scenarios and thereby avoid
the Wiretap Act should have made the court examine this more closely.
This case should have set the precedent that causing a stored
electronic communication to be transmitted over wires to a
different electronic communication storage temporarily
"on-demand" in order to circumvent the Wiretap Act is not
acceptable. The exemption on stored electronic communications
that came from Steve Jackson Games v. U.S. Secret Service
should not be applied to "live" electronic communications
systems that can be induced to "echo" stored electronic
communications but rather the Steve Jackson Games precedent
should apply only to "dead" storage that must be reactivated,
powered up from an off condition and examined directly,
without causing an echo, in order for the stored electronic
communications to be accessed.
Steve Jackson Games should continue to exempt forensic
investigators from prosecution or civil liability, and keep
true "stored electronic communications" accessible to law
enforcement and the prosecution in criminal cases. It is
necessary for there to be some exemption otherwise it would
be impossible for law enforcement to ever look at any hard
drive without obtaining a wiretap authorization that
specifically names every party whose stored communications
are found on the drive when it is analyzed. However, the
exemption that this court ruling suggests we must learn to
live with is not an exemption that is sensible or that is
consistent with the full truth of the matter.
The court in this case was not given the opportunity to
consider this view because the technical stipulations of fact
were so badly flawed. I would be satisfied with the outcome
of this appeal had the technical stipulations and reasoning
been proper, yet they were not. We still do not know how a
court might rule if the correct and true technical
stipulation is made in a similar case. We do know that it
will be more difficult to get another appeal heard on the
matter, as other courts will tend to defer to this appeal
unless somebody intelligent manages to explain these issues
clearly at just the right time.
It is disturbing to see how poor the quality of computer
expert testimony is in court, and how little effort is put
into clarifying the reality behind technical issues. When the
parties stipulate to things that are not the truth, or when
either side is technically inept, it causes courts to make
errors. Then we end up with bad precedent.
jasonc () science org
Full-Disclosure - We believe in it.