[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40EA9D12.9070201@science.org>
Date: Tue, 06 Jul 2004 02:37:38 -1000
From: Jason Coombs <jasonc@...ence.org>
To: bugtraq@...urityfocus.com
Cc: isn@...rition.org, isn@....org, full-disclosure@...ts.netsys.com
Subject: Re: [ISN] E-Mail Snooping Ruled Permissible
Anyone who has not read this appeals court decision should do so now.
http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
The stipulated facts make it clear that the government failed to hire an
expert witness who knows how SMTP, POP3, sendmail, procmail, DNS, MTA,
MUA, HTTP, Web browsers, computers, hard drives, software, RAM and the
Internet actually work.
Take, for instance, page 3, where both parties stipulate that the
following is true:
"Once the e-mail is accessible to the recipient, final delivery has been
completed."
Every person who is reading this message should be able to stipulate
that final delivery was not complete until a Mail User Agent retrieved
it from temporary storage on the mail server. If you're using Webmail
then your browser is your MUA and it speaks HTTP rather than POP3. That
was the case with Interloc e-mail accounts.
Yet the court and the parties managed to agree that final delivery is
complete any time the message is in the possession of an MTA that
happens to consider itself to be the last hop in the delivery route.
Never mind that there must be one more delivery step where an MUA under
user control receives the message on behalf of the user.
The fact that the mail server may arbitrarily expire old messages and
take other actions that disrupt the final delivery to an MUA was clearly
of no concern to anyone in this case.
I can't imagine ever stipulating that once my mail messages are touched
by procmail final delivery is complete. That's like saying once the
incoming mail truck arrives at my local post office and the mail sort is
done and my mail is placed in a stack with a rubber band around it that
final delivery is complete. All I have to do now is go to the post
office and remind them that they didn't bother to deliver my mail today
and I'll be given access to the stack, right? Therefore final delivery
is complete once the stack is created that has my name on it?
Nobody cares about getting the message delivered to a program that is
under the control of the recipient, apparently.
The only storage location that can be considered to be final delivery of
an e-mail message is a storage location that is under the control of the
recipient. An inbox on the recipient's hard drive would be a fine
indication of final delivery. To even approach a proper stipulation of
facts with respect to the subtle distinction between Web-based e-mail
services, which are closer to post office boxes, and POP3-based e-mail
services, which are closer to conventional postal mail delivery to your
home, requires mention of POP3 and the role of the MUA, both of which
are missing from the stipulation made by the parties.
The dissenting opinion, page 18, includes discussion of MUA but it
asserts that the MUA in this case was procmail. One would hope that the
voice of reason would at least get its facts straight when everyone else
was lost or confused. Too bad in this case the voice of reason was
clueless, too.
The court correctly points out that Congress intentionally exempted
stored electronic communication from the definition of "electronic
communication" in section 2510(12) of 18 U.S.C. There is no other reason
than this intentional exemption that the appeals court ruled as they did
in this case, and given the facts as they were presented by the parties
the ruling was proper.
However, an e-mail message goes from electronic storage on a hard drive
to electronic storage in RAM and then back to electronic storage on a
hard drive again by passing through wires. The government should have
argued that the procmail program intercepted electronic communications
by causing stored electronic communications to once again be transmitted
over wires. But for stimulating that transmission over wires the
procmail system would not have been able to access the second set of
stored electronic communications THAT THE PROCMAIL PROGRAM ITSELF
CAUSED. In reality the procmail program was creating an echo and
capturing the echo. That you cannot do this in other wiretap scenarios
and thereby avoid the Wiretap Act should have made the court examine
this more closely.
This case should have set the precedent that causing a stored electronic
communication to be transmitted over wires to a different electronic
communication storage temporarily "on-demand" in order to circumvent the
Wiretap Act is not acceptable. The exemption on stored electronic
communications that came from Steve Jackson Games v. U.S. Secret Service
should not be applied to "live" electronic communications systems that
can be induced to "echo" stored electronic communications but rather the
Steve Jackson Games precedent should apply only to "dead" storage that
must be reactivated, powered up from an off condition and examined
directly, without causing an echo, in order for the stored electronic
communications to be accessed.
Steve Jackson Games should continue to exempt forensic investigators
from prosecution or civil liability, and keep true "stored electronic
communications" accessible to law enforcement and the prosecution in
criminal cases. It is necessary for there to be some exemption otherwise
it would be impossible for law enforcement to ever look at any hard
drive without obtaining a wiretap authorization that specifically names
every party whose stored communications are found on the drive when it
is analyzed. However, the exemption that this court ruling suggests we
must learn to live with is not an exemption that is sensible or that is
consistent with the full truth of the matter.
The court in this case was not given the opportunity to consider this
view because the technical stipulations of fact were so badly flawed. I
would be satisfied with the outcome of this appeal had the technical
stipulations and reasoning been proper, yet they were not. We still do
not know how a court might rule if the correct and true technical
stipulation is made in a similar case. We do know that it will be more
difficult to get another appeal heard on the matter, as other courts
will tend to defer to this appeal unless somebody intelligent manages to
explain these issues clearly at just the right time.
It is disturbing to see how poor the quality of computer expert
testimony is in court, and how little effort is put into clarifying the
reality behind technical issues. When the parties stipulate to things
that are not the truth, or when either side is technically inept, it
causes courts to make errors. Then we end up with bad precedent.
Sincerely,
Jason Coombs
jasonc@...ence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists