Thursday, July 01, 2004

ISPs permitted to read users email

Wired News reports:
E-mail privacy suffered a serious setback on Tuesday when a court of appeals ruled that an e-mail provider did not break the law in reading his customers' communications without their consent.

The US First Circuit Court of Appeals (covering large parts of New England) ruled that Bradford C. Councilman was not in violation of wiretap laws when he copied and read customers email so that he could monitor their business transactions with rival Amazon.com.
Councilman, owner of a website selling rare and out-of-print books, offered book-dealer customers e-mail accounts through his site. But unknown to those customers, Councilman installed code that intercepted and copied any e-mail that came to them from his competitor, Amazon.com. Although Councilman did not prevent the mail from reaching recipients, he read thousands of copied messages in order to know what books customers were seeking and gain a commercial advantage over Amazon.

Authorities charged Councilman with violating the Wiretap Act (formally known as the Electronic Communications Privacy Act or ECPA), which governs unauthorized interception of communication. But the court found that because the e-mails were already in the random access memory, or RAM, of the defendant's computer system when he copied them, he did not intercept them while they were in transit over wires and therefore did not violate the ECPA, even though he copied the messages before the intended recipients read them. The court ruled that the messages were in storage rather than transit.

However, the court did acknowledge that the Wiretap act might be inadequate to protect consumers privacy over the Internet. In spite of all the criticism being levelled at them, the decision could have been correct; the court was merely interpreting this law, and not legislating, as American courts too often do. (Roe v. Wade, anyone?) The judge, in his decision (PDF) appears to rely on the distinction between electronic and wire communications. Quoting from the ECPA:
"wire communication" means any aural transfer made in whole or in part through the use of facilities for the
transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception (including the use of such connection in a switching station)... and such term includes any electronic storage of such communication

"electronic communication" means any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce...

"electronic storage" means--
(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and
(B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication;

Note the absence of the phrase "electronic storage" from the definition of "electronic communication", even though it is included in the definition of "wire communication." The judge cites precedents which uphold the principle that
"When Congress includes a particular language in one section of a statute but omits it in another section of the same Act, it is generally presumed that Congress acts intentionally and purposely in the the disparate inclusion or exclusion."
As RAM most definitely is electronic storage, he appears to have interpreted the law correctly.

It seems that the judge sympathises with the authorities, but believes that a strict interpretation of the law compels him to acquit the defendant. In order that this miscarriage of justice is not repeated, they believe that the ECPA should be revised. To that extent, I agree. If this is what the law says, then (quoting Mr. Bumble) "the law is an ass" and we need a new law. The implications for online privacy are stunning. Any email you send over the net can now be legitimately read by your ISP and/or email service provider, and they can freely use the data however they see fit. I can't even begin to describe the consequences! Compared to this, the automated parsing of email by Gmail is entirely innocuous. The ECPA should be modified immediately. Posters on Slashdot have a brilliant solution: Gillbates writes "I feel like starting an ISP and offering free email accounts to congressmen, judges, FBI agents, etc... The time difference between an embarrassing email leak and legislation outlawing reading another's email is left as an exercise for the reader...."

4 comments:

Sanketh said...

Korula,
Man your blog is all information. I often wonder what I can blog about. Don't think I can do it as well as you do. Anyway good luck with your PhD.
Do keep in touch.
This is another pseudo-middle class student signing off. :)

And yes I know this has nothing to do with the post. I didn't get to reading it.

Anonymous said...

What do you mean the court was legislating in Roe vs Wade? It was just interpreting the privacy clause of the constitution(5th amendment iirc) to a woman in the first trimester of pregnancy.
Creative interpretation? Perhaps. But I subscribe to the 'constitution as a living document.' school of thought.

Nitish said...

Perhaps I should have phrased that better; I meant that it could be argued that the court went too far in Roe v. Wade. One would have to concede, as you do, that it was at least a creative interpretation.

I disagree with the conventional interpretation of the Constitution being a 'living document,' though. I fully accept that it can and should evolve with society. The question is whether the agent of change should be the courts or the legislature, as is mandated in the constitution. Justice Antonin Scalia has a well-written piece that touches on the subject, though it's actually about the constitutionality of the death penalty. Though I often disagree with him (I think he's sometimes extremely conservative), he makes a good point here: "... The Constitution that I interpret and apply is not living but dead—or, as I prefer to put it, enduring. It means today not what current society (much less the Court) thinks it ought to mean, but what it meant when it was adopted... There is plenty of room within this system for “evolving standards of decency,” but the instrument of evolution (or, if you are more tolerant of the Court’s approach, the herald that evolution has occurred) is not the nine lawyers who sit on the Supreme Court of the United States, but the Congress of the United States and the legislatures of the fifty states, who may, within their own jurisdictions, [pass laws they wish and/or modify the constitution.]" (Complete essay)

And as for my personal opinion on the subject, I'm pro-choice. The choice that I would make (of course, I'm not a woman!) would be against abortion, but I think that people should be permitted to decide themselves.

Nitish said...

In case anyone wants to look them up, the relevant (to Roe v. Wade) sections of the constitution are the ninth and fourteenth amendments.