Internet and e-mail policy and practice
including Notes on Internet E-mail


Click the comments link on any story to see comments or add your own.

Subscribe to this blog

RSS feed

Home :: Email

13 Jan 2008

Snooping on e-mail is still against the law, just barely Email

In August 2005, the full U.S. Court of Appeals for the 1st Circuit issued its long awaited decision in the U.S. v. Councilman case. This case has an extremely peculiar set of facts and a peculiar history to match, and although I agree with the court's decision, I'm not too encouraged by the history of the case.

Everyone apparently agreed to the facts of the case, but see the update at the end of this article: Brad Councilman was an executive at a company called Interloc which ran an online service for used bookstores, which among other things provided the stores with e-mail accounts. (Interloc is long gone, merged into the larger Alibris.) In 1998 Councilman allegedly decided to do a little surrepetitious market research by adjusting the procmail script that delivered the stores' e-mail to make copies of mail from in a mailbox that Councilman and other Interloc employees read, and they did indeed copy and read thousands of messages. Councilman was in the unusual position of being both an ISP for these stores and their competitor. In 2001, Councilman was indicted for violating the Wiretap Act, by intercepting electronic communications, namely the e-mail from Amazon. Councilman's lawyers came up with a clever defense arguing that what he did wasn't against the law.

The law in question has three parts that are somewhat relevant. The part known as the Wiretap Act applies to ``wire communications'', which the law essentially defines as phone calls. That part includes language that says that it also applies to ``stored communications'', intended to extend coverage to voicemail. The next part, often known as the ECPA (although the ECPA also amended the Wiretap Act) applies to ''electronic communications'' which clearly covers e-mail, but doesn't say anything about stored communications. The third part, the Stored Communication Act, definitely applies to stored e-mail, but has a giant loophole for service providers that would apply to Councilman in his role as an ISP.

Councilman's argument was that at the time that procmail acted on a message, it was in storage, not in transit, and since the electronic communications part of the law doesn't say anything about stored communications, it doesn't apply to them, even though they were only stored for a few milliseconds. This is a clever legal argument, but it would be a disaster for privacy since it would in effect wipe out the ECPA. Every bit of traffic on the Internet is processed by store-and-forward, and it's all stored briefly as it's relayed on its way. Routers store packets before sending them along, so under this theory, one could snoop on packets by doing the snooping in routers. Mail servers store messages, so any snooping in a mail server would be fair game. These happen as well to be the places where it's easiest to snoop, so it'd be open season on net traffic.

The initial trial judge bought Councilman's argument. His decision was appealed to a three-judge panel of the appeals court, which also bought the argument on a 2-1 decision, believing that if Congress had wanted to put stored communication language in the ECPA they could have (and still could, by amending it), but they didn't. The government asked for and got en banc review of the full court, which did not buy the argument. The judge who dissented on the first appeal wrote the decision for the full court, from which the two judges who wrote the preceding decision not surprisingly dissented.

Since the facts were not in dispute, the courts had to decide what the law meant and what Congress intended. Sen. Leahy, who sponsored the ECPA in the first place, submitted an eloquent amicus brief describing both his recollection of what happened as they passed the ECPA, and that Councilman's interpretation would void the law. The Electronic Privacy Information Center filed a brief on behalf of five technical experts (including me) in which we also argued that e-mail by its nature is stored while it's in transit. The opinion weighed the factors and decided that we were right, and the previous two decisions were wrong.

I find it somewhat dismaying that the trial court and two of three judges who heard the original appeal didn't understand that their decisions amounted to wiping out the ECPA. (Or worse, they understood and didn't care, but I don't think that's it.) Federal appeals courts judges are one step below the Supreme Court, and are among the smartest and most experienced judges in the country. These guys are not dumb, but due to some combination of the skill of Councilman's lawyers argument and their unfamiliarity with the technology, two judges from that court didn't get it. The en banc decision is very good and shows an excellent understanding of the case and the technology, but we can't count on Judge Lipez, who wrote it, to hear every ECPA case. That's why, although this case came out in a way that makes legal and technical sense, I'm not confident that future cases with slightly different facts, most likely less peculiar than Interloc's ISP-competitor combo, would be decided consistently.

Bruce Schneier, who was another of the experts in the EPIC brief, noted in an entry in his blog that this also puts the lie the entertainment industry's expansive argument that the incidental copies your computer makes when it reads, say, a CD-ROM or DVD in order to play it are copies worthy of copyright protection. Again, I hope he's right, but I'm not holding my breath.

2007 update: In February 2007, Councilman was acquitted of all charges. According to an AP wire service report, the case against him was based on claims by two Interloc employees that he had instructed them to keep copies of the mail. Councilman denied it, a detail that none of the 2005 reports picked up. In 2007 a Massachusetts jury agreed that the employees' claims were not credible, and Councilman had not told them to do it.

  posted at: 02:20 :: permanent link to this entry :: 0 comments
Stable link is


My other sites

Who is this guy?

Airline ticket info

Taughannock Networks

Other blogs

It turns out you don’t need a license to hunt for spam.
62 days ago

A keen grasp of the obvious
Italian Apple Cake
620 days ago

Related sites

Coalition Against Unsolicited Commercial E-mail

Network Abuse Clearinghouse

My Mastodon feed

© 2005-2024 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.