
Re: "Forward Privacy" for ISPs and Customers



Tim said
> IANAL, and I have been skimming over most of the Bell v. Unicorn v. Nuri
> debates about the legality of wiretapping, but something jumped out at me:
>
... stuff deleted ...
>
> I agree that ISPs look a lot like phone companies for the purposes of
> regulations and wiretaps. My ISP sells me some connectivity, sends me a
> bill, etc.
>

It seems to me that they are actually selling two separate things.  One is
connectivity, the other storage.  The storage might have a different legal
status than the connectivity.  So, is email part of the connectivity or the
storage?  What is the legal status of phone company provided voice mail?  This
seems pretty close to email.

> Thus, if it is constitutionally OK (a technical term) for courts to order
> phone logs to be turned over to law enforcement, why not logs of e-mail? Or
> logs of Web sites visited, for example? I see no basis for a special
> distinction. Records are records, and businesses routinely have to turn
> over various records under court order.
>
> However, there are certain things my phone company does *not* do. They
> don't keep _copies_ (recordings) of my phone conversations. This means a
> court order can't yield copies of past conversations. They also don't track
> incoming phone calls to me. (I don't believe such records of incoming phone
> calls are kept; maybe I'm wrong. Certainly with Caller ID, storing incoming
> phone numbers is possible....I just don't think local or regional phone
> companies care about such records, and hence don't bother to accumulate
> them.)
>
> Now, should the phone company keep such records, they would be accessible
> via court order.
>
> My point? ISPs are currently in a position to turn over *far* more
> information than phone companies are able to turn over. It's as if the
> phone companies kept audio recordings of all conversations, without even
> the need for law enforcement to do a wiretap or pen register or whatnot. It
> would be trivial for law enforcement to say: "Phone Company, here's a
> subpoena/court order for the last 6 months of phone conversations Tim May
> has had. Please ship the tapes via FedEx."
>

Do we know that if phone companies kept recordings of your conversations they
would have the same legal status as the records that they already keep?

> This makes the ISP case a bit different. Not legally, but technologically.
>
> There are some fixes.
>
> Something ISPs could do--and may do if there is sufficient customer
> pressure--is to adopt a policy of "forward secrecy" (to slightly abuse this
> technical term). That is, to have an explicit policy--implemented in the
> software--of _really_ deleting the back messages once a customer downloads
> them to his site. This means that _backups_ must be done in a careful
> manner, such that even the backup tapes or disks are affected by a removal.
>
> (Recall that Ollie North thought he had deleted his incriminating White
> House PROFS messages, but that they were faithfully preserved on backup
> tapes, and could be retrieved.)
>
> My Eudora Pro mail program sucks down messages from my ISP and, as yours
> probably does, tells the ISP's mail server to delete it upon downloading. An
> option for users could be something like "Don't make longterm backups of my
> account, and leave no copies whatsoever once I have downloaded my
> messages."
>
> This would make the job of a law enforcement or TLA a lot more difficult
> than it is now, where the e-mail and logs are ready to be handed over on a
> silver platter, all nicely accumulated and human-readable.
>

It would be good to get ISPs to work this way regardless of the law.  It's
better for the data not to exist than to have it legally hard to obtain.

> Back to the legal issue. Perhaps the Digital Telephony Act will be
> interpreted to require ISPs to make their systems "tappable," possibly by
> adding message logging, possibly just by offering access to the T1s and T3s
> only ("OK, Feds, here's where the T3 enters the building...be careful you
> don't cut the core, OK?").
>
> But if no logs and backup tapes of mail are kept, at least the job of
> gaining access to communications is made more difficult.
>
> And, I'm sure the lawyers will agree, while ISPs may be treated essentially
> the same as telephone companies, absolutely *nothing* requires either to
> keep specific kinds of account records (*), to "know their customer" (a la
> banking laws, supposedly), or to record all traffic.
>
> (* Prepaid phone cards, paid for in cash, and payphones, tell us that True
> Names are not needed with the phone companies. And so on.)
>
> We don't have to make it easy for them.
>
> --Tim May
>
>
> "The government announcement is disastrous," said Jim Bidzos,.."We warned
> IBM that the National Security Agency would try to twist their
> technology." [NYT, 1996-10-02]
> We got computers, we're tapping phone lines, I know that that ain't
> allowed.
> ---------:---------:---------:---------:---------:---------:---------:----
> Timothy C. May              | Crypto Anarchy: encryption, digital money,
> [email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
> W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
> Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
> "National borders aren't even speed bumps on the information superhighway."
>
>

--------------------
Scott V. McGuire <[email protected]>
PGP key available at http://web.syr.edu/~svmcguir
Key fingerprint = 86 B1 10 3F 4E 48 75 0E  96 9B 1E 52 8B B1 26 05