Thursday, July 01, 2004
Email May Not Be As Private As You Think
A decision handed down yesterday by the U.S. Court of Appeals for the 1st Circuit in the case of U.S. v. Councilman has some potentially startling applications for anyone who sends or receives email with sensitive or confidential information.
Councilman's company sold rare and out-of-print books. It offered book dealers email accounts, too. What the book dealers didn't know was that Councilman was exploiting their use of the email accounts to gather competitive intelligence about their needs. He did this by having a computer program written that would copy all incoming email to the book dealers from rival Amazon.com and allow him to read it without their knowledge.
The opinion here deals with the issue of whether Councilman's conduct violated the federal Wiretap Act. In a 16-page majority opinion, the 1st Circuit agrees with the trial court that it did not violate that statute because the statute requires the communication to be "intercepted," and the court took the position that since the email was in electronic storage, it was not intercepted. The Act, written before the Internet gained such huge popularity, simply does not squarely fit facts such as these. (The dissenting judge explains, in a 37-page dissent, why he strongly disagrees. . .)
Where is YOUR email stored? Who could possibly have access to it during that storage period? Knowing that, at least under this court's reasoning, a cybersnooper who reads your email from storage could not be successfully prosecuted under the Wiretap Act, it becomes even more important to contractually prohibit prying eyes with strong contract language and severe penalties for violation.
Here are some thoughts about the case from other members of the BOL Team:
JOHN: As we know, courts of appeals aren’t necessarily the “last word” on topics like this. The finding seems a little bit of a stretch, and could be overturned.
But, this isn’t the Ninth Circuit, is it?
Another potential problem for banks would be outsourced firewalls. Couldn’t it be argued that messages are stored there at least momentarily before running thru the filter and out the door?
MICHELE: Hmm --- that is scary. Several things come to mind.
If it is not illegal to read private transmissions so long as they continue to go to the intended person, that puts at risk any institution that uses a 3rd party outsourced provider for their mail services -- and there are a lot of banks that do that. Even if a bank was using a sophisticated third-party outsourcer and had privacy clauses in place, what about smaller institutions that allow mail to go through a local ISP? -- that is an even worse scenario.
It really seems to me that this can't stick -- that there will be some change to the law -- I am sure there are lots of other possibilities that would leave people feeling very unsafe and exposed.
ANDY: It says that if information passes over your machine and is stored, you have the ability to review it. It should scare everyone. Does this give (in this case Councilman) the authority to review all your email that he had, even for a moment, and the attachments, even when they're encrypted? Does this give law enforcement the ability to get his records, and thereby get your records? Would this apply, and I'm sure it would, to Gmail, Yahoo, MSN, etc. and offsite storage businesses as well as web hosts? You only thought you had a secret password protected section of your website.
GEORGE: WOW -- well, at a minimum, it seems to me that if a financial institution outsources their email, the ISP could look at email on the server without penalty.
Another thought comes to mind. If the servers are outsourced, does this ruling allow the ISP, or server owner, to snoop through all the files without consequence?
On the other hand, this seems like a loophole that will quickly be plugged. Just because the Wiretap Act can't be used as a defense doesn't render the activity acceptable. And, not knowing the specific arrangement that this guy had with his customers, I don't know if outsourcers would have the same freedom (not knowing what the standard contract language is in ISP agreements).
