Re: [ISN] E-Mail Snooping Ruled Permissible

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [ISN] E-Mail Snooping Ruled Permissible
From: Jason Coombs <jasonc@xxxxxxxxxxx>
Date: Tue, 06 Jul 2004 02:37:38 -1000
Cc: isn@xxxxxxxxxxxxx, isn@xxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
In-reply-to: <NIELKHAILAIGBGCJLDFMGELOCJAA.coryd@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <NIELKHAILAIGBGCJLDFMGELOCJAA.coryd@xxxxxxxxx>
Reply-to: jasonc@xxxxxxxxxxx
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4

Anyone who has not read this appeals court decision should do so now.

http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf

The stipulated facts make it clear that the government failed to hire anexpert witness who knows how SMTP, POP3, sendmail, procmail, DNS, MTA,MUA, HTTP, Web browsers, computers, hard drives, software, RAM and theInternet actually work.

Take, for instance, page 3, where both parties stipulate that thefollowing is true:

"Once the e-mail is accessible to the recipient, final delivery has beencompleted."

Every person who is reading this message should be able to stipulatethat final delivery was not complete until a Mail User Agent retrievedit from temporary storage on the mail server. If you're using Webmailthen your browser is your MUA and it speaks HTTP rather than POP3. Thatwas the case with Interloc e-mail accounts.

Yet the court and the parties managed to agree that final delivery iscomplete any time the message is in the possession of an MTA thathappens to consider itself to be the last hop in the delivery route.Never mind that there must be one more delivery step where an MUA underuser control receives the message on behalf of the user.

The fact that the mail server may arbitrarily expire old messages andtake other actions that disrupt the final delivery to an MUA was clearlyof no concern to anyone in this case.

I can't imagine ever stipulating that once my mail messages are touchedby procmail final delivery is complete. That's like saying once theincoming mail truck arrives at my local post office and the mail sort isdone and my mail is placed in a stack with a rubber band around it thatfinal delivery is complete. All I have to do now is go to the postoffice and remind them that they didn't bother to deliver my mail todayand I'll be given access to the stack, right? Therefore final deliveryis complete once the stack is created that has my name on it?

Nobody cares about getting the message delivered to a program that isunder the control of the recipient, apparently.

The only storage location that can be considered to be final delivery ofan e-mail message is a storage location that is under the control of therecipient. An inbox on the recipient's hard drive would be a fineindication of final delivery. To even approach a proper stipulation offacts with respect to the subtle distinction between Web-based e-mailservices, which are closer to post office boxes, and POP3-based e-mailservices, which are closer to conventional postal mail delivery to yourhome, requires mention of POP3 and the role of the MUA, both of whichare missing from the stipulation made by the parties.

The dissenting opinion, page 18, includes discussion of MUA but itasserts that the MUA in this case was procmail. One would hope that thevoice of reason would at least get its facts straight when everyone elsewas lost or confused. Too bad in this case the voice of reason wasclueless, too.

The court correctly points out that Congress intentionally exemptedstored electronic communication from the definition of "electroniccommunication" in section 2510(12) of 18 U.S.C. There is no other reasonthan this intentional exemption that the appeals court ruled as they didin this case, and given the facts as they were presented by the partiesthe ruling was proper.

However, an e-mail message goes from electronic storage on a hard driveto electronic storage in RAM and then back to electronic storage on ahard drive again by passing through wires. The government should haveargued that the procmail program intercepted electronic communicationsby causing stored electronic communications to once again be transmittedover wires. But for stimulating that transmission over wires theprocmail system would not have been able to access the second set ofstored electronic communications THAT THE PROCMAIL PROGRAM ITSELFCAUSED. In reality the procmail program was creating an echo andcapturing the echo. That you cannot do this in other wiretap scenariosand thereby avoid the Wiretap Act should have made the court examinethis more closely.

This case should have set the precedent that causing a stored electroniccommunication to be transmitted over wires to a different electroniccommunication storage temporarily "on-demand" in order to circumvent theWiretap Act is not acceptable. The exemption on stored electroniccommunications that came from Steve Jackson Games v. U.S. Secret Serviceshould not be applied to "live" electronic communications systems thatcan be induced to "echo" stored electronic communications but rather theSteve Jackson Games precedent should apply only to "dead" storage thatmust be reactivated, powered up from an off condition and examineddirectly, without causing an echo, in order for the stored electroniccommunications to be accessed.

Steve Jackson Games should continue to exempt forensic investigatorsfrom prosecution or civil liability, and keep true "stored electroniccommunications" accessible to law enforcement and the prosecution incriminal cases. It is necessary for there to be some exemption otherwiseit would be impossible for law enforcement to ever look at any harddrive without obtaining a wiretap authorization that specifically namesevery party whose stored communications are found on the drive when itis analyzed. However, the exemption that this court ruling suggests wemust learn to live with is not an exemption that is sensible or that isconsistent with the full truth of the matter.

The court in this case was not given the opportunity to consider thisview because the technical stipulations of fact were so badly flawed. Iwould be satisfied with the outcome of this appeal had the technicalstipulations and reasoning been proper, yet they were not. We still donot know how a court might rule if the correct and true technicalstipulation is made in a similar case. We do know that it will be moredifficult to get another appeal heard on the matter, as other courtswill tend to defer to this appeal unless somebody intelligent manages toexplain these issues clearly at just the right time.

It is disturbing to see how poor the quality of computer experttestimony is in court, and how little effort is put into clarifying thereality behind technical issues. When the parties stipulate to thingsthat are not the truth, or when either side is technically inept, itcauses courts to make errors. Then we end up with bad precedent.


Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx

Prev by Date: Re: Microsoft and Security
Next by Date: backdoor menu on conexant chipset dsl router (Zoom X3)
Previous by thread: Eudora 6.1.2 attachment spoof
Next by thread: backdoor menu on conexant chipset dsl router (Zoom X3)
Index(es):
- Date
- Thread