Otherwise Occupied - ECPA

Why worry about email interception?

gregh — Sun, 22 Jul 2007 23:21:41 -0500

That's not an uncommon question. The argument may be easy to buy into. Stored email is afforded little protection under the Stored Communications Act (SCA). Given those weak protections, why bother with the complexities of interception when they can simply be requested from the provider?

The answer is simple. Savvy users of email will limit their exposure to subpoenas for stored email. How? Control of mail servers is the most likely. Media conversion of email on delivery is another. International mail servers is yet another. There are others. What's more, the government always limit its access to a single type of network traffic. If agents are already sniffing for instant message traffic, there's no reason to expect they won't also go ahead and collect emal information. The end result is that the government, in spite of the ease of collecting email under the SCA, will still have motivation and opportunity to intercept email.

If the government is going to intrude on Americans' privacy protections online by intercepting Internet communications, assessing the protections of intercepted email remains important.

Speaking in SMTP

gregh — Mon, 02 Jul 2007 23:26:24 -0500

As I've previously written, what I consider a key flaw in current analysis of Fourth Amendment (and Electronic Communications Privacy Act) protections against interception of Internet communication is that it takes a narrow view of what constitutes communication on the Internet. The standard is "any information" that concerns the substance, meaning, or purport of a communication.

We should look to other forms of communication to arrive at a reasonable definition of Internet communication. I've suggested voice as the most pervasive. We don't permit the recording of waveforms of speech and only exclude transcripts. Without a warrant, the government may not record a telephone conversation.

When a person sends an email message, that form of communication is chosen, for whatever reason, over a telephone call. While the propagation of sound is required for meaningful oral communication by telephone, the propagation of properly formatted SMTP commands and RFC 822 message bodies are required for comprehension of the stream of bytes comprising an email message. Without that formatting, there is no substance, purport, or meaning of an email. In many cases, it won't be delivered at all.

The SMTP commands that transport a message across the Internet are, therefore, comparable to the use of voice to communicate across a telephone line. The courts and the Congress don't allow the recording of the electrical underpinnings that make up that voice communication. It makes little sense to allow recording of the commands and formatting that make up an email message.

If I can get to a point where I can substantively establish this, it becomes clear that what follows is protection of the application layer.

Dialing, routing, addressing, and signaling

gregh — Sun, 17 Jun 2007 23:43:03 -0500

Dialing, routing, addressing, and signaling. Pen registers and trap-and-trace devices are devices that may be used to collect the non-content portions of a communication. As I've previously written, contents refers to "any information concerning the substance, purport, or meaning" of a communication. Therefore, non-content dialing, routing, addressing, and signaling information is necessarily such information that does not concern any such information about a communication. Simple enough, right?

Well, it seemed simple enough to Congress. They proceeded with the intention to call an "email address" a communications "facility," moving it into the definitions of pen registers and trap-and-trace devices. This involves a convoluted notion that one communicates from email address to email address, much as one communicates from phone to phone. Obviously, this is nonsense, but that hasn't stopped law enforcement from seizing upon this expansion.

However, let's assume for a minute that an email address actually is a communications facility unto itself, and that when we communicate via email, the endpoints are actually email addresses. If we focus solely on the real-time interception of non-content information of an email communication, what is "dialing, routing, addressing, and signaling" information, and what is "any content concerning the substance, purport, or meaning" of that communication? Remember, this is still a message in transit across the Internet.

Here's what we know. Before the email message can be sent, there is already going to be a TCP connection established between the sending computer and the receiving computer. Only after the TCP connection is established may the actual communication take place. When that message gets to the remote computer, that remote computer is going to have to receive it, most likely via the SMTP. In this day and age of heavy spam and other deviousness online, it is very likely that the message is going to have to be formatted somewhat well in order to be delivered.

In order for a message to be properly formatted for receipt by the remote computer, the sending computer will send SMTP commands, continuing to send others, followed by the actual content of the message being sent, in response to replies from the remote computer. The sending computer will give, at a minimum, its name, the email address that is sending the message, the email address that is the destination of the message, and finally, the message. If these steps aren't followed, the message will not be delivered.

But there's more. Once a message is delivered, for a communication to be complete, the message must be read. There are many things that may be carried in a message to allow it to be understood. Obviously, the body of the message allows it to be understood. But we're concerned, also, with any information that concerns the substance, purport, or meaning of the message.

In a telephone call, a great deal of substance, purport, or meaning may be derived from the voice of the communicator. In email, there is no such voice. However, the sending address certainly gives a message voice. The personalizable "From:" header my also lend such a voice. Bayesian spam filters assign scores to a message based on tokens in the headers, and these can also lend a voice, as can such headers as message priorities and the "Received:" headers, which allow a message to be traced and in many mail programs, is used to sort messages by date (and not the "Date:" header.)

In short, the proper use of SMTP commands, the email addresses and addressing, as well as received headers and the nature of the contents of the headers all lend substance, purport, and meaning to a message. However, under the most common interpretations of the current laws, all of those pieces of content may be readily obtained by law enforcement agents under the Pen Register Act.

Substance, purport, or meaning

gregh — Wed, 06 Jun 2007 23:31:00 -0500

The Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq, places restrictions on the interception of communications contents, in accordance with the basic findings of Katz v. U.S. and some refinement in Smith v. Maryland. In § 2510(8), "contents" is defined as "any information concerning the substance, purport, or meaning of that communication." (emphasis added.)

In electronic communications, what standard must be met for information to concern the substance, purport, or meaning of the communication? That's an excellent question, and it's one I've been trying to answer. (I should probably note that "substance, purport, or meaning" is not the Supreme Court's language; however, the Supreme Court has cited that Congressional language on many occasions without obvious disagreement.)

Email is the context most often considered, especially after the USA PATRIOT Act attempted to make email addresses "communications facilities." The conventional wisdom with respect to email is that only the body of a message and maybe (maybe) the subject header is content. Everything else, the standard argument goes, is non-content. I disagree, and I think on a technical level this position is undermined by finding analogies to clearly protected forms of communications, but specifically telephone communications.

Those of us who understand email also understand that message headers are meaningful. In an age when nearly every message sent on the Internet will face at least one spam or virus filter, those headers lend substance and purport, because they enable a message to be delivered. In this age of massive Bayesian filters, where header tokens can classify a message as spam or not, message headers lend substance and purport.

But message headers do something more. They communicate the sender, as well as the chosen representation of the sender's name and email address. When I see who a message comes from, especially if I am forced to check the headers to see the path, substance and purport are immediately gained. In many cases, I must check those things to know who the sender was.

And where does this leave the telephone analogy? Imagine if oral communications (which have greater statutory protection, but use the same "contents" definition) were recorded, such that the spoken words were obscured, but the tones, inflections, and voices could be heard. What if we could record greetings of phone conversations to understand who the target was?

The government can't, at least not legally, without a warrant. However, the government may collect all of your message headers, intercepting them in bulk, without a warrant.

The big questions, then, are what do we mean by "any"? "Concerning"? "Substance"? "Purport"? "Meaning"? It's not entirely clear, and finding the appropriate law that can shed light on these issues is tough.

This is just the tip of the iceberg. There are, in my opinion, considerably more problems with the current analysis of the protections of electronic communications, and they almost all hinge on clearly broken ideas of how the Internet works.

More to come.