----- Original Message -----
From: "Tim May" <tcmay@got.net>
To: <cypherpunks@lne.com>
Sent: Sunday, August 05, 2001 3:36 PM
Subject: Remailer logs
On Sunday, August 5, 2001, at 03:01 PM, Aimee Farr wrote:
Yes. Unless it is of special relevance. For example:
Dear company:
I just wanted to write you and tell you that the microwave that I bought from you exploded. Thought you should know. Nobody was hurt, thank goodness! Maybe something is wrong with it?
Thanks,
Mrs. Smith
The above wouldn't just be any old email now would it?
Mr. May replies:
Which is why important letters and notifications which may be relevant in some future case are almost always sent via registered mail, served in person, and so on.
...and why some lawsuit attracting materials are sent via remailers. And this I think is the point.
There is a big difference between a legal notice like "You are hereby notified of a possible defect in your Whackomatic product and copies of this letter have been sent to your legal offices and with the Better Business Bureau." and "Hey, I hope you kept that e-mail I sent you last year."
Yes, but in two of the cases I cited no such notice was sent or required. Moreover, the remailer operator is in a much _worse_ position with respect to this issue. How can he or she know which emails are of potential probative value to a court? The remailer operator who gets a _single_ complaint arguably should have to retain _all_ logs and correspondence indefinitely after that and archive it as he/she is on notice that one or more might be infringing and he/she has no ability to distinguish which one will be important- at least under this argument.
Likewise, communications are frequently channeled to specific addresses ("Send product warranty queries to ....") and are even discarded ("Unsolicited manuscripts and letters sent to Big Studio, Inc. are destroyed").
But now we are talking about communications sent through third parties with much more established content immunity (postal service, common carriers, etc.) Remailers don't seem to be at that level yet. We are also moving the discussion to the potential liability of a company who receives these things, a direct party to the suit, rather than where it was originally, on the potential liability of a third party for "spoliation" of "evidence" they wittingly or unwittingly handled. Making comparisons to Big Studio, Inc. and such avoids the basic point I think. Big Studio, Inc. for one- has a much more legitimate set of reasons to have a _document_ destruction policy. Storage costs and etc. Now, Big Studio, Inc. has even _less_ reason to destroy email. It's easy to archive, bits don't weigh much (anything), it's cheap compared to paper storage and CD-Rs have a good shelf life (15-50 years I think I once read? Your mileage may vary). What compelling reason does Bob's garage housed remailer service have to destroy information related to the content that passes his wires? The first and most obvious answer is the exact and stated purpose of the remailer- obscuring information about that content's source, destination and etc. This is the problem. Impossible to deal with? No. Criminal? Maybe, but the circumstances would have to be extreme. Potentially the subject of a costly civil suit? Potentially. Potentially subjecting the remailer operator to subpoena or other nonsense? Definitely. Already happened. It's like someone (Mr. May?) once said about y2k: It's not the odds, it's the stakes. A little insurance goes a long way. With respect to third parties it's clear that liability for spoliation can exist. It's also clear that that can be based on mere negligence. It's also clear that there need be no proceeding in progress. The third party can be entirely ignorant of a potential case. All of this is worrisome.
Now, is there some _specific_ legislation requiring either these kinds of "records retention" or "manuscript submission" policies? Maybe in some cases, by direct legislation. Certainly not for remailer logs, which is the point James and others of us have been making.
Specific legislation? Not needed. Of course the first thing we look for is specific legislation- that makes the job easy. The reality is that there is rarely a statute that speaks directly to a new issue like the liability of remailers for "infringing" content or thought crime distribution. If there were, lawyers wouldn't be needed. (That would be a nice change). On the flip side it means that prosecutors, in the absence of a specific statute, are going to stretch what they have and that legislators (trying to keep up with the lack of specific statutes for technical issues) will write nice broad laws to keep the prosecutors (which they once probably were themselves) happy. Also remember, that criminal liability (which would be covered by statute) isn't necessarily all we are worried about. For the graduate student/salaryman remailer operator civil liability would be much the same problem, if not worse since if it got to that point the powers driving civil litigation would probably be better funded and incented than would the feds _and_ in some cases (copyright, DMCA, Antitrust etc.) will _also_ have the feds to play with. Combine copyright with DMCA, Adobe and a remailer and you have something potentially really ugly for a remailer operator. He/she might not even be the focus of the suit, but get steamrolled in the process- typical.
Is there a _custom_ for some of these policies? Sure. Lawyers probably keep most letters which come to them...but probably don't worry about e-mail too much. (I used to correspond with several lawyers. Should I expect that they kept my e-mails? Of course not.)
Well, given that there are at least 3 examples I know of where e-mail destruction (even in Microsoft's case where it was made to look "routine" and linked with a newly developed policy) was used successfully to impose sanctions or modify jury instructions I think there is ample precedent for concern. Also, as I've pointed out, destruction policies do help some, but not all _that_ much and the only reason they help is because the large company has a legitimate reason for the policies (storage costs, maintenance costs, sorting costs- mostly costs). Again, Bob's remailing service isn't going to have that argument (of course the battle of the experts might ensue where Bob, at his own expense and with the $67.50 legal defense fund raised by the cypherpunks hires Mr. Trei or someone similar to testify about how these are normal and best practices- but I'd be surprised if that made a whole lot of difference). Let's just try to step out of techno-think here for a second. If you tell joe sixpack that Bob is running a service that strips off the headers of email for the purposes of rendering the sender anonymous (not to mention all the other things mixmaster does far beyond this simple measure) and that Bob not only full well knew this but fully intended to provide this service- add to that the fact that it would be pretty easy to show that remailer operators knew (or should have known) that their service was highly likely to attract illicit or otherwise litigation attracting content (this is the point right?)- I think it's a pretty safe bet joe sixpack is going to nod his head a lot at the prosecutor despite the objections of all these young whipper-snapper techno-weenies making clever "but it's not REALLY destroying the data, it's just making it totally inaccessible for 900 years without the right key" arguments. Now that's just joe sixpack.
I haven't even gotten to thinking much about what a judge will think of what the prosecution will inevitably call an "evidence destruction engine." Here's how I might play this out as a prosecutor: Mr. Smith, you run a service called the "nobody" mixmaster remailer? And this service destroys identifying information from incoming electronic mail before passing it on to the next destination? So the purpose of this service is to mask the identity of the sender? If say, I wanted to send a death threat, this would mask my identity fairly well? I could probably get away with that then, couldn't I? The police would be powerless? The FBI? Indeed, your service has been carefully designed with that kind of threat model in mind? And are you aware of any legal proceedings involving other remailers? Are you aware of a similar service offered called the "Free Zone" at blah@blah.net? So you aren't aware of the legal complications involving that remailer and the Church of Scientology? Your honor, I'd like to introduce Exhibit D, conversations on a mailing list discussing the design of the mixmaster remailer in which the designers and other participants discuss mixmaster remailer use in deterring legitimate law enforcement and civil investigations and the Scientology incident specifically. I'd also like to introduce Exhibit E, a list of the email addresses of recipients on that list during these discussions. If the witness could please read line 453, highlighted on the sheet there. Is that your email address? Does that refresh your memory, you _were_ on this mailing list during these discussions weren't you? So you were aware of these design criteria, to deny identifying evidence to lawful authorities or civil litigants? Excuse me, to provide the users with.... total anonymity. I'm sorry. Mr. Smith, do you charge for users of the remailer? So is it safe to say that you don't intend to profit from this service? Then your motivation for running the service is... to help people destroy evidence then? Ok, sorry your honor, withdrawn. Then your motivation for running this service is definitely not for profit? You're a good citizen, as it were? Yes, of course you are. You destroy all logs about users of the service, isn't that correct? Excuse me, you "fail to record" any information about users of the service? I'm confused. Someone sends an electronic mail to your service, it has a "reply to" or a "from" header on it when it arrives, correct? But before sending it on to its destination, you destroy this information, correct? Excuse me. Delete it. Whatever. I see. So people would use this service to mask their identity, if they didn't want to be responsible for the content they are sending perhaps? And someone committing a crime, something untraceable, they would be able to hide behind your service wouldn't they? But that is a risk of running the service yes? What about, say a drug deal? A death threat? Something libelous? So wouldn't it be safe to say that a reasonable person might expect some abuse of such a service by criminals? Isn't it true that you have an abuse@blah.net address to deal with this precise eventuality? So you expected there might be legal problems? blah blah blah Now, I've omitted the witness's responses, the myriad of objections and such that such an exchange would certainly create, but I think it makes a point. Whatever the outcome of this exchange in terms of the record the 50+ year old gray haired Reagan appointee behind the bench and the idiots who couldn't figure out how to dodge jury duty are going to get a pretty distinct impression of this service. It just plain looks bad. This is what I have to keep pointing out. It doesn't _matter_ if it's technically kosher. It just plain looks bad. I'd be surprised if some of the jury members didn't write their congressmen insisting a law be passed to rid us of this scourge of remailers after a clever prosecutor got to them.
We need to work hard on making remailers look better in this kind of a scenario. Granted it's extreme, but that's how cypherpunks define their threat models- no? Overkill is our friend in security design, plus, it's usually pretty cheap to add 64 bits to a key. I've only thrown this example together using typical prosecutorial tricks (use of the word "mask" instead of hide, use of the word "destroy" instead of strip, work in a parade of horribles, etc. etc.) that came to me off the top of my head. Yes yes, armchair lawyers, I've led the witness a few times and such to keep the space down, but I could get it all in with twice the space if I really wanted to. So could any good courtroom lawyer. I'm sure someone who had prepared carefully would be plenty more sophisticated about it, and run the witness into plenty more traps than I bothered to get into.
What about the role of _technology_? With the technology of formal letters, printed on formal legal department letterheads, and with filing cabinets in offices across the land, the _technology_ fits with the _custom_ of filing every letter received. With e-mail, which is ephemeral, subject to inadvertent erasure (hit the wrong key and it's gone), subject to erasure or misfiling during housecleaning, hard disk crashes, reformattings, or just plain switching mailers, there is much less expectation of permanence.
But that's going away slowly. The EPM, digital signatures, archival services, all of these things are moving towards permanence, not away from it. I can find ancient posts I forgot I even wrote from years back on google or anywhere else. I can't find any of the paper copies of papers I wrote from back then anymore in anything less than 2 hours of looking. I'd say digital technology is doing just fine in this regard. Sure, there's bit rot, but it's closely coming to be not much more significant than microfiche run, or paper mold, perhaps even less so with the introduction of cheap CD-R technologies and coming cheap DVD-R technologies. If anything the persistence of archives and search engines is having the reverse effect, one of the reasons I started using a nym in the first place, one of the reasons I continue to. Also, courts are constantly whining about the potential destruction of evidence in such a way that it's caused major erosions of the 4th. No-knock searches are primarily justified at the threat of lost evidence to the court. E-mail and electronic data is the ultimate threat for lost evidence. It takes just a power interruption to destroy all the information (read: evidence) on a poorly (properly?) designed system. Doesn't that make you wonder if eventually, over the next several years these sorts of things are going to be taken much more seriously? When there is no more "smoking memo" because the office is mostly paperless, the smoking e-mail is going to be the king of the Hollywood courtroom drama scene. Expect e-mail to get more, not less onerous for people handling it. [Good stuff about Lessig removed]
Getting back to remailer logs for a moment, why is a remailer any more responsible for keeping detailed logs than a person like me is for keeping logs of what mail I received, whom I bounced it over to, and so on?
Because the case is much easier to make that a remailer operator knew or should have known that there was the potential for content coming across his service to be the subject of a dispute. That's the whole point of the remailer. It shifts the risk and costs of investigation to the remailer operators, from the sender. It follows that in the efficient market the remailer operators are the best able to deal with that risk and those costs, hence their willingness to shoulder that burden. I think today that's not necessarily so and given that the risk of handling illicit information has geometrically increased over the last few years (DMCA etc. etc. ad nauseam) it only follows that remailer operators should follow suit and augment their risk management efforts. The inescapable reality- despite all the window dressing we might put on them- is that remailers perform a single function- making email untraceable- from which a few purposes legitimate- free speech, recovery groups, human rights, whistleblowers- and illegitimate- libel, copyright violation, etc.- may stem. I'm going to take the liberty of pointing out (without taking a position one way or the other) that even the _legitimate_ purposes are somewhat at odds with the interests of courts and the judicial system. Specifically, someone admitting they have just bought and currently possess 2 grams of cocaine on narcotics anonymous and god if they aren't trying to resist using it if only their NA buddy would answer the phone- is a contemporaneous admission of a felony (to wit: possession of narcotics) in which a court has a legitimate interest in preserving the evidence for (whatever you think of drug laws or the jurisdictions of courts and etc.) Whistleblowers are probably in violation of an NDA somewhere. They are circumventing law for the "higher good." That "higher good" is generally going to be a matter of perspective and it will vary in its weighted importance depending on the individual.
(One man's freedom fighter, another man's terrorist, etc.). Remailers are a "short circuit" of some of the really poor and unfortunate outcomes of all information being traceable and available to courts. (Insert discussion of importance of anonymity and its critical role in everything from political speech to the founding fathers, the federalist papers etc.) But let's be frank and recognize that not everyone, particularly non-cypherpunkish types, will appreciate that or consider that a "good thing"(tm). To these people a prosecutor's description of an "evidence destroying engine" is going to probably stick- even if it was objected right out of the record (which it may or may not have been) and the jury instructed to disregard it (which they may or may not have been). Some of the high end plaintiff's lawyers I've encountered and worked with will actually test their catch phrases ("evidence destroying engine") on focus groups to see what sticks- what they can slip in that will stay with jurors even if they can't read it in the record later. Sometimes they will do these things by adding in what they know about the jurors. GM and Hogan & Hartson were very good at this- using demographic information about the jury to tailor "objected away" comments to stick in the minds of mothers, single working professionals, etc. right to the end.
The fact that Robb London might be "very interested" in where I bounced Jim Bell's mail to does NOT mean I had any obligation to keep detailed records, presumably in a form not subject to erasure or loss through routine misadventures of the computer kind.
Depends on how you want to define obligation. Do you think a manufacturer of a product has an obligation to keep old design notes around for over a decade even when their attorney tells them they can toss em? Do you think a car dealer has an obligation to keep around every used car they ever get their hands on, instead of selling them, on the off chance they might be evidence in a suit? Do you think Microsoft has an obligation to keep every single email they ever sent just in case they one day get sued for Antitrust? I don't. Courts have all found some level of obligation (of varying severity/intensity) in these examples. I think they are all patently silly. I think they are bad law. Doesn't change the fact that they are precedent. The key factor in all these is that information a court wanted seemed to be in the possession or control of these parties at one time or another. A remailer operator, in my view, is much likelier to be in a position to handle such information, or be seen as a potential source of the information, than the same individual not running a remailer.
And as James keeps ragging about, if they haven't gone after Microsoft for "spoliating" as MS got rid of old e-mail and limited employee planners and notes, they surely can't go after the operator of the noisebox remailer, for example, for failing to keep logs of all traffic from May 19, 1999 to May 24, 1999.
But they DID go after MS. And MS was almost sanctioned for it and it _was_ in the jury instructions. Remember also that Microsoft lost at trial. Moreover MS knew this was a potential problem and therefore specifically did _not_ have an email destruction policy in place before the suit- at odds with some of the fervent (and totally unsupported) claims by persons here that they did. They had a very aggressive e-mail _retention_ policy. As early as 1992 they asserted that all U.S. emails were preserved for fifteen (15) years. (!) See e.g.,: Los Angeles Times, November 5, 1998. See Also Generally: Wendy Goldman Rohm's outstanding book "Microsoft File: The Secret Case Against Bill Gates." Microsoft then instituted a far less inclusive "retention policy" (See Caldera v. Microsoft) and also an "upgrade policy." As it happened the "upgrades" didn't convert over the old mail. This was the subject of the potential sanctions and quite a to-do at the time. Mind you, these were all in the context of "routine" destruction. Since then I understand from third parties that they have changed their policy and now archived email is pretty much allowed to slowly rot and general disinterest paid to archives, no policy is actually implemented- much better looking really. Just careless, not malicious.
(And, by the way, conventional remailer logs, it would seem, would be of incoming traffic and outgoing traffic. The guts of the "request-remailing-to" operation, in either Cypherpunks Type I or 1 or Mixmaster remailers happens inside another program. It would take extra twiddling of the logging software to actually add a report saying "Incoming message #71734 was pooled and was sent out 23 minutes and 18 seconds later as outgoing message #70219.")
A compelling technical argument. Not so compelling without lots of expert testimony in court. _I_ agree with you, Mr. May. I'm pointing out that we need to find ways to give remailer operators more shielding than these kinds of technical arguments- which courts do not traditionally have an easy time understanding. (Napster, MPAA, RIAA, Microsoft, etc.).
Standard Unix or Linux logs should not be very helpful, and keeping them is not required by any current statute. (CALEA may have stuff in it about logs, but the LEAs have yet to push in this direction. Certainly an ex post facto law penalizing someone for violating CALEA when no CALEA standards/precedents are established would be a reach.)
Again, the fact that no statute exists hardly gets you out of the woods- none of the cases I cited rely on a statute to impose sanctions, except for the relevant rules of civil procedure and potentially obstruction of justice, which is such a catch-all that it can be applied here. (CALEA is dead at sea- and I hope it stays that way).
Mr. May later comments:
By the way, my insurance companies, financial advisors, and real estate agents will NOT take e-mail orders or instructions. Morgan Stanley Dean Witter, for example, will NOT take orders or instructions in e-mail.
My broker, banker, and financial advisors all will accept signed email instructions from me. I rarely give instructions this way, however- that's personal preference. They are not the only ones either. I know of three large trading operations that use email now to deal with large contract trades. (They used to use fax). Moreover they keep archives for 10 years of all their customer e-mails.