Re: "Forward Privacy" for ISPs and Customers
Tim said
> IANAL, and I have been skimming over most of the Bell v. Unicorn v. Nuri debates about the legality of wiretapping, but something jumped out at me:
... stuff deleted ...
> I agree that ISPs look a lot like phone companies for the purposes of regulations and wiretaps. My ISP sells me some connectivity, sends me a bill, etc.
It seems to me that they are actually selling two separate things. One is connectivity, the other storage. The storage might have a different legal status than the connectivity. So, is email part of the connectivity or the storage? What is the legal status of phone company provided voice mail? This seems pretty close to email.
> Thus, if it is constitutionally OK (a technical term) for courts to order phone logs to be turned over to law enforcement, why not logs of e-mail? Or logs of Web sites visited, for example? I see no basis for a special distinction. Records are records, and businesses routinely have to turn over various records under court order.
> However, there are certain things my phone company does *not* do. They don't keep _copies_ (recordings) of my phone conversations. This means a court order can't yield copies of past conversations. They also don't track incoming phone calls to me. (I don't believe such records of incoming phone calls are kept; maybe I'm wrong. Certainly with Caller ID, storing incoming phone numbers is possible... I just don't think local or regional phone companies care about such records, and hence don't bother to accumulate them.)
> Now, should the phone company keep such records, they would be accessible via court order.
> My point? ISPs are currently in a position to turn over *far* more information than phone companies are able to turn over. It's as if the phone companies kept audio recordings of all conversations, without even the need for law enforcement to do a wiretap or pen register or whatnot. It would be trivial for law enforcement to say: "Phone Company, here's a subpoena/court order for the last 6 months of phone conversations Tim May has had. Please ship the tapes via FedEx."
Do we know that if phone companies kept recordings of your conversations they would have the same legal status as the records that they already keep?
> This makes the ISP case a bit different. Not legally, but technologically.
> There are some fixes.
> Something ISPs could do--and may do if there is sufficient customer pressure--is to adopt a policy of "forward secrecy" (to slightly abuse this technical term). That is, to have an explicit policy--implemented in the software--of _really_ deleting the back messages once a customer downloads them to his site. This means that _backups_ must be done in a careful manner, such that even the backup tapes or disks are affected by a removal.
> (Recall that Ollie North thought he had deleted his incriminating White House PROFS messages, but that they were faithfully preserved on backup tapes, and could be retrieved.)
> My Eudora Pro mail program sucks down messages from my ISP and, as yours probably does, tells the ISP's mail server to delete it upon downloading. An option for users could be something like "Don't make long-term backups of my account, and leave no copies whatsoever once I have downloaded my messages."
> This would make the job of law enforcement or a TLA a lot more difficult than it is now, where the e-mail and logs are ready to be handed over on a silver platter, all nicely accumulated and human-readable.
It would be good to get ISPs to work this way regardless of the law. It's better for the data not to exist than to have it legally hard to obtain.
> Back to the legal issue. Perhaps the Digital Telephony Act will be interpreted to require ISPs to make their systems "tappable," possibly by adding message logging, possibly just by offering access to the T1s and T3s only ("OK, Feds, here's where the T3 enters the building... be careful you don't cut the core, OK?").
> But if no logs and backup tapes of mail are kept, at least the job of gaining access to communications is made more difficult.
> And, I'm sure the lawyers will agree, while ISPs may be treated essentially the same as telephone companies, absolutely *nothing* requires either to keep specific kinds of account records (*), to "know their customer" (a la banking laws, supposedly), or to record all traffic.
> (* Prepaid phone cards, paid for in cash, and payphones, tell us that True Names are not needed with the phone companies. And so on.)
> We don't have to make it easy for them.
> --Tim May
> "The government announcement is disastrous," said Jim Bidzos... "We warned IBM that the National Security Agency would try to twist their technology." [NYT, 1996-10-02]
> We got computers, we're tapping phone lines, I know that that ain't allowed.
> ---------:---------:---------:---------:---------:---------:---------:----
> Timothy C. May | Crypto Anarchy: encryption, digital money,
> tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero
> W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets,
> Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
> "National borders aren't even speed bumps on the information superhighway."
--------------------
Scott V. McGuire <svmcguir@syr.edu>
PGP key available at http://web.syr.edu/~svmcguir
Key fingerprint = 86 B1 10 3F 4E 48 75 0E 96 9B 1E 52 8B B1 26 05
by way of Timothy C. May:
> It seems to me that they are actually selling two separate things. One is connectivity, the other storage. The storage might have a different legal status than the connectivity. So, is email part of the connectivity or the storage? What is the legal status of phone company provided voice mail? This seems pretty close to email.
The storage is sold as a separate service. If you look at ISP adverts, some offer this, some don't. The legal standing is a bit murky for data storage as far as I can tell. Some privacy act stuff comes into play, but I'm curious how similar it is to a "U-Store" type of rent-a-storage room. 24 hour hot backup facilities & their legal standing as far as property rights etc. would probably be the best example I can think of to parallel this to ISP storage.
> Do we know that if phone companies kept recordings of your conversations they would have the same legal status as the records that they already keep?
No, they couldn't by definition. Because unless otherwise ordered by the courts to keep your conversations, those conversations are considered to be not the phone company's property, private, and proprietary to you. They would be breaking the law if they kept them, because by definition, they are your property. The fone corps only own & have rights to the transport medium, not the content.
> It would be good to get ISPs to work this way regardless of the law. It's better for the data not to exist than to have it legally hard to obtain.
Agreed.
> And, I'm sure the lawyers will agree, while ISPs may be treated essentially the same as telephone companies, absolutely *nothing* requires either to keep specific kinds of account records (*), to "know their customer" (a la banking laws, supposedly), or to record all traffic.
Some of the privacy laws explicitly preclude this sort of behavior, in fact. There is such a thing as too much "knowledge" of a customer.
No, we don't have to make it easy for them. They shouldn't want it to be easy. This notion that Escrow is a good thing because of pornographers, terrorists, and criminals is just so much bullshit and we all know it. It's not an accident that the refrain bears such a resemblance to Dorothy's (not Denning, but she could play the witch, but rather the Wizard of Oz) mythical "lions and tigers and bears, oh my". Dorothy's feared lions and tigers and bears never materialized, and neither will the ones that Governments allude to. The notion that it's in my best/greater interest for me to give up *MY* privacy so that some LEO's job is made easier is just plain stupid, broken and wrong. My job is not to make their job easier. Their job is not easy, nor should it ever be in free societies. If they don't like it, they can go make donuts for a living. But I'm not going to help them try and redefine things to give them more time to play golf.

That aside, they're deluding themselves. As long as there are CryptoAnarchists and people willing to create the ability for common people to maintain (notice I said maintain) privacy in their lives, they won't win. They can't unless they want to sacrifice freedom and become totalitarians.

Key Escrow is bullshit. It's a bad concept, a bad idea, and mainly satisfies the control needs of a bunch of prune faced uptight stressed out & paranoid spooks. No one ~needs~ any form of publicly used key escrow (corps may want it for private internal use, but that's private). And I'll be damned if I'll ever use it.

-Give no ground.
Tim Scanlon
At 7:45 AM -0400 10/11/96, Tim Scanlon wrote:
> by way of Timothy C. May:
            ^^^^^^^^^^^^^^
> It seems to me that they are actually selling two separate things. One is connectivity, the other storage. The storage might have a different legal status than the connectivity. So, is email part of the connectivity or the storage? What is the legal status of phone company provided voice mail? This seems pretty close to email.
Careful with the attribution--I did not write anything in the paragraph above. However, I agree with most of the points you made.
> That aside, they're deluding themselves. As long as there are CryptoAnarchists and people willing to create the ability for common people to maintain (notice I said maintain) privacy in their lives, they won't win. They can't unless they want to sacrifice freedom and become totalitarians.
> Key Escrow is bullshit. It's a bad concept, a bad idea, and mainly satisfies the control needs of a bunch of prune faced uptight stressed out & paranoid spooks. No one ~needs~ any form of publicly used key escrow (corps may want it for private internal use, but that's private). And I'll be damned if I'll ever use it. -Give no ground.
--Tim May