Scarfo "keylogger", PGP

Steven M. Bellovin smb at research.att.com
Tue Oct 16 12:35:54 EDT 2001


In message <9qftr6$23i$1 at abraham.cs.berkeley.edu>, David Wagner writes:
>It seems the FBI hopes the law will make a distinction between software
>that talks directly to the modem and software that doesn't.  They note
>that PGP falls into the latter category, and thus -- they argue -- they
>should be permitted to snoop on PGP without needing a wiretap warrant.
>
>However, if you're using PGP to encrypt email before sending, this
>reasoning sounds a little hard to swallow.  It's hard to see how such a
>use of PGP could be differentiated from use of a mail client; neither
>of them talk directly to the modem, but both are indirectly a part of
>the communications path.  Maybe there's something I'm missing.

The problem is that you're thinking like a computer scientist instead 
of like a lawyer...

Definitions are important in the law.  The wiretap statute (18 USC 2510
et seq, http://www4.law.cornell.edu/uscode/18/2510.html) defines
an "electronic communication" as "any transfer of signs, 
signals, writing, images, sounds, data, or intelligence of any 
nature transmitted in whole or in part by a wire, radio, 
electromagnetic, photoelectronic or photooptical system that 
affects interstate or foreign commerce, but does not include - 
(A) any wire or oral communication..."  ("Wire communications"
refers to telephone calls.)  Interception of such transmissions
is one of the things governed by the wiretap statute; the procedure
for getting an authorization for a tap is very cumbersome,
and is subject to numerous restrictions in both the statute and
DoJ regulations.

Access to *stored communications* -- things that aren't actually
traveling over a wire -- is governed by 18 USC 2701 et seq.,
which was added to the wiretap statute in 1986.  (That's when
electronic communications were added as well.)  The rules for
access there are much simpler.  But that section was written on
the assumption that email would only be stored on your service
bureau's machine!  In this case, it would appear that we're back to
the ordinary search and seizure statutes governing any computer records
owned by an individual.  *But* -- if they're *in the process of being
sent* -- 2511 would apply, it would be a wiretap, and it would be
hard to do.  The FBI agents who wrote that keystroke logger are
well aware of this distinction, and apparently tried to finesse
the point by ensuring that no communications (within the meaning
of the statute) were taking place when their package was operating.

I suppose that someone could make an argument to a judge that
email being composed is intended for transmission, and that it
should therefore be covered by 2511.  The government's counter will
be to cite 2703, which provides for simpler access to some email, as
evidence that Congress did not intend the same protections for
email not actually in transit.  I'd have to reread the ruling
in the Steve Jackson Games case to carry my analysis any further,
but I'll leave that to the real lawyers.



---------------------------------------------------------------------
The Cryptography Mailing List