Swiss ISPs Required to Log Email for Six Months - negative side effects for end users not mandated by the law due to chosen implementation approach

[Ralf Hauser]

Bill,

Just heard from a small ISP how some might implement this:
Some companies offering technical solutions to comply with the law (BUePF)
chose the following implementation approach:
Considering Switzerland being a small market and that a variety of different
makes of MTAs are in use, they would not implement the "wire"-tap mechanism
inside each MTA, but basically put a filter next to it.
Those filters apparently drop all encrypted traffic since it probably is too
costly to also tap into each MTAs (session) key management.

Conclusion 1: All content already encrypted by the end-user (GnuPG etc.) is
safe. (not too bad, as to be expected)

However, if ISPs using such a filter encrypt the traffic between their own
MTA and the destination ISPs MTA, their filter won't work and thus they
cannot cooperate with the law enforcement under this architecture as
required by the law.

Conclusion 2: In order not to get in trouble for not being able to cooperate
according to the law, some ISPs choose NOT TO USE ENCRYPTION BETWEEN MTAs
EVER (even if they offer SSL protection of SMTP/POP/IMAP to the end user).
(I don't think this was intended by the lawmakers because it increases the
exposure of all citizens - also those who are not under investigation
:(   :(  )

Ralf
> -----Original Message-----
> SWISS ISPS MUST LOG AND STORE CONSUMERS' EMAIL DATA
> As of April 1, Swiss ISPs will have to keep a log for six
> months of all the emails sent by their customers.  Experts
> criticize the measure, saying it will be both difficult and
> costly to implement.
> http://www.statewatch.org/news/2003/apr/01switz.htm
>
> =====
> The law was passed in January 2002, and ISPs had until April 1 to
> implement.
>
> Does anybody know if this only applies to email providers,
> or exactly what kinds of email providers,
> or if it also requires ISPs who provide IP transport to eavesdrop it?
> What about businesses providing email for their employees and other users?
> How much of the Swiss email business will be driven out of the country,
> either to US email providers or European providers like Wanadoo
> and Tiscali?
>
> And does anybody know if they have to keep _all_ the spam?
> Or is keeping one copy of each enough?
> Or can they give their customers _some_ privacy protection by
> always giving the authorities all of the spam in addition to
> whatever they really wanted?


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com