SSL/TLS and port 587

Ed Gerck edgerck at nma.com
Wed Jan 23 11:10:01 EST 2008


Steven M. Bellovin wrote:
> On Tue, 22 Jan 2008 21:49:32 -0800
> Ed Gerck <edgerck at nma.com> wrote:
> 
>> As I commented in the
>> second paragraph, an attack at the ISP (where SSL/TLS is
>> of no help) has been the dominant threat -- and that is
>> why one of the main problems is called "warrantless
>> wiretapping". Further, because US law does /not/ protect
>> data at rest, anyone claiming "authorized process" (which
>> the ISP itself may) can eavesdrop without any required
>> formality.
>>
> Please justify this.  Email stored at the ISP is protected in the U.S.
> by the Stored Communications Act, 18 USC 2701
> (http://www4.law.cornell.edu/uscode/18/2701.html).  While it's not a
> well-drafted piece of legislation and has been the subject of much
> litigation, from the Steve Jackson Games case
> (http://w2.eff.org/legal/cases/SJG/) to Warshak v. United States
> (http://www.cs.columbia.edu/~smb/blog/2007-06/2007-06-19.html), I don't
> see how you can say stored email isn't protected at all.

As you wrote in your blog, "users really need to read those boring
[ISP] licenses carefully."

ISP service terms grant the disclosure right on the basis of
something broadly called "valid legal process" or any such
term as defined /by the ISP/. Management access to the account
(including email data) is a valid legal process (authorized by the
service terms as a private contract) that can be used without
any required formality, for example to verify compliance with the
service terms or something else [1].

Frequently, "common sense" and "standard use" are used to
justify such access but, technically, no justification is
actually needed.

Further, when an ISP such as Google says "Google does not share
or reveal email content or personal information with third
parties," one usually forgets that (1) third parties may actually
mean everyone on the planet but you; (2) third parties also
have third parties; and (3) #2 is recursive.

Mr. Councilman's case and his lawyer's declaration that "Congress
recognized that any time you store communication, there is an
inherent loss of privacy" were not in your blog, though. Did I
miss something?

Cheers,
Ed Gerck

[1] in http://mail.google.com/mail/help/about_privacy.html :
Of course, the law and common sense dictate some exceptions. These exceptions include requests by users that Google's support staff access their email messages in order to diagnose problems; when Google is required by law to do so; and when we are compelled to disclose personal information because we reasonably believe it's necessary in order to protect the rights, property or safety of Google, its users and the public. For full details, please refer to the "When we may disclose your personal information" section of our privacy policy. These exceptions are standard across the industry and are necessary for email providers to assist their users and to meet legal requirements.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com