SSL/TLS and port 587

Steven M. Bellovin smb at cs.columbia.edu
Wed Jan 23 11:45:31 EST 2008


On Wed, 23 Jan 2008 08:10:01 -0800
Ed Gerck <edgerck at nma.com> wrote:

> Steven M. Bellovin wrote:
> > On Tue, 22 Jan 2008 21:49:32 -0800
> > Ed Gerck <edgerck at nma.com> wrote:
> >> As I commented in the
> >> second paragraph, an attack at the ISP (where SSL/TLS is
> >> of no help) has been the dominant threat -- and that is
> >> why one of the main problems is called "warrantless
> >> wiretapping". Further, because US law does /not/ protect
> >> data at rest, anyone claiming "authorized process" (which
> >> the ISP itself may) can eavesdrop without any required
> >> formality.
> >>
> > Please justify this.  Email stored at the ISP is protected in the
> > U.S. by the Stored Communications Act, 18 USC 2701
> > (http://www4.law.cornell.edu/uscode/18/2701.html).  While it's not a
> > well-drafted piece of legislation and has been the subject of much
> > litigation, from the Steve Jackson Games case
> > (http://w2.eff.org/legal/cases/SJG/) to Warshak v. United States
> > (http://www.cs.columbia.edu/~smb/blog/2007-06/2007-06-19.html), I
> > don't see how you can say stored email isn't protected at all.
> 
> As you wrote in your blog, "users really need to read those boring
> [ISP] licenses carefully."
> 
> ISP service terms grant the disclosure right on the basis of
> something broadly called "valid legal process" or any such
> term as defined /by the ISP/. Management access to the account
> (including email data) is a valid legal process (authorized by the
> service terms as a private contract) that can be used without
> any required formality, for example to verify compliance with the
> service terms or something else [1].
> 
> Frequently, "common sense" and "standard use" are used to
> justify such access but, technically, no justification is
> actually needed.
> 
> Further, when an ISP such as Google says "Google does not share
> or reveal email content or personal information with third
> parties." one usually forgets that (1) third parties may actually
> mean everyone on the planet but you; (2) third parties also
> have third parties; and (3) #2 is recursive.

You're confusing two concepts.  "Warrants" apply to government
behavior; terming something a "wireless wiretap" carries the clear
implication of government action.  Private action may or may not
violate the wiretap act or the Stored Communications Act, but it has
nothing to do with warrants.
> 
> Mr. Councilman's case and his lawyer's declaration that "Congress
> recognized that any time you store communication, there is an
> inherent loss of privacy" was not in your blog, though. Did I
> miss something?

Since the Councilman case took place several years before I started my
blog, it's hardly surprising that I didn't blog on it.  And it turns out
that Councilman -- see http://epic.org/privacy/councilman/ for a
summary -- isn't very interesting any more.  The original district
court ruling, upheld by three judges of the Court of Appeals,
significantly weakened privacy protections for email.  It was indeed an
important and controversial ruling.  However, the case was reheard en banc;
the full court ruled that the earlier decisions were incorrect, which
left previous interpretations of the wiretap law intact.  As far as I
can tell, it was never appealed to the Supreme Court.  (The ultimate
outcome, which isn't very interesting to this list, is discussed in
http://pacer.mad.uscourts.gov/dc/opinions/ponsor/pdf/councilman%20mo.pdf)

You are, of course, quite correct that ISP terms of service need to be
read carefully.

> 
> Cheers,
> Ed Gerck
> 
> [1] in http://mail.google.com/mail/help/about_privacy.html :
> Of course, the law and common sense dictate some exceptions. These
> exceptions include requests by users that Google's support staff
> access their email messages in order to diagnose problems; when
> Google is required by law to do so; and when we are compelled to
> disclose personal information because we reasonably believe it's
> necessary in order to protect the rights, property or safety of
> Google, its users and the public. For full details, please refer to
> the "When we may disclose your personal information" section of our
> privacy policy. These exceptions are standard across the industry and
> are necessary for email providers to assist their users and to meet
> legal requirements.



		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List