gregh  2007-08-02 14:28  blawgging  Blogging  email  Law   

Introducing the Inspired Blawggers Newsletter!:

You might notice, if you're reading this on the blog's website, that I've got a new addition to the sidebar - a prominent link to a new page where you can sign up to join the newly minted Inspired Blawggers newsletter mailing list!

This newsletter is going to feature all new content - stuff you won't find on Inspired Solo or anywhere else, for that matter. Articles written exclusively for the newsletter will include a host of topics of interest to lawyers who blog:

"I will inspire you to be a better blawgger by forcing you to sign up for an email newsletter."

For those of us who realize the benefits of syndication, the notion of being forced into email newsletters is crazy. Email doesn't allow for the richness, the linking, the sharing, or the cataloging that syndicated web content does. There is really only one compelling reason to make this sort of move: identification of readers to advertisers. That's hidden in code here: "in addition to new and exclusive content, subscribers will also receive advance notice of new services and products from Inspired Consulting. . . ." But then there's my favorite: "regular “best of the blog” feature where I’ll highlight some of the most useful posts at The Inspired Solo since the last newsletter was issued."

Tell me again how an email newsletter is supposed to inspire me about blogging? And please, tell me how seriously I'm supposed to take a blogger who resorts to a an email newsletter for content distribution.

gregh  2007-07-22 20:21  ECPA  email  fourth_amendment  Law   

That's not an uncommon question. The argument may be easy to buy into. Stored email is afforded little protection under the Stored Communications Act (SCA). Given those weak protections, why bother with the complexities of interception when they can simply be requested from the provider?

The answer is simple. Savvy users of email will limit their exposure to subpoenas for stored email. How? Control of mail servers is the most likely. Media conversion of email on delivery is another. International mail servers is yet another. There are others. What's more, the government always limit its access to a single type of network traffic. If agents are already sniffing for instant message traffic, there's no reason to expect they won't also go ahead and collect emal information. The end result is that the government, in spite of the ease of collecting email under the SCA, will still have motivation and opportunity to intercept email.

If the government is going to intrude on Americans' privacy protections online by intercepting Internet communications, assessing the protections of intercepted email remains important.

gregh  2007-06-18 11:51  email  fourth_amendment  stored_communications_act   

The Sixth Circuit Court of Appeals ruled today in Warshak v. United States. At issue, in part, was whether a person has a reasonable expectation of privacy in their email stored at their ISP, and if so, whether the non-warrant seizure provisions of the Stored Communications Act are valid under the Fourth Amendment.

The answers: Yes and No. Yes, Warshak did have a reasonable expectation of privacy in his emails, even though they were stored at his ISP. The court reached this decision in spite of U.S. v. Miller, which has been repeatedly abused to suggest otherwise. Miller held that a bank customer has no reasonable expectation of privacy in bank records, because they have been turned over to a third party. The pro-search-and-seizure crowd has run with this, claiming that Miller stands for the proposition that any content turned over to a third party voids a reasonable expectation of privacy.

The issue is whether email messages are actually turned over to a third party for storage. In Miller, information of bank transactions were necessarily turned over to the bank; how else would they track what a customer did? Distorting it to have a much broader scope simply made no sense. Similarly, in Smith v. Maryland, the Supreme Court held that there was no reasonable expectation of privacy in the phone numbers a person dialed, because they were necessarily turned over and often recorded by the phone companies in their normal courses of business. However, Smith did overturn Katz by any stretch, and in fact imposed the content/non-content divide that has been causing so much consternation.

The court flatly denied the argument that a third party receiving and holding email messages constituted the elimination of a reasonable expectation of privacy, because the third party in this instance was simply an intermediary, not a party the content was being shared with:

Compelled disclosure of subscriber information and related records through the ISP might not underermine the e-mail subscriber’s Fourth Amendment interest under Smith, because like the information obtained through the pen register in Smith and like the bank records in Miller, subscriber information and related records are records of the service provider as well, and may likely be accessed by ISP employees in the normal course of their employment. Consequently, the user does not maintain the same expectation of privacy in them vis- a-vis the service provider, and a third party subpoena to the service provider to access information that is shared with it likely creates no Fourth Amendment problems. The combined precedents of Katz and Smith, however, recognize a heightened protection for the content of the communications. Like telephone conversations, simply because the phone company or the ISP could access the content of e-mails and phone calls, the privacy expectation in the content of either is not diminished, because there is a societal expectation that the ISP or the phone company will not do so as a matter of course.

That is some good stuff right there. Yes, a user of a commercial email service may retain a reasonable expectation of privacy in the messages stored by that service.

And so, the big question, are those facets of the Stored Communications Act that allow such seizures without warrants (or other sufficient notice to make the seizures reasonable) facially valid?

The Sixth Circuit said no:

Under Berger, facial invalidation is justified where the statute, on its face, endorses procedures to authorize a search that clearly do not comport with the Fourth Amendment. A seizure of e-mails from an ISP, without either a warrant supported by probable cause, notice to the account holder to render the intrusion the functionaly equivalent of a subpoena, or a showing that the user maintained no expectation of privacy in the e-mail, amounts to exactly this.

Perhaps a less crushing finding, but also an important one, was the finding that Warshak had standing to file this suit at all. It would have been easy for the court to crumble under the Lyons argument put forth by the government and let this slide under the table. However, unlike Lyons, the court noted that it is government policy to seize email using the procedures of the Stored Communications Act, and with the prosecution of Warshak still ongoing, there's still reason to believe that he had standing to request that the government be enjoined from further illegal seizures of his email.

What didn't the court address that I sure would like some more court action on? The divide between content and non-content. However, this is big. Congratulations to University of San Francisco Professor Susan Freiwald (my Cyberspace Law prof and the reviewer of my paper), Professor Patricia Bellia of Notre Dame, and the Electronic Frontier Foundation as Amici Curiae on this matter.

gregh  2007-06-17 20:43  ECPA  email  fourth_amendment  privacy   

Dialing, routing, addressing, and signaling. Pen registers and trap-and-trace devices are devices that may be used to collect the non-content portions of a communication. As I've previously written, contents refers to "any information concerning the substance, purport, or meaning" of a communication. Therefore, non-content dialing, routing, addressing, and signaling information is necessarily such information that does not concern any such information about a communication. Simple enough, right?

Well, it seemed simple enough to Congress. They proceeded with the intention to call an "email address" a communications "facility," moving it into the definitions of pen registers and trap-and-trace devices. This involves a convoluted notion that one communicates from email address to email address, much as one communicates from phone to phone. Obviously, this is nonsense, but that hasn't stopped law enforcement from seizing upon this expansion.

However, let's assume for a minute that an email address actually is a communications facility unto itself, and that when we communicate via email, the endpoints are actually email addresses. If we focus solely on the real-time interception of non-content information of an email communication, what is "dialing, routing, addressing, and signaling" information, and what is "any content concerning the substance, purport, or meaning" of that communication? Remember, this is still a message in transit across the Internet.

Here's what we know. Before the email message can be sent, there is already going to be a TCP connection established between the sending computer and the receiving computer. Only after the TCP connection is established may the actual communication take place. When that message gets to the remote computer, that remote computer is going to have to receive it, most likely via the SMTP. In this day and age of heavy spam and other deviousness online, it is very likely that the message is going to have to be formatted somewhat well in order to be delivered.

In order for a message to be properly formatted for receipt by the remote computer, the sending computer will send SMTP commands, continuing to send others, followed by the actual content of the message being sent, in response to replies from the remote computer. The sending computer will give, at a minimum, its name, the email address that is sending the message, the email address that is the destination of the message, and finally, the message. If these steps aren't followed, the message will not be delivered.

But there's more. Once a message is delivered, for a communication to be complete, the message must be read. There are many things that may be carried in a message to allow it to be understood. Obviously, the body of the message allows it to be understood. But we're concerned, also, with any information that concerns the substance, purport, or meaning of the message.

In a telephone call, a great deal of substance, purport, or meaning may be derived from the voice of the communicator. In email, there is no such voice. However, the sending address certainly gives a message voice. The personalizable "From:" header my also lend such a voice. Bayesian spam filters assign scores to a message based on tokens in the headers, and these can also lend a voice, as can such headers as message priorities and the "Received:" headers, which allow a message to be traced and in many mail programs, is used to sort messages by date (and not the "Date:" header.)

In short, the proper use of SMTP commands, the email addresses and addressing, as well as received headers and the nature of the contents of the headers all lend substance, purport, and meaning to a message. However, under the most common interpretations of the current laws, all of those pieces of content may be readily obtained by law enforcement agents under the Pen Register Act.

gregh  2007-04-10 08:23  email  spam   

You know your work is infecting your sensibilities when you open a mail with the above subject headings, worried that it might just be about system with those names and not a spam.

gregh  2006-11-06 15:43  email  Law  privacy  spam   

My fellow USF School of Law blogger notes:

Spam:

This is good to know. Cal. Bus. & Professions Code section 17538.4 requires that spam have an opt-out feature. If you opt out and they continue spamming you, they can be liable for $50 per message up to $25,000 per day.

I wonder if the source of the spam has to be located in California?

The short answer... isn't particularly short.

California Business & Professions Code § 17538.4 was repealed in 2003. It was split up into a number of pieces. The most interesting are Cal. Bus. & Prof. Code §§ 17529.2 and 17529.8.

The former restricts the sending of spam from California or to email addresses in California (along with some restrictions on address harvesting):

Notwithstanding any other provision of law, a person or entity may not do any of the following:
(a) Initiate or advertise in an unsolicited commercial e-mail advertisement from California or advertise in an unsolicited commercial e-mail advertisement sent from California.
(b) Initiate or advertise in an unsolicited commercial e-mail advertisement to a California electronic mail address, or advertise in an unsolicited commercial e-mail advertisement sent to a California electronic mail address.

The latter provides the remedies:

(a)(1) In addition to any other remedies provided by this article or by any other provisions of law, a recipient of an unsolicited commercial e-mail advertisement transmitted in violation of this article, an electronic mail service provider, or the Attorney General may bring an action against an entity that violates any provision of this article to recover either or both of the following:

(A) Actual damages.
(B) Liquidated damages of one thousand dollars ($1,000) for each unsolicited commercial e-mail advertisement transmitted in violation of Section 17529.2, up to one million dollars ($1,000,000) per incident.

(2) The recipient, an electronic mail service provider, or the Attorney General, if the prevailing plaintiff, may also recover reasonable attorney's fees and costs.

The problem is, 15 U.S.C. § 7707(b):

(b) State law

(1) In general

This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.

(2) State law not specific to electronic mail

This chapter shall not be construed to preempt the applicability of--
(A) State laws that are not specific to electronic mail, including State trespass, contract, or tort law; or
(B) other State laws to the extent that those laws relate to acts of fraud or computer crime.

That would seem to leave Californians with only § 17529.5:

(a) It is unlawful for any person or entity to advertise in a commercial e-mail advertisement either sent from California or sent to a California electronic mail address under any of the following circumstances:

(1) The e-mail advertisement contains or is accompanied by a third-party's domain name without the permission of the third party.

(2) The e-mail advertisement contains or is accompanied by falsified, misrepresented, or forged header information. This paragraph does not apply to truthful information used by a third party who has been lawfully authorized by the advertiser to use that information.

(3) The e-mail advertisement has a subject line that a person knows would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.

In short, we got a wimpy solution from the federal government that expressly preempted the laboratory that was being provided by the states. It allowed a bunch of folks in Congress to declare victory, when all we've really seen is a huge increase in the amount of spam. (At work, spam blocked by our very expensive filters currently knocks out around 50% of inbound email. Just a remaining trickle is actual spam after that.)

Until we can get widespread technical solutions, whether it's Microsoft's newly less-encumbered Sender ID, Yahoo's DomainKeys, the simpler SPF, or something else that's wandering around, things will continue to be ugly. Now that so much spam originates from the bots lingering around the world, trying to take any legal action against spammers is very, very difficult and expensive. The relatively small number of successful cases, given the huge expense of this problem, seems ample evidence of that.

gregh  2006-08-15 15:47  email   

Where "he" is Sam.

Back in April (I guess) I posted a blog entry suggesting that either I didn't know anyone who works at Google or if I did, I didn't know that I knew anyone who works at Google. Sam dropped me an email (and commented on the post) to confirm that I do, in fact, know someone who works at Google.

Today, Sam responded to my reply:

From: Samuel Minter
Date: Tue, 15 Aug 2006 23:34:33 +0000
To: greg@haverkamp.com
Subject: Re: xxxxxx

And now you do.

Greg Haverkamp wrote:

>How about that...
>
>Obviously, I had no idea.
>
>Greg
>
>On Tue, Apr 25, 2006 at 03:34:00PM +0000, Samuel Minter wrote:
>