September 18, 2004

The Node is the Threat

Slowly, inch by inch, by hack and by phish, the Internet security community is coming to realise that the Node is the Threat, and the Wire is incidental. The military-inspired security textbooks of the 80s that led to 90s security practice never had much relevance for the net, simply because in military and national security places, the nodes were well guarded. It was the antennas of the NSA and the GRU that those guys were focused on.

Whether you agree with the following judgement or not (and one judge did not), it highlights how the node is where the action is [1]. If you secure the wire and ignore the node, then you've only done a tiny part of the job. Probably still worth doing, but don't hold any illusions as to the overall security benefit, and don't sell any of those illusions to the customer.

[1] See also the Wired article on E-Mail Snooping Ruled Permissible and the court record.

ISPs Can Check E-Mail

By Roy Mark July 1, 2004

Backed by the clear, though perhaps out-of-date, language of the Wiretap Act, e-mail providers have the right to read and copy the inbound e-mail of their clients, a federal appeals court ruled Wednesday. The decision sparked howls of protest from privacy advocates, despite immediate assurances from some of the nation's largest ISPs that they would never engage in such practices.

The U.S. Court of Appeals for the 1st Circuit in Boston voted 2-1 Wednesday to uphold the dismissal of a 2001 indictment against Branford C. Councilman, the vice president of now-defunct Interloc Inc., a rare and out-of-print books site.

The U.S. district attorney for Massachusetts charged Councilman, who maintained an e-mail service for his clients, with illegal wiretapping for making copies of e-mail sent to his clients from The district attorney claimed Councilman copied the e-mail to gain a competitive advantage.

But Councilman's attorneys argued his actions were within the legal limits, because he did not intercept the messages in transit. E-mail, often only momentarily, is routed through servers. The U.S. District Court for Massachusetts ultimately ruled that counted as storage and dismissed the indictment.

Yesterday's decision echoed that ruling in voting to uphold the indictment dismissal, saying e-mail does not enjoy the same eavesdropping protections as telephone conversations, because it is stored on servers before being routed to recipients.

Samantha Martin of the Massachusetts district attorney's office said, "We are still in the process of reviewing that decision and weighing our options on what steps to take next."

The two-judge majority deferred to the language of the Wiretap Act, noting it prohibits the unauthorized interception and storage of "wire communications," but only makes reference to the interception of "electronic communications."

"The Wiretap Act's purpose was, and continues to be, to protect the privacy of communications. We believe that the language of the statute makes clear that Congress meant to give lesser protection to electronic communications than wire and oral communications," Appeals Court Judge Juan R. Torruella wrote. "Moreover, at this juncture, much of the protection may have been eviscerated by the realities of modern technology."

"We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes," Torruella wrote. "However, it is not the province of this court to graft meaning onto the statute where Congress has spoken plainly."

In his dissenting opinion, Appeals Court Judge Kermit V. Lipez said there is no distinction between the electronic transmission and storage of e-mail.

"All digital transmissions must be stored in RAM or on hard drives while they are being processed by computers during transmission," Lipez wrote. "Every computer that forwards the packets that comprise an e-mail message must store those packets in memory while it reads their addresses, and every digital switch that makes up the telecommunications network through which the packets travel between computers must also store the packets while they are being routed across the network."

Lipez concluded: "Since this type of storage is a fundamental part of the transmission process, attempting to separate all storage from transmission makes no sense."

America Online, EarthLink (Quote, Chart) and Yahoo (Quote, Chart), three of the country's largest ISPs, all have privacy policies prohibiting them from reading customer e-mail, except in the case of a court order.

"Consistent with Yahoo's terms of service and privacy policy, we do not monitor user communications," said Yahoo spokeswoman Mary Osako said.

Also jumping to the ISP defense was EarthLink spokeswoman Carla Shaw.

"EarthLink has a long history of protecting customer privacy, and that protection extends to e-mail," she said. "We don't retain copies of customer e-mail, and we don't read customer e-mail."

But this does little to alleviate the concerns of folks like Kevin Bankston, an attorney for the online privacy group Electronic Frontier Foundation.

"By interpreting the Wiretap Act's protections very narrowly," Bankston said in a statement, "this court has effectively given Internet communications providers free reign to invade the privacy of their users for any reason and at any time."

Bankston added that the law "has failed to adapt to the realities of Internet communications and must be updated to protect online privacy."

Posted by iang at September 18, 2004 08:00 AM | TrackBack

Perhaps the idea of privacy has to be modified to make a clearer understanding that if you transmit anything in any fashion it becomes the public domain. The assumption of having a save place must be limited to thoughts only. Freedom of association ends when only the thoughts inside your head are private and nothing else. Since the concept of a home a refuge from the world is now a joke and the concept of a family follows along the same path then it is the indivisuals thoughts that are private nothing else. Limits on anyones ability to obtain information are foolish. Now if they find a way to steal the thoughts in your head we are all doomed. The notion of privacy and its actions are false and cannot be enforced by law. Cultural norms might work since the only thing that seperates us from Chimps is culture. Cultural profiling maybe the means of obtaining privacy of course one needs to test the transmitters and recievers of information and their ability to shield it from those not meeting the cultural threshold for privacy to exist. So barbarians have invaded and will not stop until you are destroyed. Maybe just maybe some more draconian measures should be taken against those caught taking something private like the cutting off of the hand.

Posted by: Jim Nesfield at September 18, 2004 10:06 AM