Law Hits Home

A recent court decision on a 5-year-old case highlights the failure of our laws to protect the privacy of personal e-mail.

Everyone (or almost everyone) knows that the e-mail you send and receive at work, using your employer's computers and network, isn't really private: The company and your boss have the right to both monitor and read what you're sending and receiving. But if you're like me, you probably thought that the Internet service provider you use at home--and by extension those who work there--doesn't have the same right. We're wrong: They do.

At least that's what a recent court ruling says. Apparently, a strict reading of the laws that supposedly protect our private communications--principally 1968's Wiretap Act (Chapter 119 of Title 18) and one of the subsequent amendments to it, 1986's Electronic Communications Privacy Act--in effect denies e-mail the kind of privacy protection from law enforcement agents that other forms of personal communication have.

What's more, the laws give ISPs pretty much the same right to read and monitor your e-mail that you have.

In Transit Versus Stored

About a month ago, in United States v. Bradford C. Councilman, the U.S. First Circuit Court of Appeals ruled that an ISP wasn't covered by the Wiretap Act if it chose to snoop into its users' e-mail because the e-mail messages were stored on its servers.

Councilman worked for a company called Interloc, a rare-book listing service that also provided Internet access (the company was subsequently bought by Alibris). He ordered a modification to the company's e-mail-handling program so that he could identify e-mail sent to its users from certain domains, such as Amazon.com, that were his competitors. He then read those e-mail messages in order to get a competitive advantage.

However, according to the Wiretap Act, an ISP is not allowed to intercept your e-mail and read it or otherwise use its contents. So the federal government prosecuted.

Councilman argued that he didn't intercept anything, as the e-mail messages were no longer in transit: They were stored in the RAM or on the hard drive of his company's computers. Both the district and appellate courts in Massachusetts agreed.

Why should the location matter? Well, it matters because the law treats stored e-mail messages differently from ones in transit. I kid you not.

Stored e-mail messages fall under the guidelines set out in 1968's Stored Communications Act (Title 18, Chapter 121). Its restrictions on both ISPs and law enforcement agents are less stringent than the rules governing communications under the Wiretap Act. And while wiretap laws don't allow ISPs to read your e-mail, the Stored Communications Act does.

Like so many other legal decisions, it all comes down to language and definitions--in this case the definitions of transit, transmission, and interception. For the wiretap rules to apply, your e-mail has to be intercepted, which means it has to be in transit.

If I were asked, I'd say an e-mail is in transit as long as it hasn't actually been downloaded to my inbox: It hasn't reached me, so it's still traveling. It's like a package: Those new CDs I've ordered from Amazon.com are still in transit until they're in my hands, although technically they may be stored at the local UPS depot awaiting rescheduled delivery because I wasn't home the first time.

However, the laws are worded--and have been interpreted by the courts--to define transit as a very limited state for electronic communications. Transit is only that tiny portion of time it takes an e-mail message to pulse through telecom pipes between periods when it's stored on the servers that route e-mail traffic from sender to receiver. Storage is quite broadly defined in these laws. It includes all kinds of momentary storage, such as on a server or in a PC's RAM, or even its cache. So e-mail is considered to be "in storage" nearly all of the time.

Welcome to the wacky world of law.

Consistent Protection in the Works

Although the decision in United States v. Councilman gives ISPs the right to snoop into users' e-mail practically anytime they want to--and significantly eases access to private e-mail for law enforcement agents--it's something of a red herring, says Kevin Bankston, an attorney for the Electronic Frontier Foundation. The real problem, he says, is that the Stored Communications Act and the Wiretap Act treat e-mail so differently, when they should protect it in the same way. Voice mail, for example, is explicitly protected under wiretap laws even when it's stored.

At least some congressional representatives think this discrepancy should be resolved, and a new bill (H.R. 4956) proposed in late July should help do just that. The E-Mail Privacy Act of 2004 would basically place e-mail, even while it's stored, under the interception rules for wiretaps, and would also help prevent ISPs from accessing users' e-mail messages beyond what's needed for the service to function.

Not All Monitoring Is Bad

There are certain kinds of e-mail scanning and filtering I want my ISP to perform. It can--and should--go to town on spam, and I'm grateful for any virus or worm scanning that goes on before my local protection kicks in. In my mind, that's part of the service I'm paying for. ISPs are allowed to perform functions like this because such actions are considered part of their normal course of business, or serve to protect their business or equipment. H.R. 4956 would have no effect on that.

In case you're wondering, Google's controversial Gmail wouldn't be affected under the new bill either. Users know exactly what they're getting into when they sign up, so they have given consent to Gmail's computerized snooping.

ISPs already enjoy a certain privileged position in the eyes of the law: They're exempt from responsibility and liability for what their users say in the e-mail the service handles. That privilege exists for good reason: They need that freedom to operate the service and consequently allow you and me to exercise our free speech on this medium. But the unrestricted right to scan, read, or copy the e-mail they process--without user knowledge or consent--serves no comparable good. It's time to close that loophole.

Anush Yegyazarian is a PC World senior editor.
