Court Upholds Warrantless Internet Snooping

amigoro writes to let us know about an appeals court ruling on Friday that holds that federal agents can snoop on an individual's web surfing, email and all other forms of Internet communication habits without a warrant. The court found recording this kind of information to be analogous to the use of a pen register. In 1979 the Supreme Court ruled that this technique did not constitute a search for Fourth Amendment purposes.

And what happened

[Bananatree3]

with the anti-wiretapping laws passed several decades ago? Please fill me in, do those have any effect or did they just sweep past them and make them irrelevent?

Re:

[Anonymous Coward]

They're saying that those don't apply in this case because they're not tapping wires, they're looking at logs.

Address implies content

[Harmonious Botch]

From TFA

...the court said, although the government learns what computer sites someone visited, "it does not find out the contents of the messages or the particular pages on the Web sites the person viewed."

The search is no more intrusive than officers' examination of a list of phone numbers or the outside of a mailed package, neither of which requires a warrant, Judge Raymond Fisher said in the 3-0 ruling.

I think that his honor missed something here. He seems to be saying that knowing the address of a web page is like knowing the address on an envelope, and in either case the contents is not being snooped upon. In the case of the letter he would be right, for a letter can contain anything ( I could mail a recipe for braised goat's eyes to Bin Laden ).
But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here.

Re:

[Anonamused Cow-herd]

But a web address often has a 1-to-1 corespondence with its contents.

Exactly. Knowing the to/from ADDRESS is one thing; knowing the _content_ of the request is another thing. This ruling allows things like:

• Monitoring search behaviors (since search contents are contained in GET URLs)
• Near-full auditing of all Web content viewed, down to individual comments/forum pages
• For some systems, warrantless snooping of usernames and passwords (when such information is contained in the URL)

Yeah. Bad idea.

Re:Address implies content

[Anonamused Cow-herd]

Hmm. Turns out the SF gate article is misleading. Disregard the above. http://blog.wired.com/27bstroke6/2007/07/appeals-c ourt-r.html [wired.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TheGavster]

It gets them MORE; the public success of a witch-hunt is measured in the gross number of people accused, not the net number actually guilty of anything.

Re:

[rtb61]

However, there really is a problem in the definition of what is and is not the public obtaining of a connection. Really for an ADSL enabled phone line, your obtaining a connection is the original connection between your modem and the ISP that you choose, all data transmitted there after constitute part of the electronic transmission that represent the communications between you and your ISP, so they a really wire tapping the communications between you and your ISP whether it be a hard copy printed log (no d

Re:

[Anonamused Cow-herd]

That's true. It's why I actually spelled out the text of the article in another post -- I was just trying to clear up a wrong post I'd made earlier.

Re:

[computational super]

compare an ecstasy drug-ring to a champion of civil liberties?

Did you expect the next landmark civil liberties supreme court decision to revolve around correspondence between heart surgeons discussing the best way to save the lives of starving African orphans? If civil liberties only apply to people above suspicion in the first place, there's not much point in having them, now, is there?

Re:

[mi]

But a web address often has a 1-to-1 corespondence with its contents.

Often is the key word here. You ignore it in one of your examples (regular mail), but stress it in the other (web addresses). You would not be mailing to Bin Laden often — not any more often, than you would connect to a jihadist web-site to post "terrorists are swine" on it.

I think, the judge is right...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

It would depend upon HOW they got that info.

[khasim]

But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents.

Exactly.

Now, there are possible ways to get the IP addresses that you connect to WITHOUT getting any more information than that (and such information is just about useless).

But I don't trust the government to put any effort into protecting MY Freedoms and privacy when it is so much easier for them to abuse such.

There is a huge difference between knowing

Re:

[PingPongBoy]

easier for them to abuse

Well, for one, they are probably not after people who have antipolitical views, but have much larger fish to fry, like terrorists |) Still, it makes you wonder how you are judged because you can't really tell what the Internet is doing against your reputation, especially if some website is rigged to send data to the wrong places.

On the one hand, given today's connectedness, one might be tempted to build snoop technology just to see if it's safe to go downtown--and does the ruling ok

Re:

[Wrath0fb0b]

But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here.

Heavens I wouldn't want the feds to know I had visited http://mail.google.com/mail/ [google.com] or https://www.paypal.com/us/cgi-bin/webscr?cmd=_acco unt [paypal.com] - then they could figure out all my email and PayPal transactions! Address only implies content for publicly available resources - resources in which you have no reasonable expectation of privacy. If you want to keep something private, stick a login screen in front of it or encrypt it.

As far as your statement that this "search" (which it isn't) is unconstitutional, I

Re:

[Tuoqui]

Unfortunately for you, it is possible to write a letter anonymously. You simply do not include a return address. The contents are guaranteed to be private and since there is no return address, who sent it is also private.

Unfortunately in an Internet world you need to stamp a return address on every packet you send out in the form of an IP address.

Re:

[sumdumass]

The thing is, Nothing has changed with the Internet since it's inception except people's understanding of it. If they don't like it, use other means for communications. We have known for ages that your not really anonymous on the thing and we have had many programs attempt to allow the anonymity people are looking for.

Don't act like something has been taken away. It hasn't. If anything, it has only been cleared up once and for all. This has been a question that has been out there since Clinton authorized Ec

Re:Address implies content

[Kadin2048]

The GP was wrong in his interpretation of the court's decision.

They actually realized that a log of IP addresses and a log of URLs are two very different things, and convey different levels of information. This was actually mentioned in a footnote (quoting from the Wired article [wired.com]):

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ [nytimes.com] whereas a technique that captures URLs would also divulge the particular articles the person viewed.

An example is the difference between a log that shows "http://en.wikipedia.org/wiki/Surface-to-air_missi le, http://en.wikipedia.org/wiki/Missile_guidance [wikipedia.org]" and one that shows "http://66.230.200.100". The latter is analogous to the numbers I'd dial into a phone in order to connect me to someone; the former is more indicative of the content of the communication.

Furthermore, just because a resource is "publicly available" doesn't mean that there's "no reasonable expectation of privacy." I expect that my Wikipedia browsing habits are between me, my ISP, and Wikipedia (and anyone else snooping on the line), likewise, although my Google searches are sent via GET URLs, that doesn't mean that they're public. (Particularly given that there's no alternative method, at least that I'm aware of, to use most search engines.) Libraries are public, also, but that doesn't mean that everyone's records are public information.

Re:

[coolGuyZak]

That would be the fourth amendment [wikipedia.org], chief:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

From the wikipedia article:

In Katz v. United States,[7] Justice Harlan issued a concurring opinion articulating the two-part test later a

Re:Address implies content

[dirk]

Well, the first thing is that they can not get the URL, only the web site address. So they can find out you went to Slashdot.org, but not that you went to a specific article. And while there is often a 1-1 correlation between the web address and figuring out the content, the same can be said for phone numbers. If I know you called Planned Parenthood, I know just as much as if I know you went to their web site. All I know is you have some interest in something they do. It does narrow it down a bit, but is far from conclusive, especially since I don't know what exactly you looked at on the page.

I'm not a fan of the pen register rule, but this seems like a completely logical and fair expansion of the rule to cyberspace.

Re:

[Firethorn]

Knowing person X emailed person Y can also contain just about anything. As for the webpage - that can be very dynamic. For example, you won't know what accounts I have at my bank simply because I log in there. That'd take more research.

I'm kinda conflicted on this issue. On the one hand, this is an invasion of privacy, just like recording who I send mail to, even if they don't read the contents. On the other hand, I can understand how this would be a valuable tool in law enforcement for things like dru

Especially where...

[Newer Guy]

Especially where the URL in question links to an email message! Many webmail services use URLs to access individual emails. Snooping these addresses can actually OPEN email messages. How can this be allowed?

Re:

[Kadin2048]

Well, although I agree with your general point -- that URLs are a whole lot more information than IPs -- however, I think the example of webmail is probably wrong. All non-trivial email systems, and all the public ones that I'm aware of, use some form of authentication besides just having hard-to-guess URLs.

So just knowing that I went to a particular webmail URL wouldn't let someone else gain access to it without also knowing my password, or having some other way to snoop the authentication. (Maybe copying

Re:

[mrchaotica]

Not to mention that the "address" of a web page is the IP address or domain name, not the full URL!

Re:

[Tim C]

No, that's the address of the server, the web page's address most certainly is the full URL - that's how you find it. Similarly, the address of a person living in a flat includes the flat number/name, not just the address of the building the flat is part of.

Re:Address implies content

[slashqwerty]

Something to keep in mind. The internet isn't so different from the mail. Simply knowing who someone communicated with provides the government with enough knowledge to track down someone who leaks embarrassing information to the press. From the U.S. Postal Museum in Washington, D.C.

At the beginning of the new America, nearly all the news came by mail. When the Constitution was signed, it was rushed by post riders to every town that had a printing press. And that's how the newspapers were able to bring the resounding news of how we were to govern ourselves. The newspapers knew of it first by mail.

In England, for centuries, the mail was frequently scrutinized by agents of the Crown or of the Parliament. It could be worth your life to write a letter that might be seen as having the seeds of treason. This did not happen here. From the beginning, by and large, the U.S. mails have been free of eyes other than our own and those of the sender.

To the framers of the Constitution, the mail made the engine of democracy run--along with the newspapers. And newspapers then printed a good deal of correspondence. Rufus Putnam, a key military figure in the Revolutionary War, said, "The knowledge diffused among the people by newspapers, by correspondence between friends" was crucial to the future of the nation. "Nothing can be more fatal to a republican government than ignorance among its citizens."

As a journalist, I have sometimes been asked where my leads for stories come from. Much of the time, they come from opening the mail. Readers from all over the country send personal stories, newspaper clippings, local court decisions, and student newspaper editorials arguing for the First Amendment rights of students. There is no other way I would have known about these stories except through the mail. It is through letters that I often receive highly confidential stories about unfairness in the justice system from people who would not trust any other form of communication.

The framers of the Constitution knew how vital the mail would be when Article I was written to protect privacy of communication through the mail.

Re:

[hacker]

I think that his honor missed something here. He seems to be saying that knowing the address of a web page is like knowing the address on an envelope, and in either case the contents is not being snooped upon.

The difference ends in the description.

If I was going to snoop on the contents of an envelope, it would be obvious that it was opened (except in the case of a professional de-sealing, of course).

With the URL of a webpage (or the IP it originates from), it is more akin to a postcard than an enve

Re:

[Tim C]

I think it really depends on the nature of the request. If all that's being read is a static page, then your analogy is good. If on the other hand information is being submitted to the web site (such as this comment), then merely knowing the URL doesn't tell you what was posted at all.

Not that I necessarily support the ruling, mind.

Re:

[hacker]

If on the other hand information is being submitted to the web site (such as this comment), then merely knowing the URL doesn't tell you what was posted at all.

But capturing the POST data (which would have to happen anyway, in the context of the transaction across the routers, through the wire-level sniffers), would certainly have that data.

Again, its like me walking through your house, and saying I only looked at your walls, but not at anything else in your residence, after I opened your door with th

Re:

[delong]

But a web address often has a 1-to-1 corespondence with its contents. Knowing the address is one simple - and undetectable - step from knowing the contents. They are doing an unconstitutional search here

No, they aren't. Just as dialing a specific phone number may be very indicative of the content of the call, given the person on the other end, the URL and email addresses one is contacting are addressing info. Just because there is some incidental indication of content is not the same as actually searching

Re:

[sumdumass]

Your not going to find a politician who isn't corupt in this sense. Even the third party candidate say one thing to their base to get funding and another to get votes. Of course this is assuming that is a level of corruption.

And yes, you do have a bunch of people who don't see this as the end of the world. there are more important things on their minds. When going to the polls, you aren't voting for the best man, you are voting for the lessor of two evils. The best men (women) for the jobs aren't even runni

Re:

[iminplaya]

We are picking from close to the bottom of the barrel when it comes to politicians.

To me that puts the blame for this entire mess squarely on our shoulders. I saw a great poster the other day that says, "Child prostitutions exists because YOU pay for it." I apply the same rules to spam and politics. The sellers are the serpent. The buyers are the sinners.

Re:

[sumdumass]

Sure, I don't see how I could disagree if I tried.

The problem is that if you don't participate, at least with the politics, you end up with worse then you want. You can't stop buying because it directly effects most of us and indirectly effects all of us.

Re:

[mysidia]

But the logs they are looking at are generated by equipment that taps into the wires. And the contents of the logs are not public knowledge, the contents of the second inner envelope are a private matter between a user and their service provider.

They are much more detailed than a list of phone numbers called. They are much more detailed than the address on an envelope.

The logged URL provides more information than the destination address on the packet.

In fact, even knowing that what was sent w

The laws are technologically obsolete

[hey!]

The laws were written with specific technologies in mind.

For example a wiretap is conceptually, if not legally, tied to telephony. In order to be a wiretap, a communication must have an aural component. Thus intercepting an email being sent over WiFi is not a wiretap, but a VoIP intercept is. Likewise intercepting an email with a voice mail attachment (such as might be generated by a voice mail/email gateway on a system like Asterix) might qualify as a wiretap.

There are provisions for controlling the reading of text messages, but the law is written for a system like the old Telex system, in which the messages are ephemeral,but stored in temporary buffers at various stages of delivery. Thus while intercepting an email in a transfer agent queue is questionable, once it is delivered to your email box at the ISP, it becomes fair game. It is no longer in transit, but stored on a server. In the days of Telex, you'd take your message of the teleprinter, read it, and shred it, knowing that it was gone forever, not recoverable from your mail box or from backup tapes.

The third part of the ECPA laws deals with something called a Pen Register: a device that is attached to an old fashioned phone line to capture the in-band signaling of the phone numbers being called. Even though the privacy concerns for email or web proxy logs are identical, these situations are not covered by the Pen Register Act.

The underlying problem is this: although attempts were made in the laws to make them independent of a specific technology, those efforts failed because US law (unlike EU law) does not recognize a fundamental right to private communication. There are packages of specific rights secured by the Bill of Rights, statutes and common law privacy concerns, but these rights are much less than a true right of private communication. The reason is that you can't have a meaningful right to private communication when that communication is mediated by a third party like an ISP or a telephone company, not unless you have a fundamental right to informational privacy.

Without a right to information privacy, anything that falls into the hands of a third party is fair game. This includes information ISPs or telephone companies store in order to route and deliver a message, up to and including the entire content of the message. ECPA, which consists of the Wiretap Act, the Stored Communications Privacy Act and Pen Register Act, closed these loopholes in its time, but as of today those loopholes are wide open again.

This process will repeat itself forever, no matter how many times we close the loophole, until a fundamental right of informational privacy is recognized. We could do that be adopting into law the EU Data Directive. The reason we don't is that this would hurt US companies which are flourishing by exploiting the America's backwater status when it comes to privacy.

Re:

[IdleTime]

Wow!

Now I understand why Americans are screaming about their freedom all the time, it's to convince yourself that you have freedom, which of course is bollocks.

Americans wouldn't know what freedom was if it hit them in the head, but they sure like to brag about their non-existent freedom

Re:

[PopeRatzo]

C'mon fellas, we're gonna have to learn to get along if this country's going to move forward in a post-impeachment America.

And it's been years since I've set foot in a coffee shop.

Bad conclusion

[CaptainPatent]

FTA:

Federal agents do not need a search warrant to monitor a suspect's computer use and determine the e-mail addresses and Web pages the suspect is contacting, a federal appeals court ruled Friday.

Because obviously we don't have a right to, nor would we want to keep any of that information private. Just because the decision was based upon an analogous situation doesn't mean the initial decision was necessarily correct in the first place.

Re:

[ari_j]

Results-oriented justice, your friend in the 21st century. *sigh*

Re:

[delong]

Because obviously we don't have a right to, nor would we want to keep any of that information private

The inquiry is whether you have a reasonable expectation of privacy, that is whether your expectation of privacy is objectively reasonable. The Fourth Amendment prohibits unreasonable searches and seizures, not searches and seizures that offend the most hypersensitive in the population.

Maybe it is the same. But I'm not convinced.

[khasim]

With a "pen register" all they get is the phone number you called.

That would be analogous to the IP address that you connected to (and maybe the port).

The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.

Encryption. Learn it. Love it. Live it.

Re:Maybe it is the same. But I'm not convinced.

[ScrewMaster]

Encryption. Learn it. Love it. Live it.

Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

The price of Freedom ...

[khasim]

People died for the Freedom that too many of us seem willing to trade away.

If the worst thing that happens to you is some jail time because you refused to reveal your keys, consider yourself ahead of the game.

Fascism begins when the efficiency of the Government becomes more important than the Rights of the People.

Re:The price of Freedom ...

[WilliamSChips]

No, Fascism begins when people decide that fighting Communism is more important than protecting rights.

Re:

[raehl]

No, Fascism begins when people decide that fighting Communism is more important than protecting rights.

s/Communism/Terrorism/g

Re:

[ScrewMaster]

I don't know what idiot modded you "Flamebait", because you're right. However, it's not really "efficiency" that we're talking about. What is efficient law enforcement? That's when the cops catch bad guys with a minimum of fuss and a minimum of disruption to the lives of the ordinary citizenry. What our government is doing now is not efficient: the cultural and economic impact of their activities is already significant, and increasing with every poor legal decision that gets handed down.

Possibly.

[khasim]

What is efficient law enforcement? That's when the cops catch bad guys with a minimum of fuss and a minimum of disruption to the lives of the ordinary citizenry.

The way I look at it, if you could catch one more "bad guy" a day ... just by skipping some of the procedures and processes that we have to protect our Rights ... how many people would support that?

Lots.

As opposed to Ben Franklin's:

That it is better 100 guilty Persons should escape than that one innocent Person should suffer, is a Maxim that has been long and generally approved.

They'd rather follow Otto Bismark's opinion:

It is better that ten innocent men suffer than one guilty man escape.

The problem is that it is the Government that chooses what "crime" and what "evidence" will be used to charge a person.

And the Government is composed of people. Sometimes honourable. Many times petty and vindictive if not outright criminals. Which is why our country was founded upon the belief that you cannot trust the Government. That we had to limit the Government's authority and protect the Rights of the People.

It's all about how you view Rights and whether you are with Franklin or Bismark.

Re:

[syousef]

If the worst thing that happens to you is some jail time because you refused to reveal your keys, consider yourself ahead of the game.

Lovely ideal but the practical considerations of having your life fall apart - job, marriage, family, friends all gone - say hi to your new cellmate who's hobbies include anal penetration of yourself aren't so nice.

Re:Maybe it is the same. But I'm not convinced.

[bobdotorg]

Encryption. Learn it. Love it. Live it.

Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

Even in the scenario where you are required to surrender your keys, encryption is still quite useful in the context of this article / warrantless searches. The authorities would need a warrant to make you surrender your keys, and you would know you were being spied upon.

Re:

[CaptainZapp]

Yeah, but it's sort of hard to encrypt URLs that you enter into you browser.

Re:

[AnyoneEB]

I am pretty sure that with HTTPS you can only tell what server the client is connecting to, not what URL on that server they are accessing.

Re:Maybe it is the same. But I'm not convinced.

[Ngwenya]

Until they illegalize it.

Extremely unlikely. You'd be trashing the entire electronic commerce infrastructure which relies on solid encryption. And there's no way a corporately oriented government system is going to do that.

Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it? :-) OK - snarky Brit comment over. Back to the normally scheduled stuff.

Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

You mean the United Kingdom. Sadly Scotland is also sucked into RIP silliness.

The police and other law enforcement agencies still need a judicially signed warrant to obtain those keys. There's all sorts of stupidities in there - but let me ask a question: Why should you be able to refuse to obey a properly formed court order? If they served a legitimate court order to hand over they keys to your house, should it be legal to flip them the finger? If you think that encryption keys are somehow immune to warranted seizure, you have to say why. Alternatively, if you think that all court seizure orders are wrong, then you probably have to defend that one even more!

I don't have a problem with warranted search and seizure. I have a huge problem with the LEAs thinking that privacy is solely a cover for people to do evil things.

--Ng

2nd Amendment

[sconeu]

Re: crypto...

GP: Until they illegalize it.

PP: Anyway - you've got no worries. If the USG tried that, you'd use all those wonderful 2nd-amendment protected firearms to overthrow it? :

Actually, you could make a Second Amendment argument to the court. Is strong crypto still on the ITAR list? If so, it's a "munition" and the Second Amendment guarantees your right to it.

Re:

[Ngwenya]

Actually, you could make a Second Amendment argument to the court. Is strong crypto still on the ITAR list? If so, it's a "munition" and the Second Amendment guarantees your right to it

I can't remember all the details, but ISTR that most publically available crypto systems were placed under the EAR (Export Administration Regulations) under the Department of Commerce, rather than the munitions list. The change happened under the Clinton administration, I think.

Anyway, I think the second amendment guarantees

Re:

[syousef]

Extremely unlikely. You'd be trashing the entire electronic commerce infrastructure which relies on solid encryption. And there's no way a corporately oriented government system is going to do that.

How about introducing a license to employ encryption. One where the banks and electronic trade organizations covered had a license that covered the end user. Anything done to employ encryption that hasn't been approved by an organization with a license is illegal. That'd make using PGP to send messages illegal f

Re:

[Ngwenya]

How about introducing a license to employ encryption. One where the banks and electronic trade organizations covered had a license that covered the end user. Anything done to employ encryption that hasn't been approved by an organization with a license is illegal. That'd make using PGP to send messages illegal for the guy on the street, but using a web browser to view an encrypted Internet banking page legal for the same guy.

Scary but doable I'm afraid.

Not really. As Ron Rivest illustrated with the winnowin

Re:

[syousef]

Would the law then become "Don't do anything we think might be suspicious"? At that point, you're saying the US government becomes an arbitrary entity, abandoning all constitutionally based jurisprudence - and the courts are happy to go along with it.

You mean like the US president's little habbit of wiretapping without a warrant, or your CIA's little habbit of spiriting people off to foreign countries and holding them without charge for almost 5 years? Or how about the whole thing with the RIAA/MPAA decide

Re:

[Ngwenya]

well, personally i think it's different from not giving over a key since, well, even though they're very similar, a physical key is an object and an encryption key or password is a tiny piece of knowledge. my opinion is that since it's data it ought to be treated differently. i know not everyone will agree with me there :)

Not everyone, indeed. Including most judiciaries in the world! :-)

I think most states would treat a password as like the combination to a safe. You cannot be physically tortured into revea

Re:

[hacker]

Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

As I wrote about almost exactly 2 years ago to the day [gnu-designs.com], this is our calling.

How do we answer?

Withhold your keys, indefinitely.

Let them keep asking for them. Keep saying NO! If they jail you for it, go. If they keep asking, keep saying NO.

Stand up for what you know is wrong, and let millions of others do the same.

Remember, we put our government into place to represent our best interests. Wh

Re:

[ScrewMaster]

And you especially say "No!" if you happen to have anything in your encrypted storage that would put you in jail anyway.

Of course, the government response to such reasoning would probably be to make withholding encryption keys a crime of such magnitude that you'll gladly give in to avoid more time in the pen than any ordinary criminal activity would land you. They justify that kind of abuse because, obviously, if you won't give them your keys you have something to hide, and the more you resist the more s

Re:

[hacker]

Now things are so far out of hand that any attempt at correction is going to be very expensive indeed.

Personally (and if you read my blog entry on it), its a cost I'm willing to bear.

What I believe in, and my morals are not subject to compromise.

Re:

[ScrewMaster]

What I believe in, and my morals are not subject to compromise.

That's good. Stay with it, you have the right idea. You just need to convince fifty or sixty million other citizens to think the same way. If you can, why, we'll have a genuine movement on our hands.

Making changes to the way a government works is less a matter of general principle (most Americans believe in what you're saying, I know I do) but of motivation and a willingness to take measured risks. You need to get people en-masse to get up

Re:

[stinerman]

Withhold your keys, indefinitely.

Shit, most of the time you don't know your encryption key. I have no clue what encryption key was used when I sent my last email to Gmail's SMTP servers. I use TLS, so I don't have the foggiest idea. Same with any website where you use SSL. Doing any offshore banking? I guarantee you don't know your session encryption key; it's pseudo-randomly derived and then thrown away.

Re:

[hacker]

Then the government will just have the NSA super computers brute force it in a matter of minuets AND you get thrown in jail.

Not quite.

I can generate a key that would take them longer than several lifetimes to crack, and encrypt my data with that. By the time they crack it, assuming they can brute force it, the data they get will be out of date and useless.

Remember, computers are still limited by physics, and we know what the maximum speed is; the speed of the electron.

Re:

[Sloppy]

simply make it illegal to withhold your keys from government agents

At least, at that point, you know it's happening. Someone can't put a gun to your head and demand your passphrase, without cluing you into what's happening. (Well, ok, barring rohypnol or something like that. ;-)

The British system sucks, but at least it keeps [that type of] surveillance "personal." When you force attackers to take active measures to thwart your privacy (i.e. make them make you give up keys, make them do MitM attacks ins

Don't forget all your Little Brothers

[Sloppy]

Encryption. Learn it. Love it. Live it.

Until they illegalize it. Or, as I understand England has done, simply make it illegal to withhold your keys from government agents.

One other thing to remember: while governments do tend to be the biggest threat to freedom and happiness, they're not all you have to worry about. Even that UK law only says you have to give your keys to the government, not just anyone who asks. You don't have to give your keys to Google, for example, so that they can scan your emails

Re:

[Ngwenya]

Even if they have no definite proof that there was anything illegal on my PC, as I cannot decrypt the contents of the HDD for them, I am arrested.

It's not quite that simple. They do have to be able to demonstrate to the court that there was a high likelihood that you were in possession of the key within a reasonable time frame (ie, if you were receiving emails encrypted with that key until yesterday, and responding with emails which were also self-encrypted under that key) then the court might hold that you

Who said the other stuff was right?

[twitter]

The question is how are they capturing the IP addresses? If they're capturing the packets, that's the same as a wiretap.

That's a valid point, supported by disturbing evidence. [slashdot.org] What I think they want you to think is that they can require ISPs to keep the information and demand it at any time. TIA was planned before 911 and is largely in place, despite overwhelming popular objections and Congressional disaproval.

There are objections [slashdot.org] to the other practices as well.

Re:

[ScrewMaster]

No kidding. I doubt they'll be able to block it too effectively (all those work-at-home types using corporate VPNS would be royally pissed off and so would their employers) but they can sure make it illegal. That way, anyone using encryption would have to register with their ISP (and thus with the Feds) and if you aren't registered you're presumed to be doing something illegal. An extension of the morally-bankrupt "if you've nothing to hide ..." principle.

I can't see Comcast or AT&T telling the Feds

More specifically

[Shadow Wrought]

They are allowed to look at the sender information on your e-mails and domain of websites you are looking at. The contents of the e-mails and which pages of a website, ie the URL, are still off limits.

Re:

[ColdWetDog]

I, for one, welcome our Federal email and HTML sniffing overloads.

Re:

[CODiNE]

Yikes, so then technically everyone who visits the Pirate Bay would automatically be suspected of seeking out child porn. Visit video.google.com and you have been engaged in activities consistent with someone looking for child porn. Let's say someone posts nasty stuff to Youtube which is later removed, it doesn't matter because that site is now flagged and anyone who visits it now has probable cause for a full-on investigation.

What this is really, is a legal way of labeling everyone on the internet as a p

Re:

[Dunbal]

What this is really, is a legal way of labeling everyone on the internet as a potential criminal.

      Well, from a law enforcement point of view, everyone IS a potential criminal.

      However I wish them luck drowning in their ocean of data. And hopefully the false positives will be able to prove their innocence (isn't it supposed to be the other way around?) and avoid going to jail.

Re:

[BoberFett]

And how exactly do they retrieve just the domain name? I imagine it has to parsed out of the full URL from the HTTP header. And as the courts of ruled before for copyright purposes, they think that having a copy of something in memory is legally the same as having a copy on the hard drive. What's good for the goose is good for the gander, so this should be considered making copies of the entire HTTP header including all URL data and possibly even POST data. That's clearly beyond just having the domain name.

Re:

[BoberFett]

"courts of ruled?" Sorry I just woke up. "courts have ruled"

Re:

[0x0000]

Fwiw, I find it odd that this URL/content info which Law Enforcement [within the 9th Circuit, at least] is not allowed to collect without a warrant is routinely collected with impunity by tracking cookies, "transparent" proxies, and so on. If this decision is going to stand, there should be some impact on legislation anti-spyware and private monitoring of internet activity by advertisers and ISPs.

Also, if I understand the situation correctly, e.g. Google already tracks all this information about their us

Great!

[schmidt349]

So they won't mind if I start encrypting everything then.

Re:

[/dev/trash]

As loing as you send them the keys first. You know in case children are involved or terrorists.

Ninth Circuit

[Anonymous Coward]

Circuit Courts of Appeals only have jurisdiction over cases arising in their proper Circuit. This decision is not applicable anywhere but the Ninth Circuit.

http://upload.wikimedia.org/wikipedia/commons/thum b/d/df/US_Court_of_Appeals_and_District_Court_map. svg/620px-US_Court_of_Appeals_and_District_Court_m ap.svg.png [wikimedia.org]

Editors, please.

Re:

[ravenshrike]

Stare Decisis. And they'll use it if it suits them, but otherwise they won't. Or they'll use it if they can ignore/twist the meaning all out of proportion(see almost every single fucking case that cites US V Miller except for the recent Parker decision.) Until the Supremes either take a case and define it or take a case using it and say it's proper, it's not truly Stare Decisis.

Misleading Summary

[logicnazi]

What the ruling held was that the header information of your email (and web browsing I believe) is subject to exactly the same standards as the information about what phone numbers you dial. Mostly this seems like an appropriate and totally correct extension of offline legal standards to the online world. The only reason that it is more problematic is that an email header includes things like the subject which contains a little bit of the content.

Still all things considered this seems like the correct rule. Subject lines don't contain that much information and if you are concerned you can just use an unrevealing subject. Moreover, we already contemplate the possibility that someone who happens to glance at the recipients screen might notice the title so it really doesn't seem like we have the same expectation of privacy for the title of the message as we do for the body.

Anyway for a better more interesting discussion about this case you can check out Orin Kerr's comments [volokh.com] over at the Volokh Conspiracy.

How this mess developed

[Animats]

This mess developed over time.

All this stems from a distinction in wiretap law that goes back to the dial telephone era. Listening to voice requires a warrant, because that info belongs to the parties of the call only. But information used by the telephone company itself to route the call, like dial digits, can be requested from the telephone company. A "pen register" was classically a little electromechanical gadget that recorded dial pulses as dashes on a paper tape. There was no way to extract voice info with a pen register.

Then came Touch-Tone. Now the switching data was in the voice channel. After some court decisions, it was established that listening to the voice channel and extracting tones was OK, if done with "minimal" access to the voice channel.

Over time, this led to the "pen register" exception being extended to content the telco didn't process, including tones sent during a call to third-party services like voice mail, packet headers, E-mail headers, cellular location data, etc. Then came a "lower standard for stored messages", which included SMS messages and E-mail. Then came bulk interception via CALEA. Then the Patriot Act.

/me brags about Canada

[Schraegstrichpunkt]

In Canada, the police need a warrant [justice.gc.ca] (CanLII link [canlii.org]) to get a dialled-number recorder placed on someone's phone (though apparently such a warrant is easier to get than a wire-tapping warrant), so extending this to the Internet wouldn't really be all that scary.

I think Quebec's general unwillingness to trust the federal government probably helps a lot here.

Re:

[delong]

I think Quebec's general unwillingness to trust the federal government probably helps a lot here

It also helps that Canada doesn't have the Fourth Amendment. The Fourth Amendment only bars unreasonable searches and seizures, and the reasonableness jurisprudence is obviously different than whatever you guys have concocted in Canada from general English common law principles.

So...

[BlueParrot]

Time to start using:
http://en.wikipedia.org/wiki/Tor_(anonymity_networ k) [wikipedia.org]
and
http://en.wikipedia.org/wiki/GNU_Privacy_Guard [wikipedia.org]

The alternative would be to vote the idiots out of office, but it doesn't seem as if that will happen any time soon.

Re:

[Rod Beauvex]

The problem is they're all idiots, so when you vote one out, another comes in.

Re:

[SpaceLifeForm]

An even worse problem is that there are now corrupt
individuals making legal decisions that you didn't vote for.

Your elected representatives did.

The problem was, your elected representatives were not paying attention,
were too scared to think straight, and voted for people and legislation in a hasty manner.

An example would be those that voted for the Patriot Act without even reading it.

Article is misleading... here's one from wired.

[Anonamused Cow-herd]

That article is completely misleading. The ruling covers IP addresses only. Here's a better article from Wired. [wired.com] For the lazy, here's the text content:

--
Appeals Court Rules No Privacy Interest in IP Addresses, Email To/From Fields

The Ninth Circuit Court of Appeals ruled Friday in United States vs. Forester that IP addresses and the To/From fields in emails are the legal equivalent of dialed phone numbers and the government can get a court order to obtain them without showing probable cause as would be needed in a search one's house.

The Court extended to the internet a 1979 case known as Smith vs. Maryland, where the Supreme Court found that individuals have no reasonable expectation of privacy in the phone numbers they dial because they transmitted them to the phone company in order to complete the call. However, under Smith, the contents of the calls could not be listened in on without proving probable cause to a judge.

The Ninth Circuit, ruling in an appeal of an Ecstasy-drug ring conviction found that emails' To/From fields and visited IP addresses were the internet's equivalent of phone numbers. For example, the government could get a log that said a person visited to http://66.230.200.100/ [66.230.200.100] (Wikipedia's address). However, the court suggested that knowing full urls are very close to content (e.g. http://en.wikipedia.org/wiki/Ecstasy [wikipedia.org]) and would likely require a higher burden of proof to obtain than mere IP addresses.

From a footnote in the decision:

Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times' website at http://www.nytimes.com/ [nytimes.com] whereas a technique that captures URLs would also divulge the particular articles the person viewed.

Professor Orin Kerr questions whether the decision is about getting this information from an ISP or whether it was from a device installed on a computer surreptitiously. He suggests the latter should require a higher standard, but I'm not sure why? Perhaps it's because that might require law enforcement to enter a person's house?

Read the ruling - IP *AND* e-mail addresses

[SpaceLifeForm]

Ruling [PDF] [uscourts.gov]

Alba challenges the validity of computer surveillance that enabled the government to learn the to/from addresses of his e mail messages, the Internet protocol ("IP") addresses of the websites that he visited and the total volume of information transmitted to or from his account. We conclude that this surveillance was analogous to the use of a pen register that the Supreme Court held in Smith v. Maryland, 442 U.S. 735 (1979), did not constitute a search for Fourth Amendment purposes. Moreover,

Re:

[Anonamused Cow-herd]

I agree -- it didn't seem like a hard concept to grasp to me.

So what?

[ratboy666]

I send email signed with GPG. Mess with the headers, sure, but the BODY can't be tampered with. Read, yes, tamper, no.

If something must remain confidental (source code, thoughts, company plans), it is put onto a server, and a reference sent via email (with GPG signing). The recipient can CERTAINLY go to the web page, where she will be redirected to an SSL page.

As soon as the SSL connection is set up, I use Apache Basic Authentication. Give me a user name and password. And these are reasonably secure. At lea

Everyone ELSE is, why not?

[WheelDweller]

Keygrabbers, bots, password snooping...and that's just the guys from Microsoft! :>

If this stops building from exploding, it's fine with me. It's not like the net's been private for over ten years...

Want something private? Create an ssh tunnel.

The court is missing the point......

[budword]

Here is a little snippet from the Fine ruling..... Surveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the uniform resource locators (URL) of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the persons Internet activity. For instance, a surveillance technique that captures IP addr

This is great news!

[hacker]

Great news comes in strange forms sometimes...

Now we can all begin converting our internal infrastructure to using very strong, protocol-based encryption, end-to-end. Bittorrent for http, secure, anonymous, private networks wrapped around our standard applications and more.

Begin now, if you're not using strong encryption.. you should be. Don't let the government WE put into place, tell you what YOU can do with your own Internet time.

If the government we put into place is not representing your best interests, its time to replace them with one that does.

Lock everything down and keep prying eyes out.

Encryption doesn't help much. :-(

[TerranFury]

It doesn't matter if I say,

"Hey Bob-The-Anarchist, let's go be subversive!"

or

"Hey Bob-The-Anarchist, KJLJALIUHFFLKAJHSLSAUFRGGFGFGJEUCJDKUEUD"

Even if they can't decode the second one, anyone listening still knows I was talking to the "Enemy of the People," Bob.

So, seeing how what's at issue in this article is who you're talking to more than what you're saying, encryption is, unfortunately, not super relevant.

I think the only technical solution here is to use steganography and communicate through

Re:

[r_jensen11]

From TFA: "The search is no more intrusive than officers' examination of a list of phone numbers or the outside of a mailed package, neither of which requires a warrant, Judge Raymond Fisher said in the 3-0 ruling."

I don't see what all the hoopla is all about. They're not opening the emails or reading any content. At least, they should not be. ;)

Take your foil hats off...

Cheers.

Except that, as far as I know, it's not illegal to post something without a return address on it.

Re:

[eck011219]

I think you're missing a key point -- an e-mail has a subject line, while a phone number or a letter mailed by post does not. Even without reading the contents of the message (and I don't believe for a minute that they don't -- call me paranoid), you can see what the message is about. Not true of a phone call or letter.

Also, as stated elsewhere, any web address has a direct relationship to the contents of a web page. This is more information than just a phone number or address on a letter.

Personally, I'm no

Re:

[Hatta]

Sorry but this is bad news. Suppose you read an article on Fark, some guy gets busted making explosives or smoking salvia or anything crazy like that. You, being the curious type, do a little research and end up on some sites devoted to spreading information the application of which would be illegal. Whether or not you do anything illegal, you make some friends and hang around on their message board or IRC channel where 95% of the talk is off topic anyay.

Now the feds using their tap into the AT&T bac

Re:Law Reform

[Dunbal]

The constitution isn't divine. I call for a reform.

      Be careful what you wish for - the "reform" might not be quite what you wanted, citizen.