Virginia High Court Wrong About IP Addresses 174
The first 20 pages of the decision, which are all about legal standing, jurisdiction, and overbreadth, made my eyes glaze over. I'm not analyzing those at all except to point out that on most of those issues, the lower court came to exactly the opposite conclusion from that of the Virginia Supreme Court, and there is no reason to think that the higher court is any more likely to be "correct" than the lower court (even granting the assumption that there is an objectively "correct" answer to these questions). Any time you feel intimidated by "experts," it's helpful to step back and ask whether the alleged experts even agree with each other.
Page 21 is where the technical stuff starts that we can tear apart directly. The decision says, in talking about the transmission of e-mail:
The IP address and domain name do not directly identify the sender, but if the IP address or domain name is acquired from a registering organization, a database search of the address or domain name can eventually lead to the contact information on file with the registration organizations. A sender's IP address or domain name which is not registered will not prevent the transmission of the e-mail; however, the identity of the sender may not be discoverable through a database search and use of registration contact information.
These are statements that are only true if you play some kind of parlor game to
find a way to read them as "true," not statements that indicate the court knew
what was going on. To review: IP addresses in the U.S. are generally allocated
by ARIN in blocks to Internet service providers
and Web hosting companies; these
companies then lease the IP addresses to their customers. You can
look up an IP
address with ARIN to determine which ISP or hosting company has been assigned
that particular block, but the ISP or hosting company generally won't tell you
the identity of their customer who has leased it from them. And anybody
can register a domain, but most domain registrars give you the option of registering
the domain anonymously, so that only the registrar knows the owner's true identity.
So the court's statement that a database search "can eventually lead" to contact
information is correct only if you clarify that it "can" lead there, but it usually
won't. As a finding of fact, this is 100% true, and about as useful as "Obama might
win in November. Or he might not."
But it's impossible to defend what the court says next:
As shown by the record, because e-mail transmission protocol requires entry of an IP address and domain name for the sender, the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name. Therefore ... registered IP addresses and domain names discoverable through searchable data bases and registration documents "necessarily result[] in a surrender of [the speaker's] anonymity."
Now, there are two possible definitions of "anonymity" to consider: (1) you can be anonymous
to the extent that ordinary citizens reading your content cannot determine your identity
without a subpoena; or (2) you can be anonymous to the extent that even the government,
armed with subpoenas and wiretaps, can never find out who you are. But under either
interpretation of the word, the court's statement that "the only way such a speaker can publish
an anonymous e-mail is to enter a false IP address or domain name," is wrong.
By default, almost all Internet users are already anonymous in the first sense, even without
using forged headers or other tricks in their e-mails. When you send e-mail through your own
Internet service provider's mail server, or when you log on to Hotmail and send messages from
a Hotmail account, or when you lease a dedicated server from a Web hosting company and use it
to send mails, the messages don't contain any more information about your true identity than
you decide to put in them. Only the government could ordinarily discover your identity in those
cases, by looking at the IP address that the message was sent from, and subpoenaing the Internet
service provider or hosting company for the identity of the person using that IP address at that
time.
But there are even ways to be anonymous in the second sense -- such that not even the
government could identify you -- without resorting to forged e-mail headers. You can create
Hotmail and Gmail accounts without giving the providers any of your true information. When
you send messages through those services, they pass along the IP address that you used to
connect to their Web sites, but you can obscure your IP address as well, by using an anonymizing
proxy or a service like Tor.
Elsewhere in their decision, the court indicated that what they really wanted to protect
was the right to send anonymous bulk e-mails that were political or otherwise
non-commercial. But even by that standard, it's still possible to use Hotmail and Gmail
together with an anonymizing proxy (the mail services do
impose limits on how many messages
each account can send in a day, but if you want to send bulk mails badly enough, you can always
sign up for multiple accounts). And if you only care about staying beyond the reach of U.S.
subpoena power, you can always sign up for a dedicated host overseas and send the bulk mails
from there.
Apart from the court's misstatement that forged headers are the only way to publish anonymously
in e-mail, there is the incorrect presumption that forged headers actually do afford
anonymity in either of the senses given above. The court wrote, "[T]he only way such a
speaker can publish an anonymous e-mail is to enter a false IP address or domain name."
But while it is possible to enter any domain you want in your return e-mail address
when you send an e-mail, the court apparently didn't know what it was talking about when it
referred to "entering a false IP address." You can't just "enter" any arbitrary IP address
when sending an e-mail. If user@domain name.com receives an e-mail, the mail server at
domain name.com has to receive the message over a connection made from some other machine,
and the domain name.com mail server can always see the IP address of the machine on the other
end of the connection. Normally, this machine on the other end would be the mail server of
the sender's Internet service provider. Or if the sender has leased a dedicated machine at
a hosting company, that dedicated machine would be the one connecting to the domain name.com
mail server. Some desktop spamming programs let you turn your home computer into the sending
mail server, so that it connects directly with the remote mail server to send the message.
In all of these cases, the receiving mail server can see the IP address of the sending
machine, so a government subpoena would usually be enough to determine the sender's identity.
(I know you all know this, but I have delusions that some helpful clerk will print out this
article and explain this to the judge.)
When spammers "enter" false IP addresses in sending mails, that usually means entering made-up
IP addresses in headers that are sent along with the contents of the message. However, these
would normally only have the effect of throwing someone off the trail who opened the message
sent to user@domain name.com and was reading the headers manually. Perhaps they would see some
random IP addresses scattered in the headers, would go to ARIN and look up the hosting company
or ISP that those IP addresses were assigned to, and would mistakenly file a complaint with
that company. But the domain name.com server can always see the true IP address that the message
was received from, and for people who know how to read the headers properly, that IP address
will be indicated in the headers as the address that connected to the domain name.com mail server
to send the mail.
So the court's statement that "the only way such a speaker can publish an anonymous e-mail is
to enter a false IP address or domain name" is doubly wrong: because it's easy to send e-mails
anonymously without using forged headers, and because forged headers do not in fact provide the
level of anonymity that the court said should be protected anyway. The only way to truly
obscure your identity by hijacking a third-party IP address without permission, would be to
hack into a third party's computer, by infecting a user's home computer with a Trojan horse for
example, and
using it to send mail.
Presumably the court was not contemplating that such an
activity should be considered legal, even as a means of sending political speech.
It would presumably be unconstitutional for an anti-spam law to prohibit anonymous political
e-mails which attempted to hide the sender's identity -- that is after all what
"anonymous" means! You couldn't pass a law outlawing Tor, for example. But the Virginia
law doesn't apply to senders merely trying to hide their identity, it applies only
to the use of computers
"to falsify or forge electronic mail transmission information or other routing
information in any manner in connection with the transmission of unsolicited bulk electronic mail"
(emphasis added). There is a difference between obscuring one's identity (which Tor and anonymous
remailers allow you to do), and actively trying to frame an existing third party by using
forged headers to make the mail appear that it came from somewhere else, especially when
sending bulk mail, which is likely to generate complaints whether it's commercial or not.
By contrast, the
Washington anti-spam law
prohibits any mail which "misrepresents
or obscures" the origin of the message (emphasis added). This is broader and
could be construed to include a wider range of things, such as the use of overseas IP
addresses to send bulk mail on behalf of a U.S. company, or the use of anonymously registered
domains to hide the sender's identity. It would probably be unconstitutional to prohibit
these obscuring techniques for non-commercial anonymous e-mail, which is why the Washington
law specifically applies only to commercial messages.
But here I'm getting into issues like constitutional law where different experts might disagree.
The clear-cut technical fact is that, contrary to the court's ruling, forged e-mail headers do not
provide true anonymity when sending mail, whereas there are other, legal, ways of sending
mail that do make the sender truly anonymous.
What is frustrating about the court's misstatements about IP addresses, domain names,
and anonymity, is that the judge is obviously intelligent and could have understood
the concepts if they had been explained correctly to him. I held some misconceptions
for a long time myself about domain names and IP addresses, because the first explanations
I read were incomplete or wrong, or I didn't understand them.
But the mistakes in the ruling would have been caught if
the judge had just showed a draft to an Internet guru and said, "Hey, can you check if there's
anything wrong here?" I know, I know, that's "just not done" (and there are
probably
formal rules in most states
against showing a draft of a ruling to a third party before publishing it, even if the
third party reviewer is sworn to secrecy, as they should be).
But there's nothing stopping the judge from asking a technical expert during the trial,
"It seems to me that the only way to publish anonymously on the Internet would be to use
forged headers in e-mail. Can you tell me if that's right before I go too far down that
line of reasoning?"
I've appeared before judges in Small Claims court who did ask questions about any part of
the technical issues that they wanted to understand, and were even willing to revise
some prior misconceptions. But all of them, even the open-minded ones, proceed by gathering
information during the trial, and then in the conclusion, spell out their argument and their
ruling (during which time you're not allowed to interrupt), which is then set in stone unless you appeal.
I've never seen a judge say, "Here's the line of
reasoning in my head right now, and my tentative conclusion. Is there anything in that
chain of reasoning that you want to dispute, before I make it final? I am not
promising to change my mind just because you disagree with something. But I will take it
into account." This is essentially what scientists do when they submit their papers for peer review
before publishing them, to minimize the chance of making an error. Judges could do the same thing
-- if not formally, because they're not allowed to show opinions to third parties, then at least
informally, by running their ideas past the experts assembled in their courtroom -- to reduce
the chance of making a mistake. But have you ever heard of a judge doing that?
The Virginia judges probably did about as well as one could be expected to do, having learned
all these technical terms only recently, and then withdrawing to their chambers to form an
argument without any feedback from any technical experts. So, given the technical howlers
that ended up in the ruling, the moral is that forming an argument in isolation from experts
is probably not the right way to go about it.
summary way to long. (Score:4, Insightful)
I disagree (Score:2, Insightful)
If you aren't prepared to put your name to what you say, then I don't want to hear it.
Tell that to all the Iraq war protesters (when it first started) who had their houses vandalized and were assaulted because of their views.
Or the folks who disagree with their Governments and are being watched, were tortured or killed.
Or how about being an atheist in a theist country and trying to get work - outside of working for Bill Maher.
Just saying.
Re:I don't want any anonymous mail in any case. (Score:5, Insightful)
If you aren't prepared to put your name to what you say, then I don't want to hear it.
Then, you will hear only those things that no one is trying to suppress by intimidation or retaliation.
If you don't have time for anonymous speech, that's fine. However, anonymous speech too often conveys vital information for it to be prohibited for those who want to hear it.
i agree with the summary for a change (Score:4, Insightful)
Re:summary way to long. (Score:4, Insightful)
>>>But the decision contains statements about IP addresses, domain names, and anonymity that are rather basically wrong, and which may enable the state to win on appeal.
So who would the State of Virginia appeal to? (just curious)
Re:summary way to long. (Score:3, Insightful)
Re:summary way to long. (Score:4, Insightful)
Re:summary way to long. (Score:5, Insightful)
and I really wish someone had put that sentence right in the court's face.
Impossible to defend? (Score:3, Insightful)
But it's impossible to defend what the court says next:
As shown by the record, because e-mail transmission protocol requires entry of an IP address and domain name for the sender, the only way such a speaker can publish an anonymous e-mail is to enter a false IP address or domain name. Therefore... registered IP addresses and domain names discoverable through searchable data bases and registration documents "necessarily result[] in a surrender of [the speaker's] anonymity."
Impossible to defend? Just watch me.
You're overlooking a perfectly reasonable generalization that the judge is making. The IPv4 packet headers and the email headers, to the judge, are one and the same: Both can be used (indirectly) to identify the sender of the email, and both need to be "forged" in order to send anonymous email.
Keep in mind that tunnelling your packets through a proxy effectively "forges" the IPv4 source address, since the communication is actually originating at your computer, but on the receiving end, it shows up as being from the proxy, even though the communication actually originated elsewhere.
The judge was right to point out that you can't communicate on the Internet without including some kind of "sender address", and this address needs to be forged in order to use the Internet to communicate anonymously. As far as his argument is concerned, it doesn't matter whether the headers you're forging are specified in RFC 791 or in RFC 822.
Re:I don't want any anonymous mail in any case. (Score:5, Insightful)
Yes, I *do* have free speech. EVERYWHERE.
No you don't. You don't have the right to free speech within my house, and I can tell you to leave my home and use force to compel you to if something you say offends me. Hell, I can make you leave my home if you refuse to say something I want you to say.
You do not have the right to free speech on my servers. If I'm running a forum and I don't like what you say, I'm well within my rights to delete your posts and ban you forever. Because I own these things, I have control over them, in many ways more control than the government will ever have. The government can only restrict certain types of speech, I can restrict any or all speech.
Re:I don't want any anonymous mail in any case. (Score:4, Insightful)
When you tell people they can't spam, you're telling them that they don't have the right to speak their mind to the world.
No, you're telling them that they don't have the right to make everyone listen to what they want to say... which they don't, as far as I'm concerned.
What they choose to say on their own web site, which I visit voluntarily, or in a public forum, which no-one is forced to attend, is one thing. What they shove, unsolicited, into millions of inboxes is quite another. The problem with spam is not what they say, but the push model they use to say it.
Re:summary way to long. (Score:3, Insightful)
but the ISP or hosting company generally won't tell you the identity of their customer who has leased it from them...So the court's statement that a database search "can eventually lead" to contact information is correct only if you clarify that it "can" lead there, but it usually won't.
Unless, of course, you have a subpoena, in which case the ISP or hosting company will most certainly tell you. And they will likely do a database search on their own system prior to telling you. If you're trying to be anonymous, you generally want to be anonymous from the government, too...
Re:summary way to long. (Score:5, Insightful)
Perhaps some contributors misunderstand the concept of a "summary." I've seen more than a few who could definitely use a primer on the effectiveness of "brevity" as well.
Fair enough, but I honestly think that in this case, the overlong and verbose summary is a refreshing change. What generally and typically passes as a "story" is most often a few scant one-line paragraphs that summarises, or worse, describes and editorialises, a real event or an issue.
It's not unlike what we routinely get from an organisation like CNN, where "news" is offered up in the form of sound bites, provocative graphics, and an absurdly dramatic soundtrack. If it wasn't for the pseudo passionate mumblings and fixed but empty stares of Anderson Cooper, or the rumbling drone from Wolf Blitzer, we could step back and recognise that what's presented is mostly devoid of content.
If you think that's an exaggerated comparison, try reading future Slashot stories with lynx (or just dump it to less, like I do). By the time you find the actual content, you realise there's not enough there to even bother with. In Slashdot's case, it's a truism that what's of most value is found in the contributions of its readers. It's similarly the case that most of us wait for or anticipate a reader offering up the real meat of the story, or some unique insight into it. We don't read the articles just because we're lazy. We don't read them because what's found on the pages of Slashdot is simply better.
Think of it this way -- this may be the one time where we should be modding the summary instead of the posts!
Re:summary way to long. (Score:3, Insightful)
Some of us don't even finish writing the
Re:You might want to stick with what you know (Score:3, Insightful)