
Congress, at Last Minute, Drops Requirement to Obtain Warrant to Monitor Email - mtgx
http://www.allgov.com/news/top-stories/congress-at-last-minute-drops-requirement-to-obtain-warrant-to-monitor-email-121225
======
ghayes
I wish we would treat cyberspace analogues of established property with the
same respect given to the original. For example, your e-mail inbox is the
online equivalent of your mailbox. Yet, one being "on your lawn" and the other
"at Google's data-center," all bets are off. While I believe the Supreme Court
should do a better job at explicitly addressing this (for instance, "responsible
expectation of privacy" established in Katz[1] would be a fair test for e-mail,
while Jones[2] and Kyllo[3] show the importance of taking modern technology
into account), the government needs to firmly establish which techniques are
important for security while protecting us from those which recklessly violate
privacy.

[1] <http://www.law.cornell.edu/supct/html/historics/USSC_CR_0389_0347_ZC1.html>

[2] <http://www.law.cornell.edu/supremecourt/text/10-1259>

[3] <http://www.law.cornell.edu/supct/html/99-8508.ZS.html>

~~~
shawn-butler
The Sixth District court of appeals did address this directly in US v Warshak
[0]. What this scare article does a good job of is confusing the reader.

Unopened email left on a 3rd party server for longer than 180 days was
considered discarded or abandoned property. Discarded physical property has
never retained a reasonable expectation of privacy (for instance, the police
are free to dumpster dive once your property is considered discarded).
Similarly when you vacate an apartment and leave all your belongings behind,
they become the property of the landlord. These are firmly established
principles of common law. The waters become more grey when you are not using
the 3rd party for communication but for storage, say for emails you have read
and leave on the server for 180+ days. [1]

So in this case Congress wanted to establish a new right to privacy that
required a warrant on rather vague and nebulous grounds. It was dropped and so
the status quo remains.

All the people here complaining apparently have no idea what the law of the
land currently is? Email communications residing on a third-party server for
less than 180 days that offers services to the public can not be obtained
without a warrant. Notification of the issuance of a warrant could be delayed
by 90 days. This does not apply to 3rd party services that do not offer
services to the public. They can voluntarily disclose content at their whim.

If you believe my understanding to be flawed I welcome the opportunity to be
corrected.

[0]: <https://www.eff.org/deeplinks/2010/12/breaking-news-eff-victory-appeals-court-holds>

[1]: <http://en.wikipedia.org/wiki/Stored_Communications_Act#Overview>

~~~
paulsutter
Anything we can do to proactively claim or declare our emails older than 180
days to be not discarded and not abandoned? Or move them to a new server
periodically so that they aren't stored in a server for more than 180 days?

From Wikipedia [1]: "Property is generally deemed to have been abandoned if it
is found in a place where the true owner likely intended to leave it, but is
in such a condition that it is apparent that he or she has no intention of
returning to claim it."

I'm winging it here, but Gmail could have an optional feature to prompt every
three months "do you claim your mail from January 2005 to December 2012?", and
just answer yes every time. Then Google could respond to the subpoena that the
user has no mail that has not been claimed in 180 days.

Any lawyers here who can come up with something more solid?

[1] <http://en.m.wikipedia.org/wiki/Lost,_mislaid,_and_abandoned_property>

(Be nice if you had some contact info on your profile)

~~~
plainsman
Google already does not fulfill subpoenas for email seizures in many cases due
to the decision in Warshak - their contention is that they cannot be sure if
the user resides or uses their email under the jurisdiction of the Sixth
Circuit.

It's puzzling to think about why Warshak wasn't appealed to the Supreme Court
(SC), where a decision would have federal instead of regional consequences.
The Justice Department most likely felt such a move could easily end in the SC
siding with the Sixth, ending the free lunch on electronic communications
seizures that law enforcement currently enjoys.

~~~
shawn-butler
Google's particular problem, in my humble opinion, is that the protections do
not apply to non-content portions of the communication. For example, the
government does not need a warrant to require production of the smtp logs,
just as they don't need a warrant to see what phone numbers you called whereas
listening to those same conversations does require court authority.

Google unlike most other email providers is going through the content of every
email (I assume prior to its being read by the user) and indexing its contents
for the purposes of determining relevant advertising (and whatever else they
do with that info about which I admittedly know very little).

I would wager that those indexes might fall under the "log" rather than
"content" aspect and therefore their production would not be subject to
warrant if they are keeping it stored somewhere; but, that's for someone
receiving a higher pay grade to determine.

Cert for Warshak was not sought by either party most likely because the
outcome of the appeal was largely in the govt's favor. Most of the convictions
stood while only some were remanded. So I imagine it wasn't in either party's
best interest to roll the dice again. Finally, the precedent established in
Warshak is applicable in the other horizontal jurisdictions. I would find it
hard to believe any of the other appellate courts would go against its sound
reasoning. But I guess the point stands that if you want to be safe you should
ensure your servers reside in the jurisdiction of the Sixth!

------
raintrees
This seems a good place for a dose of "what is good for the goose is good for
the gander"... Since Congress is employed solely to represent its
constituents, maybe all of their communications (public or private, if they are
in any relation to their employment) be disseminated far and wide to all of
those constituents to monitor those representatives' abilities to fulfill
their obligations to their constituents.

A period of time observing the sausage-making process of crafting and passing
law may be quite a wakeup call for Jane Q. Public....

------
propercoil
They always do that in holidays when no one is looking like they did with the
NDAA. No surprise.

~~~
tptacek
The NDAA did exactly what this bill purports to do: leave intact an
unfortunate status quo. Almost nothing people say about it on message boards
is true; it has become a shibboleth for "I pass along public policy gossip
without verifying it".

~~~
mtgx
But did it leave it intact or did it enforce it? Why did they need to write in
the NDAA too that they can do that if it was already written in another law?

~~~
tptacek
I don't understand the first question. The answer to the second question is
that the powers granted to the executive under the 2012 NDAA (there's an NDAA
every year) are _more limited_ than the blanket authorization to use force
granted in 2001.

------
derekja
Has anyone out there created a utility that will download and delete any gmail
messages older than 6 months, storing them only in an encrypted local store?

~~~
kleiba
I would be surprised if deleting a mail from your gmail account would actually
delete them from Google's servers?! I was always under the assumption that
Google will store them until eternity. But as assumptions go, I can't really
back that up -- but perhaps someone on HN has better knowledge?

~~~
aioprisan
I'd be interested to hear about this as well.

~~~
pjbrunet
Good question. I deleted my Amazon account about a year ago which wasn't easy
--required back and forth correspondence with tech support: "Yes, I'm
absolutely 100% sure I really, really understand the implications of deleting
my account." In any case, I keep getting Amazon gift cards from people so I go
to sign up to Amazon for a new account. Turns out my account was never
actually deleted, I was able to click "forgot my password" and they still had
a record of everything.

------
hfsktr
I didn't see anyone post it but the link above didn't go directly to the
article (at least for me). It was available in the recent stories though. The
url on that page is: <http://www.allgov.com/news/top-stories/congress-at-last-minute-drops-requirement-to-obtain-warrant-to-monitor-email-121225?news=846578>

------
benhebert
War on terror is a hoax used for pushing forward an agenda. Save us from the
terrorists and drugs! God forbid you travel out of the US and see some of the
world, you might be "taken".

The way the media sensationalizes some of these shootings, it's like we have
to live in a constant state of fear.

~~~
neumann_alfred
_God forbid you travel out of the US and see some of the world, you might be
"taken"._

Ironically, I feel the same way about the US since 9/11: I'd rather freely run
my yap about (politics of) the country on the internet and not ever set foot
there, than visit it and risk my freedom. Which makes me sad, because I know
it has many great people in it... but a lot of things would have to change
rather drastically for me to revise this.

~~~
alan_cx
Yeah, I feel broadly the same way. In so many ways the US is a fantastic
country, but the government and its politics are insane, and frankly scary
from the outside. I thought things would vastly improve under Obama, but from
what I can see, he's little more than a "Bush Lite". Pity, IMHO.

Worth separating the people from their government, although I would argue that
in a democracy the government is the voter's fault. But it seems to me that
the US government / establishment fears and hates its own population as much
as it does foreigners.

I kinda wish Americans would wake up and see the monster, then do something
about it. If the US establishment starts treating its own people better, that
might fan out internationally for everyone's good. Not least, Americans.

But then, as I say, the US is supposed to be a democracy, so presumably they
have what they want already. So, er, fair enough. Who am I to suggest
otherwise?

~~~
ams6110
Too many generations of poorly-educated and/or dependent voters are making
your wish something that is less and less likely to be realized.

------
dmix
Another reason we need better encryption solutions for email.

Are there any useful options that encrypt email?

~~~
napoleond
My company is working on this: <http://parley.co>

EDIT: As mentioned a few times elsewhere on this thread, the biggest barrier
to encrypted email adoption is the network effect, ie. both ends need to be
using it. _That_ is the core problem we're trying to solve--making an email
system that would be better than the rest even if it _weren't_ encrypted, but
that's the icing on the cake.

~~~
tptacek
If "works anywhere on any device" means its crypto code is loaded over
Javascript without browser extensions, that's a goal that cannot share a
project with "make it impossible for admins to read email even with a
subpoena".

The reason it's 2012 and there's still no universal solution for encrypting
email is that it's a hard problem. If you care about the security of your
mail, you should use GPG.

~~~
napoleond
We are in full agreement. Parley.co does not use Javascript crypto or browser
plugins, ie. it is not webmail. (There _is_ a webmail component that can be
used to _send_ messages which are encrypted at the server, and can allow
synchronous two-way communications for logged in Parley users that is _not_
end-to-end, but it is only provided as a stop-gap and the trade-offs are
clearly presented. Discussing it usually ends up as a distraction, since our
core offering is based on installing standalone clients.)

We'll be posting more information about the whole thing soon, but if anyone
has any questions I'm always happy to discuss what we're doing either by email
(in my profile) or (at risk of derailing the thread) here.

EDIT: Also, Parley uses OpenPGP. People who are happy with their PGP/GPG setup
should continue using it, but the goal is to create a compatible service which
those people would feel comfortable recommending to less tech-savvy friends.

------
durpleDrank
Didn't they do the same dirty trick for the Federal Reserve Act? Basically
all of congress is home with their families, and only a few people (who most
likely want to see the change (for whatever reason _AHEM_ )) show up to
vote.

~~~
srj
I believe each congressional body requires a majority of members present to
have quorum and conduct business.

------
sown
So how does this work if, say, I have an mbox file with messages from 7 months
ago and also yesterday? Do they get to snag the entire mbox file or do they
have to painstakingly filter out messages from the files?

------
alexmat
This looks like a promising idea: <http://bitmessage.org/>

Edit: Send me a message if you get it running and I'll reply,
BM-2nftGCPpQ9HtjwJgbZfSFhPHqiJbJK7pwvi

------
shmerl
They demonstrated that they value police state ideals over the civil
liberties. Wasn't it expected?

~~~
creativityland
Obama State. FTFY.

~~~
neumann_alfred
Right. Because Obama totally didn't continue a long legacy, he basically
kickstarted this all by himself..

My suggestion would be to more or less ignore the sock puppet of the day and
instead pay attention to interest groups and whatnot. Those don't change
nearly as much as the faces or slogans that are put on stuff.

------
biafra
Why is email that is 180 days old considered abandoned?

Does this also apply to email, that is stored on a server that I rented or
bought?

Am I supposed to delete all email after I read it?

------
gasull
Every year the average Western citizen is less free than a year ago, and the
median citizen is also poorer than the year before.

Is this just my impression? Is the pendulum ever going to swing back?

------
QuantumGuy
Ultimately, isn't the way around something like this VPN services and
encrypting your email? Or is it more than that at this point?

------
BrianPetro
'Burn' Emails

Use <https://receiveee.com> for all of your illicit emailing.

~~~
newman314
It's got misconfigured SSL cipher settings.

See
<https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Freceiveee.com%2F>

------
chris_wot
Could monitoring be the same as searching? If so, that legislation is
unconstitutional!

------
whiddershins
It's funny to see that headline jumps out at you, but not the one above it?

------
Entr0p
whelp, that passing will end my use of free text email.

~~~
JshWright
This is an article about an amendment proposed to a law that's already on the
books. The 180 days thing is already the law of the land, this amendment
sought to change that. There's now nothing in this bill relating to mail
privacy (i.e. the existing law isn't being changed at all).

So, if that's the way you feel about it, the time to stop using free text
email was 1986, when ECPA was first passed.

~~~
Entr0p
interesting, I'll have to read more - I was expecting that a warrant was
required under current law to use intercepted emails

~~~
monochromatic
I think most people do expect that.

~~~
tptacek
Warrants are required for mail less than 180 days old.

------
crististm
So congress can fuck around for free?

------
thoughtcriminal
Where's Obama? Where's the great "centerist"? The great leader?

He's invisible again.

~~~
creativityland
Why are you surprised?

------
rsync
If you don't host your own mail server, you are a clown-person. Joe 6 pack has
an excuse, but nobody here does.

~~~
dsplittgerber
How can I, as a somewhat proficient non-techie, accomplish that without having
to dedicate a 24/7 *nix box from home?

Please, if anyone knows a simple, yet elegant solution, I'm all ears.

~~~
ghayes
An alternative to postfix:

To receive mail, you could set up Haraka (a very simple NodeJS smtp server)[1]
on any unix instance (such as AWS micro). You'll need to set proper MX records
for your domain and a few simple configurations. If Heroku would let you
specify a port (specifically, 25), you would be able to host on Heroku's free
plan. This may put you back at odds by hosting your data on AWS (third-party).
Also, you would likely need to set up a POP server to download your messages
from the server.

[1] <https://github.com/baudehlo/Haraka>

~~~
kawsper
Wouldn't they be able to access cloud systems such as AWS, Linode or Heroku as
long as it hosts e-mail systems?

~~~
antidoh
That's going to be an interesting question. If you host on linode or google
apps or pair.com, is that a server under your control, or a third party?

I would call it a server under your control, the same as a store in a strip
mall is under your control, not the mall owner.

But which way does anyone think that's going to go? Not the right way is my
assumption.

However, if all your data is encrypted once it rests on the box, you'll at
least know you're being probed when they subpoena your keys.

