A federal appeals court has upheld a lower court's ruling against warrantless seizures of email. Law enforcement agents need to obtain a warrant before looking at a user's email even if it is stored online, the Sixth Circuit Court of Appeal ruled on Wednesday. For 20 years, long before the introduction of knee-jerk law …
I can see the US government is doing well at keeping their secret email browsing a secret!
The fact that everyone knows their looking at peoples emails makes it so its not a secret anymore so doesn't that make the US governments excuse null and void?
You mean they didn't before???!!
You mean they were dipping without a warrant before??? Wow thats f*cked up.
Can you imagine any idiot in the FBI deciding to take a peek at their Senators wife's private emails?
Reasonable expectation of privacy?
I don't expect email to be private - that's what encryption is for. Only an idiot would send passwords, credit card numbers, or assassination plots through unencrypted email, regardless of what the courts say.
re:Reasonable expectation of privacy?
Thats what you would think!
Why do you think it's illegal to export serious encryption technology outside the US? It's because the Govt requires encryption manufacturers to provide the means to view the contents of encrypted files/emails and they are willing to "respect the privacy" of US citizens using the technology. . There is no way to make email or electronic communications secure against the US govt. If you want to send secrets use regular mail or FedEx. It's the only really secure way to get it done.
That's one of the advantages of open source - you can see if there are any backdoors in there.....
I'm confident that GPG is secure encryption, and since the private key never leaves my custody, I am confident that only I have the mechanism to decrypt encrypted emails sent to me.
There is the possibility of brute force attacks on encrypted email, but when you start encrypting everything, including trivial stuff, it gets harder to work out what you want to throw the resources at to try and crack.
Incidentally, I wonder how long before phishers start querying the pgp keyservers for email addresses to use in phishing attacks? Encrypting the emails will certainly get them past gateway spam filters etc....
Receiving encrypted emails will also give them a false sense of authority...
when I started learning TCP/IP, SMTP and the like, one of the first things my lecturer commented on was to assume the channel between points on the internet were public. They could be viewed, and intercepted quite easily. As a result, you can never assume an email got to it's destination intact, and you could never rely on an email itself to verifiy it came from where it claimed to.
That's why digital signatures (with the associated encryption) exist. Given that any interception or "sabotage" (does adding headers count as tampering ?) could occur quite legitimately - no need for illegal activities.
Given that, it's hard to see how anyone could claim they expect email to be inviolate, when the transport it runs on top of isn't.
It's not like posting a letter, where it's sealed, and there *are* strict laws about tampering.
Sending an email is like sending a postcard through the mail - who would expect that to be private ?
Serious encryption technology is already in use outside the US. PGP, for example, allows several strong encryption types, for securing e-mail communications. AES is pretty secure, too - and if it's illegal to use that outside the US, I'd like to see the US government suing Sony for using it in Blu-Ray discs. :)
Then there's a favourite method of encryption used by the US, which could be used by anyone: Simply sample a *lot* of cosmic radiation and place it on a CD/DVD/hard disc used by trusted parties - either end has access to the same noise. First, compress your data. Then XOR the data with radiation noise on the disc (making sure you never use the same noise twice - when you've used the whole disc, you destroy it and use a new radiation noise disc) - then encrypt the result using something like 256-bit AES.
Simple, foolproof and utterly immune to any kind of cryptoanalysis attack. Or anything the Feds or CIA might have.
Of course I've been using it, for many years. I belong to several committees that meet and vote online. All votes are required to be signed.
As far as export is concerned, it's been years since encryption technology has been covered by ITARS. I have several pictures of me wearing in t-shirt that says "This is a munition" with the RSA code, taken in many countries.
RE: "Reasonable expectation"
What you said about the channel being insecure is all very true and I'm sure that better than 90% of Reg readers would understand it (and better than 80% would have already known it)... BUT this is a US legal decision we're talking about. Most court cases like this hang on the "reasonable person" standard and, based on case law, a person who just meets that standard is a half-wit who can barely function in society.
RE: Reasonable expectation of privacy.
The issue covered by the judgment is not one of the security of the transmission of e-mail. It's all about the requirement of law enforcement officials to get the court's approval, in the form of a warrant, to search for suspected evidence.
The law enforcement agency was contending that if the data is still on the server of the provider they don't need a warrant. That they can bypass the court's oversight by going to the e-mail provider and demanding (or requesting) they hand over the messages.
In saying that, they are basically asserting that once an e-mail message is in the hands of your provider, you have put it into the 'open field' (a.k.a. public view) and it is therefore not subject to warrant requirements. This would be comparable to leaving your bank-robbery plans on the table of a restaurant: the police don't need a warrant if they convince the restaurant owner to give it to them.
Several rulings have been made on very similar matters...
The courts have always finally ruled that the authorities can't skirt the requirement of a warrant by getting the data from a storage facility. The originator of data has a reasonable expectation of privacy in that a storage facility, being that they are not the owner or recipient, has no inherent right to use the data. Therefore sending it through or storing it with them is not putting it into the open field, which means they have no right to hand it over to the authorities of their own accord... and that means that a warrant is required.
Reasonable expectation of privacy.
This would also benfit providers in that they don't have to anti-up emails based on any old pc plod request. Just because you are a Fed or a cop does not give you right to just go and demand that a provider hand over someones email.
For instance say the emails belonged to neighbour, a spouses friend. Get the idea.
The idea of claiming that information in storage was can be obtained by the goverment with out due course has been repeatedly in the news recently. Telephone call monitoring, telling search engines to hand over there stored search data being the major two.
If email is allowed to be obatined this way, with out a court order, because it is stored on a providers server, whats to say that PC plod can't just go all the way, flash his ID and demand to see any persons ip record in full from any ISP.
I think that any resaonable person would not expect the goverment to be looking into their private life. That the goverment needs to provide resonable proof to a court before it or PC plod does.