Interesting People mailing list archives

Re: DPI and my testimony to Congress today


From: David Farber <dave () farber net>
Date: Fri, 18 Jul 2008 21:51:41 -0700


________________________________________
From: Joel M Snyder [Joel.Snyder () Opus1 COM]
Sent: Friday, July 18, 2008 9:40 PM
To: Gerry Faulhaber
Cc: David Farber
Subject: Re: [IP] DPI and my testimony to Congress today

I wouldn't say that it's settled law that employers can read employees' email,
necessarily.  I think that ECPA has some holes in it that let the owner of a
system read the email stored on that system---it isn't clear that they can, for
example, read an employee's email if they are using GMAIL to send/receive it.

Generally, what ECPA has done (reminding you: IANAL) is make it very clear that
an employer can assert the ability to read email, and if they make it very clear
that they assert this capability and right, then they can do it.  But in the
absence of a clear assertion, the employee does have some expectation of
privacy.  I don't have my file of case law here for easy access, but there was a
famous "Toshiba" case where they listened in on someone's email, but they had
not made it clear that they were going to do that, and a judge spanked them for
it.

Of course, employers who own desktop PCs, networks and email servers are a
kind-of special case, since the owner of a computing resource asserts some
control over the contents thereunto.  This is less true of the network than of
the email server (hence the treatment of GMAIL/Yahoo differently from mail
stored on the local server) because of the 'value' of the resource.

I guess the general point is that there is some law, and case law, that does
provide some email privacy.  It doesn't have the same level of protection as
other communications and renting porn from video libraries, but it's not
entirely unprotected.  Whether that's sufficient to say that there is privacy is
a whole 'nother deal.

However, just to bring this around to the DPI discussion: every service provider
has a series of security devices (firewalls, but also IPSes, etc.) which all
explicitly use DPI to help provide additional security; in addition, these
devices can also often use the same categorization features to provide QoS
guarantees.  That's not going away, and that's explicitly permitted in ECPA (and
in other laws---the outside of the envelope is not nearly as well protected as
the inside).

It is amusing to me, as the operator of a network, to hear this debate, because
network operators have no intention of giving up the ability to look at traffic
for security and prioritization purposes, and no amount of legal gerrymandering
is going to make that change because it's basic to the safe and successful
operation of the network.  This is the same in the telephone network: the
telephone company NEEDS to look 'into' the network to see what is going on, to
tune it, and to provide good service to everyone.  What might be needed is some
level of protection that prohibits ISPs from disclosing that information--in the
same way that the telephone company is prohibited from disclosing it, or your
doctor is prohibited from disclosing it--but that kind of sane lawmaking just
doesn't seem to jibe with the hysterics that this debate engenders.

Anyway, gotta run eat some dinner. I hope all is well!

jms


Gerry Faulhaber wrote:
Wow.  Blast from the past.  That was an interesting trip, wasn't it?

About e-mail privacy: it is settled law that employers can read
employees' e-mail (but they cannot listen in on phone conversations).
How does this square with ECPA?

Gerry

----- Original Message ----- From: "Joel M Snyder" <Joel.Snyder () Opus1 COM>
To: <gerry-faulhaber () mchsi com>
Cc: <dave () farber net>
Sent: Friday, July 18, 2008 6:26 PM
Subject: Re: [IP] DPI and my testimony to Congress today




Are there regulations regarding, say, US mail privacy?  Yes; see
http://en.wikipedia.org/wiki/Secrecy_of_correspondence .  However, this has
recently been under attack.  How about FedEx?  Can't find anything on this
topic, so I would assume no.  E-mail privacy?  I think we all know the
answer to that: NO.

Ummm.  Actually, YES.  Has been for over 20 years.  ECPA (Electronic
Communications Privacy Act) protects the privacy of email and other
stored electronic correspondence.   There's a nice link on the CPSR
page that has the text in a readable form:
http://cpsr.org/issues/privacy/ecpa86/

I hope all is well with you.  I was talking to Bill McHenry and Sy
Goodman a month or so ago and we were reminiscing about that trip we
all took to the great Soyuz back in the late 1980s.  Times, they have
a changed!

jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms () Opus1 COM                http://www.opus1.com/jms


--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms () Opus1 COM                http://www.opus1.com/jms


