Three dozen things Liz Figueroa's anti-Google bill would break [priv]

[Declan McCullagh <declan () well com>]

-------- Original Message --------
Subject: Re: [Politech] Four examples of what Liz Figueroa's anti-Google 
bill would do [priv]
Date: Fri, 23 Apr 2004 14:15:48 -0400
From: Dan Geer <geer () TheWorld com>
To: Declan McCullagh <declan () well com>
CC: dan () geer org


A prediction: Just as in the 1990s the COTS sector
caught up with the military sector in applications
of cryptography this decade will see the self-same
overtaking but this time of traffic analysis.  You
do not need to examine content if you can deploy
enough sensors and make sense of their findings.

--dan


-------- Original Message --------
Subject: Re: [Politech] What would Liz Figueroa's anti-Google bill 
really do? [priv]
Date: Fri, 23 Apr 2004 12:10:15 -0700
From: James Ausman <ausman () CSUA Berkeley EDU>
To: Declan McCullagh <declan () well com>
CC: ausman () soda csua berkeley edu

>Is there anything I'm missing?

As it looks now, it would prohibit companies from using things like
CRM mail systems to manage their workflow. I can imagine a way
to obtain consent for scanning, but it would be cumbersome and
a pain for consumers.

Cheers,
Jim Ausman


-------- Original Message --------
Subject: Three dozen things Liz Figueroa's anti-Google bill would break
Date: Sat, 24 Apr 2004 14:48:43 -0700
From: Bill Stewart <bill.stewart () pobox com>
To: Declan McCullagh <declan () well com>

At 06:31 AM 4/23/2004, Declan McCullagh wrote:
> Figueroa's office admitted the bill would make it illegal for a California 
> company to offer a "family friendly" email service that filtered dirty 
> jokes into their own folder, for instance. It would also prohibit 
> reviewing incoming messages to make clickable hyperlinks out of text 
> phrases like "www.mccullagh.org." It might ban the practice of discarding 
> messages with attachments beyond a certain size limit.
>
> Is there anything I'm missing?


Oh, you're probably missing lots of things; certainly Figueroa is :-)
The law is really terribly broken, as most knee-jerk implementations of
good intentions are.  I really hope she doesn't mind making
Yahoo and Hotmail's basic services illegal while she's "fixing" Google's
new ones.

For instance, you're missing any automated processing that
you'd like to have an email provider do for you that you would have
otherwise had to do on your own mail system on your own computer,
and any mail services that handle different messages differently,
even simple things like web-based mail readers that display
different kinds of messages differently.
Here are a couple dozen services the law bans that don't involve
advertising privacy issues; you should be able to think of more.

- Autoresponders that thank senders for their email about __x__
        Most politicians' email addresses do this,
        and most ISP technical support and complaint email addresses do 
this.
- Vacationmail responders that say you're not in the office right now,
        especially the smart responders that don't reply to mailing lists.
- Closed-account responders that say your new email address is __x___
        - the law might even be interpreted to say that SMTP can't
        reject email that was sent to a non-existent account.
- Autoresponders that notify the sender that the email system does
        automated processing and that their email cannot legally be 
accepted
        because the sender is not a subscriber to the service.
- Autoresponders that inform the sender that if they'd _like_ to
        subscribe to the service and give up lots of private information
        in return for being allowed to send mail to its subscribers,
here's how.
- Autoresponders that tell the sender that they can
        complain to
<http://democrats.sen.ca.gov/servlet/gov.ca.senate.democrats.pub.members.memDisplayFeedback?district=sd10>Senator.Figueroa () sen ca gov 

+1-916-445-6671 about this invasion of privacy.
- Mail servers that forward high priority messages to your pager
        or to another email account or to your cellphone's email gateway

- Mailing list managers that accept subscribe/unsubscribe requests by mail.
        This is especially bad, because that's an application
        that you really want to run at an ISP instead of your home PC
        for reliability reasons.
- Mailing list archivers that make your mailing list list available on 
the web
- Email-to-usenet gateways, email-to-ftp gateways (remember those?)

- Email gateways to cellphone text message services,
        which usually delete all the mail headers and
        turn html and Microsoft formatting into simple text
        so you can read the mail on your phone

- Automatically sorting email into folders based on content,
        such as putting different mailing lists into different folders
        so you can read it more easily.
- Saving attachments into specific folders, such as a web photo service
        that lets you send it pictures by email.
- Automatically downloading URLs for images from a web photo service
        (this arguably involves third-party privacy,
        depending on whether the URL indicates the recipient's info or not,
        but there's no way for the recipient's ISP to know that,
        and it's the recipient's ISP who's being banned here.)

- Web mail readers that mark high priority messages,
        or let you use different colors for different kinds of mail.
        The recipient may want this, but you can't do this with
        email sent by non-subscribers.  Even your friends or employer.
- Web mail readers that sort your mail by Subject: instead of date
- Web mail readers that show the date in your time zone instead of the 
sender's
- Web mail readers that don't show you the boring email headers
        (like Received: or User-Agent: Mozilla Thunderbird 0.5
(Macintosh/20040208))
        just the interesting ones like From: and Subject:
- Web mail readers that translate different email message formats
        (like Microsoft RTF or Microsoft Word attachments)
        and display them in a form you can read on the web.
- Text mail readers that output your message in a simpler form that
        text-to-speech readers for blind people can use.
- Text-to-speech mail readers that also do the audio on the mail server.
        This is not only useful for blind people, but it also
        enables services like calling up your email by phone.

- Secure Mail services that automatically decrypt your incoming mail if
they can
- Secure mail services that automatically encrypt your incoming mail if
they can

- Email services that charge by volume of mail that you've received,
        or don't let you receive mail or attachments if you're over quota.
        The law's broadly ambiguous about what "otherwise evaluate" means.

- Web mail services that automatically maintain address books for you,
        so you can send mail to "Figueroa" instead of typing
"<http://democrats.sen.ca.gov/servlet/gov.ca.senate.democrats.pub.members.memDisplayFeedback?district=sd10>Senator.Figueroa 
() sen ca gov".

- Instant messaging systems that accept IMs from other providers
        and not just their own subscribers, because those almost always
        have to translate the format.  This is an important
        openness issue in the industry, and the law appears to forbid it.

- Instant-messaging-to-email gateways (both directions)

- Calendar systems that let you email appointments to them, if run by an ISP
- Calendar systems that accept Instant Messages for appointments
        and run on open IM systems
- Calendar systems that send Instant Message reminders, if they're on open
IM systems

- Address-book services like Plaxo which let you send email updates
        to tell their customers that you've moved.

It's also not clear to me from a first reading of the law
whether email to the ISP itself, as opposed to email to one of its 
customers,
is also covered by the law - can their sales () isp example net address
deliver the mail to the right sales person based on sender or contents?
If one of their employees is out of the office, can their mail system
send an "I'm out of the office" message back?

You can't just fix the law by saying "ok, it can do automated processing
as long as it doesn't involve third parties."  Here are a few examples:
- Forwarding your email to other ISPs / pagers / cellphones
- Online polling and political survey services that accept email and
        summarize it for the customer.
- Web mail readers that use third party services for special processing,
        like translation from English to Spanish or Korean to English
- Mailing list archives that can be read by non-subscribers.
        For instance, the http://www.politechbot.com archives
        let me read your postings, even though I'm not a subscriber,
        and they let Google's web servers see it.
        Many Yahoogroups mailing lists allow non-subscribers to read them;
        many others don't, and many let you read messages but not
        download files or photos.
- Web mail readers that automatically download images from URLs,
        which might be online greeting cards, or photos from
        photo sharing services, or annoying spam.

I haven't even gotten to the usual jurisdictional issues that apply
when people try to make local laws about the whole internet.
I'm assuming that California wouldn't try to apply this to
email or IM companies running outside of California
just because some subscribers might live in California.
They might try to impose the rules on companies that have
non-California-based email systems and also have California presence -
if Google runs GMAIL from one of their other locations, are they in 
violation?
It's realistically too much trouble for a company to run an
email server in California that doesn't accept customers from California.
One problem with the Internet hosting business is that you don't
always know where your suppliers are unless you do lots of
due diligence work - cheap web hosting companies often have
servers in different places, and they'll put your account on
whatever server has space, and the backup will be on another
random server, and move servers around if they buy more space,
so if you're a small company developing interesting
email processing services, you really might not know
whether your server's in California this month.
(I think one of my favorite Australian-run ISPs is currently in New York,
and another one run by a guy in India seems to be outsourced to a server in
Missouri,
and both of them have moved since I started using them -
if I set my vacation-mailer on those accounts, does that make me or them
the criminal?)

Bill Stewart  bill.stewart () pobox com
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)