Can I Read Your Email?

by Alex Muentz, Esq.  (lex@successfulseasons.com)

I've given a few talks at hacker conferences and there are a lot of misconceptions about the laws that govern what we can and can't do.  While most legal issues are discussed in articles longer than an entire copy of 2600, I'd like to give a quick overview on reading email - can you read other people's, and who can read yours?

Note:  This is not legal advice.  While I am an attorney, I'm not your attorney.  I'm going to talk about U.S. Federal law, namely the Stored Communications Act and the Wiretap Act.  Many U.S. states have their own laws on this topic that mirror Federal law or work slightly differently.  Other countries have their own laws, and it seems that the U.S. government doesn't even follow its own.  If you have any questions about specific facts or your own case, contact an attorney.  That said, let's have some fun...

The Stored Communications Act (SCA) bars unauthorized people from intentionally accessing an "electronic communication service facility."

It also prohibits authorized users from exceeding their granted access and obtaining, altering, or preventing the delivery of another's Electronic Communication (EC) that is in storage.  There's a second set of laws, commonly known as the Wiretap Act or the Electronic Communications Privacy Act (ECPA), that deals with ECs in transit.

"Storage" here is what attorneys call a "term of art," which means that it doesn't mean what you think it means.

Storage under the SCA includes any time the EC stops, even for a microsecond.  Consider this hypothetical: I email this article to 2600.  My email server holds onto the email while it figures out how to route it.  It's in storage, if only for a tenth of a second, so it's covered by the SCA.

The email server breaks it into packets and sends it to its upstream router.  Now the packets are "in transit" until they make it to the router.  The packets are in storage when in the router's memory.  They're also in storage if I have my email client save sent mail.

Yup, "EC" is a vague term too.  Since ECs aren't defined by the SCA, any new method of digital communication is likely to be covered.  Messages on BBSes, web forums, email, IMs, pages, and cell phone text messages have already been ruled to be covered by the SCA.

Since the outcome of many legal issues depends on who you are and what you're doing to whom, the following chart should help:

Who Are You?               Whose EC Are You Looking At?   Am I O.K.?
Intended Recipient         Yours                          Yup (1)
Inadvertent Recipient      Someone Else's                 Yup (2)
Intentional Recipient      Someone Else's                 Nope (3)
Email Provider (public)    User's                         Maybe (4)
Email Provider (private)   User's                         Maybe (5)
Police                     Someone Else's                 Maybe (6)

1.)  The intended recipient can always read their own stuff, at least under the SCA.

2.)  If you get an incorrectly addressed email, or if your email system misroutes someone else's email to you, you're O.K., as long as you didn't do anything to get that email.  Mind you, if you asked someone else to get you the email, and neither of you are authorized to see it, it's not inadvertent.

3.)  If you intentionally exceed your granted permissions and access or modify someone else's EC without their permission, or prevent them from getting it, you've violated the SCA and potentially face up to one year in prison and fines, or five years if you do it for profit or "malicious destruction."  Here's the fun part: The law isn't quite sure what "exceeds authorized access" means yet.

4 & 5.)  A provider of an "electronic communications service" or their workers can look at ECs stored on their systems.  Providers who offer their service to the public, such as ISPs or cell phone companies, can't divulge the contents of ECs, except to deliver the message to the recipient, or when served with a valid subpoena or search warrant.  Also, a public provider may forward an EC to the police if they believe it contains an imminent threat of serious physical harm to another, and the provider noticed the threat inadvertently.

A private provider, such as a university or business that offers email only to its workers, may be able to divulge the contents of emails if it wants to.  It's a gray area, which is why lots of employers make you sign a release when they give you an account on their systems.  That way they're protected either way.

6.)  The police can acquire the contents of ECs with a valid search warrant, which requires that there is probable cause that the emails are evidence of a crime.  The police can also read ECs if the recipient allows them.

So what exactly is a "provider" under these laws?

While it's not explicitly defined in the law, the common law system (what the U.S. uses) allows judges to look at previous court cases to guide them.  So far, if you own the service and decide if others get to use it, you're a provider.  So if you run a Linux box and give your friends or employees mail accounts, you're a provider.  If you let anyone use the system for a fee, you may be a "public provider."

What About Sniffing?

What happens if you don't get their communications from storage, but sniff it from the wire or from wireless?

In most states, the SCA no longer concerns you.  However, the Wiretap Act does come into play.

Intercepting ECs without authorization by the recipient or by law may result in up to five years imprisonment and a fine, and opens you up to civil suits by the victims.  The list of "authorizations under law" is an interesting one.

You can look at ECs on the network if you:

  1. Get permission from the recipient of the EC.
  2. Are the intended recipient of the EC.
  3. Are intercepting transmissions intended for the general public, persons, ships, or aircraft in distress, police/fire/emergency, CB band, or amateur radio.  Note:  Encrypted transmissions are not considered "for the public."
  4. Are investigating a source of "harmful interference" to authorized radio or consumer electronics, as long as the interception is only to determine the source.
  5. Are an employee of the FCC if intercepting EC is within their job description.
  6. Are a provider of an electronic communication service and the interception is:
    • Necessary to provide the service.
    • Necessary to protect the rights or property of the service.
    • To comply with a court order or wiretap warrant.
    • Employees of the above can be protected under the "provider" exception if the interception is within their job description.

There's some other stuff about allowing the President (and his employees) to conduct foreign intelligence, but what that means isn't going to get figured out for a while.

What's interesting is that "providers" are allowed to do a lot more with ECs when they're in storage than when they're being transmitted.  That may be changing soon.  There's a recent court ruling that seems to limit what providers can do with ECs on their systems.

To Recap

You can read your own mail.

If someone sends you stuff by mistake, you can read it.  If you break into someone else's server, you're in trouble.

If you're allowed in the server, but get root by some nefarious means, or guess your ex-girlfriend's Hotmail password to read their mail, you're in trouble.  If you want to test out a sniffer, get permission from the owner of the network.

There are some gray areas in the law, such as who can grant permission to view ECs and what constitutes permission.  Does letting a user sudo grant permission to read other people's stuff?  If I give my root login to someone else and they read your email, did I grant permission to do it?

All these are interesting questions and they haven't been answered by the courts yet.  Of course, every one of these questions will have to be answered by a real case, with victims and defendants.  Nobody wants to be a test case.

Be careful out there.

If you do get busted or sued, keep your mouth shut and talk to a lawyer.
