BC Law IPTF Blog

Given the way that the gov’t can discover your personal information–name and address–from your IP, if you care about privacy, then you should care about how your IP is revealed. Now this can be done in many ways regarding web browsing, but how about web-based e-mail? I’ve looked at Gmail and Yahoo!, and Yahoo! puts your client PC’s IP address in the e-mail headers; Gmail does not. Yahoo! makes this clear in their “privacy” policy:

Yahoo! Mail includes IP addresses in outgoing mail message headers, as specified by standard Internet protocol.       

And I’ve verified this through some e-mail tests. So if you send e-mail to a government address–whether it’s fake, spoofed, a honeypot, what-not–through Yahoo! Mail, then you’re basically telling the recipient who you are in real life. Even anyone with easily Google-able tools on the Internet, can find out your general location and information on your ISP.

Update: Hotmail also passes your IP address in the headers, too. (It’s passed as “X-Originating-Ip.”) So watch out for Yahoo! and Hotmail.

Pretty straightforward description of how to grab an IP (probably via a honeypot) and attribute it to a downloading user.

From U.S. v. Carter, No. 2:07-CR-00184-RLH (GWF), 2008 WL 623600, at *4 (D. Nev. March 6, 2008):

The Affidavit then described the steps taken by the Government to identify the user of Internet Protocol (IP) address 68.108.184.145. A search of the publicly available website arin.net revealed IP address 68.108.184.145 was controlled by Cox Communications. On October 31, 2006, the Government served an administrative subpoena on Cox Communications to identify the individual subscriber to IP address 68.108.184.145 on October 25, 2006 at 7:12 p.m. PDT when a user of this IP address first attempted to download the posting created by SA Luders on the Ranchi message board. On November 10, 2006, Cox Communications responded to the subpoena by identifying Luana Carter, 3815 North Nellis Boulevard, Number 26, Las Vegas, Nevada 89115, telephone number 702-860-7293, as the subscriber to IP address 68.108.184.145. Exhibit “A”, p. 16, ¶¶ 35-38. On January 17, 2007, the Government conducted a search of the public records data base LexisNexis which indicted that Luana Carter resided at the above listed address and that Defendant Travis Carter was a household member at that address. Id., ¶ 39. On January 17, 2007, the Government also checked Nevada Department of Motor Vehicle (DMV) records which revealed a current driver’s license for Luana Carter, with the same social security number, date of birth and physical address obtained through LexisNexis. Exhibit “A”, pp. 16-17, ¶ 40. On February 8, 2007, the Government also served an administrative subpoena on Nevada Power Company for subscriber information for 3815 North Nellis Boulevard, Number 26, Las Vegas, Nevada 89115. Nevada Power Company’s response to the subpoena listed Luana Carter as having an active account at that address since June 22, 2001 and listed her home telephone number as 702-860-7293. Id., ¶ 4.

A recent thread of comments on Lifehacker shows how non-governmental organizations are using this method to track down copyright infringers. If you use a P2P service such as BitTorrent, you reveal your IP to any seeder (or any other leecher in the swarm), and if the seeder is, for example, the RIAA, then they know your IP. A simple request to your ISP will cough up your name and address. And then they can get a search warrant to grab your computer(s).

If you read the rest of the case, then you’ll see that part of defense hinges upon a “wireless defense”–the “I have an open wireless router, and it could have been someone else besides me” defense. Well, that might be true, but it can’t upset the “fair probability” that the person doing the downloading the IP might have been the owner of the wireless router. I wonder, though, what the physical circumstances of the defendant was… Was he merely positing the hypothetical for his house in the countryside? Was he merely hoping for war drivers? Or was he living in an apartment building where folks on his floor and the floors above and below him–as well as war drivers–could leech his wireless bandwidth?

I wonder if the “fair probability” might erode a bit more in a high-density situation. If you really do share your wireless bandwidth with a handful of other users, is there still a “fair probability” that any Internet traffic is attributable to the router owner? Looked at another way, if someone could leech off another person’s wireless bandwidth, then maybe that person would be given freer rein to use the bandwidth in less savory ways. I mean, that’s largely why people war drive in the first place.

From National Economic Research Associates, Inc. (”NERA”) v. Evans, 21 Mass.L.Rptr. 337 (Mass. Super. 2006):

NERA contends that any reasonable person would have known that the hard disk of a computer makes a “screen shot” of all it sees, which the computer then stores in a temporary file, including e-mails retrieved from a private password-protected e-mail account on the Internet. NERA further contends that any reasonable person would have known that these temporary files, although not readily accessible to the average user, may be located and retrieved by a forensic computer expert. This Court does not agree that any reasonable person would have known this information. Certainly, until this motion, this Court did not know of the routine storing of “screen shots” from private Internet e-mail accounts on a computer’s hard disk.

Furthermore:

The bottom line is that, if an employer wishes to read an employee’s attorney-client communications unintentionally stored in a temporary file on a company-owned computer that were made via a private, password-protected e-mail account accessed through the Internet, not the company’s Intranet, the employer must plainly communicate to the employee that:
1. all such e-mails are stored on the hard disk of the company’s computer in a “screen shot” temporary file; and
2. the company expressly reserves the right to retrieve those temporary files and read them.
Only after receiving such clear guidance can employees fairly be expected to understand that their reasonable expectation in the privacy of these attorney-client communications has been compromised by the employer.

I was browsing through Massachusetts Superior Court slip opinions during this mind-numbing LexisNexis training, and I came across Commonwealth v. Maccini, No. 06-0873, slip op. (Mass.Super. April ___, 2007). This is a typical child pornography case where a cop in Ohio entered a few chatrooms and was solicited by a guy in Massachusetts who then sent him child porn.

The defense is that the child porn should be suppressed because interception of that material is in violation with the Massachusetts wire tap statute. Well, that fails because the communications were “tapped” in Ohio, and therefore the Massachusetts statute doesn’t apply. Furthermore, generally e-mail is treated more like postal mail than phone conversations, and so most courts don’t apply wire-tap statutes anyways.

Here’s what Judge Fabricant thought about it:

The question presented by this motion is whether the defendant’s e-mail and instant message communications were unlawfully intercepted within the meaning of the statute. The Court concludes that they were not, for each of two distinct reasons: First, Haueter received and recorded the communications not in Massachusetts, but in Ohio, where he was not subject to the Massachusetts statute or any similar statute; and second, Haueter’s receipt and recording of the defendant’s communications was not secret, but rather was with the defendant’s knowledge and implicit consent.

In explanation:

In State v. Lott, 152 N. H. 436, 439-442 (2005), the Supreme Court of New Hampshire applied a statute similar to ours to facts virtually identical to those presented here. After thoroughly exploring the nature and characteristics of electronic mail and instant messaging, the Court concluded that the defendant there, by using those methods of communication, “as a matter of law, consented to the recording of his communications,” because recording on a computer is inherent in such communications. Electronic mail, the Court reasoned, is essentially the equivalent of leaving a message on an answering machine; one who sends an e-mail anticipates that it will be recorded. Lott, supra, 152 N. H. at 441, citing State v. Townsend, 57 P. 3d 255, 260 (Wash. 2002). See also United States v. Maxwell, 45 M. J. 406, 418 (U. S. C. A. Armed Forces, 1996) (likening e-mail to sending a letter; sender retains no control, and no expectation of privacy). Instant messaging, similarly, is automatically recorded on the recipient?s computer. The recording remains as long as the chat window is open, and may remain indefinitely if the recipient uses any of various options that are inherent in the instant messaging program to preserve it. Lott, supra, 152 N. H. at 441, citing State v. Bouse, 150 S. W. 3d 326, 329 (Mo. Ct. App. 2004). One who uses these methods of communication, the Court concluded, is on notice of the inherent recording, and implicitly consents to it. Lott, supra. The Lott case, although not binding on this Court, is persuasive, and this Court adopts its reasoning to reach the same conclusion.

So, again, it’s OK for the government to search and seize your electronic communications. Basically, once you send a message to someone else, you do it knowing that they are keeping a copy of it. But does that mean that it’s not private? Does that mean you don’t expect them to send it to the general public? This case doesn’t get into any “expectation of privacy” reasoning; it avoids it altogether. But it’s still a good summary of the current state of the law, pre-Long, and that’s why I’m posting on it.

Maybe it has to do with the fact that I was hyperactive child. (Is that what they used to call ADD?) But today I stopped for a burrito and decided to take a look at my paper on privacy and electronic communications. I’ve been editing this paper that I finished last semester, and updating some of the law, cleaning it up, and adding some stuff on MMORPGs. It’s been slow, what with all the classes and clinic and such.

But at the burrito joint, I cruised through 10 pages and wrote about a page extra in about half an hour. There’s something about me where it’s hard for me to just sit down and work. I need to be doing something else.

(more…)

In researching for my crim pro paper, I ran across this recently decided case: U.S. v. Long, 64 M.J. 57 (U.S. Armed Forces 2006). Most courts to date hold that there is no expectation of privacy in one’s e-mails. The legal reasoning behind this is generally based upon the facts that once you send an e-mail it bounces along a chain of servers on a public Internet, and that once the recipient receives the e-mail it is easily forwarded to the general public.

Long veers strongly from these precedents. Lance Corporal Long used her military e-mail system to communicate with friends regarding her drug use. Long, 64 M.J. at 59. The Government then brought these e-mails to evidence for charges of unlawful drug use. Id.

The Long court agreed with the lower court decision that the e-mail evidence should be suppressed since Long “had a reasonable expectation of privacy in the e-mails sent and received on her government computer.” Long, 64 M.J. at 60.

Furthermore, even though there was a log-on banner to the e-mail system, explaining that e-mail use was monitored, users do not consent to monitoring of their e-mail for law enforcement purposes. Long, 64 M.J. at 65. The court interpreted precisely the language of the log-on banner, noting that the monitoring consented only be for “limited purposes”–and that no user would expect “no privacy” from the language of the banner. Id.

OK. I’m tired now. Back to Federal Income Tax for me…

This, again, is another technology-related post, tangentially related to the law.

I’m using the Torbutton Firefox plugin to route my brower requests through Vidalia/Privoxy and onto the Tor network. Tor is a technical method of constantly re-routing your web (or other Internet-related) requests through different Tor servers such that each “server step” along the way doesn’t know where the original request came from. (That’s an attempt at a simplification.) Using Tor, you can anonymize your web traffic.

So when I tried to search on Google, I was a bit confused when I was at the Danish Google - google.dk. I tried again, and then I was at the German Google. And then I realized what’s happening. My web request was getting routed from a Danish Tor server, google.com recognized my Danish “origin,” and then served me the Danish home page.

So, if anything but a little bit of a pain, it’s at least proof that my Tor-surfing is working. And my anonymity is somewhat retained.

(I’m working on a paper including a practical guide for Fourth Amendment privacy-protection of electronic communication.  That’s my justification for this post.)