I read a lot of thrillers, and I'm always fascinated by how authors such as Tom Clancy depict the technology that US intelligence agencies use. (The one writer who consistently gets the technical details right is John Sandford, although Christopher Whitcomb is giving him a run for his money.) Speaking of interesting reading, take a look at United States Signals Intelligence Directive (USSID) 18, the law under which such intelligence agencies can monitor email. Of course, we all know that without a court order, other agencies and individuals are legally prohibited from reading email that doesn't belong to them--or are they?
The story begins with an Internet bookseller called Interloc (which has since become Alibris). Interloc also provided email services (through a subsidiary) to rare-book dealers who were its customers. In January 1998, Bradford Councilman, vice president at Interloc, instructed employees to monitor and copy email communications between Interloc customers and Amazon.com (an Interloc competitor), allegedly so that Councilman could gain a market advantage for Interloc. A federal grand jury indicted Councilman in July 2001 for violating Title I of the Electronic Communications Privacy Act (ECPA--see US Code Title 18 Section 2511 for details), commonly known as the Wiretap Act, which prohibits unauthorized interception and disclosure of other people's electronic communications. That seems pretty straightforward, right?
Now, however, the plot has thickened. Councilman petitioned the court to dismiss the indictment, claiming that the Wiretap Act didn't apply to the email in question. The core of his argument was that because those messages were copied while they were stored on a server (albeit temporarily) rather than while they were "in transit," the messages fell under Title II of the ECPA (commonly known as the Stored Communications Act), which he hadn't been indicted for violating. Late last month, the United States Court of Appeals for the First Circuit affirmed the dismissal, meaning that reading through other people's email, so long as it's stored on systems under your control, appears to be legal (though rude). In essence, a bug in the law--Congress's failure to specify stored communications within the scope of "electronic communication" as defined in the ECPA--means that Councilman gets off scot-free, at least for now.
Does this ruling mean you should start reading email on your server? I wouldn't advise it, for several reasons:
- The court's opinion wasn't unanimous (you can read the ruling and the dissenting opinion at http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf ).
- The court's precedent applies only to the First Circuit, not to the United States as a whole (and of course the ruling has no weight in other countries, some of which have stricter privacy and data protection laws than the United States does).
- The government can't indict Councilman again, but it did manage to win convictions against two other parties involved in the case--including the systems administrator who turned on monitoring at Councilman's request.
I'm not an attorney, and I'm not providing legal advice, but my view is simple: If you're a professional messaging administrator, then professional ethics--not to mention plain old common sense--should prevent you from monitoring email unless you're compelled to do so by a proper legal authority. Email interception can land you--and your employer--in a lot of hot water. The risk isn't worth it--end of story.