Monitoring, Flow Stats (Re: spam whore, norcal-systems)

Dean Anderson dean at
Wed Feb 3 22:32:53 UTC 1999

At 01:08 PM 2/3/1999 -0800, Dan Hollis wrote:
>On Wed, 3 Feb 1999, Dean Anderson wrote:
>> One doesn't lose privacy protections merely because they are or might
>> be doing something you don't approve of.
>In regards to electronic communication and undesirable activity (or in
>violation of a signed AUP), the privacy protection defense is an extremely
>weak one, and has been rejected by judges. Basically if what youre doing
>is in violation of an AUP that you signed, judges have ruled that
>the privacy protection claim is no defense. You voluntarily waived those
>rights by signing them away.

This is true for online service dialup users who send or get mail from a
service.  The service can boot them.  Your direct users signed agreements
which give you permission to block or filter.  They gave you permission.
Now, the ECPA still applies, but you are now *authorized* to do what would
otherwise be illegal.  ECPA makes *unauthorized* accesses illegal.

That doesn't make it true for transit providers. Your boss at a transit
provider for someone else 3 providers away isn't a party, and can't
authorize you to read the communication.

Ask yourself the following question:  Am I a party (sender or recipient) to
the communication?  Am I authorized by someone who is?  **thanks to Dean
Robb, the Attorneys manual says it must be "specifically authorized"

If you can answer either of these affirmatively, you're OK.  But remember,
if the sender comes back and says "You aren't a party to the communication,
I didn't give you permission", you could be in big trouble.  You can't be
fired for refusing to violate a law. (well, you could be, but you'd have a
wrongful termination case) But you are still responsible for a criminal
violation even if your boss tells you to do it.

Owen DeLong in private communication points up that he thinks that this
permission is transitive. That has the problem that it trivially obviates
all privacy.  Every provider is automatically authorized, no one is not
authorized. Privacy is in the eyes of the provider. The ECPA was intended
to prevent communications providers from looking at things they shouldn't
and don't need to.  So I'm not convinced.  **thanks to Dean Robb, the
Attorneys manual says it must be "specifically authorized"

I note that none of the big providers do any of this. They don't block.
They don't monitor for more than their service quality.  Other than
canceling service if they get complaints, they don't do anything except
perhaps refer complaints to others. 

>Also, the privacy protection defense is almost always rejected if it
>involves outright criminal activity eg smurfs, theft, etc.

True. Thats where the abuse clause presumably applies. But it has to be
criminal. UCE isn't criminal.


           Plain Aviation, Inc                  dean at

More information about the NANOG mailing list