Digg this story   Add to del.icio.us  
Chat, Copy, Paste, Prison
Mark Rasch, 2004-04-12

When a New Hampshire judge threw out chat-log evidence against an accused pedophile, he illustrated just how jumbled and confused Internet privacy law can be.

You are engaged in a chat session with some friends and colleagues, when one of them makes a witty remark or imparts a pithy bit of information. You hit CTRL-A and select the conversation, then copy it to a document that you save. Under a little-noticed decision in a New Hampshire Superior Court in late February, these actions may just land you in jail.

New Hampshire is "two-party consent state" -- one of those jurisdictions that requires all parties to a conversation to consent before the conversation can be intercepted or recorded. The decision is the first of its kind to apply that standard to online chats, and the ruling is clearly supported by the text of the law. But it marks a blow to an investigative technique that has been routinely used by law enforcement, employers, ISPs and others.

On August 22, 2002, as part of his official duties, Detective Frank Warchol of the Portsmouth, New Hampshire Police Department signed on to a chat room on America Online, posing as a fourteen-year-old girl. We all know what happened next. A man named Roland MacMillan also signed on to the chat room, and solicited what he believed to be the 14-year-old for sexual acts. Shortly thereafter Mr. MacMillan was arrested.

Detective Warchol -- in keeping with good evidentiary procedure and knowing that the record of the conversation would be important to preserve -- used screen capture software to essentially make a "video" of the online chat room conversation. The software created a record of the chat session that did not previously exist. The New Hampshire detective then transferred this "recording" to another computer for both preservation and analysis by essentially copying and pasting. It was this capture and recording which was used against MacMillan in court -- or, at least, was almost used.

Before trial, Mr. MacMillan's attorney filed a motion in limine to suppress the results of the recorded conversation as a violation of the New Hampshire wiretap statute. You see, New Hampshire law makes it illegal to engage in "the aural or other acquisition of, or the recording of, the contents of any telecommunication or oral communication through the use of an electronic, mechanical, or other device" without consent. MacMillan's attorney argued that the making of the recording violated this statute.

While the U.S. federal wiretap law, the U.K Regulation of Investigatory Powers statute, and many U.S. state laws provide a similar definitions of "interception" and unlawful interception, the New Hampshire statute requires that the recording of the conversation be made with the consent of all parties of the conversation -- not just one of the parties. Thus, the New Hampshire judge had to decide, essentially, two questions: did the Detective make a "recording" of an electronic communication, and was this done without the consent of one of the parties? The answer to both of these questions was, yes.

On February 23rd, Rockingham County Superior Court Judge Robert Morrill ruled that the results of the copy and paste were an unlawful wiretap, and that they could not be admitted into evidence. He could have gone further and found that the policeman committed a state felony by both making the initial screen capture, and again by transferring it to the other computer, and again when he "disclosed the contents" of the illegal copying either to the prosecutor or to the court. Judge Morrill concluded that, "If Detective Warchol had not taken these acts, the words of the online communication would no longer exist after the program was exited or the computer was shut down." This was not to suggest that the police could not have "captured" the communication -- only that they could not have done so without either a warrant or the appropriate Attorney General approval.

I Fought the Law and the Law Lost
The case exemplifies the oddities that form when technology and lawyers meet. There was nothing unlawful about Detective Warchol posing as the fourteen-year-old girl and engaging in the conversation -- at least not under established U.S. law, which permits police to deceive, defraud and outright lie during criminal investigations. Similarly, there was nothing unlawful about his reading the conversation, or later testifying about the conversation he had with MacMillan. The crime was in making the recording without consent.

Clearly Detective Warchol consented to the recording he made, and MacMillan had little expectation of privacy in the chat session. But New Hampshire, like many other U.S. states including California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Pennsylvania and Washington, requires all parties to the communication to consent to a recording before it is legal. And MacMillan, while engaged in the conversation with the putative 14-year-old, did not consent to recording the conversation.

It is useful to contrast the MacMillan case with one in 2002 in Washington state which has an even more stringent all-party consent statute. In that case, Donald Townsend engaged in an ICQ session with what he believed to be a 13-year-old girl, but was in fact an undercover police officer. In permitting the introduction of the recorded ICQ session, the court noted that the ICQ technology itself had a default setting to make a permanent record of the conversation. The court found that since Townsend should have known about the default setting, he effectively consented to the making of the recording under Washington's all-party consent statute.

In the AOL chat session, there was no such default recording, and therefore no consent by Mr. MacMillan. Therefore, the recording was illegal. The test seems to be whether the recording capability is part of the instant messaging software itself (in which case it may be legal to record) or whether it is an add-on, and therefore an unlawful recording. Courts in other all-party consent states like Maryland have reached similar conclusions with respect to recording telephone conversations.

The cases however ignore that fact that the concept of "recording" a conversation consisting of "packets" may make little sense. The packets are forwarded by routers and are automatically stored -- at least temporarily -- in the receiving machine's random access memory. Should converting this volatile memory to non-volatile memory be a felony? We need to get beyond the technology itself (AOL vs. ICQ) and ask whether there are legitimate expectations of privacy that we seek to protect by either permitting or refusing to permit the creation of a permanent record of communications.

Monitoring E-Mail
A similar and more insidious set of circumstances arose in connection with early cases about employer's right to monitor employee's e-mail communications. Under U.S. federal law, the employer, as the provider of the electronic communications services, can monitor communications "in the ordinary course of employment," or if any party to the communication has consented to the monitoring. While the former rationale -- called the "provider exception" -- traditionally has been applied to permit the telephone company to listen in on telephone calls, most companies have relied upon the latter rationale to permit them to monitor employees' e-mails or other electronic communications. Employee handbooks, login screens and warning banners contain language to the effect that "by using this system, you are consenting to our monitoring..."

That's all well and good under federal law. But what about the employees' e-mail to a non-employee third party in one of the all-party consent states? Putting aside the provider exception, why is an employer allowed to monitor this communication?

In permitting employers to read electronic communications without all-party consent, courts have determined that the capture of the inbound or outbound mail at the mail server is not an interception of a communication in transmission. Voilia! We have defined the pesky privacy provisions out of existence. In fact, since e-mail is always "store and forward," is it even possible to intercept it in transmission? Like Schroedinger's cat, don't you have to stop it to measure it and thereby alter its character?

The New Hampshire decision muddies the waters for employers. Many regulations mandate that companies monitor, record and preserve both e-mail, IM and chat communications. For example, brokers, dealers, and transfer agents subject to Securities and Exchange Commission (SEC) and National Association of Securities Dealers (NASD) rules have to keep records of such chat sessions. But the New Hampshire precedent might make such recording illegal unless the brokers obtain the effective consent of all people in the conversation -- e.g., with some sort of warning banner before they can enter the chat or conversation. It's not enough that the broker-dealer consent, but everybody in the chat must do so as well.

With new technologies, like VOIP (and the new digital telephony proposal by the US Department of Justice to the US Federal Communications Commission to make VOIP less secure and subject to monitoring), we have to reassess the fundamental rights to privacy. In at least those states that prohibit monitoring without all party consent, the employer generally cannot record an employee's telephone calls using company hardware during company time unless the person he or she is talking to also consents to the recording. This is what got Linda Tripp into trouble by recording Monica Lewinsky (well, almost got her into trouble.) Why should e-mail be any different? Why should VOIP? Why should IM? IRC? SMS? Either communications are private, or they are not. To the Internet, packets is packets. Maybe its time for the law to make up its mind.


Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us  
Comments Mode:
Chat, Copy, Paste, Prison 2004-04-12
Anonymous (2 replies)
Chat, Copy, Paste, Prison 2004-04-13
Anonymous
Chat, Copy, Paste, Prison 2004-04-15
Anonymous
Chat, Copy, Paste, Prison 2004-04-12
Anonymous (1 replies)
Copyright infringement in RAM 2004-04-14
Anonymous
Chat, Copy, Paste, Prison 2004-04-12
Anonymous
Chat, Copy, Paste, Prison 2004-04-13
Anonymous (1 replies)
Chat, Copy, Paste, Prison 2004-04-14
bee-keeper
lawful interception? 2004-04-13
Anonymous (1 replies)
lawful interception? 2004-04-13
Anonymous
Chat, Copy, Paste, Prison 2004-04-13
Anonymous (2 replies)
Chat, Copy, Paste, Prison 2004-04-14
Anon E Mouse
Chat, Copy, Paste, Prison 2004-04-15
Anonymous
Chat, Copy, Paste, Prison 2004-04-13
Anonymous Joe
Need Guidance for Whose on First 2004-04-14
Anonymous
Chat, Copy, Paste, Prison 2004-04-14
Ric Werme
and don't forget Trillian 2004-04-14
Anonymous
Pretty flimsy law... 2004-04-14
Anonymous
Chat, Copy, Paste, Prison 2004-04-15
Roy Sullivan <lasheray@msn.com>
Dura lex, sed lex 2004-04-15
Anonymous
Chat, Copy, Paste, Prison 2004-04-15
Anonymous
Chat, Copy, Paste, Prison 2004-04-16
errtu
Chat, Copy, Paste, Prison 2004-04-16
Anonymous
Chat, Copy, Paste, Prison 2006-04-03
Firegirl
Chat, Copy, Paste, Prison 2006-04-28
Anonymous


 

Privacy Statement
Copyright 2010, SecurityFocus