[Mimedefang] email wire tap

Michael Sofka sofkam at rpi.edu
Tue Mar 16 12:15:21 EST 2004


On Tuesday 16 March 2004 10:43, Charles Mount wrote:
> Thanks everyone.   As a follow-up, with add_recipient or resend_message, is
> the new recipient obvious to the other recipients, or is it like a bcc?
>
> As background on the legal issues; it is clear that legally the company not
> the employee is the owner of the office computer and all its contents
> including the email.  The place where the email administrator has to be
> careful is in being sure that the request comes from proper authority
> within the company.

Careful.  There are 50 states in the US, and each has its own
``wiretap'' statutes.  Some states, such as NY, are "single party permission,"
meaning I can wiretap my own phone as long as I've given myself permission
to record my own conversations.  Some states are "two party permission",
which, as you might guess, means both parties must agree.  If I were to wire
tap my phone, I would be well advised to put an automated message saying
``this phone call is being recorded,'' so that somebody calling me from,
for example, Maryland (a two party state) has the option of hanging up.
This applies, even though I own my own phone.

Email is not the phone, but federal wiretap statutes may apply, and there
may be state statutes that apply as well.

To give an idea of how tricky this may be, if you were to record email
illegally (either as a cracker, or as a sysadmin exceeding his or
her authority), recording the email live by running tcpdump would
be a ``wiretap,'' while copying the stored message that the email
becomes would be an unlawful access.  The former carries a stiffer
penalty (both civil and criminal) than the latter, under the
Electronic Communications Privacy Act.

Finally, it is not safe to assume ``the company owns the hardware,
so it's ok.''  The person sending the email may not work for the
company.  And, the whole issue of who can record what under what
circumstances on a machine connected to the Internet---regardless
of who owns the machine---remains largely unresolved.  The phone
company owns their machines, but it is illegal for them to wiretap you.
And, companies running their own phone systems on hardware they own
cannot record calls without notification.

Mike

-- 
Michael D. Sofka              sofkam at rpi.edu
C&CT Sr. Systems Programmer    Email, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/


