Path: utzoo!attcan!uunet!husc6!mailrus!cwjcc!hal!nic.MR.NET!shamash!raspail!steve From: steve@raspail.UUCP (Steve Schonberger) Newsgroups: comp.mail.headers Subject: Re: simple encryption in mail Summary: Mail privacy Message-ID: <1178@raspail.UUCP> Date: 24 Jan 89 20:14:02 GMT References: <508@solaris.UUCP> <1119MICHAEL@MAINE> Organization: Control Data Corporation, Arden Hills, MN Lines: 48 In article <1119MICHAEL@MAINE>, MICHAEL@MAINE writes: > I can't quite tell where you are located, but if it is inside the USA then > your mail administrator should know that by reading your mail as it comes > and goes he is (unless he can reasonably cite system security, which I doubt) > breaking the law. There is a law in this country (PL99-508, "The Electronic > Communications Privacy Act of 1986") that specifically prohibits intercepting > and reading of electronic mail and other forms of electronic communication. This is not correct. Any place that provides mail may choose whether to be follow this law or not. The law is that a mail provider must do everything possible to ensure the privacy of communications if they say their mail is private. By saying their mail is private, they bring themselves under the same body of law that keeps the Post Office and telephone companies from inspecting communications that they pass. The advantage of this to a mail provider is that having the provider legally bound to be secure is a good selling point, because people like secure mail. The disadvantage is that they are liable for criminal (not just civil) penalties if they breach that privacy, and possibly civil penalties if someone outside their organization invades their privacy through flaws in their security. If someone is unable to provide communication security comparable to a telephone conversation (the case with _all_ mail going through the net), doesn't want to bother making it that secure (the case within most sites), or just doesn't want to put themselves at legal risk, they can state that their system is not guaranteed secure, at which point they can do whatever they feel like to their mail. A lot of local bulletin board systems I use have statements saying that it is not their policy to read or alter mail, but that they refuse to guarantee that it is secure. By saying this they free themselves of any legal responsibility connected with that law. I do not know what that law says about the default case. In other words, I am not sure if a mail provider is assumed to guarantee privacy if they don't specifically disclaim it, or if they are assumed to disclaim it unless they specifically guarantee it. I'd be curious to know, if anyone can provide a direct quote of the law on that matter. To bring this all back to the topic of this newsgroup, I think that the only way you can expect mail to be private, legal guarantees or not, is to encrypt it. A standard mail header to indicate encryption would be a good thing, though the message looking like garbage data accomplishes the same thing. Steve Schonberger steve@raspail.uucp raspail!steve@shamash.cdc.com ...!uunet!rosevax!shamash!rapail!steve