Addendum III (this is the end for now) Re: Addendum II Re: Addendum Re: The legal basis for Service monitoring Title 18 Section 2702.6A Re: Why TOR Operators SHOULD always sniff their exit traffic...
tor
tor at algae-world.com
Fri Jun 10 03:56:42 UTC 2005
tor wrote:
> and furthermore :)
>
>
> TITLE 18--CRIMES AND CRIMINAL PROCEDURE
>
> PART I--CRIMES
>
> CHAPTER 121--STORED WIRE AND ELECTRONIC COMMUNICATIONS AND
> TRANSACTIONAL RECORDS ACCESS
>
> Sec. 2702. Voluntary disclosure of customer communications or
> records
>
>
> (3) a provider of remote computing service or electronic
> communication service to the public shall not knowingly divulge a
> record or other information pertaining to a subscriber to or
> customer of such service (not including the contents of
> communications covered by paragraph (1) or (2)) to any governmental
> entity.
>
> (b) Exceptions for disclosure of communications.--A provider
> described in subsection (a) may divulge the contents of a communication--
> (1) to an addressee or intended recipient of such communication
> or an agent of such addressee or intended recipient;
> (2) as otherwise authorized in section 2517, 2511(2)(a), or
> 2703 of this title;
> (3) with the lawful consent of the originator or an addressee
> or intended recipient of such communication, or the subscriber in
> the case of remote computing service;
> (4) to a person employed or authorized or whose facilities are
> used to forward such communication to its destination;
Oops, section 4 would seem to apply also (don't know how that one got past
me!! :)
a tor operator
> (5) as may be necessarily incident to the rendition of the
> service or to the protection of the rights or property of the
> provider of that service; or
> (6) to a law enforcement agency--
> (A) if the contents--
> (i) were inadvertently obtained by the service
> provider; and
> (ii) appear to pertain to the commission of a crime;
>
> (B) if required by section 227 of the Crime Control Act of
> 1990; or
> (C) if the provider reasonably believes that an emergency
> involving immediate danger of death or serious physical injury
> to any person requires disclosure of the information without
> delay.
>
>
> please note section 2702 section 3b4,5,6Ai,ii B and C..
>
>
> Uh Chris... maybe you being technical manager at eff should actually
> study title 18 code pertaining to ECPA and ask the EFF attorney what
> it means if you are that unclear about the law. These are just what I
> could come up with in about 30 minutes on access.gpo.gov. Or perhaps
> you live in a parallel
> USA where persons and/or corporations who actually provide services
> are NOT allowed to defend their service and property
> against misuse or criminal actions. The laws above are what govern the
> USA that I operate in for now...
>
>
> I am NOT a lawyer... sheesh...
>
> If I had a penny for every time I have heard this expression, then
> someone starts to spout legal advice...
>
>
> All of you who have been following this discussion ARE well advised to
> take the above to their OWN Specialist in ECPA law
> (I suggest an ex US attorney might be particularly fit for this kind
> of advice and describe completely what actions you are planning to
> take.) The above is NOT construed to be legal advice BUT IS what the
> law actually says...
>
>
> a tor operator
>
> ps sorry to all about the long US centric discussions about legal
> exceptions to ECPA et al
>
>
>
>
> tor wrote:
>
>> And in addition :)
>>
>> from the U.S. Code On line via GPO Access
>> [wais.access.gpo.gov]
>> [Laws in effect as of January 7, 2003]
>> [Document not affected by Public Laws enacted between
>> January 7, 2003 and February 12, 2003]
>> [*CITE*: *18USC2701*]
>>
>>
>> TITLE 18--CRIMES AND CRIMINAL PROCEDURE
>>
>> PART I--CRIMES
>>
>> CHAPTER 121--STORED WIRE AND ELECTRONIC COMMUNICATIONS AND
>> TRANSACTIONAL RECORDS ACCESS
>>
>> Sec. 2701. Unlawful access to stored communications
>>
>> (a) Offense.--Except as provided in subsection (c) of this section
>> whoever--
>> (1) intentionally accesses without authorization a facility
>> through which an electronic communication service is provided; or
>> (2) intentionally exceeds an authorization to access that
>> facility;
>>
>> and thereby obtains, alters, or prevents authorized access to a wire
>> or electronic communication while it is in electronic storage in such
>> system shall be punished as provided in subsection (b) of this section.
>> (b) Punishment.--The punishment for an offense under subsection
>> (a) of this section is--
>> (1) if the offense is committed for purposes of commercial
>> advantage, malicious destruction or damage, or private commercial
>> gain--
>> (A) a fine under this title or imprisonment for not more
>> than one year, or both, in the case of a first offense under
>> this subparagraph; and
>> (B) a fine under this title or imprisonment for not more
>> than two years, or both, for any subsequent offense under this
>> subparagraph; and
>>
>> (2) a fine under this title or imprisonment for not more than
>> six months, or both, in any other case.
>>
>> (c) Exceptions.--Subsection (a) of this section does not apply
>> with respect to conduct authorized--
>> (1) by the person or entity providing a wire or electronic
>> communications service;
>> (2) by a user of that service with respect to a communication
>> of or intended for that user; or
>> (3) in section 2703, 2704 or 2518 of this title.
>>
>> Please note Exception C1 above...
>>
>>
>> comment requested by EFF Attorneys..
>>
>>
>> A tor operator
>>
>> tor wrote:
>>
>>> In addition I came across these, as I quite often have acted under
>>> color of law when investigating computer intrusions/assisting law
>>> enforcement investigations. These are also very interesting.
>>>
>>> TITLE 18--CRIMES AND CRIMINAL PROCEDURE
>>>
>>> PART I--CRIMES
>>>
>>> CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND
>>> INTERCEPTION OF ORAL COMMUNICATIONS
>>>
>>> Sec. 2511. Interception and disclosure of wire, oral, or
>>> electronic communications prohibited
>>>
>>> (2)(i)
>>>
>>> and 3a
>>>
>>>
>>> (i) It shall not be unlawful under this chapter for a person
>>> acting under color of law to intercept the wire or electronic
>>> communications of a computer trespasser transmitted to, through, or
>>> from the protected computer, if--
>>> (I) the owner or operator of the protected computer
>>> authorizes the interception of the computer trespasser's
>>> communications on the protected computer;
>>> (II) the person acting under color of law is lawfully engaged
>>> in an investigation;
>>> (III) the person acting under color of law has reasonable
>>> grounds to believe that the contents of the computer trespasser's
>>> communications will be relevant to the investigation; and
>>> (IV) such interception does not acquire communications
>>> other than those transmitted to or from the computer trespasser.
>>>
>>> (3)(a) Except as provided in paragraph (b) of this subsection, a
>>> person or entity providing an electronic communication service to
>>> the public shall not intentionally divulge the contents of any
>>> communication (other than one to such person or entity, or an agent
>>> thereof) while in transmission on that service to any person or
>>> entity other than an addressee or intended recipient of such
>>> communication or an agent of such addressee or intended recipient.
>>> (b) A person or entity providing electronic communication service
>>> to the public may divulge the contents of any such communication--
>>> (i) as otherwise authorized in section 2511(2)(a) or 2517
>>> of this title;
>>> (ii) with the lawful consent of the originator or any
>>> addressee or intended recipient of such communication;
>>> (iii) to a person employed or authorized, or whose facilities
>>> are used, to forward such communication to its destination; or
>>> (iv) which were inadvertently obtained by the service
>>> provider and which appear to pertain to the commission of a
>>> crime, if such divulgence is made to a law enforcement agency.
>>>
>>>
>>> note item iv
>>>
>>>
>>> again comment is invited from REAL EFF Lawyers as we are
>>> talking about the ECPA now and this is actually what the text of the
>>> law says.
>>>
>>> a tor operator
>>>
>>>
>>>
>>>
>>>
>>>
>>> tor wrote:
>>>
>>>> Hi All,
>>>>
>>>>
>>>> BTW Chris... you may wish to examine with your EFF Attorney the
>>>> following section of USC Code Title 18
>>>>
>>>>
>>>> http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=browse_usc&docid=Cite:+18USC2511
>>>>
>>>>
>>>> to wit:
>>>>
>>>> TITLE 18--CRIMES AND CRIMINAL PROCEDURE
>>>>
>>>> PART I--CRIMES
>>>>
>>>> CHAPTER 119--WIRE AND ELECTRONIC COMMUNICATIONS INTERCEPTION AND
>>>> INTERCEPTION OF ORAL COMMUNICATIONS
>>>>
>>>> Sec. 2511. Interception and disclosure of wire, oral, or
>>>> electronic communications prohibited
>>>>
>>>> (2)(a)(i) It shall not be unlawful under this chapter for an
>>>> operator of a switchboard, or an officer, employee, or agent of a
>>>> provider of wire or electronic communication service, whose
>>>> facilities are used in the transmission of a wire or electronic
>>>> communication, to intercept, disclose, or use that communication in
>>>> the normal course of his employment while engaged in any activity
>>>> which is a necessary incident to the rendition of his service or to
>>>> the protection of the rights or property of the provider of that
>>>> service, except that a provider of wire communication service to
>>>> the public shall not utilize service observing or random monitoring
>>>> except for mechanical or service quality control checks.
>>>>
>>>> Note the phrase "to the protection of the rights or property of the
>>>> provider of that service".
>>>> Note the prohibition of service observing/Random Monitoring applies
>>>> to wire communication services only
>>>> (IE telephone companies). If current case law contradicts this
>>>> please feel free to inform us all via the with specific cases etc...
>>>>
>>>> Please, Chris, have the EFF lawyers comment on this aspect of ECPA. I
>>>> am sure all of us on the list would indeed be fascinated.
>>>>
>>>>
>>>>
>>>> a tor operator
>>>>
>>>>
>>>>
>>>>
>>>> Chris Palmer wrote:
>>>>
>>>>> Parker Thompson wrote:
>>>>>
>>>>> >I'm not so interested in specific legal advice, more a high level
>>>>> >discussion of when it is good to be a bad guy, and when you're being
>>>>> >bad for the sake of being good what are the ethical considerations
>>>>> >and, with respect to Tor (it'll differ case to case) legal
>>>>> >implications of doing so.
>>>>>
>>>>> >I would think this would be a perfect discussion to have in the
>>>>> >context of Tor, and perhaps the kind of thing the EFF could turn into
>>>>> >a compelling policy paper to guide the development of this and other
>>>>> >projects. Further, I see this as far preferable to letting operators
>>>>> >develop their own best practices on an ad-hoc basis.
>>>>>
>>>>>
>>>>> I understand the need, and I'll fly it past our lawyers to see what
>>>>> they think about drafting such a policy paper. They are unlikely to
>>>>> make strong, specific, forward-looking legal statements, of course.
>>>>>
>>>>> I can tell you what I do, which I regard as reasonably safe and polite.
>>>>>
>>>>> I run three Tor servers: one at EFF (confidence), one on a machine
>>>>> some friends and I share (explosivenoodle), and one on my home DSL
>>>>> line (livingcolour). confidence and explosivenoodle I run in
>>>>> middleman mode, to minimize annoyance and potential liability for my
>>>>> employer and friends (respectively). (EFF is considering running an
>>>>> exit server, but we aren't yet.) livingcolour uses the default exit
>>>>> policy. All three servers are rate-limited to about 20Kb/s because
>>>>> bandwidth is either donated and I want to be nice (explosivenoodle),
>>>>> or limited (confidence and livingcolour). I don't sniff traffic on
>>>>> any of these three hosts, and I log at warn level, using debug level
>>>>> only for limited times when I actually am trying to debug something
>>>>> (rarely). All three machines are kept up-to-date and run only
>>>>> services I actually use.
>>>>>
>>>>> I don't commit abuse through Tor when I use it. That's easy --
>>>>> "Oops, I didn't troll on IRC again!"
>>>>>
>>>>> I sometimes drive around in the Tor source tree for fun and learning,
>>>>> but I haven't found any security bugs. If I did, I would simply tell
>>>>> Roger and Nick. I have reported a few security-irrelevant bugs (and,
>>>>> I sheepishly admit, non-bugs) to R and N and they have fixed them
>>>>> fast. There was once a problem with bad interaction between two
>>>>> configuration directives, for example, which caused Tor not to start.
>>>>> Nick fixed it in minutes.
>>>>>
>>>>> Hence, for basic operation and examination, the existing norms of the
>>>>> competent sys admin and white hat security researcher communities
>>>>> apply.
>>>>>
>>>>> As for passing "bad" traffic, so far I haven't heard from my ISP
>>>>> about any problems with my exit node. Maybe I'm just lucky. There are
>>>>> various types of complaints, and different responses are called for
>>>>> in different circumstances. Get legal counsel, possibly the EFF. See
>>>>> also the Legal FAQ and our DMCA response template
>>>>> (http://tor.eff.org/eff/tor-dmca-response.html). Everyone has
>>>>> different responses to complaints, resulting from the specifics of
>>>>> their situation, their beliefs and temperaments, the nature of the
>>>>> complaint, their relationship with the complainant and with their
>>>>> connectivity provider, various jurisdictional issues, and so on. It's
>>>>> hard to make any general a priori statements about what to do, other
>>>>> than "Call EFF!". That's obviously what I would do. :)
>>>>>
>>>>> I don't know if that helps you or answers your question. I'll state
>>>>> again that the non-dangerous techniques I mentioned in my previous
>>>>> email have proven helpful in finding bugs in other software products.
>>>>> Roger and Nick welcome substantive bug reports, and they take
>>>>> security very seriously.
>>>>
>>>>
>>>>
>>>>