Roland Perry - "is an ISP a 'Person'?"

[Peter Fairbrother]

Quentin Campbell wrote:

> I am a start up ISP and I buy a turn-key Mail Relay system from Roland's
> Pretty Good Mail Relays Ltd. This is his standard product, written from
> scratch in Concurrent APL (TM). It is a sealed box and only responds to
> TCP/IP connections on port 25.
> 
> The target customers for my new ISP are retired academics who don't like
> receiving junk mail and viruses. I chose PG Mail Relay because this
> system does automatic anti-virus and anti-spam filtering. These are
> necessary requirements for the operation of my new ISP company.
> 
> I plug the PG Mail Relay box in and I see the mail IN and the mail OUT
> lights flickering so I know that it is working. The "system" is exactly
> as I bought it and there has been no "modification" of it to get it
> working on my ISP premises.

But do such systems actually exist? Is it possible to run a mailserver that
scans mail for spam and viruses without occasionally having to look at mail?
Would anyone with practical experience care (or dare) to comment on this
please, as it's an important point?

Suppose a customer phones and asks if you quarantined a message, and you
look for it. Or a customer complains that you have stopped a message in
error, and you have to look at the message in order to find out how to
change the filtering rules. That's RIPA interception*. Whether it's legal or
not is a different matter, but it is interception. No arguments about "no
person" or "made available" would change that.


*The first example may be covered by 2(5), in which case 3(3) can probably
be so widely interpreted that this whole discussion is moot. But I doubt
that. And the second example wouldn't be so covered. You could get around
it, but it would be a hassle and you wouldn't keep many customers. Unless
they were Unix-y types, who would put up with the hassle, but who would
probably want to do their own filtering anyway. No cigar.

> 
> The interesting thing is that Roland's PG Mail Relay system is
> functionally identical to Quentin's pretty cruddy Mail Relay system
> installed at the University of Newcastle.
> 
> Quentin's system was created by bolting together Sendmail + MailScanner
> + Sophos + SpamAssassin. It is neat because it works just as if only
> Sendmail was present except that spam and virus mail is automatically
> deleted.
> 
> Quentin's customers are practical engineering and scientific types and
> now that they can read the UKCRYPTO list, safe from malign viruses and
> annoying spam, they are wondering what all the fuss is from Peter
> Fairbrother?

Leaving the RIPA sh*t, and it is sh*t, out for a moment, if autoscanning
isn't interception then ISP's could autoscan MY mail for anything they
liked, and block mail they thought I shouldn't see. Or from people they
disagreed with. Or to people they didn't want me to write to. Or any mail
that was encrypted. They needn't even tell me about it. It wouldn't be an
offence. And the tort if any would be damn hard to prove - hell, you might
not even know it had happened.

That has to be wrong, and in everyday terms it has to be interception. They
would be looking through my mail and stopping things they didn't want me to
see or send. Bye bye to even the illusion of free speech we still have.

That's what my side is about (and if I found them out I wouldn't be looking
to the law, but getting the LAWS' out of the attic. One of my emails was
stopped as possible spam, and both myself and the intended recipient were
ready to kill over it. That's not a threat or a warning, just information, a
courtesy if you like, if you happen to run anything that stops my mail.
Don't worry, I'm a civilised bloke and wouldn't actually kill you. Much).


Isn't SpamAssassin free? Can't people run it on their own boxes? I have no
problem with that. I don't even have a problem with the idea of ISP's
filtering spam, assuming they get it right, in order to prevent the spread
from blocking up their (and our) systems. Nor do I have a problem with virus
filtering, though I want to be able to know when it has occurred. Couldn't
filterers add a tag, eg [spam] or [virus] in the message line, that just
tags the mail, instead of stopping it? I haven't came across many MUA's
recently that don't have filtering. Some sensible defaults would help.


The other side is that some scanning can be beneficial (and profitable), and
the ISP's want to continue doing it. The way RIPA is written, if
autoscanning is allowed they can continue without restriction on the purpose
and type of scanning they can do, as long as it's done by machine (assuming
that's practical). Otherwise they have to rely on 3(3) (as Lord Bassam
suggested) as the test of what scanning they can continue doing, and 3(3) is
unclear to put it mildly, and probably wouldn't allow them to do some things
they want to do (ignoring the LBPR argument for now).

The ISP's don't know what RIPA really means as far as autoscanning goes (and
neither do I, it's a piece of shit as far as clarity is concerned), so they
are in a bit of a tizzy. I don't want unwanted and unannounced scanning of
my mail, so I'm in a bit of a tizzy too.

That's what all the fuss is about, and the crap writing of RIPA just fuels
it. 

To be fair, I doubt many people thought about these issues when RIPA was
going through Parliament. Lord Bassam's reply is the nearest thing I know
of, and it doesn't address the autoscan question, or spam scanning,
directly. IMO it points in the 3(3) direction and away from autoscanning,
but others have argued against that.

You will be relieved to know that as I'm going to work (on m-o-o-t) now, and
I have a short trip lined up soon, I won't be posting any more for a while.

 :)

-- Peter Fairbrother