Roland Perry - "is an ISP a 'Person'?"

[Owen Blacker]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Fairbrother, quoting Quentin Campbell:
> 
> > I am a start up ISP and I buy a turn-key Mail Relay system from
> > Roland's Pretty Good Mail Relays Ltd. This is his standard product,
> > written from scratch in Concurrent APL (TM). It is a sealed box and
> > only responds to TCP/IP connections on port 25.
> > 
> > The target customers for my new ISP are retired academics who don't
> > like receiving junk mail and viruses. I chose PG Mail Relay because
> > this
> > system does automatic anti-virus and anti-spam filtering. These are
> > necessary requirements for the operation of my new ISP company.
> > 
> > I plug the PG Mail Relay box in and I see the mail IN and the mail OUT
> > lights flickering so I know that it is working. The "system" is exactly
> > as I bought it and there has been no "modification" of it to get it
> > working on my ISP premises.
> 
> But do such systems actually exist? Is it possible to run a mailserver
> that scans mail for spam and viruses without occasionally having to look
> at mail? Would anyone with practical experience care (or dare) to comment
> on this please, as it's an important point?
> 
> Suppose a customer phones and asks if you quarantined a message, and you
> look for it. Or a customer complains that you have stopped a message in
> error, and you have to look at the message in order to find out how to
> change the filtering rules. That's RIPA interception*. Whether it's legal
> or not is a different matter, but it is interception. No arguments about
> "no person" or "made available" would change that.

No, it's not.  It's reacting to a customer's request.  It's not
interception if they've asked you to do it, now, is it?!

> *The first example may be covered by 2(5), in which case 3(3) can
> probably be so widely interpreted that this whole discussion is moot. But
> I doubt that. And the second example wouldn't be so covered. You could
> get around it, but it would be a hassle and you wouldn't keep many
> customers. Unless they were Unix-y types, who would put up with the
> hassle, but who would
> probably want to do their own filtering anyway. No cigar.

I'm not convinced that 2(5) would apply (virus payloads and spam are
certainly content, not traffic data), but I'm sure that, even were this
interception (which I don't believe it is), 3(3) would apply.

> > The interesting thing is that Roland's PG Mail Relay system is
> > functionally identical to Quentin's pretty cruddy Mail Relay system
> > installed at the University of Newcastle.
> > 
> > Quentin's system was created by bolting together Sendmail + MailScanner
> > + Sophos + SpamAssassin. It is neat because it works just as if only
> > Sendmail was present except that spam and virus mail is automatically
> > deleted.
> > 
> > Quentin's customers are practical engineering and scientific types and
> > now that they can read the UKCRYPTO list, safe from malign viruses and
> > annoying spam, they are wondering what all the fuss is from Peter
> > Fairbrother?
> 
> Leaving the RIPA sh*t, and it is sh*t, out for a moment, if autoscanning
> isn't interception then ISP's could autoscan MY mail for anything they
> liked, and block mail they thought I shouldn't see. Or from people they
> disagreed with. Or to people they didn't want me to write to. Or any mail
> that was encrypted. They needn't even tell me about it. It wouldn't be an
> offence. And the tort if any would be damn hard to prove - hell, you
> might not even know it had happened.

No, they really couldn't.  It's not about whether autoscanning is
interception or not, it's about the ~purpose~ for which such scanning is
effected.  3(3) blatantly (imho, ianal) permits virus scanning and (at a
push, but I don't think it's a big one) spam filtering, as these are
arguably "tak[ing] place for purposes connected with the provision or
operation of that service".  Censoring your mail because the Moot list is
full of dangerous radicals(!) really wouldn't pass the 3(3) test.

Yes, RIP is shite, but it's not quite ~that~ shite that it falls to such a
reductio ad absurdum.  :)

> That has to be wrong, and in everyday terms it has to be interception.
> They would be looking through my mail and stopping things they didn't
> want me to see or send. Bye bye to even the illusion of free speech we
> still have.

Indeed.  It would be interception.  And even were it not a contravention of
RIP Chapter I, it would be a breach of your Article 8, 9 and 10 rights
under the Human Rights Act
<http://www.hmso.gov.uk/acts/acts1998/80042--d.htm> (right to privacy,
freedom of thought and conscience and freedom of expression, respectively)

> That's what my side is about (and if I found them out I wouldn't be
> looking to the law, but getting the LAWS' out of the attic. One of my
> emails was stopped as possible spam, and both myself and the intended
> recipient were ready to kill over it. That's not a threat or a warning,
> just information, a courtesy if you like, if you happen to run anything
> that stops my mail.
> Don't worry, I'm a civilised bloke and wouldn't actually kill you. Much).

:)

> Isn't SpamAssassin free? Can't people run it on their own boxes? I have
> no problem with that. I don't even have a problem with the idea of ISP's
> filtering spam, assuming they get it right, in order to prevent the
> spread from blocking up their (and our) systems. Nor do I have a problem
> with virus filtering, though I want to be able to know when it has
> occurred. Couldn't filterers add a tag, eg [spam] or [virus] in the
> message line, that just tags the mail, instead of stopping it? I haven't
> came across many MUA's
> recently that don't have filtering. Some sensible defaults would help.

Depends on what scale you mean ISP.  The CSP I use primarily, for personal
email and such, is a bunch of mates of mine who happen to have given me a
shell on their (jointly owned) servers.  They run various bits an pieces
bolted onto Exim and it wouldn't be unreasonable for them to bolt
SpamAssassin on in the future (they're not likely to, cos they'd just
encourage me to install it myself against procmail, if necessary, but
that's not the point).

> The other side is that some scanning can be beneficial (and profitable),
> and the ISP's want to continue doing it. The way RIPA is written, if
> autoscanning is allowed they can continue without restriction on the
> purpose and type of scanning they can do, as long as it's done by machine
> (assuming that's practical). Otherwise they have to rely on 3(3) (as Lord
> Bassam
> suggested) as the test of what scanning they can continue doing, and 3(3)
> is unclear to put it mildly, and probably wouldn't allow them to do some
> things they want to do (ignoring the LBPR argument for now).

Yeah, I think you might be right on that.  Not sure.  Not yet consumed
enough coffee.  :)

> The ISP's don't know what RIPA really means as far as autoscanning goes
> (and neither do I, it's a piece of shit as far as clarity is concerned),
> so they are in a bit of a tizzy. I don't want unwanted and unannounced
> scanning of my mail, so I'm in a bit of a tizzy too.

They don't seem to be losing ~too~ much sleep over it.  :)

> That's what all the fuss is about, and the crap writing of RIPA just
> fuels it. 

Indeed.  But poorly drafted legislation is the speciality of Western-style
parliamentary democracies all over the globe, isn't it?  *GRIN*

> To be fair, I doubt many people thought about these issues when RIPA was
> going through Parliament. Lord Bassam's reply is the nearest thing I know
> of, and it doesn't address the autoscan question, or spam scanning,
> directly. IMO it points in the 3(3) direction and away from autoscanning,
> but others have argued against that.

Yeah, I'm afraid I'd have to chime in with the "others"  :)

> You will be relieved to know that as I'm going to work (on m-o-o-t) now,
> and I have a short trip lined up soon, I won't be posting any more for a
> while.  
> 
>  :)

Enjoy.  And Bon voyage.  :)


x
- -- 
Owen Blacker
Senior Software Developer and InfoSecurity Consultant   Wheel: Group
See http://www.owens-place.org.uk/pgp.html -- more about my PGP keys
Sig  0xb48e805e | 0e31 ac2a 4ff2 62a0 89da  ddef 4223 99a6 b48e 805e

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0
Comment: Pls see http://www.owens-place.org.uk/pgp.html about my keys

iQA/AwUBPZ1aA0Ijmaa0joBeEQISMQCfU2qs/XgkAd+DHfVzavqXjTh+GGYAn1OL
tTtkMhVlZKHjRDnoax9tw8ZY
=JVrv
-----END PGP SIGNATURE-----

_____________________________________________________________________
This e-mail has been scanned for viruses by MessageLabs.