Intended recipient

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Sep 13 12:24:22 BST 2011


Roland Perry wrote:
> This man-in-the-mailbox attack brings a whole new perspective to the
> "who is the intended recipient" debate.
> 
> <http://nakedsecurity.sophos.com/2011/09/12/missing-dots-from-email-addresses-opens-20gb-data-leak>

I'm pretty sure the intended recipient has to be the person the sender 
intends (in his mind) to send the email to, ie the fortune500 company, 
not the researchers.

If the sender made a mistake and the researchers got the email by 
mistake, then they would be innocent - but that's not what happened, 
they got the emails intentionally.

> 
> Although there's a historical precedent - people sending faxes to a
> typo-phone number. Which of course leads to those long legal disclaimers
> which have been inherited on many corporate emails.
> 
> Would the activity of these researchers (or malicious counterparts) be
> an interception in the UK; and as they've modified the public DNS to do
> this, is it an interception on a public network and therefore criminal?

It would be interception twice over if done in the UK, and it would be 
criminal.


First, the change to DNS is a modification to the system 2(2)(a). 
Second, they are monitoring transmissions sent on a public network 2(2)(b).

Both these actions make content available to a person other than the 
sender or the intended recipient, therefore they are interception as 
defined in Section 2(2).

The actions are done with the purpose of making content available, so 
they satisfy the requirement for intentionality in S. 1(1) - and 
therefore they are criminal actions.


Note that if you did this by mistake (eg if att.com had a division 
called spl, and you registered splatt.com without intending to see any 
ATT mail) it might [1] still be interception - but it wouldn't be a 
criminal offense as there was no intent.




[1] depending on whether the Judge thinks the "as to" in S.2(2) implies 
an element of intent or not - a moot point


-- Peter Fairbrother


