On Feb 12, 2012, at 6:31 AM, Harald Hanche-Olsen wrote:

> [Jeffrey Walton <noloa...@gmail.com> (2012-02-12 10:57:02 UTC)]
>
>> (1) How can a company actively attack a secure channel and tamper with
>> communications if there are federal laws prohibiting it?
>
> IANAL, as they say, but I guess they are acting under the presumption
> that any communication originating in the company's own is the
> company's own communication, and so they can do anything they please
> with it. It could be argued that the notion of "tampering" with your
> own communications doesn't make sense, and so there is no breach of
> federal law.
>
> I am not defending the above interpretation, nor am I saying for sure
> that it holds water. But I think it is a reasonable guess, at least
> that the company's lawyers will use arguments along those lines
> (albeit argued in more legalese terms) if they had to defend this
> practice.
Although I'm not a lawyer, I've worked with a number of lawyers on the wiretap act, and have been studying it for close to 20 years. I do not see any criminal violation.

18 USC 2512 (http://www.law.cornell.edu/uscode/text/18/2512) bars devices if "design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications". Is a private key or certificate a "device"? Not as I read 18 USC 2510(5) (http://www.law.cornell.edu/uscode/text/18/2510). Paragraph (12) of that section would seem to say that intra-company wires aren't covered. But a better explanation of that can be found in Ruel Torres Hernandez, "ECPA and online computer privacy", Federal Communications Law Journal, 41(1):17–41, November 1988. He not only concluded that the ECPA did not bar a company from monitoring its own devices, he quoted a participant in the law's drafting process as saying that that was by intent.

California law bars employers from monitoring employee phone calls, but in 1991 a court there explicitly ruled that monitoring email was permissible -- or rather, that it wasn't barred by a statute that only spoke of phone calls.

Beyond that, and as noted, employees likely consented in their employment agreements, or by clicking through a log-in banner.

Now -- there may have been a violation of the contract with Mozilla, or a violation of non-US law or of some state law. But I don't think one can make a strong case for a violation of US federal law.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography