|
|
| Author |
Message |
nenolod
Idler
Joined: 23 Jan 2004
Posts: 334
Location: A box!
|
 Posted: May 11, 2006 12:34pm Post subject: +I and Legality |
 |
|
With all of this talk of +I lately, I have decided to do some research on the topic.
+I qualifies as wiretapping, under US law, and is thus illegal even on private systems (yes! private systems included! Some company just got sued for snooping on phone conversations via their corporate PBX, so yes, wiretapping is not allowed on private systems.).
In addition, vendors providing tools for wiretapping to non-government contacts are violating yet another law. This means that +I patches could be potentially illegal in the US, and that developing them could be classified as illegal as well.
So, the topic for this thread is: "What laws in other countries do you feel would be relative to +I?"
Arguments can be made either way, either in favour of +I or not in favour.
After all, if we're going to bicker about +I, lets do it in some sort of intellectually stimulating manner other than "lolz +I suks cuz they can wch mi cybar the other irc cop for free o:linez."
- nenolod |
|
| Back to top |
|
 |
FuRiOuS
Lurker
Joined: 01 Feb 2006
Posts: 244
|
| Posted: May 11, 2006 12:49pm Post subject: |
|
|
| From a legal perspective I have nothing to add at this point, however I think this is a much better topic than simple slamming +I and those who create it. |
|
| Back to top |
|
|
GXTi
none
Joined: 06 Mar 2004
Posts: 1
|
| Posted: May 11, 2006 12:52pm Post subject: |
|
|
| You could argue that by connecting to an UnrealIRCd server, you forfeit your right to privacy or any other expectations of fair oper practice. It isn't wiretapping if the victim has no expectation of privacy, and I'm only half-joking about this... |
|
| Back to top |
|
|
FuRiOuS
Lurker
Joined: 01 Feb 2006
Posts: 244
|
| Posted: May 11, 2006 1:14pm Post subject: |
|
|
| GXTi wrote: | | You could argue that by connecting to an UnrealIRCd server, you forfeit your right to privacy or any other expectations of fair oper practice. It isn't wiretapping if the victim has no expectation of privacy, and I'm only half-joking about this... |
Well I think the only way you would be correct in this, is if a disclaimer is put into the MOTD that announces the fact that you can be spied on. That way you know upfront that it can happen, etc. Now we all know not everyone reads the MOTD's for each net they log onto, but it would still be posted then. That's the only way I could see your example actually holding up.
However though, Unreal isn't the only IRCd that can use the +I. It's just this particular IRCd has brought the convo back up. Any IRCd can use +I, if the feature doesn't exist already, it just means someone has to write a mod for it to work, which either has happened, or will happen if someone wants it. This isn't just an Unreal issue, it's an IRCd issue. |
|
| Back to top |
|
|
braindigitalis
Idler
Joined: 22 Sep 2003
Posts: 443
Location: IRC
|
| Posted: May 11, 2006 1:25pm Post subject: |
|
|
Have you noticed that when you call a technical support line or sales line, they say:
"Calls may be recorded for training purposes"
This is the reason.
If you put in your Message of the day:
"Your PRIVATE messages and PUBLIC messages may be monitored or logged in real time for security purposes", would you expect to keep many users? |
|
| Back to top |
|
|
FuRiOuS
Lurker
Joined: 01 Feb 2006
Posts: 244
|
| Posted: May 11, 2006 1:30pm Post subject: |
|
|
| braindigitalis wrote: |
If you put in your Message of the day:
"Your PRIVATE messages and PUBLIC messages may be monitored or logged in real time for security purposes", would you expect to keep many users? |
Nobody said you would have many users, however the purpose of this thread is the legality of it. Which putting a disclaimer like that in the MOTD would make it more acceptable from a legal stand point. Which is different than the moral or ethical standpoints. |
|
| Back to top |
|
|
upinsmoke
Newbie
Joined: 01 Mar 2004
Posts: 62
Location: pennsylvania
|
| Posted: May 11, 2006 1:40pm Post subject: |
|
|
i am not a lawyer but heres 2 quick sections of the ELECTRONIC COMMUNICATIONS PRIVACY ACT, which can be found here
http://floridalawfirm.com/privacy.html
| Quote: | g) It shall not be unlawful under this chapter or chapter 121
of this title for any person -
(i) to intercept or access an electronic
communication made through an electronic communication system
that is configured so that such electronic communication is
readily accessible to the general public; |
so if your server or channel isnt password protected i would say a /server or /join command makes it readily accessible to the general public
| Quote: | (h) It shall not be unlawful under this chapter -
(ii) for a provider of electronic communication
service to record the fact that a wire or electronic
communication was initiated or completed in order to protect such
provider, another provider furnishing service toward the
completion of the wire or electronic communication, or a user of
that service, from fraudulent, unlawful or abusive use of such
service. |
the network owner would legally be allowed to intercept the activity on a private/password protected channel to protect the network and other users. |
|
| Back to top |
|
|
braindigitalis
Idler
Joined: 22 Sep 2003
Posts: 443
Location: IRC
|
| Posted: May 11, 2006 1:48pm Post subject: |
|
|
| upinsmoke wrote: | i am not a lawyer but heres 2 quick sections of the ELECTRONIC COMMUNICATIONS PRIVACY ACT, which can be found here
http://floridalawfirm.com/privacy.html
| Quote: | g) It shall not be unlawful under this chapter or chapter 121
of this title for any person -
(i) to intercept or access an electronic
communication made through an electronic communication system
that is configured so that such electronic communication is
readily accessible to the general public; |
so if your server or channel isnt password protected i would say a /server or /join command makes it readily accessible to the general public
| Quote: | (h) It shall not be unlawful under this chapter -
(ii) for a provider of electronic communication
service to record the fact that a wire or electronic
communication was initiated or completed in order to protect such
provider, another provider furnishing service toward the
completion of the wire or electronic communication, or a user of
that service, from fraudulent, unlawful or abusive use of such
service. |
the network owner would legally be allowed to intercept the activity on a private/password protected channel to protect the network and other users. |
is it just me, or do both those statements contradict?
First one says "its not illegal to log traffic on a public system"
Second one says "Its not illegal to log traffic on a PRIVATE system"
Seems like a contradiction to me or someone selectively pasted. What are chapters 121 and (h)?
Just done some fishing of my own:
| Quote: |
(16) "readily accessible to the general public" means, with
respect to a radio communication, that such communication is
not--
(A) scrambled or encrypted:
(B) transmitted using modulation techniques whose
essential parameters have been withheld from the public with the
intention of preserving the privacy of such communication;
(C) carried on a subcarrier or other signal subsidiary
to a radio transmission;
|
This seems to me that if you connect via ssl (your connection is encrypted) then by intercepting the conversation of that user, you are indeed breaking the law. The solution to this would be simple -- if you do not wish to be evesdropped on irc, use SSL. If you do, intercepting the conversation can be construed as a violation of law  -- Note that this refers to radio transmission - would this be applicable to internet communication, especially as we dont know how our conversation is transmitted, it could pass over a wifi network or anything.
Last edited by braindigitalis on May 11, 2006 1:52pm; edited 2 times in total |
|
| Back to top |
|
|
magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK
|
| Posted: May 11, 2006 1:49pm Post subject: |
|
|
I disagree with your assessment of the last point. To me that says that all you are allowed to do is record the fact that a user connected to your server ,or typed some text, at a specific point in time.
However, I'd say all of this is a grey area and none of us here (unless there happens to be a lawer versed in international law - specifically that with regards to telecommunications) are qualified to judge the legality.
EDIT: Gah, brain managed to post before I did. :P |
|
| Back to top |
|
|
upinsmoke
Newbie
Joined: 01 Mar 2004
Posts: 62
Location: pennsylvania
|
| Posted: May 11, 2006 1:59pm Post subject: |
|
|
| Quote: | | is it just me, or do both those statements contradict? |
the first statement was giving an example of an open channel i.e not protected by a password and open to the public. the second was an example of how it could be used on a protected channel ...but like i said im not a lawyer and your free to read the entire act and draw your own conclusion or hire a lawyer for an answer |
|
| Back to top |
|
|
Scire
Newbie
Joined: 14 Apr 2006
Posts: 84
Location: IRC
|
| Posted: May 11, 2006 2:01pm Post subject: Re: +I and Legality |
|
|
| nenolod wrote: | With all of this talk of +I lately, I have decided to do some research on the topic.
+I qualifies as wiretapping, under US law, and is thus illegal even on private systems (yes! private systems included! |
I disagree that +I is wiretapping.
You have no reasonable expectation of privacy on an IRC server, especially considering the data packets are flying all over the internet unencrypted and are easily readable. In addition Section 2 of the Electronic Communications Privacy Act grants "an exception for SYSOPs and their employees to the extent necessary to manage properly the computer information system"
Anyone using +I will argue that they are in the channels in question to protect their networks against bots or other forms of malicious actions, thus they would be protected under section 2 even if you can somehow prove that there exists a reasonable expectation of privacy while on the network in question...which I think would be a hard sell.
| Quote: | | Some company just got sued for snooping on phone conversations via their corporate PBX, so yes, wiretapping is not allowed on private systems.). |
In the US you can sue for spilling hot coffee on yourself.. the outcome is what matters, did they win this case and what was the circumstances surrounding that case? Did the person getting 'spied on' join in a conference call with 20+ people expecting the conversation to somehow be private? (like a person joining and IRC chat room per say, if not then I would say this case does not qualify for comparison)
Having said all that, I agree with you that +I is a bad idea and do not support using it or developing it, I do not use it on my network and never will. However I also believe its not a good idea to start 'criminalizing' the act just because one does not agree with it. Users of +I may be very well intentioned and truly just trying to protect their servers. Who has the power to step in and say 'hey you cant use that tool on your private network because it may be used to .<whatever>..' and once we open that door to arbitrary acceptance of loss of private rights, imho we have lost.
my 2 cents worth. 
Last edited by Scire on May 11, 2006 2:04pm; edited 1 time in total |
|
| Back to top |
|
|
braindigitalis
Idler
Joined: 22 Sep 2003
Posts: 443
Location: IRC
|
| Posted: May 11, 2006 2:04pm Post subject: |
|
|
Just to point out that depending on your country, other laws may be in effect. Usually you have to abide by the laws where your server is hosted i believe.
Take for example the UK, there is what is known as the data protection act. While not an act forbidding monitoring per se, it has the following basic rules:
Data gathered about individuals must be up to date, accurate, secure and confidential, and a user can request it be updated or removed from a database at any time with nothing more than written notice.
This means that if you live in the uk, and you log private chats, these could be considered data about individuals.
Therefore, it is illegal to give this data to any unauthorized person(s), it is illegal to keep this data if it is no longer relevent (up to date) or is no longer accurate, and if the user asks for it not to be stored or used then you must comply, or you are then breaking the law -- remember you are not the police and you have no legal right to keep this data.
Before anyone comes up with "well, how do you know this, are you a lawyer" no im not, but just about every IT professional in the UK is made aware of the data protection act and it is one of the basic things we must all know the details of to conduct IT related business in this country. I suggest that everyone "Chatter Emptor" (Chatter beware  ) and double check on all local laws before trying anything like spying on users, with or without prior announcement that you are doing so! |
|
| Back to top |
|
|
magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK
|
| Posted: May 11, 2006 2:34pm Post subject: |
|
|
Hmm, I think I'm going to have to dig out the actual act and have a read. On the face of it I'm not sure it's immediately obvious how it applies to logged IRC conversations, particularly because you don't necessarily have any additional information that ties it to an individual.
Also, it's worth noting that an entity is allowed to charge a reasonable fee for sending you all the data they hold about you. So if somebody asks you for your logs, you know what to do. :) |
|
| Back to top |
|
|
braindigitalis
Idler
Joined: 22 Sep 2003
Posts: 443
Location: IRC
|
| Posted: May 11, 2006 4:22pm Post subject: |
|
|
| magpie wrote: | Hmm, I think I'm going to have to dig out the actual act and have a read. On the face of it I'm not sure it's immediately obvious how it applies to logged IRC conversations, particularly because you don't necessarily have any additional information that ties it to an individual.
Also, it's worth noting that an entity is allowed to charge a reasonable fee for sending you all the data they hold about you. So if somebody asks you for your logs, you know what to do. |
If i say my real name, telephone number or address, and you log it, then you hold personally identifiable information on me (possibly without my consent if you forgot to place a warning in your motd)
And yes i do give out my telephone number and/or address to a few people i trust who ive met in person anyway.
Note that yes this opens a whole new can of worms on the legality of keeping irc logs |
|
| Back to top |
|
|
magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK
|
| Posted: May 11, 2006 4:39pm Post subject: |
|
|
The following is a quote from the website of the Information Commissioner's Office:
"If you are an individual and you hold information about others, but only do so for personal, family or household reasons (including recreational purposes) then neither the Data Protection Act 1998 (DPA) nor the Freedom of Information Act 2000 (FOIA) impose any legal obligations on you." |
|
| Back to top |
|
|
|
|
| |
Register
Log in
