May 13th, 2008 by dm | Email, Spam | No Comments

Yesterday, May 12th, the Federal Trade Commission (FTC) released a new rule under the CAN-SPAM Act. The new rule seeks to clarify some of the requirements CAN-SPAM imposes on senders of bulk email.

  • First, an e-mail recipient cannot be required by the sender to pay a fee, supply any information other than an e-mail address and opt-out preference, or take any steps other than sending a reply e-mail or visiting a single web page to opt out. From personal experience, many commercial websites add you automatically to their mailing list if you purchase something from them. This is fine; however, if you want to unsubscribe, often you have to click on a link in the email, go to a web page, enter your account information (or, if you do not have an account, your order number), then find out where the email preferences menu is hidden, and finally fill out a couple of forms to submit an opt-out request. All of this is gone - there must be a single web page.
  • The definition of "sender" has been changed to make it easier to determine which of multiple entities advertising in a single e-mail message is responsible for complying with the Act's opt-out requirements.
  • A "sender" of commercial e-mail can use an accurately registered post office box or private mailbox established under United States Postal Service regulations to satisfy the Act's requirement that a commercial e-mail display a "valid physical postal address."

The new changes are small tweaks, but helpful ones for Internet users. Kudos to the FTC for staying on top of CAN-SPAM and making it a more effective and user-friendly regulation. It is unfortunate, however, that it takes so long to implement some of the more obvious changes.

March 27th, 2008 by dm | Breaches, Email, Vulnerabilities | 1 Comment

Many emails happily reach their final and intended destination. But some emails arrive where they were not intended to. Two recent stories suggest that people should be careful not only about what the "TO:" field in their email says, but should also use some common sense.

The first story is about the "donotreply.com" domain, whose owner admitted that he receives millions of unintended emails each week, many with substantially sensitive information. Many senders of bulk email do not want each recipient to be able to hit "Reply" and send a return message. As a result, they just type something that is intended to remind the recipient not to email back, for example "please@donotreply.com." However, some people do send emails back, and according to the owner of the donotreply.com domain, some of these wayward emails are very sensitive. For example, a bank sent to a donotreply.com email address a PDF with a list of all computers within the bank which are not properly patched with up-to-date security settings.

The second story is about a website promoting Mildenhall, a small town in Suffolk, UK, which owned the domain www.mildenhall.com. However, Mildenhall also hosts a U.S. Air Force base with 2,500 servicemen and women. As a result, mildenhall.com started receiving hundreds of emails intended for the US Air Force personnel at Mildenhall. Among the emails received were future flight paths for Air Force One. The domain's owner tried to warn the US base, but the emails kept coming. Finally, the domain owner decided to shut down the site so as to avoid confusion and the leak of potentially sensitive information.

These two stories highlight some of the biggest problems with email as a communication tool, especially for sensitive and unencrypted information. First is the trend of domain owners turning on their "catch all" email setting, whereby all email directed to a particular domain, even if the email address does not exist, is captured and treated as "received" as opposed to being returned as "undeliverable." The second is the casual approach towards email. There are plenty of stories about major litigation blunders, competitive information disclosures, or simply embarrassing personal stories which have been sent to the wrong party and subsequently leaked to the world. Email users, especially users dealing with sensitive information, should create a habit, if not a procedure, of checking every outgoing email for accuracy of the recipient, at the least. Finally, the use of email for transmission of sensitive information without encryption is troubling. What the appropriate threshold level for encrypting email is depends on the organization and the documents being transmitted, but the senders of the list of vulnerable PCs on the network or of the flight path of Air Force One should have known better than to send them without encryption.
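A pre-send check covering the three failure modes just described (replies routed to a placeholder domain, a look-alike recipient domain, and an attachment leaving unencrypted), added here as an example and not taken from the original post. The organisation's domains, the "intended" base domain and the sample message are constructed placeholders.

```python
import email
from email.utils import getaddresses

# Assumed settings, constructed for this example (not real organisational data).
OWNED_DOMAINS = {"examplebank.test"}              # domains we actually control
PLACEHOLDER_DOMAINS = {"donotreply.com"}          # "do not reply" domains owned by strangers
INTENDED_DOMAINS = {"mildenhall.airforce.test"}  # constructed stand-in for the base's domain
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}

# Constructed sample: a bank mails a patch report to a look-alike domain, in the clear.
SAMPLE = """From: alerts@examplebank.test
Reply-To: please@donotreply.com
To: ops@mildenhall.com
Subject: Unpatched hosts
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: application/pdf; name="unpatched.pdf"
Content-Disposition: attachment; filename="unpatched.pdf"

%PDF-1.4 (constructed placeholder)
--b--
"""

def _domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def check_outgoing(raw):
    """Return a list of warnings for a raw RFC 5322 message before it is sent."""
    msg = email.message_from_string(raw)
    warnings = []
    # 1. Replies to a placeholder domain land in a stranger's catch-all mailbox.
    for hdr in ("From", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            d = _domain(addr)
            if d in PLACEHOLDER_DOMAINS:
                warnings.append(f"{hdr}: {addr} is a placeholder domain we do not own")
            elif d and d not in OWNED_DOMAINS:
                warnings.append(f"{hdr}: {addr} is outside our domains")
    # 2. Near-miss recipient: same leftmost label as an intended domain, different domain.
    for hdr in ("To", "Cc", "Bcc"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            d = _domain(addr)
            for intended in INTENDED_DOMAINS:
                if d != intended and d.split(".")[0] == intended.split(".")[0]:
                    warnings.append(f"{hdr}: {addr} looks like @{intended}; verify recipient")
    # 3. An attachment with no S/MIME or PGP/MIME wrapper goes out in the clear.
    has_attachment = any(p.get_content_disposition() == "attachment" for p in msg.walk())
    if has_attachment and msg.get_content_type() not in ENCRYPTED_TYPES:
        warnings.append("attachment present but message is not encrypted")
    return warnings
```

Running `check_outgoing(SAMPLE)` yields three warnings, one for each failure mode; a plain message to an unrelated domain from an owned address yields none.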

October 10th, 2007 by dm | Breaches, Email, Phishing | No Comments

The Wall Street Journal reports on a troubling new vector of cyber attacks - emails carrying Trojan-infected Microsoft Word attachments directed to senior executives in major corporations. The emails purported to be from an employment service and offered attachments supposedly containing information on potential job candidates. Luckily for these executives, the emails were captured by MessageLabs, an email security company, which monitors the incoming email traffic of its clients for spam and viruses.

According to MessageLabs, during a two-hour period on June 24, 514 messages tailored to senior executives were captured. On Sep. 12 and 13, the company captured 1,100 messages in a 16-hour period. Although email security experts are well familiar with phishing, this form of attack seems to go beyond mass-scale fraudulent emailing in the hope that even a very low response rate would yield some personal information. This kind of email attack has been seen in the past, but in smaller numbers and mainly directed at sensitive personnel in government or the military. The new attacks suggest that a fairly low-tech attack can yield open-door access to a major executive's computer and all the information stored on it. This potentially places high-value information, such as incoming deals or regulatory or other action, in the hands of criminals who can abuse it directly or profit from it by trading securities before the news reaches the public.

June 20th, 2007 by dm | Email, Privacy | 2 Comments

The Sixth Circuit Court of Appeals held on June 18th, in Warshak v. U.S., that people have a reasonable expectation of privacy in the contents of their email so that the government needs to obtain a search warrant before being able to obtain it.

The issue in the case was whether Warshak had a reasonable expectation of privacy in the email stored on his ISP's servers. The government had obtained an order, authorized by the Stored Communications Act, to compel Warshak's ISP to disclose Warshak's email to the government without notifying Warshak. The defendant argued that this was an improper search and seizure under the Fourth Amendment because of his reasonable expectation of privacy in the email.

The opinion by Judge Martin seems to rely on an analogy between email and phone calls. The courts have long established that there is a reasonable expectation of privacy in the content of phone calls notwithstanding the phone company’s ability to listen to calls. Under the established precedent, the government cannot eavesdrop on calls without a warrant. The Sixth Circuit held that email is similar to a phone call, for expectation of privacy purposes, and the phone call expectation of privacy reasoning applies to email.

The court seems to limit the holding, however. If ISP employees regularly look at customer email in the ordinary course of business or if the ISP has a broad authorization (by EULA or something similar) to look at customer email, then the outcome of the case might have been different as customers would have decreased expectation of privacy. It is also interesting to note that the court recognized that inspection of email by computer programs, such as virus or spam checkers, security filters, or other tools that process email based on its contents, does not decrease the expectation of privacy in one’s email - instead, manual (or otherwise human) inspection of email is necessary to erode the privacy expectation.

The pragmatic comment about this outcome is that it may not apply as broadly as one might think. Most ISPs may, if they have not already, bury somewhere in their EULAs "no reasonable expectation of privacy in stored email" language, and this would defeat the privacy expectation the Sixth Circuit has carefully carved out. The ruling leaves many details to be fleshed out, and subsequent cases interpreting this ruling may turn out to be as important as this one.