Recently, Orin Kerr rightly pointed out that adding a line to the end of your email pointing out that it is covered by the Electronic Communications Privacy Act is silly because all emails are so protected and, further, once the email is delivered, the relevant federal law no longer applies. As a computer scientist, I’m left wondering exactly what it means to be delivered in this context.
First, a quick(ish) review of how email works, which involves the interaction of a bunch of different programs. The process begins when the user clicks the Send button (or otherwise initiates the sending) in the email client—also called the mail user agent (MUA). The MUA formats the message as a series of headers followed by the body. The headers contain, among other things, addressing information so that the rest of the programs that will eventually process the email know what to do with it. After formatting the message, the MUA will send the message to a mail transfer agent (MTA).
The MTA has exactly one purpose: it accepts mail and, if it knows how and is configured to do so for the particular sender and recipient, relays the message to another program, often on another computer.
As a simple example, consider Alice who wants to send mail to Bob. Alice writes her message and her MUA formats it as follows.
From: Alice <alice@foo.com>
To: Bob <bob@bar.com>
Subject: Hi!

Hi Bob!
Alice’s MUA sends the mail to her MTA. Her MTA looks at the From header, sees that it is from Alice and since it is configured to relay messages from Alice, it looks at the To header to see that it needs to send the message to Bob. The MTA then looks up the MTA for bar.com and sends a copy of the message along. Bob’s MTA receives the message, looks at the To header and since it knows who Bob is, it passes the message along to a mail delivery agent (MDA). The MDA finally deposits the message in the recipient’s mailbox.
So the whole process looked something like:
MUA -> MTA -> MTA -> … -> MTA -> MDA -> MUA.
Continuing the example, Bob finally receives the message either by Bob’s MUA reading the mailbox directly or by downloading it from his mailbox’s server.
Finally, the last important bit is that not all of these computers are required to be online and delivering mail at the same time. Frequently, one computer cannot be contacted so the mail is simply stored on the previous server for some period of time before delivery to the next computer is attempted again.
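The relay chain above can be simulated in a few lines. This Python sketch is an added example, not code from the original post: it pushes Alice's message through two MTAs and an MDA, with Bob's MTA offline on the first attempt, logs every handoff, and then shows what an MUA holds after a headers-only download. The host names mta.foo.com, mta.bar.com and mda.bar.com and all function names are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample: the message from the example above.
RAW = ("From: Alice <alice@foo.com>\nTo: Bob <bob@bar.com>\n"
       "Subject: Hi!\n\nHi Bob!\n")

class Hop:
    """One program in the chain (an MTA or the MDA); host names are hypothetical."""
    def __init__(self, name, online=True):
        self.name, self.online = name, online
        self.queue = []    # mail held here until the next hop accepts it
        self.mailbox = []  # used only by the final MDA

def flush(chain, log):
    """One delivery attempt: each hop hands queued mail to the next if it can."""
    for here, nxt in zip(chain, chain[1:]):
        while here.queue:
            if not nxt.online:
                log.append((here.name, nxt.name, "deferred"))
                break      # store the mail and retry on a later flush
            nxt.queue.append(here.queue.pop(0))
            log.append((here.name, nxt.name, "accepted"))
    mda = chain[-1]
    while mda.queue:
        mda.mailbox.append(mda.queue.pop(0))
        log.append((mda.name, "mailbox", "deposited"))

def submit(chain, raw, log):
    """The MUA hands the formatted message to the first MTA."""
    chain[0].queue.append(raw)
    log.append(("MUA", chain[0].name, "accepted"))
    flush(chain, log)

def fetch_headers(stored):
    """What an MUA holds after downloading the headers but not the body."""
    return dict(message_from_string(stored).items())

def demo():
    chain = [Hop("mta.foo.com"), Hop("mta.bar.com", online=False), Hop("mda.bar.com")]
    log = []
    submit(chain, RAW, log)
    stored_at = [h.name for h in chain if h.queue]  # where the mail waits
    chain[1].online = True                          # bar.com comes back online
    flush(chain, log)
    return log, stored_at, fetch_headers(chain[-1].mailbox[0])

if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

Each "accepted" or "deposited" entry in the log is a moment at which some program in the chain regards the message as delivered.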
Okay, so after that less-than-quick review I promised, we get to my question. Given that from the point of view of each program, the message has been delivered when it is accepted by the next program along the way, do the federal wiretap laws (18 U.S.C. §§ 2510–2521) apply at each individual server along the way or at some of them or only during the actual transmission between programs?
The trouble comes with the word “intercept” in § 2511(1) which makes it a crime for “any person who (a) intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication.” Section 2510(4) defines “intercept” to mean, “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” It isn’t at all clear to me that this has a particular time frame. I.e., it’s not clear when an email is or is not an electronic communication. Orin’s post indicates that the email is no longer a communication when it is delivered.
The obvious choice of when a message is delivered is when the recipient’s MUA retrieves the message from the mailbox; however, this leads to the strange result that as long as the user never checks that particular email, it’s still undelivered. Worse, what happens if the headers, but not the body, are downloaded by the MUA—a very common operation—is it delivered then?
So maybe that’s not the right answer either. Maybe the right answer is that as soon as the MDA is done with the message, it is delivered. The problem with this is that some MDAs can, based on user-defined criteria, forward the message to another account altogether, or send the message through a spam filter, or throw the message away and deliver an entirely different message, or do all of these. So in some cases, the email continues on (e.g., forwarding) and should probably still be protected. In other cases, a copy of the email gets delivered to some external program not involved with mail delivery at all (e.g., spam filter) where it isn’t clear if it should be protected or not. (Assuming the message is protected while an external program is deciding if it is spam or not, should it still be protected after the MUA has downloaded the email but hasn’t run a local spam filter on it?) There are also standalone mail retrieval agents (MRA)—the best known of which is probably fetchmail—which download mail from a server and hand the mail off to an MDA for local delivery. Which MDA do we consider to be the one after which the message has been delivered?
Of course, maybe the right answer is that the law should be a little ambiguous rather than strictly defining it in terms of today’s (okay, 1980’s) technology.