America Online

AOL Happily Releases Information to Cops

DigDug wrote in with a scary article about how closely AOL cooperates with law enforcement agencies. In the article, a local (Loudoun County, VA) Sheriff's Deputy is quoted as saying, "AOL is extremely law-enforcement friendly ... they don't hold anything back." While I'm sure we all want criminals brought to justice, there are some serious privacy concerns here. If you send e-mail to someone with an AOL account, apparently you'd better be v-e-r-y careful about what you say.
  • by duckbill ( 47856 ) on Thursday July 22, 1999 @04:39AM (#1790595)
    (1) AOL's policy is located on the article page. In short, they only release emails on a warrant, and will release identities even in a civil action. Even if AOL never stated a policy and specifically contracted with you to withhold information even if presented with a court order, the contract would be null and void. Contracts that are in deference to the law infer no obligation on either party.

    (2) If someone emails you with a credible intent to commit a murder, your failure to present that to the police does not make you a de facto accessory. In the majority (but not all cases) a failure to act does not impose criminal liability. Most often, you have to give aid, or participate in the planning, with a culpable state of mind to be an accessory. If you go to an extra effort to withhold the evidence, you may be guilty of obstruction of justice. If you intentionally deceive and make false statements about the evidence, you could be charged under one of the many perjury derivatives. (Perjury usually requires a sworn statement, but there are satellite laws that cover filing false reports, etc.) You are correct that someone could come forward with the letter as evidence. This could be very persuasive toward establishing that you were part of a criminal conspiracy. This is especially true if coupled with other circumstantial evidence involving the crime. In mixed situations, your failure to disclose the letter or warn the intended victim could make you liable for a tort against the victim (and subsequently his estate), or against his close family for wrongful death.

    (3) I think you are correct. I have never had a personal account with AOL, but I was with a company that did business with them in '93. I do not recall there ever being a representation that your handle created anonymity. I don't know what AOL considers from their point of view, but it is in issue as to how cozy they are with authorities. The article seems to imply, without overtly stating, that AOL may cooperate in absence of a warrant. Furthermore, the issuance of these broad warrants in frequency and scope appear to tread real close to constitutional violations of search and seizure.


    IMHO, I think what scares the pants off of these companies is that if they do not kiss the a#$ of the authorities, a zealous prosecutor will hit them with RICO charges. I am not a personal fan of RICO, it's too big a weapon in the prosecutor's arsenal. Its scope for seizure of personal and corporate assets is far too large, and its burden of proof is entirely too small.
  • It's quite clear that this is another example of not underestimating the lack of intelligence of the common criminal. If you are going to engage in criminal activity (not that I am condoning this) then it makes sense to do so in such a way as to minimise the risk of being caught. If you use a general ISP such as AOL to post your Melissa-alikes, then even the slowest lawman is going to use the standard tools at their disposal (such as subpoenas etc) to catch you.
  • If the courts rule in favor of service providers who disclose such information, people will start forming their own "black-market" networks to avoid these firms.

    This argument could be made against any bar/pub/drinking establishment who employs a bouncer/security person/off-duty cop.

    The message sent by employing these "enforcement" types is clear enough: you might break the law, but we won't let you do it HERE if we can stop it!

    There are, and will be, people who clot into clandestine gatherings for drinking/gambling/fighting* as well as for trading and partaking in illicit things. But limiting access, reporting crimes, etc. removes the legitimacy of these actions and DOES, in fact, deter otherwise-good people who might be tempted to break the law. *standard disclaimer. No diatribe is planned, intended, or insinuated for or against drinking, gambling, fighting, et al, and none should be inferred.

  • This is probably true, but why is AOL keeping logs of personal e-mail? They should, as a normal ISP would, keep it there until it's read and then delete it since it has already been stored locally on the user's machine. I worked for an ISP, we logged traffic, not e-mail. I'm not even totally for logging traffic, if we didn't it'd be quite hard to catch spammers. My point here is basically that if you don't have the information you're not going to get a court order for it.

    -Al-
  • I remember.. he had the same name as the convicted
    Okla City bomber - Timothy McVeigh and had 19
    years in with the US Navy. He reached an out of
    court settlement with AOL for $$$$$.

  • That IS the real issue.

    Recently there was a big international company with a cracking/phreaking problem (the problem was really with a piss poor attitude by management to enforce a good security policy).

    Their lawyer and CIO wanted to tie together all the intrusion detection systems, the firewalls, some sniffers, a certificate authority, and who knows what else, with the goal of providing a chain-of-evidence that they could hand (or email to) some prosecutor somewhere and have it stand up as evidence in court. Oh, and since the cracking attempts are coming from Europe/Russia/Australia, can the system be completely international and stand up in any court.

    "Looky here, Mr. State Attorney General, we were attacked by a ping flood from these IP addresses, and we carefully recorded each and every ping packet hitting our firewall in this log file. We want you to prosecute."

    For some reason, Dilbert strips weren't funny for weeks after that episode :-)

    But on the flip side, imagine what a naive prosecutor would do if someone handed him a log file with some spoofed IP or email addresses in it, showing some kind of real world crime (drug dealing or car theft). Granted, there should be other evidence to back up any prosecution, but cases have gone to trial on less. That's the scary part.

    the AC
  • AntiOnline recently published a review (http://www.antionline.com/cgi-bin/News?type=antionline&date=07-12-1999&story=abuse.news) of several ISPs' willingness to look into crack attempts as reported by private citizens.

    Interestingly, while AOL rolls over for the government, they seem to have little interest in helping the net community keep the neighborhood a nice place to live. Of course, any particular individual can't do much to hurt AOL, while falling in the government's bad graces might possibly be fatal to its financial health.

    Jake96

  • That would be my guess. Especially in an "ISP" full of net-newbies, said net-newbies probably crash their e-mail on a regular basis.

    Hell, I've done it on my college account and had to get the sysadmin to do some really weirdoid stuff to get my unread mail back. (Learned some interesting lessons about VMS along the way, but that's another story.)
  • Yep, every other ISP has the same rules as AOL in terms of working with law enforcement. But here's a way to protect yourself: Freedom [zeroknowledge.com].

    I was there to see these guys announce their second beta at DEFCON and the software looks really sweet. In a nutshell, it allows you to create cryptographically secure pseudonyms that are mathematically impossible to trace to you. All packets you send are encrypted multiple times through five different servers in different countries, none of which know anything but the server before and the server after. When your packets leave this "cloud", they can come out in any country you choose: Netherlands, Mexico, Japan, wherever. REALLY controversial stuff, and very very cool!

    The best part is that their client is about as easy to use as the AOL client and handles everything automatically, including a built-in "cookie jar" feature to capture all Web cookies and assign them to the appropriate pseudonym (so nobody can deduce connections between nyms through cookies) and an email service that works with your existing POP clients.

    Unfortunately, the first version is only for Windows 95/98, but even that is part of their great business plan: get it out to that 95% of the computer community first, where it can do the most damage, then make the Linux/Mac/whatever versions later. At least we have VMware and Virtual PC to run it on other platforms in the meantime.

    My only fear is that, even though Zero Knowledge Systems is in Canada, the US will somehow be able to shut these guys down as soon as they figure out what's going on.

    Disclaimer: I'm not affiliated with ZKS in any way other than that I know the guy who drew their icons. :)

  • by Anonymous Coward
    >> What really baffled me about melissa is why people made a huge deal about it.>>

    I agree that a macro virus is not as technically challenging to write as one that encrypts the boot sector, but it seems to me that many hackers are too quick to thumb their nose at it. Consider the following:

    1. Melissa has got to hold the world record for speed of transmission. Isn't that worth something? Vicodin came up with IMHO the best virus transmission scheme yet. Of course, maybe this is just a testament to the number of morons in the world.

    2. The first macro virus I ever saw was also the creation of Vicodin. It was the one that put "Dr. Diet Mountain Dew" in your registry. This virus would concatenate your name and the name of a printer and put that string as a comment on every other line of code. This was done in the hopes of making it harder for scanners to detect. In short, it was a stealth macros virus. It could also override the 'Macros' dialog box so that you couldn't see it was there. Now come on, that's cool!

    I happen to think the people who make viruses should be punished, but I still enjoy looking at the source code. It doesn't matter to me that they're written in cheesy visual BASIC; I recognize a hack when I see one. ;o)

    Chernobyl sounds nasty, but far fewer people have been infected by it. I'm sure that's why the media doesn't talk much about it.

    One last thought... If you are dumb enough to drive into a telephone pole and your air-bag fails to deploy, you can sue the manufacturer of your car. You can sue (and win) even though you are the real idiot.
    The technology to prevent macros viruses from spreading has existed for years. Emacs has a nice solution. So does Java (the Java virtual machine). Why do you think there are no IE or Netscape viruses? It's because these products use a technology that encapsulates the code, be it Java or VB, in a virtual machine. Why doesn't Microsoft use the same technology in Word?? Does this make MS negligent in the same way that a car company could be held negligent? Do you think that's air you're breathing? Hmm...
  • Although I only take partial issue with AOL's willingness to comply with search warrants (more to do with the laws themselves than the warrants), there is something much more sinister afoot here that goes well beyond busting criminals. Please read further in the article [apbonline.com] to the section about civil suits and subpoenas.

    Raytheon wanted to find out which of its employees were badmouthing the company in public via AOL, so they sued "John Doe," which means they filed a lawsuit which said, essentially, "We don't know who we're suing just yet, but by Ghod we're suing somebody." With the civil suit filed all nice and pretty, they typed up some subpoenas demanding the identities of the John Does, and carried them over to AOL, who turned over the true names behind the aliases.

    Here's the absolute best part: as soon as Raytheon knew who the employees in question were, they dropped the lawsuit. Then they either fired or disciplined all the employees involved.

    This is called a tactical lawsuit: it's one where you don't give any sort of damn what the suit's own outcome may be; you file it just to make sure there's a lawsuit in place so you can do things you ordinarily wouldn't be allowed to do. Here's how it works, fable2112 [mailto]: Say for example that I hate you and decide to kick your ass. If I ask servtech [servtech.com] who you are, they will promptly tell me to go to hell, which is as it should be. Since that approach won't work, I'm going to file a lawsuit: I sue John Doe for inducing mental distress in a SlashDot article. Nevermind the suit is complete crap. Nevermind it will never see trial--a lawsuit is a lawsuit, and I can use it to start issuing subpoenas. I send a subpoena to servtech [servtech.com], demanding your name and billing address. Are they going to tell me to go to hell? Of course not! I've got a subpoena--a court order!--demanding to know who you are. So instead of fighting it, they turn over your billing information. Now that I know where you live, I can drop the bogus lawsuit and cheerfully proceed with the asskicking I've decided you deserve.

    Is any of this bothering you yet? Keep in mind that up to the actual asskicking, everything I did was completely legal. The great big question here, whether it's about AOL or any other ISP, is how much cooperation should they have given me? The obvious answer is "none." The legally viable answer is somewhat more nebulous.

    Just something to contemplate.

    Disclaimer: I don't actually want to kick your ass.

    --

  • Let me first state, I am not at all a fan of AOL. However, as I stated in another post, I think the reason they keep the email logs is fear of prosecution on themselves, particularly under RICO statutes. Not too long ago, Ebay caught the Justice Department's scrutiny because their customers were selling stolen merchandise. Courts do not look favorably on willful blindness, and there are even ostrich laws in some states against willful blindness.

    A clever prosecutor could argue that: (1) It's common knowledge that criminals engage in conspiracy using the AOL service (2) It would take little effort for AOL to maintain email logs (3) They intentionally looked in the other direction to allow this activity to occur and further their business interests. Prosecuted under RICO, they could seize most of the corporate assets and possibly even the private assets of the executives. The executives would have the burden of proof of showing that their assets were not fruits of the criminal activity.

    Personally, I wish AOL would show a little fortitude and act in the interest of personal privacy. I think that's the trade off you have whenever you choose a big, public business as a service provider. While you may get some corporate stability and perhaps additional services, you can expect them to CYA when push comes to shove.
  • by Anonymous Coward
    AOL will cooperate and even disclose information when there is no warrant. According to the Seattle Times:

    "In 1998, Senior Chief Petty Officer Timothy McVeigh (no, not the bomber) was dismissed from the Navy after being outed by an America Online representative who received a phone call from a Navy investigator--with no warrant, no court order, no proof at all that AOL was legally bound to release the information that connected McVeigh to a user profile that said he was gay."

    Law enforcement does not just pursue criminals, they pursue suspects, and the information they may get from AOL includes information/messages about people other than the suspect. I went through some pretty rough shakedowns by police myself merely because I was friends with someone who was suspected of engaging in illegal activities 8 years ago - of course all his friends also became suspects. Six months later they finally decided he hadn't done anything wrong. In the meantime I was confronted by police and questioned at work, in class, and at home. I was even told by one officer he hoped I got my ass fired from work (since they were confronting me there) because I was obviously a drug dealer!?!?!
  • I am concerned with the blasé response I got from my mother who said both:

    * Why should I care? I don't engage in any of this activity.
    * I don't want people online to be doing these things.

    That's disturbing from a philosophical perspective. However, I think that AOL is engaging in the practice of entrapment for greedy corporate purposes.

    Should you have AOL (I don't thankfully), I challenge you to find a larger area than the "perverted" message boards and to find a member created chat room that has nothing to do with sex. Find me all of the profile advertising escort services. AOL could easily crack down on behavior that would bother mothers. But they don't. Why? I'll bet that 25% of their revenue stream comes from this arena.

    Should someone be allowed to open up a house where no one yells at you for smoking crack and then later calls the police after you've been smoking there for a year? Something is clearly wrong.

    AOL creates a forum in which "perverts" can exchange information extremely easily. They provide message boards which are hardly regulated, rooms which run rampant with sex requests, and even the ability to send e-mail from an "anonymous" account (you don't have to input any personal information to create additional accounts!). AOL has a way of separating the parents from the perverts: Terms of Service (TOS). This keeps illicit behavior out of the Moms' chatrooms, but who is going to TOS someone in a member created chatroom like "LittleGirlPics."

    Another concern I have is the implication of AOL users being cited for online activity that occurs outside of the AOL domain. If you do something within the proprietary service, AOL certainly has a right to stop you. But, if you are surfing Usenet or the Web and come across salacious material, does AOL have any jurisdiction? I think not.

    I think that users should send a message to AOL: prosecute everyone and stop facilitating illicit activity or allow it to happen and do not cooperate with law enforcement agencies.

    There's a solution: use online service where you are afforded more freedom.
  • And that's all there is to it.
    Lose a user or two, or fight the man..
  • Do people here who believe "we need to help out the government, if you have nothing to hide you shouldn't be worried" at least believe that law enforcement ought to at least need the same amount of legal cover to read Email as they'd need to read regular old US mail? Maybe the people who think AOL's actions are no problem will like this proposal: Should the government be allowed to open every letter, read it, reseal it before sending it out again for the public good? It goes through the post office after all. What if the government made consent to having your mail read a requirement to use the post office? Would all the crimes that could be stopped if the government were allowed to read everyone's paper mail with the same ease that they can read their Email justify this?

    Of course, I think it's insane to trust AOL, period. I imagine that if someone who ever used their service were to be sued by them (say they started their own, more successful AOL type service) AOL would probably make sure anything uncomfortable or embarrassing to them that they sent through Email on their service would be released to the media. I distrust the government, but I distrust AOL even more.
  • Really. I didn't know I bugged RR for days. Considering the head of security is a friend, and another of the abuse/security staff is a pretty good contact of mine, I find this rather amusing.

    Ask Harris or Mark about Scott Crain. =) They'll set'cha straight.

    Scott
    AOL Spamdinista
  • AOL is just the biggest name in the game of rolling over for law enforcement, so that is why they are getting the most attention. Anne Arundel cops have been able to just drive over to AOL headquarters and take anything they want, just by flashing a badge. No court order needed, just bring your laptop with a lot of disk space. There is even an office for cops in the building, but the cops have to schedule time in it since so many investigators try to use it.

    Well, I guess we now see exactly how bright you are.

    1) AOL's headquarters are in Dulles, VA (Sterling, VA if you want to get picky). Loudoun County.

    2) Not only that, Anne Arundel county is in Maryland, not Virginia.

    3) And last, sorry, no. Cops need a court order to get info out of AOL. No one can just walk up and take any information they want, cop or not.

    Sure, if you want, go ahead and dredge up AOL's past transgressions and claim they're still valid today. But I could just as easily say all the British are bastards cause they want to tax the hell out of us Americans. Sure, it happened some time ago, but it's no longer true.

    ---
  • Not entirely true. If you read the article it is slim on actual cases where the warrant does succeed in finding criminal activity. It also states that the local law enforcement office acts as a proxy for other law enforcement offices around the US. Ask yourself what it takes to get them to do that, a phone call, letter, warrant in the requesting agency's jurisdiction? The article also states that fishing expeditions using John Doe warrants going after people suspected of behavior unfriendly to lawyered up corporations were honored resulting in loss of livelihood and/or corporate reprogramming sessions.

    The buzz (meaning I have memory of it but no documentation) was also that AOL was in the news a few years ago when it gave the FBI files that were allegedly child pornography. The files, however, were encrypted and the FBI couldn't open them. An almost funny story, except when you stop to think about it. The buzz was that there were no warrants and that AOL monitored and gave up copied files based on an FBI request. AOL took some heat for that in some groups, but because all actions were under the rubric of 'stopping child porn' many people were willing to overlook it. That rubric has been the magic phrase ever since and was the rallying cry for the CDA (Communications Decency Act). AOL, unwittingly or not, sets precedents for how far privacy can be ignored and I wouldn't be surprised if they are cited as examples in internet privacy legal actions in the future.

    So maybe this isn't so stupid. AOL honors all warrants, frivolous or not, and sometimes doesn't even need one to give up their customers. AOL is setting the tone and raising government expectations of privacy invasions.
  • The "free" AOL thing sounds like a wonderful idea, but it would never work. IMHO there are two primary reasons why AOL is so widely used. First is because it's simple. Now I do think that the linux community could make an easy to use online service. The second reason is because they have POPs EVERYWHERE. There is no way that an online service could have as many dialups as AOL w/o a huge amount of money, then there is the cost of maintaining the equipment, in order to do that you need to either have someone disgustingly rich to donate a large amount of money, or you need to charge your customers. Hrm...there goes the free(beer) aspect of it.
  • Indeed. The problem isn't that AOL is giving out the info (any bank or credit card company, etc will do so with even LESS than a court order, like a credit report, say), but that the criminal justice system as a whole hasn't got a clue as to what to do with the information economy.
    Their understanding of the technology is so limited that they'll take a "shotgun" approach to law enforcement where information technology is concerned, taking everything they can get their hands on, without a thought as to what it is, or what it's used for.
    Hopefully, as more technologically savvy folks get into the justice system, this will change, but for now, it's really another growing pain of having a fundamental shift in the way things are done.
    That doesn't mean, however, that that's an excuse for some of the things that are done by the criminal justice system. Any violation of fourth amendment (is that the right one? Search and Seizure?) rights in a computer related case should be dealt with just as harshly as it would if it was a non-computer related crime.
  • here's what you need:

    http://www.zeroknowledge.com/

  • Now, wait a minute. Any legitimate business of ANY kind (not just an ISP) tends to have to cooperate when court-ordered to release records pertaining to a possible crime.

    But since the great polarization of all net issues is "the net is full of kiddie porn and hatred" vs. "our right to privacy is being taken away" ... what we have here is an article combining the worst of both.

    You know what really burns me about this article? It's perpetuating the link of "Internet user" to "child molester" in much the way that the media has in the past, say, linked "male preschool teacher" to "child molester." *sigh*

    There are sickos out there, and plenty of them ARE on the net. However, most people on the net are NOT engaged in illegal activities beyond the rather generic sort that might be expected of a more-socially-liberal-than-average sector of the population (smoking a bit of pot here and there, breaking laws against consensual sodomy, providing alcohol to 18-20 year olds, "stealing" the occasional office pens and pencils, that sort of stuff).

    And if people were seriously wasting their time prosecuting THAT, and using it as an excuse to read e-mail, then I'd worry. And the Raytheon bit does bother me. I'd've liked to see an article on that rather than this done-to-death "child molester" and "trench coat mafia" concern. :P
  • 1. ALL businesses do this. Period.
    2. AOL says they will only do this with legal court action - i.e., a search warrant.

    3. If you've got a problem with the consequences, don't freaking do it. If you can't do the time, don't do the crime.
    NOTE: Parse crime as action, not illegal activity.

    Basically, it comes down to this - don't say it online if you wouldn't in real life, and don't worry about this supposed "invasion of privacy". There is none. This article is a fluff piece about the relationship between the local sheriff and AOL. This is nothing new. If you think your ISP/university/ADSL provider/whatever wouldn't release information asked for in a warrant, I got a bridge in Brooklyn you might be interested in.
  • we do know there are some over-zealous prosecutors; they're not in popular fashion right now like during the worst period of the 'war on drugs', McCarthyism or whatever, but the public mood could revert back to a 'zero tolerance' where any perceived infraction is blown out of proportion in someone's quest to bag a big criminal and get the promotion.

    Chuck
  • What really baffled me about Melissa is why people made a huge deal about it. It was a harmless macro-virus that wouldn't even be possible if Microsoft shipped Office with macros turned off. (Btw, does anyone know if there is a way to turn off macros completely in Office? I have only been able to set it to warn me before executing them.) I would think they would have made a bigger deal about Chernobyl (that was the one that ate your BIOS, right?), which had the potential to completely trash your system.
  • Posted by Mike@ABC:

    Looking at the outrage here, I have to admit it's a little surprising. It's been common knowledge that law enforcement hangs out in "questionable" chat rooms and that ISPs have to pony up info when ordered by a court.

    The answer is pretty simple: don't say anything online or in e-mail you wouldn't want a police officer to hear in the first place. For most of us, that doesn't put a whole lot of restrictions on our daily conversations. And for those who are dumb enough to say anything otherwise, well, you most likely deserve to be busted anyway.

    Of course, in the immortal words of Dennis Miller, that's just my opinion. I could be wrong.

  • The guy's name is Timothy R. McVeigh (no relation to the guy who blew up the Alfred Murrah building in Oklahoma City - but it makes it easy to remember the name). He was Chief of the Boat on the SSBN Alabama, the position is the highest NCO position on board. AOL just gave out the information w/o any warrant to the Navy after they asked for it. I believe he was forced to retire after something like 17 or 18 years, just a couple of years shy of a pension. I believe there were some lawsuits involved and the Navy did end up granting him the pension.
  • Have you ever considered that there simply isn't anything earthshattering/newsworthy in your favorite areas today? Hm?
    Of course, there might be, and you might be composing a reply right now saying "yes there is, jerkoff!". Great. Why haven't you submitted it to Rob and Co. yet, then?

    If you've submitted something fairly newsworthy, and Rob n' Co. have ignored it/blown it off, then you've got a reason to complain.
  • Hey! A real uu net person. It's nice to be able to ask you why uunet does not charge its customers for cleanup fees? I know you guys get hit with spammers a lot, and probably half the spam that I get comes from uunet. I think that charging $5000 for cleanup fees would make your life much easier. What do you think?
  • The fact that they called AOL an ISP.

    AOL is definitely NOT an ISP, they are a Content Provider, just like MSN and Compuserve.
    As a tech for an ISP, I have a hell of a time explaining this to new customers that call in and wonder why, when they click on the connect button, it just sits there counting up the time and nothing else happens.
  • Hrm... I work at AOL, and as far as I know, we don't have ANY cable access nationwide. We have DSL and Satellite deals, but no cable.

    I begin to wonder about this one...

    Scott
    AOL Spamdinista
  • Yeah, but then they have to make the extra effort. They don't have the resources to do this to people unless they have real reason to believe that you are guilty of something. This is much different from intercepting email just to see what turns up.

    So maybe the NSA has a cryptanalytic attack against IDEA that effectively reduces its difficulty to that of brute-forcing an 80 bit key. That's good! Then, if they have real reason to suspect someone, they can get the evidence they need. However, they wouldn't have the resources to crack everyone's IDEA encrypted messages just for the hell of it. It's all about balances.
  • Every ISP keeps *logs* of what goes on. AOL doesn't keep read email that long, and contrary to your statements, email is not stored on the member's drive when read unless they specifically set that up in their configuration of the AOL client. See my post further down the page with more details on the time we retain stuff.

    Scott
    AOL Spamdinista
  • Well, since I'm on AOL's mailstaff, I spose I can answer this one.

    Unread mail is kept for 28-30 days (Depending on when that database is reaped). This gives people a decent amount of time to get online and read their stuff. I think you'd be pretty mad if you went away for a few days and your ISP wiped your mail spool cause it was 'too old'.

    Read mail is kept available to be re-read/kept as new mail for about 48 hours. (again, dependent on the reaping schedule). I know this has saved MY butt a couple times when I forgot to save something.

    Deleted mail (read or unread) is deleted after about 24 hours. (That reaping stuff again). Currently AOL members can't retrieve this mail (Much to some people's dismay), but this is changing in the forthcoming 5.0 client, which allows members to access the 'Previously Deleted' folder of their mailbox (What we here on staff call the Recycle folder)

    Scott
    AOL Spamdinista
  • I wasn't talking about AOL there...I was talking about normal ISPs who use POP3. So unless the user selects to leave e-mail on the server, it gets saved locally on the user's computer.

    -Al-
  • IIRC, a while back 2600 printed a list of words that you guys scan for. How long are those records kept?

    Or is that a "no comment"?
  • And me, who has to send mail to these people who don't have the knowledge to use PGP or GnuPG.

    So even though I don't use AOL (well, AIM sometimes) I'm affected.
  • I use RR with linux (Debian 2.2 and RH 6.0) here in Portland, Maine. While they do not support it www.maine.rr.com has a number of cool (but rather old) linux-cable-modem-howto's.

    I use RRlogin to authenticate with tas although I'm not sure where it came from (I just have the binary). Has anyone seen a site with the source? Also, I'd really like to thank the guy who made it and play with the code. (My friend wrote a windows version that is a little slow and may benefit from seeing someone else's ideas)

    -matt
  • In Maine, this is allowed. One may go to the RR webpage and choose advanced access, allowing him to use an RR ID on any RR modem. Yours might be set to the secure mode, thus requiring your personal modem.

  • I found the address for rrlogin.c [qualcomm.com]

    You can email Phil Karn [mailto] (its creator) if you'd care to thank him. I did.

  • This is what packages like PGP are for folks...
  • For the record, as a Road Runner employee and admin, Road Runner's policy on its cable modem service is to not disclose any login, email, or private service related info to "any" party without a court order. Just want to make that clear. =]
  • Frankly, I was already shocked to know that firms often look at our email (there is technically no problem about this), but usually firms just look if their employees are not wasting too much time emailing (like I do)...
    They don't send their logs & mailboxes to the police...

    To be closer to the computer world (and to return to Bill Gates), aren't we on Free OSes to avoid a monopoly on information protocols, to avoid that some firm (M$?) can get information about us and about our lives, our hobbies and our privacy? If the protocols are closed, we don't know what kind of bomb is inside...

    In France, where I live (excuse my poor English!), the Army has decided to go further into Linux because they fear that their secrets could fly away if they rely too much on NT...
    I don't know where they are in their Linuxisation, but I regret they have taken so much time to realize how closed computing endangers their secrets...

    For France Telecom (our national Telco), who was very pro-microsoft, they are going deeper into Unixisation... Strange, isn't it?
  • by halbritt ( 30189 ) on Wednesday July 21, 1999 @11:18PM (#1790650)
    I'd be the last person to defend AOL but the conditions under which information would be released, as described by the article, are really no different than any ISP. I'm sure the authorities could gain the same access to information by serving an individual with a search warrant and getting the information from his computer. What really should be questioned here is not AOL's policies for giving information in response to a "valid legal process" but the conditions under which such warrants and court orders are approved.
  • This bit of information lets us know that big brother doesn't need to be watching, the companies are just giving away the information. I'm glad I ditched my AOL account so long ago, kinda makes you think "What did I write?"


    -my $0.03
  • For a start, if you actually read the article it states...

    AOL, the world's largest Internet service provider, or ISP, tells its nearly 18 million customers it won't read or disclose private communication or personal identifying information except under a "valid legal process."

    This is standard practice for all ISPs, and for that matter any legitimate business... if the Authorities believe that you have information that will help them solve a crime, they will ask for your assistance...

    For people to see this as a problem is ludicrous, or perhaps the people that see it as a problem have something that they are hiding. The ISPs do not sit there and monitor everything you do, but if they are presented with a warrant to release information to the authorities then they investigate.

    Just chill out and get a sense of reality on this thing... it's for people's benefit...
  • by amayhew ( 16730 ) on Wednesday July 21, 1999 @11:31PM (#1790654) Homepage
    AOL is just acting in the same way that any other common carrier operates. Which is every ISP in the US (along with phone companies and backbone providers). They only release information if there is a subpoena or a warrant and your local ISP probably operates the same way (or should legally). If the police (or anyone else for that matter) gets a warrant or subpoena for logs, user information, or anything else that an ISP keeps on their servers then the ISP has to legally give that information up. Did you actually read the article and realize that AOL's policy is just that? They only release information requested in a subpoena or warrant. It is not like they are giving it away. The only information which they do give out to the FBI is in their chat rooms. Additionally, that information is the screen name of the individual and what kind of complaint some other AOL user made against that person. Notice, an AOL user must make a complaint before they forward any information on to the FBI.

    The only reason this even makes the news is because AOL is so huge. If you would actually read the article and understood even the basic laws that telephone companies and ISPs have to operate under then you would know that AOL is operating no differently than your mom & pop ISP shop in the middle of nowhere when it comes to dealing with the law. So if you would get your head out of your ass and actually think, you would realize that AOL is not the problem in following the laws, but the laws themselves are what are not protecting your privacy.

    If you are really worried about your privacy and you are worried about who is giving out your personal information, then maybe you should find out how that information is protected (or is not, depending on your pov) and then work to have the laws fixed.

    No, I don't have an AOL account, I don't care to have an AOL account, and I could care less if AOL lives or dies. But I have worked for ISPs in the past and I know how they are bound legally and what is stated as the AOL policy for giving out information to the authorities is precisely what is required by law.

    The only reason I felt the need to even make this post was because the comments that I saw were so knee-jerk and unthinking that, aside from the lack of all-caps, they could have come from AOL users. If AOL was voluntarily giving out user information without the benefit of a warrant or subpoena then this would have actually been newsworthy.

    --Andrew
  • Heh! Whatever you're on, can I have some too? Looks like real good shit... ;)
  • This actually makes us think about a very important issue. Where do we draw the line?
    Consider the following. What if a person sends an email message confessing that he purchased a gun, and intends to murder a certain person. In many countries of the world, this constitutes reasonable cause for arrest and interrogation.
    Personally, I think that privacy is more important, because what AOL is doing has only one outcome: People should start ditching their AOL accounts.
    If the courts rule in favor of service providers who disclose such information, people will start forming their own "black-market" networks to avoid these firms. Just like open source is doing to commercial software.
    In light of what we see, perhaps we should start forming those free network services to rival AOL right now...
  • Whatever ISP you are using, never, I mean never, use the mailbox given to you by your ISP. Don't give that email address to anyone.

    Get a few POP3 accounts where they don't ask any questions about you. They can be hard to find but they do exist. Get also into an anonymous service. It's important to cross as many country borders as possible to make it virtually impossible to get all necessary court orders to reveal your true identity.

    With fetchmail you just drain all your mailboxes to the local Linux account when you connect to the Internet.

    This will make it a real pain in the *ss for anyone prying into your privacy. Use also PGP when emailing your Linux buddies about your latest C++ or Perl tips.

    //Pingo
  • by rde ( 17364 ) on Wednesday July 21, 1999 @11:42PM (#1790658)
    A bunch of people have suggested solutions, from PGP to using real ISPs. That's cool for the /. audience, all of whom are at least slightly technically savvy. AOL's user base, on the other hand, consists mainly of people who know barely enough to stick one of the 68,000 CDs they were sent into the drive and crank it up. This isn't a criticism of these people; they simply don't use computers.
    These people never heard of PGP, and as far as they're concerned, their email is private. These are the people about whom we should worry; the technologically ignorant are most at risk.
  • Also, you could use CFS (Cryptographic FileSystem) to store your private email...

    Haven't used it myself (mainly because I don't have anything to hide), but it doesn't look difficult to set up. I don't know how secure it is, though.
  • I work for a major ISP (check my e-mail address) in the Network Security group, and this here is one of our biggest cans of worms.

    I am not sure whose side I am on on this one.... When we have attacks underway, and customers down, law enforcement is a good thing, and we want the cops to do everything possible.

    However, some of the courts are "rubber stamp", and all it takes to undergo "due legal process" is asking permission.

    The one thing that no one has mentioned yet is enforceability. At one point, AOL had >50Gb dedicated to tree.exe, some stupid xmas windows program, in their mail spool. Our backbone, up to OC-48 (~10 Gbit/sec) in some places, carries a TON of information. What can you use to sniff that? If you can sniff that, what do you do to log the packets that you sniff? And then what do you do to analyze them?

    What scares me is the lack of understanding on the part of law enforcement. You don't tap the 'Net like you tap a phone line, and they just don't get that. "No, no, I don't want everything on the backbone, just the e-mail from this one user." Well, the backbone is fiber across the entire continent, and you want me to filter on layer 7 information?

    What we have to watch out for is legislation like that which recently passed in Australia, forcing ISPs to comply with technologically impossible court orders.

    Eric Brandwine
  • by Anonymous Coward
    Why not do what I do. Don't break the law! Yes, amazing as it sounds I am actually able to spend days at a time without breaking national or international laws! I also don't hang out with drug dealers, pedophiles, military crackers and spies, smugglers, dictators and genocidists, sodomists (in some states), and I even drive carefully and at the speed limit.
  • AOL is just the biggest name in the game of rolling over for law enforcement, so that is why they are getting the most attention. Anne Arundel cops have been able to just drive over to AOL headquarters and take anything they want, just by flashing a badge. No court order needed, just bring your laptop with a lot of disk space. There is even an office for cops in the building, but the cops have to schedule time in it since so many investigators try to use it.

    Smaller ISPs are all learning the hard way the courts always rule for investigators, so at this point most don't even bother asking for a warrant before allowing access. I've watched it happen at a couple of ISPs where I've done business, where the cops wanted either a straight wiretap off a router, or a copy of all email from the main server and backup tapes.

    It's not that difficult to direct traffic from a logon session through a specific port on a router, and I had one ISP pay me two days wages just to do it once (without breaking their network like they did). They had the cops camped in their offices waiting to capture all the traffic from a suspect's sessions, thinking he was dealing drugs from his email account or over IRC. He wasn't, but it took them a few weeks to figure that out. At first, they expected to have an exact copy of his screen based on IP packets going across the network, by the end they were happy enough with a tcpdump file. The guy just played on the web a bit, never even hit any pr0n sites.

    So this doesn't surprise me at all. I'm surprised anyone is shocked by the revelation, tho.

    the AC
  • There's been talk of a linux version of AOL.
  • Wasn't it the Navy that the guy was enlisted in? (yeah, nit-picky, I know...)

  • It depends on where you are. Apparently, in the States you need some rrlogin program to get in. Here in Newfoundland you can get static IP (like me) that you set up like a regular ethernet, or a dynamic IP which uses DHCP.

    As for the company minding, they don't at all. They make sure the NIC they give out works under Linux and they didn't care that I had a three box network when they installed it, in fact, the guy was impressed that I had print/file/intranet database server on it. He was also impressed with Linux itself.

    The coolest thing was when I ordered it the second time (I moved) I told the guy I used Linux and was capable of setting it up myself and he gave a NIC right there so I could have it already set up before the installer came around.

    Now if only they'd relax the packet filters on the routers and "officially allow" IPMasq (though the rules state that stuff in a Windows context...). I knew a guy who decided to try WinGate to connect multiple computers and immediately received an email asking him to stop. Nobody I know using Linux has gotten such an email (including myself).
  • Well then, you won't mind them implanting a tracking device in your head, then either? How about video cameras in your house? As long as you're not breaking any laws, what's the problem? Nice to know there are still people like you who only care about themselves. Good show!
  • Chernobyl was written in Taiwan, though. (or was it Hong Kong?) The US can't arrest someone there, although they could request extradition.
    Practically however, extradition would not happen. If every virus author were extradited to US courts to be sentenced without a trial, it would not only clog the prison system, but the US would appear to be on a witch hunt, marring our appearance even further in international politics. Plus, Chernobyl isn't new anymore, it's not viewed as an issue by the masses. They just pay attention to what they are told by mass media, which went crazy with Melissa and makes a slight mention of Chernobyl on maybe a monthly basis. (around the 26th, of course.)
    This isn't justice. It's a game of saving face. Make it look like you're coming down hard on the bad guy, even if he's not all that bad.
  • How hard would it have been to change a log file? It's just 1's and 0's. Is AOL asked to prove that the logs were not tampered with? Of course not. It's impossible to prove such a thing.

    Actually, it is possible to prove such a thing if one:

    a) keeps a hardcopy of the logs as they're generated, or,

    b) uses a very strong hashing algorithm like MD5 on the saved log files.

    Can't say whether or not AOL does either of these things, but it certainly is technically possible.
  • You might want to think a bit before you post this sort of thing. It looks an awful lot like FUD:
    1) AOL's headquarters are in Dulles, VA (Sterling, VA if you want to get picky). Loudoun County.
    2) Not only that, Anne Arundel county is in Maryland, not Virginia.
    Anne Arundel is, in fact, in Maryland. Maryland is awfully close to Virginia -- right next to it, even. Dulles is certainly a drive away from Anne Arundel. Heck, Wytheville is a drive from Anne Arundel...just a long one. Law enforcement officers will make a drive that long, however, if the return justifies the investment.
    3) And last, sorry, no. Cops need a court order to get info out of AOL. No one can just walk up and take any information they want, cop or not.
    3. Any evidence for that? I mean, not like he had any to begin with, but this is only a reiteration of the party line. Considering that this is the question at issue, it hardly settles the matter.

    Just pointing out that you didn't really refute anything.

    phil

  • For me, the most important security question for my ISP is: What do you log? And what do you backup? How long do you keep it?

    Of course AOL or any ISP has to comply with search warrants and subpoenae. But they can't produce what they never had, or had deleted. And usually they can't be faulted if it was a reasonable course of business. (Beware the .au initiative!)

    Of course, if you leave stuff on their mailspool, that's your fault. But if they keep their IP/mail-logs forever, beware traffic analysis.

    -- Robert
  • I think he meant that it was harmless since it had to be executed by an Office app before it could do damage. If Microsoft Office didn't have such a moronic setup, it wouldn't have been able to do any damage. They default it to run macros automatically? That seems extremely stupid. If the user doesn't know enough to be able to turn them on or off or use some other setting, then he probably has no business running macros in the first place. He'll just get into trouble, as the whole Melissa episode proved.

    Defaulting to run macros automatically, just because it makes it easier for a user to run things without knowing what they do sounds like poor reasoning to me. It's kind of like putting a sensor above your front door to automatically open it whenever someone walks up to it. If people value their machines and data, you'd think that they might want to learn a thing or two about how to keep them safe.

    Most people really don't have a clue about what their computer does. It's hard to be sympathetic when we've had to deal with a new virus popping up every couple months for years and people still don't think to do anything to prevent things like this from happening. Are any of these people complaining to Microsoft about its incredibly poor security? Nope. They will just continue to whine about the nasty hackers who crash their computers. It was a freaking macro virus that any 12 year old could write that simply exploited an idiotic flaw in Microsoft's software! If we don't take steps to at least create minimal security for our computers, then we have nobody to blame but ourselves.

  • Whether or not you've broken the law can be a matter of "is this person politically inconvenient for us at this time?" Yes, even in the US, trumped up charges can be brought against people who need to be discredited or destroyed because a powerful corporation, government entity, or member of a rich political family thinks the person needs to be silenced. So the big question is, have you ever, under any circumstances or for any reason said anything that can ever be taken out of context and used in a trumped up case against you? Heck, politicians in this country will make stuff up about what exists or doesn't exist in this world, just read this thing written by Dick Armey [freedom.gov]. Are you absolutely sure that you want people working for him (or someone on the left, if you are a Republican, like Bill Clinton) reading an Email you wrote at 3 AM when you had been up for two days straight and were blowing off some steam?

    Just because you do not take an interest in politics doesn't mean politics will not take an interest in you -- Pericles (430 BC)

  • I also work for Mediaone/Road Runner and I just wanted to say: AOL's abuse team will bug us to NO end for days about simple BO scans and small issues. Try and send them an e-mail - you will get no response. If I had my way I would ban the AOL domain entirely for not following internet standards and netiquette. They need to shape up and get real. Also there was something about a crash cart incident... ;)
  • Are you on crack? Everyone has to earn a living somehow. GNU software is meant to be coded *in your free/spare time* or if you work for a company which is *involved in its development*. Re-read RMS's discourses on the subject and get a clue. There's always going to be a difference between GNU/free and commercial software...it's time you grew up.
  • (b) uses a very strong hashing algorithm like MD5 on the saved log files

    As long as the hash itself is protected. To be secure, the hash should be printed to hardcopy (or at least widely distributed) as soon as it is created, rather than being kept on the same system, where it can be replaced along with the file.
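
Added example, not part of the thread or any poster's code: the two comments above on hashing saved logs and keeping the hash off the system, as a runnable check. It uses SHA-256 in place of the MD5 the comments mention (MD5 is no longer collision-resistant), chains the digest line by line, and runs on constructed log lines; all function names are hypothetical.

```python
import hashlib
import hmac

GENESIS = bytes(32)  # fixed starting value for the chain

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "1999-07-21 23:18:02 login user=alice ip=192.0.2.10",
    "1999-07-21 23:19:40 mail-sent user=alice rcpt=bob@example.org",
    "1999-07-21 23:25:11 logout user=alice",
]


def chain(lines):
    """Return the running digest (hex) after each line.

    h_i = SHA-256(h_{i-1} || len(line_i) || line_i), so changing, removing
    or reordering an earlier line changes every later digest.
    """
    digests, prev = [], GENESIS
    for line in lines:
        data = line.encode("utf-8")
        prev = hashlib.sha256(prev + len(data).to_bytes(8, "big") + data).digest()
        digests.append(prev.hex())
    return digests


def head(lines):
    """Digest covering the whole log: the value to print or distribute."""
    digests = chain(lines)
    return digests[-1] if digests else GENESIS.hex()


def verify(lines, anchored_head):
    """True if the log still matches a head digest recorded earlier."""
    return hmac.compare_digest(head(lines), anchored_head)


def first_mismatch(lines, anchored_chain):
    """Index of the first recorded digest the log no longer reproduces.

    Returns None when every recorded digest still matches; lines appended
    after the record was taken are not a mismatch, truncation is.
    """
    current = chain(lines)
    for i, recorded in enumerate(anchored_chain):
        if i >= len(current) or current[i] != recorded:
            return i
    return None


def demo():
    # Digests taken as the log was written and kept off the system
    # (hardcopy or wide distribution, as the comment suggests).
    offsite_chain = chain(SAMPLE_LOG)
    offsite_head = offsite_chain[-1]

    # Someone with write access alters one entry, then regenerates the
    # digest that is stored on the same system as the log.
    tampered = list(SAMPLE_LOG)
    tampered[1] = tampered[1].replace("alice", "mallory")
    onsite_head = head(tampered)

    return {
        "onsite_check_passes": verify(tampered, onsite_head),    # proves nothing
        "offsite_check_passes": verify(tampered, offsite_head),  # detects the edit
        "first_mismatch": first_mismatch(tampered, offsite_chain),
        "untouched_ok": verify(SAMPLE_LOG, offsite_head),
    }


if __name__ == "__main__":
    print(demo())
```

The on-system digest verifies the altered log because it was regenerated along with it; only the copy held elsewhere shows the change and where it starts.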

  • VPN is at both ends. If both ends are not trusted, you have no VPN. Any cop could easily get his/her computer on the VPN if anyone can connect to it, thus rendering it useless.

  • ... you see, that wasn't the focus of the article.

    I did read the Raytheon part. And I certainly don't like the implications of that.

    However, is that where the article was focused? No, it is not. The article was focused on murder threats and kiddieporn on the one hand, and "loss of privacy" on the other hand.

    That's what JoeAOL-UsingReader is going to come away with. And that's why I've got a problem with the article. Had it been focused on the Raytheon incident, that would have been another matter. THAT is actually worth focusing on.

    Perhaps a compromise solution would be to disallow accessing ISP records for a civil suit?

    *shrug*
  • IMHO there are two primary reasons why AOL is
    so widely used. First is because it's simple.

    How does extraneous crap like 42 million pop up
    ads and an equal number of splash screens
    before you get where you are going == simplicity? Try
    A) preloaded on new PC's
    B) marketing machine

    I do admit the _setup_ process could possibly be construed as being simple, but without a and b....
  • I think they have the login software to keep people from buying their own cable modems and splicing into the lines for free high speed net access. If you need to authenticate to get past the first router, you don't get far.

    Here in Rochester, they're even going as far as matching the serial number off the cable modem to your ID. I tried using my login over at a friend's house, who also has RR but is on a different subnet, and it would not authenticate.

    I think it might be as a preventative measure against crackers, too. Since it's DHCP, and not everyone uses the NIC they installed for you, they have no idea who's getting what IP addresses unless you have to log in. I doubt they even keep track of the MAC addresses of the NIC's they hand out anyway, for just that reason.

  • That list is about 5 years old, and was a list of words that could get you in trouble in chatrooms. Now, AOL's never officially acknowledged that it existed, and it's even possible that it spread out of the Guide (AOL's remote staff that does a lot of the overseeing in chat and on message boards) program without specific approval.

    There's definitely no 'bad word' filtering in mail.
  • However, is that where the article was focused? No, it is not.

    That's kinda why I focused on it--I get scared when the whole issue gets dumbed down to the point of "Civil libertarians are complaining that AOL helped the police catch a child molester." With that kind of lead-in, nobody notices the significance of the aside: companies and individuals are routinely abusing the system.

    And to boot, less critical readers get the thought-concept "civil libertarian" mapped over to "pro-child-molestation." But that's a rant for another time.

    Perhaps a compromise solution would be to disallow accessing ISP records for a civil suit?

    It is possible to attempt to fight a subpoena, if you are willing to spend the money on lawyers. However, not only is it perfectly legal for AOL to turn over subpoenaed documents, it's a whole hell of a lot cheaper.

    --

  • I read somewhere that the only reason most hackers are convicted is because they confess. Unless they are caught in the act (Mitnick) they can show that the "real" hacker could have changed the logs to frame someone else. Or someone could easily beige-box from your house, use your ISP account, and you'd get "caught".

  • Trust me, I was fully aware of the focus of the article. However, the underlying problem here is that until the sensationalized faction war goes away, the REAL problems aren't going to be covered, or will, at best, be buried in articles about Intrusive Government vs. Child Molesters.

    If this makes any sense, the real issue here is that the real issues are not being focused on.

    :)
  • Just because a person is technically capable does not always mean they are not using a service like AOL. We can also have non-technical family members that need access, and/or be in the middle of nowhere where our choices are get a T1 or use AOL, now the T1...
  • Now that I know where you live, I can drop the bogus lawsuit and cheerfully proceed with the asskicking I've decided you deserve.

    In this case, surely you get slapped with a suit for launching a frivolous suit that you never intended to pursue?

    - Aidan

  • Let's not take this too far out of context.
    If a crime has been committed, the police obtain a warrant to search a suspect's home, and they find a "to do" list containing such items as, steal hand gun, purchase bullets, and kill John Brown, then I think that we would all agree that this is fair and relevant evidence for the police to look for. The criminal/suspect was well within his rights to jot down the incriminating evidence, he was just stupid to do so. Likewise, anyone who places incriminating evidence on their computer or the internet without any thought as to if some authority might check it, is stupid.

    As for infringing on our rights of privacy, as a sys admin, I have a reasonable idea (and I think most educated users do as well) of what anybody who tries can read/trace, what takes some serious work to find out, and what is nearly impossible to crack. It is simple prudence to keep information that is truly confidential and private in this last category. I would be more worried about some private individual trying to blackmail or steal private information, than the lumbering law enforcement agencies.
  • Although I'm not very proud of it, I do know some things on the subject. (There once was a time when I purchased my first computer with a modem and didn't know any better.)

    AOL employees as a whole don't stand out with their intelligence. I personally know of a few cases where accounts were compromised by just calling AOL tech support and telling them the password was forgotten. Although they're _supposed_ to ask you for full account information including the last 4 digits of the credit card number, some were happy with just some basic information like the name of the account holder and the address.

    What I'm trying to say is that the information could be given out accidentally, against AOL's policies (although the press release doesn't seem to confirm this - that's what they were saying some time ago). When someone calls in and claims to be the Police or the FBI, a person's first reaction is probably to try to cooperate. Of course, if the information was disclosed after a court order, they really should have done that.

    I think some of us may still remember the story about the homosexual marine who revealed his sexual orientation in his AOL profile. The Marine Corps (or whoever) called AOL, and they happily gave out his information without even confirming that they were indeed who they claimed to be. He was "honorably" discharged only because the media caught the story.

    ---
  • Well, I wouldn't exactly say that OSS is "black market" software. The same would apply for the ISPs you're talking about, unless an actual law would be put into effect that would make them illegal.

    ---
  • The problem is that not all AOL employees follow the standard procedures, especially since... well... they're AOL employees. Their peons get paid about 5 dollars per hour, so they could care less. If someone calls in claiming to be the FBI or even just the police, their first reaction is to cooperate.

    This has been demonstrated in many cases. You can read about the most famous one, when a man was discharged from the marines because AOL revealed his account information (without even confirmation that the people who were requesting the information were indeed the Marines). He listed his marital status as "gay" in his AOL profile.

    ---
  • Hmmmm.

    a) What is AOL's policy? I would think that the subscribers have to abide by some form of agreement stating what rights they can expect, and what conduct (on either part) is acceptable. If it specifically names illegal conduct as unacceptable -- as such an agreement probably would -- then AOL might be free to tip off the authorities, legally. I'm not sure that they could on their own, unless they monitor all involved mail, however.

    b) If somebody states to another person, in uncertain terms, a *credible* intent to murder -- and it actually happens, then might not coming forward with said evidence constitute accessory?

    c) Using an AOL handle might be considered more of a "vanity plate" deal instead of guaranteed anonymity. We drive partly anonymously, in the sense that our automobiles are generally not prominently labelled with our names; however, police may note a plate and get the state DMV to cough up our names. This might be a fair comparison, from AOL's POV.
  • It was not harmless if you value information -- or have you forgotten that it was capable of sending whatever document you were working on, along with itself? That could have resulted in rather unfortunate information leakage.

    That, plus it *did* hamper mail servers.

    Ideally, MS would tone down their macro language capabilities or provide a security model where one could run them in a sandbox-like environment, but eh.
  • Really? You've never, ever jaywalked? Stolen a pencil? Owned shareware past due date, but not paid the registration fees? Made unfair use of copyrighted material? Fed pigeons in certain city parks? Avoided remitting sales tax (on your own, I might add) to your own state whenever you order products from companies without a nexus in your own? Drank while underaged? Played a Halloween vandalism prank? Damaged land in your backyard, that happened to qualify for federal protection as wetlands?

    And, presumably, you are fully acquainted with the entire US Code, and the laws for your state and municipality? And, you read "Congressional Quarterly" and so forth to *stay* up-to-date? Or do you merely *think* you have not violated any laws?

    If you *can* honestly say you do, then congratulations. You're probably a lawyer who's well off and can afford not to be constantly trying cases. Otherwise, your statement seems a tad disingenuous, particularly in light of Gov'ts that tend to inexorably restrict legally permissible behavior.
  • I know where N'rundel county is, I used to live there. It's a short drive around the beltway to Sterling (except in late afternoon traffic :-)

    The cop and I went to school together, we still keep in touch. This info is from last Christmas time. Do you think AOL has completely cleaned up their act since last winter?

    Investigators from many jurisdictions hit up AOL for information all the time, there was even a story about someone being sued in TX because the message went through VA. AOL honors search warrants from any American court, they have to, it's the law. They have also cooperated with Scotland Yard in England, in the big cross-atlantic child pr0n case a couple years ago.

    And AOL has so many cops or DAs coming in with court orders, they don't even check them any more, or supervise what they collect. Many courts require chain-of-possession by an officer of their court, so the cop heads into the crime scene (AOL headquarters), records the evidence, and then hand carries the evidence back to a court approved storage site. When the evidence is presented in court, there is a list of every person who handled it from collection point to the courtroom.

    So the cops grab whatever they can while they have free rein on the system, even for cases they don't have a warrant for. Just because it can't be used as evidence in court doesn't mean they can't 'accidentally' see some information which leads them to discover other evidence in a legal manner. A fairly common tactic by overworked cops. Only a serious investigation by a defense attorney can dig up the illegal origin of the evidence, and the cops are counting on major incompetence in most cases.

    [And yes, the Brits are bastards sometimes, but it's the IRS (internal, not inland) that thinks it can tax people all over the world. Grrrr.]
  • I think a lot of folks are not reading the whole article. It does state clearly that AOL releases this info when presented with a subpoena. It would be suicide for AOL to not do this. Also, why are so many crying about AOL and privacy? They act as if the gov't can't already:
    • tap your phone line
    • intercept your e-mail
    • get your financial records
    • interrogate your employer
    • put you under direct surveillance, etc
    For those of you who are complaining about AOL's disclosure policy:
    If you're really worried about privacy, then those are things you probably ought to address first. AOL has far less information about you than ... phone companies, banks, or your employer.
    I think it makes sense for AOL to comply with the law. If you have a problem with the info that they're providing _legally_ to law enforcement, take issue with the laws, not with AOL.
    -earl
  • The simple fact is that if you aren't encrypting your email, ANY sysadmin on the mail path from you to the destination can read what you've sent. That should send shivers down ANYONE's spine if they are in the least concerned about privacy. AOL isn't to blame here (tho I am far from fond of them for other reasons); it is ultimately the responsibility of end users to protect their own privacy if they are concerned about it.
  • If they are no different, why do they keep user email on record for extended periods of time? Two days for email that has already been downloaded, and a month for email that has not. This is not a necessary action, and serves only to place them in a position to turn the email and other data over to third parties.

    There is certainly nothing wrong with complying with court orders, but AOL should make the effort to take itself out of the path of justice (whether it's right or wrong), by not archiving data, and instead simply provide its users with internet access.

    Instead they have deliberately placed themselves in the position to help law enforcement for dubious reasons (moral high ground, "family" ISP, big brother) whatever, it doesn't matter. They should simply provide access, no more.

  • Possibly. Hopefully. But in the U.S., most "frivolous lawsuit" rules are intended to make the filer pay for any legal fees incurred by the defendant, and no defendant has had any. Since I dropped the suit before it went to court, and since I never actually named a defendant, there isn't anyone who can sue me for this. Even if I discover the name of a John Doe, there is no actual defendant until I have amended the suit, which I am not going to do, since all I ever wanted was to discover John Doe's identity, not actually sue him.

    I'll forfeit my filing fee, which will pay the gov't for its troubles, but even that may be tax-deductible.

    I wonder how many programmers would make good lawyers (and vice-versa)? It seems like both professions require one to navigate pedantic and complex rulesets to arrive at a stated goal...

    --

  • Thanks for the clarification. Yes, I wholeheartedly agree.

    I'd love to audit an "ethics in journalism" class, just to see what's being taught and ignored.

    --

  • You are right on the money. See the post a few up about a free AOL-like service. Something that we could feel good putting our newbie friends on where they could get accurate info and have a great first time net experience. I have often wondered how experienced users (linux) could help new ones and I think that is a great idea. Computer help forums..privacy info..etc. I would volunteer a few hours each week writing content for a site like this. I might even volunteer to go to their computer and show them how to access and make the site their default homepage.
  • by Anonymous Coward on Thursday July 22, 1999 @02:06AM (#1790716)
    People, what we should really be concerned about is not how readily AOL cooperates with law enforcement, but how readily law enforcement uses that information. Email and log files are not the same as finding someone's fingerprints. It's not physical evidence. These things are stored in databases. Databases which can be altered. No one in law enforcement that I know of seems to realize this.

    Case in point. Do you remember the Melissa virus? It was traced back to a usenet posting made by an AOL user.

    "Who was online at the time?" asked the feds.
    "Um... Our logs say it was that guy" said AOL.

    And as you probably saw on TV, he was dragged from his house. How hard would it have been to change a log file? It's just 1's and 0's. Is AOL asked to prove that the logs were not tampered with? Of course not. It's impossible to prove such a thing.

    And if tampering is not suspected, what about simple errors? Flip one bit and your SSN becomes someone else's SSN. Anyone seen the movie Brazil? A computer glitch causes the wrong person's name to be printed on a warrant for arrest. Do you really believe such errors don't actually occur?

    Finally, it scares me how quickly law enforcement agencies jump on people when there is a media frenzy in the air. It's like they smell blood. The local governor showed up when they arrested the alleged author of Melissa. He was pronounced guilty without any real evidence.

    So, to restate my point, the real problem is not that AOL or any ISP cooperates with law enforcement agencies. The real concern here should be that 1's and 0's are treated like physical evidence by a public so ignorant of technology they actually believe that if they see it on their screen, if it's written in a file, it must be true.

    "I do not fear computers. I fear the lack of them." - Isaac Asimov

  • I am a regular on a telnet-to Citadel-based BBS called ISCABBS.

    I know there have been a few HUGE flamewars related to "release of confidential information" to either a minor user's parents, UIowa campus officials (UI is where this thing is based), and/or outside law enforcement agencies. If I remember right, the most recent case allegedly had to do with a child molester (thereby polarizing everyone even more than if, say, it was some guy confessing to the net-at-large that he uses marijuana). Certain fora have also been killed due to possible conflicts with established law.

    However, there IS a policy stating that confidential information would not be released for someone making a suicide threat. (I guess we had too many boys and girls crying wolf on THAT subject.)

    I'm just very glad this never came up back when I used to sysop on The Far Side (another, much smaller, telnet CitadelBBS that is now defunct, unfortunately). Then again, considering that I was one of two American 'ops on an Australian BBS ... though it was amusing when someone tried to buy drugs from the other American 'op because he had "the drug is ready" (from a Tragically Hip song) as his Doing: field. *chuckles* That one should have had his info released by the 'op to the cops just for being so damn stupid. :)
