8

Context:
I rent two dedicated servers from a hosting provider, one on a yearly basisis, the other monthly. The Terms of Service and AUP state clearly that they are not to access the server or data contained within without a work authorization or valid legal request.

They also provide an internet connection to said servers, as well as several public IP addresses for use on these servers.

Through testing and diagnosis, I have determined (and their support team has confirmed) the existance of a device that intercepts outgoing SMTP traffic from said servers. This device acts as a man in the middle device, and rewrites said traffic to strip out the STARTTLS ESMTP capability (i.e. disables encryption), meaning that all ougoing email communications are either unencrypted, or fail (if encryption is set to be required).

Their reasoning for the presence of such a device is to prevent abuse of their network.

18 USC § 2510 defines a wiretap device as such:

5. "electronic, mechanical, or other device" means any device or apparatus which can be used to intercept a wire, oral, or electronic communication other than—

(a) any telephone or telegraph instrument, equipment or facility, or any component thereof,
(i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or
(ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties;

This leads to two questions:

  1. Does the usage of this device fall under the classification of "ordinary course of its business," given that it is not providing email service, but internet service?
  2. If not, does such action constitute illegal wiretap, or is there some other law or regulation that makes such action legal?
Improve this question
3
  • The terms of service is a legal contract that you consented to when you purchased their service. If the agreement contains language that allows them to do this, then that contract supersedes the law (unless there is a law that forbids such terms in contracts). In other words, if you agreed to it, it's not breaking the law.
    – Wes Sayeed
    Commented May 11, 2018 at 19:36
  • Any update? Did my answer help?
    – user1521620
    Commented Dec 26, 2021 at 9:29
  • 1
    @WHO'sNoToOldRx4CovidIsMurder To be honest, I didn't press them too much on the issue once I identified and implemented a workaround.
    – Tyzoid
    Commented Dec 29, 2021 at 22:21

2 Answers 2

Reset to default
2
+50

The hosting provider could indeed argue that disabling encryption of your SMTP to protect their network does fall under the category of "being used...in the ordinary course of its business". They are also "the provider of electronic communication", both of which give them a huge argument of immunity granted by section 5(a)(2).

  1. other than— (a)(ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties;

It would be on you to prove that deencrypting your data in this way is not ordinary in the course of its business. This of course would likely be very difficult, though not impossible depending on how its argued.

If your contract does state that "they are not to access the server or data contained within without a work authorization or valid legal request", then you could argue that they are indeed technically breaking the contract. Intercepting your SMTP emails and deencrypting them is "accessing" data contained on the server. If they are intercepting this data, then they could easily be recording it and there is likely no way for either party to prove whether its being recorded or not.

As a result, it does seem like you could win for breach of contract. Proving wiretapping could be incredibly difficult on your end without a great legal argument. You would have to be able to show that changing your SMTP data in this way is not an ordinary practice in their business. Their initial argument would probably be that data leaving their servers is deencrypted because they want to make sure that they aren't liable for sending out illegal data, or data that could harm their business such as bulk spam emails that could cause their IP address to get banned by email providers. If that's their defense, it would be on you to prove why this deencryption method of theirs is not "ordinary".

I think your best argument is the breaking of the contract. As they are indeed accessing your data through interception and deencryption. Their perception of this clause is probably that they won't login to your servers and read your files, code and software. It's considered normal practice for hosting providers and telecommunications companies to be able to read all outbound traffic that is leaving their servers. For them to be deencrypting your code, they either figured out how to crack your encryption on their own, or they accessed your servers and are deencrypting it before its sent out through their internet service, or they stole the encryption keys from your server and are deencrypting it that way. How they are successfully able to deencrypt your data could play a large role in this case, as it may be difficult to prove wrongdoing by simply reading the data sent from their servers to requests by web clients.

If you really wanted to go after wiretapping or another class under Federal law, you would have to prove that deencryption of your code is code breaking/hacking/code cracking. And that it's perfectly normal for tech companies to send encrypted data over their network (which it is). Deencryption of your data could possibly be considered illegal under various hacking laws, if you felt that you wanted to build your case around that.

To summarize my thoughts:

As far as wiretapping, the hosting provider will likely be found allowed to read data that it sends from it servers as an ordinary practice of its business. This includes encrypted data.

Changing the data to a deencrypted state could be classified as hacking/code cracking. They are also modifying your data, and infringing on your rights as sending encrypted data is standard practice for websites, apps, and software companies.

Improve this answer
0

I think what they've done is illegal, but not by the law you've quoted or referred to.

Relevant are the laws broken in performing the illegal, warrantless wiretapping AT&T and other major providers nearly went bankrupt for performing at the NSA's behest. (source; more specifics below.)

The telecoms only survived because Congress voted to retroactively make AT&T et. al. immune from prosecution for the violations. What laws were broken? As Wikipedia notes, with 3 sources, "Detroit District Court judge Anna Diggs Taylor ruled on August 17, 2006 that the program was illegal under FISA as well as unconstitutional under the First and Fourth amendments of the Constitution." It also notes that "The Supreme Court held in Katz v. United States (1967), that the monitoring and recording of private conversations within the United States constitutes a "search" for Fourth Amendment purposes, and therefore require a warrant."

Now on to research as to whether that law (which Obama voted for just before becoming president) made future performance of the wiretapping legal, or just past performance. Looking into the bill, which is covered in Wikipedia, I see that it only makes wiretapping legal when ordered by the government. Wikipedia also notes there, "the Wiretap Act prohibits any person from illegally intercepting, disclosing, using, or divulging phone calls or electronic communications; this is punishable with a fine or up to five years in prison, or both.", referring to 18 U.S. Code § 2511 - "Interception and disclosure of wire, oral, or electronic communications prohibited." (viewable here). It appears to make victims entitled to $500 per violation.

Also, importantly, I can suggest a solution. I use a provider and have verified that the bulk of the email I send and receive IS encrypted - it DOES travel over encrypted SMTP. (I've confirmed that only if the other end doesn't support it, is there no encryption.) You can send mail to this provider using an encrypted SMTP protocol, but over ANY port, and your provider can't block every port. FastMail.com

So, to summarize, I see violations of the 1st and 4th Amendments, and the Wiretap act that aren't permitted by FISA.

On the other hand: YMMV. Preventing unrestricted use of SMTP is a common practice of hosts. Somehow, they've been getting away with it. Their argument certainly is reasonable; every legitimate host has spam countermeasures. But so is the counterargument, and less invasive countermeasures are possible, for example, the provider could set a quota on the number of TCP connections made over port 25 per time period. What does your contract say about spam, and preventing it? And does it have an arbitration clause? I doubt these answers would change the legality much because in many cases, courts rule that contracts can't make illegal behavior legal; IANAL; that's one of the points of law I don't know - when it is and isn't possible to sign away one's fundamental rights.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .