[Politech] Three dozen things Liz Figueroa's anti-Google bill would break [priv]

From: Declan McCullagh (declan@private)
Date: Tue Apr 27 2004 - 09:32:39 PDT

  • Next message: Declan McCullagh: "[Politech] Robert Gellman's defense of HIPAA medical regulations [priv]"

    -------- Original Message --------
    Subject: Re: [Politech] Four examples of what Liz Figueroa's anti-Google 
    bill would do [priv]
    Date: Fri, 23 Apr 2004 14:15:48 -0400
    From: Dan Geer <geer@private>
    To: Declan McCullagh <declan@private>
    CC: dan@private
    A prediction: Just as in the 1990s the COTS sector
    caught up with the military sector in applications
    of cryptography this decade will see the self-same
    overtaking but this time of traffic analysis.  You
    do not need to examine content if you can deploy
    enough sensors and make sense of their findings.
    -------- Original Message --------
    Subject: Re: [Politech] What would Liz Figueroa's anti-Google bill 
    really do? [priv]
    Date: Fri, 23 Apr 2004 12:10:15 -0700
    From: James Ausman <ausman@private>
    To: Declan McCullagh <declan@private>
    CC: ausman@private
     >Is there anything I'm missing?
    As it looks now, it would prohibit companies from using things like
    CRM mail systems to manage their workflow. I can imagine a way
    to obtain consent for scanning, but it would be cumbersome and
    a pain for consumers.
    Jim Ausman
    -------- Original Message --------
    Subject: Three dozen things Liz Figueroa's anti-Google bill would break
    Date: Sat, 24 Apr 2004 14:48:43 -0700
    From: Bill Stewart <bill.stewart@private>
    To: Declan McCullagh <declan@private>
    At 06:31 AM 4/23/2004, Declan McCullagh wrote:
    >Figueroa's office admitted the bill would make it illegal for a California 
    >company to offer a "family friendly" email service that filtered dirty 
    >jokes into their own folder, for instance. It would also prohibit 
    >reviewing incoming messages to make clickable hyperlinks out of text 
    >phrases like "www.mccullagh.org." It might ban the practice of discarding 
    >messages with attachments beyond a certain size limit.
    >Is there anything I'm missing?
    Oh, you're probably missing lots of things; certainly Figueroa is :-)
    The law is really terribly broken, as most knee-jerk implementations of
    good intentions are.  I really hope she doesn't mind making
    Yahoo and Hotmail's basic services illegal while she's "fixing" Google's
    new ones.
    For instance, you're missing any automated processing that
    you'd like to have an email provider do for you that you would have
    otherwise had to do on your own mail system on your own computer,
    and any mail services that handle different messages differently,
    even simple things like web-based mail readers that display
    different kinds of messages differently.
    Here are a couple dozen services the law bans that don't involve
    advertising privacy issues; you should be able to think of more.
    - Autoresponders that thank senders for their email about __x__
             Most politicians' email addresses do this,
             and most ISP technical support and complaint email addresses do 
    - Vacationmail responders that say you're not in the office right now,
             especially the smart responders that don't reply to mailing lists.
    - Closed-account responders that say your new email address is __x___
             - the law might even be interpreted to say that SMTP can't
             reject email that was sent to a non-existent account.
    - Autoresponders that notify the sender that the email system does
             automated processing and that their email cannot legally be 
             because the sender is not a subscriber to the service.
    - Autoresponders that inform the sender that if they'd _like_ to
             subscribe to the service and give up lots of private information
             in return for being allowed to send mail to its subscribers,
    here's how.
    - Autoresponders that tell the sender that they can
             complain to
    +1-916-445-6671 about this invasion of privacy.
    - Mail servers that forward high priority messages to your pager
             or to another email account or to your cellphone's email gateway
    - Mailing list managers that accept subscribe/unsubscribe requests by mail.
             This is especially bad, because that's an application
             that you really want to run at an ISP instead of your home PC
             for reliability reasons.
    - Mailing list archivers that make your mailing list list available on 
    the web
    - Email-to-usenet gateways, email-to-ftp gateways (remember those?)
    - Email gateways to cellphone text message services,
             which usually delete all the mail headers and
             turn html and Microsoft formatting into simple text
             so you can read the mail on your phone
    - Automatically sorting email into folders based on content,
             such as putting different mailing lists into different folders
             so you can read it more easily.
    - Saving attachments into specific folders, such as a web photo service
             that lets you send it pictures by email.
    - Automatically downloading URLs for images from a web photo service
             (this arguably involves third-party privacy,
             depending on whether the URL indicates the recipient's info or not,
             but there's no way for the recipient's ISP to know that,
             and it's the recipient's ISP who's being banned here.)
    - Web mail readers that mark high priority messages,
             or let you use different colors for different kinds of mail.
             The recipient may want this, but you can't do this with
             email sent by non-subscribers.  Even your friends or employer.
    - Web mail readers that sort your mail by Subject: instead of date
    - Web mail readers that show the date in your time zone instead of the 
    - Web mail readers that don't show you the boring email headers
             (like Received: or User-Agent: Mozilla Thunderbird 0.5
             just the interesting ones like From: and Subject:
    - Web mail readers that translate different email message formats
             (like Microsoft RTF or Microsoft Word attachments)
             and display them in a form you can read on the web.
    - Text mail readers that output your message in a simpler form that
             text-to-speech readers for blind people can use.
    - Text-to-speech mail readers that also do the audio on the mail server.
             This is not only useful for blind people, but it also
             enables services like calling up your email by phone.
    - Secure Mail services that automatically decrypt your incoming mail if
    they can
    - Secure mail services that automatically encrypt your incoming mail if
    they can
    - Email services that charge by volume of mail that you've received,
             or don't let you receive mail or attachments if you're over quota.
             The law's broadly ambiguous about what "otherwise evaluate" means.
    - Web mail services that automatically maintain address books for you,
             so you can send mail to "Figueroa" instead of typing
    - Instant messaging systems that accept IMs from other providers
             and not just their own subscribers, because those almost always
             have to translate the format.  This is an important
             openness issue in the industry, and the law appears to forbid it.
    - Instant-messaging-to-email gateways (both directions)
    - Calendar systems that let you email appointments to them, if run by an ISP
    - Calendar systems that accept Instant Messages for appointments
             and run on open IM systems
    - Calendar systems that send Instant Message reminders, if they're on open
    IM systems
    - Address-book services like Plaxo which let you send email updates
             to tell their customers that you've moved.
    It's also not clear to me from a first reading of the law
    whether email to the ISP itself, as opposed to email to one of its 
    is also covered by the law - can their sales@private address
    deliver the mail to the right sales person based on sender or contents?
    If one of their employees is out of the office, can their mail system
    send an "I'm out of the office" message back?
    You can't just fix the law by saying "ok, it can do automated processing
    as long as it doesn't involve third parties."  Here are a few examples:
    - Forwarding your email to other ISPs / pagers / cellphones
    - Online polling and political survey services that accept email and
             summarize it for the customer.
    - Web mail readers that use third party services for special processing,
             like translation from English to Spanish or Korean to English
    - Mailing list archives that can be read by non-subscribers.
             For instance, the http://www.politechbot.com archives
             let me read your postings, even though I'm not a subscriber,
             and they let Google's web servers see it.
             Many Yahoogroups mailing lists allow non-subscribers to read them;
             many others don't, and many let you read messages but not
             download files or photos.
    - Web mail readers that automatically download images from URLs,
             which might be online greeting cards, or photos from
             photo sharing services, or annoying spam.
    I haven't even gotten to the usual jurisdictional issues that apply
    when people try to make local laws about the whole internet.
    I'm assuming that California wouldn't try to apply this to
    email or IM companies running outside of California
    just because some subscribers might live in California.
    They might try to impose the rules on companies that have
    non-California-based email systems and also have California presence -
    if Google runs GMAIL from one of their other locations, are they in 
    It's realistically too much trouble for a company to run an
    email server in California that doesn't accept customers from California.
    One problem with the Internet hosting business is that you don't
    always know where your suppliers are unless you do lots of
    due diligence work - cheap web hosting companies often have
    servers in different places, and they'll put your account on
    whatever server has space, and the backup will be on another
    random server, and move servers around if they buy more space,
    so if you're a small company developing interesting
    email processing services, you really might not know
    whether your server's in California this month.
    (I think one of my favorite Australian-run ISPs is currently in New York,
    and another one run by a guy in India seems to be outsourced to a server in
    and both of them have moved since I started using them -
    if I set my vacation-mailer on those accounts, does that make me or them
    the criminal?)
    Bill Stewart  bill.stewart@private
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)

    This archive was generated by hypermail 2b30 : Tue Apr 27 2004 - 10:48:11 PDT