The Electronic Privacy Information Center has a lot of good information on U.S. v. Councilman
January, 1998, directed his employees at an ISP to begin intercepting email between his customers and Amazon. From U.S. v Councilman(June 2004):
According to the Indictment, on or about January 1998, defendant directed Interloc employees to write computer code to intercept and copy all incoming communications from Amazon.com to subscriber dealers.
March and April 1998. From Councilman v. Alibris et al:
The first charged incident occurred in March of 1998 when Warchut, then employed by Interloc, obtained unauthorized access to password-protected data in the computer system of an entity known as Studio 32. Studio 32 is a software development company that was hired by Interloc to design its website and servers. The plaintiff claims Warchut lied to him by saying he gained access to Studio 32's confidential data legally. Relying on this false representation, the plaintiff instructed Warchut to gain access again to Studio 32's confidential data. Studio 32 uncovered the March 1998 invasion of its system and reported the incident to authorities.
The second charged incident occurred in April of 1998 when Warchut, with the assistance of Krotkov, obtained unauthorized access into the computers of an entity called Shaysnet. This incident resulted in the destruction of files and the theft of a Shaysnet password file. David Leonard, the director of Shaysnet, notified the Massachusetts State Police about the intrusion on April 10, 1998 and authorities began investigating immediately thereafter.
Someone got wind of this activity at Councilman's company.
In July, 2001, a grand jury returned a two count indictment. The case is known as United States v. Councilman. Councilman doesn't dispute the facts, but argues the law doesn't apply and that he didn't direct anyone to violate the law.
In June, 2004, The District Court finds that the Wiretap Act didn't protect email in storage and that the prosecutor didn't charge a violation of the ECPA, and so finds Councilman not guilty on that technicality.
The case is appealed, and the decision of the appeals court is written in August 2005.
Whitfield Diffie, Edward W. Felten, John R. Levine, Peter G. Neumann, and Bruce Schneier filed an amici curiae in Appeal.
The U.S. Court of Appeals for the 1st Circuit writes: (U.S. v. Councilman, 418 F.3d 67 (Fed. 1st Cir., 2005)
Looks like it applies to ISPs. Read further:We conclude that Councilman's interpretation of the Wiretap Act is inconsistent with Congress's intent.
We then turn to whether Councilman had fair warning that the Act would be construed to cover his alleged conduct in a criminal case, and whether the rule of lenity or other principles require us to construe the Act in his favor. We find no basis to apply any of the fair warning doctrines.
What this means is that there is no reasonable belief that these laws don't apply to ISPs. The Appeals Court goes on:
It is indisputable that the Wiretap Act's narrower service provider exception would not protect Councilman. His alleged conduct was clearly not "a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service."
It seems that Levine and Bellovin were also wrong in a big way. As the court says, it is indisputable. But Levine and Bellovin dispute it. Is their dispute honest? I don't think so. The court also notes that the good faith defense is a "fact-based affirmative defense", and not "a basis for dismissing an indictment on legal grounds". One must do more than simply assert "good faith", one must actually demonstrate good faith. Acting in obvious bad faith, and then merely claiming "good faith" is insufficient. One must prove good faith.
In 2007, it is reported that Councilman is found not guilty because it was not proved that he directed Warchut and Krotkov to conduct the illegal acts. Levine has a interesting blog entry that misrepresents the court's 2007 findings. Levine writes:
2007 update: In February 2007, Councilman was acquitted of all charges. According to an AP wire service report, the case against him was based on claims by two Interloc employees that he had instructed them to keep copies of the mail. Councilman denied it, a detail that none of the 2005 reports picked up, and in 2007 a Massachusetts jury agreed that the employees' claims were not credible, and Councilman had not told them to do it.
This decision is not yet available electronically. However, some light into the issue is given in Councilman v. Alibris (2005):
Alibris only became aware of the criminal investigation on or about June 8, 1998, a few weeks after the merger with Interloc. In late July, Alibris management requested and received the plaintiff's resignation from the Board of Directors; the company terminated his employment on October 21, 1999. Alibris pled guilty to charges relating to the illegal interception of e-mails and paid a $250,000 fine. On May 31, 2000, Warchut pled guilty to one count of conspiracy to violate laws prohibiting interception of electronic messages and was sentenced to two years probation and fined $2,100.
This case is a very interesting read. Essentially, after being charged with a crime, Councilman sued Alibris and its system administrators (Warchut and Krotkov) for making false statements implicating him in the crime. This suit was dismissed on the grounds that Michael Warchut and Peter Krotkov's statements to the investigators were privileged. Interestingly, Krotkov was only employed by Interloc for one week before Interloc was purchased by Alibris, and there seems little motive for Krotkov to lie to investigators.
John Levine is going around saying that the 2007 decision means this case is bogus. Indeed, it is not 'bogus'. Crimes were commited, and some plead guilty and paid large fines. Unquestionably, the Wiretap Act and the Electronic Communication Privacy Act applies to ISPs, just as Anderson pointed out on Nanog in 1998.