John Levine has a long and respectable career. Levine has been the chair of the IRTF Anti-Spam Research Group (ASRG) since late 2003. Levine has a Ph.D and is an educated person. He also posts frequently on Nanog, and has served as an expert witness in anti-spam cases. He consults on Internet and email topics and is a board member of CAUCE (The Coalition Against Unsolicited Commercial Email).
Levine serves on the board of Directors of a Commerical Bulk Emailing (known as CBE, UCE, or Spam) company called Whitehat.com. Whitehat.com is affilliated with a bulk Postal Mail company called American Computer Group (ACG) and Centergate Research Group (CRG). All three (Whitehat.com, ACG, CRG) were founded by Rodney Joffe. Paul Vixie and Ray Everett-Church also serve on the Board of Directors of Whitehat.com. Similarly, Sanford Wallace's (of Cyberpromo) also sold a spam filter known as "eFilter" to block spam. Like Wallace, they create the problem (sending spam), sell the solution (blackhole), and disrupt their competitors' business via the blackhole.
Levine is head of the IRTF Anti-Spam Research Group, and a board member of a Bulk Commercial Emailer. There is more than just the element of "strange bedfellows" to that relationship.
Paul Vixie stated in 1998, that "There will be a day when folks will need to pay to transit email." That day will make those who collect those fees very wealthy indeed. One needs only look at anti-spammers' business interests to find that they are working on methods to collect these fees. Levine is on the Advisory Board of a company called Habeas, Inc which is working to provide email accreditation services. He doesn't say whether he is an investor. "Email Accreditation" is just a way charge fees to genuine commercial bulk emailers. Note that CAN-SPAM-compliant commercial bulk emailers send only solicited email. But to charge everyone, as Vixie and others want, they need to be able to block even solicited non-spam email. This is why they don't like the ECPA. The ECPA prevents the blocking of email without authorization, and so stands as an obstacle to blocking solicited non-spam email, and solicited commercial bulk email.
Quite plainly, one can give authorization to block whatever, and many people often do give authorization to block spam. Such authorized blocking doesn't violate the Wiretap Act or the ECPA because it is authorized. Anti-spammers often distort opposing views by asserting that such views mean you can't block spam. This isn't true. The ECPA only prevents one from blocking legitimate email.
What Spammer-'Anti-spammers' want to do is be able to block any email they wish, for any reason they wish, thereby allowing them to charge for the privilege of sending non-spam email, as Mr. Vixie described. This also allows them to exort "list washing" services from genuine commercial bulk emailers. See Memoranda in Exactis v. MAPS.
Spammer-'Anti-spammers' (commercial bulk emailers who also operate anti-spam blacklists) very much hate the CAN-SPAM Act, since it enables one to distinguish abuse such as mailbombs and joe-jobs from genuine commercial bulk email. The combination of the CAN-SPAM Act, The Sherman Anti-Trust Act, Extortion statutes, and the ECPA prevent these groups from using blacklists to disrupt the competition.
Anti-spammers don't like privacy domains like .bz because it is difficult to extort "list washing" services from a company one can't communicate with. The case involving Jaynes predates the CAN-SPAM Act, which now requires the bulk mailer to identify themselves with a postal address. The CAN-SPAM Act also supercedes state laws including the Virginia statute under which Jaynes is charged, assuming Jaynes were not guilty of other wrongdoing such as fraud and false advertising. The Jaynes case reveals the key to the legitimate side of email issues: It doesn't matter how one conducts fraud or false advertising. Its the fact of fraud and false advertising that prompts legitimate concerns. By contrast, legitimate business activities not involving fraud and false advertising, in compliance with CAN-SPAM aren't a problem to anyone.
In 1998 (as documented below), Levine asserts that the ECPA doesn't apply to ISPs and that the notion is "ridiculous". Levine keeps quiet while people are threatened with physical violence for reasonably and rationally (and correctly) asserting the contrary. In 2004, Levine changes his tune on the Wiretap and Electronic Communication Privacy Acts and signs an amicus brief with other technical experts in U.S. v. Councilman(2005). The brief asserts that the ECPA does apply to ISPs. No apology is given to anyone, nor any public correction on Nanog or any other list. It is beyond reasonable to assert, as Levine and Bellovin and others on the Nanog list, that these laws apply only to phone companies. Levine's claims were at least intellectually dishonest. It is beyond civil behavior to demonize people for their (vindicated) views, and to incite threats of violence, and then to stand by idly while these events transpired. Levine should apologize to the people who were threatened, abused, and in some cases silenced for their reasonable and rational (and correct!) views on the law.
Is this vindictive? "Vindicate" and "Vindictive" are words with the same base. Levine hasn't ever said "I was wrong", but rather continues to pretend he was right and others were wrong. Levine continues to encourage that view and allow those persons to be demonized and threatened. Setting the record straight is not vindictive when the other party is actively distorting the record.
December 27, 1996 Michael Dillon notes that this behavior was illegal. (emphasis added)
"You and your users should lay charges against AOL. They were in violation of the ECPA which forbids them from deleting email like that the same way the laws forbid a postal carrier from burning letters they don't want to deliver.
"And if anyone else is thinking of taking similar action to block email, make sure you either filter port 25 in the router or you bounce back all the email so that the sending party knows the mail is not going to be delivered. Once you accept an email message you have a legal obligation to deliver it to the addressee. "
December 27, 1996 Paul Vixie acknowledges that Dillon states the letter and intent of ECPA. (Emphasis added)
"I agree that this is the letter, and the intent, of the ECPA. However, as a matter of enforceable practice, none of the above matters. [...]
"The law will not hold you to a higher standard than "reasonable best effort". [...]
"Wow, a network discussion on NANOG that is actually north american in nature. "
Actually, the ECPA and Wiretap Acts require authorization, and acts that are 'necessary incident to the rendition of service'. Intentionally "accidentally on purpose" dropping packets of non-spam email isn't authorized, and isn't necessary to rendition of services. Quite plainly, intentionally blocking packets is not a "reasonable best effort", even if that were the standard (it's not).
January 21, 1998 Dean Anderson reports on Nanog that blocking packets without authorization violates the Wiretap Act. Anderson presentation is supported by facts and citations.
January 22, 1998 John
Levine says that ECPA and Wiretap Act don't apply to ISPs
Levine changes the subject to "re: ridiculous misreadings of laws".
"If anyone still cares, 18 USC 2510 defines the term, and it means a phone company, not an ISP. Enough already."
Levine's claim was dishonest.
January 22, 1998 Jeremy Porter threatens Anderson on the "ridiculous misreadings of laws" thread:
"Maybe with any luck he'll show up at the next nanog meeting and be suprised in a dark alley. I tend to find spammers and spam supporteds to be of such low moral character that they don't have they courage to stand up supporting it in public. "
Susan Harris (Nanog list administrator) does nothing.
January 23, 1998 Jay Ashworth objects to the threats. Ashworth is always civil in disagreements, and wants to understand the opposing view, rather than belittle it, in contrast with many on Nanog.
Susan Harris eventually does something: She bans Ashworth. Jeremy Porter remains a frequent poster as of January 2006. There is a clear message.
Also in January, 1998, someone at Interloc/Alibris directed their system administrators to begin intercepting email between his customers and Amazon. There is more information on this case. Here is a short summary:
Someone got wind of this activity at Councilman's company.
In July, 2001, a grand jury returned a two count indictment. The case is known as United States v. Councilman. Councilman doesn't dispute the facts, but argues the law doesn't apply.
The District Court finds that the Wiretap Act didn't protect email in storage and that the prosecutor didn't charge a violation of the ECPA, and so finds Councilman not guilty on that technicality.
The case is appealed, and the decision of the appeals court is written in August 2005.
Whitfield Diffie, Edward W. Felten, John R. Levine, Peter G. Neumann, and Bruce Schneier filed an amici curiae in this case.
The U.S. Court of Appeals for the 1st Circuit writes: (emphasis added)
"We conclude that Councilman's interpretation of the Wiretap Act is inconsistent with Congress's intent. We then turn to whether Councilman had fair warning that the Act would be construed to cover his alleged conduct in a criminal case, and whether the rule of lenity or other principles require us to construe the Act in his favor. We find no basis to apply any of the fair warning doctrines."
Councilman's interpretation was essentially that the ECPA and Wiretap Act doesn't apply to ISPs. "Fair warning" is a set of legal doctrines that essentially disable a confusing law if one reasonably couldn't understand what was covered. Ignorance is not a defense.
The Court goes on: (emphasis added)
"It is indisputable that the Wiretap Act's narrower service provider exception would not protect Councilman. His alleged conduct was clearly not "a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service."
It seems that Levine was wrong in a big way. As the court says, it is indisputable. But Levine disputes it. I assert that dispute is dishonest. The court also notes that the good faith defense is a "fact-based affirmative defense", and not "a basis for dismissing an indictment on legal grounds". One must do more than simply assert "good faith", one must actually demonstrate good faith. Acting in obvious bad faith, and then merely claiming "good faith" is insufficient. One must prove good faith.
Levine has a interesting blog entry that misrepresents the court's findings. Levine's claims are disputed here
It is notable that Levine now says in his blog entry (2005): (emphasis added)
"Councilman's argument was that at the time that procmail acted on a message, it was in storage, not in transit, and since the electronic communications part of the law doesn't say anything about stored communications, it doesn't apply to them, even though they were only stored for a few milliseconds. This is a clever legal argument, but it would be a disaster for privacy since it would in effect wipe out the ECPA. Every bit of traffic on the Internet is processed by store-and-forward, and it's all stored briefly as it's relayed on its way. Routers store packets before sending them along, so under this theory, one could snoop on packets by doing the snooping in routers. Mail servers store messages, so any snooping in a mail server would be fair game. These happen as well to be the places where it's easiest to snoop, so it'd be open season on net traffic."
Hmm. This is quite a change from what Levine said in 1998 on the Nanog List. I wonder when this great revelation came to him, and why he hasn't apologized to the people he misled and to the people demonized and threatened as a result..
Levine is now saying (2007), that this case is bogus. Indeed, the case is not 'bogus'. It was just not proven beyond a reasonable doubt that Mr. Councilman instructed the system administrators to commit the crimes. However, crimes were commited, and some plead guilty and paid large fines. Unquestionably, the Wiretap Act and the Electronic Communication Privacy Act applies to ISPs, just as Anderson and others pointed out on Nanog in 1998. Anderson was dishonestly silenced from the Nanog list for pointing this true fact, and other facts out.
According to Levine's own account of his testimony in Virginia v. Jeremy Jaynes et al, Levine testified as follows:
"The HELO domains his mail hosts used were obvious forgeries, several being in .bz which I explained was Belize, a nice place to visit but an unlikely place to run an ISP."
This is false statement with false inferences. Persons use the .bz domain because the registry offers privacy for the registrants. Radical Anti-spammers have a habit of threatening with physical violence anyone who disagrees with them. One needs only review the Cyberpromo FAQ to find the solicitation of violence against Sanford Wallace, including Wallace's home address. The FAQ, apparently written by an AOL employee, discusses HackerX, who compromised Cyberpromo's computers, and suggests that people who commit crimes against spammers won't be prosecuted. It is therefore reasoanble for commercial bulk emailers to have domains that hide their home addresses and other sensitive information.
Dean Anderson has also been subject to threats of violence in several cases and Anderson does not even engage in sending commercial bulk email, nor does Anderson host spammers, nor permit spam. Anderson merely disagrees with the claims and methods pursued by Radical Anti-spammers. Anderson has merely advocated a high ethical standard of conforming to the law.
It is understandable that any commercial bulk emailer may want to hide their name and address from such Radical and violent people. In contrast with Levine's misleading statement, one does not need to go to Belize to have a .bz domain name. Radical Anti-spammers also try sometimes to hide their identities, and are fond of the .nu domain (Island of Niue). The .bz domain is actually hosted in Toronto, Canada. The .nu domain is hosted in Medfield, Massachussetts. Using such a domain does not imply "obvious forgeries". This testimony by Levine is false and misleading.
Levine goes on:
"Then the prosecutor asked whether it was likely that mail sent to all of AOL’s addresses was legitimate. “Only if it was AOL who sent it.” "
This is not the only case; there are other cases: AOL may have sold its email address database. Indeed, AOL charges for the privilege of advertising to its members; AOL is not against the sending of unsolicited commercial bulk email, but only against itself not getting paid by the bulk emailer to send the unsolicited bulk email. AOL's interest is purely financial: AOL just wants to have a profitable monopoly control over the unsolicited commercial bulk email sent to its subscribers. The use of 'all of AOL's addresses' by a commercial bulk emailer to send unsolicted bulk email is not, by itself, a universally illegitimate act. Though we note that other evidence was entered that indicated that Jaynes purchased the address database from an AOL employee who had stolen it. Levine's testimony is false and misleading.
Jaynes' operation may in fact be involved in fraudulent schemes and false advertising. However, Levine's claims that there is evidence of forgery doesn't stand up. Levine's testimony contains false and misleading claims that go well beyond any standard of reasonable opinion.
Levine claims that unconfirmed unsubscriptions have never been a problem. (emphasis added)
"I've been running discussion lists for close to two decades, none of which require confirmation to unsub, and this hypothetical problem has never, ever, happened. Indeed, I can't remember any maliciously forged unsubs at all. What does happen is that an ISP screws up and bounces a bunch of mail by mistake (like Earthlink did last week) which makes people bounce off the list, so I have to go put them back on when the ISP fixes the problem."
See Dan Bernstein's page on Namedroppers Mismanagement. Levine is a participant on the Namedropper's list, and knows of this kind of abuse. Levine knows that unconfirmed unsubscription abuse has happened and that it is not a "hypothetical problem [that] has never, ever, happened". This statement by Levine is misleading.