| 25 new of 116 responses total. |
russ
|
|
response 2 of 116:
|
Sep 14 22:21 UTC 2003 |
I suggest that Grex staff place a notice in the MOTD that Grex
has never turned any user's records over to LE pursuant to the
USA PATRIOT act. If it ever happens that Grex is required to
do so, the staffer involved could remove the notice without
violating the terms of the law (no user would be identified,
after all). It's far more likely that CALEA would be used
instead of USA-PATRIOT anyway.
|
other
|
|
response 3 of 116:
|
Sep 14 22:39 UTC 2003 |
I like it.
|
mary
|
|
response 4 of 116:
|
Sep 14 23:34 UTC 2003 |
I guess if we were approached under any of the new rulings I'd like
to see us get some advice on the legality of the search or
investigation before being helpful. If it were me, I'd contact the
ACLU staff and ask if they'd care to offer advice or recommend
someone who might help us out. I know they are heavily involved in
fighting this legislation.
It's my understanding that even seeking their advice would make us
punishable under the law. Is that true? Should that matter in
terms of our course of action?
The reason I'd like to discuss what we *might* do is we won't be
able to talk about it if it happens. Would the users want us to
take a position that might be seen as non-compliant even if that
means the system could be seized? Would they be understanding of
those involved if staff simply complied with all requests and
didn't say a word to anyone? Should we do the right thing or the
safe thing?
|
gelinas
|
|
response 5 of 116:
|
Sep 15 00:42 UTC 2003 |
Hmm.... I'm inclined to do the right thing. In most cases, the only way to
get the Supreme Court to review a law is to appeal a conviction.
|
other
|
|
response 6 of 116:
|
Sep 15 00:49 UTC 2003 |
I'm also inclined to do the right thing, and I believe that the ACLU
would happily back us on it. I don't think that we could be subject to
prosecution for consulting an attorney about our rights and obligations
under the law if presented with an order to provide information.
If in doubt, we could simply require proof that the person presenting the
order is actually a law enforcement official and that the order pertains
to a current investigation, and during the delay before that proof is
provided, we could make the attorney contact. After all, we would only
be fulfilling our obligations to National Security to be absolutely
certain that any information we provide is actually going to Law
Enforcement and not some terrorist posing as same in order to subvert the
system.
|
aruba
|
|
response 7 of 116:
|
Sep 15 02:48 UTC 2003 |
Could someone (Mary?) give a primer on what kinds of requests we might
receive, and what the secrecy requirements seem to be?
|
sholmes
|
|
response 8 of 116:
|
Sep 15 03:12 UTC 2003 |
What kind of information are we talking about? A user's personal files?
or say things like party logs? (which is public viewable anyway, but does
that mean we have to be careful of what we say in party?)
|
other
|
|
response 9 of 116:
|
Sep 15 03:56 UTC 2003 |
Re: #7
The only thing that IS clear is that the Patriot Act forbids
revealing to a person whose records have been ordered turned over that
such an order has been given, received or acted upon. Presumably, just
based on the scattered information we do have, the information to be
provided could conceivably be anything at all to which we have access (as
root). Anyone who has actually read the full text of the act, or
consulted with an attorney regarding its impacts, please correct me as
necessary.
|
gelinas
|
|
response 10 of 116:
|
Sep 15 04:12 UTC 2003 |
I've read bits and pieces of the act, but what's really interesting are the
implementing regulations. I've been trying to read through the one jointly
issued by Treasury, the SEC and a few others on limiting money-laundering.
|
scg
|
|
response 11 of 116:
|
Sep 15 06:55 UTC 2003 |
You can always talk to your lawyer about what the law requires you to do in
a specific case. The lawyer may not be able to talk about it with anybody
else.
I'd strongly suggest not going to the ACLU for legal advice. The ACLU is a
wonderful organization, but they have a pretty set agenda. If you've decided
to take a legal stand on something and at that point the ACLU is willing to
provide representation, that's great. But Grex needs its own non-ACLU legal
counsel to first define what the legal obligations are.
The way this is supposed to work at companies that get these requests on a
regular basis is that they have a lawyer (or legal department) who has already
agreed to review this sort of request. Any request from law enforcement goes
straight to the lawyer, who says yes or no to the request and decides what
information will be given to who. This is important, as the law enforcement
people often aren't willing to wait for a decision, and the legal consequences
of saying no to a proper request *or* yes to an improper request can be quite
bad.
Really, the only question anybody should be asking at this point in this
discussion is who the good lawyers are in Ann Arbor for dealing with wiretap
law, who might be willing to do some pro-bono work.
|
mary
|
|
response 12 of 116:
|
Sep 15 11:02 UTC 2003 |
Re: #7: Here is a URL for the text of the act and a nice summary of
the reasons for concern. In terms of what we might be asked to
hand over? I suspect it could be just about anything on someone
they are interested in knowing more about, all done with extreme
secrecy and lack of oversight.
http://www.aclu.org/SafeandFree/SafeandFree.cfm?ID=12126&c=207
|
asddsa
|
|
response 13 of 116:
|
Sep 15 15:36 UTC 2003 |
Why not move GreX to Canada, where both the patriot act and DMCA don't
matter?
|
dah
|
|
response 14 of 116:
|
Sep 15 18:29 UTC 2003 |
Wrong.
|
other
|
|
response 15 of 116:
|
Sep 15 22:47 UTC 2003 |
There is a major distinction to be made here, by the way, between the
ideals expressed by some of the board and staff about how to justly
respond to a Patriot Act order, and the kind of response our obligations
to Grex might determine. It is easy to imagine that this would be a very
difficult line to draw, but an extremely important one as well.
|
mary
|
|
response 16 of 116:
|
Sep 15 23:29 UTC 2003 |
Exactly. Which is why I was asking for feedback from the
users.
How to respond would need to be a judgement call on the part
of those involved. But I'd sure like to know how the users
at large would feel about Grex taking some chances with our
response.
|
gull
|
|
response 17 of 116:
|
Sep 15 23:31 UTC 2003 |
I think it's more likely we'd be presented with a self-serve DMCA
subpoena than a PATRIOT Act information request, though either is
possible. While we're on the subject we might want to decide what we'd
do if the RIAA filed a subpoena for user information.
|
mary
|
|
response 18 of 116:
|
Sep 15 23:38 UTC 2003 |
In a nutshell, what are the differences between those
three entities?
|
other
|
|
response 19 of 116:
|
Sep 16 00:04 UTC 2003 |
Umm, without input from the membership, our default course of action
should be to comply with the law as fully as possible in order to minimize
the risk to the uninterrupted operation of Grex.
The only way I could see clear to differing from that course would be if
a majority of the membership voted to put Grex on the block if it came to
it, in a challenge to the law. It would eat away at me to just comply,
and I might resign in order to register my personal opposition to
compliance even though my proper obligation as a board member would be to
comply.
For that matter, do we even have a policy which would cover a scenario in
which a substantial portion of the board simultaneously resigned?
|
russ
|
|
response 20 of 116:
|
Sep 16 01:08 UTC 2003 |
This response has been erased.
|
newjp2
|
|
response 21 of 116:
|
Sep 16 13:54 UTC 2003 |
19: Rewrite the quorum requirement so that it specifies a percentage rather
than an absolute number.
|
cross
|
|
response 22 of 116:
|
Sep 16 20:34 UTC 2003 |
Has law enforcement ever asked grex for any information before at all?
|
mary
|
|
response 23 of 116:
|
Sep 16 21:31 UTC 2003 |
Yes.
|
cross
|
|
response 24 of 116:
|
Sep 16 22:01 UTC 2003 |
Perhaps if we had some more information about that, to the staff members
who were involved can discuss it without violating anyone's privacy, we'd
be in a better position to discuss it, yes yes?
|
scg
|
|
response 25 of 116:
|
Sep 17 01:40 UTC 2003 |
Speaking in the general case, what would usually happen is some law
enforcement person would call (or in a couple memorable cases show up) asking
for information. To my knowledge there have never been court orders involved.
They would generally get sent to STeve Andre, who would give them public
information from the wtmp, newuser information if publicly visible, and so
on. I don't remember ever seeing the contents of a mailbox or private files
handed over, but this may also have happened. I'm not sure.
It turns out giving out even publicly visible information to law enforcement
was illegal pre-Patriot act. I'm not sure what the current status of it is.
It was legal to sell your subscriber information, or post it on the web,
because that wasn't regulated, but it was illegal to give that information
to law enforcement without court orders. Nobody on the Grex staff was aware
of the rather counter-intuitive legal situation when this became common
practice, but I don't think the practice changed after this was pointed out.
I'm not sure how this sort of situation is handled now, since I'm no longer
very involved with staff stuff. I would guess it's rarer, because Grex is
a lot harder to find. While Grex used to list an address where it was
possible to show up and find computers and occasionally people (or at least
scared landlords who would direct law enforcement to people), and used to list
a phone number that got answered, Grex's current whois data points to a PO
box, and my old home phone number that was disconnected more than three years
ago. Given that law enforcement people in active investigations generally
lack the patience to send e-mail and wait for a reply, my guess is that they
probably go to Grex's ISP, which probably has a lawyer who insists on the
proper documentation or court orders before identifying customers. My
experience dealing with this sort of thing in a professional capacity a few
years ago was that asking for legally required procedures to be followed was
almost always sufficient to get the law enforcement people to go away and not
come back.
Really, the above situation in which Grex was giving more information than
was legally permissible to law enforcement is why a lawyer who knows this sort
of law really needs to be involved in setting the policy, and reviewing any
requests that come in to make sure the policy is followed and what Grex does
remains legal. If after consulting with such a lawyer, the only legal policy
to follow seems too burdensome or otherwise unacceptable for Grex to follow
it (either because it requires us to give out too much information, or if
consistent with past Grex practice we're not comfortable withholding
information to the degree required), that should be discussed. But unless
anybody here really understands the current law and can explain it, any
discussion of refusing to follow it is premature.
|
janc
|
|
response 26 of 116:
|
Sep 17 02:28 UTC 2003 |
There haven't been any recent contacts from law enforcement. Steve's memory
of the less recent ones seems to be clearer than mine.
|