Death Threat Woes ---Revisited

Jim Jones jjones at lib.bsu.edu
Mon Nov 3 17:36:36 EST 1997 

Anna wrote:
> 
> All of this is true, but I think the point is that through
> hotmail, rocketmail, etc. the users MUST log into their own
> account first (i.e. identify themselves as the person logging
> in).  From there, if they send "death threats," they are doing
> so through an account they accessed at hotmail, rocketmail, etc.
> 
Actually, that wasn't the point.  There were wonderings about whether or
not a message sent from a hotmail-type of account could be directly tied to a   
computer  (which in turn means a building, or library in this discussion).    
I went ahead
and signed up for a rocketmail account so that I could send myself a message    and analyze the headers.  In the header that I posted, you can clearly see
(if not its pointed out for you) that the IP address of the machine is listed   
from which
I accessed rocketmail and sent the message.

Now to tackle your points.  A person logging into a hotmail account is not
necessarily traceable by the information that they used to get the account in 
the first place.  My name may be Jim Jones, but I can get an account as 
Nancy Drew.  Web-Mail services ask that you to not do this as part of their
Terms of Service agreements, but the only punishment is removal of the offending
account and the reservation of the right to deny present and future access to 
the service.  There exists no authentication process so there exists no direct
tie to one individual or another.  By the way, the sending of threats or      
harassments from such accounts is also prohibited in the ToS.  You note this 
somewhat below.

>
> It is also true that anyone can setup a second, or probably even
> more accounts at these sites (hotmail, rocketmail, etc.), do their
> "dirty deed" (even from a "library" computer) and then "skip-out"
> so to speak.  It's also possible to guess at passwords and borrow a 
> legitimate users' account, and do that "dirty deed" there. 
>

So noted.  No disagreement here.  The darned things are pretty open to 
abuses of this sort.  I think this is why people  were asking about the
ramifications of such in the first place.  The thinking process has been:
(1) This can be done.
(2) Are we (libraries) liable for such abuses?
(3) Can and should we do something about it? 

> Surely, libraries really cannot prevent anyone from accessing/using
> their own e-mail accounts (especially since there is no software that
> is setup on the individual library microcomputers).  Certainly, all

Actually, there exists the ability to prevent users from accessing their
email accounts (both web-based and not).  The question is should they and will
they?  Filtering software can filter specific web sites.  We all know this.
Web-based email requires visiting a specific site to get and send web-based
email.  Therefore libraries have the _ability_ to restrict access to web-based
email by filtering web-based email sites.  Will libraries do it?  Should 
libraries do it?  Those are the questions.  Additionally, libraries can restrict
access to non-web-based email by not providing software (i.e. Eudora, telnet)
to access accounts with.  Email can also be prohibited by library policies.  
Again, the two questions come up.

> of these sites will (and do) keep track of who is accessing and from
> where.
> 

> The real question is what is hotmail, rocketmail, etc. going to do
> about it?  The service they provide is based on their belief that
> access is not a "right"... abuse of that access will be subject to
> revoking the user account.  We (a library) provide the hardward; 
> they (e-mail providers) provide the software.  I don't think we can
> be held accountable, simply because the software is the "key" here.
> 

Actually, the software issue is blurred in the case of web-based email.  
Since the web-sites are accessed with the client on the PC, they are part
of the client software.  The software running on the PC (both provided by the 
library) is needed to interpret the pages on the server (provided by the
service) for the user.  Software and "point-of-access" are the key here.
Libraries provide both.  If a user does not want the threatening message
tied to a computer that is tied to him/her (home or work computers), the
user just has to find an anonymous "point-of-access."  That combined with
relatively anonymous email (remember, no authentification) creates a 
situation where a person can harass or threaten someone else with little
fear of reproach. 

Let's take this a step further.  A patron who has access to the preferences
of a World Wide Web browser does not even need a real email account to 
have the ability to harass or threaten anonymously.  They can set the mail
preferences to identfy them as anyone from any made-up account name.  If
libraries don't have any policies concerning email use they may be leaving
themselves open for potential consequences.

These are the main points that were being tossed around about this topic
on web4lib.  At least that is how I saw it.                  

> Sure they may come back to us, and say that this workstation did
> "such-and-so" on "XXX date and time" and ask "who was using it?"  
> But, are we obligated to keep records of usage?  Are we obligated 
> to log users' ID's and time spect on each workstation?  Are we 
> obligated to keep users "chained" to a particular workstation 
> "because that is where we logged you in?"  None of that would work 
> either.
> 

No one is obligated or few are assuming that obligation if it does exist.  I 
think that it should be talked about though.  Let me ask the net community,
how would you feel as a human being if you found out that your hardware
and software (put out in the public as instruments of learning, research and
fun explorations) were used as a point of presence for someone to harass, 
embarass or threaten someone else?  I know that I would feel very badly about
this, especially if I had never conceived that it was a possibility.  I would
have appreciated the information before hand in order to make an informed
decision.

A lot of what we talk about is theoretical in many fields, organizations and 
careers.  Sometimes we have to step into the problems that we toss solutions
around for and look at them from every single angle, inside and out, and come
to an informed decision about them.  I'm not saying what is right or wrong,
what I am saying is that I do not know and appreciate the perspective that
dicussion brings.

> People with malicious intent will find a way to accomplish what they
> will.  Most people, thankfully, are not like that.
> 

True on both accounts.  But some are.  I can not tell you how many "fake" email
addresses I have cleared from the preferences of my web browsers.  Many of them
didn't sound to friendly.

> 
> 
> At 09:08 AM 10/30/97 -0800, you wrote:
> >To settle some of the ponderings concerning whether or not
> >net-based email can be traced to a machine, here's a copy of
> >a rocketmail email header:
> >
> >
> >
> >
> >Received: from web4.rocketmail.com ([205.180.57.78])
> >	by gw (GroupWise SMTP/MIME daemon 4.1 v3)
> >	; Thu, 30 Oct 97 11:02:11 INDIANA
> >Message-ID: <19971030155546.13824.rocketmail at web4.rocketmail.com>
> >
> >                 Here's the culprit!
> >|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> >VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
> >Received: from [147.226.94.73] by web4; Thu, 30 Oct 1997 07:55:46 PST
> >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
> >
> >Date: Thu, 30 Oct 1997 07:55:46 -0800 (PST)
> >From: Jim Jones <problem_solved at rocketmail.com>
> >Subject: Test of rocketmail headers
> >To: jjones2 at wp.bsu.edu
> >MIME-Version: 1.0
> >Content-Type: text/plain; charset=us-ascii
> >
> >
> >
> >
> >Right next to Received: above you find the originating "from" machine IP
> address
> >from where it originated.  A simple InterNic lookup on the domain (147.226)
> part
> >of the IP address will produce the name and office number of the person to call
> >if you run into issues from traffic originating from that domain.  
> >
> >Quite simple internet sleuthing.
> >
> >I am sure that Hotmail and any others are the same way.
> >
> >Jim Jones
> >
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Visit our Website....  http://muse.palos-verdes.lib.ca.us
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Anna Trupiano				Palos Verdes Library District
> Systems Administrator			701 Silver Spur Road
>   Phone: (310) 377-9584 X258		Palos Verdes Peninsula, CA 90274
>   FAX:   (310) 541-6807	
>  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
> 
>

More information about the Web4lib mailing list