Gwebs Cryptographer

One of the reasons we (yes, it’s a we now) at the Cryptographer are in this business is because we get to laugh at the messes we ourselves will never get into. Take, for example, Guo Li, a Hangzhou lawyer whose email was inadvertently “hung out to dry” online by Baidu (China’s search giant) and WanWang (one of China’s largest hosting providers). He sued for 1,000,000RMB (around $120,000), and the results speak for themselves.

I have translated the following article specifically for this blog.

Private Emails “Hung Out to Dry” for a Month, Victim Sues Baidu for
Violation of Privacy.
8-12-2007 3:35 A.M., Beijing Morning Post
After his private emails hosted in a Baidu (百度) account were posted online for more than a month, Hangzhou lawyer Guo Li (郭力) decided to sue Baidu Inc. and email services provider WanWang (万网) for 1,000,000 yuan in damages, claiming his communication privacy rights were violated. A judgment will be issued tomorrow at the Haidian District Court on this so-called “national precedent-setting email privacy case.” Guo Li stated at the conclusion of the trial, “It’s entirely possible to look into other people’s inboxes online, I’ve searched the information myself. This won’t be the last trial of this type.”

Discovering His Account Was Compromised By Searching

Yesterday morning, Guo Li sat by himself in the prosecutor’s booth and argued his case by alone, and going by his expression, he seemed confident that he would win (see photo). His evidence said that on August 11th of last year, while searching “Zhejiang Golden Road Law Office Guo Li” (”浙江金道律师事务所郭力”) and his email address he unexpectedly discovered a link to an email he had sent a month ago. Using Baidu’s cache feature (百度开照), he discovered that the attachments were also entirely visible.

On seeing that his emails were “hung out” (”晒”), as it’s called in the online world, he was surprised, and immediately demanded an explanation and investigation from Baidu and Wanwang, as well as demanding that the offending emails and links be taken down. The email he received from Wanwang in answer stated that their email server’s cache was “illegally spidered” by Baidu’s search process, and consequently linked and made public.

Guo Li considers the revelation of his personal emails online a serious violation of his rights, which is why he presented the case, and asked for 1,000,000 yuan in damages. “Email is the same as traditional mail in that its users should have a right to privacy, and that this right is legally protected. Wanwang failed to properly guarantee the safety of data on their servers, and Baidu’s illegal spidering process linked and publicized the content of personal email. This has caused me a lot of pressure, and I think these two websites need to take responsibility for their actions.”

At the Trial, Defendants Deny Responsibility

But Wanwang’s lawyer said trial that Wanwang had committed no offense. Wanwang has safety measures in place to guard user email, including 108-bit encryption which would require more than 10 years to crack using normal decryption methods. Guo’s email was made public, he claimed, because Guo had installed a Baidu plugin. * They were not clear exactly how his email was made public. Baidu’s lawyer plead that their company has no relation to searches for personal emails, and that they only offer search services for publicly available websites.  And, being a large search company, it’s impossible to have each indexed website verified manually. Guo Li’s personal emails were made public because they weren’t adequately guarded. In addition, after receiving the plaintiff’s original letter of complaint, all related pages and links were deleted, and because of this prompt response their actions do not constitute a breach of privacy.

Because of the relatively technical nature of the case, the two sides disagreed almost endlessly about technical matters, and court proceeded very slowly. For 14 hours straight there were heated words exchanged, and the judge was forced to limit the all parties to 3 minutes a turn in order for the trial to continue on schedule.

After the judges recessed, Guo Li said to the journalist, “After my email was made public, I did some searching online, and actually discovered that my email wasn’t the only one*. I found others’ documents as well, which I’ve had notarized and sent to the court as evidence.” Guo Li thinks, “The significance of this case is huge. It provides a precedent to remind online service providers to ensure their users’ privacy.” (Journalist: Li Jing/李婧)

*Bolding by poster

Originally from: Beijing Morning Post Link to original (Chinese) text

This is obviously a very important case for China, and we’ll be following up as we find more information. Whatever the result of this case turns out to be, Guo is right in saying that it won’t be the last of it’s kind, and Baidu is right on as well - that the email wasn’t properly shielded — if it’s online, its public. When you don’t use encryption, your email is basically public as it can be read anywhere  long the world-wide internet route it travels. Then again, the baidu plugin may have been at fault for putting his emails in a place where they were indexable, or WanWang might have irresponsibly allowed their databases to be index - Unfortunately of these questions were illuminated by the article… But right now, despite the settlement, all I’m thinking about is how happy I am not to be that guy. The last thing I want to have to put up with is lawyers bickering like 2-year olds over the intricacies of code. Do you see now why we do this?

Oh Yeah…

Marketing message: Gwebs WebmailSafety is a free piece of encryption software for webmail systems like Gmail, hotmail, and Yahoo mail, that Guo could have used to protect his email, download the newest version here.

Security, email, encryption, government, law, personal, privacy Baidu, email, email server, Internet Security, law, lawyer, privacy, search engine, Wanwang, 万网, 晒, 海淀区, 百度, 郭力, 金道律师事务所