Comments on: On privacy in the cyberage (II)

By: A. J. Randall

A. J. Randall — Tue, 01 Jul 2008 04:40:05 +0000

I find the party line analogy interesting, for I would use exactly that to argue quite a different point. In the days of the party line, and for that matter of the human operator, we knew better than to expose anything that we really wanted to be private to the wide world of the telephone. Today, we seem to have graduated from the party line to the radio, and confidently expect that what we broadcast on our radios will be kept strictly confidential. It seems to me to be almost like stripping in the middle of an intersection, then blaming anyone who sees you for violating your privacy.

What the person did to Judge Kozinski was wrong, I agree. But I would hold that the Judge was complicit to the extent that he left information that was private where the miscreant could get it. Easily, apparently.

How much different is this, really, than the misuse of .pdf technology that resulted in the exposure of redacted parts of documents to the opposition in a court case?

If you want it private, don't do it in public, and never rely on technology that you don't understand. Particularly technology designed to connect everything to everything else.

By: Greg Byshenk

Greg Byshenk — Tue, 01 Jul 2008 02:50:24 +0000

...As I see this matter, the problem arises due to a conflation in many people's minds of 'obscure' and 'private', though these are not at all equivalent....
http://www.byshenk.net/article.php?story=20080630210902141

By: mcg

mcg — Mon, 30 Jun 2008 20:49:33 +0000

I didn't realize this was FTP rather than HTTP.

That's because it wasn't. Lessig was wrong.

By: Craig James

Craig James — Mon, 30 Jun 2008 00:05:56 +0000

I didn't realize this was FTP rather than HTTP. This raises a whole new question: Did Sanai plant the evidence?

FTP has many known exploits, and is an insecure protocol that is largely replaced by SSH in modern systems. Most web sites use HTTP, which is a read-only protocol; you have to use add-on features such as PHP, ASP, or CGI programs to enable a user to modify the contents of an HTTP web site. By contrast, FTP is inherently a two-way protocol (hence the name, File Transfer Protocol). It is DESIGNED to allow uses to manipulate the files, and users are only prevented from doing so by carefully-crafted security restrictions. Any mistake in the configuration, and the site is wide open.

Worse, the protocol was designed before security was a huge problem on the internet, so it doesn't even encrypt usernames and passwords. And even worse yet, there have been hundreds of different implementations of FTP, some better and some worse, and some of these have well-known exploits that allow a hacker to gain complete access to a system.

Even if the FTP server was secure, a password-guessing tool such as the ones used by the FBI, can make intelligent guesses based on the site owner's interests. Such a program could have a high probability of success, because Sanai had full access to the site's contents. Most users pick passwords they can remember, and an examination of a family's web site will often be a dead giveaway to a good password-cracking program.

According to court documents and news stories, Sanai was engaged in a long campaign to discredit Judge Kozinski. Is it too much of a leap of logic to ask whether he might have planted these files?

By: Scott Ellington

Scott Ellington — Thu, 26 Jun 2008 05:17:53 +0000

I'd like to believe that substituting a law enforcement official in place of the disgruntled litigant would significantly change the terms of this controversy from pusuit of a private, malevolent agenda to the search for probable cause.
Tim Wu, at NCMR, said that the constitutional protections we enjoy preclude the abuse of public power, yet leave us entirely vulnerable to private spelunking and vendetta. Whether the Kozinski privacy-invasion was effected by a private citizen or an ISP, it seems the downside of internet empowerment is reflected in this two blog installments.
There is not yet a universal protocol for application of The Golden Rule of browsing, but discussions like this one may serve the same important purposes as in 1789, when corruption, abuse and freedom weren't abstractions.

By: Hitek Homeless

Hitek Homeless — Wed, 25 Jun 2008 21:35:43 +0000

I'll go along with most of this, but individuals just cannot expect privacy without taking some basic steps. We may not all need our hard drives encrypted, anonymous remailers for handling our email and SSL anonymizers for our web surfing, but everyone of us has the ability to decide what level of security he is comfortable with.

Sure, B&E is illegal, but that doesn't stop most people from locking their doors. Most folks would call a thief a louse or something stronger, but it does not preclude them locking their doors!

Leaving a web or ftp server wide open is, to me, like the lady that undresses in front of a picture window; if she didn't want to be seen, she'd pull the blinds or go into a different room to undress.

Maybe we should all be able to expect perfect privacy, but the human animal is far too inquisitive. How many of you count your money in the middle of the sidewalk?

By: Oliver

Oliver — Mon, 23 Jun 2008 04:42:12 +0000

There's no need to deny oneself schadenfreude to maintain a clear and fair stand on privacy. That would be like denying yourself the right to use deadly force in self-defense. Yes, it's unseemly, but hey, it's a jungle out there.

By: Seth Finkelstein

Seth Finkelstein — Mon, 23 Jun 2008 01:17:45 +0000

If anyone is still reading, I have a Guardian column published about this now:

http://www.guardian.co.uk/technology/2008/jun/19/hitechcrime.internet

"New technologies bring new ways for people to embarrass themselves - just ask the prominent and colourful judge Alex Kozinski"

I put the issue in the context of competing concepts of "everything not explicitly prohibited is permitted", versus "everything not explicitly permitted is prohibited".

By: KCinDC

KCinDC — Sun, 22 Jun 2008 22:42:53 +0000

Lessig is ignoring the point made again by Sean Fitzgerald and mcg. I don't understand what he believes the conventions of privacy on the web are. If I find something on the web, how can I know whether it's private or not? It seems to me that anything indexed in search engines or accessible by unrestricted URLs can be assumed to be public. If there's something unethical about accessing some such URLs (which Lessig says is equivalent to poking about in someone's home), but there's no way of separating such supposedly private URLs from the millions of public URLs out there, how can I behave ethically?

What Sanai did with the information he obtained is an entirely different ethical question from how he obtained it.

And the point about this being an FTP server, not a website, seems to be not only irrelevant but incorrect.

By: Seth Finkelstein

Seth Finkelstein — Fri, 20 Jun 2008 09:43:53 +0000

If anyone is still reading, I have a _Guardian_ column published now on the subject:

http://www.guardian.co.uk/technology/2008/jun/19/hitechcrime.internet

"New technologies bring new ways for people to embarrass themselves - just ask the prominent and colourful judge Alex Kozinski"

I put the issue in the context of competing concepts of "everything not explicitly prohibited is permitted", versus "everything not explicitly permitted is prohibited".