June 14, 2008  ·  Lessig

I’ve gotten lots of email and comments about my criticism of the privacy-revealing behavior related to Chief Judge Kozinski. After reading those responses, I am more convinced of my view.

  1. Privacy is not determined by technology: The core point that’s important to me here is to reject the sense many have that “privacy” is that stuff you can’t get access to technically. So something’s private if encrypted, but if there’s a way for me to hack into it, it is public. I reject that sense of the norm of privacy. Think of a party line telephone. Anyone on the party line had a simple ability to pick up the telephone and listen to any conversation going on. But if you did that, others would rightly call you a louse. You had invaded the privacy of the people having a telephone call, even though it was technically trivial to listen to that private conversation.
  2. This FTP server was improperly configured (given its use): Though you could access this (or practically any) FTP site through the web, this was not a web site. It was a file server. Just like the server that contains the files for this blog, that means it enables people to get access to files. But it also enables the maintainer to control who gets access to what files. So with this blog, if you download a file I’ve linked from the blog, you can easily figure out what directory that file is located in. But you can’t (without serious hacking) see the other files in that directory, or see the directory structure. That’s because those friends who have helped me set this up have disabled that ability. Yale Kozinski apparently didn’t with the Kozinski server. So again, as with the party line, it was trivial to see all the files in any particular directory, or the directory structure. But that doesn’t make it any less a violation of privacy to peddle the list of stuff kept on the server to news organizations.
  3. Metaphors are metaphors: My original metaphor here was about someone jiggering a lock and breaking in. That was a metaphor. As with any metaphor, there are an infinite number of ways the metaphor is like the particular example, and an infinite number of ways it is unlike the particular example. The parts I found analogous were these: like someone breaking in, the litigant went where he wasn’t invited; like someone breaking in, the litigant found stuff in a place anyone could have placed it; like the den where anyone could place stuff, you can’t know who is responsible for whatever is there; like the den in a private house, privacy means not having to defend or explain what is in your den. As I explained in the comments, I didn’t mean the metaphor to suggest the litigant was a criminal for trespassing. As many of you know, I am not a believer in the trespass theory of cyberspace. But just because you’re not a criminal doesn’t mean you’re not a chump.
  4. “Hacker”: I called the litigant a “hacker.” That was the nicest thing I said about him. I do not subscribe to the view that “hacker” predicates only of criminals. RMS is famous for his greeting “Happy hacking.” It means nothing more than someone who explores. But again, that it is a good thing to explore does not mean it is a good thing to wander into someone’s den.
  5. The irrelevance of the MP3s: Some suggest my view would have been different had I known the judge had MP3s on his site. Those sorts are wrong. Indeed, I did know he had a few MP3s on his site — the first reporter calling me about this told me that. That fact does not change anything in the analysis. As the Fed Circuit has indicated in an unrelated case, an unindexed FTP site is not a “public” site. The fact that you have copyrighted MP3s on a nonprivate site does not make you a copyright infringer. Kozinski was not offering this content to the world. The fact that some Russian MP3 sites found it doesn’t change Kozinski’s responsibility. Obviously, while I don’t support the practice of wrongful distribution of copyrighted material, I certainly do believe people have the right to space-shift their material, and even share it with a friend (“Hey, listen to this…”). That’s all that’s happening here.
  6. Your privacy should not depend upon your political party: This also disappoints me here — the schadenfreude. Here’s a Republican judge getting in trouble for racy content with questionable copyright status. So we (or some of us) liberals get all outraged and angry at his bad behavior. But had the politics been different, would the reaction have been the same? Privacy, in my view, is more important than this. A Republican judge deserves his privacy as much as the rest of us.

I’ll add to this as I think of it. Now I’m late to taking my kid to see Alcatraz.

  • Anonymous

    Many thanks for fixing the RSS pagination. My friends will now be much more likely to read your posts when I share them.

  • http://seanfitzgerald.wordpress.com/ Sean FitzGerald

    Ouch! It appears your web server just ate 6 (lengthy) comments.

  • http://www.desjardins.org/david/ David desJardins

    Lessig’s arguments remind me of right-wing pundits who distort reality to support the results they like. Commentators are entitled to their own opinions, but no one is entitled to invent their own facts.

    Previously, Professor Lessig asserted as a statement of fact that a “robots.txt” file protected access to the files in question. Not only is it not true that robots.txt makes files private, it now seems pretty clear, from the investigation that people have done, that the statement is untrue, and there was a robots.txt file but it did not, in fact, deny robots (much less people) access to these particular files. Was there any evidence at all supporting this claim? It seems like Lessig made the claim not because he had evidence to support it, but just because it would have been a convenient fact to justify his chosen conclusion.

    Now, Lessig reverses course completely, and argues that Kozinski didn’t set this system up as a web server, only as an ftp server, and was not aware that it was functioning as a web server. Not only is this completely inconsistent with the previous argument (the existence of robots.txt demonstrates that it was intended as a web server, as the robot exclusion protocol requires http access), but it is also in direct contradiction with the fact (which is or should be known to Lessig, as Seth Finkelstein has posted it in the comments here) that Kozinski in fact disseminated http links to files on this server, and therefore he demonstrably did know that it was acting as a web server, and that anyone could access the web server via http links.

    It’s entirely possible that an analysis of the server logs from Kozinski’s computer will show even more of Lessig’s claims to be false. For example, Kozinski may have accessed the directory listing via http himself, thus demonstrating conclusively that he did know that it was accessible through the web. Or he may have provided the link to others who did so. How does Lessig claim to know that this is not so? Shouldn’t opinions about the facts of the case be based on actual, factual evidence? Not wishful thinking.

    The Wall Street Journal article summarizes the issue well: Legal-ethics professors said the main concerns should be whether the judge took sufficient steps to make sure the material wasn’t accessible, and whether and to what extent it was disseminated. These are reasonable questions, to which we don’t have all of the answers. Lessig’s assertions of a particular answer to these questions (especially when the facts supporting his conclusions don’t even seem to be true) make him seem more of an advocate for Kozinski than an impartial commentator.

  • http://seanfitzgerald.wordpress.com/ Sean FitzGerald

    My second attempt at commenting, edited to remove references to previous, deleted comments:

    Larry: With respect I think your metaphor of jiggering a lock is weak and you seem to be trying to defend it. There was no jiggering of a lock. The lock was unintentionally left unlocked. There was no hacking.

    I think your party line analogy is better analogy, but it doesn’t take into account that a web server is a publishing medium (or at least is perceived as such) that potentially the whole world has access to. A party line is understood to be for private conversations, even if the line is shared.

    It’s hard to find an appropriate metaphor though. I could say this was akin to someone leaving the front door of a house unlocked, but not only is there a clear cultural understanding that it’s inappropriate to enter someone’s unlocked house, there is the clear precedent that it’s trespassing, and therefore illegal.

    Perhaps it’s like living in a shared house, where one of the more paranoid housemates keeps a lock on their bedroom door. Just because they may accidentally leave the lock off one day doesn’t give us the right to walk into their bedroom and start rifling through their stuff. That would be considered rude. There already exists a clear cultural understanding that this is the case.

    I think this is the point that Stu (in a deleted comment) is making. As he points out, in the old multi-user systems even if you could gain access to someone else’s home directory it would be considered rude to do so. But there was a received cultural understanding there. I think no such understanding, as yet, exists on the mainstream Internet.

    For me part of the problem here is the difference between the physical and digital, non-physical realm.

    In this sense there is a huge similarity with the whole “illegal” file sharing and downloading debate. We don’t call file sharing “stealing” because we are talking about digital objects, not physical ones. Instead we talk about “illegal file sharing” or “copyright infringement” (although it’s still hard to be heard on that – for many it’s still stealing, even when you try and point out the difference between stealing a book and being able to copy and distribute a digital file ad infinitum at no marginal cost).

    We don’t have the same cultural understandings and we can’t use the same language in the digital, non-physical world that we do in the physical realm. Like file sharing, the language of private/public may have to be expanded and redefined for the Internet.

    For the record, I agree that the way Kozinski has been treated is appalling. Possessing sexually explicit but legal images does not necessarily preclude him from presiding over an obscenity trial.

  • http://sethf.com/ Seth Finkelstein

    I posted this in the previous thread, but for people who didn’t see it since it was way down in 100+ comments, take a look at my blog post:

    How “alex.kozinski.com” worked

    I’ve found an old HTML document from Kozinski, posted on a popular law blog, where the links indicate he knew people could retrieve files from his site, even from the “/stuff” directory. I speculate that he thought they needed specific filenames.

  • ogmb

    The most important point that Lessig ignores here is that privacy is not a trump card that can be played after the fact if the information leaked out through one’s own carelessness turns out to be embarrassing. But that’s exactly what he’s trying to do here. If you expect privacy for your personal matters you don’t leave them on the back seat of your car or in a web-accessible folder on the www. The law and the rulings on this have been very clear that the onus is on the user who wants privacy on the web to create it for themselves. Otherwise my right to assume that what is accessible on the web without authorization is there for public consumption trumps the owner’s expectation of privacy.

  • James Day

    The private form of party line you referenced seems to be what was intended. The server configuration made it the public form of party line instead. An unfortunate error with radically different privacy expectations.

    Privacy may not be defined by technology but publication is. Here, the material was published. Accidentally, perhaps, but still published. Including that list of files. I’m running an FTP server on this laptop computer at home. It uses a password and individual user accounts to limit browsing. If I’d instead configured it without a password and to allow browsing without user restrictions I’d be publishing all of the information on it. The technical distinction is critical to what I’m doing. Unfortunately for the judge the published list is the setting that was used.

    It’s still abuse of the judge by the litigant, given the intent apparent here. The prior connection is not insignificant.

  • http://blog.sandipb.net Sandip Bhattacharya

    > Otherwise my right to assume that what is accessible on the web without authorization is there
    > for public consumption trumps the owner’s expectation of privacy.

    This argument is being peddled by every other person and I really have to say – that this is an oversimplification of what has happened.

    Let us suppose you have a website, with an index page which links to and uses certain media on the page. Links to other HTML pages within the website access other media. Obviously, this set of interconnected links from the home page encompasses the view of resources on your website that you would like to make public. Now the locations in your website where this media lie may contain other kinds of media not otherwise reachable from any link (or referenced link thereof) from the home page (like auto-indexed directories). Mind you, it is not technically impossible to reach this page – you only need to look at the source of the web pages to figure out the possibilities. But clearly, it is not intended to be looked at in a traditional “published content” sense.

    The only entities which can reach these “hidden” locations are robots, which clearly was thought of, and disallowed in this case.

    Now would you consider a human nosing around the whole website, looking through every url referenced in every page … a deliberate attempt to invade the website owner’s privacy? I consider it as one.

    - Sandip

  • Chris Ward

    It’s pitting the engineers against the businessmen.

    From a scientific/engineering point of view, this server was on the public Internet, and its contents could have been fetched by a fully-automated process from anywhere in the world. The scientist (or engineer) considers that the information was probably just the same sort of thing that presidential candidates put on their web sites; marketing material, if you will, intended to be read by all.

    From the businessman’s point of view, he might run to his lawyer and try to get the scientist/engineer slapped on the wrist. Or worse.

    Businessmen, it’s hard enough to be a scientist or engineer (and to teach new ones) as it is. Please do not slap us on the wrist. Please ask us for our advice as and when you need it.

    Can we maybe have a rule? If you don’t intend information to be publicly accessible, don’t put it on the Internet at all. If you intend to allow controlled access, then hire a professional (who will take responsibility) to set up the controls; or learn how to do it yourself.

    MP3s and copyright infringement is a whole other debate. We need to have it; but this post is long enough already. Please discuss in another item.

  • http://trurl.freeshell.org/ Stu Black

    (I’m not heartbroken that my earlier comment got wiped out. I saved the text, but it needed to be boiled down or expanded into a full essay, as it went in all directions at once.)

    From my earlier post: by configuring an HTTP server to answer requests indiscriminately, I am symbolically placing whatever content is in the server’s shared directories into the public arena. Additionally, this act is a strong statement of such.

    This is not the only way that someone can express placement of material in the public arena. Take, for example, the old shared environment on Unix machines. If I have a directory that is named /home/stu/pub/, set its permissions to allow anyone to read and write in it, and have a file at /home/stu/PUB_INFO.txt that reads “do whatever you want in the pub directory,” it’s pretty reasonable to believe that the contents of the directory are not at all private. If I have a hidden directory with an obfuscated name (like /home/stu/.doc/real_estate/plans_to_conquer_europe) which I (presumably accidentally) set to be publicly readable and writable, it is less clear whether I intended this to be in the public arena. It still is, after a fashion, as files in it can be found with the “locate” command, but I might feel my privacy violated if someone deleted my plans to win at Trafalgar. (One issue at hand here is how automated tools, like the one that builds the “locate” database, search engine crawlers, and the bots that probably loaded up Kozinski’s Web site with mp3s, cannot read all of the same signs that humans can.)

    There are many signs that can be used to indicate whether I am placing something in the public arena or keeping it private, and how they are interpreted (or whether they are even noticed) depends on the interpreter. To many, putting something in a public HTTP share means, “I want anyone who finds this to be able to read it.” I also believe that this is a reasonable interpretation of this action.

    There may be other signals of varying relative strength (like whether the content being shared is clearly highly personal or the URI naming the resource indicating whether it is public or private), and they should be taken into account, but people of different persuasions will think differently about this. In the case we have here, I don’t think it is reasonable to say that Kozinski’s files were not submitted to open, public scrutiny.

  • mcg

    Of course privacy is dependent upon technology. It is also dependent upon your environment. Say I wish to communicate a private message to a friend in Minnesota. I can call him on the telephone, or I can buy airtime on a radio station when I know he’ll be listening. I can send him an email, or I can take out a full-page ad in his local paper. If I choose the latter option in either scenario, I can hardly claim that my message is private. I can argue all I want that the message is intended only for him, and that anyone who acts on its content is violating my privacy, but I will of course come across as silly. For a more realistic example: if you are having a private conversation in a restaurant, you cannot claim your conversation is private if you insist on conducting it at an unreasonably high volume. Yes, if you do so, you can expect people to be decent enough not to strain to eavesdrop; but note that there is a certain responsibility that you as the communicator bring to the situation. Now, on the other extreme, in my home I enjoy an extremely high presumption of privacy. I don’t have to do much to ensure it: I don’t have to lock my doors, I don’t even have to close my doors, to prevent strangers from legally entering and rifling through my things.

    The point is that different technologies and environments (physical and virtual) place different burdens on the actor to obtain a reasonable expectation of privacy. Laws, traditions, and social mores all collaborate to dictate what those should be. In the home this burden is the lowest. On the web, the burden is frankly not that high, thanks to technological measures. But that burden is more than it is in the home.

    Saying things like “So something’s private if encrypted, but if there’s a way for me to hack into it, it is public” is a disingenuous simplification of counterarguments that have been made here. Nobody has made that argument, and in fact, I’ve specifically stated the opposite. That is: if you encrypt something, or place any reasonable sort of controls on who can access it, it is private. If I hack into it, it is still private—I have violated your privacy, and I have broken the law. My argument is simply that publication of content on the Web comes with an expectation of public dissemination, and you have to put a reasonable amount of effort into changing that if you so desire.

    I might add as a technical point: it was not an FTP server, it was a Web server. One of the reasons this distinction is important is that FTP servers are far more limited in their authentication methods: anonymous FTP serves public files; password-protected FTP serves private files. Web servers, on the other hand, provide a rich environment of configurable access control and authentication. You can enable directory listings, or you can disable them, on a directory-by-directory basis. You can limit access, on a directory-by-directory basis, to individuals or groups of users. You can provide guidelines, which reputable search engines follow, to govern when robots can scan and index your web site—and yet, even if they fail to follow those guidelines, the same access controls used to keep out undesired users will keep them out as well.

    But Alex Kozinski did none of these things. His web server was configured to serve full directory listings upon request—a configuration that is easily changed. His web server was configured to allow full spider searches from search engines—a configuration that is easily changed. He then proceeded to share links to his web server in documents he published on the web (note the root of the word “publish”).

    Fine, you say; but what about the methods used to discover the information? Isn’t URL truncation inappropriate? Not at all. There are entirely legitimate uses for URL truncation; in the previous post I cited a number of examples. I’m reasonably certain that robots use it as well, in order to fully flesh out the contents of a web site; depending upon external links alone would be significantly more difficult to implement. Would you now pronounce it inappropriate to do under any circumstance? Are you now suggesting that it is the responsibility of every web publisher to now “opt into” the free access of the content on their web site, despite the fact that from the Web’s very inception that has been the default?

  • mcg

    > The only entities which can reach these “hidden” locations are robots, which clearly was thought of, and disallowed in this case.

    This is wrong for one and possibly two reasons.

    First of all, the best information we have about Alex Kozinski’s web site is that his robots.txt file did allow full access by robots. Heck, if you Google “site:alex.kozinski.com” now, you’ll see plenty of hits.

    Secondly, a web crawler cannot access anything that a human cannot. That is, if a robot can see it, so can a human. A robot uses the same access protocols and is subject to the same access control measures as a human. A robots.txt file constrains a robot in ways that a human is not, assuming the robot chooses to follow its commands.

  • mcg

    According to Seth Finkelstein’s forensic work (see his link above), here was Alex Kozinski’s robots.txt file:

    User-agent: *
    Disallow: /jurist-l/

    If the robots.txt file were absent or it was just a default file, one could reasonably argue that Judge Kozinski’s site administrator was ignorant or naive. Instead, we find that it was deliberately created, and its creator chose to include only one specific directory in its exclusion list. In particular, “stuff/” was free to be indexed.

    So if I was on a video search engine that respected the robots.txt file, and I searched for, say, Burger King commercials or videos of women wearing pants so tight an outline of their genitals was visible, I could very well have ended up at alex.kozinski.com. He may not have intended to give me permission, but he sure as heck did nonetheless.

  • http://seanfitzgerald.wordpress.com/ Sean FitzGerald

    On further reflection, and after reading other comments, I think my foray into the comparison of notions of privacy in physical and non-physical spaces was a bit of an unnecessary tangent and I would like to modify (and simplify!) my position thus:

    By default the web is a publishing medium. Failing to put a ‘lock’ on a part of it is not the same as failing to put a lock on a house which is, by default, private (as is the party line).

    The norm then, is that everything that is on the web is publicly accessible, unless it has been deliberately made otherwise. Users are free to wander any part of the public web.

    The onus is on the person who wants privacy to make it so. It is their responsibility. If they don’t then what they have posted is fair game, and saying that Kozinski intended to make it private is not an adequate defense.

    What the guy did with what he found was ethically dubious. It isn’t fair and it sucks for Kozinski that he is getting pounded for making an innocent mistake, but there you have it.

    Sorry – no reasonable automatic expectation of privacy.

  • http://johnsmentaldetritus.blogspot.com/ John J.

    I think the problem in this discussion is that we are arguing two different things. Lessig, you seem to be arguing more from an ethical standpoint, while others are arguing whether a law was broken. I think your initial example of the lockpicking was a poor analogy as it implies that a law (breaking and entering, or in the RL case, hacking the server) would be broken. This didn’t really happen as the files were publicly available.

    Your second example of the party line is good, as it hits more toward where your argument is accurate. Another would be reading an open piece of mail that was left in a public place. The reason this hits more accurately is that (to my knowledge) there aren’t any laws against these two actions, but to the general public it is verboten. This is the heart of the ethical part of this argument – it is wrong to access something private, even if there isn’t anything preventing you from doing so.

    Getting to the issue at hand (and thank you for giving me much more detail than I had gotten elsewhere), I still think the judge would be better off recusing himself from this case. It isn’t the judge that should be on trial in this issue, and a recusal is a perfectly legitimate choice. If he stays on the case, it will make him the direct subject of any higher appeals.

    As for the litigant that did the, let’s call it “digging,” I am wary of any prosecution. Any action taken against him could be used to infringe on fair use – “You weren’t supposed to access that web content for that action,” and open up litigation on much wider things, such as the use of satellite feeds that, while openly accessible to anyone with a dish, aren’t meant for general consumption.

  • mcg

    Actually, no, I’m not focusing on law, although I actually happen to think that existing law (e.g., unlawful access to controlled storage) aligns very well with what I consider to be the natural privacy structure of the Web.

    Still, I am far more comfortable discussing the notion, and possibly agreeing with the notion, that the “digging” Mr. Sanai (sp?) did was wrong. Because in doing so, it goes beyond just a discussion of his techniques and actions—I can bring his motives into it as well. A private detective can be inappropriately intrusive, I suppose, even if he used only legal means to obtain information. What I am simply saying is that the techniques he used were not wrong: legally OR ethically. There are entirely legitimate purposes for such techniques.

  • poptones

    Look, you put stuff in a public place – you SHARE something – then it is simple idiocy to then expect some sort of “privacy” with the same material. I find it most ironic you should be defending this in such a way when you have so many posts clearly outlining why, for example, Google should be allowed to take works shared by OTHERS – works intended to be shared with “certain others” (notably, those who have purchased their books or made a trip to the local library to borrow one from others who have) – and REPUBLISH them for the use of folks who likely aren’t in that number.

    I also find it sad how you put all this in the context of the ends justifying the means. You rail about privacy and how we are all bound by some civil justice to reasonable expectations and then make clear exceptions for those who have otherwise done NOTHING wrong except perhaps viewed some material others would find offensive within the privacy of this very same sacred hovel. There is absolutely no proof viewing violence, bestiality, or any other sort of pornographic or “obscene” material alters the behavior of those who view it, and yet you blindly accept this “norm” while at the same time heaping shame upon those who have really done nothing more than sharing a “secret”?

    The story isn’t whether or not the judge deserved privacy (he does). The story isn’t whether or not a judge who (OMG) HAS A SEX LIFE is fit to rule over an obscenity trial. The story (and the question) is how a society that claims to be free and open can also defend such political correctness and fascist notions as obscenity trials.

    A PERSONAL computer is just that: personal. It is an extension of the owner’s mind. We have no more right to go digging around someone’s PERSONAL computer than we have to go digging around their mind.

    A PUBLIC computer, OTOH…

  • Alloyed

    > I can send him an email, or I can take out a full-page ad in his local paper. If I choose the latter option . . . I can hardly claim that my message is private.

    E-mail is transmitted in the clear; it’s trivial for anyone along the path to read everything you wrote. Therefore because it’s easy to read, it shouldn’t be considered “private?”

  • mcg

    Alloyed, did you misunderstand me? I am placing email in the “private” category. As a former system administrator I’m well aware of the security issues involved. It is *not*, in fact, “trivial” for the average person to read someone else’s email. It’s trivial for certain people “along the path”, but they require special privileges or must exert some effort (read: hacking) to acquire those privileges: a system administrator, or a law enforcement agency in cahoots with said administrator, or someone who has that someone else’s password. It’s safe from the prying eyes of the average joe. Unauthorized reading of emails can and has been prosecuted in the past; concerns about Google’s use of email content to create targeted ads have been scrutinized.

  • mcg

    I do a little bit of patent consulting (technical, not legal) for a well-known high-tech firm. We use an ordinary FTP server to exchange files; we exchange email in cleartext, though with text like “privileged” and “confidential” placed prominently at the top. I commented to my colleague that it seemed a rather weak setup from a security standpoint; FTP isn’t tough to hack, no encryption on email, etc. My colleague’s response is that he really doesn’t care how *hard* it is to intercept our communications, just that it requires a conscious decision to violate our privacy. That alone provides enough *legal* security for our purposes.

    Likewise when I’m talking about private Web content I am not talking about locking everything down with 1024-bit AES encryption, randomly generated passwords, and virtual private networks. I’m talking about the basic access control methods—turning off automatic directory indexing, creating robots.txt files, or using basic .htaccess files when necessary… techniques that have been around for most of the life of the Web. I don’t even care about SSL. Just the simplest of measures to ensure that benign web surfers don’t go where you would like them not to go. Is it hackable? Probably. But not accidentally.

    Geez, this is consuming way too much of my time, and Mr. Lessig’s blog space. I should blog.
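    The access controls mcg describes above (directory listings, robots.txt, basic .htaccess-style restrictions), written out as an Apache 2.4 configuration fragment. This is an added example, not configuration from the thread or from alex.kozinski.com; the directory paths, the password file location and the “articles”/“private” names are assumptions.

```apache
# Added example: two directories under one document root (paths assumed).
# Apache 2.4 syntax; the same directives can go in a per-directory
# .htaccess file when AllowOverride permits them.

DocumentRoot "/var/www/site"

# Weak setting described in the thread: "Indexes" turned on and no
# index.html present, so a request for the bare directory URL returns
# an automatically generated list of every file in it. A robots.txt
# Disallow line would only steer well-behaved crawlers away from this
# listing; it is advice, not an access control, and does nothing to a
# person typing the URL by hand.
#
#   <Directory "/var/www/site/articles">
#       Options +Indexes
#       Require all granted
#   </Directory>

# Hardened, case 1: files meant to be reachable only by the exact URL
# that was handed out. Listing is off, so the bare directory URL now
# returns 403 Forbidden while each linked file still downloads normally.
<Directory "/var/www/site/articles">
    Options -Indexes
    Require all granted
</Directory>

# Hardened, case 2: material that is private rather than merely
# unlisted. Listing is off AND every request needs a valid login, so
# neither a crawler nor a visitor guessing or truncating URLs gets
# anything back without credentials.
<Directory "/var/www/site/private">
    Options -Indexes
    AuthType Basic
    AuthName "Private files"
    AuthUserFile "/var/www/auth/htpasswd"   # assumed path, outside the document root
    Require valid-user
</Directory>
```

    The robots.txt quoted later in the thread belongs alongside this, not instead of it: it can keep an indexed listing out of search engines, but only the `Options -Indexes` and `Require` lines change what the server actually answers.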

  • Cyrus Sanai

    I would like to compliment all of the prior commentators on their excellent grasp of the issues and sophisticated discussion. A refreshing change from the nonsense spewed on some other blogs. Now let’s get down to reality.

    Why do you put stuff on a web server? To distribute it. The idea that material on a web server has the same expectations of privacy as material stored in your home is just bizarre.

    Next relevant question: was the server a private limited distribution or a public distribution? This is an important distinction. For example, material put on a law firm’s internal servers is private, for example, as to persons outside the law firm. However, material put on the public servers is public. Which was Kozinski’s?

    Professor Lessig’s reliance on the FTP case is kind of funny. That case says an unindexed FTP site has some privacy expectations. That’s unexceptional; it’s the same situation as the information on a law firm’s internal intranet.

    Here we had a fully indexed (though I did not know it) web server as to which Judge Kozinski regularly distributed URLs within material he intended to be published in newspapers and on the web. In the case of the /articles/ directory, he distributed that directory link itself to people so that they could see his complete literary output outside the legal reporters. He wanted people to be able to see that directory. I don’t think you could have a situation more opposite on the spectrum.

    Are the mp3s important? You bet they are. Even private, limited distribution of copyrighted mp3s is a violation of that copyright. The only rational reason to upload them from a home computer is to allow third parties to access them. Think of the law firm’s intranet. Suppose the law firm buys a Weird Al Yankovic CD. Can it put the ripped mp3s on its intranet for downloading by employees? Of course not. While the intranet is private, copyright violations are still occurring. There is no reason to put up mp3s on a website other than to distribute them, absent streaming software protections.

    I take no offense by the way at being called a hacker (though truncating a URL is not hacking). I take offense at being called a “burglar”. The bottom line is that Judge Kozinski utilized alex.kozinski.com for personal purposes, and, Prof. Lessig ignores, to commit misconduct in 2005.

    I was not looking at the website to find dirt. The gist of my misconduct complaint in 2005 was (a) Judge Kozinski violated judicial ethics by writing about my case while it was pending before the Ninth Circuit, and (b) he violated judicial ethics by posting, on alex.kozinski.com, case-materials to influence the case’s disposition by the Ninth Circuit. I got an acknowledgement by Kozinski of wrongdoing on (a), while (b) was dismissed on the grounds that alex.kozinski.com did not exist (he took it down at some time before the disposition was issued).

    When Kozinski put the site up, this time with the article he had acknowledged was wrongful in the /articles/ directory, I refiled the complaint again. A month later, I decided to use google, and it was a Merry Xmas for all.

    Even if I had never truncated a URL or peeked at the directory, Judge Kozinski would have been facing negative publicity and misconduct charges for the mp3s. Terry Carter of ABA Journal had been working on the story for weeks (based on my tip) when the LA Times went with the porn angle. His article is up now.

    The bottom line is Judge Kozinski used his site as a tool for distribution of his articles, for the distribution of copyrighted material to third parties, and to commit judicial misconduct. There is no principled defense, and arguing that he had an expectation of privacy when he laid these materials out open in the world and pointed to the address is, as I think the prior comments make clear, bizarre thinking indeed.

    Cyrus Sanai

  • http://www.arkansawyer.com/wordpress/ John A Arkansawyer

    “I was not looking at the website to find dirt.”

    And yet, when you found something others might find dirty, you distributed it and caused it to be published.

    Again, that’s not illegal. If you’d found something genuinely horrible, you’d have arguably been right to do so. But in this case, you strike me as just being a dick.

    Again, I don’t see a legal expectation of privacy in this case. What I do see is a failure of cultural norms to restrain you from doing something creepy.

  • Dierk

    The whole gallimaufry is about one minor detail in a metaphor, which, as Lessig himself points out in this very post, is always prone to not fit completely. That’s the nature of metaphors: if ever they match a real situation 100% they cease to be metaphors and are just a description.

    Take out the dodgy lock. You could even see the window as open [instead of ajar]. You are still not allowed to go in unless *you get express authorisation*. The same holds true – despite missing technological expertise – for electronically stored contents. In this case anything that is on the Internet*. If you do not give me permission to get hold of your files I am not [legally and morally] allowed to fetch them.

    This includes cackhanded sysads not being able to effectively keep me out. Just because your sysad is too stupid to keep a server from my reach – let’s be honest, no server connected to the Internet is safe from reach and access – does not mean I am now allowed to do whatever I want.

    *Neither FTP nor e-mail nor BitTorrent are Web, which is a distinct sub-technology of the Internet, like the others mentioned.

  • http://www.cadenhead.org/workbench/ Rogers Cadenhead

    I have trouble with your suggestion that there’s an expectation of privacy for the files that were exposed on Judge Kozinski’s web server. If a server displays a list of files in a directory in response to a URL, and it serves those specific files upon request, what reason does an outside party have to believe that any of those files was private?

    As Seth Finkelstein has ably demonstrated through his research, linked earlier in this discussion, the files were exposed to search engines and could have been found in that manner without resorting to the practice of “URL hacking,” which is to shorten a URL down to the preceding “/” to see what else is hosted at that server.

    But even if they had been discovered through URL hacking, the act of making web content available in response to a URL request is entirely under the control of a web publisher. It’s not the fault of recipients that Kozinski made available content that he wishes he hadn’t. He could have used password protection or simply removed the files.

    The obligation of any Internet publisher is to know what he’s hosting on his own site and how the servers are configured.

  • http://www.cadenhead.org/workbench/ Rogers Cadenhead

    Incidentally, you are incorrect about the directory structure of your web site being configured to remain private:

    http://lessig.org/images/

    To elaborate on my point, why should I believe that you intend any of those files to be private, since I requested the URL http://lessig.org/images/ and your server helpfully provided a hyperlinked list of files?

  • bobbie

    How is it acceptable to write articles flogging people for having poor taste thereby harming their reputation? This country gets less free by the minute. At the bottom of this hill women should not be allowed to wear nail polish, and there will be no kite flying. In an earlier post the metaphor of someone leaving their picture window open was used. I think it was more like blinds were adjusted so that the outsider had to stand on a chair and look down into the room in order to see. The media became complicit in publishing this voyeuristic view.

  • mcg

    Dierk, you’re absolutely right: people should not access your electronically stored information without your permission.

    But if you bought a full-page ad in the newspaper, would it be reasonable to expect everyone to contact you first before they read it? Would it be reasonable for you to put a list of permitted readers at the top of the page, expecting those who are not on that list to avert their eyes? No, of course not, because the very act of publication is a blanket grant of permission.

    So it is with the web: it is a public forum by default. The act of web publishing is a grant of permission. Web servers are designed, and configured by default, with this convention in mind. The robots.txt convention is defined with this convention in mind. Search engines operate with this convention in mind. And so do casual benign web surfers with no illegitimate interests. And yet, the web is superior to other forms of public communication precisely because you can control access through simple authentication and control measures.

    You and our esteemed blog host can deny reality all you want, but it’s not going to change the conventions developed over the course of the Web’s explosive growth—growth that is arguably due in large part to that permissiveness. You are not going to impose a new social structure on the Web that is not already there. The genie is out of the bottle. And we should not shed a tear over that because it in no way prevents anyone from altering this privacy structure on demand.

    It’s kind of like deep linking. A lot of commercial content sites hated it at first when aggregators or blogs would link directly to their stories instead of forcing people to go to the web page and find it for themselves. You see, those direct links were, for a time, denying them ad revenue. If I remember correctly, the issue even made it to the Supreme Court, which upheld the legality of deep linking. (I believe the Danish court reached the opposite conclusion first; they were wrong.) Well, you know what, necessity is the mother of invention. These sites can use existing web conventions to detect when someone is coming in from the “outside”, and they can insert interstitial advertisements when that happens. We as readers may not like it, but it’s a hell of a lot better than some judicial, legislative, or socially imposed rule that we can’t publish deep links.

    What you do not want made public, do not print in the New York Times. Likewise, what you do not want made public, do not host on an unprotected Web server—and certainly do not publish links to any of it elsewhere on the web so that search engines can discover it and index it.

  • Jack Florey

    Sean FitzGerald:

    Larry: With respect I think your metaphor of jiggering a lock is weak and you seem to be trying to defend it. There was no jiggering of a lock. The lock was unintentionally left unlocked. There was no hacking.

    I feel like I have some authority to say what constitutes hacking of physical spaces. I am a hacker. By that, I am using a definition which has been around since at least the 70s. You can learn more about it here. I can assure you, you can do plenty of hacking while never performing any method of entry more advanced than pushing open a door left ajar. You can have fun and leave no trace, or you can, intentionally or by accident, do real damage to people and property. It is important to note that hackers have their own code of ethics, which would certainly preclude publishing private items found while hacking.

    Back on the topic of computer hacking (something else I am not ignorant of), you say

    The norm then, is that everything that is on the web is publicly accessible, unless it has been deliberately made otherwise. Users are free to wander any part of the public web…. Sorry – no reasonable automatic expectation of privacy.

    I think Larry put it best. If someone wanders across my private files because I was careless or unknowledgeable, and chooses to publicize those files, he may not have committed a crime, but I believe there is a good argument he is an ass.

    Speaking more generally, I think society would be a better and happier place with a reasonable expectation of privacy on the internet. This has served us well in the physical world for a long time, and I see no reason to change that.

  • http://seanfitzgerald.wordpress.com/ Sean FitzGerald

    I wonder if anyone else has any thoughts on what I was trying to say about the similarities between this case and file sharing.

    I was trying to point out what I think to be an inconsistency in new media commentators’ positions on file sharing (which I think Lessig may share) and with Lessig’s position on this issue, and I think I have a better way of saying it…

    Once MP3s are made available online there are no technical limitations to stop users from copying them and sharing them (I’m talking about anywhere, I’m not talking about Kozinski’s web server).

    You can’t say to the RIAA and musicians that once they make MP3 files available online they can’t expect people to not copy them and share them just because the RIAA and the musicians don’t want people to, and that they just have to adjust to and accept the new reality, and then turn around and say if you can legally access files on a web server you shouldn’t just because the owner doesn’t want you to.

    On a different topic Jack Florey said:

    I can assure you, you can do plenty of hacking while never performing any method of entry more advanced than pushing open a door left ajar.

    OK… fair point, but I was using the term in a way I think most people would think of it, where hacking would require some tinkering or tampering. I don’t think defending the good name of hacker culture from its poor public image takes anything away from my point.

    Jack Florey said:

    Speaking more generally, I think society would be a better and happier place with a reasonable expectation of privacy on the internet. This has served us well in the physical world for a long time, and I see no reason to change that.

    Back to my discussion on the different laws and ethics for the physical and digital world and file sharing – you can’t use the same rules on the Internet that apply in the physical world. To do so would give comfort to those who say that illegally copying a digital file is the same as stealing a physical book. The Internet has evolved, and continues to evolve, its own legal and ethical rules, as mcg keeps pointing out.

    (And I agree… he was an ass.)

  • mcg

    Despite my apparent passion and frustration displayed in my comments I really enjoy a spirited engagement when the topic catches my interest, as this one has. But it’s Sunday evening and I’m probably going to try to beg off to spend time with the wife and prepare myself mentally for the week ahead.

    I will only emphasize once more that the Web supports whatever level of privacy you wish to assign to your content, but its original and continuing intent is a forum for the public dissemination of electronic content. I’m not particularly afraid that those in this discussion who would like to see a different privacy ethic will hold sway, but if their passion leads them to action I would encourage them to consider ways that improvements in technology can provide the kinds of protections they seek. For instance, contact the authors of Apache and other popular web servers and encourage them to change their default behaviors to favor privacy—so that more deliberate action is required to share files.

    Finally I want to add my agreement to those who are uncomfortable with what Mr. Sanai has done with the information he has found. That I believe the methods he used were legal and ethically acceptable in other contexts doesn’t change that. Indeed I am uncomfortable having him participate on this thread because it suggests that I’m taking his side. I’m not. I am taking the side of the public Web, that’s it.

    Be well.

  • Cyrus Sanai

    I’m going to say this again. Read the ABA Journal article by Terry Carter to see what I think is Kozinski’s real problem: file sharing.

    I found prima facie evidence of file sharing of mp3s by Judge Kozinski. That was what I always thought was important, as it was flatly illegal, and Judge Kozinski is aggressively in favor of expanding the liability for contributory infringement to those who unknowingly assist. It is a plain example of a judge believing he is above the law.

    There is a large community of lawyers who condemn any person who exposes judicial misconduct, usually because they are complicit, one way or another, in its creation or maintenance. That’s not surprising; you could not have corrupt jurisdictions like Brooklyn, New York, Louisiana, or Washington State without the support of the bar.

    It has been more surprising to see Prof. Lessig go this way. His statement is that “mp3s are not important” because he believes Judge Kozinski was not “offering it to the world”. The evidence suggests otherwise. Even if it was not offered to the world, it was offered to SOMEBODY, and that is a violation of copyright, plain and simple. The web site was used by Judge Kozinski to publicly distribute material. Even if this portion was supposed to be semi-private, it was still wrong to distribute mp3s to friends and family, and he knew it.

    Having discovered this prima facie evidence of misconduct, it was in the public interest that I get it exposed and investigated. I know from past experience that had I just filed a misconduct complaint, Kozinski would again have taken the site down, and I would again have received an order stating that there was no such site. Public exposure was the only way to go. Because Scott Glover was doing the obscenity trial, that was the aspect he chose to cover. Had he not been interested, Terry Carter’s article would have been published, as it was in the works for weeks.

    Cyrus Sanai

  • James Day

    Cyrus Sanai,

    Your assertion that the only purpose for putting MP3 files on a server was to redistribute them to others is not accurate:

    1. I have placed MP3 versions of works that I owned in CD form on a third party hosted web server that any member of the public could access. My purpose was not to distribute them to others but to distribute them to me, wherever I was that had an internet connection, so that I could play them whenever I wanted to. I was scrupulously careful to ensure that the directory containing them was not visible to all and that there were no links to the files. Still, anyone who knew the URL could have downloaded the files. The problem for the judge is that someone else got wrong what I got correct: ensuring that the files could not be found and used by anyone other than the judge.

    2. At work we use public FTP to distribute files to individual customers. They are served from a non-browsable directory but anyone who knows the name is able to download the file. The file names used are sufficiently effective at preventing others from obtaining the files.

    If I recall correctly there’s even been an internet RFC covering the use of obscure names in account name/ password form to restrict access to works. No actual password involved, simply the practical obstacle of locating files when you don’t know where they are located and can’t browse to find them, so the combination works as a password system.

    The possibility that anyone could obtain a file is not the same thing as an intent to allow anyone to do so. Such evidence of intent as we have here is that there was no intent for others to access the material and your efforts have clearly demonstrated why that would have been the intent: litigants might otherwise seek to use the material to compromise the judge or in revenge, though I don’t know your own purpose.

    You’re assuming the most negative interpretation. The most positive is the apparently correct one: that the problematic material was intended only for the consumption of the judge and only an error by someone else caused others to be able to obtain the material.

  • http://flickr.com/photos/shandrew/ Andrew S

    Professor Lessig, I rarely disagree with you but in this case I’m afraid that I do. Traversing a site by erasing the end portion of a URL is standard practice for the web, not “hacking”! Doing this is more like going through someone’s front gate to ring their doorbell rather than jiggering a lock and breaking in. If this is a violation of privacy, then all search engines violate privacy thousands of times a day. It is more akin to paparazzi taking a photo through a window of what’s in his house, except EVERYONE can see into the house. The act itself is not trespass because it is common practice for the web.

    Exposing the info was a smear, it’s garbage, crude, wrong and mean-spirited. Being a public figure means that you are subject to these attacks, and unfortunately this is part of living in a society with free speech, free press (that frequently fails on reporting the truth), a large number of people with puritanical values, and most of all, a population that would rather read about some files on a judge’s computer than how to solve corruption in congress. Unfortunately the media is paid by readership and advertisers, not by quality, so readers get what sells. The only real solution is to have a better-educated public.

    There are different levels of violations of privacy. This one was a very low-level violation of privacy, one that took very little effort and resources. The dirtbag in question could have hired a PI and discovered a lot more dirt on the judge, violating his privacy to a far greater degree. You can imagine what things are like when there is more at stake…how many people do you think are out there digging up dirt on McCain and Obama?

    The relationship that this situation has with technology is only that technology has driven the price of all sorts of information transfer to be lower, including those that are violations of privacy. You only went wrong when you started making analogies to a lock and talking about robots.txt.

    (on a technological note, being an FTP rather than web server makes directory traversal even more of a standard practice. Directory traversal is part of the ftp standard (i.e. there’s actually a “cd” command in the ftp protocol), unlike the web where directory traversal is a convenience.)

  • Dierk

    MCG, you are constantly shifting the target and employing far-fetched metaphors to make your point [‘There’s no privacy on the Internet.’].

    I do not dispute the bad judgement and technical expertise of both Kozinskis. They should have been a bit more careful. Nevertheless, privacy does not come with individual measures taken to ensure it. If that were so, there wouldn’t be any notion of privacy at all [and some legislators in some countries are actually subscribing to this ATM], since any measure can be circumvented. As this is possible no measure can be argued to be ‘effective’, exactly what you need to define here.

    Let's digress into a more detailed metaphor.

    Say, I invited you and some friends to my house while I am away on holiday. I told you where to find the key to the front door. Accidentally somebody overheard a conversation between you and your wife about where the key is. He now decides to see how I live and rummage through my belongings. He finds some morally dubitable but completely legal items, say, photos of me in women’s underwear. And he decides to publish them through the local newspaper. Would that be alright?

    Now, the so-called virtual world adheres to the same moral and legal rules as the real world, though admittedly legislators as well as normal citizens seem to have great trouble to fathom that. Let’s redress the metaphor in virtual world mode:

    I have a computer connected to the Internet [which in itself makes it open, regardless of firewalls], the computer is linked to another computer, which in turn is just my electronic storage space. You can call it a NAS, an on-line hard drive or a server, it doesn’t really matter. I tell you and a handful of family members and friends how to access files on it. Every one of them has his/her own directory, containing files I want to exchange with them. I do not publish – in any meaningful sense – the URI to these, just tell the individuals in private conversation. I can do that because I trust these people to conform to my moral standards, which in this case are coincidentally the same as those of all [Western] civilisations. That is, they will not start rummaging through my storage house to find out what I exchange with other friends.

    Again, unfortunately someone cleverer than me finds the URI to the storage space and starts going through the directories. Does my stupidity make it right for him to invade my [and my friends' and family's] privacy?

    If you answer ‘yes’ to the last question – which you have done repeatedly and copiously over two threads – you simply deny any right of privacy to anyone. Just because you left your front door open does not mean you lose your rights. That, BTW, is the basis for criminal prosecution. I am sure insurance companies don’t like it, and they will deduct a portion of your money for stolen or broken goods if they find out you left your door open. It is also true that often enough a judge will be less harsh in his rule against a thief if one makes it too easy for him. Still, that does not take away from the victim’s rights of privacy and ownership. Just makes him look stupid.

    Before we shift the target again, let’s be clear that there are exceptions, which have nothing to do with political affiliation [yip, rummaging through Karl Rove’s cupboards is as wrong as going through Barack Obama’s stuff]. IIRC, Mr Lessig mentioned one himself: child pornography. In cases of very strongly illegal material found, one might consider the original illegal breach of privacy minor, although jurisdictionally this will not hold in the US. Unless the word ‘terrorist’ is uttered in connection with the material …

  • mcg

    Dierk, you’re misinterpreting my statements. I am shifting no goalposts whatsoever. I have always focused on nothing but web servers made available through standard means; e.g., submitting links to search engines or posting links on other publicly available web pages. Thus your computer example does not apply; in that case, the owner of the computer in question hasn’t taken the actions to make the system public.

  • mcg

    Dierk, it’s possible you are misinterpreting me because you are laboring under misconceptions about Kozinski’s specific case. Others may need the reminder as well.

    For instance, Lessig claimed that the Kozinski web site had a restrictive robots.txt file; in fact the opposite is true. Evidence from Google searches alone (Google “site:alex.kozinski.com”) makes it clear that the robots.txt file was not restrictive. But more important for our discussion is that it was deliberately created. According to Seth Finkelstein’s analysis, the robots.txt file blocked robots from only one subdirectory on the web site—and it wasn’t the offending one. Thus it was clearly the desire of Judge Kozinski or his site administrator to keep some content private and not others.

    Furthermore, others I have debated with claimed that Judge Kozinski never made public any links to content on his site; that he shared it only with friends. This is also not the case. He embedded links to both his “articles/” subdirectory and his “stuff/” subdirectory on widely available web pages. In doing so he loosed the hounds, so to speak.

    Thus I think my analogies such as full-page ads and radio air time are apt because they represent deliberate choices to use a public medium. I know Kozinski is pleading a certain amount of ignorance here but there clearly were deliberate steps taken to make his web site public.

  • http://sethf.com/ Seth Finkelstein

    FYI, I’ve confirmed the Yahoo search engine indexes directories from file paths. This practice has some significant implications for people who claim that trying truncated URLs is improper behavior and unauthorized access.

  • ogmb

    [Sandip]: Let us suppose you have a website, with an index page which links and uses certain media on the page

    There was no index.htm file in the directory, which makes the rest of your explanations moot. Without an index.htm file and without restricted permissions, searching a web directory becomes extremely simple if you just have a URL from a file in the directory. If you strip the file name (1914fr.jpg) from http://memory.loc.gov/pnp/bbc/1900/1910/1914fr.jpg you get to http://memory.loc.gov/pnp/bbc/1900/1910/ which is an accessible directory without index.htm file, and you can click on any other file in the directory and view/download it and even surf around in the directory structure. The whole transaction takes less than a second and to claim it involves “hacking” doesn’t even pass the laugh test. The prof clearly has an agenda to make the process appear much more complicated (and sinister) than it was in reality.

    Which also turns the whole robots.txt discussion into a red herring. Anyone who is able to configure a robots.txt file also knows that (1) the simplest precaution to prevent public viewing is to post an index.htm file in the directory, and (2) robots.txt files have no impact on permissions. So to claim that the owner had the competence to create a robot but was unable to take the other, more basic precautions is pretty much self-defeating.

  • mcg

    So with this blog, if you download a file I’ve linked from the blog, you can easily figure out what directory that file is located in. But you can’t (without serious hacking) see the other files in that directory, or see the directory structure. That’s because those friends who have helped me set this up have disabled that ability.

    Hmm. Mr. Lessig, you might want to talk to your friends about this. Your web server is, in fact, configured to allow directory browsing for directories that lack index files. A commenter over on Seth Finkelstein’s blog found one instance of it, and I found a number of others.

    Here is the most interesting example: not only does your web server allow directory browsing, but it will helpfully suggest alternatives if you mistype the name of a URL. For instance, I entered the following URLs:

    http://lessig.org/news/2008/
    http://lessig.org/news/2007/

    http://lessig.org/news/2001/

    All of which it happily served up for me. Then I tried this one:

    http://lessig.org/news/2000/

    This directory does not exist, but your web server’s response was particularly, um, helpful: “Multiple Choices: The document name you requested (/news/2000) could not be found on this server. However, we found documents with names similar to the one you requested.” and proceeded to suggest all of the above.

    Again, I do not believe that any content that you have intended to keep private has been exposed by your web site’s configuration. Nor has my “hacking” (your term not mine) exposed any more about your directory structure than is apparent by reading your URLs. If either of these had been the case I would have emailed you privately. Given that it did not I think it is useful for our discussion here.

    It’s also very easy to fix if you so desire, requiring no more than a single change to your master configuration file.
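The two server behaviours described in the comment above (directory listings for directories without an index file, and the “Multiple Choices” page that names similar paths) are both Apache settings: `Options Indexes` (mod_autoindex) and `CheckSpelling On` (mod_speling). The following is an added example, not code from this thread or from Lessig’s site, that audits a configuration text for those two settings and shows the weak block next to the corrected one. The two configuration texts are constructed for the example; the directive names are Apache’s own. robots.txt is deliberately not checked, since it only asks crawlers to stay away and changes no permission.

```python
"""Audit an Apache configuration for automatic directory listings
(mod_autoindex, granted by the ``Indexes`` option) and "Multiple Choices"
name suggestions (mod_speling, enabled by ``CheckSpelling On``).
Added example for this page; the configuration texts are constructed."""
import re
from typing import List

# Constructed: a server block that lists any directory lacking an index
# file and offers similarly named directories when a URL is mistyped.
WEAK_CONF = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
CheckSpelling On
"""

# Constructed: the same block after the single change the comment refers
# to.  With -Indexes, a directory without an index file answers 403
# Forbidden instead of a listing; CheckSpelling Off stops the 300 hints.
HARDENED_CONF = """
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
CheckSpelling Off
"""

OPTIONS_RE = re.compile(r"^\s*Options\s+(?P<args>.+?)\s*$", re.IGNORECASE | re.MULTILINE)
SPELLING_RE = re.compile(r"^\s*CheckSpelling\s+(?P<value>\S+)", re.IGNORECASE | re.MULTILINE)


def indexes_enabled(conf: str) -> bool:
    """Return True if the last effective Options line grants listings.

    Apache treats a line of bare names (``Options Indexes``) as replacing
    the inherited set, and a line of +/- names as adjusting it; ``All``
    includes Indexes.  Mixing the two forms on one line is a syntax error
    in Apache, so each form is handled on its own here.
    """
    enabled = False
    for m in OPTIONS_RE.finditer(conf):
        tokens = [t.lower() for t in m.group("args").split()]
        if all(t[0] in "+-" for t in tokens):
            for t in tokens:
                if t in ("+indexes", "+all"):
                    enabled = True
                elif t in ("-indexes", "-all"):
                    enabled = False
        else:
            enabled = "indexes" in tokens or "all" in tokens
    return enabled


def spelling_enabled(conf: str) -> bool:
    """Return True if the last CheckSpelling directive turns mod_speling on."""
    values = [m.group("value").lower() for m in SPELLING_RE.finditer(conf)]
    return bool(values) and values[-1] == "on"


def audit(conf: str) -> List[str]:
    """List the findings an administrator would want to fix (empty if none)."""
    findings = []
    if indexes_enabled(conf):
        findings.append("Options Indexes: directories without an index file are listed")
    if spelling_enabled(conf):
        findings.append("CheckSpelling On: mistyped URLs get a 300 page naming similar paths")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

Run it against a real httpd.conf by reading the file into a string and calling `audit()`; note that it reads the file flat and does not model per-`<Directory>` scoping, so a finding tells you which directive to look at, not which path it applies to.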

  • Dierk

    No, MCG, I do not misinterpret, and I am quite certain you are shifting goalposts. One thing, you are insisting the Kozinskis were operating a ‘Web server’. Which is neither right nor in any way of interest. Even if it were a server on the WWW it stands to reason if it was public on purpose. While technically, as you and I have pointed out, any computer connected remotely is open it is not necessarily public. You see the difference between ‘open’ and ‘public’? That is the difference Lessig and several others [me included] point out. Just because you have access to my storage space does not mean it is public.

    I go one step further, even if I give you express [another operative word in this context] permission to rummage through my storage space, this does not give you the right to publish what you find. The exception is the same as before, evidence for very serious criminal offences. It does not matter in the least which precautions I did or did not employ to secure my privacy.

    It would be quite different if the Kozinskis, specifically the judge, intentionally made their server and its whole structure public. From all accounts I gathered they didn’t. They were just uneducated, probably stupid. Laughing-stock.

    To end on another, inane, metaphor, just because you are allowed to carry a gun, thus having the potential to kill someone, does not allow you to do so.

  • mcg

    One thing, you are insisting the Kozinskis were operating a ‘Web server’. Which is neither right nor in any way of interest. Even if it were a server on the WWW it stands to reason if it was public on purpose.

    Are you suggesting that he did not intend for his server to be public? The server he attached to the domain name “alex.kozinski.com”? He has used that server to publicly disseminate a number of articles? As for the now-infamous “stuff/” directory, he used it to serve a video referenced on this indisputably public web page.

    I go one step further, even if I give you express [another operative word in this context] permission to rummage through my storage space, this does not give you the right to publish what you find.

    We share common ground on this point. As I said earlier, I expressed some discomfort in sharing this forum here with Cyrus Sanai, because I am not seeking to justify what he did with the content he found. I am only talking about the legality and appropriateness of viewing the content in the first place.

  • http://seanfitzgerald.wordpress.com/ Sean FitzGerald

    After scanning the previous thread (and realising much of what’s being said here has been said before!) I’ve had another thought… another way of looking at this.

    Maybe Lessig doesn’t realise this but people, particularly geeks, make files available on web servers in directories with no index.html all the time. It’s standard practice.

    If observing a directory that doesn’t have an index.html can be a violation of privacy when the owner of the website doesn’t want me to look at it, then how the heck am I supposed to know when a directory I stumble across is meant to be public or meant to be private?

    The onus is on the owner to protect the files in a directory if he doesn’t want me to see them… not on me trying to guess which exposed directories were intended to be private.

    p.s. I want to apologise for calling Cyrus Sanai an ass earlier. I didn’t realise the person in question was on this thread. Passion got the better of me, but it was inappropriate (and a lesson in how to use the open web I am passionate in defending!) I still think what he did was ethically dubious though.

  • mcg

    Good question, Sean. So for instance, how do you know if this URL is public or private?

    http://lessig.org/images

    So with this blog, if you download a file I’ve linked from the blog, you can easily figure out what directory that file is located in. But you can’t (without serious hacking) see the other files in that directory, or see the directory structure. That’s because those friends who have helped me set this up have disabled that ability.

    Mr. Lessig, you might want to have a talk with your friends.

  • http://jonturkler.wordpress.com mehmet

    Actually, no, I’m not focusing on law, although I actually happen to think that existing law (e.g., unlawful access to controlled storage) aligns very well with what I consider to be the natural privacy structure of the Web.

    Still, I am far more comfortable discussing the notion, and possibly agreeing with the notion, that the “digging” Mr. Sanai (sp?) did was wrong. Because in doing so, it goes beyond just a discussion of his techniques and actions—I can bring his motives into it as well. A private detective can be inappropriately intrusive, I suppose, even if he used only legal means to obtain information. What I am simply saying was that the techniques he used were not wrong: legally OR ethically. There are entirely legitimate purposes for such techniques.

  • Cyrus Sanai

    To Sean Fitzgerald:

    That’s the first apology I have received, and I thank you for it.

    I want to point out something which gets lost in the shuffle. The reason I was looking at alex.kozinski.com was because he had placed material concerning a case I was litigating before his court on the website, connecting to it via a link on an article he published personally attacking me.

    When I filed an initial misconduct complaint, the investigating judge found that there was no evidence of this, as Kozinski had erased the evidence, denied its existence, and taken the web site down for a period prior to the decision being issued.

    When the site went up, I filed a new complaint, and was looking for evidence of what else Kozinski might be doing with that site. If I could find evidence that Kozinski was doing something problematic to influence judges on cases he was not assigned to, it would have helped my litigation strategy.

    Well, as everyone knows, I found something else. But if Kozinski had not used his site to attack me in 2005, I would never have bothered to look for it.

    That’s why I have to call “BULLSHIT!” on Prof. Lessig, Prof. Volokh, and the Kozinski couple. The Kozinskis lost any expectations of privacy when he distributed links and used it to violate the canons of judicial ethics. As for attorney ethics (very different from judicial ethics or normal human ethics), once Kozinski inserted himself into my litigation inappropriately, it’s my duty and right to undo the negative consequences and turn the situation to my litigation advantage. That’s what good lawyers do: take lemons handed out by judges and turn them into sweet lemonade.

    I’ve achieved my first litigation objective, as Chief Justice of the United States Roberts has appointed an investigative committee from the Third Circuit. I have two more to accomplish from this, though I’ll keep them under my hat for now. However, I will say that seeing Judge Kozinski humiliated, as he has been, was never my goal. I was a big fan of his before he decided to use me as a pinata.

    Cyrus Sanai

  • SB

    “When the site went up, I filed a new complaint, and was looking for evidence of what else Kozinski might be doing with that site. If I could find evidence that Kozinski was doing something problematic to influence judges on cases he was not assigned to, it would have helped my litigation strategy.”

    Let me finish that sentence – “And I didn’t find anything to indicate that – but I found something I could humiliate him with, so being the classless guy I am, I made that public anyway and came up with some excuses for it after the fact.”

  • ogmb

    [Dierk] While technically, as you and I have pointed out, any computer connected remotely is open it is not necessarily public. You see the difference between ‘open’ and ‘public’? That is the difference Lessig and several others [me included] point out. Just because you have access to my storage space does not mean it is public.

    Compare this to the ruling dvan posted on the previous thread: “It shall not be unlawful under this chapter or chapter 121 of this title for any person-(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” — “Through the World Wide Web, individuals can easily and readily access websites hosted throughout the world. Given the Web’s ubiquitous and public nature, it becomes increasingly important in cases concerning electronic communications available through the Web for a plaintiff to demonstrate that those communications are not readily accessible.”

    As a number of people have demonstrated by now, the effort to access the files took less than a second and required no technical knowledge, and the files were not protected by even the most rudimentary security mechanisms. As such they were clearly readily accessible.

  • AJK

    “But you can’t (without serious hacking) see the other files in that directory, or see the directory structure.”

    Here is a directory listing from your own site

    Index of /blog/2008

    Name Last modified Size Description
    Parent Directory -
    01/ 17-Jun-2008 08:03 -
    02/ 16-Jun-2008 00:50 -
    03/ 11-Jun-2008 06:16 -
    04/ 17-Jun-2008 04:12 -
    05/ 13-Jun-2008 13:05 -
    06/ 17-Jun-2008 09:02 -
    Apache/2.2.8 (Fedora) Server at lessig.org Port 80

    There was no hacking involved. I started with the URL of this page and stripped off the last term. That got me to http://lessig.org/blog/2008/06/ I then deleted the 06 and got the directory listing shown. Tell me again how I have “hacked” your site. If I did the same at any other site, for example alex.kozinski.com, it is not hacking.

    If alex kozinski wanted to keep files on his home server private, he wouldn’t have registered alex.kozinski.com and pointed alex.kozinski.com at his home server.
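The listing AJK pasted above is the standard mod_autoindex page Apache returns for a directory with `Options Indexes` and no index file, and mcg’s “Multiple Choices” page is what mod_speling returns for a mistyped path. The following is an added example, not code from this thread, that an administrator can run over responses from their own server to recognise both page types and to pull the entries out of a listing, which is the fastest way to confirm which directories are being listed before turning the option off. The two HTML bodies are constructed to mirror the Apache 2.2 output shown in the thread; the hostname and paths are taken from the pasted listing.

```python
"""Recognise an Apache mod_autoindex page ("Index of /...") and a
mod_speling "Multiple Choices" page, and extract a listing's entries.
Added example for this page; both HTML bodies are constructed."""
import re
from dataclasses import dataclass
from html import unescape
from typing import List, Optional

# Constructed: what Apache 2.2 returns for a directory that has Options
# Indexes and no index file (same layout as the listing pasted above).
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /blog/2008</title></head><body>
<h1>Index of /blog/2008</h1>
<pre><img src="/icons/blank.gif" alt="Icon "> <a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a>  <a href="?C=D;O=A">Description</a><hr><img src="/icons/back.gif" alt="[DIR]"> <a href="/blog/">Parent Directory</a>  -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="01/">01/</a>  17-Jun-2008 08:03  -
<img src="/icons/folder.gif" alt="[DIR]"> <a href="02/">02/</a>  16-Jun-2008 00:50  -
<img src="/icons/text.gif" alt="[TXT]"> <a href="notes.txt">notes.txt</a>  11-Jun-2008 06:16  1.2K
<hr></pre>
<address>Apache/2.2.8 (Fedora) Server at lessig.org Port 80</address>
</body></html>
"""

# Constructed: a mod_speling "Multiple Choices" body (HTTP status 300)
# for a directory that does not exist.
SAMPLE_MULTIPLE_CHOICES = """<html><head><title>300 Multiple Choices</title></head><body>
<h1>Multiple Choices</h1>
<p>The document name you requested (<code>/news/2000</code>) could not be found on this server.
However, we found documents with names similar to the one you requested.</p>
<ul><li><a href="/news/2008/">/news/2008/</a> (common basename)</li>
<li><a href="/news/2007/">/news/2007/</a> (common basename)</li></ul>
</body></html>
"""

TITLE_RE = re.compile(r"<title>\s*Index of (?P<path>/[^<]*?)\s*</title>", re.IGNORECASE)
ADDRESS_RE = re.compile(r"<address>(?P<server>[^<]+)</address>", re.IGNORECASE)
# One listing row: the link, then optionally "DD-Mon-YYYY HH:MM" and a size.
ENTRY_RE = re.compile(
    r'<a href="(?P<href>[^"]+)">(?P<name>[^<]+)</a>'
    r'(?:\s+(?P<modified>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2})\s+(?P<size>\S+))?'
)


@dataclass
class Entry:
    name: str
    href: str
    is_dir: bool
    modified: Optional[str]
    size: Optional[str]


@dataclass
class Listing:
    path: str
    server: Optional[str]
    entries: List[Entry]


def is_autoindex(body: str) -> bool:
    """True if the body looks like a mod_autoindex directory listing."""
    return TITLE_RE.search(body) is not None and "Parent Directory" in body


def parse_autoindex(body: str) -> Listing:
    """Extract the directory path, server banner and entries from a listing."""
    m = TITLE_RE.search(body)
    if not m:
        raise ValueError("not an Apache autoindex page")
    addr = ADDRESS_RE.search(body)
    entries = []
    for e in ENTRY_RE.finditer(body):
        href, name = e.group("href"), unescape(e.group("name")).strip()
        if href.startswith("?") or name == "Parent Directory":
            continue  # column-sort links and the parent link are not content
        entries.append(Entry(name, href, href.endswith("/"), e.group("modified"), e.group("size")))
    return Listing(m.group("path"), addr.group("server").strip() if addr else None, entries)


def classify_response(status: int, body: str) -> str:
    """Label a response the way the thread describes them."""
    if status == 200 and is_autoindex(body):
        return "directory-listing"
    if status == 300 and "Multiple Choices" in body:
        return "multiple-choices"
    return "ordinary"


if __name__ == "__main__":
    listing = parse_autoindex(SAMPLE_LISTING)
    print(listing.path, listing.server)
    for entry in listing.entries:
        print(" ", entry.name, entry.modified, entry.size)
    print(classify_response(300, SAMPLE_MULTIPLE_CHOICES))
```

A "directory-listing" result for any path on your own server means that directory is being served without an index file and with `Indexes` on; a "multiple-choices" result means mod_speling is enabled and will name neighbouring directories on a typo.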

  • John Millington

    “Privacy is not determined by technology”

    Perhaps the expectation of privacy (I guess “reasonable expectation of privacy” has become a technical legal term, but I’m talking about laymen’s terms) is determined by culture and convention.

    Culture and convention are that a building is private by default; if you’re invited or there’s otherwise some _reason_ to believe it’s public, then maybe it’s public. If you don’t know, and can’t figure out what kind of place it is, assume private.

    Culture and convention on a file server connected to an open network, is that something is public by default. If it denies anonymous requests for information, then it’s probably private. If it fills all requests, without conditionally granting or denying requests based on who is asking for it, then it’s probably public. If you don’t know, and can’t figure out what kind of server it is, assume public.

    Beyond that, back to the tech. I don’t think someone needs to be a computer guru to expect privacy, but shouldn’t they take _some_ responsibility for what they do? The analogy is someone who doesn’t even *know* whether they’re whispering in a bedroom or shouting in the town square. For example, what *is* kozinski.com? Oh, it’s a name and address pairing, deliberately published — by the Kozinskis — to DNS servers all over the world. Why are they advertising their server’s existence and address to the public, if there isn’t at least _some_ expectation that their server will be visited by the public? Why is their agent, the file server, giving out stuff to anyone and everyone, through “normal” ftp or http requests (I’m not talking about abusive exploits here)? Are these just MISTAKES, like me getting drunk and then running around naked on the sidewalk in front of my favorite bar? Afterwards, can I accuse the newspapers of violating my private sidewalk romp?

  • Ezra

    The one thing I don’t understand is why Mr. Sanai chose to pursue this. Wouldn’t Kozinski be perhaps the most sympathetic judge he could hope for?

  • Ezra

    Scratch that. I was under the assumption that Mr. Sanai was the defendant in Judge Kozinski’s pornography trial.

  • http://sethf.com/ Seth Finkelstein

    If anyone is still reading, I have a _Guardian_ column published now on the subject:

    http://www.guardian.co.uk/technology/2008/jun/19/hitechcrime.internet

    “New technologies bring new ways for people to embarrass themselves – just ask the prominent and colourful judge Alex Kozinski”

    I put the issue in the context of competing concepts of “everything not explicitly prohibited is permitted”, versus “everything not explicitly permitted is prohibited”.

  • http://dcdl.org KCinDC

    Lessig is ignoring the point made again by Sean Fitzgerald and mcg. I don’t understand what he believes the conventions of privacy on the web are. If I find something on the web, how can I know whether it’s private or not? It seems to me that anything indexed in search engines or accessible by unrestricted URLs can be assumed to be public. If there’s something unethical about accessing some such URLs (which Lessig says is equivalent to poking about in someone’s home), but there’s no way of separating such supposedly private URLs from the millions of public URLs out there, how can I behave ethically?

    What Sanai did with the information he obtained is an entirely different ethical question from how he obtained it.

    And the point about this being an FTP server, not a website, seems to be not only irrelevant but incorrect.

  • http://sethf.com/ Seth Finkelstein

    If anyone is still reading, I have a Guardian column published about this now:

    http://www.guardian.co.uk/technology/2008/jun/19/hitechcrime.internet

    “New technologies bring new ways for people to embarrass themselves – just ask the prominent and colourful judge Alex Kozinski”

    I put the issue in the context of competing concepts of “everything not explicitly prohibited is permitted”, versus “everything not explicitly permitted is prohibited”.

  • Oliver

    There’s no need to deny oneself schadenfreude to maintain a clear and fair stand on privacy. That would be like denying yourself the right to use deadly force in self-defense. Yes, it’s unseemly, but hey, it’s a jungle out there.

  • http://hitekhomeless.net Hitek Homeless

    I’ll go along with most of this, but individuals just cannot expect privacy without taking some basic steps. We may not all need our hard drives encrypted, anonymous remailers for handling our email and SSL anonymizers for our web surfing, but everyone of us has the ability to decide what level of security he is comfortable with.

    Sure, B&E is illegal, but that doesn’t stop most people from locking their doors. Most folks would call a thief a louse or something stronger, but it does not preclude them locking their doors!

    Leaving a web or ftp server wide open is, to me, like the lady that undresses in front of a picture window; if she didn’t want to be seen, she’d pull the blinds or go into a different room to undress.

    Maybe we should all be able to expect perfect privacy, but the human animal is far too inquisitive. How many of you count your money in the middle of the sidewalk?

  • Scott Ellington

    I’d like to believe that substituting a law enforcement official in place of the disgruntled litigant would significantly change the terms of this controversy from pursuit of a private, malevolent agenda to the search for probable cause.
    Tim Wu, at NCMR, said that the constitutional protections we enjoy preclude the abuse of public power, yet leave us entirely vulnerable to private spelunking and vendetta. Whether the Kozinski privacy-invasion was effected by a private citizen or an ISP, it seems the downside of internet empowerment is reflected in these two blog installments.
    There is not yet a universal protocol for application of The Golden Rule of browsing, but discussions like this one may serve the same important purposes as in 1789, when corruption, abuse and freedom weren’t abstractions.

  • Craig James

    I didn’t realize this was FTP rather than HTTP. This raises a whole new question: Did Sanai plant the evidence?

    FTP has many known exploits, and is an insecure protocol that is largely replaced by SSH in modern systems. Most web sites use HTTP, which is a read-only protocol; you have to use add-on features such as PHP, ASP, or CGI programs to enable a user to modify the contents of an HTTP web site. By contrast, FTP is inherently a two-way protocol (hence the name, File Transfer Protocol). It is DESIGNED to allow users to manipulate the files, and users are only prevented from doing so by carefully-crafted security restrictions. Any mistake in the configuration, and the site is wide open.

    Worse, the protocol was designed before security was a huge problem on the internet, so it doesn’t even encrypt usernames and passwords. And even worse yet, there have been hundreds of different implementations of FTP, some better and some worse, and some of these have well-known exploits that allow a hacker to gain complete access to a system.

    Even if the FTP server was secure, a password-guessing tool such as the ones used by the FBI, can make intelligent guesses based on the site owner’s interests. Such a program could have a high probability of success, because Sanai had full access to the site’s contents. Most users pick passwords they can remember, and an examination of a family’s web site will often be a dead giveaway to a good password-cracking program.

    According to court documents and news stories, Sanai was engaged in a long campaign to discredit Judge Kozinski. Is it too much of a leap of logic to ask whether he might have planted these files?

  • mcg

    I didn’t realize this was FTP rather than HTTP.

    That’s because it wasn’t. Lessig was wrong.

  • http://www.byshenk.net/article.php?story=20080630210902141 Greg Byshenk

    …As I see this matter, the problem arises due to a conflation in many people’s minds of ‘obscure’ and ‘private’, though these are not at all equivalent….
    http://www.byshenk.net/article.php?story=20080630210902141

  • A. J. Randall

    I find the party line analogy interesting, for I would use exactly that to argue quite a different point. In the days of the party line, and for that matter of the human operator, we knew better than to expose anything that we really wanted to be private to the wide world of the telephone. Today, we seem to have graduated from the party line to the radio, and confidently expect that what we broadcast on our radios will be kept strictly confidential. It seems to me to be almost like stripping in the middle of an intersection, then blaming anyone who sees you for violating your privacy.

    What the person did to Judge Kozinski was wrong, I agree. But I would hold that the Judge was complicit to the extent that he left information that was private where the miscreant could get it. Easily, apparently.

    How much different is this, really, than the misuse of .pdf technology that resulted in the exposure of redacted parts of documents to the opposition in a court case?

    If you want it private, don’t do it in public, and never rely on technology that you don’t understand. Particularly technology designed to connect everything to everything else.