Comments on: On privacy in the cyberage (II)
http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/
Blog, news, books
Feed last updated: Fri, 03 Feb 2017 16:59:00 +0000

By: A. J. Randall | Tue, 01 Jul 2008 04:40:05 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12747

I find the party line analogy interesting, for I would use exactly that to argue quite a different point. In the days of the party line, and for that matter of the human operator, we knew better than to expose anything that we really wanted to be private to the wide world of the telephone. Today, we seem to have graduated from the party line to the radio, and confidently expect that what we broadcast on our radios will be kept strictly confidential. It seems to me to be almost like stripping in the middle of an intersection, then blaming anyone who sees you for violating your privacy.

What the person did to Judge Kozinski was wrong, I agree. But I would hold that the Judge was complicit to the extent that he left information that was private where the miscreant could get it. Easily, apparently.

How much different is this, really, than the misuse of .pdf technology that resulted in the exposure of redacted parts of documents to the opposition in a court case?

If you want it private, don’t do it in public, and never rely on technology that you don’t understand. Particularly technology designed to connect everything to everything else.

By: Greg Byshenk | Tue, 01 Jul 2008 02:50:24 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12746

…As I see this matter, the problem arises due to a conflation in many people’s minds of ‘obscure’ and ‘private’, though these are not at all equivalent….
http://www.byshenk.net/article.php?story=20080630210902141

By: mcg | Mon, 30 Jun 2008 20:49:33 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12745

“I didn’t realize this was FTP rather than HTTP.”

That’s because it wasn’t. Lessig was wrong.

By: Craig James | Mon, 30 Jun 2008 00:05:56 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12744

I didn’t realize this was FTP rather than HTTP. This raises a whole new question: Did Sanai plant the evidence?

FTP has many known exploits, and is an insecure protocol that is largely replaced by SSH in modern systems. Most web sites use HTTP, which is a read-only protocol; you have to use add-on features such as PHP, ASP, or CGI programs to enable a user to modify the contents of an HTTP web site. By contrast, FTP is inherently a two-way protocol (hence the name, File Transfer Protocol). It is DESIGNED to allow users to manipulate the files, and users are only prevented from doing so by carefully-crafted security restrictions. Any mistake in the configuration, and the site is wide open.

Worse, the protocol was designed before security was a huge problem on the internet, so it doesn’t even encrypt usernames and passwords. And even worse yet, there have been hundreds of different implementations of FTP, some better and some worse, and some of these have well-known exploits that allow a hacker to gain complete access to a system.

Even if the FTP server was secure, a password-guessing tool such as the ones used by the FBI can make intelligent guesses based on the site owner’s interests. Such a program could have a high probability of success, because Sanai had full access to the site’s contents. Most users pick passwords they can remember, and an examination of a family’s web site will often be a dead giveaway to a good password-cracking program.

According to court documents and news stories, Sanai was engaged in a long campaign to discredit Judge Kozinski. Is it too much of a leap of logic to ask whether he might have planted these files?

By: Scott Ellington | Thu, 26 Jun 2008 05:17:53 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12743

I’d like to believe that substituting a law enforcement official in place of the disgruntled litigant would significantly change the terms of this controversy from pursuit of a private, malevolent agenda to the search for probable cause.

Tim Wu, at NCMR, said that the constitutional protections we enjoy preclude the abuse of public power, yet leave us entirely vulnerable to private spelunking and vendetta. Whether the Kozinski privacy-invasion was effected by a private citizen or an ISP, it seems the downside of internet empowerment is reflected in these two blog installments.

There is not yet a universal protocol for application of The Golden Rule of browsing, but discussions like this one may serve the same important purposes as in 1789, when corruption, abuse and freedom weren’t abstractions.

By: Hitek Homeless | Wed, 25 Jun 2008 21:35:43 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12742

I’ll go along with most of this, but individuals just cannot expect privacy without taking some basic steps. We may not all need our hard drives encrypted, anonymous remailers for handling our email and SSL anonymizers for our web surfing, but every one of us has the ability to decide what level of security he is comfortable with.

Sure, B&E is illegal, but that doesn’t stop most people from locking their doors. Most folks would call a thief a louse or something stronger, but it does not preclude them locking their doors!

Leaving a web or ftp server wide open is, to me, like the lady that undresses in front of a picture window; if she didn’t want to be seen, she’d pull the blinds or go into a different room to undress.

Maybe we should all be able to expect perfect privacy, but the human animal is far too inquisitive. How many of you count your money in the middle of the sidewalk?

By: Oliver | Mon, 23 Jun 2008 04:42:12 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12741

There’s no need to deny oneself schadenfreude to maintain a clear and fair stand on privacy. That would be like denying yourself the right to use deadly force in self-defense. Yes, it’s unseemly, but hey, it’s a jungle out there.

By: Seth Finkelstein | Mon, 23 Jun 2008 01:17:45 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12740

If anyone is still reading, I have a Guardian column published about this now:

http://www.guardian.co.uk/technology/2008/jun/19/hitechcrime.internet

“New technologies bring new ways for people to embarrass themselves – just ask the prominent and colourful judge Alex Kozinski”

I put the issue in the context of competing concepts of “everything not explicitly prohibited is permitted”, versus “everything not explicitly permitted is prohibited”.

By: KCinDC | Sun, 22 Jun 2008 22:42:53 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12739

Lessig is ignoring the point made again by Sean Fitzgerald and mcg. I don’t understand what he believes the conventions of privacy on the web are. If I find something on the web, how can I know whether it’s private or not? It seems to me that anything indexed in search engines or accessible by unrestricted URLs can be assumed to be public. If there’s something unethical about accessing some such URLs (which Lessig says is equivalent to poking about in someone’s home), but there’s no way of separating such supposedly private URLs from the millions of public URLs out there, how can I behave ethically?

What Sanai did with the information he obtained is an entirely different ethical question from how he obtained it.

And the point about this being an FTP server, not a website, seems to be not only irrelevant but incorrect.

By: Seth Finkelstein | Fri, 20 Jun 2008 09:43:53 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12738

If anyone is still reading, I have a _Guardian_ column published now on the subject:

http://www.guardian.co.uk/technology/2008/jun/19/hitechcrime.internet

“New technologies bring new ways for people to embarrass themselves – just ask the prominent and colourful judge Alex Kozinski”

I put the issue in the context of competing concepts of “everything not explicitly prohibited is permitted”, versus “everything not explicitly permitted is prohibited”.

By: Ezra | Wed, 18 Jun 2008 20:47:22 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12737

Scratch that. I was under the assumption that Mr. Sanai was the defendant in Judge Kozinski’s pornography trial.

By: Ezra | Wed, 18 Jun 2008 20:40:53 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12736

The one thing I don’t understand is why Mr. Sanai chose to pursue this. Wouldn’t Kozinski be perhaps the most sympathetic judge he could hope for?

By: John Millington | Wed, 18 Jun 2008 03:07:50 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12735

“Privacy is not determined by technology”

Perhaps the expectation of privacy (I guess “reasonable expectation of privacy” has become a technical legal term, but I’m talking about laymen’s terms) is determined by culture and convention.

Culture and convention are that a building is private by default; if you’re invited or there’s otherwise some _reason_ to believe it’s public, then maybe it’s public. If you don’t know, and can’t figure out what kind of place it is, assume private.

Culture and convention on a file server connected to an open network is that something is public by default. If it denies anonymous requests for information, then it’s probably private. If it fills all requests, without conditionally granting or denying requests based on who is asking for it, then it’s probably public. If you don’t know, and can’t figure out what kind of server it is, assume public.

Beyond that, back to the tech. I don’t think someone needs to be a computer guru to expect privacy, but shouldn’t they take _some_ responsibility for what they do? The analogy is someone who doesn’t even *know* whether they’re whispering in a bedroom or shouting in the town square. For example, what *is* kozinski.com? Oh, it’s a name and address pairing, deliberately published — by the Kozinskis — to DNS servers all over the world. Why are they advertising their server’s existence and address to the public, if there isn’t at least _some_ expectation that their server will be visited by the public? Why is their agent, the file server, giving out stuff to anyone and everyone, through “normal” ftp or http requests (I’m not talking about abusive exploits here)? Are these just MISTAKES, like me getting drunk and then running around naked on the sidewalk in front of my favorite bar? Afterwards, can I accuse the newspapers of violating my private sidewalk romp?

By: AJK | Wed, 18 Jun 2008 01:03:28 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12734

“But you can’t (without serious hacking) see the other files in that directory, or see the directory structure.”

Here is a directory listing from your own site:

Index of /blog/2008

Name Last modified Size Description
Parent Directory -
01/ 17-Jun-2008 08:03 -
02/ 16-Jun-2008 00:50 -
03/ 11-Jun-2008 06:16 -
04/ 17-Jun-2008 04:12 -
05/ 13-Jun-2008 13:05 -
06/ 17-Jun-2008 09:02 -
Apache/2.2.8 (Fedora) Server at lessig.org Port 80

There was no hacking involved. I started with the URL of this page and stripped off the last term. That got me to http://lessig.org/blog/2008/06/ I then deleted the 06 and got the directory listing shown. Tell me again how I have “hacked” your site. If I did the same at any other site, for example alex.kozinski.com, it is not hacking.

If Alex Kozinski wanted to keep files on his home server private, he wouldn’t have registered alex.kozinski.com and pointed alex.kozinski.com at his home server.

By: ogmb | Tue, 17 Jun 2008 14:44:15 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12733

[Dierk] “While technically, as you and I have pointed out, any computer connected remotely is open it is not necessarily public. You see the difference between ‘open’ and ‘public’? That is the difference Lessig and several others [me included] point out. Just because you have access to my storage space does not mean it is public.”

Compare this to the ruling dvan posted on the previous thread: “It shall not be unlawful under this chapter or chapter 121 of this title for any person-(i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.” — “Through the World Wide Web, individuals can easily and readily access websites hosted throughout the world. Given the Web’s ubiquitous and public nature, it becomes increasingly important in cases concerning electronic communications available through the Web for a plaintiff to demonstrate that those communications are not readily accessible.”

As a number of people have demonstrated by now, the effort to access the files took less than a second and required no technical knowledge, and the files were not protected by even the most rudimentary security mechanisms. As such they were clearly readily accessible.

By: SB | Tue, 17 Jun 2008 11:22:09 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12732

“When the site went up, I filed a new complaint, and was looking for evidence of what else Kozinski might be doing with that site. If I could find evidence that Kozinski was doing something problematic to influence judges on cases he was not assigned to, it would have helped my litigation strategy.”

Let me finish that sentence – “And I didn’t find anything to indicate that – but I found something I could humiliate him with, so being the classless guy I am, I made that public anyway and came up with some excuses for it after the fact.”

By: Cyrus Sanai | Tue, 17 Jun 2008 10:47:34 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12731

To Sean Fitzgerald:

That’s the first apology I have received, and I thank you for it.

I want to point out something which gets lost in the shuffle. The reason I was looking at alex.kozinski.com was because he had placed material concerning a case I was litigating before his court on the website, connecting to it via a link on an article he published personally attacking me.

When I filed an initial misconduct complaint, the investigating judge found that there was no evidence of this, as Kozinski had erased the evidence, denied its existence, and taken the web site down for a period prior to the decision being issued.

When the site went up, I filed a new complaint, and was looking for evidence of what else Kozinski might be doing with that site. If I could find evidence that Kozinski was doing something problematic to influence judges on cases he was not assigned to, it would have helped my litigation strategy.

Well, as everyone knows, I found something else. But if Kozinski had not used his site to attack me in 2005, I would never have bothered to look for it.

That’s why I have to call “BULLSHIT!” on Prof. Lessig, Prof. Volokh, and the Kozinski couple. The Kozinskis lost any expectations of privacy when he distributed links and used it to violate the canons of judicial ethics. As for attorney ethics (very different from judicial ethics or normal human ethics), once Kozinski inserted himself into my litigation inappropriately, it’s my duty and right to undo the negative consequences and turn the situation to my litigation advantage. That’s what good lawyers do: take lemons handed out by judges and turn them into sweet lemonade.

I’ve achieved my first litigation objective, as Chief Justice of the United States Roberts has appointed an investigative committee from the Third Circuit. I have two more to accomplish from this, though I’ll keep them under my hat for now. However, I will say that seeing Judge Kozinski humiliated, as he has been, was never my goal. I was a big fan of his before he decided to use me as a pinata.

Cyrus Sanai

By: mehmet | Tue, 17 Jun 2008 03:34:32 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12730

Actually, no, I’m not focusing on law, although I actually happen to think that existing law (e.g., unlawful access to controlled storage) aligns very well with what I consider to be the natural privacy structure of the Web.

Still, I am far more comfortable discussing the notion, and possibly agreeing with the notion, that the “digging” Mr. Sanai (sp?) did was wrong. Because in doing so, it goes beyond just a discussion of his techniques and actions—I can bring his motives into it as well. A private detective can be inappropriately intrusive, I suppose, even if he used only legal means to obtain information. What I am simply saying is that the techniques he used were not wrong: legally OR ethically. There are entirely legitimate purposes for such techniques.

By: mcg | Tue, 17 Jun 2008 02:04:00 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12729

Good question, Sean. So for instance, how do you know if this URL is public or private?

http://lessig.org/images

“So with this blog, if you download a file I’ve linked from the blog, you can easily figure out what directory that file is located in. But you can’t (without serious hacking) see the other files in that directory, or see the directory structure. That’s because those friends who have helped me set this up have disabled that ability.”

Mr. Lessig, you might want to have a talk with your friends.

By: Sean FitzGerald | Tue, 17 Jun 2008 01:40:45 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12728

After scanning the previous thread (and realising much of what’s being said here has been said before!) I’ve had another thought… another way of looking at this.

Maybe Lessig doesn’t realise this but people, particularly geeks, make files available on web servers in directories with no index.html all the time. It’s standard practice.

If observing a directory that doesn’t have an index.html can be a violation of privacy when the owner of the website doesn’t want me to look at it, then how the heck am I supposed to know when a directory I stumble across is meant to be public or meant to be private?

The onus is on the owner to protect the files in a directory if he doesn’t want me to see them… not on me trying to guess which exposed directories were intended to be private.

p.s. I want to apologise for calling Cyrus Sanai an ass earlier. I didn’t realise the person in question was on this thread. Passion got the better of me, but it was inappropriate (and a lesson in how to use the open web I am passionate in defending!) I still think what he did was ethically dubious though.

By: mcg | Tue, 17 Jun 2008 00:00:17 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12727

“One thing, you are insisting the Kozinskis were operating a ‘Web server’. Which is neither right nor in any way of interest. Even if it were a server on the WWW it stands to reason if it was public on purpose.”

Are you suggesting that he did not intend for his server to be public? The server he attached to the domain name “alex.kozinski.com”? He has used that server to publicly disseminate a number of articles? As for the now-infamous “stuff/” directory, he used it to serve a video referenced on this indisputably public web page.

“I go one step further, even if I give you express [another operative word in this context] permission to rummage through my storage space, this does not give you the right to publish what you find.”

We share common ground on this point. As I said earlier, I expressed some discomfort in sharing this forum here with Cyrus Sanai, because I am not seeking to justify what he did with the content he found. I am only talking about the legality and appropriateness of viewing the content in the first place.

By: Dierk | Mon, 16 Jun 2008 23:29:05 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12726

No, MCG, I do not misinterpret, and I am quite certain you are shifting goalposts. One thing, you are insisting the Kozinskis were operating a ‘Web server’. Which is neither right nor in any way of interest. Even if it were a server on the WWW it stands to reason if it was public on purpose. While technically, as you and I have pointed out, any computer connected remotely is open it is not necessarily public. You see the difference between ‘open’ and ‘public’? That is the difference Lessig and several others [me included] point out. Just because you have access to my storage space does not mean it is public.

I go one step further, even if I give you express [another operative word in this context] permission to rummage through my storage space, this does not give you the right to publish what you find. The exception is the same as before, evidence for very serious criminal offences. It does not matter in the least which precautions I did or did not employ to secure my privacy.

It would be quite different if the Kozinskis, specifically the judge, intentionally made their server and its whole structure public. From all accounts I gathered they didn’t. They were just uneducated, probably stupid. Laughing-stock.

To end on another, inane, metaphor, just because you are allowed to carry a gun, thus having the potential to kill someone, does not allow you to do so.

By: mcg | Mon, 16 Jun 2008 23:00:56 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12725

“So with this blog, if you download a file I’ve linked from the blog, you can easily figure out what directory that file is located in. But you can’t (without serious hacking) see the other files in that directory, or see the directory structure. That’s because those friends who have helped me set this up have disabled that ability.”

Hmm. Mr. Lessig, you might want to talk to your friends about this. Your web server is, in fact, configured to allow directory browsing for directories that lack index files. A commenter over on Seth Finkelstein’s blog found one instance of it, and I found a number of others.

Here is the most interesting example: not only does your web server allow directory browsing, but it will helpfully suggest alternatives if you mistype the name of a URL. For instance, I entered the following URLs:

http://lessig.org/news/2008/
http://lessig.org/news/2007/

http://lessig.org/news/2001/

All of which it happily served up for me. Then I tried this one:

http://lessig.org/news/2000/

This directory does not exist, but your web server’s response was particularly, um, helpful: “Multiple Choices: The document name you requested (/news/2000) could not be found on this server. However, we found documents with names similar to the one you requested.” and proceeded to suggest all of the above.

Again, I do not believe that any content that you have intended to keep private has been exposed by your web site’s configuration. Nor has my “hacking” (your term not mine) exposed any more about your directory structure than is apparent by reading your URLs. If either of these had been the case I would have emailed you privately. Given that it did not I think it is useful for our discussion here.

It’s also very easy to fix if you so desire, requiring no more than a single change to your master configuration file.

By: ogmb | Mon, 16 Jun 2008 18:51:02 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12724

[Sandip]: “Let us suppose you have a website, with an index page which links and uses certain media on the page”

There was no index.htm file in the directory, which makes the rest of your explanations moot. Without an index.htm file and without restricted permissions, searching a web directory becomes extremely simple if you just have a URL from a file in the directory. If you strip the file name (1914fr.jpg) from http://memory.loc.gov/pnp/bbc/1900/1910/1914fr.jpg you get to http://memory.loc.gov/pnp/bbc/1900/1910/ which is an accessible directory without index.htm file, and you can click on any other file in the directory and view/download it and even surf around in the directory structure. The whole transaction takes less than a second and to claim it involves “hacking” doesn’t even pass the laugh test. The prof clearly has an agenda to make the process appear much more complicated (and sinister) than it was in reality.

Which also turns the whole robots.txt discussion into a red herring. Anyone who is able to configure a robots.txt file also knows that (1) the simplest precaution to prevent public viewing is to post an index.htm file in the directory, and (2) robots.txt files have no impact on permissions. So to claim that the owner had the competence to create a robot but was unable to take the other, more basic precautions is pretty much self-defeating.

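The “single change to your master configuration file” mcg mentions, and ogmb’s point that an index.htm hides a listing while robots.txt changes no permissions, as an added illustration that is not from any commenter: an Apache httpd 2.2 fragment (the version the listing above reports) showing the permissive settings that produce the “Index of” pages and the “Multiple Choices” response, beside the corrected ones. The document root, the private directory name and the trusted address range are assumptions.

```apache
# --- Permissive: produces the behaviour described in the thread ---
# "Indexes" makes httpd generate an "Index of /..." page for any
# directory that has no DirectoryIndex file (index.html / index.htm).
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# mod_speling: a mistyped URL such as /news/2000/ gets a 300
# "Multiple Choices" page listing the near-miss names that do exist.
CheckSpelling On

# --- Corrected ---
# Without "Indexes", a directory that lacks an index file returns 403
# instead of a listing. Note that dropping an index.htm into the
# directory only hides the listing; files whose names are already
# known (for example from a link) are still served.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# A mistyped URL is now a plain 404 with no suggestions.
CheckSpelling Off

# Content meant to stay private needs an access control on the server,
# not a robots.txt entry: robots.txt only asks well-behaved crawlers to
# stay away and has no effect on what httpd will serve to a browser.
# "/var/www/html/private" is a hypothetical directory name.
<Directory "/var/www/html/private">
    Options -Indexes
    Order deny,allow
    Deny from all
    # 192.0.2.0/24 is the RFC 5737 documentation range, standing in
    # for a trusted internal network.
    Allow from 192.0.2.0/24
</Directory>
```

After the change, `apachectl configtest` followed by a graceful restart applies it; a request for a directory with no index file should then return 403 rather than an “Index of” page, and /private/ should return 403 from any address outside the allowed range.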
By: Seth Finkelstein | Mon, 16 Jun 2008 18:28:58 +0000 | http://www.lessig.org/2008/06/on-privacy-in-the-cyberage-ii/#comment-12723

FYI, I’ve confirmed the Yahoo search engine indexes directories from file paths. This practice has some significant implications for people who claim that trying truncated URLs is improper behavior and unauthorized access.
