Your Rights Online
Posted: Tue Apr 12, 2011 4:22 pm
[With apologies to /. for the namesteal.]
Continuing this thread, about various issues at the intersection of technology and law...
<hr>While I have unfettered access to the database here on Bulldrek, I still don't know your password. I can read everything in the database, but I still can't read your password. This is because, behind the scenes, the board software hashes your password into something that isn't human-readable, and that isn't easily reverse-engineerable [but, since the hash doesn't ever change, the board still recognizes that when you type "IHeartPonies," that's the same thing as the "AG65DA65" hash that's stored].
This sucks for me, because people tend to use the same passwords for multiple services, so in theory if I knew Bone's Bulldrek password, I could use it to log into his email and send tons of invitations to sexual adventures to myself, which he would thus be required to fulfill. ["You emailed me an offer for a Cleveland Steamer! That's a contractual obligation!"] But for you, it's great: it means you can sign up to sites willy-nilly, without concern that someone out there will know about your secret love for ponies.
However, this sucks for an additional group of people who have slightly more power over your daily affairs than I do: governments. See, they love unhashed passwords, preferably retained for as long as possible, so they can go back to some account you used three years ago, subpoena your password, and have their way with you. Do they really need the password? In most cases, no: a subpoena will get them the data they require. But they want the password, for many of the same nefarious reasons I do: not only would they like to be able to log into your same-password site in a country that doesn't recognize their subpoena, they'd also like to be able to have your password in the event that the information itself is not accessible without a password, as in the case of encrypted sites and files.
Governments have slightly more power than I do, and they're making their move. Now, the EU has been doing some dangerous things with data retention for a while now - holding records longer than I think is necessary, making ISPs government gatekeepers: leaving information hackers would love to have accessible for years behind walls built by ISPs.
But the French have an idea: they want to go beyond the draconian EU data retention regulations, and bar all sites from hashing passwords. They want this unhashed password - and users' names, postal addresses, phone numbers, etc. - to be available for one full year, to "police, the fraud office, customs, tax and social security bodies."
Now, the hash issue is arguable - various sources claim a hashed password would be fine - but the retention is not: for a year, in France, thousands of people would have access to an unprecedented amount of personal information. I detailed in the other thread why this is seriously bad news, so I won't belabor the point here, but this new action by the French government is deeply worrying, plaintext passwords or not. It's predictably being challenged by the corporations involved - many of whom don't want to do the government's job, and almost none of whom want to have to completely redesign their services for one nation's idiosyncrasies - so one can at least hope that the courts will act rationally and in the best interests of the populace.
I'll keep abreast of the case, of course, and update the thread as I learn more.
<hr>When you do a Google search for my name, you get my Facebook and LinkedIn profiles, and my public Picasa page, and not a whole lot else. I'm not searched for very much, or linked to very much [as I like it]. But when you start typing my name into the search field, Google's autocomplete starts making suggestions: ESPN, for instance, for "E." Once you get to my whole first name, it suggests, "Early signs of pregnancy," which presumably is the most-often-searched-for term people go for that starts with "earl."
But what if people didn't like me very much? What if, when people searched for my name, their most common searches were things like, "Earl Hollar truffatore" or "Earl Hollar truffa?" If enough people performed this search, eventually, when searching for my name, the autocomplete would suggest these words...Italian for "con man" and "fraud," respectively. Google didn't assign those words to go with me, but their algorithm did. So, are they liable for what their algorithm does to the actions of others?
Italy thinks so. Italy, who believes Google's managers are personally responsible for videos posted to YouTube. Italy, who clearly doesn't comprehend the internet and how it works. As far as Italy is concerned, if one of you posts a work that harasses someone, I'm responsible for it, even if I haven't seen it. So of course, Italy won this case, which will either presumably force Google to no longer use Autocomplete in Italy, or else change their algorithm to filter out any libel. Both of those things are impossible, so what Google appears to be doing is trying their best at the latter and then claiming that's enough, and it'll probably work out for them.
The long-term impact, though, of this type of legislation is chilling. Much of the legislation going on in the EU right now points toward one possible future of the internet, one which looks a lot more like real-life expectations of behavior than the wild west internet we have today. Unfortunately, their real-life expectations don't seem to be informed by the technological realities.
Mind you, I don't support the wild west as a vision for the future: as much as I enjoy it, this can't be how we run our infosphere. But there are major cautions to be made moving forward, actions whose effects could be troubling or even catastrophic. We must move forward with law and order on the internet, absolutely, but we must assure we do so in the most logical, rational, well-informed, just and fair way possible.
<hr>Lunch now. More later.
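As an added illustration of the password hashing described near the top of the post (this is example code written for this page, not the board software's own code; the record format, the iteration count and the choice of salted PBKDF2-HMAC-SHA256 are assumptions of the example), the following shows what a site stores instead of the password and how it still recognizes the right password at login. The salt is the part worth noticing: it makes the stored record different for every user even when two users pick the same password, so someone reading the database sees neither the password nor which accounts share one.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example. A real deployment tunes the iteration
# count to its login latency budget and stores it alongside the hash so it
# can be raised later without breaking existing records.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the storable record 'scheme$iterations$salt_hex$hash_hex'.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only useful for tests that need a deterministic result).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=DK_LEN)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the
    record and compare in constant time. Malformed records never verify."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != SCHEME or rounds <= 0:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             rounds, dklen=DK_LEN)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo() -> dict:
    """Exercise the two functions with the post's example password
    (constructed input) and report what an observer of the database sees."""
    record = hash_password("IHeartPonies")
    second_user = hash_password("IHeartPonies")
    return {
        "record_contains_plaintext": "IHeartPonies" in record,
        "correct_password_verifies": verify_password("IHeartPonies", record),
        "wrong_password_verifies": verify_password("IHeartPonie", record),
        "same_password_same_record": second_user == record,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that the stored record does not contain the password, that only the exact password verifies, and that two users with the same password still get different records. Reading the database therefore yields a record that is useful for checking a login attempt but not for reading the password back out.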