Someone posts a fake profile of you on MySpace casting aspersion on your character. You may be justifiably angry, but unless you are willing to specify the defamations and provide proof they are untrue, don't expect to be able to unmask the profile author.
On Friday, Cicero, Ill., Town President Larry Dominick dropped his request for a court to force MySpace to identify the creator of several spoof profiles in his name that he claimed were defamatory. His petition filed last month (PDF) did not provided details about the profiles and exactly what was defamatory. The pages were removed after Dominick complained.
The profiles had photos and "questionable comments about his sexuality and ethics," according to the Chicago Tribune.
The Electronic Frontier Foundation filed a friend of the court brief last week arguing that fulfilling the request would violate the author's First Amendment right to remain anonymous unless Dominick could demonstrate a viable legal claim. The EFF also argued that the federal Stored Communications Act, which prohibits government entities--including Dominick acting in his official capacity as Cicero town president--from obtaining identifying customer information through the ordinary civil discovery process.
EFF Senior Staff Attorney Matt Zimmerman says the organization doesn't oppose all claims of Internet defamation, only those that fail to provide details about the alleged defamation and proof that the statements aren't true, as well as those that don't provide notification to the person whose identity is being sought.
"It's far too easy for someone to go into court and simply ask a third party like MySpace or Facebook to turn this information over if there is no attempt to notify the person whose rights would be affected," he told CNET News.com.
The concern is that without First Amendment safeguards for anonymity people will use the courts merely to find the identity of people whose opinion or actions they disagree with and use that information to chill criticism.
Most of the time, the cases arise from postings made on blogs. But social network pages are increasingly being used for anonymous self expression.
For instance, a judge in Indiana ordered Facebook to name the person who created a fake profile for a high school dean last month.
LOS ANGELES--If Jim Brady had his way, there would be no guaranteed anonymity for those who post comments to Washingtonpost.com.
Brady, executive editor of The Washington Post's online division, said during a panel discussion at the Digital Hollywood conference here that he would like to see a technology that could identify people who violate site standards--and if need be--automatically kick them off for good.
Brady has a notable history with this issue and I'll get to that. First, his position must be made clear. In an interview following the panel discussion, Brady said he doesn't want people's personal information for any other reason but to hold them accountable for what they post. He said he's not--as he has been accused by some--an enemy of free speech. He just wants to oversee a site where readers engage in civil discourse and debate without fear of it degenerating into a "back alley environment."
"I think part of the problem is that people aren't held accountable on the Web," Brady said. "People say things online they would never say when disagreeing with someone at the dinner table. I think heated debate is fine, but when there are (flame wars), many people won't take part for fear they will be attacked and bashed over the head with the (Internet-equivalent) of a steel pipe."
Brady knows how intensely many Internet users disagree with him. He made headlines in January 2006 after shutting down the comments area of a blog where outraged readers gathered to rebuke the Post's ombudsman, Deborah Howell.
Following the Jack Abramoff lobbying scandal, Howell erred when she said that the lobbyist gave campaign donations to Democrats as well as Republicans. Abramoff gave only to Republicans. The paper's Web site saw more than 1,000 comments, many from people who accused the Post of conspiring with the Republicans.
Things got worse when Howell posted a clarification. When Brady saw that many of those comments violated the paper's policy against the use of profanity or personal attacks, he blocked users' ability to post. The decision was widely criticized. In defense of his decision, Brady wrote that many of the posts weren't comments at all, but the kind of thing "you might find carved on the door of a public toilet stall."
I reminded Brady that many people feel strongly about their right to privacy online. He responded that he feels strongly about it too, but there are plenty of sites that take an anything-goes approach and that people who want to drop F-bombs and blast each other should go there. "We don't want our site to be sanitized, but we have the right to create a different kind of community," Brady said.
Brady also lamented that closing user accounts doesn't keep bad eggs off a site. They just come back and create new ones. He said that his site can identify someone's IP address, but it's not an elegant solution because blocking them can be tricky. "You don't want to end up blocking the entire Department of Energy or something like that," he said.
Pluck, a company that provides social-networking software, helps maintain some of the Post's blogs and has implemented a "bozo filter," which can isolate comments that include banned words or phrases, according to Brady.
But this isn't a solution. Brady believes that in the next five years people will be required to identify themselves in some way at many sites. "I don't know whether we do it with a credit card number, a driver's license or passport, but I think making people responsible would raise the level of discourse."
Greg Sandoval is a former Washington Post staff writer.
For more photos of the New York protest, click here
Hundreds of Internet users stood outside for hours in the cold on Sunday morning, and they weren't waiting for a shipment of Nintendo Wiis. They were Anonymous, a group of online activists standing outside the New York City Church of Scientology to protest the organization's policies. The protest was one of many conducted across the world at major Scientology centers on that day.
The New York City protest saw between 200 and 300 Anonymous gather outside of the Church of Scientology New York. Other prominent "raids" included 150-200 Anonymous meeting in Sydney and 500 Anonymous meeting in London to protest the Church. The protests were a part of "Operation Chanology," Anonymous' efforts to discredit the Church of Scientology.
The raids were generally peaceful, with few disturbances reported. In New York, Anonymous cooperated with the NYPD to ensure the safety of its members and a minimum of disruption. NYPD officers escorted Anonymous from their meeting place in Bryant Park up to the Church of Scientology New York building, where they stood behind cordons to allow traffic to continue down 46th Street.
Like its name implies, Anonymous is less an organization than a loose confederation of Internet message board readers and IRC chat network users. Sites like 4chan.org (warning: content may not be work-safe) brought together thousands of Internet users with a variety of interests and vocations. Anonymous seldom meet physically in large numbers outside of their message boards and chat channels. The February 10 "raids" presented one of the first examples of major Anonymous movement outside of the Internet. The February 10th date was chosen because it was the birthday of Lisa McPherson, a Scientologist Anonymous alleges was killed due to the Church of Scientology's actions.
While "Anonymous" was initially a joke directed at certain news organizations, the group began to come together in January as a response to the Church of Scientology's request for Youtube to remove a Scientology video involving Tom Cruise. Since then, Anonymous groups have protested the Church of Scientology, distributed anti-Scientology materials, and allegedly performed "Denial of Service" attacks on the Church's telecommunications systems.
The Church of Scientology issued a statement on February 10 in response to the Anonymous attacks. According to the statement, released by Rev. John Carmichael, President of the Church of Scientology New York, Anonymous has been committing hate crimes against the Church. The release described Anonymous as "cyber-terrorists," and alleged that Anonymous members threatened the Church and mailed "white powder" to dozens of its branches. The Church went on to denounce Anonymous as individuals who hide behind masks and Internet anonymity.
According to Anonymous, its members wear masks and hide their identity to protect themselves against the Church of Scientology's "Fair Game" policy. Anonymous claims that "Fair Game" is a Church policy that states that any "Suppressive Persons" may be prevented from speaking out against the Church by any means necessary. According to the Church of Scientology's web site, the "Fair Game" policy was canceled in 1968, and the Church does not condone illegal or unethical activities committed in its name.
Correction: The authors of the Netflix de-anonymization study contacted me to point out that they originally published a draft of their results a mere two weeks after Netflix released its dataset. Netflix has known about their study for over a year.
Over the past year, there have been a number of high-profile incidents in which sensitive user data was accidentally revealed to the Internet at large. As a result, I believe that high-tech companies will never again share anonymized data on their users with academic researchers, at least not without requiring contracts and nondisclosure agreements. For the users and privacy advocates, this is probably a good thing. However, for researchers, the scientific community, and Internet users who want cool new technologies, this is almost certainly a change for the worse.
Netflix
(Credit: Flickr / thebluedino)In 2006, Netflix released over 100 million movie ratings made by 500,000 subscribers to their online DVD rental service. The company then offered $1 million to anyone who could improve the company's system of DVD recommendation. In order to protect its customers' privacy, Netflix anonymized the data set by removing any personal details.
Researchers announced this week that they were able to de-anonymize the data, by comparing the Netflix data against publicly available ratings on the Internet Movie Database (IMDB). Whoops.
For Internet privacy geeks, this Netflix incident is just another version of an all-too-familiar tale: A well-meaning company releases a large data set of user data, which it has scrubbed to remove any identifying information. Armed with this data set, researchers are able to trace backwards, and match names to the profiles and their online behavior.
The same thing happened back in 2006 when AOL released the search records of 500,000 of its users. Within days of the database's release, journalists from the New York Times had revealed the identity of user number 4417749 to be Thelma Arnold, a 62-year-old widow from Lilburn, Ga. Over 300 of the woman's searches were traced back to her, ranging from "60 single men" to "dog that urinates on everything."
The fallout from the AOL incident was devastating, both for the company and the industry as a whole. The CTO of the company and the researchers responsible for sharing the data were all fired. In addition to pulling the data set, the entire Web presence for AOL's research division was taken offline. More than one year onward, the AOL Research group still does not have a working homepage.
The shockwaves spread to the entire search engine industry. Google's CEO Eric Schmidt spoke to journalists shortly after AOL posted the data. After calling the data release "a terrible thing," he assured the public that "this kind of thing could not happen at Google."
The end result was that no search engine would ever again release anonymized log data to the research community.
Big Brother
(Credit: Flickr / surfstyle)The announcement by researchers of their Netflix project is so recent that it has yet to be seen how the company will respond. The data has been public for over a year, and With a $1 million prize, the release almost certainly required the sign-off from executives (and so the company cannot blame rogue researchers as AOL did). While search engine logs are obviously extremely sensitive, video rental records are also very private. Enough so that Congress has given video rental records a higher level of protection than almost any other form of personal data (this was prompted by the worry that the politicians' own rental records could be published by journalists).
Companies do not make money by giving researchers access to data. They do it to promote and encourage research in the field. Based on the AOL and Netflix incidents, I suspect that we will see a major chill hit the industry. No high-tech company with large amounts of user data will ever again risk making it available to researchers without first requiring them to sign a lengthy contract. The risk of the data being de-anonymized (and the resulting public relations and legal trouble) is simply not worth it.
So, what if companies require researchers to sign agreements before the firms hand over anonymized user data? Isn't that a good way to protect users, yet still enable researchers to do their thing? Unfortunately, research is rarely respected by the community when the data comes with strings. It is for good reasons that people are dubious when drug companies sponsor research into the safety of one of their drugs. When a company holds the keys to the data, they can stop the publication of anything which will make them look bad.
As a privacy advocate and end user, I think the shift against sharing anonymized data is probably a good thing. After all, I don't want some random student browsing through my search history, anonymized or not. However, if I take the end-user hat off, and put on my PhD student hat, then this is a really bad thing. Researchers depend on accurate data in order to do their work. Without the data, we don't get new exciting research, and thus no new cool technologies. For the research community, this Netflix incident will be the final nail in the coffin of information sharing from the dot-coms.
In a recent blog posting, a German operator of a Tor anonymous proxy server revealed that he was arrested by German police officers at the end of July. Although he was released shortly afterwards, information about the arrest had been kept quiet until his lawyers were able to get the charges dropped.
Tor Project Logo
(Credit: Tor Project)Tor is a privacy tool designed to allow users to communicate and browse anonymously on the Internet. It's endorsed by the Electronic Frontier Foundation and other civil liberties groups as a method for whistle blowers and human rights workers to communicate with journalists. Tor provides anonymous Web-browsing software to hundreds of thousands of users around the world, according to its developers. The largest numbers of users are in the United States, the European Union and China.
The police were investigating a bomb threat posted to an online forum for German police officers. The police traced one of the objectionable posts on the forum to the IP address for Janssen's server. Up until his arrest, Alex Janssen's Tor server carried more than 40GB of random strangers' Internet traffic each day.
Showing up at his house at midnight on a Sunday night, police cuffed and arrested him in front of his wife and seized his equipment. In a display of both bitter irony and incompetence, the police did not take or shutdown the Tor server responsible for the traffic they were interested in, which was located in a different city, more than 500km away.
Janssen's attempts to explain what Tor is to the police officers initially fell on deaf ears. After being interrogated for hours, someone from the city of Düsseldorf's equivalent of the Department of Homeland Security showed up and admitted to Janssen that they'd made a mistake. He was released shortly after.
Germany is clearly not going out of its way to make computer security researchers and activists feel too welcome. Germany recently passed a law that "renders the creation and distribution of software illegal that could be used by someone to break into a computer system or could be used to prepare a break in. This includes port scanners like nmap, security scanners like nessus [as well as] proof of concept exploits."
Back in summer 2006, German authorities conducted a simultaneous raid of seven different data centers, seizing 10 Tor servers in the process. Agents took the servers believing them to be related to a child porn investigation. Furthermore, in 2003 a German court ordered the developers of the Jap anonymity system, a completely different project than Tor, to create a back-door in their system to be used in national security investigations.
This event does raise some interesting legal questions. If 40GB of other people's Internet traffic flows through your own home network, can authorities, be they the RIAA or FBI, reasonably link anything that has been tracked to your computer's IP address to you?
Does setting up a Tor server give you the ultimate plausible deniability card? "No officer, that BitTorrent download wasn't mine. It was from one of the thousands of people who route their Internet traffic through the anonymizing sever on my home network."
The ability to have a believable claim to plausible deniability is something that some of us have been attempting to get for a while by having an open wireless access point at home. And 40GB of Internet traffic from perfect strangers may be more significant in the eyes of a court than the possibility of one or two of your neighbors connecting to your wireless network. All of this, for now, remains theoretical. No Tor-related case has made it to the courts.. but it's just a matter of time until one does.
- prev
- 1
- next
