[IP] Google search and seizure, etc. vs. technologists

To: ip@xxxxxxxxxxxxxx
Subject: [IP] Google search and seizure, etc. vs. technologists
From: David Farber <dave@xxxxxxxxxx>
Date: Sun, 4 Dec 2005 05:52:21 -0500
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
References: <200512040153.jB41rMRo007610@xxxxxxxxxxxxxxxxx>
Reply-to: dave@xxxxxxxxxx



Begin forwarded message:

From: Lauren Weinstein <lauren@xxxxxxxxxx>
Date: December 3, 2005 8:53:22 PM EST
To: dave@xxxxxxxxxx
Cc: lauren@xxxxxxxxxx
Subject: Re: [IP] Google search and seizure, etc. vs. technologists

In the 1980s, the "average user" would never
need a local area network in his home. In the early 1990s, the
"average user" would never understand or need the Internet. And so on.


In fact, the reality of the current security and privacy mess with
the Internet helps to prove my point.  For example, talk to the folks
who drive around plotting all of the open wireless LANs that are
literally everywhere in virtually every neighborhood.  The vast
majority of them have *no* security at all -- not even cruddy old
WEP.  This includes businesses, medical offices, you name it, as
well as vast numbers of private homes.  Yet, for years every WLAN
product has included at the very least WEP capabilities, and
instructions on how to set it up.  Despite this, many people's open
WLANs are constantly being abused, sometimes with tragic results.

That situation is gradually starting to improve, but only because the
setting up of *some* level of security has become part of the
standard installation scripts for many products.  But until this
became the *default*, even when it was easy to use, most people
didn't bother.  Why?  Most of the time, simply because they didn't
believe that any associated risks applied to them -- and that view
is easy to understand.  The computer industry is great at promoting
the vast benefits of their products, but do their best to keep the
downsides to the fine print, buried in click-through license
mumbo-jumbo that even many lawyers would have trouble understanding,
along with lilliputian quick-start guides that are the only
instructions many people read.

The same thing goes for Internet services.  It is utterly reasonable
to expect that the *defaults* provided will respect people's privacy,
security, and other rights.  We are a society of laws and those laws
are there (at least in theory) to help protect those rights.  It is
unfair in the extreme to suggest that anyone who doesn't jump
through hoops to protect themselves from information abuse is
somehow negligent, while asserting that legislative efforts should
not be made to rein in the way that the services behave -- so that
those services meet a reasonable standard that society agrees is
appropriate.

Yes, imposing society's will on such firms can be tough to do,
especially when dealing with powerful and well-heeled interests.
But not to do so -- to not even try -- is just surrendering to what
most of us know in our hearts is just plain wrong.

--Lauren--
Lauren Weinstein
lauren@xxxxxxxx or lauren@xxxxxxxxxx or lauren@xxxxxxxx
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, EEPI
  - Electronic Entertainment Policy Initiative - http://www.eepi.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

 - - -



Begin forwarded message:

From: Phil Karn <karn@xxxxxxxx>
Date: December 3, 2005 7:10:30 PM EST
To: dave@xxxxxxxxxx
Cc: ip@xxxxxxxxxxxxxx
Subject: Re: [IP] Google search and seizure, etc. vs. technologists

From: Lauren Weinstein <lauren@xxxxxxxxxx>

1) Any practical attempt to "swamp" Google's database in such a
   manner is unlikely to succeed, given the sheer volume of legit
   queries that they receive.  I suspect they'd be smart enough to
   detect abuse patterns fairly easily.  That kind of analysis is
   their bread and butter.


The idea is not to "swamp" Google. It's simply to create a little
plausible deniability -- i.e., reasonable doubt -- that a given
search was entered by the user and not by the automatic daemon.

2) Attempts to purposely "abuse" Google in such a manner (faked
   requests) may well violate their Terms of Service, and if they
   don't now you can be sure that they will in some future version
   of the ToS.  The likely result will at a minimum be bans and ISP
   actions, and at the max lawsuits.  Pull out your wallet.


Again, "swamping" or "abusing" Google is not the intent, nor is it
very likely given Google's strong emphasis on performance and
scalability. The idea is simply to create doubt that a given query
was generated by a human, not by the robot. The "quality" of the
synthetic queries is much more important than their quantity.

Still, the extra traffic just might have the effect of encouraging
Google to adopt a stronger privacy policy. Not that I'd place much
stock in that, of course (see below.)

3) Routing queries through anon proxies will provide some protection
   for the technological elite who understand such things.  They will
   not protect the average user, who most likely doesn't understand
   the risks and issues, and will never use such proxies, even
   assuming that they were trivial to use.


I wish I had a nickel for everything I've been told "the average
user" would never understand, need or be able to use. Back in the
1970s, the "average user" would never understand, need or be able to
use a personal computer. In the 1980s, the "average user" would never
need a local area network in his home. In the early 1990s, the
"average user" would never understand or need the Internet. And so on.

It is no more necessary that the "average user" understand how an
anonymizing Google proxy works to use it effectively than to
understand the fields in TCP/IP packet headers. The whole idea of
civilization and commerce is that many people can benefit from
specialized knowledge and skills that they themselves lack. The open
source movement and the Internet itself have certainly demonstrated
this.

Personally, I prefer the anonymizing proxy over the random query
generator. The proxy is likely to be more effective, and it generates
no extra load. I mention the generator mainly to be complete. My
point is that there *are* technical defenses against potential
privacy abuses, and we can implement them ourselves instead of
naively demanding that Google respect our privacy against their own
commercial interests.

And even if Google were completely honest, they would still be
subject to Patriot Act abuses that we would never know about.

The sad fact is that "national security" has become the root password
to the Constitution. The only effective defense against a "rooted"

system is not to put any sensitive information in it in the firstplace.


--Phil



-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] more on re: 2029, A Worldwide Mesh?
Next by Date: [IP] more on Google search and seizure, etc. vs. technologists
Previous by thread: [IP] Google search and seizure, etc. vs. technologists
Next by thread: [IP] Free WiFi for all in Sunnyvale
Index(es):
- Date
- Thread