The Border Between Private & Public on the Internet

The question arises from time to time, most recently in the Schwarzenegger "Hot" Tape case, of what parts of a webserver are public and what parts are not, and thus whether locating hidden files on such a server is "hacking" or not. More importantly, is it a criminal offense, an ethical lapse or completely justified as a way to show the idiocy of the web site owner (or some combination of the above)?

[Another somewhat related example is the Craigslist suckering reported on Slashdot and Waxy:

"On Monday, a Seattle web developer named Jason Fortuny started his own Craigslist experiment. The goal: 'Posing as a submissive woman looking for an aggressive dom, how many responses can we get in 24 hours?' He took the text and photo from a sexually explicit ad in another area, reposted it to Craigslist Seattle, and waited for the responses to roll in ... '178 responses, with 145 photos of men in various states of undress. Responses include full e-mail addresses (both personal and business addresses), names, and in some cases IM screen names and telephone numbers.' In a staggering move, he then published every single response, unedited and uncensored, with all photos and personal information to Encyclopedia Dramatica."

discussion below]

This is a subject that does not lend itself well to non-computer metaphors, which means that choosing the wrong metaphor sends you down the wrong logic path. I believe that at Big Lizards, Dafydd and his commenter bpilch are guilty of precisely this in the Schwarzenegger case.

To recap (from the comment I made over at the Big Lizards post), the way the Angelides campaign claims* to have located the wav file was as follows:

As I understand it, all they did was go from http://www.host.com/some/path/pressrelease.htm to http://www.host.com/some/path/ or possibly http://www.host.com/some/ and discover that instead of an index page or permission denied notice it contained a directory listing. And amongst the files listed was this particular bit of audio.

The question in this case is whether cropping a URL - from http://www.host.com/some/path/pressrelease.htm to http://www.host.com/some/path/ - is in fact illegal, unethical, etc.

All this hangs on the question, as I state above, of what parts of a webserver are or should be considered public. The metaphor preferred by Dafydd is:

.... If we follow Weintraub's reasoning, that means if I forget and leave my front door unlocked, you have the legal right to burglarize the joint.

Morally and ethically, whenever an unauthorized person is trolling around the private area of someone else's website, he is hacking -- whether security was adequate or not. It's completely irrelevant, no matter what the law says.

The lack of good security procedures does not release Democrats from the necessity to act in a morally responsible way, any more than the lack of a good lock releases them from moral responsibility for black-bagging Republican campaign offices and Xeroxing donor lists.

This is, IMHO, wrong. The correct metaphor is a place constructed entirely (or primarily) for the general public but where certain parts may be off limits to those unauthorized to visit. This is more like a shop, church, gallery or theatre. A website is designed and intended to be visited by the public, just as shops, churches, galleries and theatres are. Indeed a public website quite frequently is an online shop, church, gallery or theatre. A private house or club, on the other hand, is not intended for public access, and neither is a secure website where access requires some sort of authentication and prior approval by the proprietor.

We as humans are not compelled to have public shops, churches etc. and neither are we compelled to have public websites. Hence if we do have them there is a reasonable assumption that we expect people to visit, and if we find members of the public poking their noses into places where they shouldn't, it is our fault for not locking those places up and/or not putting up clear signs saying "Authorized personnel only" or "no entry except between the hours of 9am and 5pm". Precisely the same applies to websites. If we don't want people to crop a URL and find something private (such as the new version of a page or something we are publishing explicitly for one particular person) we need to make sure that the page that results returns some sort of sensible error message and not a directory listing - which is what appears to have occurred in the Schwarzenegger case. Hence, IMHO, wandering around someone's website is, at worst, the equivalent of trespass and more like the sort of thing that happens when some visitor wanders into a non-public part of a shop etc. looking for the restroom.

Given that accidentally displaying a directory listing is a fairly common and basic web config mistake (and one that is usually rectifiable in a one line server config change), I think that you may be on some ethically challenging grounds - i.e. obeying the letter of the law rather than its spirit - and if you figure out that you went the wrong way you probably ought to inform the proprietor, rather than not tell him but tell your friends. But ethics are not laws, and there are plenty of other situations where an ethical person should show greater respect than that which is strictly required by law. Great example: smoking in public places where you may annoy neighbouring non-smokers. Legally (in many cases) if it doesn't say "No Smoking" you can light up; ethically you ought to ask whether it will bother those who seem likely to be downwind.
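For a site owner who wants to find this mistake before a visitor does, here is a small check, added as an illustration and not taken from any of the posts discussed: it lists the directory URLs that sit above a published file and flags any that answer with an auto-generated listing. The function names and the sample responses are made up for the example, and `fetch` stands in for whatever HTTP client you point at your own server.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Markers of auto-generated listings: the Apache/nginx "Index of /path" title
# and the "[To Parent Directory]" link that IIS directory browsing emits.
LISTING_RE = re.compile(r"<title>\s*Index of /|\[To Parent Directory\]", re.I)

def parent_dirs(url):
    """Directory URLs above a published file, i.e. what cropping the URL reaches."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if not parts.path.endswith("/"):
        segments = segments[:-1]  # drop the file name
    dirs = []
    for i in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:i]) + ("/" if i else "")
        dirs.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return dirs

def classify(status, body):
    """Label one response: exposed listing, sensible refusal, or ordinary page."""
    if status == 200 and LISTING_RE.search(body):
        return "LISTING"
    if status in (401, 403, 404):
        return "blocked"
    return "page"

def audit(published_url, fetch):
    """fetch(url) -> (status, body). Returns {directory URL: verdict}."""
    return {u: classify(*fetch(u)) for u in parent_dirs(published_url)}

# Constructed responses: a server with listings left on in one directory.
# A LISTING verdict is fixed with the one-line change mentioned above,
# e.g. "Options -Indexes" in Apache or "autoindex off;" in nginx.
SAMPLE = {
    "http://www.host.com/some/path/":
        (200, "<html><head><title>Index of /some/path</title></head></html>"),
    "http://www.host.com/some/": (403, "Forbidden"),
    "http://www.host.com/": (200, "<html><title>Welcome</title></html>"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, "Not Found"))

if __name__ == "__main__":
    report = audit("http://www.host.com/some/path/pressrelease.htm", sample_fetch)
    for url, verdict in report.items():
        print(f"{verdict:8} {url}")
```
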

So I agree that the Democrats did not behave in a morally responsible way but I don't think it is a crime or should be. In fact there are plenty of cases where cropping the URL is a good idea. Some blog archives, for example, forget to have links to the blog's home page (or, as with this one, no links to adjacent posts) and hence if you are curious about what else the author has written, cropping the URL is the only way.

Email Privacy

The publishing of emails in the Craigslist story has resulted in howls of protest from people who seem to think that emails are automatically private unless explicitly permitted to be made public. This seems curious. I tend to agree with Michael Z Williamson:

I learn the most amazing things online.

Apparently, if someone sends you personal information, it is "illegal" for you to give said information to anyone else. There's an implied non-disclosure agreement that negates free speech. I'm sure the people who send out credit card applications will be shocked to hear that, and will cease their heinous crimes at once.

And if someone stupidly sends out personal information and photos to an unconfirmed requestor, I should feel pity and outrage on their behalf and help them "sue" for the damage done to them by releasing information they should never have released in the first place.

It may indeed be ethically despicable to publish such emails - after all you are deliberately seeking replies under false pretences - but that doesn't mean that you have no responsibility to retain your own privacy if you think that is important. Hence (for example) those idiots who reply from a work email address, use their real name when replying to someone posting pseudonymously etc. are guilty of the one real capital crime - stupidity. I'm highly tempted to say that publicising these intimate details has been a public service because, with luck and wide enough coverage, it will make people think about what they are sharing on the Internet.

*The Democrats could be lying - there are elements of the story which make me wonder if there was not something else involved.

