Security quotes of the week [LWN.net]

The implications of this gladden my "right to be forgotten" hating heart. If you're an EU user searching for Joe Blow, and the EU has forced removal of a search result related to him on, say, google.fr, the warning notice informing you that results have been removed for that search give you an immediate cue that you might want to head over to google.com to see what the EU censorship bureaucrats deemed unfit for your eyes. In essence, it's a built in Streisand Effect, courtesy of the EU itself! Before this, you might not even have noticed the result in question among other results for that search .

— Lauren Weinstein

I think it provides a vivid illustration of how invasive this technology is and how the courts regulate its use. It’s one thing to have a generic description of how it’s used; it’s another thing to read a first-hand account of how people are walking up to people’s doors and windows sending powerful signals to [cell phones] inside. This transcript illustrates both the fact that bystanders' phones were being tracked and that the police operating the device knew that’s what the device was doing.

— ACLU attorney Nathan Freed Wessler on cell phone tracking devices known as "stingrays"

The question that remains is this: What should we expect in the future -- are there more Heartbleeds out there?

Yes. Yes there are. The software we use contains thousands of mistakes -- many of them security vulnerabilities. Lots of people are looking for these vulnerabilities: Researchers are looking for them. Criminals and hackers are looking for them. National intelligence agencies in the United States, the United Kingdom, China, Russia, and elsewhere are looking for them. The software vendors themselves are looking for them.

— Bruce Schneier

Of course, we in the real world know that shaved apes like us never saw a system we didn't want to game. So in the event that sarcasm detectors ever get a false positive rate of less than 99% (or a false negative rate of less than 1%) I predict that everybody will start deploying sarcasm as a standard conversational gambit on the internet. Trolling the secret service will become a competitive sport, the goal being to not receive a visit from the SS [Secret Service] in response to your totally serious threat to kill the resident of 1600 Pennsylvania Avenue. Al Qaida terrrrst training camps will hold tutorials on metonymy, aggressive irony, cynical detachment, and sarcasm as a camouflage tactic for suicide bombers. Post-modernist pranks will draw down the full might of law enforcement by mistake, while actual death threats go encoded as LOLCat macros. Any attempt to algorithmically detect sarcasm will fail because sarcasm is self-referential and the awareness that a sarcasm detector may be in use will change the intent behind the message.

— Charlie Stross

to post comments

Security quotes of the week

Posted Jun 5, 2014 8:11 UTC (Thu) by rvfh (guest, #31018) [Link] (15 responses)

> what the EU censorship bureaucrats deemed unfit for your eyes

Lauren Weinstein is missing the point here. It's not about what the EU <abusive text removed> deem unfit, it's about what the person deems unfit where they are concerned.

For example, if a friend takes a picture of you after you got drunk and ended up in an embarrassing situation, and then posts it on Facebook, the EU want you to be able to have this photo deleted. For ever.

This obviously an impossible aim to reach, as other sites/persons may have copies of the photo. Also, the filter as implemented today only works on your local Google search engine as pointed.

This being said, I find the idea laudable as the aim is to allow the individuals to protect their privacy.

Security quotes of the week

Posted Jun 5, 2014 8:39 UTC (Thu) by Tjebbe (guest, #34055) [Link] (4 responses)

Additionally, why are a handful of private commercial companies allowed to have millions and millions of search results removed automatically, and is there so much commotion about a few thousand of removal requests that even have to be vetted?

I have a number of concerns about the approach as well, especially potential abuse for censorship (which the EU actually does share, btw), but indeed, the idea is laudable, and the issues raised so far are missing the point.

Security quotes of the week

Posted Jun 5, 2014 12:20 UTC (Thu) by freemars (subscriber, #4235) [Link] (3 responses)

Imagine if SCO, at the height of their trials, had been able to have millions and millions of search results removed.

Security quotes of the week

Posted Jun 5, 2014 13:53 UTC (Thu) by drag (guest, #31333) [Link]

Or the NSA.

This isn't about protecting privacy it's about creating some stupid law so that some big corporation, government, politician or other powerful entity can go and try to control it's public image.

Security quotes of the week

Posted Jun 5, 2014 14:43 UTC (Thu) by Kwi (subscriber, #59584) [Link] (1 responses)

The right applies only to individuals. The EU, for now, does not recognize corporations as people.

Security quotes of the week

Posted Jun 12, 2014 15:40 UTC (Thu) by raven667 (guest, #5198) [Link]

But I would expect the wealthy and powerful to build an automated service that curates their public image so that no uncomplimentary information about them is ever allowed to exist. In the future, anyone who claims a particular bit of malfeasance against a powerful individual is going to be seen as part of the tinfoil-hat brigade because of the difficulty of finding any corroborating evidence, much like stories about the NSA pre-Snowden.

Security quotes of the week

Posted Jun 5, 2014 13:52 UTC (Thu) by drag (guest, #31333) [Link] (1 responses)

> Lauren Weinstein is missing the point here. It's not about what the EU <abusive text removed> deem unfit, it's about what the person deems unfit where they are concerned.

Point still stands. By trying to eliminate something from 'search' you are creating a beacon that points to what you want hidden.

> This being said, I find the idea laudable as the aim is to allow the individuals to protect their privacy.

It's a silly law. Might as well pass a law trying to make the world flat for all the good it will do.

'Lets all just ignore how things actually work and pass laws that pretend to make a the world suit our personal biases completely regardless of facts, practicality, technology, and physics'.

Security quotes of the week

Posted Jun 12, 2014 15:43 UTC (Thu) by raven667 (guest, #5198) [Link]

> 'Lets all just ignore how things actually work and pass laws that pretend to make a the world suit our personal biases completely regardless of facts, practicality, technology, and physics'.

It's surprising how much damage can be done by taking that approach, it can even work for a while, depending on how much resistance there is, it can work for the foreseeable future.

Security quotes of the week

Posted Jun 6, 2014 11:55 UTC (Fri) by robbe (guest, #16131) [Link] (6 responses)

The friend(?) from your example very probably did not have the rights to publish your photo in the first place. That the Facehugger is trying to hang on as long as possible to data, even everybody who should be in control of it wants it removed, is a different kettle of fish. You already had the right to get it deleted before this case, although enforcing it is hard (as Max Schrems can attest).

The birth defect in this case seems to be that *only* the links are removed. Perhaps a better balance would be to forbid publishing this kind of information in unredacted form. Then one could go after all copies and (now stale) links.

Doing it the other way around seems ... strange.

Security quotes of the week

Posted Jun 6, 2014 15:19 UTC (Fri) by Funcan (guest, #44209) [Link] (5 responses)

If the friend took the photo in a generally public situation, they absolutely own the copyright to the shot and have the right to post it...

Security quotes of the week

Posted Jun 7, 2014 14:17 UTC (Sat) by HIGHGuY (subscriber, #62277) [Link] (4 responses)

Not really. You need consent of everyone in the photograph before you can publish a picture.

Security quotes of the week

Posted Jun 7, 2014 14:34 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

Incorrect. A photo taken from a public place can be published without consent of its participants (and that includes businesses and companies).

See: http://www.krages.com/phoright.htm

Security quotes of the week

Posted Jun 7, 2014 14:54 UTC (Sat) by mpr22 (subscriber, #60784) [Link] (1 responses)

Depends where you are; rights over your personal likeness are not uniform worldwide. (AIUI France has much stricter law on the subject than countries with legal systems descended from English common law tend to.)

Security quotes of the week

Posted Jun 7, 2014 18:31 UTC (Sat) by HIGHGuY (subscriber, #62277) [Link]

Correct, the article is about the EU after all, not about the US.
(Even though the US is great at forcing their laws upon unsuspecting countries...)

Security quotes of the week

Posted Jun 12, 2014 21:33 UTC (Thu) by andreasb (guest, #80258) [Link]

> See: http://www.krages.com/phoright.htm

That page says not a single thing about publishing photos.

People have a right to their image and you need their consent before publishing (and that's unrelated to copyright, as someone upthread claimed). Exceptions apply for persons of public interest and when persons just happen to be in but not the focus of the picture (lots of tourists in a photo of a tourist attraction, say).

Security quotes of the week

Posted Jun 6, 2014 16:32 UTC (Fri) by sorpigal (subscriber, #36106) [Link]

Your goal is noble but at odds with reality. The only two effective ways to avoid something spreading on the internet are (1) don't ever let it be on the internet, (2) have it be uninteresting.

People trying to put the cat back in to the bag are doomed to failure. I don't personally see the value in this kind of futility. It would be far more productive to talk about, and make laws about dealing with, dealing with the aftermath of things getting out there.

I try to explain this to my IRL associates who seem not to understand: Posted on facebook, or anywhere else, is forever. It's not what you'd want but you still have to cope with that.

EU right to be forgotten

Posted Jun 5, 2014 13:41 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

If only such a right extended to the tax authorities, so that one could be forgotten WRT all of the entitlement programs which one might find objectionable, and would request emancipation.

Existing Law

Posted Jun 12, 2014 12:26 UTC (Thu) by Wol (subscriber, #4433) [Link] (14 responses)

What I've almost never seen in all the discussions over this, is that this is merely an attempt to extend existing law to the internet.

After a certain length of time, it is illegal to retain certain data in official records, and it is illegal to punish people for long-ago past misdeeds.

This is simply an attempt to make sure voyeurs can't access information that should no longer be available. (Or that should never have been available in the first place.)

Cheers,
Wol

Existing Law

Posted Jun 12, 2014 15:46 UTC (Thu) by raven667 (guest, #5198) [Link] (9 responses)

Once someone publishes it should be difficult to impossible to un-publish information. Maybe the standards in the EU are different but we don't generally allow the wealthy and officials to destroy magazines, newspapers and books because they document things which the powerful don't want to be known, which is how this kind of law will be predictably used.

Existing Law

Posted Jun 12, 2014 18:33 UTC (Thu) by Wol (subscriber, #4433) [Link] (8 responses)

Standards IN THE UK (which has a similar system of law to the US) say that say that certain records (especially criminal) should be destroyed after a certain period of time. It rather defeats the object if a simple Google search can find out things which are (deliberately) no longer available through official channels.

While this law might not be popular (or make sense) to the American point of view, Europeans place a rather higher value on privacy. Personally, I would love to see long-lens photographs of people on private property made illegal.

Something Americans don't seem to see is that others DON'T see personal freedom as so important! I've mentioned it before but there appears to be *three* things people as a whole value, but societies in practice seem capable of only emphasising *two*. If we Europeans value the other two over personal freedom, who are you to tell us we're wrong!? One of those is a caring, cohesive society, which I place great store by, and the fact that America does not have it is a great reason not to want to go near the place!

At the end of the day, this is a moral question of where to draw the line. The American viewpoint seems to be that the only place they are prepared to draw the line is the point where I can intrude into your life as much as I like, publish all the intimate details of you I can find (even using long lenses to get all sorts of embarrassing photos!) and if you object, well tough. My freedom is more important!

Okay, I know I'm exagerating for effect. But seriously, I see that as the logical end of your line of argument! And it's not somewhere I want to end up! And as the only way to draw a line is to make a value judgement, then I'm only too happy with "the right to be forgotten".

Under German law I gather even truth is no defence in a libel action, if malicious intent (and maybe some lying) can be proven. I think it was Bild - was planning to run an article on a scandal that "had been covered up". Except that it had been all over the press 20 years earlier, when it actually happened, and they got done and barred from publishing, on the grounds that it was an old scandal that was best forgotten. More importantly, the information was all there in public records for anyone who cared to dig.

And that, I think, is the point of this law. Not to hide the facts of what happened, but to keep stuff that is best forgotten, forgotten. After all, aren't even a lot of Americans worried about all the records that are ending up freely searchable on-line (bank statements, utility bills, all that stuff!!!) And it's not asking for the originals to be deleted, just for them to not be easily searchable.

At the end of the day, the reason I am so often anti-American (as you may have noticed) is that America is the *last* place (in the civilised world, at least) I would want to go and live. Yet so much American propaganda (and policy) is based on the presumption that everyone wants to live in America, and the best thing for America to do is to turn the rest of the world into an extension of America.

I don't want to live in America, yet America seems hell-bent on turning Britain into a "little America" - how on earth do you expect me to react?

Look at your own values. Look at the logical extension of those values, and where they are likely to lead you. And then respect other people who have different sets of values.

Cheers,
Wol

Existing Law

Posted Jun 12, 2014 18:55 UTC (Thu) by dlang (guest, #313) [Link] (6 responses)

> Standards IN THE UK (which has a similar system of law to the US) say that say that certain records (especially criminal) should be destroyed after a certain period of time. It rather defeats the object if a simple Google search can find out things which are (deliberately) no longer available through official channels.

Please go back and look at this case again

first, these aren't official records, these are articles

second, the articles aren't being taken down, only the google links to the articles

the US also has a concept that official records older than some amount can't be used against you legally, but that's not what's being dealt with here

Unless you somehow consider Google "official channels" but don't consider the articles that google links to "official channels"

Existing Law

Posted Jun 12, 2014 19:18 UTC (Thu) by raven667 (guest, #5198) [Link] (3 responses)

> second, the articles aren't being taken down, only the google links to the articles

While the two aren't completely equivalent, how is one supposed to build a worldview consistent with reality if they are unable to find relevant documents in the sea of information, if the people referred to those in those documents don't want the information to be found? Making linking a crime has much of the same effect of taking down the original, is that what we want?

Existing Law

Posted Jun 12, 2014 19:37 UTC (Thu) by dlang (guest, #313) [Link] (2 responses)

but what's the point of taking down links to an article if you don't take down the article itself?

if it's a crime to link to the article with a search engine (but note that it's not a crime to have some other article with a link to the offending data), why isn't it a crime to have the article up in the first place?

I don't agree with the censorship of allowing people to have published data removed because they don't like it, be it on the Internet or Print media, but if you are going to try and remove the data, it seems that it makes sense to first remove the content, then try and remove people linking to it and any caches that they have.

going after the links without removing the data that is being linked to is just silly.

Existing Law

Posted Jun 12, 2014 19:49 UTC (Thu) by raven667 (guest, #5198) [Link] (1 responses)

> going after the links without removing the data that is being linked to is just silly.

Why not, you get to have your cake and eat it too, you can plausibly claim to be anti-censorship and still get to shape public opinion because most people will be unable or unwilling to make the effort to get after the source material. The information may still be out there but how much effect can that have if you can't find it? If a tree falls in a forest and no one can hear it, does the sound matter?

Existing Law

Posted Jun 12, 2014 21:21 UTC (Thu) by viro (subscriber, #7872) [Link]

You are missing the point - it's about optimising the blackmail value of the stuff on the net. Of course it will be collected and kept - no way to ban that, short of mandating read and write access to all private data. The problem being, its value is undermined by its accessibility; blackmail, after all, is about "If X has information Y, your life will become unpleasant; we'll increase the odds of X having it unless you do what we want you to do". The weight of such threat obviously depends on the odds of X getting that information anyway.

In that respect the "right to be forgotten" is perfect - it doesn't harm the ability to collect the blackmail material (in fact, it slightly improves it by lowering the apparent cost of having such things posted in the first place) *and* it makes the collected material more valuable at the time (E)TLA (or any other blackmailer with sufficient resources) decides to put it to use.

Existing Law

Posted Jun 12, 2014 19:54 UTC (Thu) by Wol (subscriber, #4433) [Link] (1 responses)

> Please go back and look at this case again

Please go back and look at what I actually wrote

> second, the articles aren't being taken down, only the google links to the articles

And what I actually wrote? "And it's not asking for the originals to be deleted, just for them to not be easily searchable."

To quote one of our authors - "the past is another country" - many things are best abandoned there.

I'd rather not start off a privacy flame war, but the fact is that many people value their privacy. And they object to *other* *people* eroding that privacy. What's the saying? "Your right to swing your fist ends at my nose"? Your right to freedom of expression does not extend to trashing my right to privacy.

Okay, a lot of this fuss is probably down to people wanting records of ancient misdemeanours not widely available, but there's plenty of other stuff. I'm sure (if you knew where to look) you'd find loads of stuff on facebook, for example, about me. Except I don't have a facebook account. I've never given permission for my details to published on facebook (or anywhere, for that matter). If I don't want my details made public, then you shouldn't be making them public for me. And I should have the right to do something about it if you do. Given the nutters on the internet, it's a pretty safe bet a fair few people are dead because other people posted information they shouldn't have :-(

At the end of the day, as I said, it's a difficult value call. But my European viewpoint is you shouldn't have the right to be a nosey parker... it can kill :-(

Cheers,
Wol

Existing Law

Posted Jun 12, 2014 23:30 UTC (Thu) by dlang (guest, #313) [Link]

have you looked at the requests that are piling up at Google? Hint, it's not primarily about "ancient misdemeanours"

and if you are really saying that you have a right to be forgotten, then go after the people publishing the information, not people indexing it.

If you really don't want things made public, then go after the people making them public.

> Given the nutters on the internet, it's a pretty safe bet a fair few people are dead because other people posted information they shouldn't have :-(

sure, and it's an even safer bet that more people are dead due to things published in the local newspapers and other local rumour mills (if only because killing someone requires physical proximity)

Also, look at what Google is doing to comply with they law. If they remove a link, they only remove it for people in the EU (people elsewhere in the world still see it), and people in the EU are told that there is other data out there, but that Google has been prohibited from telling them about it.

Existing Law

Posted Jun 12, 2014 21:44 UTC (Thu) by madscientist (subscriber, #16861) [Link]

> Look at your own values. Look at the logical extension of those values,
> and where they are likely to lead you. And then respect other people who
> have different sets of values.

That's easy for you to say, because you happen to agree with these values. However, as soon as you start carving out special categories that you like, the next person will come along and define ones you don't like so much.

So if Google, which is a US company, has information about an EU citizen that it obtained completely legitimately stored in its servers in the USA, your position is that this EU citizen should have the right to force Google to delete this information from their servers because other EU citizens can access these servers over the internet?

Now suppose that instead of Google it's a London newspaper's web site and instead of an EU citizen there is an article critical of the monarchy of Morocco, where lèse-majesté laws allow criminal prosecution. I guess Morocco should be able to force the London newspaper to remove its article from its website? You may think that public figures should have a different set of rules than private figures, or that you should only have to remove information after some number of years, but those are just YOUR values... you should be respecting other peoples' values!

Existing Law

Posted Jun 12, 2014 18:18 UTC (Thu) by dlang (guest, #313) [Link] (3 responses)

so there is an existing law that says that people can demand that newspapers and magazines stores in library archives must be destroyed if the contain 'obsolete' information about someone?

Official records are not what we're talking about here.

And to make it worse, they aren't even saying that the articles in question must be taken down, just that the links in the search engines must be removed.

so it's saying that the card catalogs of the libraries must remove the information.

Existing Law

Posted Jun 14, 2014 8:56 UTC (Sat) by kleptog (subscriber, #1183) [Link] (2 responses)

> so there is an existing law that says that people can demand that newspapers and magazines stores in library archives must be destroyed if the contain 'obsolete' information about someone?

Well, it's an implementation of a fundamental privacy principle that existed long before the EU was born. People keep pretending this is a new thing, but in fact it's really old. People have the right to have their privacy protected, but there is a public interest exception for media and history preservation, but it's not absolute.

Since paper archives are not easily searchable they are not really considered a problem anyway. If someone wants to do the legwork to find something that's fine, but if you try to publish it you'll still have a problem. You can't just go digging up someone's past and publish it for the fun it.

This issue comes up all the time, the way media in NL deal with it is to simply not mention the surname of people in the first place, unless the person is already a publicly well known person. And even otherwise, you don't scrap the article, you simply change the name in some other way. This is arguably the same as removing a link.

I know all sorts of people have filed requests with Google but nothing is going to happen here for a while yet. If I were Google I'd set up a policy where the person applying has to provide some proof they tried to get the original article removed and failed. I.e. delegate to the appropriate authorities, don't try to work it out themselves.

Existing Law

Posted Jun 17, 2014 14:30 UTC (Tue) by dlang (guest, #313) [Link] (1 responses)

> If I were Google I'd set up a policy where the person applying has to provide some proof they tried to get the original article removed and failed. I.e. delegate to the appropriate authorities, don't try to work it out themselves.

Except the ruling from the Eu court doesn't say that the original article should be taken down, only that Google should not link to the article.

Existing Law

Posted Jun 18, 2014 7:16 UTC (Wed) by kleptog (subscriber, #1183) [Link]

Well, clearly the original site as an exemption and Google doesn't.

I'm just saying that determining if there is an exemption or not is a judge's decision, not Google's and I don't think they should take it on themselves to be the arbiter here. There are too many jurisdictions here to expect them to know all the details in all of them. Ask people to provide a court judgment saying they the site has an exemption and the workload is cut significantly.

The EU decision doesn't say they have to be proactive about it, there are no fines for delaying.