Politech mailing list archives

Defenses of Gmail and criticisms of encryption everywhere [priv]


From: Declan McCullagh <declan () well com>
Date: Wed, 28 Apr 2004 00:00:58 -0400



-------- Original Message --------
Subject: RE: [Politech] A criticism of Gmail and a call for encryption everywhere [priv]
Date: Tue, 27 Apr 2004 19:41:17 -0400
From: Adam Goldberg <adam_g () yahoo com>
To: 'Declan McCullagh' <declan () well com>

This argument seems to boil down to:

"Someone had some very private information available unencrypted and
unprotected in any way available from a HTTP server accessible via the
internet.  He was then surprised to find that it was available to anyone
over the internet."

The privacy violation isn't that google monitored the browsing (you gave
them permission).  Nor is it that google indexed it (you gave them
permission).  The privacy 'violation' is that private information was made
freely accessible by the owner of the information.

Adam Goldberg
adam_g () yahoo com



-------- Original Message --------
Subject: Re: [Politech] A criticism of Gmail and a call for encryption everywhere [priv]
Date: Tue, 27 Apr 2004 18:51:46 -0700
From: Jim Barbour <jbarbour () qualcomm com>
To: Declan McCullagh <declan () well com>

Hello Declan,

It seems to me that google (inappropriately so) displayed the unlinked
web page to others. Gmail is scanning your email to figure out what targeted
ads to display back to *you*.  If Gmail were to hang on to, or
redistribute to other people, information about your mail, then and
only then is the contract no longer between you and Google.

--
Jim Barbour --- Staff Engineer, Systems Programmer/Administrator


-------- Original Message --------
Subject: Re: [Politech] A criticism of Gmail and a call for encryption everywhere [priv]
Date: Tue, 27 Apr 2004 15:07:38 -0400
From: Greg Vassie <gvassie () well com>
To: Declan McCullagh <declan () well com>
References: <408E8B72.40006 () well com>

Hi Declan -

> Subject: Opposing view of Gmail issues (Cypherpunk tie in)
> From: J.A. Terranson <measl () mfn org>

<snip>

>    The senders of email to users of Gmail are in the very same
> position as our friend above: they know nothing of the agreement, they are
> not participants in the Gmail program - they have never agreed to allow a
> third party to access *their* private thoughts and utterances, yet they
> too are caught in the middle.
>
>    As much as it goes against my gut reaction, I must admit that
> Gmail has some very serious privacy implications, some of which almost
> definitely fall under EU privacy laws.

I've been seeing this argument quite a bit in the uproar over Gmail,
but it has one large flaw - it applies to every single email system in
existence.  When I send a piece of email to a user of yahoo or hotmail
or even a personal domain hosted elsewhere, I didn't agree to any
terms of service with those mail service providers, the account holder
did.

This is not a privacy argument, it's an anti-free market argument.


--
Greg Vassie



-------- Original Message --------
Subject: Re: [Politech] A criticism of Gmail and a call for encryption everywhere [priv]
Date: Tue, 27 Apr 2004 12:03:08 -0700
From: Paul Hoffman <phoffman () proper com>
To: Declan McCullagh <declan () well com>
References: <408E8B72.40006 () well com>

>    The senders of email to users of Gmail are in the very same
>position as our friend above: they know nothing of the agreement, they are
>not participants in the Gmail program - they have never agreed to allow a
>third party to access *their* private thoughts and utterances, yet they
>too are caught in the middle.

In what way is this different than sending mail to someone
@aol.com, @yahoo.com, @msn.com, etc.? Only in that Gmail made their
searching activities more obvious. The result of this will be that,
in the future, webmail providers will better hide the fact that they
retain the right to search your mail.

>Pity that people will spend thousands of hours, and millions
>of dollars arguing over the best way to protect us from ourselves, but
>that we won't spend five minutes learning to use a simple encryption
>system that could completely erase these very issues.

Further pity that people who write to you haven't thought about how
reading encrypted mail on a webmail system would be impossible
without the webmail provider having a copy of your private key.

--Paul Hoffman

[Except ala Hushmail --Declan]





-------- Original Message --------
Subject: Re: [Politech] A criticism of Gmail and a call for encryption everywhere [priv]
Date: Tue, 27 Apr 2004 14:24:21 -0400 (EDT)
From: Chris Beck <chris.beck () pacanukeha net>
To: <declan () well com>
CC: <sysadmin () mfn org>
References: <408E8B72.40006 () well com>

Dear Alif, Declan
One named Declan McCullagh was heard to whisper
>
> -------- Original Message --------
> Subject: Opposing view of Gmail issues (Cypherpunk tie in)
> From: J.A. Terranson <measl () mfn org>

<snip>

>    My opinion was altered by a gentleman in England, who used the
> following story to illustrate his point:
>

<snip>

>
>    One day he had a firewall issue when trying to retrieve a file,
> and the person who was hosting it offered to put it on a "private"
> (i.e., unlinked) page for him to grab over HTTP.  He accepted,
> downloaded the document, and promptly forgot about it - until this
> document, which had extremely personal information on it (personal to
> the person *hosting* it, not the person retrieving it) showed up on
> Google a short time later.  You see, the toolbar had seen him go to a
> web page that Google did not have, and so they indexed it right away.
>

A very enlightening story Alif, very enlightening indeed.  Have either of
you gentlemen heard of a system that allows for encrypted webmail?  I
haven't.  Aside from Hushmail, of course, but that is server-side
encryption.

I guess we should ask webmail providers if they can refrain from
auto-indexing unknown URLs encountered in emails.  What would you consider
to be the necessary and sufficient conditions to use Gmail with the
prerequisite that it needs the targeted ad revenue to survive?



--
Chris Beck
"Nihil tam munitum quod non expugnari pecunia possit." - Cicero




-------- Original Message --------
Subject: Re: [Politech] A criticism of Gmail and a call for encryption everywhere [priv]
Date: Tue, 27 Apr 2004 19:51:05 -0400 (EDT)
From: Dean Anderson <dean () av8 com>
To: Declan McCullagh <declan () well com>

Declan,

I would like to add that if the person in Alif's anecdote had put proper
HTML access controls on their web page, the Google toolbar would not have
caused any problem. As it was, it just cataloged a public page.  Anyone
can use HTML access controls, and should use them on private data.

I've had a number of personal and professional conflicts with Alif
Terranson over privacy issues, which included lawyers for his employer,
and my own lawyers. He has some "interesting", but very wrong ideas about
privacy, as his employer's lawyers agreed with my lawyers.

But the call for "encryption everywhere" is similarly misguided. The
following quote is from "Statement of [Senator] Patrick Leahy on the
Introduction of the Electronic Communications Privacy Act of 1985,
September 19th, 1985" (the law was not passed until 1986)

        "At this moment phones are ringing, and when they are answered,
the message that comes out is a stream of sounds denoting one's and
zero's. Nothing more.  I am talking about the stream of information
transmitted in digitized form, and my description covers everything from
interbank orders to private electronic mail hookups".

Senator Leahy goes on in the Sept 19th, 1985 statement to say:

        "It is no solution to say that anybody concerned about the privacy
of these communications can pay for security by paying for encryption.

        Encryption can be broken. But more importantly, the law must
protect private communications from interception by an eavesdropper,
whether the eavesdropper is a corporate spy, police officer without
probable cause, or just a plain snoop."


Of course, this was amended by the USA PATRIOT Act, but how true it still
is.

Secure encryption is hard, because there are many ways to mess it up, such
as lack of entropy and other mistakes that aren't obvious to
non-cryptographers.  It is very easy to surround a "bank vault door" with
glass windows in cyberspace, and not even know you did that.

Consider also that quantum computers are reported to be amazing at
breaking cryptography, and that we may see such machines in the next 10 or
20 years. Of course, perhaps cryptography will keep pace, but perhaps not.
Perhaps, it is possible that we will be able to use quantum cryptography on
transmissions, but not storage.  I don't know how it will fall out, but I
think Senator Leahy spoke some very timeless words in 1985.  As he said
nearly 20 years ago, it is no solution to say that anybody concerned about
privacy can simply use encryption.

Dean Anderson
Av8 Internet, Inc







_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)

