[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87ptiya8ao.fsf@deneb.enyo.de>
From: fw at deneb.enyo.de (Florian Weimer)
Subject: Re: Popular Net anonymity service back-doored
"Drew Copley" <dcopley@...e.com> writes:
> I would think, I would know, there would be a moral obligation to tell
> their users. Moral... A conscience obligation, an obligation of
> conscience.
I usually interpret German privacy law much more liberally than ICPP
and was really surprised that they would do what they did, I was even
downright offended (even though I've never been a JAP user). But
apparently they decided to fight within the legal system, so they
didn't have much choice. Personally, I increasingly view the other
option (terminating the service and informing the former users) as a
cheap exit strategy. The conflict would have ended there, and the
legal limits of anonymity would not have been tested in court (which
still might not happen, but there's now a realistic chance).
The JAP team has broken the unconditional promise not to spy on users,
right. But the project continues, on another level and with fewer
users, and I hope we will still learn quite a bit from it.
> At the very least, they could have exposed this anonymously on the
> Usenet or someplace. (Indeed...)
They did, in a rather convoluted way. I don't think it's fair to
criticize them on this point.
I'm worried mainly by three things:
(a) Quite a few pieces of information are public now. Why don't
they update their web pages accordingly, including the Official
Declaration? (Maybe the ongoing criminal investigation
interferes with that, maybe some employees are on vacation.)
(b) The ICPP claims that "only the access to the IP address
mentioned in the judicial instruction will be recorded". The
mix source code implements something else, which allows for far
broader surveillance (and not for monitoring of a specific IP
address). Why is there such a discrepancy?
(c) An employee of TU Dresden (the university that operates the main
mix chain used by AN.ON) described the logging extension in
2001, and announced its implementation for 2002. But this
didn't happen, and the JAP team didn't fix the fundamental
weakness of the service, either: TU Dresden still operate both
ends of the most usable mix cascade.
> Who cares if they watch their own wires? But, they have no right to put
> code on people's systems outside of Germany.
In fact, they didn't. The surveillance is implemented in the mixes.
It is not compiled in by default. The binary they ship does not
contain the code.
Actually, this is the main weakness of the JAP service: The JAP team
could implement logging on their own mixes (and this was even
documented).
> Are they saying they do not believe in boundaries anymore?
It's modern to sue German companies in the U.S. because law offers
punitive damages there (which don't exist in German law).
Legal relationships between countries are quite messy. International
treaties are blatantly ignored or carefully undermined. U.S. courts
claim jurisdiction over any place in the world (except the other 49
states). In most countries, courts have applied local law to foreign
companies offering services over the Internet.
Of course you can sue the Federal Republic of Germany over the alleged
breach of your privacy, but ICPP's way of tackling the matter is more
likely to succeed, IMHO.
Powered by blists - more mailing lists