lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.NEB.4.63.0609081446160.716@panix3.panix.com>
Date: Fri, 8 Sep 2006 14:46:28 -0400 (EDT)
From: Jay Sulzberger <jays@...ix.com>
To: full-disclosure@...ts.grok.org.uk
Cc: 
Subject: [Privacy] Sexbaiting Social Experiment on
 Craigslist Affects Hundreds (fwd)



---------- Forwarded message ----------
  Date: Fri, 08 Sep 2006 09:00:51 -0700
  From: Anthony Baker <anthony@...nkbigideas.com>
  To: No List <noend@...chna.com>
  Subject: [Privacy] Sexbaiting Social Experiment on Craigslist Affects Hundreds


  Hey MB,

  Was just trolling through some of my RSS feeds and came across this post
  from www.waxy.org on something that I think might be of interest to many of
  you.

  It's a great read -- involves Craigslist, LiveJournal, online privacy,
  stupidity, and bloggers. What more could you want for your Friday morning?

  Have to say, the point towards the bottom about how expectations of privacy
  haven't been challenged yet are soooo true. Most people have an assumption
  of privacy, but just aren't aware of how true or false those assumptions
  are.

  Enjoy!


  -------------------------

  Recently, a blogger named Simon Owens ran a social experiment on Craigslist.
  He wandered into the "Casual Encounters" section of the personal ads where
  countless men and women were soliticing for no-strings-attached sex and
  wondered, Is it really that easy? As a test, he composed several ads with
  different permutations of assumed identity and sexual orientation:
  straight/bi men/women looking for the opposite/same sex. He then posted it
  to New York, Chicago, and Houston, and tallied the results.

  Overwhelmingly and instantly, the ads from the fake women looking for male
  partners were inundated with responses, sometimes several per minute. All
  the other ads received lukewarm responses, at best. These results weren't
  surprising, but some of the observations were... Many of these men used
  their real names and included personally identifiable information, including
  work email addresses and home phone numbers. Several admitted they were
  married and cheating on their spouses. Many included photos, often nude.

  His first conclusion was very reasonable: "If a really malicious person
  wanted to get on craigslist and ruin a lot of people's lives, he easily
  could."

  Jason Fortuny's Craigslist Experiment

  On Monday, a Seattle web developer named Jason Fortuny started his own
  Craigslist experiment. The goal: "Posing as a submissive woman looking for
  an aggressive dom, how many responses can we get in 24 hours?"

  He took the text and photo from a sexually explicit ad (warning: not safe
  for work) in another area, reposted it to Craigslist Seattle, and waited for
  the responses to roll in. Like Simon's experiment, the response was
  immediate. He wrote, "178 responses, with 145 photos of men in various
  states of undress. Responses include full e-mail addresses (both personal
  and business addresses), names, and in some cases IM screen names and
  telephone numbers."

  In a staggering move, he then published every single response, unedited and
  uncensored, with all photos and personal information to Encyclopedia
  Dramatica (kinda like Wikipedia for web fads and Internet drama). Read the
  responses (warning: sexually explicit material).

  Instantly, commenters on the LiveJournal thread started identifying the men.
  Dissenters emailed the guys to let them know they were scammed. Several of
  them were married, which has led to what will likely be the first of many
  separations. One couple in an open marriage begged that their information be
  removed, as their religious family and friends weren't aware of their
  lifestyle. Another spotted a fellow Microsoft employee, based on their
  e-mail address. And it's really just the beginning, since the major search
  engines haven't indexed these pages yet. After that, who knows? Divorces,
  firings, lawsuits, and the assorted hell that come from having your personal
  sex life listed as the first search result for your name.

  Possibly the strangest thing about this sex baiting prank is that the man
  behind it is unabashedly open about his own identity. A graphic artist in
  Kirkland, Washington, Jason has repeatedly posted his contact information,
  including home phone, address, and photos. He's already received one threat
  of physical violence. Is he oblivious to the danger, or does he just not
  care? Since his stated interest is "pushing people's buttons," I'm guessing
  the latter.

  Legality and Privacy

  But was any law actually broken? Fortuny obviously misrepresented himself
  under false pretenses, which is itself possibly actionable, but the privacy
  implications beyond that are very interesting. Does emailing someone your
  personal information act as an implicit waiver of your right to privacy? I'm
  not a lawyer, but as far as I can tell, no.

  If taken to court, he's at risk of two primary civil claims. "Intentional
  infliction of emotional distress," while notoriously hard to prove in court,
  is certainly easier here based on his own writings. The second, more
  relevant claim, is "public disclosure of private facts." This Findlaw
  article on the Washingtonienne scandal sums it up nicely:
  The disclosure must be public. The facts must be private. The plaintiff must
  be identified. The publication must be "highly offensive." And there must be
  an "absence of legitimate concern to the public" with respect to the
  publication.

  It certainly seems like this clearly fits the criteria for a tort claim, but
  I'd love to hear some legal interpretation from the law bloggers out there.
  Does volunteering your information in a private context somehow invalidate
  your privacy rights? I don't think so. (For more information, see the EFF's
  Bloggers' FAQ on Privacy.)

  I contacted Anil Dash, VP of LiveJournal's parent company Six Apart, to see
  how he felt about the breaking drama. He was clearly disturbed by it, but
  after contacting LJ's support staff, realized there wasn't much they could
  do. If they find abusive information, they act quickly to remove it, but in
  this case, all the identifiable information is on a third-party site. "There
  are always people who aren't going to be productive members of a community.
  We try to be consistent in honoring requests if an individual's personal
  info is being posted without their permission," said Anil. "The hard part,
  of course, is that nobody can control every site on the web, so there's
  always somewhere else for a person to go if they really want to be malicious
  or destructive.."

  I haven't contacted Craigslist, but it's clear that as this story develops,
  it will inevitably have a profound impact on the community. A friend put it
  simply: "Adults are stupid on the Internet." More likely, their expectations
  of privacy just haven't been fundamentally challenged yet. They send naked
  photos of themselves to strangers because it helps get them noticed by the
  women they're emailing, and it's never backfired on them.

  On a final note, this is just getting started. Sex baiting is so simple and
  so effective, I thought immediately that others would be inspired to do the
  same thing. And yesterday morning, a commenter confirmed that the first
  copycat prank is already complete in Craigslist Portland. 94 replies so far,
  with 60 photos. It won't be the last.




  ------------------ Humanize A Little Bit Everyday -------------------
     http://www.noend.org/lists/noend/ login: noend password: nnpgolr4
          Wiki: http://www.noend.org/wiki/index.php/Main_Page
        Hosting donated by ServePath - http://www.servepath.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ