Date: Fri, 8 Sep 2006 14:46:28 -0400 (EDT)
From: Jay Sulzberger <jays@...ix.com>
To: full-disclosure@...ts.grok.org.uk
Cc: 
Subject: [Privacy] Sexbaiting Social Experiment on
 Craigslist Affects Hundreds (fwd)



---------- Forwarded message ----------
  Date: Fri, 08 Sep 2006 09:00:51 -0700
  From: Anthony Baker <anthony@...nkbigideas.com>
  To: No List <noend@...chna.com>
  Subject: [Privacy] Sexbaiting Social Experiment on Craigslist Affects Hundreds


  Hey MB,

  Was just trolling through some of my RSS feeds and came across this post
  from www.waxy.org on something that I think might be of interest to many of
  you.

  It's a great read -- involves Craigslist, LiveJournal, online privacy,
  stupidity, and bloggers. What more could you want for your Friday morning?

  Have to say, the point towards the bottom about how expectations of privacy
  haven't been challenged yet are soooo true. Most people have an assumption
  of privacy, but just aren't aware of how true or false those assumptions
  are.

  Enjoy!


  -------------------------

  Recently, a blogger named Simon Owens ran a social experiment on Craigslist.
  He wandered into the "Casual Encounters" section of the personal ads where
  countless men and women were soliciting for no-strings-attached sex and
  wondered, Is it really that easy? As a test, he composed several ads with
  different permutations of assumed identity and sexual orientation:
  straight/bi men/women looking for the opposite/same sex. He then posted it
  to New York, Chicago, and Houston, and tallied the results.

  Overwhelmingly and instantly, the ads from the fake women looking for male
  partners were inundated with responses, sometimes several per minute. All
  the other ads received lukewarm responses, at best. These results weren't
  surprising, but some of the observations were... Many of these men used
  their real names and included personally identifiable information, including
  work email addresses and home phone numbers. Several admitted they were
  married and cheating on their spouses. Many included photos, often nude.

  His first conclusion was very reasonable: "If a really malicious person
  wanted to get on craigslist and ruin a lot of people's lives, he easily
  could."

  Jason Fortuny's Craigslist Experiment

  On Monday, a Seattle web developer named Jason Fortuny started his own
  Craigslist experiment. The goal: "Posing as a submissive woman looking for
  an aggressive dom, how many responses can we get in 24 hours?"

  He took the text and photo from a sexually explicit ad (warning: not safe
  for work) in another area, reposted it to Craigslist Seattle, and waited for
  the responses to roll in. Like Simon's experiment, the response was
  immediate. He wrote, "178 responses, with 145 photos of men in various
  states of undress. Responses include full e-mail addresses (both personal
  and business addresses), names, and in some cases IM screen names and
  telephone numbers."

  In a staggering move, he then published every single response, unedited and
  uncensored, with all photos and personal information to Encyclopedia
  Dramatica (kinda like Wikipedia for web fads and Internet drama). Read the
  responses (warning: sexually explicit material).

  Instantly, commenters on the LiveJournal thread started identifying the men.
  Dissenters emailed the guys to let them know they were scammed. Several of
  them were married, which has led to what will likely be the first of many
  separations. One couple in an open marriage begged that their information be
  removed, as their religious family and friends weren't aware of their
  lifestyle. Another spotted a fellow Microsoft employee, based on their
  e-mail address. And it's really just the beginning, since the major search
  engines haven't indexed these pages yet. After that, who knows? Divorces,
  firings, lawsuits, and the assorted hell that comes from having your personal
  sex life listed as the first search result for your name.

  Possibly the strangest thing about this sex baiting prank is that the man
  behind it is unabashedly open about his own identity. A graphic artist in
  Kirkland, Washington, Jason has repeatedly posted his contact information,
  including home phone, address, and photos. He's already received one threat
  of physical violence. Is he oblivious to the danger, or does he just not
  care? Since his stated interest is "pushing people's buttons," I'm guessing
  the latter.

  Legality and Privacy

  But was any law actually broken? Fortuny obviously misrepresented himself
  under false pretenses, which is itself possibly actionable, but the privacy
  implications beyond that are very interesting. Does emailing someone your
  personal information act as an implicit waiver of your right to privacy? I'm
  not a lawyer, but as far as I can tell, no.

  If taken to court, he's at risk of two primary civil claims. "Intentional
  infliction of emotional distress," while notoriously hard to prove in court,
  is certainly easier here based on his own writings. The second, more
  relevant claim, is "public disclosure of private facts." This Findlaw
  article on the Washingtonienne scandal sums it up nicely:
  The disclosure must be public. The facts must be private. The plaintiff must
  be identified. The publication must be "highly offensive." And there must be
  an "absence of legitimate concern to the public" with respect to the
  publication.

  It certainly seems like this clearly fits the criteria for a tort claim, but
  I'd love to hear some legal interpretation from the law bloggers out there.
  Does volunteering your information in a private context somehow invalidate
  your privacy rights? I don't think so. (For more information, see the EFF's
  Bloggers' FAQ on Privacy.)

  I contacted Anil Dash, VP of LiveJournal's parent company Six Apart, to see
  how he felt about the breaking drama. He was clearly disturbed by it, but
  after contacting LJ's support staff, realized there wasn't much they could
  do. If they find abusive information, they act quickly to remove it, but in
  this case, all the identifiable information is on a third-party site. "There
  are always people who aren't going to be productive members of a community.
  We try to be consistent in honoring requests if an individual's personal
  info is being posted without their permission," said Anil. "The hard part,
  of course, is that nobody can control every site on the web, so there's
  always somewhere else for a person to go if they really want to be malicious
  or destructive."

  I haven't contacted Craigslist, but it's clear that as this story develops,
  it will inevitably have a profound impact on the community. A friend put it
  simply: "Adults are stupid on the Internet." More likely, their expectations
  of privacy just haven't been fundamentally challenged yet. They send naked
  photos of themselves to strangers because it helps get them noticed by the
  women they're emailing, and it's never backfired on them.

  On a final note, this is just getting started. Sex baiting is so simple and
  so effective, I thought immediately that others would be inspired to do the
  same thing. And yesterday morning, a commenter confirmed that the first
  copycat prank is already complete in Craigslist Portland. 94 replies so far,
  with 60 photos. It won't be the last.




  ------------------ Humanize A Little Bit Everyday -------------------
     http://www.noend.org/lists/noend/ login: noend password: nnpgolr4
          Wiki: http://www.noend.org/wiki/index.php/Main_Page
        Hosting donated by ServePath - http://www.servepath.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
