Full Disclosure mailing list archives
Re: Re: Popular Net anonymity service back-doored
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 22 Aug 2003 01:40:47 +0200
"Drew Copley" <dcopley () eeye com> writes:
> I would think, I would know, there would be a moral obligation to tell their users. Moral... A conscience obligation, an obligation of conscience.
I usually interpret German privacy law much more liberally than ICPP and was really surprised that they would do what they did, I was even downright offended (even though I've never been a JAP user). But apparently they decided to fight within the legal system, so they didn't have much choice. Personally, I increasingly view the other option (terminating the service and informing the former users) as a cheap exit strategy. The conflict would have ended there, and the legal limits of anonymity would not have been tested in court (which still might not happen, but there's now a realistic chance). The JAP team has broken the unconditional promise not to spy on users, right. But the project continues, on another level and with fewer users, and I hope we will still learn quite a bit from it.
> At the very least, they could have exposed this anonymously on the Usenet or someplace. (Indeed...)

They did, in a rather convoluted way. I don't think it's fair to criticize them on this point.

I'm worried mainly by three things:

(a) Quite a few pieces of information are public now. Why don't they update their web pages accordingly, including the Official Declaration? (Maybe the ongoing criminal investigation interferes with that, maybe some employees are on vacation.)

(b) The ICPP claims that "only the access to the IP address mentioned in the judicial instruction will be recorded". The mix source code implements something else, which allows for far broader surveillance (and not for monitoring of a specific IP address). Why is there such a discrepancy?

(c) An employee of TU Dresden (the university that operates the main mix chain used by AN.ON) described the logging extension in 2001, and announced its implementation for 2002. But this didn't happen, and the JAP team didn't fix the fundamental weakness of the service, either: TU Dresden still operate both ends of the most usable mix cascade.
> Who cares if they watch their own wires? But, they have no right to put code on people's systems outside of Germany.
In fact, they didn't. The surveillance is implemented in the mixes. It is not compiled in by default. The binary they ship does not contain the code. Actually, this is the main weakness of the JAP service: The JAP team could implement logging on their own mixes (and this was even documented).
> Are they saying they do not believe in boundaries anymore?

It's modern to sue German companies in the U.S. because law offers punitive damages there (which don't exist in German law). Legal relationships between countries are quite messy. International treaties are blatantly ignored or carefully undermined. U.S. courts claim jurisdiction over any place in the world (except the other 49 states). In most countries, courts have applied local law to foreign companies offering services over the Internet.

Of course you can sue the Federal Republic of Germany over the alleged breach of your privacy, but ICPP's way of tackling the matter is more likely to succeed, IMHO.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html