Re: Feds tell Web firms to turn over user account passwords

On Monday, 29 July 2013 08:34:34 Kingsley Idehen wrote:
> On 7/28/13 11:49 PM, Sandro Hawke wrote:
> > On 07/28/2013 05:06 PM, Melvin Carvalho wrote:
> >> On 26 July 2013 15:13, Sandro Hawke <sandro@w3.org> wrote:
> >>     [dropping crossposting lists]
> >>     
> >>     On 07/26/2013 08:20 AM, Kingsley Idehen wrote:
> >>         On 7/26/13 5:17 AM, Melvin Carvalho wrote:
> >>             http://news.cnet.com/8301-13578_3-57595529-38/feds-tell-web-firms-to-turn-over-user-account-passwords/
> >>         
> >>         Yep!
> >>         
> >>         In a centralized system, a Govt. can simply request (or
> >>         covertly demand) keys, passwords, and salt used for hashing.
> >>         
> >>         In a decentralized and distributed system they will have to
> >>         ultimately follow due process for accessing private property
> >>         such as:
> >>         
> >>         1. private keys
> >>         2. passwords
> >>         3. anything else.
> >>         
> >>         
> >>         The problem is that myopic Web 2.0 patterns have created one
> >>         hell of a privacy mess, for all the wrong reasons. This isn't
> >>         what the World Wide Web was supposed to be delivering, far
> >>         from it.
> >>         
> >>         Anyway, the net effect of all of this will be that Web 2.0
> >>         patterns will now be seen for what they are i.e., utter
> >>         rubbish that's completely clueless when dealing with privacy
> >>         and security matters.
> >>     
> >>     I've said things a lot like this over the years, and I'm 100% in
> >>     favor of decentralizing, but I'm no longer confident it'll reduce
> >>     government access to personal data.   Yes, going from a handful
> >>     of service providers to millions would make the job of obtaining
> >>     keys harder, but I don't think it would make it much harder, not
> >>     technically.   It would make it harder to keep secret, it's true.
> >>     But now that this stuff isn't even plausibly deniable any more,
> >>     the lawmakers basically have to decide whether to give the NSA
> >>     the keys to everything or not.   If they decide to, then they can
> >>     just demand that every Internet connected system have an
> >>     NSA-approved back door.    Okay, that might be going a bit far,
> >>     but I'm sure folks will be pushing for that, and we'll probably
> >>     settle on a compromise that multiuser and/or commercial systems
> >>     get a backdoor.   And then when you let your kids use your phone,
> >>     does it qualify as a multiuser system?
> >> 
> >> I've been thinking about this for a while.  I think the argument is
> >> flawed.  And the reason is that technology tends to lead law.
> >> Decentralization was fundamentally baked into the web as an axiom,
> >> whereas if a lesser genius had designed it, it may have had more of a
> >> centralized tree like structure.  Lawmakers have accepted the
> >> decentralization of the web because the technology was there.  If we
> >> had followed lawmakers we could have had SOPA and PIPA, but people
> >> protested against that to keep the technology in place.  Lawmakers
> >> are not as well aligned on this issue with technologists in terms of
> >> protecting users' privacy rights (which are often constitutionally
> >> defined).  I think it's the responsibility of technologies to create
> >> tools that benefit society, and even to make things that they'd like
> >> to use themselves.  As we've seen with the web, if it becomes
> >> popular, the laws will follow.
> > 
> > Yeah, I've been thinking about it, too, and I think I overstated the
> > case. I sure hope so. Anyway, we might as well do the best we
> > can with the tech while we see what the lawmakers end up doing.
> > 
> >         -- Sandro
> 
> Remember, there is no law that mandates storage of data in unencrypted
> form. It just so happens that the Web 2.0 brigade decided to impose that
> on their user base. I still can't even believe the ex. head of the CIA
> would actually use GMAIL let alone end up where he did, since GMAIL
> won't support S/MIME due to the effect it would have on their business
> model (viewing your email and inserting ADs).
> 
> If I recall, it is illegal to open mail as it travels from source to
> destination. It is even illegal to open someone's mailbox without their
> permission.

Yup. In Poland we even have this in our Constitution: secrecy of 
correspondence (regardless of the medium!) is guaranteed there. This is a
biggie for a 25 year old state that had both "communism" and Nazi occupation 
in its recent history.

> In my eyes, the Govt. isn't totally at fault in this complex privacy
> matter. The tech firms that lure users into their privacy challenged Web
> 2.0 solutions have a lot to answer for -- since they are the ones that
> have actually compromised the privacy of their users.

So long as we're talking about "users" and not "citizens", we will keep losing 
the battle:
http://rys.io/en/43

Users have needs to be fulfilled and cash to be rid of; citizens have *rights* 
to be protected. That's a crucial change of perspective here.

-- 
Regards
Michał "rysiek" Woźniak

Fundacja Wolnego i Otwartego Oprogramowania

Received on Tuesday, 30 July 2013 07:45:30 UTC