Hacker News new | ask | show | jobs
by msandford 4655 days ago
Yeah that's the immediate counter analogy to what I'm suggesting.

I think the way I would go about arguing against it is that people on the street/sidewalk have no expectation of privacy. There are literally no access controls of any kind. Anyone can walk on the street; billionaires and homeless alike. There are no societal conventions that privacy is assured on the street and if you end up in someone else's picture it's your fault, not theirs.

Houses are not the street. They are private property. We do have a reasonable expectation of privacy there (NSA notwithstanding) and a part of privacy is access control. So the right of the owner of a house to control access to his house is fairly well understood and accepted even in the case where a house might be unlocked or a door left open.

The real question is this: Is the internet like the street or a house? The answer, in my opinion, is that "it depends" because websites can act both ways depending on how they are designed and implemented.

HN is basically a street in that it has no access controls to view content. Very nearly every page on HN can be accessed by the public (linked to or not) without being logged in. The URL of your comment is https://news.ycombinator.com/item?id=6434945 for which I didn't have to type in a password. What about comment https://news.ycombinator.com/item?id=6434944 or https://news.ycombinator.com/item?id=6434946? Should they be "protected" by virtue of them not being displayed on the webpage right now?

My credit union's website is a bit of public street and a lot of house. I can view their promotional materials without any authorization but in order to get to the good stuff I have to enter both a username and a password, then pass a captcha. That is an access control.

What is the case with the AT&T website? Did they do anything to secure the content with a technological access control like a username/password? Did they filter the service such that the webservice would only return an email address if it was accessed by the same MAC address of the iPad that was sold to the customer? No, they did none of these things. Their only "access control" was a user-agent string which isn't guaranteed ANYWHERE to be accurate.

EDIT: changed a couple of words
1 comments
icambron 4655 days ago
I don't understand your argument. You seem to agree that the reason the unlocked house is not like the street is shared social conventions. That house across the street is definitely private property whether it's signed that way or not, and I'm expected to know that because, duh, it's a house. At least, that's how I understood this:

> So the right of the owner of a house to control access to his house is fairly well understood and accepted even in the case where a house might be unlocked or a door left open.

Then you discuss the technical and interface features of websites that differentiate them as analogs of houses and streets, respectively, like whether they have access control (locks). But we just agreed that the technical and design features of the door aren't what make a house not like the street. The differentiating feature of a house is not the security of its door, or even whether it has one; it's that it's a house and we're expected to know it's private. I don't get how that difference is analogous to access controls on a website. What's the social convention that's appropriate for determining whether a piece of information on the internet can be fairly accessed or not?

To be clear, I'm not saying there aren't good answers here (e.g. a house has walls which imply privacy, so you need some analog for walls on your site [1]). Or you could argue that the analogy is bogus (e.g. houses and streets just aren't like the internet). Or you could even argue that technical safeguards are the analogous social convention to private homes (I don't get it, but it's noncrazy). Or you could argue those conventions simply haven't been established yet, and that we should consider there to be no such thing as unlocked houses on the web. I'm just saying you have haven't made any of those arguments.

[1] completely off-the-cuff and, like my other suggestions here, in need of some substance.

link
msandford 4655 days ago
Basically I'm trying to draw out the differences and similarities.

In meatspace private property is default-closed (with certain exceptions) but some ability to in good faith. For example I can walk on your land to walk up to your front door and knock. You could then tell me I need to leave or you'll call the police. This is how it's worked for a long time and thus we think it's normal. You have this right even without building a fence around your property. Again, default-closed.

On the 'net the same rules of private property don't apply because the default on the 'net tends to be default-open. What I mean by this is that the simplest configuration for any webserver tends to have no access controls. So it'll serve up whatever it can to whoever asks. Furthermore the default on the internet for a long time was everyone can access everything since it was originally designed for precisely that purpose: sharing knowledge. The internet defaults to a street.

If you want to make your internet site NOT like a street (which is what it defaults to) you have to take steps to make that happen because HTTP doesn't have the mechanisms built in to do so. You have to build your access control on top of HTTP. If you do not, I would argue that we are right to assume that you meant for it to be a street for two reasons. First is that's how HTTP works and we've got some 20 years of history backing this up. Second is that to argue otherwise would place an incredible burden on everyone to have to divine the intent of the person/organization that served up the page.

What I'm getting at is to argue that weev "should have known better" strikes me as really nuts. In meatspace it would be like secretly passing a new law that divvied up all the roads to the landowners that border them so that I own the street in between my lot-lines and up to the middle of the road. Nobody knows about this so everyone keeps driving and nobody's the wiser. Then a real douchebag drives down the road in front of a rich guy's house. He hates it so he calls the cops and because he's rich and influential the DA manages to dig up this secret law and prosecute the douchebag with it.

If that law were to become non-secret and enforceable it would turn the world upside down in the US as nobody would be able to drive anywhere, walk anywhere, or generally do anything without the express permission of all the millions of people who now own the streets, sidewalks, etc. Even if you live in a big city and you could take the subway (which perhaps is still public) you wouldn't be able to walk to it unless the entrance happened to be on your land.

I think this would clearly be insanity as it would turn however many hundreds or thousands of years of convention on it's head. And to me, this is what the prosecutors are trying to argue. I understand that they probably don't really understand the technical aspects of it but to me it's really clear and their arguments sound like nonsense. But that's because we're looking at it from completely different viewpoints.

link