Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Crime Privacy The Courts

Judge: No Privacy Expectations For Data On P2P Networks 230

An anonymous reader writes "A federal judge in Vermont has denied a motion to suppress evidence filed by three defendants in a child porn case. The three had alleged their Fourth Amendment rights were violated when police used an automated P2P query-response tool to gather information from their computers. That information subsequently led to their arrest and indictments. The judge held (PDF) that the defendants had either inadvertently, or otherwise, made the information available for public download on a P2P network and therefore couldn't assert any privacy claims over the data."
This discussion has been archived. No new comments can be posted.

Judge: No Privacy Expectations For Data On P2P Networks

Comments Filter:
  • by turkeydance ( 1266624 ) on Tuesday November 12, 2013 @02:26PM (#45404121)
    nothing has ever been private on the internets.
    • but..... (Score:5, Funny)

      by BreakBad ( 2955249 ) on Tuesday November 12, 2013 @02:35PM (#45404251)

      my privates have been on the internet.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        my privates have been on the internet.

        From this day forth you shall refer to them as your publics.

    • Re:well, of course (Score:5, Insightful)

      by Anonymous Coward on Tuesday November 12, 2013 @02:36PM (#45404259)

      Especially on a P2P network like Gnutella where you can do search by keywords and then directly view what people have on their computers. It's like hanging a poster in your living room of a child being abused and someone walking by seeing it. They made the materials available for the public to see. I hope more people who are into sick stuff like that make the mistake of having the files publically visible. Especially p2p users since given the nature of p2p they can also be slapped with a distribution charge which will add years to their sentence.

      • I say keep em out of jail, castration is a much nicer option, it also will eventually breed those traits that cause it out of the gene pool.
        • by EdIII ( 1114411 )

          That's assuming that it's genetic and not environmental.

        • by amiga3D ( 567632 )

          You make the assumption this is genetic. If sexual proclivities were genetic then homosexuality would much rarer.

  • by sideslash ( 1865434 ) on Tuesday November 12, 2013 @02:30PM (#45404167)
    So when AT&T made their iPhone subscriber list "available for public download" that implicitly gave people on the internet permission to access this private information? Oh wait, they sentenced Weev to jail time for that [slashdot.org]. I'm so confused.

    And no, I'm not defending child porn users. Well, I guess I sort of am. But not... Darn it, you guys know what I mean.
    • by NettiWelho ( 1147351 ) on Tuesday November 12, 2013 @02:32PM (#45404191)
      Silly peasant, aristocracy have their own set of laws and courts.
    • by Jah-Wren Ryel ( 80510 ) on Tuesday November 12, 2013 @02:35PM (#45404247)

      And no, I'm not defending child porn users. Well, I guess I sort of am. But not... Darn it, you guys know what I mean.

      Kiddie porn pirates are not the problem, the problem are all the people involved in the production. If you believe the MAFIAA's rhetoric the pirates are the solution since they are destroying the jobs of all the hard-working people in the kiddie porn industry.

      • by NettiWelho ( 1147351 ) on Tuesday November 12, 2013 @02:43PM (#45404337)

        If you believe the MAFIAA's rhetoric the pirates are the solution since they are destroying the jobs of all the hard-working people in the kiddie porn industry.

        I was gonna say the same but couldnt come up with a way of saying "think of the children and download kiddie porn" without it coming across the wrong way.

    • It would potentially mean it could be used as evidence against people without a search warrant. It certainly mean it could be used as evidence against AT&T if it showed evidence of a crime since they were the ones who made the mistake.
    • I don't think you understand what Auernheimer did. The database wasn't "available for public download" It was exposed due to poor design and poor security. This is directly counter to purpose of P2P software which is to make accessible files and/or information on one's computer.
      • by Hatta ( 162192 )

        The database wasn't "available for public download"

        It most certaily was. Because the public did download it.

        This is directly counter to purpose of P2P software which is to make accessible files and/or information on one's computer.

        And what is the purpose of a web server?

        • Are you even aware of the particulars of the script kiddie attack that Weev did to get that data? It wasn't published in any kind of manner where you could get it without prompting for it.

          By your logic just because someone has something on a web server they are sharing it with everyone. Let me guess, you think credit cards and health records are fair game too?

          • This. Apparently Hatta doesn't understand what what Auernheimer did as well.
          • Re: (Score:3, Interesting)

            by Hatta ( 162192 )

            Are you even aware of the particulars of the script kiddie attack that Weev did to get that data?

            Weev wrote a script. In this case the police used "an automated P2P query-response tool". What's the difference?

            By your logic just because someone has something on a web server they are sharing it with everyone

            If you fail to put any authentication on it, then yes. How else is the web supposed to function?

            Let me guess, you think credit cards and health records are fair game too?

            If you post your credit card num

            • I would love to see you try say that to a judge in a court of law with a straight face.

            • by geekoid ( 135745 )

              WeeV's script was a spoof to gain access.

              "If you fail to put any authentication on it, then yes. How else is the web supposed to function?"
              AT&Ts site DID have authentication. WeeV wrote a script to lie about who he was. i.e. spoof.

              "If you post your credit card number on a public website, then yes it's totally fair game for me to download that information. Using that information to commit fraud is still illegal of course."

              Only if by public you mean anyone can openly connect by design, then you are corre

              • by Hatta ( 162192 )

                AT&Ts site DID have authentication.

                Authentication is something you know, have, or are [cornell.edu]

                All approaches for human authentication rely on at least one of the following:

                Something you know (eg. a password). This is the most common kind of authentication used for humans. We use passwords every day to access our systems. Unfortunately, something that you know can become something you just forgot. And if you write it down, then other people might find it.

        • by bws111 ( 1216812 )

          You seem confused on the differences between access and authorization. The question in the AT&T case was about authorization. Was the guy authorized to access the things he did? Clearly he could access the data, but was he authorized to do so? If you have my bank credentials you have access to my account, but you do not have authorization to do anything with the account. Yes, you have the ability to do things, but that is nowhere near the same as being authorized.

          In cases like that the courts will

          • by Hatta ( 162192 )

            In cases like that the courts will use a 'reasonable person' test.

            I don't see how any reasonable person can determine that a publicly facing web server without any sort of authentication is not free to access. Authentication is how authorization is implemented on the internet. Any other policy will break the internet.

            If there was a link off of att.com

            How do you know you are authorized to visit att.com in the first place? You submit a query, and see if you get a response. Exactly what weev did.

            The poli

    • Weev took advantage of a poorly secured access on their part. That is hardly the same thing as putting something on a peer to peer network. It's akin to saying that just because someone secured their house with screen doors that they were okay with people taking their contents.

      Now you can fairly criticize AT&T for poor security, and you can certainly criticize Weev for taking their data and publicizing it, but try to keep the criticism grounded in reality, eh?

      • by Hatta ( 162192 )

        Weev took advantage of a poorly secured access on their part.

        And the police here took advantage of poorly secured access on these guys P2P program. The only evidence that these guys intended to share this data is that the data was shared. The same evidence exists for AT&T's data.

        It's the exact same thing.

    • Leaving pie on a window sill to cool vs. giving away pies.

      If I leave a pie on my window sill to cool, you don't have a right to steal it. That AT&T data sounds like the pie to me.

      If I left a pie on a table in front of the house with a sign that said, "free pie for anybody who wants it", and a health inspector came by and cited me for distributing food in an unsafe manner and/or without a permit, that'd be like putting illegal data on a p2p network.

    • by geekoid ( 135745 )

      You know they had to do spoofing to get that information, right?
      In other words, they had to trick(lie to) the server into thinking they where the iPad owner.

      If AT&T had simple left a file with all the info in it on a public site that any person could get to it, there would have been no legal consequences for WeeV

  • Hold on (Score:5, Interesting)

    by Hatta ( 162192 ) on Tuesday November 12, 2013 @02:34PM (#45404231) Journal

    If you run a service on the internet, you have no expectation of privacy of the data you serve. That sounds reasonable enough. But why then was weev [wired.com] imprisoned for downloading data from a publically facing web server?

    If weev can be imprisoned for computer hacking by using a publicly facing server in ways not intended by the owner, why aren't the police here facing similar charges?

    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Tuesday November 12, 2013 @02:39PM (#45404275)
      Comment removed based on user account deletion
      • Re:Hold on (Score:5, Insightful)

        by Hatta ( 162192 ) on Tuesday November 12, 2013 @02:46PM (#45404379) Journal

        And what is the purpose of publicly facing web servers without authentication?

      • by Trepidity ( 597 )

        But the court's decision doesn't argue that. It argues that intention is irrelevant, and there is no privacy expectation in this case even if the files were accidentally or otherwise unintentionally made available.

      • by vux984 ( 928602 )

        Because that WAS the intention of the owner: to share their data with random, unknown 3rd parties. That's pretty much the entire purpose of P2P networks.

        No. The intention of the owner, and the purpose of P2P was to share the files, not information about themselves.

        You can argue that it is a natural function of the software, doing what it was designed to do, but that didn't get Weev anywhere either, now did it?

      • Because that WAS the intention of the owner: to share their data with random, unknown 3rd parties. That's pretty much the entire purpose of P2P networks.

        According to the summary, intent is non sequitur:

        The judge held that the defendants had either inadvertently, or otherwise, made the information available for public download on a P2P network and therefore couldn't assert any privacy claims over the data.

        inadvertently == no intent.

    • Re: (Score:2, Insightful)

      by Fwipp ( 1473271 )

      Well, if you share something on a P2P network, you intend for people to download it.
      If you accidentally reveal a list of other people's sensitive information (because you're bad at the web), you arguably didn't intend to make that data publicly available.

      Not meaning to side against weev or anything here, just pointing out a meaningful difference between the two.

      • by Hatta ( 162192 )

        Well, if you share something on a P2P network, you intend for people to download it.

        And if you post something on a web server and don't implement any authentication?

        If you accidentally reveal a list of other people's sensitive information (because you're bad at the web), you arguably didn't intend to make that data publicly available.

        What if I "accidentally" share my root directory on P2P and you download something. Should I be able to have you imprisoned under the CFAA?

        Not meaning to side against weev or

        • by Fwipp ( 1473271 )

          You don't see any difference between "Shit, we left some of our internal DB data accessible" and "I love downloadin things from this P2P network, huh I wonder what peer-to-peer means..." ?

          Besides, this is a different legal question. It's not "are the cops breaking the law against hacking," it's "are the cops violating the 4th amendment?"

          • by Hatta ( 162192 )

            You don't see any difference between "Shit, we left some of our internal DB data accessible" and "I love downloadin things from this P2P network, huh I wonder what peer-to-peer means..." ?

            I don't see any difference between "Shit, we left some of our internal DB data accessible" and "Shit, I shared the wrong folder on my P2P app". There is no difference whatsoever.

            Either you can infer intent from public availability or you cannot. You cannot have it both ways.

      • by DarkOx ( 621550 )

        You have to be pretty darn "bad at the web" to put stuff on a web server unintentionally. I doubt the guy in this article had any more intent to reveal what he was downloading and who he was than AT&T had to publish that customer list. He did publicly because he did not fully understand the nature of how the application worked, just like AT&T apparently did not understand how .htaccess, or or whatever the problem was worked.

        Finally its not other people's sensitive information its AT&T's sensi

    • by TWX ( 665546 )
      Probably because weev's lawyers didn't do a good job arguing that by putting content on a public web server , AT&T was publishing it for all to see.

      Analogies like printing free newspapers with this information at the bottom of page 36 and placing them in those hoppers on street corners could have been drawn; it's unlikely that very many people will get to page 36 and read the bottom, as that's usually buried among all of the crap advertising spots, but that information was made available in publis
      • by geekoid ( 135745 )

        They probably didn't argue that because that wasn't the case. Weev had to do spoofing to get the data.

    • by anagama ( 611277 )

      There is a distinction between this and the situation in weev. It doesn't seem like a big distinction to people who are even vaguely familiar with URLs but to many legal professionals, a large percentage of whom are technically incompetent (the number of law offices I've seen running open access points or WEP encrypted wireless networks in my office building is pretty astounding). This isn't true for all in the legal community, and I'm sure it is getting less common as time goes by, but there are still a

      • by Hatta ( 162192 )

        Anyway, Weev had to manipulate a URL to get the information. He even wrote a script to do this.

        Police used "an automated P2P query-response tool".

        • by anagama ( 611277 )

          Point taken.

          Either the police and weev should be in jail, or both should be free. This is a good example of the double legal standard applied to pleebs and those in power.

      • That is not the distinction you are looking for. The distinction is that AT&T was not accused of committing a crime and these guys have been. It might seem related until you understand something about the legal system: there are different rules for different things.

        In the case of Weev, he accessed data without authority. (No, I haven't reviewed the case to see exactly what the charges were, but it was something along those lines). Weev was then accused of having broken a law (pertaining to unauthorized

    • If you run a service on the internet, you have no expectation of privacy of the data you serve. That sounds reasonable enough. But why then was weev [wired.com] imprisoned for downloading data from a publically facing web server?

      If weev can be imprisoned for computer hacking by using a publicly facing server in ways not intended by the owner, why aren't the police here facing similar charges?

      Your argument is total rubbish. The "expectation of privacy" or lack thereof means that "weev" whoever that is probably was allowed to tell the world that a company is careless with customers' data. That doesn't give him any right to the actual data. It's private information. He can't get the right to download information belonging to X, Y, Z and over hundred thousand other people just because someone who is neither X, Y, Z or any of those other people makes a mistake.

    • by jafac ( 1449 )

      If one has gone through the trouble to contract with a PKI provider for an ssl certificate, and taken other reasonable precautionary measures, I would think that the secured traffic provides a reasonable expectation of privacy, by a legal definition, even if technically, that privacy is not bulletproof. If you're sending plaintext over the wire, then, of course, you should know you could be listened to. But not secured traffic.

    • Because he brute force hacked the IMEI's and downloaded information for specific users. He was convicted because he used IMEI's that did not belong to him and therefore masqueraded as the phone owner to gain the information.

      In this case the police used standard P2P queries to get the information. It is not hacking when one does not fraudulently misidentify one's self.

  • by Lando ( 9348 ) <lando2+slash@@@gmail...com> on Tuesday November 12, 2013 @02:34PM (#45404233) Homepage Journal

    The ruling is on, "made the information available for public download on a P2P network" there are plenty of private p2p services. If you make your information available to everyone then of course the police don't need to go through red tape to get that information. Non-story

  • In other news... (Score:5, Interesting)

    by sirwired ( 27582 ) on Tuesday November 12, 2013 @03:06PM (#45404581)

    In other news, the Police also do not need a warrant to attend your public meeting. They don't need a warrant to read the book you published on the rack of the local bookstore. They don't need a warrant to browse around your open store in the local strip mall.

    And they don't need a warrant to download data you offered up to any member of the public and browse through it to find incriminating evidence.

  • *Disclaimer* I did not read the article. (Anyone surprised)
    By claiming that their 4th amendment rights were violated, they basically just pled guilty. The proper defense is "ZOMG some sicko hacked my WiFi!"

    • *Disclaimer* I did not read the article. (Anyone surprised) By claiming that their 4th amendment rights were violated, they basically just pled guilty. The proper defense is "ZOMG some sicko hacked my WiFi!"

      Not at all. There are plenty of circumstances where a 4th Amendment challenge may exist in addition to other legal and factual defenses. For example, let's say you are driving a convertible and get pulled over by the police for no good reason, and they proceed to search your car without probable cause and find a baggie of drugs in the back seat. You have two 4th Amendment challenges here - both to the stop, and also to the search. You also have a defense that the baggie in the back seat of a convertible

      • This is correct. The first stage of any criminal prosecution after arraignment is decisions on motions to exclude different type evidence that the prosecutor is required to disclose that they intent to use at trial. This could be 1) physical evidence, like the smoking gun, 2) statements such as interviews with the police or other admissions 3) or electronic evidence such as this.

  • So if one allows access to P2P indexers, those people cannot retroactively claim their privacy was violated. Reasonable enough. However, if Google records unencrypted WiFi broadcasts over public spectrum they are guilty of wiretapping? It seems like there's a double standard being applied by the courts.

  • Why do some of the biggest legal questions and issues seem to revolve around child pornography prosecutions?

No spitting on the Bus! Thank you, The Mgt.

Working...