Slashdot Mirror
Deja News Privacy Questioned
theGEEK writes "An
internet 'watchdog' discovered
that Deja News is
actually logging their users e-mail traffic." Is
this related to the recent thing about them tracking every
click through redirector scripts? Personally I'm not threatened,
but I'm not a privacy nut either. What do you think?
If I worked at the company you're doing sysadmin for, and I found out you were reading my EMails as they went through the company mail server, I would file a formal complaint that my privacy was being violated. If the company had a policy that said it was basically OK for anyone to read the EMail going through their systems, I would quit. (Although in that case, I probably never would have started working there to begin with, or I would never use the corporate EMail system to send anything that I would consider even slightly private or sensitive.)
Just because you don't care, don't make the false assumption that others don't care.
users use the service for free.
customers pay for advertising.
Ahhh... yes. Mail logs. As has been pointed out, most ISP's will have default logs of your mailing activity. The valid reasons for these logs have also been mentioned.
What hasn't been mentioned is what valid reason does Dejanews have for logging this traffic?
Nobody can have complete freedom in a large society. For example, I give up the "right" to drive my car anywhere I want to. Instead, I am forced to follow specific rules like staying on the right side of the road, stopping at red lights, etc... Without these rules, society would be pure chaos. As society grows larger and more inter-connected with the Internet, there is no doubt the "rights" of the individual will decrease. I'm not saying Dejanews is right or wrong, but this is just something to ponder.
Also, what I personally find really funny is how the Slashdot "community" is vehemently opposed to patents and copyrights on music but when it comes to their personal stuff, they scream bloody murder.
Scott
The man's right. Would you want marketing agencies watching your car licence plates, tracking you down through them and sending you crap based on where you work, what you drive and what sunglasses you wear?
We all know the answer to the one about our puters sending info back to Microsoft, of course.
As for the PIII stuff, I'm so paranoid I still use a 486. And that is the reason, honest. As for wossname from Sun saying 'You don't have privacy, get over it' - well he can just go and piss up a rope. I won't get over it, because my privacy is important to me. That's why I'll refuse any move to bring in ID cards in the UK - if I want someone to know who I am, I'kll tell them myself.
What are ya going to compile the open source software with? gcc? What was gcc compiled with?
By the way, your e-mail can be read at any of the hosts through which it travels between your e-mail client and the recipient's e-mail client. So don't forget to do a traceroute and lodge a formal complaint
I hope your sysadmin can keep from laughing in your face when you lodge your "formal complaint." I know that I couldn't keep a straight face.
-Another Privacy Advocate who grows tired of false alarms
you're concerned about privacy, but a quick click over to your homepage nets me your name, birth data/place, and you employer's name, etc. i'm not sure just what you think deja was getting from you, but i doubt it was anything more than you're giving away yourself.
Save me from self-appointed experts. This is the same joker who "helped trace" the author of the Melissa worm with the GUID?
Hello? The GUID didn't point to the guy they've arrested! It pointed to someone who allegedly wrote a virus which was the starting point for Melissa. I can't see this as helpful and it could have potentially wasted the time of the investigators.
This sounds like another "computer security expert" who has figured out he can get more mileage from self-promotion and buzzwords than from actually doing anything.
As far as I'm concerned, adding your IP to messages is a good thing. Not as far as privacy is concerned, but for the quality of Usenet on the whole -- there's several reasons most NNTP servers add a NNTP-Posting-Host header to messages, and one of these is to track down off-topic/obscene/etc. postings so that readers can complain to the right sysadmins. If such an easy and accessible method as Dejanews for completely anonymous posting existed, I have a feeling that we'd see a lot more junk posts on usenet than we already do. Look - if you are really serious about privacy, find a news server that does not include posting IP info. Otherwise, feel free to stick with Dejanews.
What was gcc compiled with? Probably gcc. It's called bootstrapping.
You're responsible for mail you relay. DejaNews is not responsible for the mail I send to Joe User with my own resources.
*Every* mailto: link goes into DejaNews' log, even when I'm *not* using DejaNews as a mail server.
I think the comment wondering about what your copy of gcc was compiled with is a reference to a paper that was done by Kernigan or Ritchie or Pike (or one of those early C/unix guys). He created a backdoor in the compiler so that it would recognize when the compiler itself was being recompiled, and it would reinsert the backdoor into the object code even when the backdoor had been deleted from the compiler source. Therefore the compiler source could go public with no indication of the backdoor, but a recompile would not remove the backdoor.
The point of the paper was that you could never be 100% certain of the security of your programs unless you were 100% responsible for the tools (all the way back to the beginning - no bootstrapping allowed).
If they just put the email addresses on the
web site, then it would make life very easy for
spammers who want to harvest them. So if you need
to click to get the email address they can limit
the number you get, or some other such measure.
Most of the commercial web archives of mailing
lists do this as well. It makes sense to me.
Say I'm bill@a.invalid, and I click a DejaNews link to ted@b.invalid. They log my IP my browser is using and the destination address, and then redirect my browser to mailto:ted@b.invalid. The mail goes straight from a.invalid to b.invalid, never touching DejaNews' servers. Yet they're spending cycles on remembering which machine sent it, and to whom. Is there any defensible reason for a good person to want to know that?
Traffic analysis is almost as big a problem as non-confidentiality of messages. Even with GPG, without trusting a good remailer network They will know who to bribe/rubber-hose/subpoena, simply because They know who you were talking to.
Whoa baby! Does anybody else see the stupidity
in this? Log files are DISCOVERABLE by
attorneys! In other words, if you find yourself
at law, lawyers can get discovery orders and have
you spend weeks reviewing old logs at their
behest. Smart sysadmins ROTATE their logs on a
regular basis and exclude them from backups.
Remember all those archived E-mail messages that
got Microsoft in trouble? Somebody sue them,
quick! They'll be spending useless man-years!
nuff said
You gutless AC
I do have an expectation of privacy when the site bears the TrustE logo and the DejaNews website has no mention of the fact that they're logging stuff like this.
I wish we had topics for discussion like this in my "Computers in Society" class.
CiS here consisted a semester of brain-wracking questions like "is it wrong to save a copy of the software developed at work, and sell it out of your garage, after you signed a bulletproof NDA and are under a strict military security clearance?" hm.
Some very good points...
Re: the robots.txt thing, though, I was under
the impression that DejaNews (and perhaps other
archives) respected a header called x-no-archive
that serves much the same purpose.
Any machine that isn't secure from vandalism should be behind a firewall that is. And that's nothing like what hackers really do anyway.
The method that they used for logging is pretty easy to infer from the links that show up in the pages your browser receives.
Why does anyone owe DejaNews "confidentiality" with respect to this?
If you're so concerned about your "so called" privacy, then why the hell...
...talk to other people
...go shopping
etc.
Did you know that dejanews attaches your very own ip address to the message you sent to a newsgroup. This is in my opinion much more damaging than logging someone's e-mail (I would certainly log mail if I had my e-mail server). So forget sending
anonymous posts into newsgroups with dejanews if you can be identified by the ip address..
I believe this article was referring to traffic
to accounts on my-dejanews.com, which provides
web-based e-mail if I am not mistaken. They can
track this, with a few scripts to track outgoing
mail, and a Procmail recipe or some other method
of storing incoming mail. This must make things
hell of convenient for organizations like the FBI.
Sadly, if the direct links were stored on the pages as you suggest, unscrupulous spammers and bots would use them as a direct method of harvesting user email addresses. By having the level of indirection, it becomes trivial to spot such abuse.
Worse, they could use the facilities of the Deja News search engine to target posts from people using key words and phrases. I get quite enough spam as it is and this is one of the problems with using Usenet directly.
You know, I don't know too many people who would be even the slightest bit concerned about this. I know people who, when I try to talk about the P-III ID debacle, say, "So? How would that affect me?" Well, I personally don't give a flying f**k how it's going to affect you, but because you don't care, it's going to go on, and that will affect me and that's what bugs the $h!t out of me.
Those of us who actually are concerned about their privacy are a dying breed. I feel like when I'm an old man, I'm going to be constantly saying things like "Back in my days, we didn't have browsers that tracked everything you did and uploaded your bookmark list to the software company so they could send us targeted advertising and to the FBI every night so they could make sure you're not looking at anything 'illegal' or 'obscene'! Our operating systems didn't take inventories of our hard drives and send them back to Microsoft and the SPA to make sure we're not using any software that we're not supposed to. We didn't have EMail clients that CC'd everything we sent to the software company so they could send targeted advertising to everyone we talk to and to the NSA so they could make sure you're not talking about doing anything 'wrong' to anyone in government. We didn't have tracer implants that the police track 24 hours a day 7 days a week to 'make sure we're safe', but you know, since nobody cared about privacy, when all those things happened and nobody complained, the rest of us were forced to comply and we didn't like it!"
I worked there and it doesn't surprise me. They have, in common I suspect with many "internet" companies a rather contemptuous attitude towards their customers. They regard them, at least some of the time, a only a resource to be exploited, like some sort of human strip mine. I don't think this was malicious, just careless and born of an attitude that doesn't care.
Posted by Mojoski:
It's all you need to be secure...
- pri-vate (prI vet) adj. [[ME pryvat privatus, belonging to oneself, not to the state privare, to separate, deprive privus, separate, peculiar, prob. akin to OL pri: see PRIME]] 1 of, belonging to, or concerning a particular person or group; not common or general [private property, a private joke] 2 not open to, intended for, or controlled by the public [a private school] 3 for an individual person [a private room in a hospital] 4 not holding public office [a private citizen] 5 away from public view; secluded [a private dining room] 6 not publicly or generally known; confidential [...] 7 tending to keep one's personal matters to oneself [...] 8 carried out on an individual basis [...] 9 engaged in work independent of institutions, organizations, agencies, etc.
Nope, I don't see your definition of "private" in there. I think your definition of that word is just an extension of anonymity.And how does DejaNews go out of it's way to find out who emails who when people are willingly using their service to send email to one-another? I mean, if you're that anal about it, I hope you don't ever send anyone mail via the postal service. How do you think some of the junk mail companies get your address, anyway? You think they don't have a deal with the post office to send random crap out to your own mailbox? (At least in the US, that's the case.) The only way to avoid that is to not get a mailbox in the first place or to just never use your mailbox. Pretty bloody likely, right?
Think of DejaNews as a sort of post office and the 'net in general as just a carrier (which is a half-way decent, though not fully correct, analogy IMHO) and my rant will make a bit of sense.
But now the bigger issue: Privacy. What no one seems to think of is that allowing extensive anonymity on one's system does not a privacy policy make. These are two almost totally separate things. If you want privacy, you should be using PGP or GPG or some other form of encryption technology. If you want anonymity, go to the Anonymizer folks. (Although even they blur the line between the two.)
Privacy is a good thing. If I only want one person to be able to read an email intended for them, I'll bug them into getting and using PGP or something similarly strong. I hope that such people would bug me in return. It's also pretty hard to abuse someone's privacy. Invade it, yes. But cracking a PGP-encrypted message tends to be quite difficult and as long as you have good password policies, it's just that much more difficult.
Anonymity is also pretty good, to an extent. There are some times when you need to say something that would get you in trouble. (I'm talking more than the kind of stuff that gets you flamed; I mean the kind of stuff that'll get you fired from your job or something equally undesirable.) There needs to be that option. It is also very easy to abuse anonymity as is seen every day, over and over again, by spammers and flamers and trolls and their ilk on USENET and many other public "forum"-ish places. That is what needs to be controlled and I don't blame companies like Deja News who need to cover their asses so they can avoid being sued for doing any sort of logging. (Now, if they wanted your private PGP key and password, that's something entirely different and I won't go into that. Key escrow sucks, bigtime. (Okay, so I lied. But I won't get into it any further than that. (Unless you provoke me.)))
Get it straight, folks:
- Privacy != Anonymity
Mmmkay?Anonymity != Privacy
These aren't subscribers, the are users using a free service. Collecting metrics on your user base and selling them is quite legal.
If you choose to use DejaNews for anything, any information you provide to them is thiers. Accept it. You are responsible for your own privacy, they are prefectly justified in tracking every link you click on. It's a FREE SERVICE. If you don't like it, don't use it.
(And I AM a privacy nut)
I could buy that if the url contained a reference number that the CGI looks up for you, but that's not the case. The poster's email address is shown in full, and is repeated in the href attribute of the 'a' tag. Address harvesting software will have no problem getting the address without sending the query.
FedEx, UPS, USPS only know what they need to know to perform their service. What DejaNews is doing is more like the paper boy going through your mailbox.
Most of the comments here are about keeping logs of mail that goes through their servers. IMHO, that's normal and expected, nobody should have a complaint there. (If you do, use a remailer)
The problem is that they have a link for the sender's email address. One might expect it to be a simple mailto: but it is not. It is a link to a CGI on their server which logs the information, and then redirects to an actual mailto.
In other words, they go out of their way, and add load to their already busy server in order to log that you decided to email the user. That happens even if the email does NOT go through their servers.
Personally, I doubt very much that they would add all that load to their server in order to NOT use the information gathered. I sure wouldn't.
Unlike a mail log, this IS a violation of privacy for the simple reason that they are collecting user information beyond what is customary, and they are not informing the user. As a side note, most ISPs DO inform the customer that their email is not to be considered private and that it may (read will) be logged.
This is that whole accountability vs. anonymity thing. That is, complete anonymity == no accountability (whether that truth is exploited or not). Of course, this is all your basic food for thought in that mandatory CS Ethics class that they require now, so I'll just shut up. =)
Pax -- Ob
Shoot, the sysadmin can even delete all your files if he wants to. "What was your username again? *clickety-click*". But he doesn't. Logfiles aren't necessarily a privacy invasion; it's only a privacy invasion if inappropriate use is made of those logfiles. Using them to track down a spammer would be appropriate use. Using them to sell info to advertising companies would be inappropriate use.
BTW, by using the pronoun "he" for sysadmins I do not mean to imply that all sysadmins are male. It's just more convenient to use the generic "he".
-----
The real meaning of the GNU GPL:
"The Source will be with you... Always."
Yeah, DejaNews and just about every other mail
server on the planet does this. How is this news?
Logging source address/ip and dest address is
common practice and pretty requisite for running
a mail server.
--
Kevin Doherty
kdoherty+slashdot@jurai.net
Kevin Doherty
kdoherty+slashdot@jurai.net
| Why is nobody up in arms with UPS/USPS/FedEx?
...
| They can also track your packages. They know
| your address. They know what you have sent and
| where it is going.
| Its amazing how in one light, this tracking is
| a paid for feature, while in another light..
| its an invasion of privacy.
The only issue of merit here is consent, really. Nobody's up in arms over UPS and Fed Ex because their tracking *is* a feature. We pay for it because it does something useful for us - namely, allowing us to know if package Y we sent to customer X was delivered. We know about this tracking up front, and - as you say - it's an advertised feature.
It's people tracking covertly that gets privacy advocates up in arms - especially if they lie about it (which is what the ZD article seems to be implying - whether it's true or not I have no idea, as I don't use Deja for anything other than searching usenet). If it's upfront, well, that's just the price of the service.
Just so long as Deja doesn't start selling "1000000 GOOD EMAIL ADDRESSES"
-- Rick
just wanted to say that this comment is mine and I somehow got logged out.
... and missing.
grrrrr
---------------------------------------
The art of flying is throwing yourself at the ground...
and that is why I use an earlier version of NS
... and missing.
---------------------------------------
The art of flying is throwing yourself at the ground...
And these reasons are what? To track how much usage from what hosts are coming throught the server? Oh my... thats sounds just like what they are doing with the email things.. just keeping track of how much people actually use their system.
The whole thing (still) boils down to WHAT they plan on doing with this data. If they make pretty graphs to make management happy.. that good. If they make pretty lists of e-mail addys to make mass mailers happy.. thats bad.
I still see no problem with collecting this data IF they use it for internal use only.
---------------------------------------
The art of flying is throwing yourself at the ground...
I just thought of something.
... and missing.
If people had all the privacy that they aparently so desire, we would be reduced to anarchy.
There would be no logs of who did what. No records of finger prints. Nothing.
Keeping records is what people do. Must be some DNA thing or something (which we are also trying to record) HEY ROB... You better delete all the comments 1.342 seconds after they are posted or you may be keeping illegal logs!
::sigh:: Tiz a sad society when we have children shooting each other, and all some worry about is that an IP was logged with an e-mail.
(i dont feel like previewing.. hope this looks good)
---------------------------------------
The art of flying is throwing yourself at the ground...
log files have been around since the dawn of computers. The e-mail tracking does not surprise or even worry me. This is how it was and how it will be.
:)
... and missing.
Why is nobody up in arms with UPS/USPS/FedEx? They can also track your packages. They know your address. They know what you have sent and where it is going.
Its amazing how in one light, this tracking is a paid for feature, while in another light.. its an invasion of privacy.
As for taking an inventory of ones computer and sending it without said uses authorization, that is an invasion of privacy.
WWW tracking... hmmm, thats an interesting one. If the tracking is done from the server side (which would be practically impossable), I dont believe this is a problem. But if its a client side 'feature' that is enabled without the user knowing, that is where the problem starts.
Its not that I dont value my privacy, I just do not see it threatened by this. If netscape starts tracking url's... I'll switch browsers. If MS starts keeping track of my HD, I'll switch OS's (well, bad example for me, I run linux
0 1 --- just my 2 bits
paul
---------------------------------------
The art of flying is throwing yourself at the ground...
This is so stupid. According to everything I read on that ZD page,they know what email was sent and to whom AND they (oh my gosh) know the IP's too!
/var/log/maillog and tell you the EXACT same info. Hell, I can even tell you when people are checking their mail.
... and missing.
Lets see, I am currently in charge of the e-mail server at work. I can go into
Does this mean I'm collecting email addresses because I keep a log file of the traffic on my server? I even back up the server to tape so I must be archiving this info for my evil plan to send e-mail to everyone on the planet.
The bottom line is... Who gives a shit. Its a log file. People are becoming WAY to sensitive about this kind of stuff.
The smallest company to the largest corperation should have backups of their data. If this includes log files of when email was sent.. so-be it.
Hmmm, I also have root on the mail server which gives me the ability to read the email too. Why havent I seen a news-flash on the admins ability to read e-mail that is not their own?
I'll just file this one under FUD
---------------------------------------
The art of flying is throwing yourself at the ground...
Is there some reason why DejaNews would want to help out the FBI in this way?
As another poster noted, DejaNews accounts are not anonymous - at minimum, they are always tied to an ISP-based email address.
At any rate, the real problem for privacy advocates is rather different - it's as I state above, and is entirely unrelated to the DejaNews mail or posting accounts. After all, by their very nature, you have to send the text of mail sent or messages posted to DejaNews through their service.
D
----
They put redirects on the email addresses, but they can't track the actual mail being sent - that's between you and your mail server, not DejaNews.
I'm not clear on what commercially valid use could be made of this information - I can see how they want to know, in the aggregate, what URLs their users visit, but I can't see any commercial merit in knowing who I write to. Perhaps someone from DejaNews can respond to this.
Of course if you're concerned about this, there is an easy fix - don't click on the email link. The email address is easily visible in the message headers, and you can bring up a new email window and cut/paste or type in the address yourself. The link is just a convenience for lazy people - such as myself, and - probably - most of us.
D
----
"We didn't have tracer implants that the police track 24 hours a day 7 days a week to 'make sure we're safe'"
I like my tracer implant, but sometimes it kind of aches in wet weather, and sometimes it tells me to do things I don't want to do.
Is there a bug fix I can download for this?
Thanks for being the voice of reason. You're right that DejaNews is going out of their way to generate this log. It's not just a matter of standard mail server procedures.
My concern is how issues like this are handled. The best solution to this is don't use DejaNews. But the article hints that congressional bills may address the issue.
DejaNews has crossed the line! What do we do!?! Somebody call Strom Thurmond or Ted Kennedy! Maybe Al "Alpha Geek" Gore could help.
Everyone has a hard-on for the DOJ to slap Microsoft, but once government steps into the ring, they become the only true player. The internet (and the computer industry in general) has been blissfully free of congressional interference. Don't encourage the alterantive.
The privacy concern isn't about my-dejanews e-mail accounts (which are logged, as you note, through sendmail or Exchange or whatever they're using, and would be expected to do so).
This is about clicking on e-mail addresses on a dejanews Usenet post, which would normally be between you and your browser. They redirect this mailto link, presumably to track it. Perhaps they're just counting how often this happens, but one has to wonder why they need the information. Particularly since they don't disclose it -- you have to notice it, and most people wouldn't have any idea that it was different from a normal mailto: link.
lake effect weblog
{Network engineer in Chicago--looking for work!}
Since I have been doing this crazy online thing (1982) it has been absolutely positively known, and I believe impossible for a company to assert otherwise, that electronic mail is viewable by the administrator of the system. Now perhaps outgoing mail might be less available to a particular admin but the fact is that the information is sitting on someones computer... FURTHERMORE since folks don't seem to get it, I will repeat something I used to say on IRC back in 1993... EVERYTHING I SAY IS EASILY MONITORED BY ANYONE WHO GIVES A DAMN. There are too many access points to monitor any given persons communications. Thats why we needed PGP and why the battle for encryption is so important. The issue of merely logging sendmail or otherwise is trivial. It is my mailserver. I definately want to know what is going on with it. Personally I don't read my users mail, but sometimes they ASK me to check something that is wrong with their mail. Sometimes they DON'T want that 6meg file that some idiot sent them which is beating on their poor windows ppp session. So as an administrator, the fact is that I got ROOT for a reason. How I USE the information I have access to is what is important. If Dejanews is doing something with the info they are collecting that is counter to the wellbeing of those who are using their services then by all means make a fuss, and tell people. But if what they are doing is collecting data to analyze for the purposes generally suspected, that of usage monitoring, security, optimization, well who the hell cares.
The fact is that one cannot technically prove anything based on logs. Those logs can be forged, or tampered with. There is no verification that the person who sent the email was represented appropriately, or that the person recieving the email ever truly did. Email is still a format that has not been defined well officially. Until we see official signatures and other methods, we are in a zone where the legality of an email message is dependent on many things that can't be controled by the user or admin...
I have spoken to friends about this, people who handle the email of law firms and security traders... The lawfirms try to clear the email off the systems because of discovery (if they deleted the message then a subpoena doesn't matter). The ones with the brokerages have to back up every email sent in or out, because THEY are required to have all communications documented by the the SEC...
So go figure. And truly, free email accounts cost you nothing and while they don't cost MUCH for the server, they do cost something. It is easy enough for a person to get a tcp/ip connection, and hook up a linux box to have their own mail server. Then log all you want or don't want...
Blah...
------
This message is under surveilance by the NSA. If you are reading this message you will be contacted by the NSA. The code word is 'excuse me'... If someone contacts you with this information, you submit immediately to a fullcavity strip search...
Thank you for your cooperation.
If your so concerend about your "so called" privacy, then why the hell are you on the internet?
End Transmission....
Since "mailto" is a "special purpose" type of tag that may have new features added to its specification at some point in the future, the programmer may have provided the redirection link as a modular layer of abstraction that would allow for changing the way addresses are handled.
For instance, if the user is a DejaMail customer, it might load the DejaNews "compose" page instead of telling your browser to send mail. Or perhaps it could add a Refers-To-Article: header or something to the email, but only if the browser could handle it.
Who cares, really? I went to DejaNews and wanted to email someone. I just copy-and-pasted their email address after I looked at my browser's status line and realized it wasn't a mailto: link.
I've read all the arguments: everyone does this, people can get the information other ways, the information isn't useful anyway.
Not with my Deja account, they don't.
I just deleted my Deja Community, and sent Deja instructions to delete my email account and my profile.
Deja needs to be slapped.
-- "In order to have power, I must be taken seriously." -Mojo Jojo
Uhh, the first sentence of that last paragraph should've been, "Realistically, I DON'T think it's that big of a deal."
- exactly
what's going on.Go to DejaNews and look at a Usenet posting. Next to the Author's name, you'll see that DejaNews was nice enough to provide a link with the authors email address so that with a simple click you can email the author. Fair enough, that's helpful (and something I expect). The problem is, it's NOT a simple mailto:foo@bar.com link. It links back to DejaNews. DejaNews sees this, and says to itself, "Hey, Joe Blow just clicked on a link to email foo@bar.com." Then it redirects to something link mailto:foo@bar.com, which causes your mail client to pop up, all ready to email to foo@bar.com. At this point, DejaNews is out of the picture (you're sending email to foo@ on your PC using your mail client and your IPS' SMTP server). But DejaNews has already made a note that you at least clicked on the link to email them (you could change your mind and cancel and DejaNews wouldn't know the difference). The point here is that DejaNews doesn't have to do it this way. They could've simply put the link to the person's email directly on the page (which would've been much simpler), in which case they would have no way of knowing if you clicked it. They're specifically going out of their way to make note of the fact that you clicked on the link to email someone. Someone, somewhere, made a deliberate, conscious decision to go to the extra trouble of logging this. It's not some incidental log.
Randy Weems
rweems@home.com
There seem to be a lot of people out there (especially sys admins), who are saying, "This is no big deal. Everyone store logs, etc." Hello. Excuse me...you're not getting it. Lets all be clear here on exactly what's going on.
Go to DejaNews and look at a Usenet posting. Next to the Author's name, you'll see that DejaNews was nice enough to provide a link with the authors email address so that with a simple click you can email the author. Fair enough, that's helpful (and something I expect). The problem is, it's NOT a simple mailto:foo@bar.com link. It links back to DejaNews. DejaNews sees this, and says to itself, "Hey, Joe Blow just clicked on a link to email foo@bar.com." Then it redirects to something link mailto:foo@bar.com, which causes your mail client to pop up, all ready to email to foo@bar.com. At this point, DejaNews is out of the picture (you're sending email to foo@ on your PC using your mail client and your IPS' SMTP server). But DejaNews has already made a note that you at least clicked on the link to email them (you could change your mind and cancel and DejaNews wouldn't know the difference). The point here is that DejaNews doesn't have to do it this way. They could've simply put the link to the person's email directly on the page (which would've been much simpler), in which case they would have no way of knowing if you clicked it. They're specifically going out of their way to make note of the fact that you clicked on the link to email someone. Someone, somewhere, made a deliberate, conscious decision to go to the extra trouble of logging this. It's not some incidental log.
Realistically, I do think it's that big of deal. But this is not the simple sendmail log that all the I-love-to-jump-to-conclusions idiots who've only skimmed the story without actually understanding it are claiming it is.
Randy Weems
reems@nospam.hotmail.com
Alright, so dejanews knows which ip address sent an e-mail to whom. Well, Rob right here on slashdot can know precisely at what time of the day i visited his site. Microsoft can have a detailed log of their visitors. Logging is something that any sensible sysadmin does. Someone who manages a service as important as dejanews' or any other site needs some info. It could be to improve performance in certain areas, or to show some people who work with ties (people with big salaries who decide where the money goes) that the thing they're paying for is worth it. They need to show advertisers (their main source of revenue) that their investment is not worthless.
It is true however that such info could have some use. But such things should remain confidential to the company and not be publiczed such as on zdnet. This stuff has been going on for more than a yer now, and it didn't bother anyone, even if they didn't know it. Why should they start today?
True. Maybe Dejanews should have said somewhere in the fine print that they were doing this (and actually, maybe they do). But don't say that because they log who you e-mail to infringes your privacy. Please...
Maan
bsat@iprolink.ch
(I hope you don't mind that I log the e-mails I receive. Do you really wanna see this kind of disclaimers on sites...)
Of course sendmail does logging but this is something entirely different. DejaNews isn't logging mail that's going through their server, they're keeping track of email addresses that users click on in Usenet posts. This clearly is not something that they need to track for system admin purposes. It's snooping. The article quotes DejaNews reps as saying that "the logging is incidental" and "they have no intention of keeping the records for any purpose at all." Then why do it?
I have to wonder... . This has nothing to do with running a mail server. This has nothing to do with loging for sys admin purposes. One more time: When a user clicks on an email address in a Usenet post, Dejanews records that address. What your SMTP server does is not the issue here.
They could be doing it for all the big brother reasons people are suggesting, but they are probably also doing it for accountability reasons. We run a free email provider, and we keep the typical sendmail logs that everyone else does. Why? Because we have a responsibility to the Internet public to stop abuse of our systems (and subsequently other systems). The most common use here is spam. In the rare event that someone sends out a "spam" (which by many supposed anti-spam activists has been expanded to the mean email from anyone you don't know), we need to do what we can to stop that person. The only way we can do this is by checking the IP they sent the mail from. If someone is doing someing illegal, like child pornography, law enforcement will request logs. These are really the only reason for having them. We dont have reports on all our users, we dont use logs for demographic targetting, but keeping this information is essential to keeping the Internet a usable environment. My personal opinion is that the anonyminity the Internet used to provide was an anomaly, not a right. You should be willing to accept the consequences of your actions.
This is not the greatest sig in the world, this is just a tribute.
if tracking your habits gives them a valid
excuse to give you a free email account, stop
complaining.
This is only true if you are informed up front of that aspect of the deal. Since they did not -- since in fact their privacy policy said otherwise -- your admonition is way out of line.
--
Some keywords for the NSA in the Lord of the Rings universe: One Ring bind find Sauron quest Nazgul freedom
They have to make their money somehow, and if tracking your habits gives them a valid excuse to give you a free email account, stop complaining.
-gonzo
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Although I do worry about online privacy, I think
it is unfair to single out DejaNews like this. By
default Sendmail logs the sender and recipient of
every piece of email it handles, and Sendmail is on
something like 90% of all computers that handle
Internet email. This information has valid uses,
such as tracking down spammers, and identifying
misconfigured mail servers and clients.
I am an engineer with a Dutch search engine, and I had this discussion with my colleagues once: whether or not we should add link-redirection. We had a very good technical reason to do so, since the poularity of links can be used to improve the relevance ranking of the engine big time (cf. DirectHit). Now, this is a much better reason than just "adding another layer of abstraction". However, the proposal was immediately discarded by my superiors, on privacy grounds. They felt people were much too itchy about this stuff and we'd better leave it alone.
I am positive that Dejanews knew exactly what they were doing, and what the risks involved were.
It is not coincedence that a problem like this pops up at a company like Dejanews. Dejanews' core business has always been on the verge of privacy violation. We all love Dejanews because it helps us tame the mind boggling amount of information that flows through usenet every day. And DejaNews' value will only continue to increase as the years go by. Imagine what a valuable research tool it will be to the future anthropologist trying to trace the evolution of certain memes through the history of internet.
However, there is a darker side. The same power that we have all come to love allows us to trace individuals just as easy as those interesting memes. And you don't need a subpoena to do so. Imagine the amount of information you can find about yourself on DejaNews in fifty years! Even if you are a mildly active usenet personality, your whole life will be out there, ready to get datamined by any dirt-digger, biographer, stalker or power-hungry megacorporation.
Sure, it's possible to "trick" DejaNews by using different aliases or email addresses. But that is a major pain in the *ss (try teaching your mum just how to do that), and forces you to actively defend your privacy instead of being able to trust yourself to remain reasonably anonymous. (And besides that, you can pretty sure that within a couple of years there will be plenty computing power to recognize a poster just by her verbal fingerprint instead of her email address. Think spelling errors here: how many people know how to spell "potatoe"?)
Dejanews has been a mixed blessing right from the start. It feeds on semi-private information and offers us a great tool in return. What we witness with the mail-click thing, is that people are irritated at the fact that they don't get anything in return for this information, not at the bare fact that their privacy is violated. Their privacy has been systematically violated by Dejanews all along, and they didn't really care.
Maybe we should have something like robots.txt for usenet. That would help, at least a little bit.
--
Being well balanced is overrated. -- John Carmack
In his writeup in Risks 20.36 Richard Smith (one of the folks that reported the tracking policy) points out that keeping too much information poses a risk to the Website or ISP collecting the information as well as to the users who are being monitored. To summarize his argument, the more information these sites collect, the more likely they are to get dragged into a legal dispute that doesn't really involve them directly. So, an argument can be made that respecting users' privacy is beneficial for users and ISPs alike.
-r
If you read the article... it says that anyone cane actually search this info...
-
BlackNova Traders