Slashdot Mirror
Deja News Privacy Questioned
theGEEK writes "An
internet 'watchdog' discovered
that Deja News is
actually logging their users e-mail traffic." Is
this related to the recent thing about them tracking every
click through redirector scripts? Personally I'm not threatened,
but I'm not a privacy nut either. What do you think?
You know, I don't know too many people who would be even the slightest bit concerned about this. I know people who, when I try to talk about the P-III ID debacle, say, "So? How would that affect me?" Well, I personally don't give a flying f**k how it's going to affect you, but because you don't care, it's going to go on, and that will affect me and that's what bugs the $h!t out of me.
Those of us who actually are concerned about their privacy are a dying breed. I feel like when I'm an old man, I'm going to be constantly saying things like "Back in my days, we didn't have browsers that tracked everything you did and uploaded your bookmark list to the software company so they could send us targeted advertising and to the FBI every night so they could make sure you're not looking at anything 'illegal' or 'obscene'! Our operating systems didn't take inventories of our hard drives and send them back to Microsoft and the SPA to make sure we're not using any software that we're not supposed to. We didn't have EMail clients that CC'd everything we sent to the software company so they could send targeted advertising to everyone we talk to and to the NSA so they could make sure you're not talking about doing anything 'wrong' to anyone in government. We didn't have tracer implants that the police track 24 hours a day 7 days a week to 'make sure we're safe', but you know, since nobody cared about privacy, when all those things happened and nobody complained, the rest of us were forced to comply and we didn't like it!"
I worked there and it doesn't surprise me. They have, in common I suspect with many "internet" companies a rather contemptuous attitude towards their customers. They regard them, at least some of the time, a only a resource to be exploited, like some sort of human strip mine. I don't think this was malicious, just careless and born of an attitude that doesn't care.
But now the bigger issue: Privacy. What no one seems to think of is that allowing extensive anonymity on one's system does not a privacy policy make. These are two almost totally separate things. If you want privacy, you should be using PGP or GPG or some other form of encryption technology. If you want anonymity, go to the Anonymizer folks. (Although even they blur the line between the two.)
Privacy is a good thing. If I only want one person to be able to read an email intended for them, I'll bug them into getting and using PGP or something similarly strong. I hope that such people would bug me in return. It's also pretty hard to abuse someone's privacy. Invade it, yes. But cracking a PGP-encrypted message tends to be quite difficult and as long as you have good password policies, it's just that much more difficult.
Anonymity is also pretty good, to an extent. There are some times when you need to say something that would get you in trouble. (I'm talking more than the kind of stuff that gets you flamed; I mean the kind of stuff that'll get you fired from your job or something equally undesirable.) There needs to be that option. It is also very easy to abuse anonymity as is seen every day, over and over again, by spammers and flamers and trolls and their ilk on USENET and many other public "forum"-ish places. That is what needs to be controlled and I don't blame companies like Deja News who need to cover their asses so they can avoid being sued for doing any sort of logging. (Now, if they wanted your private PGP key and password, that's something entirely different and I won't go into that. Key escrow sucks, bigtime. (Okay, so I lied. But I won't get into it any further than that. (Unless you provoke me.)))
Get it straight, folks:
- Privacy != Anonymity
Mmmkay?Anonymity != Privacy
If you choose to use DejaNews for anything, any information you provide to them is thiers. Accept it. You are responsible for your own privacy, they are prefectly justified in tracking every link you click on. It's a FREE SERVICE. If you don't like it, don't use it.
(And I AM a privacy nut)
Most of the comments here are about keeping logs of mail that goes through their servers. IMHO, that's normal and expected, nobody should have a complaint there. (If you do, use a remailer)
The problem is that they have a link for the sender's email address. One might expect it to be a simple mailto: but it is not. It is a link to a CGI on their server which logs the information, and then redirects to an actual mailto.
In other words, they go out of their way, and add load to their already busy server in order to log that you decided to email the user. That happens even if the email does NOT go through their servers.
Personally, I doubt very much that they would add all that load to their server in order to NOT use the information gathered. I sure wouldn't.
Unlike a mail log, this IS a violation of privacy for the simple reason that they are collecting user information beyond what is customary, and they are not informing the user. As a side note, most ISPs DO inform the customer that their email is not to be considered private and that it may (read will) be logged.
log files have been around since the dawn of computers. The e-mail tracking does not surprise or even worry me. This is how it was and how it will be.
:)
... and missing.
Why is nobody up in arms with UPS/USPS/FedEx? They can also track your packages. They know your address. They know what you have sent and where it is going.
Its amazing how in one light, this tracking is a paid for feature, while in another light.. its an invasion of privacy.
As for taking an inventory of ones computer and sending it without said uses authorization, that is an invasion of privacy.
WWW tracking... hmmm, thats an interesting one. If the tracking is done from the server side (which would be practically impossable), I dont believe this is a problem. But if its a client side 'feature' that is enabled without the user knowing, that is where the problem starts.
Its not that I dont value my privacy, I just do not see it threatened by this. If netscape starts tracking url's... I'll switch browsers. If MS starts keeping track of my HD, I'll switch OS's (well, bad example for me, I run linux
0 1 --- just my 2 bits
paul
---------------------------------------
The art of flying is throwing yourself at the ground...
This is so stupid. According to everything I read on that ZD page,they know what email was sent and to whom AND they (oh my gosh) know the IP's too!
/var/log/maillog and tell you the EXACT same info. Hell, I can even tell you when people are checking their mail.
... and missing.
Lets see, I am currently in charge of the e-mail server at work. I can go into
Does this mean I'm collecting email addresses because I keep a log file of the traffic on my server? I even back up the server to tape so I must be archiving this info for my evil plan to send e-mail to everyone on the planet.
The bottom line is... Who gives a shit. Its a log file. People are becoming WAY to sensitive about this kind of stuff.
The smallest company to the largest corperation should have backups of their data. If this includes log files of when email was sent.. so-be it.
Hmmm, I also have root on the mail server which gives me the ability to read the email too. Why havent I seen a news-flash on the admins ability to read e-mail that is not their own?
I'll just file this one under FUD
---------------------------------------
The art of flying is throwing yourself at the ground...
They put redirects on the email addresses, but they can't track the actual mail being sent - that's between you and your mail server, not DejaNews.
I'm not clear on what commercially valid use could be made of this information - I can see how they want to know, in the aggregate, what URLs their users visit, but I can't see any commercial merit in knowing who I write to. Perhaps someone from DejaNews can respond to this.
Of course if you're concerned about this, there is an easy fix - don't click on the email link. The email address is easily visible in the message headers, and you can bring up a new email window and cut/paste or type in the address yourself. The link is just a convenience for lazy people - such as myself, and - probably - most of us.
D
----
There seem to be a lot of people out there (especially sys admins), who are saying, "This is no big deal. Everyone store logs, etc." Hello. Excuse me...you're not getting it. Lets all be clear here on exactly what's going on.
Go to DejaNews and look at a Usenet posting. Next to the Author's name, you'll see that DejaNews was nice enough to provide a link with the authors email address so that with a simple click you can email the author. Fair enough, that's helpful (and something I expect). The problem is, it's NOT a simple mailto:foo@bar.com link. It links back to DejaNews. DejaNews sees this, and says to itself, "Hey, Joe Blow just clicked on a link to email foo@bar.com." Then it redirects to something link mailto:foo@bar.com, which causes your mail client to pop up, all ready to email to foo@bar.com. At this point, DejaNews is out of the picture (you're sending email to foo@ on your PC using your mail client and your IPS' SMTP server). But DejaNews has already made a note that you at least clicked on the link to email them (you could change your mind and cancel and DejaNews wouldn't know the difference). The point here is that DejaNews doesn't have to do it this way. They could've simply put the link to the person's email directly on the page (which would've been much simpler), in which case they would have no way of knowing if you clicked it. They're specifically going out of their way to make note of the fact that you clicked on the link to email someone. Someone, somewhere, made a deliberate, conscious decision to go to the extra trouble of logging this. It's not some incidental log.
Realistically, I do think it's that big of deal. But this is not the simple sendmail log that all the I-love-to-jump-to-conclusions idiots who've only skimmed the story without actually understanding it are claiming it is.
Randy Weems
reems@nospam.hotmail.com
Alright, so dejanews knows which ip address sent an e-mail to whom. Well, Rob right here on slashdot can know precisely at what time of the day i visited his site. Microsoft can have a detailed log of their visitors. Logging is something that any sensible sysadmin does. Someone who manages a service as important as dejanews' or any other site needs some info. It could be to improve performance in certain areas, or to show some people who work with ties (people with big salaries who decide where the money goes) that the thing they're paying for is worth it. They need to show advertisers (their main source of revenue) that their investment is not worthless.
It is true however that such info could have some use. But such things should remain confidential to the company and not be publiczed such as on zdnet. This stuff has been going on for more than a yer now, and it didn't bother anyone, even if they didn't know it. Why should they start today?
True. Maybe Dejanews should have said somewhere in the fine print that they were doing this (and actually, maybe they do). But don't say that because they log who you e-mail to infringes your privacy. Please...
Maan
bsat@iprolink.ch
(I hope you don't mind that I log the e-mails I receive. Do you really wanna see this kind of disclaimers on sites...)
Although I do worry about online privacy, I think
it is unfair to single out DejaNews like this. By
default Sendmail logs the sender and recipient of
every piece of email it handles, and Sendmail is on
something like 90% of all computers that handle
Internet email. This information has valid uses,
such as tracking down spammers, and identifying
misconfigured mail servers and clients.
The problem is that the information is collected regardless of whether the user has an email account with DejaNews or not. The idea is that if you click on a link in an article you retrieved from DejaNews, you are not sent to the link you see on the screen. Instead you are sent to a script on the DejaNews site that records whatever statistics they keep and then redirects you to the link you thought you were following. So, in other words, if the highlighted link reads:
http://mailto:rlink@indiana.edu
The actual link is:
http://x12.dejanews.com/jump/mailto:rlink@india
Now, this is easy enough to avoid by simply cutting and pasting the displayed URL into your browser's location field, but the point is that most users would not think to do this because there is no indication that the link is anything other than what it appears to be. Regardless of what you think about privacy, collecting this information covertly is, at best, underhanded.
While we're on the topic, several other people have replied comparing this practice to sendmail's logging. I think this analogy is flawed. Sendmail records logs of local activity; these logs are necessary to administer the local mail server. DejaNews, on the other hand has no legitimate reason to keep this information, since the mail is not going through their server. Moreover, if my local administrator misuses the information in the system logs he is accountable under the terms of service that I agreed to when I got my account. No such accountability exists with DejaNews, since I have never made any formal agreement. I find this troubling.
Finally, some people have said that they don't really need privacy, since they don't care if people know who they send mail to. They are welcome to make that choice, but many people do have legitimate reasons for wanting to keep their correspondence private. The burden should not be on them to prove their need for privacy; instead let those who want us to waive our privacy show some compelling reason why we should.
-r