
How Verizon and Turn Defeat Browser Privacy Protections - fortmeaded
https://www.eff.org/deeplinks/2015/01/verizon-and-turn-break-browser-privacy-protections
======
randomwalker
Some additional research that came out today, with more details of the various
things Verizon is doing / plans to do with UIDH: [https://freedom-to-
tinker.com/blog/englehardt/verizons-track...](https://freedom-to-
tinker.com/blog/englehardt/verizons-tracking-header-can-they-do-better/)

(We collaborated with Mayer on this research.)

Code and data that you can play with to verify these results / do other
similar experiments, using our web privacy measurement tool OpenWPM:
[https://github.com/englehardt/verizon-
uidh](https://github.com/englehardt/verizon-uidh) /
[https://github.com/citp/OpenWPM](https://github.com/citp/OpenWPM)

~~~
x0x0
quantcast was sued for resuscitating browser cookies when flash LSOs persisted
[1], ie taking the cookie value from the LSO and recookie-ing the browser.
quantcast and clearspring settled for $2.5m [2]. The crux of the matter seemed
to be that users didn't know such data was in flash cookies or associated with
quantcast, making it hard to opt-out, though I'm not sure if this is illegal;
and violated quantcast and the 3rd party sites' privacy agreements, which
appears to be illegal. A lawsuit outline for one plaintiff is here [3] and the
full text of the initial filing here [4]. I naively assume there is a clear
parallel to this case, though perhaps verizon and turn have thoroughly privacy
policied their way out, somewhere in 30 pages of legalese.

According to Jonathan Mayer,

    
    
       Commercial supercookies, fingerprinting, and zombie cookies are tolerated 
       (if not permitted) under current United States law. [...] Any associated 
       consumer deception, however, is a violation of the Federal Trade Commission 
       Act and parallel state statutes. [5]
       
    

[1] [http://www.wired.com/2010/07/zombie-cookies-
lawsuit/](http://www.wired.com/2010/07/zombie-cookies-lawsuit/)

[2]
[http://www.lexology.com/library/detail.aspx?g=bc3a4358-6692-...](http://www.lexology.com/library/detail.aspx?g=bc3a4358-6692-4c82-94b5-6a1a160bbaaf)

[3]
[https://www.privaworks.com/Details/AlertReference/PrintPrevi...](https://www.privaworks.com/Details/AlertReference/PrintPreview.aspx?guid=%7Bb7a1afcf-7795-4138-9401-27272896f095%7D&p=1)

[4]
[http://www.wired.com/images_blogs/threatlevel/2010/07/CV10-5...](http://www.wired.com/images_blogs/threatlevel/2010/07/CV10-5484-GW-
JCGx-Complaint-Summons-Civil-Case-Cover-Sheet1.pdf)

[5] [http://webpolicy.org/2015/01/14/turn-verizon-zombie-
cookie/](http://webpolicy.org/2015/01/14/turn-verizon-zombie-cookie/)

------
username223
Classic soulless PR-drone reply here:

[http://www.turn.com/blog/in-response-to-
propublica](http://www.turn.com/blog/in-response-to-propublica)

"Clearing cookies is not a reliable way for a user to express their desire not
to receive tailored advertising,..." Okay, but is it a reliable way for me to
express my desire for you not to track me? I assume you ignore the DNT header,
and I already block your ads, but still...

"Turn fully supports enabling consumers to express their choice and consent in
regards to data use for digital advertising." Choke on a bag of dicks, you
sleazy, lying scum.

~~~
toufka
>"It is Turn’s policy to always honor the consumer opt-out as enacted through
either the Turn website or the NAI or DAA."

What does this actually mean, and how can I do it?

~~~
fortmeaded
The original research checked the Turn / NAI / DAA opt out. According to
Mayer, it does't respawn. This part of Turn's response is a lie.

~~~
gergles
They claim the opt-out is stored on their servers and associated with the uid
(implying that the optout=1 cookie isn't necessary)

~~~
cpeterso
It's convenient for them that their server-side opt-out code cannot be
audited. It would have been easier for them to just set an anonymous, client-
side opt-out cookie.

~~~
dspillett
A client-side cookie is not sufficient, you'd have to set it in every browser
you ever use. Practically speaking it needs to be server-side, but should be
(but never would be) _opt-in_ rather than opt-out.

The other option is respecting DNT, but that is never going to happen as a
default behaviour for all companies.

------
acdha
Discussion for the original researcher's post:

[https://news.ycombinator.com/item?id=8889224](https://news.ycombinator.com/item?id=8889224)

[http://webpolicy.org/2015/01/14/turn-verizon-zombie-
cookie/](http://webpolicy.org/2015/01/14/turn-verizon-zombie-cookie/)

~~~
fortmeaded
OP here, I'd be OK with swapping in Mayer's blog post. Will let the mods
decide.

If you haven't seen it before, this guy's stuff is absurdly good. Encyclopedic
knowledge of privacy tech and law.

~~~
acdha
Yeah, that was main reason why I wanted to share his original post – the EFF
(or ProPublica) stories aren't bad but he's done a great job writing about
many things of interest to the HN community.

~~~
dang
Didn't see this yesterday, and I'm sorry we didn't, because we would have
switched out the URL. HN prefers original sources, and it's always nicer to
give credit (and traffic) to the original creator or researcher.

Unfortunately, it's too late to make a difference now, so we'll just leave
things as they were. However: if you (or anyone) notice something like this in
the future, the best way to alert us is to email hn@ycombinator.com. We can't
read all the threads but we do see all those emails, and usually pretty
quickly.

------
hackuser
Someone who understands this well needs to write a very short 'elevator'
explanation for non-technical end-users that we all can copy and paste. That
small act would be invaluable to spreading awareness, which is necessary for
any progress.

I was going to send the EFF article to some Verizon customers I know but I
realized they would have no idea what it meant. I don't have time to read it
thoroughly and write an accurate, succinct summary.

Any volunteers? (The EFF is doing a disservice to the cause by not doing it
themselves.)

~~~
noonespecial
How about:

Because your mobile device really belongs to the carrier and not to you,
whenever you browse the web with it, they know who you are no matter what.
They are now refusing to keep that information secret even if you want them
to, instead selling it to advertisers without your consent (even despite your
obvious non-consent).

They do this by sabotaging your mobile browser so it can't really delete
certain cookies. When you try, they put them right back the next time you use
the browser. They also have a way (called a UIDH header) to tell other sites
that its you (so they can track your visits) even if you don't have a cookie
in your browser.

~~~
guelo
It doesn't have anything to do with who owns the device.

~~~
noonespecial
Sure it does. If my verizon iphone wasn't 3 months into a locked two year
contract I'd just put in a different sim and forget the whole thing.

~~~
Shivetya
but cannot phones simply be tracked by their own id regardless of carrier. Say
you swap from Verizon, if you hit one of their towers they could theoretically
use that information even if your not a direct customer.

We know the FBI is reading the traffic so I am wondering why someone is
surprised a company does it. Its not right for either party

~~~
gcb0
they could also follow you non stop on the street and enter every store you go
and take note of all your purchases by looking over your shoulder. and i don't
think much of it is illegal unless you can prove it distress you but I'm not a
layer (I'm a productive member of society :)

------
shkkmo
There are two solutions I see.

1) Regulation. Maybe it'll happen, I don't have much hope of it being done
intelligently.

2) Feed them garbage data.

We just need a database of live UIDH numbers and a browser extension to inject
a random UIDH number from that list into the header.

~~~
nl
You can't feed them garbage.

Verizon operates at the network layer - if you are on their network presumably
they will copy the real value over your garbage value.

If you aren't on their network then they can check IP address and ignore
values not from the Verizon subnets.

There are a couple of other solutions you haven't mentions:

VPNs: Annoying and currently too hard for most people. Perhaps it is time for
device (PC and mobile) manufactures to consider offering VPNs integrated with
their devices.

Competition: If the US had a more competitive broadband market then people
could choose other providers.

Legal action: If Verizon was sued and lost over this then it could have a
cautionary effect. However, the loss would have to be _huge_ for it to have an
impact, and large financial settlements generally require proof of significant
harm. That's going to be hard in this case.

~~~
JohnTHaller
True, but an enterprising individual could write an extension to cause non-
Verizon users to start feeding fake unique identifiers into their own streams.
Heck, you may even be able to hijack a website login using it.

~~~
julianj
something like this? [https://github.com/lightswitch05/Bogus_X-
UIDH](https://github.com/lightswitch05/Bogus_X-UIDH)

~~~
JohnTHaller
Exactly. But instead of using it to try to change your UIDH within Verizon, it
should encourage non-Verizon customers to just pollute the space with random
UIDH values from all over the place.

~~~
nl
And (as I previously noted) all Verizon has to do is *check the IP address of
the client(!). They know the IPs they own.

Assuming that your adversary is dumb as well as malicious is a mistake.

~~~
julianj
True, but this header is presented to all sites visited. This wouldn't pollute
Verizon's tracking (they could do this without the header). This may instead
pollute the third parties which are taking advantage.

------
doctorshady
It's frustrating, the internet has become such a creepy "you are the product"
medium. The more of this I see, I start to feel like I don't want to be a part
of it anymore.

~~~
pastycrinkles
Keep your head out of the past. The internet is becoming the way we do
everything now; it's a necessity.

~~~
pdkl95
Just because you don't value your privacy doesn't mean you get to project
those values on the rest of us. Spying on your customers doesn't magically
become moral simply because technology has made it easy. It most certainly is
not _necessary_.

Really, the only reasons surveillance as a business model has worked is most
people don't realize the extent that it is going on and by the time they do a
monopoly or oligopoly has already established itself. Taking advantage of
ignorance is at best rude and offensive, and at worst it _should be_ criminal.

Unfortunately, the laws have yet to catch up to abuses like Verizon's MitM
rewriting of HTTP headers. Worse, fixing laws and enforcing them against these
modern abuses is going to be very hard: regulatory capture's a 'helluva drug.

------
jimktrains2
Since Verizon is no longer simply a dumb pipe, does this make them liable for
the traffic crossing over their network?

------
cyanbane
If you were an author (of any sort) could you claim that the transmissions of
your material (text) that are under copyright were circumvented (DMCA) via a
permacookie under your "moral rights" as an author to publish anonymously?

~~~
roque
If you are a content provider you may choose not to serve ads on your content.

~~~
cyanbane
hmm, not talking about the content provider. I am saying if I am an author who
was publishing something under anonymity and I assumed I was anonymous because
I "cleared my cookies/Enabled Do Not Track settings" during the publication of
the material - only to discover that my cookies had been circumvented via
permacookie by a commercial entity - is my "moral right" of anonymity is now
gone? could I claim the permacookie method was a circumvention under the DMCA?

~~~
dangrossman
There is no "moral right of anonymity" in copyright law. Even supposing there
was, de-anonymizing you would not violate anything in the DMCA. The anti-
circumvention section prohibits circumventing technical _access control
measures_ , not circumventing "rights" in general. Circumventing the rights
that copyright law does provide an author is just called copyright
infringement.

------
roque
My guess is that the "entrepreneurial" solution here would be a combination
of: \- A browser that doesn't support cookies and provides the server with a
client controlled session-id (perhaps a user-id also). \- Only uses SSL
sessions to avoid middle-box injection of HTML headers (this still leaves the
provider with the ability to inject data as IP options / TCP headers). \- A
micropayment solution that allows content providers to get revenue from
content rather than ads.

Anyone working on the later ?

~~~
hrjet
> A browser that doesn't support cookies

We are working on a browser ([https://gngr.info](https://gngr.info)) that
supports cookies but doesn't enable them by default for all websites. We also
don't enable JavaScript by default. User needs to enable these on a per-site
basis. Enabling for all sites at once is also possible if the user so wishes.

In the near future, we also want to support https only sessions (opt-in to
begin with and opt-out once https becomes more commonly deployed).

About micropayments, there are many. Flattr comes to mind. But I am sure there
are more.

~~~
JadeNB
Why was this downvoted? It seems like a productive contribution to the
conversation—in fact, it's a direct response to another user's question. I can
imagine plenty of technical objections, but it seems that they should be made
_via_ responses, not downvotes.

------
covercash
Somewhat related, does anyone know about Verizon FIOS TV commercial injections
and how they possibly relate to FIOS internet tracking?

I have IBD and have been spending a lot of time on UC/IBD related sites
lately. I've noticed quite a lot of tv commercials for IBD drugs on TV and
mentioned it in passing to my friend. He said Verizon uses tech from RGB
Networks and similar companies to inject custom commercials into the FIOS TV
streams based on FIOS internet data.

Does anyone know more about this program?

------
evmar
It's strange to read this and then simultaneously read people complaining
about HTTP2 requiring SSL. It'd surely be nice if law protected us from bad
actors but SSL protects from this in a way that (hopefully) can't be
circumvented.

~~~
scintill76
SSL can't really stop it, I think. Here's a thread where I've speculated on a
way to inject metadata into SSL handshakes[0] just like they're doing with
HTTP headers. If that doesn't work (I'd be interested to hear why), someone
else suggested using TCP-IP source/destination metadata queried from the ISP
to resolve to a customer.

[0]
[https://news.ycombinator.com/item?id=8506492](https://news.ycombinator.com/item?id=8506492)

~~~
guelo
It's simpler then that. The advertising based site wants to show you the ad,
they have no incentive to implement SSL. There's no
[https://espn.com](https://espn.com), for example. Even if they did implement
https it would be mixed content because the ad networks' iframes or whatever
are http.

The solution is things like NoScript or Adblock on Firefox (not Chrome which
downloads the ad and just hides it). Or blackholing the ad networks in
/etc/hosts.

~~~
eunice
>(not Chrome which downloads the ad and just hides it)

I thought this hadn't been the case for several years now? Am I wrong?

~~~
magicalist
No, it hasn't been the case since 2010:
[http://www.theregister.co.uk/2010/07/20/chrome_does_resource...](http://www.theregister.co.uk/2010/07/20/chrome_does_resource_blocking/)

------
julianj
Maybe instead of adblock for turn, someone should put together a plugin to
generate a random header string sized at about 16k just for *.turn.com.

On a side note, if your browser automatically filled up the remaining allowed
characters in the header (depends on the server of course), it'd be
interesting to know how that would be handled by Verizon's support since all
sites would get a 400 error when their header injection is enabled.

------
rapht
It's a wonder to me how no Verizon competitor has jumped at the opportunity to
advertise this on a large scale with a message along the lines "it's evil, we
don't do that".

If the users really care about this issue, that's what would happen on a
functioning market anyway...

~~~
Normati
I doubt most people care. This isn't going to drive customers away. The only
way it'll be stopped is if they're legally forced to. For example, see the
history of cookies themselves and how most people never cared about them.

~~~
jimktrains2
It would if I had options.

------
TheMagicHorsey
Verizon really does come across as a Bond-style corporate villain in stories
posted to Hacker News. I'm currently a TMobile customer, and I wonder how many
of Verizon's shenanigans are actually just the common MO of all American
telecoms.

It would otherwise seem egregious if only Verizon is throttling customers on
"unlimited" plans, and only Verizon is selling their privacy for money, and
only Verizon is pushing garbage smartphones onto customers that don't know any
better.

How can they be so big if they suck so much ass? Are they successful only
because they get their network deployment right? Are regulatory barriers
protecting them from competition (I find that hard to believe because
wireless, unlike broadband, seems to have multiple competitors in every
market).

Maybe we just need to take public spectrum away from these donkeys and give it
up for use by ad-hoc technologies. I suspect that if we make some standards
(or even just broad rules of the road) some peer2peer telecom technologies
might emerge and surprise us with their quality (just like BitTorrent is
surprisingly good for file downloads, even though its decentralized
completely).

------
tempodox
Indeed, this kind of behaviour on the part of Verizon and Turn should result
in criminal prosecution.

------
jes
If someone chooses to work for a sleazy company, say one that aggressively
violates a person's expressed desire to not be tracked, I would not want to
hire them or otherwise associate with them.

Should the engineers who enable companies like Turn be shunned by other
engineers?

~~~
fauigerzigerk
I don't think that's a good idea. Yes the ad based business model has gone
completely off the rails with their aggressive privacy violations and
disgusting deception schemes. I think they should be stopped, if necessary by
regulating them off the face of the earth.

But personally blaming and shunning regular employees of corporations that
break the law or some ethical standard has far reaching ramifications. Bitter
ideological battles would take over the personal lives of people who have no
say in whether or not their employer decides to use a particular marketing
scheme or do business in a particular country.

I think personal blame should be reserved for decision makers. If an employee
knows about serious crimes committed by their employer they should simply
report it to the police.

~~~
jes
I'd rather not do things that give the state more power and control over
individuals. So I'm not a big fan of regulation in general. I'd rather pursue
voluntary means of encouraging virtuous action where and when I can.

Engineers who directly enable this kind of technology are (in my view) not
materially different from individuals who write malware. These engineers are
members of the group of decision makers, because they know exactly how the
code they are writing will be used. I think it's right to not encourage or
support their behavior.

In other words, the degree to which I would shun someone is proportional to
the knowledge and control they had in the situation under consideration.

~~~
fauigerzigerk
I don't think state control over individuals can be adequately characterised
in terms of "more" or "less". Sometimes what governments do is to shift power
and control from some groups of individuals to others, as in the case of
consumer protection laws. In other cases they grab power for themselves,
building a survaillance state.

I think the debate should be more about what governments should do and why,
not just how much they should do, i.e big or small government.

------
userbinator
I feel like injecting headers is only the start of something far more
pernicious; even SSL/TLS can't stop an ISP from determining and tagging where
your traffic goes (and consequently, passing that information onto third
parties) - all your traffic goes through equipment on their network, after
all. As long as your connection to the Internet is tied to your identity in
some way (and there is basically no way a non-free ISP is going to let that be
anonymous), they can track you. "Obfuscatory routing systems" like Tor can
help, but as long as ISPs can observe the traffic on their networks, they
know.

~~~
mkjones
How would ISPs tag requests going over HTTPS as being from a particular
subscriber?

~~~
mkjones
OK, I can think of a few ways they might do this (DNS tricks and per-user IPv6
addresses, <src ip, src port, dst ip, dst port> => user mapping). These all
seem significantly more complex than HTTP header injection though.

------
canvia
Does anyone know how flash cookies are handled on cell phones? Is there any
way to block or clear them?

[https://en.wikipedia.org/wiki/Local_shared_object](https://en.wikipedia.org/wiki/Local_shared_object)

This add on is good for clearing them using firefox:
[https://addons.mozilla.org/en-
US/firefox/addon/betterprivacy...](https://addons.mozilla.org/en-
US/firefox/addon/betterprivacy/)

~~~
kxo
Considering phones haven't had Flash (easily installable, that is) for a
considerable amount of time, I doubt you're affected.

------
jamesdee
well, this explains Verizon's desire to have anti-class action lawsuit
contracts with their customers...

------
ferdi265
Couldn't you fake a false UIDH header if you don't use verizon?

If yes, then people could publish their UIDH and have other people use it as
well. If many do this, the unique identification aspect of UIDH is lost.

Something like using a random UIDH from a list of published ones every
request.

~~~
zo1
Or just get everyone to use the same UIDH, making it useless for whatever
tracking purposes.

------
Aissen
It's like they are trying to push HTTPS everywhere. It better happen soon.

------
karlb
Seeing as “turn” is also a verb, this is a great example of a headline that
would have been less confusing in sentence case:

“How Verizon and Turn defeat browser privacy protections.”

------
yellowapple
> In fact, Turn has told EFF that they do not believe that either Do Not Track
> or a user deleting their cookies is a signal that the user wishes to opt out
> from tracking.

What the fuck, Turn? You got a different explanation for what the fuck "Do Not
Track" means?

Are they for fucking real right now? I mean, I've seen my share of grade-A
corporate double-speak, but this takes the goddamn cake. Holy fucking shit.
Thank God I'm not a Verizon customer in any capacity (that I know of). With
this kind of bullshit, I don't plan on that changing any-the-fuck-time soon.

~~~
quesera
> What the fuck, Turn? You got a different explanation for what the fuck "Do
> Not Track" means?

Easy there.

IE10 defaults to Do Not Track enabled. So sending the header is not explicitly
representative of the user's wishes.

Convenient, isn't it?

~~~
hackuser
> IE10 defaults to Do Not Track enabled. So sending the header is not
> explicitly representative of the user's wishes.

> Convenient, isn't it?

That might be an excuse, but it's not the reason. They easily could read the
DNT header and the user agent, and trust DNT headers from non-IE10 browsers.

~~~
quesera
Absolutely. They're interpreting the situation with strict literality because
it is in their benefit to do so.

They have a perfectly valid _reason_ for what they do: it's strongly
beneficial to their business model to operate in a scummy but probably-legal
way. They are hardly unique in this.

Since we have little market recourse (Verizon is often the only option, and we
are not customers of Turn), and we have no legal recourse (again, scummy but
almost certainly legal in almost all circumstances)...what is left?

Well, there are technical solutions to the problem. TLS is a good start.
Browsers can be smarter about third party cookies. The Verizon Overcookie can
be stripped by a proxy. VPN can solve many problems... This glommed on
tracking junk is fragile.

I strongly resent being drawn into the arms race, but it _is_ winnable.

It will take something dramatic (and who knows how long) for our outrage to be
shared by a critical mass of customers/voters, so for now, I think technology
is the solution.

But I donate to EFF too.

------
joelthelion
That should be illegal, plain and simple.

------
mhuffman
I wonder if classifying the Internet as a utility might have any effects
through possible regulation of this?

------
Animats
I'm amazed that they're still doing this. Start pushing for Congressional
hearings.

------
DyslexicAtheist
is i just me or is Verizon the most evil operator out there? Being based in EU
I have no idea of course but there are hardly ever positive news coming out of
that firm.

------
dredmorbius
This may be a tortious (sueable) offense under the Intrusion Upon Seclusion
principle. Possibly as a class action:

“It is unnecessary to determine the extent to which the right of privacy is
protected as a constitutional matter without the benefit of statute.” Beaney,
The Constitutional Right to Privacy in the Supreme Court in 1962 The Supreme
Court Review 212 (Kurland ed. 1962); Olmstead v. United States, 277 U.S. 438,
478, 48 S.Ct. 564, 72 L.Ed. 944 (1928) (dissenting opinion of Brandeis, J.);
“Dykstra, The Right Most Valued by Civilized Man”, 6 Utah L.Rev. 305 (1959);
Pound, The Fourteenth Amendment and the Right of Privacy, 13 W.Res.L.Rev. 34
(1961). '[I]t is sufficient to hold that the invasion of the plaintiffs'
solitude or seclusion, as alleged in the pleadings, _was a violation of their
right of privacy and constituted a tort for which the plaintiffs may recover
damages to the extent that they can prove them._ ‘Certainly, no right deserves
greater protection…’' Ezer, Intrusion on Solitude: Herein of Civil Rights and
Civil Wrongs, 21 Law in Transition 63, 75 (1961).

To make an intrusion on seclusion claim, a plaintiff must generally establish
4 elements:

First, that the defendant, without authorization, must have intentionally
invaded the private affairs of the plaintiff;

Second, the invasion must be offensive to a reasonable person;

Third, the matter that the defendant intruded upon must involve a private
matter; and

Finally, the intrusion must have caused mental anguish or suffering to the
plaintiff.﻿

h/t Lisa Borel on G+

[https://plus.google.com/113175636916099066477/posts/PBi3NECR...](https://plus.google.com/113175636916099066477/posts/PBi3NECRGfx)

More at Wikipedia:

[http://en.wikipedia.org/wiki/Privacy_laws_of_the_United_Stat...](http://en.wikipedia.org/wiki/Privacy_laws_of_the_United_States#Intrusion_of_solitude_and_seclusion)

Intrusion of solitude occurs where one person intrudes upon the private
affairs of another.

Intrusion upon seclusion occurs when a perpetrator intentionally intrudes,
physically, electronically, or otherwise, upon the private space, solitude, or
seclusion of a person, or the private affairs or concerns of a person, by use
of the perpetrator's physical senses or by electronic device or devices to
oversee or overhear the person's private affairs, or by some other form of
investigation, examination, or observation intrude upon a person's private
matters if the intrusion would be highly offensive to a reasonable person.

h/t paul beard on G+

[https://plus.google.com/u/0/104092656004159577193/posts/5XKX...](https://plus.google.com/u/0/104092656004159577193/posts/5XKXud65ajj)

Google, as guardian of Android, should look hard at ensuring user protections
from this sort of behavior. Ubiquitous HTTPS might be an option (I haven't
looked yet to see if the UIDH header can be defeated via that).

------
terranstyler
Frankly, I don't see how regulations or laws should protect the user for
several reasons:

Firstly, there are already privacy laws yet it doesn't look as if they apply
and that Verizon thinks that even in the case of a law suit Verizon will be
able to benefit more than this law suit will cost.

Secondly, even if a court determines that the conduct of Verizon in this case
is not legal, the verdict will still be special enough to not be applicable in
a loop hole case. So I see protection provided by law as limited.

Thirdly, enforcement is rather difficult and not as obvious as, e.g., a
daylight robbery, especially for non-technical observers which I presume to be
the vast majority of law enforcement personnel.

And finally, (and rather an opinion) I think government is rather delighted to
know who does what on the internet, so I don't see a real motive for them to
move decisively apart from some half- __ __* voter appeasement.

