Court says tracking web histories can violate Wiretap Act (wired.com)
122 points by Oatseller on Nov 11, 2015 | 18 comments

The original intent of the Wiretap Act was to place a distinction between content and metadata.

The problem now is that there is JUST SO MUCH metadata that it is losing that distinction. If someone calls a known pot dealer once a week, then it doesn't matter whether you hear the call or not, you can still infer that the caller picks up every week.

A DOJ lawyer once said to me that "when surveillance is ubiquitous, the role of law enforcement becomes the role of a prison warden, where everyone is an infraction waiting to happen."

Yeah. Some anonymous web poster pointed out to me that changes in the law regarding marijuana & homosexuality would have been impossible with perfect surveillance.

Advancement in the social code is only possible because people can get away with violating it.

I think this is a really good point - if we can never break a law, we can never change one.

There is another good point as we move towards more perfect surveillance and enforcement of laws; so many of our laws are designed with the idea that you will only catch x% of infractions. If we knew we would catch 100% of the violators when we created these laws, we might have chosen different thresholds and punishments.

For example, take speeding - if we knew that we would catch 100% of people driving faster than the speed limit, we might set a higher speed limit and a lower penalty. We set the current penalty based on the idea that it needs to be high enough to offset all the times that we speed and don't get caught. For example, if we get caught 1% of the time we speed, then we can expect a $500 fine for speeding to cost us about 5 dollars per time we speed. If we are caught 100% of the time, that jumps to $500 per time we speed.

Also, the speed limit is lower because we can't enforce it perfectly - we need a little bit of a buffer, so that a cop can be sure the person is speeding before issuing a ticket. This means speeds are lower than they should be with perfect enforcement.

We really need an overhaul of our laws if we are going to allow automated and perfect enforcement.

It also reminds me of incidents like http://slashdot.org/comments.pl?sid=3106555&cid=41288357

In fact, one of the reasons I dislike anti-discrimination laws is because enforcement using things like statistical analysis was really only designed for unskilled labor and the like.

Of course. Just imagine a country such as Saudi Arabia, where many of the things we consider "normal" in more developed societies are crimes, often punished by death. If Saudi Arabia gets to have perfect surveillance and law enforcement, that society will never reach our modern standards for a developed society. Only those that will be able to bribe their way out of it will survive.

Thinking about it, ideally the arrests should hit the news in cases like this. I am thinking that jury nullification should be replaced with a temporary stop on enforcement.

Moxie Marlinspike wrote a really good editorial to this point a while back: http://www.wired.com/2013/06/why-i-have-nothing-to-hide-is-t...

The court is really saying that the URL isn't even metadata, and I agree with that finding. The URL is itself content. It's a request for content. On static pages it exposes the entire content of the communication.

I don't think the court would have a problem with the police discovering you buy weed because you call a weed dealer every week.

But this URL isn't just telling them who you are "calling" / httping with, but what exactly it was about.

I think the internet equivalent to phone number is the IP address.

SEO URLs usually contain a summary of the content of the page. The URLs are literally content. You can plug the URL into the browser and get all the content the person has looked at.

Show me a person, and I will tell you his crime.

Frankly, results like this are inevitable from either the courts or Congress if advertisement companies continue to refuse to self-regulate in a reasonable way.

The only reason it's not a bigger issue right now isn't because "nobody cares, privacy is dead!". It's because people for the most part do not understand the mechanism.

Explain exactly how ads track you to common people, just how many do you suppose will approve and be comfortable with the arrangement?

The entire industry is built on sand.

The headline is in theory true, in practice not.

"In their ruling, the panel of three appellate judges found that Google and its co-defendants hadn’t violated the Wiretap Act because they were a “party” to the communications rather than a third-party eavesdropper—"

This is consistent with the ruling, but buries the part that is important for most folks: http://www2.ca3.uscourts.gov/opinarch/134300p.pdf (page 35).

Because they were the intended party of the communication, they will never be liable under the Wiretap Act. Ever.

So yeah, if some third party you aren't communicating with grabs your cookies (cough cough), that may be an issue.

Otherwise, no.

Does this mean the Facebook like button slathered all over the web is now illegal?

No. Because, as the ruling says, they are an intended party of the communication.

Does anyone have a summary of the actual case? Because, according to the article: "(...) Google and its co-defendants hadn’t violated the Wiretap Act because they were a “party” to the communications rather than a third-party eavesdropper—the users were visiting their websites when the cookies were installed."

So it's rather unclear if they're saying that if you go to e.g. plus.google.com, Google is party to the communication, or if they're saying that if you go to example.com, and example.com has installed Google's analytics tracking, then Google is also "party to the communication"?

The latter might make sense from the perspective that any party to an organization could invite any other party to secretly record it? (Eg: You might be on the phone with a person, and without telling that person, invite your lawyer to listen in on the call. As the person you're talking to doesn't have any expectation of privacy from you AFAIK that'd be legal (in many jurisdictions, anyway)).

So, it would seem that tracking someone visiting example.com via cookies at a third-party site, might be legal wrt. wire-tapping, but may violate requirements to alert the user of tracking/cookie use?

Hmm. I didn't intend for them to track me. I didn't know their 'like' button was on the website I intended to, and then in fact, visited. I intended to visit the website, I didn't intend for Facebook to visit the website with me.

The website author apparently intended for Facebook to visit, but I was not privy to that information. That's like me attending a meetup. I wanted to go to the meetup, but if my ex was there, and I knew that ahead of time, I wouldn't have gone. Now my ex has information about me I didn't intend for said ex to have.

I'm not sure if I've convinced myself that the 'like' button is legal or illegal now.

Analytics. Illegal!

Uhm, nope. Just not "legal because it just grabs URLs", but for other reasons..
