June 13, 2008

"This was a private file server, like a private room, hacked by a litigant with a vendetta."

Lessig thinks that accessing Judge Kozinski's on-line porn stash was an invasion of privacy "perfectly" analogous to entering his house through a badly locked window and looking through his belongings:
"The site was not 'on the web' in the sense of a site open and inviting anyone to come in. It had a robots.txt file to indicate its contents were not to be indexed. That someone got in is testimony to the fact that security -- everywhere -- is imperfect...."
In the comments, after a challenge — "I'm sorry, but there's no way that typing a URL into a web browser is analogous to jiggling a lock for 30 seconds" — Lessig backs away from the idea that the analogy is perfect:
"I don't accept that this is a 'public place' just because the public can easily get to it. But I'm also not arguing that someone should be treated as a trespasser because he or she wanders through a directory structure. My only point is that it was plain beyond doubt that this was not intended as a public place where anyone was invited to come and browse. Norms of privacy should therefore apply."
Another commenter — James Nightshade — pushes back:
"Robots.txt is a voluntary access control mechanism, but it does not prevent resources from being 'on the Web' in any sense. The document describing the robots.txt standard refers specifically to web robots. Robots.txt was not intended to apply to interactive web browsers. It is roughly analogous to a sign one might find beside a residential street: 'No trucks except for deliveries.' The street is still a part of the road network, even if some vehicles are asked not to visit.

"Another example is the form I'm typing this into. It has an accompanying CAPTCHA form to identify robotic spam submissions. Blocking these robots doesn't effectively take the submission form off the Web. If one wants to avoid public access to a Web resource, there are access control mechanisms which can do that. Passwords are one example; robots.txt is not an example."
I'm not buying the analogy, but I get it that Lessig is trying to promote privacy on the web. Or not on the web. Whatever. I have a lot of trouble seeing what the "disgruntled litigant" did as "hacking" or trespassing.

Seems to me, when you're on line, you can poke around as much as you want and look at anything you can click to. Isn't that what most of us think? That's how we behave on line. In the physical world, we know we can't just go anywhere we can physically get to. Forget badly locked window. We won't even pull open an unlocked screen door to a house. I was going to say a "private building," which assumed the answer to the question about privacy, but that ordinary usage — public/building — shows that we have a deeply embedded expectation about privacy.

But Lessig's idea about privacy on the web is something I'd never even heard of. Lessig, of course, knows that. He prefaces his analogy with: "Cyberspace is weird and obscure to many people. So let's translate all this a bit." Are we just at the beginning of forming our expectations of privacy on line, or have we already decided we are free to look wherever we can go?

IN THE COMMENTS: MCG notes: "Alex Kozinski provided public links into his "stuff/" directory in the past." He points to this email Kozinski sent for publication on a high-profile blog. Kozinski thus eagerly invited the whole world into his back pages.

43 comments:

Salamandyr said...

I'm not sure Lessig's den analogy is the best. I think a better one is if you told a friend, "I'll leave the back door unlocked. Just make yourself at home til I get back" and some stranger, not your friend wandered in your unsecured backdoor.

Personally, nothing I've heard about this makes me think any less of Judge Kozinski--and I'm more comfortable with the bias of someone who views porn than one who doesn't.

Salamandyr said...

addendum to last post-I'm more comfortable with someone who views porn in judging obscenity. They're more likely to have a wider opinion of what is acceptable than one who doesn't.

Outside of that narrow category; I don't care what you like at one way or the other.

former law student said...

The expectation is that whatever you find by sneaking around you keep to yourself.

It's like the Playboys in Dad's drawer when you were a kid. You find them while you're being nosey, you enjoy them, you return them so as to leave the dresser look undisturbed. Most of all, you keep the secret. You do not brandish them in front of Mom, saying "Do you know what Dad keeps in his dresser drawers?"

Moreover, is any of it really porn (I haven't looked at the videos) besides, arguably, the auto-fellator? Pictures of naked people are not porn. Part of the problem is cultural differences: Europeans like the Bucharest-born Kozinski are not as prudish as Americans.

dmfoiemjsof said...

Lessig is an idiot.

Pogo said...

Looks like the vendetta by "the tipster", Cyrus Sanai, was successful.

Best response Kozinski would have is to googlebomb the attorney Mr. Sanai so that potential employers, clients, judges, and acquaintances are met with evidence of his true character on the first hit.

rhhardin said...

"Seems to me, when you're on line, you can poke around as much as you want and look at anything you can click to. Isn't that what most of us think?"

Actually no, but it may be a carryover from geek culture.

People used to share a computer and a file system, and stuff under /usr/rhh for example, although readable by anybody, was expected to be fairly private to rhh unless pointed to, on the grounds that it's nobody's business, just as your desktop at work is more or less nobody's business.

Although for some office business you may rifle through things.

Non-rifleable stuff even on office business would get some name to indicate that level of expectation, like a directory named ``pers''.

These were informal rules to make life simple and liveable in that environment.

I don't know that they carry to the web, but they'd tend to if you came from that culture.

Palladian said...

Lessig's analogy is not convincing. But that doesn't change the fact that Sanai is a bitter, disgruntled douche-bag and that the files "discovered" were hardly porn. I posted this comment in the thread yesterday:

I just looked at some of the "shocking" material over at Patterico and, um, this is the most ridiculous, nonsense story I've seen in a long time. Some sleaze bag lawyer who Judge Kozinski raked over the coals had a hard-on to dig up some dirt on the Judge and found this pathetic nonsense. The "video of a half-dressed man cavorting with a sexually aroused farm animal" is this classic internet clip of a man being chased by a randy donkey.

A pathetic non-story which helpfully reveals the true purpose and nature of news outlets: cheap gossip and scandal sheets.

Ger said...

"Seems to me, when you're on line, you can poke around as much as you want and look at anything you can click to. Isn't that what most of us think?"

Actually yes.

The web is different from a file system on an internal network share so I disagree with rhhardin.

Most web sites are the equivalent of glass houses by intent - open to view to anyone that wanders by.

If you want certain rooms of your glass house to not be transparent to stray passers-by then there are, as mentioned, easy mechanisms to "drop the blinds" to block those prying eyes.

John Burgess said...

I guess it's just me--though I hope not--but if I end up inadvertently in somebody's root directory, I back out. I don't consider it fair game to go poking around to see what else I might find.

Am I legally prohibited from being nosy? Probably not. But I wouldn't object to a law stopping it. I do think the analogy of an unlocked window is pertinent.

Accidents do happen in structuring a website. That should not be construed as an invitation to come in and loot the place any more than an unlocked window exculpates the burglar.

downtownlad said...

Not buying it. If he wanted it to be secure, he could have used https or a digital certificate.

mcg said...

I've posted a number of comments over there. And I'm firmly in the camp that Web is a public place. So if you put something there without authentication measures, it's your problem. There are plenty of measures you can take to lock down stuff that you don't want the public to see---and there are laws that make circumventing such measures illegal.

gophermomeh said...

If you're going to half-ass keep it secure, that's your problem.

Some would not pursue it further if they accidentally found themselves in someone else's root directory. Others would. It's a chance you take...

Ben Coates said...

"Moreover, is any of it really porn (I haven't looked at the videos) besides, arguably, the auto-fellator?"

The auto-fellator is pretty obviously a non-porn joke as well, some sort of meta mastercard "priceless" joke about pictures of you auto-fellating being spread over the internet: priceless.

Chip Ahoy said...

Perfectly analogous. Those two words are antipolar they send you sailing deep into rhetoricaland, hopelessly remote from logiciaville.

[message contains coinages, may be dangerous to children]

KLDAVIS said...

"Seems to me, when you're on line, you can poke around as much as you want and look at anything you can click to."

It's my understanding that there was no way to get to the page by 'clicking'. The data was on a page that was not linked to, and only accessible if you knew the right sub-folder to append to the website URL.

Maybe it's more like checking under the mat to find the hidden key and letting yourself in. Private, but not very well protected.

Tibore said...

If a file was accessible over the web - forget searchable, if it was merely accessible - then the fault lies with the administrator of the server (in this case, the Judge's son Yale). You shouldn't put items in the www or users' shared directories of your web server unless you intend to serve them, so even if you did it by accident, you were still the one making it public.

And yes, it is public. As was said in the comments at the story, "A server that responds to valid HTTP requests from the open Internet is by definition publicly accessible."

It is part and parcel of running a web server to know how to configure which directories are open to public browsing and which are not, and it doesn't matter if you're talking Apache, IIS, Tux, lighttpd, or whatever. As the owner/administrator, it's your job to know how to lock it down, just like it's a car owner/operator's job to know how to drive a car safely. That someone else pried into that judge's website by leafing through the directory structure was bad, but the items in question shouldn't have been there to begin with. Saying there was an expectation of privacy by maintaining files in web accessible folders is saying there's an expectation of privacy by having sex in your front yard. By the nature of the front yard, you can still be seen. Likewise, by the nature of web servers, the files are viewable, and the fact that the server admin was negligent or ignorant in his configuration doesn't change that fact.

Chip Ahoy said...

C'mon, it's useful to back through an address by eliminating the end bits in the address bar to look at the directory the page you're reading was inserted. It's a legitimate form of navigation. I've often written the owner to thank them for information found on their site on a page I backed into. So far, they've all cheered my having found it.

Tim Sisk said...

The analogy I would use is the bay window. Yeah, you can see inside the house from the street but it is creepy and harassing to stand out in the street and crane to see all that you can see in the house. We would not defend such conduct with a "if they didn't want us to see within they would have hung blinds". Especially when the peeper invited the whole world to the sidewalk to see within.

That said, was no one else offended by the priest molesting images and costumes? Either from Catholic perspective or respect for the victims?

KLDAVIS said...

I suggest everyone read dominik's posts over at the Lessig blog...great stuff.

B-schoolers getting in trouble for 'hacking' a system in the same way AK's website was accessed:

http://blogs.law.harvard.edu/philg/2005/03/08/business-schools-redefine-hacking-to-stuff-that-a-7-year-old-could-do/

Plus, a much more apt analogy than the one Lessig posits.

Smilin' Jack said...

Kozinski obviously thinks it's perfectly fine to look through and (literally) judge someone else's porn, so I don't see any moral objection to doing it to him. The fact that his "porn" is just lame crap only makes the offense worse, in my view. I'd give him at least a year's home detention--without internet access, of course.

Salamandyr said...

Smilin' Jack, since Kozinski is not the prosecutor who chose to bring the case to trial, merely the judge assigned to oversee it, and he has not even made a ruling yet, your reasoning is specious at best.

John Burgess said...

Hey, my address is public information: it's in the phone book.

Using that, you can go to Google Maps and find out how to get to my home.

If I leave a window open inadvertently, that may be a very stupid mistake.

But it is not a legal invitation to come in that open window and loot my place. It's not even an invitation to look around, though the law seems to permit that 'in plain sight' exception to breaching my privacy.

I could certainly do more to secure my home. Three-inch steel doors will keep most unwanted visitors out. Steel shutters on the windows could do the same. Luckily, the law does not require me to encase myself in Ft. Knox to avail myself of privacy protections.

If I invite you to visit my living room, I may extend the invitation to visiting the bathroom. And while I can suspect you're going to snoop through the medicine cabinet, I will continue to think of you as a sleazeball if you do. Most would agree. After all, just because I'm inviting you to my living room should not have to mean that I re-arrange my life to protect my privacy.

The invitation to my living room is not an invitation to go into my bedside table or look under my socks in the dresser.

'Give them an inch and they'll take a mile' seems to be the operating principle of several of the commenters here. That's as juvenile as 'Information wants to be free!' They can be sure they'll not be invited to my living room. Their manners aren't good enough.

George said...

This has all the potential of being 2008's Willie Horton moment.

Ask Sens. Obama and McCain whether they think the Judge should step down or be sanctioned or whatever. It does not matter legally whether he should or should not or if there is the slightest reason he should. It's all about how this plays in Peoria.

I predict Sen. Obama will defend the judge, McCain will not or take a more censorious attitude, and we can only imagine the TV ads that will be produced.

Revenant said...

I don't know if the site was set up to be private and got hacked, or was misconfigured to begin with. Either way, who the hell cares? Kozinski didn't do anything unethical, illegal, or otherwise wrong. If looking at porn and sharing dirty jokes renders a man unfit to serve in any capacity other than "priest" then almost every adult man in America is unfit.

matthew said...

"Are we just at the beginning of forming our expectations of privacy on line, or have we already decided we are free to look wherever we can go?"

Well, do you google your friends just to see what's out there? Or in Wisconsin, do you go a step further and CCAP them to see if they have any criminal records?

Maybe yes, but for me the answer is no. Somehow I just don't think it's 'polite.'

Chip Ahoy said...

KLDAVIS, you're right, that is an interesting thread over there. Thanks for the link.

mcg said...

Claiming a web site has the same expectation of privacy as a home is ludicrous, and contradicts the very foundation of the Internet.

When a baby is born, its parents don't take it home to a web site. It isn't part of the American Dream to own your own web site. When you get married, you don't carry your wife across the threshold of your new web site.

The point being that a Web site is not a natural part of our physical existence like a home is. Its purpose is not to provide us with physical shelter and personal privacy like a home is. It is constructed by a deliberate act of its creator for the purpose of... here it comes... sharing something with the public. That is its default configuration.

If you then want to keep people out of certain sections of it, there are a variety of means to do that, involving encryption, authentication, and the like. Feel free to avail yourself of those technologies. But barring that, don't assume that the public portion of your web site enjoys any privacy whatsoever.

Revenant said...

MCG,

The pictures were not put "on a web site". They were put on a computer that was connected to the internet. The website itself did not contain any links to the images.

However -- and I'm not sure if you know this -- a normal website is just a directory structure on a computer. Files in other directories can be accessed if the security permissions for the computer are not properly configured. This isn't exactly "hacking", but it isn't normal web browsing either. The family members had an expectation of privacy in the sense that they were neither advertising the content of the computer nor providing links to it.

One of the folks over at the Volokh Conspiracy compared what the lawyer did to going through a person's trash and finding papers they'd forgotten to shred. That's a decent metaphor. When you throw something away you are, in a literal sense, making it accessible to the public -- but simple decency says that you don't go digging through another person's trash. Similarly, you don't rummage through a person's computer to see what you can find, even if they DID forget to secure it.

Revenant said...

"That said, was no one else offended by the priest molesting images and costumes?"

I saved them to my home computer and mailed them to a couple of friends.

I'm sure plenty of people were offended, but it is a little late to be worrying about Catholic priest molestation jokes. That horse left the barn years ago.

Tibore said...

People are drawing the wrong examples here. Having something accessible on a webserver is not analogous to it being behind a window inside your house. It's analogous to putting it on your driveway in plain sight.

Web servers are like billboards: They're specifically for easy mass communication. If you want to restrict access, then you either put up passwords or do not store files in public viewable sections of the server's filesystem. In short, you change the nature of the billboard into something that displays its message privately. But you do not store files there and expect people to not find them just because the address is obscure.

This is basic website security. Webservers respond to requests. Thinking otherwise by drawing analogies of windows and blinds misses the point.

Pogo said...

"it is a little late to be worrying about Catholic priest molestation jokes."
About 50 years late, I think.
That stained glass window is hilarious.

Revenant said...

"It's analogous to putting it on your driveway in plain sight."

No, it isn't. If something is sitting on your driveway in plain sight then anybody passing by your house can see it with no effort. They'd have to go out of their way to avoid seeing it, in fact.

In order to see the so-called "offensive" content of kozinski's site, you had to specifically look for it. If you typed "kozinski.com" into your browser, you wouldn't see it. If you clicked on any link there, you wouldn't see it. The only way to see it was to fiddle around with the URL until you hit the right directory.

"Web servers are like billboards: They're specifically for easy mass communication."

And windows are specifically to let people look through them. So what's the complaint when an outsider looks in through your windows? If you didn't want them peering in your windows you should have closed your blinds.

Steven said...

No, I think a big window is pretty analogous. Imagine, say, you've got one set up to show off your Christmas tree; obviously, you're publicly displaying that to people in the street. If you didn't want people looking in, you could put up drapes, blocking the view. You didn't.

Now, imagine you had intended to put up sheets behind the tree, but you screwed up and there were gaps in it that somebody looking through the window could easily see through, to the area behind the sheets . . . where you happen to be making love to your SO.

You are, of course, having sex in front of a display window, where anybody can look in and see you. You set up a public display, and you failed to properly block visual access to the areas behind the tree. Your fault.

But it's still creepy and rude for somebody to stare through the gaps in the sheet, take pictures, and publish them. Certainly they're jerks if they deliberately made an effort to look through the gaps in order to find something with which to pursue a vendetta against you.

Jim Hu said...

It's simply untrue that having everything on the net accessible to everyone all the time is somehow the foundation of what the internet is all about, or why it was created. Remembering the role of DoD in creating the internet should demolish that idea.

Putting up any website is not the same as announcing an intention of broadcasting its content to the general public. The web is used for all kinds of things that are meant to be confidential, in addition to things (like blogs) that are not.

I didn't look at the site, so I don't know how it was set up. But it sounds to me like Kozinski's son tried a method of web security, "security by obscurity," that works about as well as the rhythm method of contraception. I take that back... it works less well than the rhythm method. Nevertheless, I know plenty of web newbies who think that they're too small to be noticed on the web, so they don't have to lock down their site. The Kozinskis probably intended the site (at least the racy part) to be shared among friends who knew the URL.

The robots.txt file wasn't going to keep anyone out, but it was presumably intended to keep people from finding the site via Google. Perhaps that's how Yale Kozinski finds things on the net himself, so he didn't think about the alternatives.

I think a better analogy than a den in a house is a hotel room in the Toronto Skydome. For those who don't follow baseball, the Skydome has a hotel with rooms overlooking the field. Guests there have made the mistake of thinking the windows were one-way glass and have, how should I say this - unintentionally entertained the crowds.

These unintentional exhibitionists had a mistaken expectation of privacy. I also fully understand why people would look. But it seems to me like people are arguing that there should not have been an expectation of privacy in the first place.

Tibore said...

"No, it isn't. If something is sitting on your driveway in plain sight then anybody passing by your house can see it with no effort. They'd have to go out of their way to avoid seeing it, in fact."

Which is why I drew the analogy for web servers. Web servers serve data. When that data is in their accessible directories, they give it out on demand. Putting data in those directories renders them viewable by anyone who requests them. If you drive past it by sending it a URL, you get the info. The act of sending it the URL is what's equivalent to driving by.

"And windows are specifically to let people look through them. So what's the complaint when an outsider looks in through your windows? If you didn't want them peering in your windows you should have closed your blinds."

Windows are not intended for mass communication; billboards are. Webpages are intended for mass communication. Web servers are the means to deliver web pages. The lesson here is don't put private information on the publicly available folders on a web server unless you want them to be available.

KLDAVIS said...

Tibore said: "Which is why I drew the analogy for web servers. Web servers serve data. When that data is in their accessible directories, they give it out on demand. Putting data in those directories renders them viewable by anyone who requests them. If you drive past it by sending it a URL, you get the info. The act of sending it the URL is what's equivalent to driving by."

Putting files in a hidden folder that is not linked to on any page on the Internet is the same as putting something in your driveway on a public street?

Typing in verbatim the name of a folder into your browser that you'd need to know the specific and exact name of, even though you'd have no real reason to know it even exists unless you were a friend or acquaintance of the owner...that's equivalent to driving down a public street?

I love the technologically illiterate people here trying to make analogies.

If you don't get Lessig's point, you are either misinformed of the facts of this case or woefully uninformed on the nature of networks.

mcg said...

"In order to see the so-called 'offensive' content of kozinski's site, you had to specifically look for it. If you typed 'kozinski.com' into your browser, you wouldn't see it. If you clicked on any link there, you wouldn't see it. The only way to see it was to fiddle around with the URL until you hit the right directory."

This is overstating the difficulty of this. It's actually quite a legitimate and common practice when browsing the web to do a bit of "URL truncation." For instance, suppose I'm reading a paper from an academic; it's in a directory called "papers/". I'm interested in reading more of his work; where do you think I should look?

Web servers are designed to permit this kind of exploration. It is very easy to configure a server to block access to a raw directory, if you choose. Or, you can just put an "index.html" file in that directory, in which case you get to decide just what the user sees when he drops down like that. Or, you can simply allow someone to browse the raw files there. It's up to you.

Anything you deliberately put on the Web without authentication or encryption is public. If you don't like it, don't put it there. This is not even remotely like someone entering your home uninvited. The Web is by default a public forum, and you made the deliberate choice to place documents outside of your private sphere when you publish them on the web.

mcg said...

"If you don't get Lessig's point, you are either misinformed of the facts of this case or woefully uninformed on the nature of networks."

No, it would seem you're woefully naive about the practice of web surfing. There are a variety of legitimate ways to have accessed the content on Kozinski's site. I cited the legitimate use of URL truncation above.

Furthermore, since it had been indexed by various search engines---and the existing evidence is that they did not disable search engine spiders on his site---then you'd have happened onto some of these supposedly "hidden" files simply by typing in the right keywords. For instance, if you get off on seeing videos of women whose pants are way too tight, thus exposing the contours of their genitals, then you could very well have ended up viewing some of Kozinski's files. Or, for a more benign example, maybe you're into classic Burger King commercials. (Yes, these are both actual examples from the files he had placed there.)

For a snooper, finding his files was like shooting fish in a barrel.

On the Lessig web site, Jim Treacher disingenuously argued that I was saying that something is public simply because someone is capable of accessing it---akin to leaving your front door open while you are away. Certainly not! The point is that every forum has a certain expectation of privacy attached to it. Your home is paramount: without an explicit invitation inside you're not permitted in, no matter how easy the access. In a restaurant, you're expected to keep your voice down if you don't want someone to hear your private conversation; but assuming you do that, it's not appropriate for someone to strain to eavesdrop.

Well, the Web is about as public as it gets by default. Anything you put within reach of a casual URL typist or a search engine is fair game. There are a variety of effective ways to block access, or limit access to only those people you choose or who have an appropriate password. And there are already laws on the books to support prosecution of those who circumvent those protection measures. But if you do not avail yourself of those measures, it's your own damn fault.

Alex Kozinski did absolutely nothing to prevent those files from being found. That a snooper found them quickly doesn't change the fact that they weren't private. I have great sympathy for the unfair treatment he is receiving as a result of this mess, but the mess itself is in large part of his own making.

mcg said...

"The robots.txt file wasn't going to keep anyone out, but it was presumably intended to keep people from finding the site via Google. Perhaps that's how Yale Kozinski finds things on the net himself, so he didn't think about the alternatives."

Actually, according to this analysis, which is by no means conclusive, the robots.txt file was not blocking search engines. If you search for "site:alex.kozinski.com" in Google, you'll get a ton of hits, still!

KLDAVIS said...

The URL truncation argument is a non-starter, as applied to 99.99% of the human population. As the webpage in question did not contain any links at all, the only people who would have had a legitimate link to work backwards from would have been people who were friends/acquaintances of the person maintaining the server.

mcg said...

Incorrect. Alex Kozinski provided public links into his "stuff/" directory in the past; for instance, here. This in turn opens up those links, and the directories themselves, to a variety of search engines.

Whowants said...

Kozinski sought to keep out only other judges on his subnet. This opens the question of who was paying for this child porn and animal sex-with-humans porn? The public?

Here is a copy of his robots.txt file specifically set to keep judges out; naturally it lets others in, so he knew he was in fact sharing this smut.

User-agent: *
Disallow: /jurist-l/

http://web.archive.org/web/20070622010132/http://alex.kozinski.com/robots.txt

For an interesting blog on his previous ruling on an internet case where he ruled no proof is needed for a conviction, see here
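
An added example, not part of the post or of any comment: the server behaviour this thread argues about (robots.txt, index.html, raw directory listings, passwords), reproduced on a throwaway server bound to 127.0.0.1 so a site owner can see what each setting does to their own files. It uses the robots.txt quoted above; the `private` directory, the file contents, the credentials and the `ExampleBot` user agent are constructed, and Python's built-in `http.server` stands in for whatever server software the site actually ran.

```python
import base64
import hmac
import http.client
import os
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.robotparser import RobotFileParser

# robots.txt exactly as quoted in the comment above.
ROBOTS_TXT = "User-agent: *\nDisallow: /jurist-l/\n"

# Constructed for this demo: the "private" directory, file contents, credentials.
PROTECTED_DIR = "private"
DEMO_CREDENTIALS = ("friend", "constructed-demo-password")
SITE_FILES = {
    "jurist-l/archive.txt": "disallowed for robots, still served to anyone",
    "stuff/clip.txt": "unlinked file in a directory without index.html",
    "papers/index.html": "<p>Owner-written index page.</p>",
    "private/notes.txt": "only served with the right password",
}


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class DemoHandler(SimpleHTTPRequestHandler):
    """Static file server; files under PROTECTED_DIR also need HTTP Basic auth."""

    def send_head(self):  # used by both GET and HEAD
        sent = self.headers.get("Authorization", "").encode("latin-1")
        expected = basic_header(*DEMO_CREDENTIALS).encode("latin-1")
        if self._is_protected() and not hmac.compare_digest(sent, expected):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="demo"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return None
        return super().send_head()

    def _is_protected(self):
        # Decide on the resolved file, not the URL text, so a spelling such as
        # "/stuff/../private/" cannot sidestep the check.
        target = os.path.realpath(self.translate_path(self.path))
        guarded = os.path.realpath(os.path.join(self.directory, PROTECTED_DIR))
        return os.path.commonpath([target, guarded]) == guarded


def fetch(host, port, path, credentials=None):
    headers = {"Authorization": basic_header(*credentials)} if credentials else {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def audit(paths, credentials=None):
    """Serve SITE_FILES on 127.0.0.1; compare robots.txt advice with real responses."""
    robots = RobotFileParser()
    robots.parse(ROBOTS_TXT.splitlines())
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SITE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as handle:
                handle.write(text)
        server = ThreadingHTTPServer(("127.0.0.1", 0), partial(DemoHandler, directory=root))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            host, port = server.server_address[:2]
            report = {}
            for path in paths:
                status, body = fetch(host, port, path, credentials)
                report[path] = {
                    "robots_allows": robots.can_fetch("ExampleBot", path),
                    "status": status,
                    "auto_listing": status == 200 and "Directory listing for" in body,
                }
            return report
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    demo_paths = ["/jurist-l/archive.txt", "/stuff/", "/papers/", "/private/notes.txt"]
    for path, row in audit(demo_paths).items():
        print(path, row)
```

In the report, the robots-disallowed `/jurist-l/` file still comes back with status 200, `/stuff/` returns an automatic listing because it has no index.html, `/papers/` shows only its owner-written index page, and only the password-protected directory answers 401.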