Feeds

Your space, MySpace, everybody's space

A closer look at the privacy issue

SANS - Survey on application security programs

There is no doubt that, if there was a threat of imminent harm and releasing the records of the NUMBER of registered sex offenders would prevent that harm, MySpace could release that information without a subpoena, both under its privacy policy and under the ECPA. Indeed, if there was evidence of criminal activity, MySpace could release the data, at least under its privacy policy. The aggregated data (e.g., the number of registered sex offenders on the site) may not be protected under the exact terms of the ECPA. Does this mean the AGs have a RIGHT to the data? Not really.

Privacy is about protecting data when somebody wants it for some purpose. It is easy to protect data that nobody wants. If State Attorneys General ask for the information just because they want to know, why can't other groups ask for the same, or similar information? Do I have the right to demand that Yahoo business scan posters for felony fraud convictions and provide ME (an investor) with the data? To what extent are we demanding that ISPs, website operators, communications service providers not only act as law enforcement agents, but also waive both privacy AND legal restrictions in doing so?

Clearly the AGs argument that there was an imminent threat from the people removed from the service was what was disingenuous. Moreover, if the information was SO important, what kept the AG from getting a subpoena? Apparently nothing. Instead, the law enforcement agents responsible for enforcing privacy laws and policies were hoist by their own petard - they found the privacy laws as applied inconvenient, so they attacked the service provider. Indeed, they insinuated that not only was MySpace PERMITTED to turn over subscriber or other data to the cops, but that it was legally obligated to do so, just because the cops wanted it.

Sex Offender Crimes

The Attorneys General appear to insinuate that there is some law that precludes all sex offenders from using online social networking services, noting that they have "no business" being there.

Certainly, sexual predation and using computers in furtherance of sexual predation is a crime. For example, according to the National Conference of State Legislatures, a 2006 Colorado statute prohibits an unrelated person from using a computer network to communicate with a child under age 15 without consent of the child's parent if the person is at least four years older.

Measures in Kansas and Oklahoma establish the crime of "electronic solicitation" as a felony, while a Virginia law made it a felony to pay for any online sexually explicit material that includes children. A Hawaii legislative proposal Hawaii H 1763 (2005) would have made it a crime to use a computer while impersonating another for the purpose of committing a sexual offense against a minor under the age of 16. North Carolina proposal S. 472 (2005) would have made it an offense to use a computer to solicit a child under the age of 16 for a sexual offense.

But the AGs didn't ask for the information in furtherance of the investigation of a particular crime. Rather, the Connecticut AG argued that: "Many of these sex offenders may have violated their parole or probation by contacting or soliciting children on MySpace."

But the AGs didn't demand the records of those who had such parole or probation restrictions. They didn't present any evidence to MySpace of probation violations. They never explained how the information would prevent a crime, or empower parents, or more importantly why drafting a subpoena was an excessive burden. Indeed, it apparently wasn't, as the AGs eventually got them.

Clearly, there will be cases where there are exigent circumstances or serious crimes where companies will simply turn information over to the cops because it's the right thing to do to prevent imminent harm. What the AGs seem to insinuate is that whenever they believe a crime MIGHT be committed, Internet companies have a legal duty to produce records to law enforcement without anything more than a demand. We could do away with subpoenas entirely. If the cops want it, they must have a good reason. And all internet companies become the agent of the cops. And that would be a dangerous thing. Almost as dangerous as the public relations nightmare that might befall you if you have the audacity to say no to the cops in the first place.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

High performance access to file storage

More from The Register

next story
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
Whoever you vote for, Google gets in
Report uncovers giant octopus squid of lobbying influence
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.