Networking: January 2008 Archives


January 29, 2008

MySpace has been under a lot of pressure to do something about the alleged threat from "sexual predators" using their service. As I've observed before, there's not really much they can do unilaterally. They appear to have decided to deal with this problem. New York Attorney General Cuomo has proposed legislation to restrict sex offenders' use of the Internet:
MySpace and Facebook, said Cuomo, asked for new legislation to help them make their social networks safe. And that's what the E-STOP Act aims to provide. Cuomo described it as a Megan's Law for the age of the Internet. Megan's Law, named after murdered seven-year-old Megan Kanka, refers to a collection of state and federal laws enacted in the 1990s that require sex offenders to register so that communities can be informed of their presence.

"The law that we're talking about today does two things," said Cuomo. "First, as a mandatory condition of parole or probation for serious sex offenders, it will prohibit them from going on social networking sites that attract young people or from communicating on the Internet with any person under 18 years old. Second, it sets up an e-mail registry where every parolee will have to give their e-mail or their on-screen identities to a state registry. And it establishes a process whereby the social networking sites or Internet sites can take that Internet registry, run it against their site, and screen or delete the users who are on both lists. It also allows Internet service companies to notify law enforcement, who can then take the appropriate action."


"Rather than treating the online and offline worlds differently, our goal at MySpace has been and will continue to be to make our virtual neighborhood as safe as our real one," said Hemanshu Nigam, chief security officer of Fox Interactive, which owns MySpace. "We keep a watchful eye on predators who leave our jails and prisons into our physical world. If we fail to do so in our online world, we unwittingly provide an advantage to these predators, an advantage that they can and they will exploit."

OK, so at some level this isn't completely insane. As I said earlier, clearly MySpace can't do this alone, so if your plan is to keep sex offenders off MySpace, then you're going to need some kind of legislation to let you identify them. That said, it's not really clear why this is thought to be valuable. Presumably if you get busted for being a sex offender it's not like you're going to be overconcerned about whatever additional penalty you're going to get for failing to register your email address or illegally using MySpace.

Nigam makes the analogy to having to register your physical address, but this doesn't really make much sense. You've got to live somewhere, so it's kind of noticeable if you don't register your physical address, and the parole officer can come by and check up on where you live. So, to the extent to which you think it's important to figure out where sex offenders live (again, it's not clear it really is), it's fairly doable. By contrast, you can have as many email addresses as you want and it's not particularly difficult to get yourself an untraceable or at least hard to trace email address, so it's extremely hard to verify that sex offenders have actually registered their addresses if they make any attempt to evade this law.

And of course this assumes that it's particularly useful to be able to keep sex offenders off of services like MySpace and Facebook. That's not really clear. I'd be interested to see if there is any good data on how many sex offenses actually result from solicitations on services like this.


January 22, 2008

The EU has decided that IP addresses need to be treated as personally identifying information.
Google and other companies maintain that I.P. addresses are not personally identifiable information. One part of the argument is that I.P. addresses identify a computer, not the person using it. True. But that’s the same as a telephone; just because a call was made from a number doesn’t tell you exactly who was talking. Nonetheless, I suspect that most people believe their phone number is quite personal.

The other part of the argument has to do with dynamic I.P. addresses, the practice by Internet providers of switching the I.P. address of home users. Even there, I.P. addresses are not as anonymous as they would appear. Internet service providers keep records of what I.P. addresses are assigned to which customers at what times. Combine these I.S.P. records with a log file from a Web site, and you have a map to who has done what on the Internet.

Look, this isn't even close. It's certainly true that many home users have IP addresses that are assigned via DHCP, so in principle they're dynamic, but that doesn't mean that you don't regularly get the same IP. From what I hear, common practice for full-time Internet connections is to regularly assign the same IP addresses to the same host. The IP addresses change occasionally, but mostly they're semi-static, so the IP address is generally a pretty useful identifier. And of course, even if your IP address does change regularly, it's still possible to cross-correlate activities at multiple sites at the same time.

Of course, this doesn't tell you how IP address information should be handled. Web servers routinely log client IP addresses and your average small Web site has zilcho in the way of policies or mechanisms for purging this kind of information from their logs. So, saying that IP addresses need to be kept confidential would entail pretty significant changes to operational practice. So, it's a balancing act, but it's certainly not true that there's no privacy risk from IP information leaking; quite the contrary.
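
As an added illustration (not part of the original post), here is one possible log-scrubbing mechanism of the kind the paragraph above says small sites lack: it replaces the client address in Common Log Format lines with a per-site, per-day keyed token, so the same address no longer joins across two sites' logs or across days. The log lines, key values and function names are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample lines (Common Log Format); addresses are documentation ranges.
SITE_A = [
    '203.0.113.7 - - [22/Jan/2008:10:15:02 +0000] "GET /forum/thread/41 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Jan/2008:09:01:44 +0000] "GET /forum/thread/42 HTTP/1.1" 200 4877',
]
SITE_B = [
    '203.0.113.7 - - [22/Jan/2008:10:15:40 +0000] "GET /clinic/appointments HTTP/1.1" 200 912',
    '2001:db8::9 - - [22/Jan/2008:11:00:00 +0000] "GET / HTTP/1.1" 200 300',
]

DAY = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4}):')

def pseudonymize(addr, site_key, day):
    """Per-site, per-day keyed token for a client address.

    A bare hash is not enough: the IPv4 space is small enough to enumerate,
    so the key must stay secret and be discarded when it is rotated.
    """
    ip = ipaddress.ip_address(addr).compressed   # raises ValueError if not an IP
    mac = hmac.new(site_key, f"{day}|{ip}".encode(), hashlib.sha256)
    return "c-" + mac.hexdigest()[:16]

def scrub(lines, site_key):
    """Replace the client field of each line; fail closed on anything odd."""
    out = []
    for line in lines:
        client, _, rest = line.partition(" ")
        day = DAY.search(rest)
        try:
            token = pseudonymize(client, site_key, day.group(1))
        except (ValueError, AttributeError):     # hostname, or no timestamp
            token = "-"
        out.append(f"{token} {rest}")
    return out

def clients(lines):
    """Set of client identifiers (first field) seen in a log."""
    return {line.split(" ", 1)[0] for line in lines}

if __name__ == "__main__":
    print("raw overlap:", clients(SITE_A) & clients(SITE_B))
    a, b = scrub(SITE_A, b"site-a-demo-key"), scrub(SITE_B, b"site-b-demo-key")
    print("scrubbed overlap:", clients(a) & clients(b))
```

Within one site and one day the token is stable, so per-day visitor counts still work; the ISP-record join described above no longer does, because the logged value is not an address.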