Paranoid about Cookies...

Mike Coleman mcoleman2 at kc.rr.com
Fri May 19 21:07:41 CDT 2000


[I know this is becoming a bit tiresome, even though I think it's important,
so I'll let Jeffrey have the last word.  If you're interested in these sorts
of issues, take a look at the ACM Privacy Forum Digest at
'http://www.vortex.com'.  --Mike]

Jeffrey Watts <watts at jayhawks.net> writes:
> So how is this different from what DoubleClick is(was) trying to do?  I
> believe the only difference is that you don't necessarily know in advance
> who their member websites are.

True, plus you also *do* know in advance that the data is going to be used for
a purpose other than facilitating the transaction between you and the company
in question.

I believe there was a case recently in which a dentist went out of business
and all of their patients' records were auctioned off.  As I recall, the
records were sold to whomever; there was no legal requirement that the buyer
even be in the medical field.

I see these two cases as similar; they're both an unethical redirection of
private information without prior permission (or even notice).

> > I wouldn't mind it if it was strictly opt-in, and great care was taken
> > to anonymize the target groups (including outside auditing, etc).  
> > That's not what's happening at all, though.
> 
> Banner ads _are_ opt-in.  You opt to go to that web site.  You can avoid
> the adverts by _not_ going to that web site.  I know it's kind of lame,
> but look at what we have now with billboards.

Okay, but I'm not objecting to banner ads, and I happen to believe that many
of the banner ads I'm seeing are in fact being used in an ethical way.

I do "opt out" of (I believe most of) DoubleClick's ads by stripping their
domain with JunkBuster (see junkbuster.org).  I imagine, though, that if lots
of people begin doing what I'm doing, DoubleClick will start hiding the origin
of their ads to prevent this.

If an industry list of URLs with unethical privacy policies were mandated, so
that I *could* meaningfully opt in or out, I wouldn't have a problem.

> > Maybe.  The market didn't bring us seat belts or the Internet, though
> > they are highly desirable and very economical for society as a whole.
> 
> Depends on how you look at it.  One could say that the government is an
> extension of our market, given that it lives and breathes with tax money,
> which is directly proportional to the health of the economy.

You could, but I think most capitalists would regard anything more than
minimal economic behavior by the government as anti-capitalist.

> > It was bad because Intel was trying to ram something their customers
> > generally didn't want.  I believe the CPUID "feature" is a privacy
> > disaster, and I'm glad it's gone.
> 
> The feature itself has no privacy concerns.  The software changes that
> Intel was proposing MS implement were the problem.

AFAIK, the CPUID is not privileged, which means that *any* program that runs
on the system can disclose the serial number.  No assistance is required from
the OS.  Serial number access can purportedly be disabled at boot time, but
this exploit (http://www.zeroknowledge.com/p3/home.asp) can grab it anyway,
under some conditions.

> Heh.  Never had a support contract, have you?  The serial numbers are
> there to facilitate support and identify machines.  It's much easier for a
> sysadmin in California to tell a support person the serial number of a
> machine in New York when all he has to do is type a simple command at the
> command line, instead of reading a label on the back.  That's pretty much
> all I do at Sprint with those numbers.

Actually, I did work at SPCS's data center for about nine months and did the
whole support thing.  I suppose 'hostid' might have been easier under some
circumstances, but it doesn't work if the box is unpowered or won't start.  I
believe we almost always used the printed number.  (Actually, Sun was always
very helpful as soon as they figured out who we were, without being overly
sticky about these numbers, which IMO is good business.)

> If you go to my site, it is my business as well as yours.  It's not
> private information, but it can lead to problems though when the
> government is involved, or the information is distributed.

...which is probably 90% of the time.

> > I think I sense a contradiction here.  If you don't think the behavior
> > is unethical or illegal, why object to it?  And why would it bother
> > you so much that you'd even quit your job, just on that basis?
> 
> It's the slippery slope I fear.  Although I feel the individual actions
> are innocent and ethical, I agree with you that we need to watch for the
> precipice past which we cannot turn back.

I agree about the slippery slope, but you're not quite answering my question.
I think the reason that you would quit is the same reason that any free,
reasonable person would--because that employer's behavior would in fact be
morally offensive.

> I just don't believe that the solution is to condemn and blast entities like
> DoubleClick (though it does send a reminder out to business that people care
> about privacy).

I agree, but it's one of the best tools we have at the moment.

> I think that the government needs to agree to restrict itself in its use of
> power.

:-)  :-)  :-)

--Mike

-- 
Any sufficiently adverse technology is indistinguishable from Microsoft.



