1. 20

Note: title taken from author’s tweet https://twitter.com/bsdphk/status/593018124787646464

  1.  

  2. 14

    The argument about it taking development resources is certainly fair enough.

    The “political postscript” is… bizarre. “The next big issue is that there are people who do not have a right to privacy. In many countries this includes children, prisoners, stock-traders, flight-controllers, first responders and so on.”

    Okay, so children and prisoners are each completely different cases which don’t belong with the others.

    I’m not aware of any country where prisoners are allowed computers, so this… seems to be a non-issue? Correct me if I’m wrong?

    Children, well, personally I happen to feel that there are a ton of good reasons for children to keep secrets from their parents, and in the US there’s no law that says they can’t, though there’s also no law that says the parents can’t snoop. Anyone who grew up queer, transgender, in an abusive household, or all three, … is going to agree that children have a valid interest in their own privacy. I very much object to the notion that technology should enable parental control. Yes, there are government and social mechanisms which are supposed to make all parents be good ones, in which case this would be unnecessary, but… come on.

    Flight controllers and first responders are also a bit odd to include - is there an oversight requirement there? They’re performing vital functions, but not ones that lend themselves to abuse. But I’ll assume that there is one, similar to stock traders, and deal with these together.

    And that’s very, very simple. If you’re working for your employer using a computer they provide, all they have to do is watch your traffic using a browser extension which they install. If, as someone in these positions of trust, you uninstall or sidestep their monitoring, and are subsequently accused of something, good luck explaining yourself in court. There’s no need to use a proxy at all for these situations, since the traffic originates on a device the user doesn’t control.

    It’s very odd to see someone who I have no reason to think doesn’t know what he’s talking about, degenerate into this completely nonsensical argument.

    Does anybody have any idea where this is coming from?

    1. 2

      I’m not aware of any country where prisoners are allowed computers, so this… seems to be a non-issue? Correct me if I’m wrong?

      Go look at Nordic prisons

      https://www.youtube.com/watch?v=2g56susrNQY

      1. 1

        I’m fascinated by the topic, actually, but video and audio recordings are only very slightly accessible to me and I wasn’t able to handle this one. I guess of course they can’t show video of prisoners' typical days (and it would be impossible to trust the realism of if they did), but without being able to listen to explanations I didn’t get anything out of this.

        But I assume you linked it because prisoners under that system have some degree of contact with the outside world. If so, I’m very glad to hear it, and also quite astonished.

        Thank you for the attempt. :)

        1. 2

          I only have limited knowledge about the Danish system (not the others), but in general yes, one of the main goals is to keep prisoners in contact with the outside world and integrated or re-integrated into communities. The theory is that recidivism is less likely for those who have good community ties, which might allow them to find work and social support on release, versus those who feel alienated and isolated from broader society. There’s also a goal of reducing the extent to which a separate, isolated “prison culture” develops (prison gangs, etc.), by redirecting prisoners' socialization outward as much as possible.

          The SSL/privacy argument seems pretty weak in this situation, though. SSL doesn’t really pose a barrier to monitoring inmates' computer usage: the facility can just install its own certificates in the browsers and MITM everything, or even just videorecord the screen if they want.

          1. 1

            It’s a good theory! I’m glad to hear it!

            Yes, agreed that this is like the employer case that I pontificated about up-thread. :) When it’s unencrypted, the prison administration is not the only party who can MITM…

      2. 1

        Children, well, personally I happen to feel that there are a ton of good reasons for children to keep secrets from their parents

        Do you think the OP disagrees with you? Is “I feel children have good reasons to keep secrets” the same as “children have a right to privacy”? I certainly don’t see them as the same thing. (I say this sincerely. Surely, the words “right” and “privacy” have a litany of different interpretations.)

        1. 1

          Heh - I posted on a thread elsewhere on this site, last week, about the many meanings of privacy, since that’s what I do for work so I have some thoughts on it. :)

          They’re not the same statement, I agree. But I will make a stronger one and say that yes, the severity of the harm that can result when they don’t means children should have a right to privacy. Of course, in the legal sense of “right”, they don’t.

          Edit to add: I can’t read the author’s mind, but the text was “… there are people who do not have a right to privacy. In many countries this includes children …”, which makes it vaguely clear that the author is using primarily a legal sense of “right”.

          Which is actually a bit odd come to that, because the Children’s Online Privacy Protection Act (wikipedia) in the US does, in fact, establish a legal right to privacy for children, although that is a different sense of “privacy”… but he didn’t define “privacy”, either, just mentioned it in the context of a thing someone else might argue for that he said shouldn’t be an overriding concern.

          So I can’t tell whether the author disagrees with me or not, but I think there’s enough doubt that I wanted to give my view by way of context.

          1. 2

            So I can’t tell whether the author disagrees with me or not, but I think there’s enough doubt that I wanted to give my view by way of context.

            I think that’s totally reasonable, but I also think that if that’s the case, we should try to be more charitable than “degenerate into this completely nonsensical argument.” All it takes is for someone to use the word “right” slightly differently and the entire meaning of the author’s statement could change. :-)

            On top of all of that, it also isn’t clear if the author is being descriptive or prescriptive. It’s easy to blur that boundary when talking about rights (and privacy).

            1. 2

              That’s fair. I mean, I suppose I should have said that it was nonsensical to me because I couldn’t tell what he was saying… but, yes, that sort of sentiment is better to not express at all.

              And yes, actually, my feelings about the argument change quite a bit if they’re trying to say something like “this is how it is, you don’t have to like it but we should know how it stands”.

              I appreciate the advice on tone, and that’s not sarcasm. Hyperbole is a difficult habit to unlearn!

            2. 1

              Um… That’s a little incoherent of me, sorry. I guess you can figure it out. :)

        2. 3

          I agree that SSL everywhere is a bad idea - why should general information sites require SSL?

          I trust my own self-signed Certificates more than from most of the Certificate Authorities out there, yet companies like Google penalise me for using self-signed and also penalise me for not using SSL.

          1. 7

            why should general information sites require SSL

            So that the coffeeshop I’m at, or the hotel I’m staying in, can’t inject crap in to the page! (Yes, this does happen.)

            1. 1

              Yeah, it’s actually getting really common, since of course there’s money in ads… :(

            2. 6

              I agree that SSL everywhere is a bad idea - why should general information sites require SSL?

              I’m a bit on the fence on this. While that’s certainly a fair point, I could also see it as “why should an arbitrary passive eavesdropper be allowed to see any of my traffic at all?” Further, being able to see that someone’s accessing a “general information” site could still be pretty revealing in the right context.

              1. 12

                Yes. It’s the difference between knowing that you looked at something on WebMD for about ten minutes, and knowing that you looked at a series of pages on a specific venereal disease. Like many other general-information sites, WebMD has no SSL support. Yet they’re a really important source of information, and many users might wish to go there. Why should anyone sharing their wifi be able to snoop?

                1. 2

                  “why should an arbitrary passive eavesdropper be allowed to see any of my traffic at all?”

                  This is an excellent argument for SSL everywhere. I used to solve that issue with providing the same content on https with a self-signed certificate, but the persistent warnings and complaints from browsers made me decide it wasn’t worth the pain.

                2. 2

                  “Why should” is a bad argument - since at least some sites need SSL, it’s simpler to have SSL everywhere unless there’s a good reason to complicate the spec by adding the ability to be non-SSL.

                  Browser treatment of self-signed certificates is ridiculous, but that seems unrelated to the main point.

                  1. 2

                    Do you want HTTP 2.0 support for reduced latency for page loads?

                  2. 3

                    “Sunshine is said to be the best of disinfectantants” wrote supreme court justice Brandeis, SSL Everywhere puts all traffic in the shade.

                    I’m not sure I follow this argument.

                    It seems to characterize traffic into three segments (a) traffic that needs to be secure, (b) traffic that doesn’t deserve to be secure, and © evil traffic. Then, we’re lead to believe that if we don’t use SSL for (b), then we’ll easily be able to find ©. The problem of telling (a) from © is left unsolved. That’s really the hard problem - if you have any legitimately secure traffic, isn’t finding the evil traffic just as hard as if you encrypt all traffic?

                    1. 1

                      Note that PHKs views on this aren’t exactly new.

                      http://www.infoq.com/presentations/HTTP-Performance (minute 13:00 and on). He starts talking about “all or something” at ~23:00.