[HN Gopher] 230, or not 230? That is the EARN IT question
___________________________________________________________________
230, or not 230? That is the EARN IT question
Author : jbegley
Score : 125 points
Date : 2020-04-08 17:37 UTC (5 hours ago)
(HTM) web link (signal.org)
(TXT) w3m dump (signal.org)
| ocdtrekkie wrote:
| EARN IT is pretty disingenuous in how it is designed, of course,
| but I am all for making it harder and harder to retain Section
| 230 immunity: It's a mistake that we allow it in the first place.
|
| We should indeed continue to erode the eligibility for Section
| 230 to the point that either the limitations of remaining
| eligible for immunity makes it easy for competitors to produce
| better offerings without immunity, or that these companies accept
| legal responsibility for their actions as a cost to doing
| business the way they want to. Perhaps this is a vehicle upon
| which we gradually sunset immunity-reliant platforms.
|
| Section 230's supporters constantly push hilariously insane
| narratives about it's importance, suggesting that without it
| companies would be inherently violating the law any time one of
| their users violated the law, or that taking reasonable measures
| to prevent platform abuse is "impossible" at the scale Big Tech
| operates at.
|
| It's more than past time that we regulate tech companies and hold
| them responsible for massive abuses permitted by their platforms
| just as we regulate every other sector of business.
| IAmEveryone wrote:
| > suggesting that without it companies would be inherently
| violating the law any time one of their users violated the law,
|
| Well, that's almost literally what immunity means in this case.
| I've read that post of yours you linked downthread, and you're
| basically just saying "courts will be wise enough and make
| reasonable decisions".
|
| I'm somewhat sympathetic to some expansion of liability.
| Revenge porn, for example, shouldn't exist. That's real harm
| being done every day to real people. And the tube sites are not
| just unwilling to spend money on moderating uploads. They
| obviously know that a large percentage of uploads are made
| without full consent, and that content represents a significant
| chunk of their revenue.
|
| BUT Sec 230 is specifically aimed to indemnify websites that do
| try to moderate content. Before Sec 230 there was a brief
| period of time where that theory everyone on the internet
| believes in even though it is completely stupid was actually
| true, namely that the act of moderating _some_ content somehow
| creates an obligation to moderate _all_ content.
| marcinzm wrote:
| Regulation of this sort generally just helps the incumbent
| players create a better moat around themselves. They can pay
| for the AI and humans to moderate things while newcomers can't.
| So it's question of trading of user benefit against giving even
| more power to Big Tech.
| ocdtrekkie wrote:
| This is the standard scream of incumbent players when they
| want to discourage regulation. It both ignores the fact that
| what's "reasonable" for an incumbent monopoly and a small
| startup are different, and that the law generally accounts
| for scale.
| saferalt wrote:
| Does it "generally account for scale"? Citation needed. The
| GDPR has a fine structure of up to 4% of world-wide
| turnover or EUR20 million. Whichever is HIGHER. That means
| for any company doing less than say, EUR20 million in
| revenue and found to be non-compliant, GDPR gives the legal
| authority to fine them out of existence. I only mention
| GDPR as a specific example because of the familiarity here,
| but the general pattern of non-scaling regulation that
| results in regulatory capture and monopolization is the
| norm, not the exception.
| IAmEveryone wrote:
| You're conveniently ignoring that the percentage-based
| fine structure in itself is almost literally "accounting
| for scale".
|
| The minimum (of the maximum) set by the "whichever is
| higher" clause is needed to remain effective with non-
| and low-revenue entities. Something like Clearview
| (universal face recognition but startup with little
| revenue) would otherwise be free to ignore the law.
|
| If your small company does enough damage to warrant a 20
| million fine, it probably deserves to die. These fines
| also aren't assessed arbitrarily: there's a specific list
| of factors to take into account, and all decisions are
| subject to judicial review under the established
| principles of proportionality.
| novok wrote:
| > These fines also aren't assessed arbitrarily: there's a
| specific list of factors to take into account, and all
| decisions are subject to judicial review under the
| established principles of proportionality.
|
| You hope bureaucrats do not act mechanistically and do
| not apply proportionality, but over and over again in
| recent history you see that exact behavior. Which is why
| no business trusts a statement of 'they'll be might be
| nice, but nothing is effectively stopping them from not
| being nice other than some platitudes'!
| TheSpiceIsLife wrote:
| > You hope bureaucrats do not act ... nothing is
| effectively stopping them from not being nice other than
| some platitudes
|
| One argument goes something like this:
|
| The _state_ always reserves the right to _extinguish_
| you, either by execution or permanent non-judicial
| incarceration, regardless of laws.
|
| We all can only always hope state-level actors don't
| abuse their powers.
|
| Whether they are or aren't at any particular time is
| somewhat subjective.
| TheSpiceIsLife wrote:
| Context matters:
|
| _The fines must be effective, proportionate and
| dissuasive for each individual case. For the decision of
| whether and what level of penalty can be assessed, the
| authorities have a statutory catalogue of criteria which
| it must consider for their decision. Among other things,
| intentional infringement, a failure to take measures to
| mitigate the damage which occurred, or lack of
| collaboration with authorities can increase the
| penalties. For especially severe violations, listed in
| Art. 83(5) GDPR, the fine framework can be up to 20
| million euros, or in the case of an undertaking, up to 4
| % of their total global turnover of the preceding fiscal
| year, whichever is higher. But even the catalogue of less
| severe violations in Art. 83(4) GDPR sets forth fines of
| up to 10 million euros, or, in the case of an
| undertaking, up to 2% of its entire global turnover of
| the preceding fiscal year, whichever is higher._
|
| https://gdpr-info.eu/issues/fines-penalties/
| dfee wrote:
| this is an interesting counter-counter-argument i've not
| seen before. does discussion of this sort of derivative
| behavior exist elsewhere? i.e. is there an established
| narrative of incumbents pushing against regulatory capture,
| or examples of this behavior?
| ocdtrekkie wrote:
| It's just a general behavioral trend I (and plenty of
| others) have noticed in arguments against regulation
| coming from monopolies. When a big tech company claims a
| regulation it dislikes would hurt newer players from
| competing with it, you have to ask... why are they so
| opposed then?
|
| Is it out of the goodness of their hearts that large
| companies complain about regulation hurting small
| businesses? Or is it because the regulation will cost
| them a ton of money they'd rather keep in the bank, and
| they know they already have enough market capture to
| continue to obliterate small businesses either way?
|
| When someone says that regulations on large companies
| will actually hurt small businesses, the first thing you
| should do, is look who is claiming that, and see where
| they get their funding from. It's almost always a think
| tank funded by the biggest player in the market being
| discussed.
| marcinzm wrote:
| There is a difference between short term and long term
| impact. Short term regulation costs money and a large
| player doesn't want that since it'd hurt their stock
| price. Long term they probably benefit from it but wall
| street doesn't care as much about that.
| btreecat wrote:
| Why not look at who wrote the regulations?
| cookie_monsta wrote:
| Because lobbyists tend not to appear in the credits
| novok wrote:
| The GDPR does not explicitly account for scale in practice,
| but pretends you're a $300 million dollar business, with
| the resources to do proper GDPR compliance, which is why
| the response of many small businesses is to stop serving
| europeans. And these businesses had nothing to do with
| privacy invasion, such as classes you pay for, paid note
| taking apps an so on.
| marcinzm wrote:
| >the law generally accounts for scale.
|
| Not in a useful way I've noticed because a small company
| can service hundreds of thousand easily thanks to the power
| of the internet. CCPA, for example, essentially sets the
| cutoff at 50000 users which you can get to pretty quickly
| with a consumer startup. The cutoff helps the local
| pizzeria I guess but not any actual competitor to
| incumbents.
| seibelj wrote:
| Uhh... disagree? Even a 5 person startup should be responsible
| for every single thing their users post? Or do you want some
| arbitrary line of employees above which it's illegal and below
| which it's fine?
| ocdtrekkie wrote:
| I'll refer you to my response here, on why people claiming
| that's the alternative isn't really accurate:
| https://news.ycombinator.com/item?id=22815922
|
| But no, there shouldn't be an arbitrary line. Judges can make
| fair determinations on when a company is or is not doing a
| reasonable job controlling abuse on their platform, and the
| profit motivations behind those decisions.
| ori_b wrote:
| Do you think that any blog with a comments section should be
| legally responsible for spammers posting on it?
| kevingadd wrote:
| The fact that your proposed scenario is scary / unpleasant /
| difficult does not _automatically_ make the alternatives
| better, as we have learned over the last two decades. We need
| to seriously consider that perhaps these things are not
| actually simple unless you ignore the consequences.
| tigerstripe wrote:
| It would certainly change the face of the modern web. In the
| early 2000's, many blogs and news sites did not have comment
| sections.
|
| Maybe a service like a third-party Disqus would come out that
| would split the user-generated content from the actual sites
| (and source the content via P2P networking).
| ocdtrekkie wrote:
| No, and they wouldn't be by any informed understanding of the
| law. That's not how the law has ever worked in any developed
| society.
|
| Generally, law has both the concept of intent and
| reasonableness. As such, a company that inadequately polices
| malicious and abusive content because that content is wildly
| profitable (hi Google and Facebook), we should have the legal
| ability to fine these companies into oblivion, because their
| behavior is not reasonable and the intent behind it can be
| divined from their records.
|
| Meanwhile, if you an individual with a blog, see someone
| making a bad comment on your blog and you ban the person, the
| law would recognize that as a pretty reasonable moderation
| practice.
| root_axis wrote:
| How would the law distinguish between reasonable moderation
| and unreasonable removal?
| ocdtrekkie wrote:
| "Unreasonable removal" isn't actually much of a concern
| here under our current legal doctrine: As these companies
| are private entities, they can decide that they simply
| don't want this or that on their platform, and that can
| be as unreasonable as they like.
|
| Presumably, platforms which profit off user content have
| a financial incentive already to allow user content as
| much as they can, Section 230 only removes the financial
| incentive to remote bad content. Removing Section 230
| will restore balance: Companies will still be motivated
| to keep as much non-abusive content as they can, but will
| face legal challenge if they fail to remove abusive
| content.
|
| (There's an argument to be made that Facebook and Google
| represent "public spaces" in the modern Internet era, but
| we currently have no legal precedent for applying first
| amendment rights to privately owned properties. Either
| we'd need a huge legal shift to apply the first amendment
| to private spaces or we'd need to nationalize online
| platforms.)
| IAmEveryone wrote:
| > Section 230 only removes the financial incentive to
| remote bad content.
|
| Please go read the actual law. It's neither long nor
| complicated.
|
| Section 230 corrected a problem in other law that made it
| dangerous to even attempt to moderate content. Before it
| became law, websites basically had to choose between not
| moderating at all, or assuming liability for all content.
|
| Hell, I'll just quote the relevant part in full:
|
| _(2) Civil liability_
|
| _No provider or user of an interactive computer service
| shall be held liable on account of--_
|
| _(A) any action voluntarily taken in good faith to
| restrict access to or availability of material that the
| provider or user considers to be obscene, lewd,
| lascivious, filthy, excessively violent, harassing, or
| otherwise objectionable, whether or not such material is
| constitutionally protected;_
| danShumway wrote:
| > No, and they wouldn't be by any informed understanding of
| the law.
|
| You are misinformed about the history of 230. 230 was
| proposed exactly because the law was interpreted the way
| you're saying it wouldn't be.
|
| From Wikipedia below, added emphasis mine:
|
| > This concern was raised by legal challenges against
| CompuServe and Prodigy, early service providers at this
| time. CompuServe stated they would not attempt to regulate
| what users posted on their services, while Prodigy had
| employed a team of moderators to validate content. Both
| faced legal challenges related to content posted by their
| users. In Cubby, Inc. v. CompuServe Inc., _CompuServe was
| found not be at fault_ as, by its stance as allowing all
| content to go unmoderated, _it was a distributor and thus
| not liable for libelous content_ posted by users. However,
| Stratton Oakmont, Inc. v. Prodigy Services Co. found that
| _as Prodigy had taken an editorial role with regard to
| customer content, it was a publisher and legally
| responsible for libel committed by customers._
|
| > [...]
|
| > United States Representative Christopher Cox (R-CA) had
| read an article about the two cases and felt the decisions
| were backwards. _" It struck me that if that rule was going
| to take hold then the internet would become the Wild West
| and nobody would have any incentive to keep the internet
| civil"_, Cox stated.
|
| ---
|
| It's become increasingly popular for people to say that
| Section 230 was a mistake. Usually they support that with
| claims that concerns about its repeal are purely
| theoretical fearmongering, despite the fact that we
| literally have case president on the books right now about
| what the Internet would look like without Section 230, and
| how the existing laws were being interpreted.
|
| When people raise concerns that without Section 230 the
| Internet would be divided up into completely unmoderated
| platforms and aggressively curated gatekeepers, that's not
| fearmongering. It's history.
|
| Ironically, the only websites that wouldn't be affected by
| a repeal of Section 230 are the completely unmoderated
| hellholes we want to discourage online, because they have
| Compuserve's precedent and the 1st Ammendment to hide
| behind.
| ocdtrekkie wrote:
| But in a world where we feel it was backwards that
| moderators were punished and unmoderated platforms
| weren't... Congress decided "let's just make everyone
| immune" was the right way to go?
|
| And again, I think the examples here are missing the same
| concept that Section 230 fails to recognize: Profit, as I
| discussed here:
| https://news.ycombinator.com/item?id=22816016 It seems
| like the author of Section 230 failed to recognize we're
| in a capitalist society when this regulation was drafted.
|
| When platforms are taking a cut out of illegal activity,
| as Big Tech platforms do when they operate ad networks,
| courts would have to agree that any platform party,
| regardless of whether or not they currently moderate,
| should be held to some manner of responsibility.
|
| Right now, when an old lady clicks a Google search result
| for "mapquest", clicks the top link for "Maps Quest"[0]
| because Google ads aren't distinguishable from real
| search results to the untrained eye, is pushed to install
| a browser extension (from the Chrome Web Store) that
| hijacks her browser's new tab and search, injects
| malicious ads, and scrapes her private info to relay to
| an attacker, Google makes money. And is wholly protected
| by Section 230 for that activity and unable to be held
| responsible for refusing to delist the malicious ad.
|
| In what world is that the right legal position?
|
| [0] (This is a very real world example, I've done a lot
| of senior citizen tech support, and this is how 90% of
| them get owned.)
| IAmEveryone wrote:
| That example has absolutely nothing to do with Sec 230.
| Google's ad design is all on Google. If it were illegal,
| Sec 230 wouldn't protect them. And while Google might be
| protected against liability for Mapquest's business
| practices, Mapquest isn't. If their behavior is harmful
| and illegal, they are liable.
| ocdtrekkie wrote:
| MapQuest did nothing wrong in this example. The problem
| is the fake sites that are taking the top spot in search
| results above the legitimate MapQuest link when you
| search Google for MapQuest, and Google refuses to delist
| them. And of course, Google lets people buy ads for other
| companies' trademarks, which is a whole different ball of
| issues.
|
| (MapQuest is a popular one for malicious sites to pretend
| to be because most of the people searching for it are
| seniors... they heard about it twenty years ago and then
| never moved on from searching for it when they want
| directions somewhere.)
| spaced-out wrote:
| What does this have to do with Section 230?
| ocdtrekkie wrote:
| The moment someone points out Google makes a huge amount
| of money on scams and malware, and due to Section 230,
| can't really be held responsible for it.
| danShumway wrote:
| To follow up, we've also tried going in the opposite
| direction from 230 more recently with SESTA/FOSTA.
|
| From that Wikipedia page, some of the current effects
| (again, emphasis mine):
|
| > Craigslist ceased offering its "Personals" section
| within all US domains in response to the bill's passing,
| stating _" Any tool or service can be misused. We can't
| take such risk without jeopardizing all our other
| services."_ Furry personals website Pounced.org
| voluntarily shut down, citing increased liability under
| the bill, _and the difficulty of monitoring all the
| listings on the site for a small organization._
|
| > _The effectiveness of the bill has come into question
| as it has purportedly endangered sex workers and has been
| ineffective in catching and stopping sex traffickers._
| The sex worker community has claimed the law doesn 't
| directly address issues that contribute to sex
| trafficking, but instead has drastically limited the
| tools available for law enforcement to seek surviving
| victims of sex trade. Similar consequences of the law's
| enactment have been reported internationally.
|
| > A number of policy changes enacted by the popular
| social networks Facebook and Tumblr (the latter having
| been well known for having liberal policies regarding
| adult content) to restrict the posting of sexual content
| on their respective platforms have also been cited as
| examples of proactive censorship in the wake of the law,
| _and a wider pattern of increased targeted censorship
| towards LGBT communities._
|
| ----
|
| Now, this kind of effect doesn't get as much mainstream
| attention because people are primed not to think of sex
| censorship as "real" censorship. But again, we have
| examples on the book of what happens to legitimate
| services (both large and small) when laws like this get
| passed. It's not fearmongering, it's history.
|
| People have these assumptions that laws are going to be
| reasonably applied -- that's not a safe assumption to
| make if you pay attention to the history of these laws.
|
| I'm largely unsympathetic to those arguments for the same
| reason that I'm unsympathetic to all of the lawmakers
| saying, "well this time we regulate encryption it will be
| different." We have a number of examples of how this can
| go wrong (and has gone wrong). If somebody wants to
| propose that it'll be different the next time we weaken
| 230 or add exceptions, then I think the onus is on them
| to provide some kind of compelling evidence as to _why_
| it 's going to be different this time.
|
| What makes you certain that the policies you propose
| won't have the same effect as FOSTA/SESTA?
|
| ----
|
| As to why these laws primarily affect platforms that are
| already trying to moderate and not free-for-all
| hellholes, that's in part because of existing case law
| around the difference between a publisher and a
| distributor.
|
| From Wikipedia's entry on Compuserve's case (once again,
| emphasis mine):
|
| > The court held that "CompuServe has no more editorial
| control over such a publication [as Rumorville] than does
| a public library, book store, or newsstand, _and it would
| be no more feasible for CompuServe to examine every
| publication it carries for potentially defamatory
| statements than it would be for any other distributor to
| do so._ "
|
| Bills like SESTA/FOSTA have managed to pass without a lot
| of opposition because, again, people are primed to think
| that sex censorship isn't real censorship. But where more
| mainstream content is concerned, you should understand
| that proposing punishments for distributors is a pretty
| big change to existing libel/speech laws. Big enough that
| I don't even feel comfortable speculating on what the
| legal challenges or possible effects would be. That's a
| radical departure from how we currently think about
| speech in the US, not just on the Internet but in
| physical/print spaces as well.
| drenvuk wrote:
| I don't like this malware example. Yes Section 230
| protects Google from that and yes google is in a position
| of trust for the content they serve up but there's
| something wrong with your stance.
|
| The point in your old lady's chain of actions where a law
| was and should be considered broken was when the malware
| ads were injected, not before. You can't go that far up
| the chain, there are too many proxies, too many people
| with intents that are not obviously malicious. People
| should be given the benefit of the doubt in most cases.
|
| In addition, in your profit explanation that you linked
| to you stated that if the service can't scale up human
| interactions to match with complaints then that service
| shouldn't exist. That's laughable. To do so would make
| service owners so vulnerable to automated complaints that
| legitimate ones would never make it through, that goes
| for up and down the business scale. What your proposal
| ends up doing is creating a non-anonymous internet by
| necessity.
| akersten wrote:
| > Section 230's supporters constantly push hilariously insane
| narratives about it's importance, suggesting that without it
| companies would be inherently violating the law any time one of
| their users violated the law,
|
| Can you explain in your own words what you think Section 230
| actually does? Because yes, without it, that was very much the
| case (see Stratton Oakmont, Inc. v. Prodigy Services Co.)
| unless the company decides not to moderate _at all_ , which is
| not an Internet that most of us want.
| ptudan wrote:
| I can understand companies not being protected from profiting
| off of ads that come before viral lies (facebook, youtube),
| especially when the companies have a hand in spreading them
| with algorithms promoting addiction.
|
| But if they're not promoting the content, and aren't profiting
| from it in a different way than other content, we can't hold
| them responsible. These providers create platforms. Would you
| hold CVS responsible for selling me the tape/sharpie/poster
| board to make a racist sign?
|
| If I create a twitter clone, post it online, and it somehow
| blows up overnight with child porn and terrorism, why do I
| deserve to be punished?
| ocdtrekkie wrote:
| "Would you hold CVS responsible for selling me the
| tape/sharpie/poster board to make a racist sign?"
|
| No, but I'd hold CVS responsible for displaying the sign in
| their stores.
|
| "But if they're not promoting the content, and aren't
| profiting from it in a different way than other content, we
| can't hold them responsible."
|
| That's the biggest issue Section 230 fails to account for:
| These companies are _profiting off it_. When Google or
| Facebook take down content, they still keep the profits they
| got from advertising it. Some of the most long-running ads on
| high traffic search terms on Google distribute malware, and
| they refuse to delist them due to the amount of money they
| make. Facebook refuses to restrict blatant lies on political
| ads because those political ads make it a huge amount of
| money.
|
| Section 230 is a failure because Section 230 removes any
| financial incentive for platforms to moderate responsibility.
| If we were to replace Section 230, rather than removing it
| entirely, we would need a solution that makes it inherently
| expensive to host bad content, such that platforms are
| strongly incentivized to hire qualified staff to moderate and
| manage content.
|
| If I report harmful content on Twitter or Facebook or Google,
| we need a system that ensures I receive a non-automated,
| competent response, and that the company is legally
| responsible for the decision they just made, such that they
| can't pawn it off on an algorithm or someone making 5 cents
| an hour.
| akersten wrote:
| > Section 230 is a failure because Section 230 removes any
| financial incentive for platforms to moderate
| responsibility.
|
| What in the world does "moderate responsibility" mean? It's
| their site, they get to decide what goes on it as long as
| it's legal. If it's not legal, it has to be removed anyway!
|
| > If I report harmful content on Twitter or Facebook or
| Google, we need a system that ensures I receive a non-
| automated, competent response, and that the company is
| legally responsible for the decision they just made, such
| that they can't pawn it off on an algorithm or someone
| making 5 cents an hour.
|
| Yeah okay, fight for that then. This legislation isn't
| that.
| ftvy wrote:
| >If it's not legal, it has to be removed anyway!
|
| Isn't that the original intent of section 230? Because
| these websites couldn't possibly moderate all possible
| user submissions for illegal content, that when illegal
| content is discovered that liability is held with the
| user and not the website hosting it?
| akersten wrote:
| Yes, that's the point of 230. It doesn't make anything
| legal that wasn't before, or illegal that was legal
| before. It simply assigns the responsibility of illegal
| content to the party that created it. Which is just a
| reasonable application of common sense.
|
| I simply do not understand the motives behind people who
| want to abolish 230 - they would turn the internet into a
| stark split between heavily moderated websites, looking
| out only for their own liability because should they lay
| a finger on anything, they are culpable for everything -
| and unmoderated hellholes. Maybe they enjoy the hellholes
| and want more sites like that? Misery loves company.
|
| I suspect most of the posters arguing against 230 are:
|
| * Uninformed about what the law actually does
|
| * Purposefully antagonistic and contrarian, or part of a
| coordinated troll campaign to sow discord
|
| * Folks who have a bone to pick with big tech and will
| support any law, no matter how ridiculous, thinking it
| would cause big companies grief
|
| * Spiteful that their post got moderated off a popular
| platform, and want websites to be forced to broadcast
| their content (despite this being a clear 1A violation of
| the company's rights)
|
| * Really, truly, think that sites on the Internet should
| be either a wasteland or approval-only-posting, and you
| have to pick one
|
| In any case, this kind of discussion around 230 is kind
| of burying the lede of the EARN IT act, which is a
| desperate attempt at not only further eroding 230
| protections after the monstrosities of FOSTA/SESTA, but
| to allow the government to take away these common sense
| protections from a site unless they capitulate to
| government spying.
|
| Which really should be the focus here, but somehow we're
| all distracted in the comments dismantling the faulty
| "platform or publisher, pick one!" argument again.
| gknoy wrote:
| > If I report harmful content on Twitter or Facebook or
| Google, we need a system that ensures I receive a non-
| automated, competent response
|
| That seems extremely prone to being DOS-ed by bots or a
| brigade of complaint-heavy users.
| ocdtrekkie wrote:
| If a platform can't scale to handle content moderation
| requests, it shouldn't exist at scale. Presumably a
| company shouldn't be responsible to respond to bot
| submissions, and could potentially ban complainants who
| abuse the system. (Although doing so would potentially
| open them to legal recourse if they were banning someone
| for filing legitimate reports they just didn't want to
| deal with, for example.)
|
| There are reasonable controls that can be put in place,
| but ultimately, Big Tech companies' responsibility needs
| to be seated in the legal system, and there needs to be a
| way to escalate to the legal system when these companies
| operate in a societally harmful fashion.
|
| "We're just a platform, it's not our fault" should never
| be a conclusive answer to conversations about these
| companies' operations.
| cookie_monsta wrote:
| > If a platform can't scale to handle content moderation
| requests, it shouldn't exist at scale.
|
| Agreed. This whole "we got so big chasing crazy growth
| that making us responsible for cleaning up our own mess
| would make us lose money" argument is very tiresome and
| one that I can't see holding any water outside of tech.
| ocdtrekkie wrote:
| Exactly. There's an exclusive mindset in tech that it's
| okay to automate human problems and then just say there's
| nothing they can do when automation isn't adequate. Other
| businesses have huge percentages of their workforce
| tackling problems that tech companies just say they're
| not responsible for, like content moderation, customer
| service, etc.
| yuliyp wrote:
| No human review system can scale to automated reporting;
| the number of attackers you have is not bounded by your
| legitimate user base.
|
| The system you describe would basically mean every online
| service that allows human interaction would always run
| under risk of any trolls being able to permanently take
| them down by abusing content moderation requests.
| ftvy wrote:
| Begs the question: who defines "bad content"?
| reggieband wrote:
| I thought it was interesting when Twitch partners started talking
| about a Twitch policy that seems to hold the partner responsible
| for moderating their own chat. That is, if you are a partner and
| you have community members posting prohibited content into your
| Twitch chat then you stand to pay the penalty through a ban or
| losing your partnership. You are forced to moderate your own chat
| thereby relieving Twitch of having to do so (and presumably
| giving them some plausible argument that they are enforcing some
| level of site wide moderation).
|
| It was interesting to see the reactions of these streamers since
| they aren't typical business people or legal experts. There was
| quite some debate amongst them about the fairness of the streamer
| being held responsible for random trolls that entered their
| chats. When I considered the viewpoint of individuals instead of
| corporations it did expand my view of
| responsibility/accountability.
| seemslegit wrote:
| Is signal still demonstrating their commitment to my privacy by
| notifying everyone with my number in their phone contacts who is
| also on signal when I join ?
| spacephysics wrote:
| That's a good question I'd like to know, too. Perhaps they hash
| the phone numbers then compare to their master list for
| matches?
| tialaramex wrote:
| Specifically they use the first ten bytes of
| SHA1(phoneNumber) where phone number is like +12345553215 for
| the US phone number 1-234-555-3215 or say +4424061184 for the
| number I had as a child in a village in England.
|
| This form of number is also the one your (mobile) phone
| actually uses, although they let you type in any sloppy human
| attempt at a phone number and translate.
|
| Signal apps periodically reach out to Signal's servers to do
| two things: Confirm that this specific user does still have
| Signal (and so messages to them should be accepted) and
| optionally upload a set of these hashes for their contacts to
| see if any of those have Signal and so messages to those
| numbers can go securely via Signal instead.
| seemslegit wrote:
| That's hardly helpful if I just don't want people who happen
| to have my number to know I'm using signal.
| doomrobo wrote:
| How would a messaging app work without contact discovery?
| You try a friend's number, and see if the message goes
| through? Well if that's what you want, then you can do this
| for all your phonebook numbers, and all the ones that go
| through are on Signal, and all the ones that error are not.
| Oops, you've reinvented contact discovery.
| seemslegit wrote:
| A. You can design it in such a way so that sending a
| message to a non-user is indistinguishable from having a
| user see it and not reply/acknowledge it.
|
| B. You can exchange identifiers with people whom you want
| to communicate it just like with any other non-phone-
| based system: "Hey I'm @username on signal", "Cool, I'm
| @username2" - composes well with method A.
| doomrobo wrote:
| Solution A does not compose well with how Signal does
| encryption. In order to make this indistinguishable,
| Signal would basically have to man-in-the-middle all non-
| existent users. And if one of those users signed up for
| Signal it would have to stop man-in-the-middling them,
| causing all the people who were talking with their ghost
| to observe a key change. It's complicated at best, and
| sketchy at worst.
|
| Solution B ties in to a bigger argument I won't address
| seemslegit wrote:
| There would be no key change because there would be no
| initial key, signal facilitates contacts anyway the only
| difference is that the sides have no ability to control
| with whom it takes place. Messages to non-contacts will
| not be sent because there would be noone in your contacts
| to send them to, hence indistinguishable.
| doomrobo wrote:
| I don't follow. I'm sending (or trying to send) messages
| to my contacts. If I know their phone number, I'm going
| to try to initiate a Signal conversation with them. So I
| ask the Signal server for a signed prekey. Your argument
| is that Signal should not respond with "I don't know this
| person" and should instead respond with something
| indistinguishable from a "real" response. So they must
| send me something that looks like a signed prekey, right?
| Well then I would use that in order to do a key exchange
| and now we're in the situation I described above.
| seemslegit wrote:
| Signal server should respond with "I either don't know
| this person or they have not approved to be contacted by
| you". You should only get a prekey if they are in fact a
| signal user and have opted in to be discoverable by
| everyone or only by select people including you.
| andrewzah wrote:
| > How would a messaging app work without contact
| discovery?
|
| "Hey, add me on telegram, my username is @andrewzah".
| This isn't a hard problem.
|
| I don't know why we decided apps hoovering up our contact
| lists in exchange for convenience was so important. For
| an app that touts itself as private and secure, I still
| had to explain to my brother why giving it his contact
| list wasn't a good idea.
| UncleMeat wrote:
| This is a hard problem. The evidence for this is the
| decades of failed attempts to get people to use pgp and
| other systems where I need to have a freaking party in
| order to figure out who I can message and how before I
| actually start communicating.
| lotyrin wrote:
| I guess I just don't value "contact discovery" as a
| feature?
|
| I just don't see it as a casual thing the way the target
| users of these apps apparently do.
|
| I want to explicitly control, per any form of
| communication, each person who is to be made to know that
| I operate that form of communication and whether or not
| that form of communication with me is open to them.
|
| I do not want to open up a new app and have a large
| populated list of past acquaintances appear, I absolutely
| do not want to appear in such a list, I would rather not
| use a given app than risk having someone show up
| messaging me uninvited.
| TheAdamAndChe wrote:
| That's great! Signal may not be for you then, which is
| okay.
| cortesoft wrote:
| or....make this an opt in feature?
| UncleMeat wrote:
| In order to do this, the signal server must maintain a
| list of who is allowed to talk to who, otherwise the list
| of people available on signal can be obtained through
| enumeration.
|
| This is a privacy trade off. Some services chose to keep
| this list. Signal chose to use phone numbers.
| cortesoft wrote:
| At least that requires the other person to have my
| contact saved, and actively try to reach me. I don't
| clear out my contact list frequently, so I don't want old
| contacts to be PROACTIVELY messaged about me joining
| Signal... if they are looking for me, fine.
| seemslegit wrote:
| How does it require them to actively try to reach you ?
| cortesoft wrote:
| Because it requires the customer to try to send a message
| to the contact. They would have to continuously do that
| if they wanted to be notified when I joined.
|
| This is very different than Signal doing it automatically
| when I join.
| leetcrew wrote:
| personally, I have admitted defeat and accepted that most
| people will not use my favorite messaging app. so I just
| default to sms and ask people who I talk to often if they
| have (or would consider installing) my favorite app. at
| this point, it's only slightly less convenient to
| exchange usernames.
|
| the contact prepopulation isn't even that useful.
| telegram in particular seems to drop notifications if you
| don't exclude it from power management on Android. if you
| don't know the user has notifications turned on and has
| jumped through the hoops to make them actually work, you
| may as well send messages into a black hole. this is part
| of why I never assume it's a good way to contact someone
| without explicitly asking.
| tlb wrote:
| Hashing phone numbers isn't useful for privacy. You can test
| the entire space of 10^10 phone numbers against a list of
| hashes in hours, and you only have to do that step once.
| ajconway wrote:
| They use Intel SGX to keep themselves from being able to
| access their users' contact lists.
|
| Still, one has to possess and reveal a valid phone number to
| use the service. This must help to grow the user base.
| seemslegit wrote:
| This misses the point, just because someone sometimes added
| me to their phone contacts and uses signal does not mean I
| want them notified when I start using signal too.
| Macha wrote:
| This has been my blocker to using Signal or Telegram
| also.
| 333c wrote:
| With Telegram at least, you do not have to share your
| contacts with the app. You can build up a Telegram-
| specific list of contacts based on who you message on the
| platform.
| Macha wrote:
| This is the inverse of the issue. I don't want everyone
| that has my phone number to be able to see/add me on
| telegram. That would require those users not to upload
| their contacts, which is out of my control.
| 333c wrote:
| I agree with your point, and I suspect that part of this
| comes from the Signal android app, which can be used as a
| replacement for all messaging (including SMS). Like
| Apple's Messages, it automatically upgrades from SMS to
| Signal when the recipient supports receiving messages on
| that platform.
| TechBro8615 wrote:
| Telegram does the same thing. In fact, so does Instagram, which
| I find most egregious, since it asks for your number for 2FA
| purposes then notifies anyone who has your number saved that
| you've joined.
|
| Every coach, recruiter, drug dealer or one night stand I've had
| in my life doesn't need to know when I sign up to Instagram.
| Some of them might not have even had my real name until they
| got that notification.
|
| IMO this should be illegal, now that I think about it.
| BubRoss wrote:
| That's almost worse than having no volume control in their
| interface, even for their desktop site.
| [deleted]
| AndyMcConachie wrote:
| Why is this downvoted?
| dublinben wrote:
| It's off topic of the submitted article.
| [deleted]
| eximius wrote:
| Contact Discovery is not seen as privacy invasive, I guess.
| It says, X has Signal, but that's it. So I see how it is,
| strictly speaking, broadcasting 'private' information, but it
| is hard to care terribly. I'm far more concerned by the
| privacy of my conversations than the fact I at one point
| installed signal.
| ape4 wrote:
| But it means they have slurped all your contacts. How are
| they stored? Who are they shared with? etc
| ajconway wrote:
| It's really not a secret https://signal.org/blog/secure-
| value-recovery/
| eximius wrote:
| The DO NOT slurp your contacts.
|
| They invented a way to do contact discovery in a secure
| way: https://signal.org/blog/private-contact-discovery/.
| From the article:
|
| "Using this service, Signal clients will be able to
| efficiently and scalably determine whether the contacts
| in their address book are Signal users without revealing
| the contacts in their address book to the Signal
| service."
|
| This is why Signal gets so much benefit of the doubt from
| the cryptography/security/privacy community. Their
| default approach to these problems is conservative in
| favor of the user until they can invent the technology
| needed to support a feature with security/privacy.
| ape4 wrote:
| Thanks. That's actually great, I was wrong.
| propinquity wrote:
| The Signal App, which is open source, periodically sends
| truncated cryptographically hashed phone numbers to the
| Signal server, which is also open source. The server does
| not store the truncated hashes that the app sends to the
| server. So, they only temporarily have partial hashes
| which they do not store or share with anyone.
| seemslegit wrote:
| See, there's an apparently archaic concept in software
| called user preference - they could ask people upon joining
| if they want to be contact-discoverable or not.
| eximius wrote:
| And that's fair! It's not perfect. And, ignorantly, I
| would assume it'd be easy to add, so they probably
| should.
|
| But I can understand why this is a trade-off they'd make
| in terms of your comfort level (relatively rare to care
| about this) vs. massive use-ability and onboarding gains.
| seemslegit wrote:
| What you call "comfort level" is in fact the primary
| value proposition of a tool like signal and the fact that
| they have chosen to compromise on it to drive adoption is
| symptomatic of the many things wrong with the setting in
| which this decision was made. Not unlike calling out the
| EARNIT senators on using child abuse justifications in
| bad faith to promote the agenda of censorship and
| surveillance.
| clarkevans wrote:
| Perhaps the parent is downvoted not because of the underlying
| content of the message, but because of the black/white
| framing.
|
| Every tool has a barrier to use, and even with a strong
| commitment to security/privacy, Signal seems to have decided
| that it's more beneficial for their users know which one of
| their friends are on Signal, than there is potential for
| abuse. Further, there may come a time where this calculus
| changes, for example, if spammers arrive on the Signal
| platform and start decreasing usability.
| rapnie wrote:
| > Signal seems to have decided that it's more beneficial
| for their users know which one of their friends are on
| Signal
|
| I feel the reason might be more as a way to promote more
| widespread use of Signal itself, rather than directly
| serving their users.
| dublinben wrote:
| The creators of Signal surely believe that 'promoting the
| more widespread use of Signal itself' benefits their
| users. They're not for-profit company that exists for
| some other purpose.
| hawkice wrote:
| Plenty of people have complex opinions about 230, but it's a law
| that says, if you see a comment that defames you, sue the person
| who made it, it's got nothing to do with e.g. whoever runs the
| skateboarding forum. Who opposes this? It's just codifying the
| common sense understanding of the internet.
| core-questions wrote:
| OK, so please do tell me how to sue `sk8rboy2020` on the forum
| then?
| Macha wrote:
| How do you sue the guy that shouted at you as they left the
| restaurant? Who stuck a defamatory sign on the electric pole?
|
| I don't see why the issues these present should move
| responsibility to the restaurant or electric company,
| however.
| hawkice wrote:
| I mean, 230 doesn't entitle them to immunity to subpeonas for
| records about which IP address made a comment, and internet
| providers routinely translate those to real identities in
| response to valid legal requests.
|
| But that might work. Maybe they don't keep records. How do
| you sue defamatory information scrawled on a bathroom wall?
| Sometimes we don't have records for things. That's life.
| toast0 wrote:
| Sue John Doe, and ask the court to issue a subpoena to the
| forum for identifying information, and then to the ISP, and
| once you have that, add the account holder as a defendant to
| the suit.
|
| It's not fast, and it's not easy, but such is life.
| core-questions wrote:
| I'm really coming more from the perspective of valuing
| anonymity. I'd prefer a world where you simply can't sue
| the guy, and have to suck it up that people say things you
| don't like.
| Der_Einzige wrote:
| Proxy server usage would skyrocket if this became common -
| as it should.
| hawkice wrote:
| Whoever is running the proxy can also get a subpeona. If
| you run it yourself the ISP will know who you are.
| Someone is paying to access the internet, so they
| probably have records.
___________________________________________________________________
(page generated 2020-04-08 23:00 UTC)