Privacy in Internet cafes
An article was posted recently in which a sysadmin for an Internet café describes catching a 419 scammer.
(For those who don't know, 419 scams are those "I have access to a lot of cash, help me retrieve it and you can have some" messages. A lot of people fall for them; the most interesting aspect to me lately is that several people who've lost huge amounts of money to this scam and have been informed that it's a scam have steadfastly refused to believe they were being scammed.)
All to the good, right? 419 scammers are bad. But I find the article kind of disturbing, and the utter glee of the online geek community even more so.
My first big problem with the piece turns out to have been mostly a matter of unclear storytelling (although the author doesn't seem to understand how problematic his phrasing/organization of the story appears to be). The author finds out that someone has been sending 419 scam email from the Internet café in Dublin where he's a sysadmin. He writes: "I asked around, and a man, described as being black (or is the word African-American these days?), roughly 30, with an accent which seemed half London and half African had been in the cafe with a laptop. . . ." The implication seemed to me to be that he asked whether there had been a black man in the café, and immediately decided that the only one who'd been in there lately must be guilty. It turns out (as the author reveals in a snide Slashdot posting) that what he was actually asking around about was to find out who was the most suspicious-appearing person in the café at the time the mails went out, and the answer was that it was the guy who reserved a somewhat secluded booth and received an unusual number of phone calls on his cell phone. (~I'm sure that the fact that the man was black was completely irrelevant to his appearing suspicious, and that the author's choice to mention the guy's blackness first on the list of identifying characteristics is merely an identifying feature that has nothing whatsoever to do with race.~)
Anyway, so fine, let's skip the race question. The part of the story that disturbed me most is that the author of the piece, acting on his suspicion that the person in question was a 419 scammer, proceeded to monitor all the traffic from the scammer's computer, picking up (and later publishing) his passwords and information about what he was searching for online as well as making a record of all the mail the scammer sent.
It's not all that surprising, I suppose. Any communication you do with the Internet has to pass through the local Internet connection, and sysadmins (and sometimes others) are always capable of monitoring such connections. I'm not sure whether the guy was using wireless, but if so, wireless communication is even more insecure than wired; anyone in the area can, with the right tools, listen in on wireless connections. And for all I know, the café may well have had a published notice reminding people that anything they did using the café's resources was subject to observation. (My company has recently made explicit their policy that any email sent or received using a company computer should not be considered private; always good to have a reminder of such policies where they exist, and this time I'm not being sarcastic.) But it bothers me that everyone in the geek community (including BoingBoing, usually way strong on privacy issues) seems to feel that this was a good and appropriate approach. Perhaps because geeks know better than to use unencrypted connections?
The sysadmin concluded that it's exciting to "[dig] up evidence on criminals," and (more or less) that sysadmins should do more stuff like this. And noted that "there doesn't seem to be sufficient clarity among those employed in law enforcement concerning the legalities of spam. Hell, I don't know what the laws regarding this sort of thing are. I just know it sucks." The suggestion seems to be that the legality is irrelevant; that it's a good idea for sysadmins to act as vigilantes regardless of the law, because (I'm extrapolating here) sysadmins are the good guys and anyone they suspect is probably guilty anyway. It's the superhero code of ethics; it conveniently ignores any possibility that the good guys can sometimes be wrong.
What I take away from this story is a very different message: it's essential to encrypt as much traffic from your computer as you can, especially if you're using a wireless network in a public place, because there's no telling who may be listening or what they may do with the information.
Unfortunately, I don't have a good way to encrypt my email traffic; Pair doesn't yet offer SSL for POP email (though they hope to do so in the future). However, they do offer SSL for webmail; I've never been fond of web-based email, but maybe I should start using it when I'm (for example) using wireless in Starbucks. I don't generally have anything to hide, but I'd still rather that unintended recipients not read my email.
