
Comment Re:Its not a suprise for its users (Score 5, Informative) 111

I had the same story, until Google started asking for my mobile phone number as verification to link to my Google account. IMO, this is over the edge, as in this country you have to use your real identity to get a mobile number.

Then, I switched to a self-hosted Tiny Tiny RSS and never looked back. I don't use Google accounts anymore, and don't have cookies or javascript enabled for any of Google's websites.

Except for search and maps, I self-host everything (email, websites, Jabber, RSS reader, calendar, etc.) on a dedicated server. There's a small price to pay, but as an example, I have had the same email address for the last 10 years. I have all my emails for the last 10 years. There's no worry about privacy. As a programmer, it's useful to run irssi from it under screen, host my own websites, and pretty much run anything network-oriented.

Comment Re:Ho ho ho... Felony. (Score 3, Informative) 292

The law doesn't care.

Stop thinking about your Wifi device. You emit a lot of information without knowing about it anyway. Read about TEMPEST.

Some people even believe that just because they have swapped CRTs for LCDs, they are not vulnerable. They are usually wrong.

There are many things that are private to you, but that anyone can collect on a mass scale and raise hairs. Like the time period during which your home's lights are on, and when they are off, the contents of your trash, what type of car you use, what colors/types of clothes you wear, etc., just by noticing you in public. Not all such information may be useful or cost-worthy to use today, but it's all information that says something about you.

Comment Re:don't broadcast that stuff (Score 1) 198

Being willfully ignorant is hardly a compelling argument. Either your relatives are terminally stupid, deliberately unwilling to learn or you aren't very effective at teaching them what they need to know to keep themselves safe and secure. I don't buy this kind of argument at all. People aren't that stupid and they understand things of similar complexity in other contexts just fine. Stop making excuses for laziness.

These arguments on technicality are sidestepping the point.

Use of encryption has no bearing on whether listening in is legal or not.

Encryption is tough to get right in practice. It is tough for someone to learn all the nuances behind encryption. You can believe you have mastered it in a public multi-implementation environment, and have some sort of consolation that your data is safe, or was safely transmitted. But there are no guarantees. Algorithms, software and the general implementation may be weak. I provided the example of a rogue CA in an earlier comment. Encryption is a measure that _you_ and your recipient take to protect your data. It doesn't give anyone the right to snoop.

We don't know if Google snooped, or intended to snoop. It's for the courts to decide.

Comment Re:My big sign. (Score 1) 198

There is a difference between not locking your door (inaction) and broadcasting the data to the world (action).

You broadcast a lot of information anyway. Don't think of just devices built as radio transmitters.

TEMPEST was available eons ago. Think what is possible with technology today.

I don't know if it's legal to snoop or not. I don't think we can even tell if this data collection was malicious or just a stupid mistake, going by the information that is available to us. It's for the courts to judge.

But the possibility of data that might have been collected by such passive listening alarms me. It is not compatible with their "Do no evil" ethic. No corporation should be allowed to collect data like this. You can also add all sorts of excuses like "Use encryption", etc. As a techie, my data and network are secure. But not everybody in the general public is savvy about such things.

Comment Re:don't broadcast that stuff (Score 1) 198

Yes. If you want to have a private conversation, a public park is not the best place for it.

It was an example :) With the technology available these days, it doesn't matter if you are in a park or not. TEMPEST is old stuff. You put a lot of signals out there. Try and enumerate the information one can access (if they could) based on the signals that you transmit (don't automatically think just of devices built as radio transmitters).

Use SSH/SSL

I am a techie. But how about my relatives who live two doors down? They use WiFi. They don't know what makes it all work, except that it lets their laptops "use the internet" without any wires. Read your wireless router's documentation. It most probably uses fancy words like WPA, encryption keys, etc. How many of the general public really understand it? Encryption is VERY difficult to get right and one of the main elements is educating the proper use of it.

Do you know how SSL works? Have you kept track of all the latest in how SSL clients validate certificates, OCSP, what the various classes of CA validation are, and what difference they make in practice? If you use SSL, are you sure a rogue CA in China won't help its government, thanks to the Chinese CA certificates registered in your web browser?

Encryption is a layer I use for my peace of mind, knowing that my data is very likely not listened to by some MITM. But this has no bearing on whether listening in is legal or not.

The entire purpose of Facebook is to broadcast stuff. I would be very upset if I posted a comment to Facebook and it wasn't immediately available for everyone to see.

I am upset that Facebook keeps stuff that I have deleted in their records.

Comment Re:My big sign. (Score 1) 198

I've printed all my private data on a giant sign that I've put on top of my house. If you read it you can expect a visit from the authorities. Please, while I might not have bothered to secure my data, I do expect you to respect my privacy.

If I leave my door unlocked, I don't think it's right for strangers to come in and snoop around.

I don't know what you'll think, whether I am naive or you are.

Comment Re:don't broadcast that stuff (Score 3, Interesting) 198

So if I were to set up a radio transmitter that transmitted certain info, can I then accuse whoever looks at that info of being a criminal?

Yes, if you can prove malice.

You have a private conversation about your MP3 collection with your friend in the park. A 3rd party picks it up with a mic. Don't broadcast that stuff?

You route your data through your ISP. Your ISP records whatever it wants. Don't broadcast that stuff?

You post a comment on Facebook. It's forever in Facebook's database. Don't broadcast that stuff?

Your phone calls are recorded by your phone provider, who gives you a "convenient web-based interface to replay conversations whenever, wherever you want." (Gosh, all email is like this, and people are fine with it.) Don't broadcast that stuff?

No, the data is really private to you and whoever you intended it for. Anyone who thinks otherwise is either stupid or malicious.

Comment Fight fire with fire (Score 2, Interesting) 399

There are ways to fight software patents within the current legal system.

Create a very large patent pool, but one that isn't defensive. All it takes is for every single company with commercial interest in free software to pool their patents together. Let's call this the good-pool. The companies donate legal fees to this entity. Now,

1. Wait for _ANY_ other software patent licensing pool to be created, such as the MPEG-LA. Call this the bad-pool. Such a group basically consists of companies that have 'donated' their software patents for threatening/suing others and getting paid. Once such a pool is formed, go after the member companies by asserting relevant patents from the good-pool. Don't wait to defend, but go on the offensive. Also, if any individual company threatens/sues another company with software patents, the good-pool again goes on the offensive.

After some time, no company will dare join a pool, or threaten another company again. This works, except for patent troll companies that have no valid business, but that of suing others. We'll come to this in a moment.

2. Software engineers in the community *read the patents in the bad-pool*, and engineer methods very similar to such patents, but those that do not infringe claims in the patents. This is not so tough. Most software patents are ridiculous. Create a wiki and provide alternative methods to avoid each patent.

After some time, no company will dare join a pool again.

In the case of patent trolls, where the company's only reason for existing is to sue others, follow the money. Find out who's behind the company. Even if litigation happens, and there's a payout, the matter doesn't end there. Find out who is benefiting. These people definitely have investments in other companies. Use the good pool to sue these other companies.

Note that this approach is much like the MPEG-LA licensing pool and does not involve companies giving up patents to the pool.

Comment This is a nice question (Score 1) 504

Say you work for a big company like Google or Goldman Sachs, and their magic secret program uses libraries and other code distributed under the GNU GPL license.

They are under no obligation to publish as they use the code internally and do not distribute anything.

What if an employee leaves the company and takes the code to the magic secret program with him? It uses GNU GPL licensed code, which grants _him_ a license to redistribute it, because he has a copy of the program already.

Comment Re:Pardon my ignorance... but tor for P2P? (Score 1) 122

Good comeback :) Here are my replies:

I.
The third party tries to find all pirates, so it tries to connect & track all users of one or more torrents. Then they might find your real address somehow and blackmail/sue you. This is a violation of privacy; no one is allowed to just snoop traffic or probe everyone's computer just to stir something up. I cannot believe such evidence would hold up in court. The only one who might take such action is the police (or other gov organisation), but they need some previous evidence and most likely a warrant.

I don't think this will hold up in many countries as snooping. Snooping would include you being a MITM, or information that you gather monitoring a conversation between two parties. However, in our case, the malicious party is actually your peer. You are communicating with him and sending him the data as intended for him.

II) The malicious client just knows your IP and wants to find out what you serve or if you serve illegal files. I assume you have set your bittorrent client to only allow encrypted c2c communication. If you use HTTPS to download the .torrent files, the malicious client does not know which file the torrent hash belongs to. If you use a Proxy or HTTPS trackers (do they exist?), the malicious client does not even know the hashes.
So your bittorrent client will deny serving the malicious client because of a hash mismatch.

It doesn't work like this in practice. I'll explain, assuming you are familiar with the .torrent file format, and protocols for Bittorrent tracker and peer communication.

Most torrents that entities such as RIAA are interested in investigating _are_ public. Supposing there is a website like the Pirate Bay that hosts "Britney-Spears-Songs.torrent". That provides the hashes and points to a bunch of trackers. The malicious party's software gets the torrent file, and connects to the tracker, from where it gets peer addresses. The malicious party connects to peers, requests pieces for the hashes and it is the peers that supply it with content that matches the hashes.

Once the malicious party has downloaded the torrent fully, it knows that all peer addresses it downloaded from were interested/involved in the content distribution (and had parts of this content, if not seeds that had all of it).

Of course, if your torrent and tracker are not public, but restricted to a secluded group of people, you don't have to worry, but then, most people don't use Bittorrent like this.

Encryption without any kind of authentication makes no difference if the malicious client is in the pool. Bittorrent's encryption made sense for working around ISP throttling (which involved actual snooping btw).
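The piece check behind that explanation, as an added example (mine, not code from the thread or from any BitTorrent client): a minimal bencode parser reads the piece hashes out of a constructed .torrent, and a peer records which addresses supplied pieces that match those hashes. Transport encryption changes nothing here, because the verifying peer is the intended recipient. The tracker URL, peer addresses and content are all constructed.

```python
import hashlib
# Added example, not code from the thread: a minimal bencode codec, a constructed
# .torrent, and the per-piece SHA-1 check that every BitTorrent peer performs.
def bdecode(data, i=0):
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        j = data.index(b"e", i)
        return int(data[i + 1:j]), j + 1
    if c in (b"l", b"d"):                           # list or dict
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return {items[k].decode(): items[k + 1] for k in range(0, len(items), 2)}, i + 1
    j = data.index(b":", i)                         # byte string: <len>:<bytes>
    n = int(data[i:j])
    return data[j + 1:j + 1 + n], j + 1 + n

def bencode(x):                                     # ints, bytes and dicts suffice here
    if isinstance(x, int):
        return b"i%de" % x
    if isinstance(x, bytes):
        return b"%d:%s" % (len(x), x)
    return b"d" + b"".join(bencode(k.encode()) + bencode(v) for k, v in sorted(x.items())) + b"e"

# Constructed sample content and metainfo (hypothetical tracker URL, not a real torrent).
CONTENT = b"constructed sample payload, not a real file " * 2
TORRENT = bencode({"announce": b"http://tracker.example/announce", "info": {
    "name": b"sample.bin", "piece length": 16, "length": len(CONTENT),
    "pieces": b"".join(hashlib.sha1(CONTENT[i:i + 16]).digest()
                       for i in range(0, len(CONTENT), 16))}})

def piece_hashes(torrent_bytes):
    raw = bdecode(torrent_bytes)[0]["info"]["pieces"]   # 20-byte SHA-1 per piece
    return [raw[i:i + 20] for i in range(0, len(raw), 20)]

def verified_suppliers(torrent_bytes, deliveries):
    """deliveries: (peer_ip, piece_index, data) as received on the (possibly encrypted)
    peer wire. Returns {peer_ip: {piece indexes}} for every piece whose hash matched."""
    hashes = piece_hashes(torrent_bytes)
    seen = {}
    for peer, idx, data in deliveries:
        if idx < len(hashes) and hashlib.sha1(data).digest() == hashes[idx]:
            seen.setdefault(peer, set()).add(idx)
    return seen
# Constructed deliveries: two honest peers plus one that sent garbage for piece 2.
DELIVERIES = [("10.0.0.1", 0, CONTENT[0:16]), ("10.0.0.2", 1, CONTENT[16:32]),
              ("10.0.0.3", 2, b"x" * 16)]
```

The peer that sent a non-matching piece is simply dropped by the hash check, while every peer whose data verified is recorded as having held that part of the content.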

Comment Re:Pardon my ignorance... but tor for P2P? (Score 1) 122

1. If you don't use Tor for the client-to-client traffic, you would have to reveal your real IP to the tracker, so other clients (including malicious ones) can connect to your client.

2. What about when you serve the content in question, when a malicious peer using that tracker connects to your client, encrypted or not?

Comment What about djbdns? (Score 3, Insightful) 132

This is with a stock dnscache from djbdns-1.05:

[muks@misha ~]$ dig +short rs.dns-oarc.net txt
rst.x476.rs.dns-oarc.net.
rst.x485.x476.rs.dns-oarc.net.
rst.x490.x485.x476.rs.dns-oarc.net.
"178.63.21.2 DNS reply size limit is at least 490"
"178.63.21.2 lacks EDNS, defaults to 512"
"Tested at 2010-04-30 13:41:05 UTC"

This seems to say dnscache lacks EDNS. Can anyone with more knowledge of DNS comment whether djbdns is affected?
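The "lacks EDNS" line is the test server reporting that it saw no OPT record from the resolver. As an added example (mine, not from the comment or from djbdns), here is what that looks like on the wire: a query built the way dig builds one, and a parser that reports the UDP payload size advertised in a message's OPT pseudo-RR (type 41), or None when there is no OPT. The responses are constructed, not captured; the query name rs.dns-oarc.net is taken from the output above.

```python
import struct
# Added example, not djbdns code: EDNS0 OPT record on the wire (RFC 6891 layout).
def encode_name(name):
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def skip_name(msg, off):                        # offset just past a wire-format name
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def build_query(qname, qtype=16, edns_size=4096):
    """TXT query; edns_size > 0 adds an OPT RR advertising that UDP payload size."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    return hdr + question + opt

def edns_udp_size(msg):
    """Advertised UDP size from the OPT RR, or None (no EDNS: classic 512-byte limit)."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                         # OPT: its CLASS field carries the size
            return rclass
        off += 10 + rdlen
    return None

def build_response(query, txt, edns_size=0):
    """Constructed response: same question, one TXT answer, OPT RR only if edns_size > 0."""
    rdata = bytes([len(txt)]) + txt.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, len(rdata)) + rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0) if edns_size else b""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1 if edns_size else 0)
    return hdr + query[12:skip_name(query, 12) + 4] + answer + opt

QUERY = build_query("rs.dns-oarc.net")
WITH_EDNS = build_response(QUERY, "constructed: responder speaks EDNS", 4096)
NO_EDNS = build_response(QUERY, "constructed: lacks EDNS, defaults to 512")
```

Running edns_udp_size over a real reply captured from the resolver (for instance with dig +edns=0 and a packet capture) tells you directly whether it speaks EDNS; a resolver that never sends OPT cannot advertise a buffer larger than 512 bytes and will fall back to TCP for bigger answers.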
