All stores and restaurants have private areas -- the stock room, the kitchen, etc.-- that are *not* open to the public. If you're found in one of those employee-only areas then at best you'll be politely asked to leave -- at worst they'll call the cops. A website can be the same way, with public and private areas served up from the same domain.

I am neither a lawyer nor a cop (IANALNAC?) but that fits my definition of trespassing pretty well. Most stores and restaurants are open maybe nine or ten hours a day. That means they're closed more often than they're open. The only reasonable assumption you can make is that you're not welcome unless you're obviously invited to come in.

If you check the law I think you'll find that businesses are not public spaces at all. Rather, they are private spaces into which the public is invited to enter. There are many cues we can use to determine if we are allowed in. Some of them are overt (does the sign say "Open" or "Closed"?) and some of them are subtle (are the lights on?) but nobody would deny that it's usually obvious when the invitation is being made and when it's not. The same holds true for a website. Anyone competent enough to find an unpublicized page on a website is also competent to know that they aren't welcome there. You wouldn't tolerate someone snooping behind every unlocked door in real life so why make excuses for it when it happens on the Internet?

When *I* was in high school, myself and four or five of the top students had access to the full Windows 3.1 shell interface instead of the very restrictive toy shell the other students were forced to use. No hacking was necessary -- the teacher set it up for us. We even had his admin password so we could fix problems for other students.

I think the teacher was a bit overwhelmed by the school's new-fangled Pentium computers and appreciated the help. Actually, I think between us, we students probably did most of the network administration tasks he was supposed to do. None of us abused the privilege and nobody ever got accused of hacking.

I don't think you've thought out what would happen if Google took option #2. If they started to selectively block certain ISPs then they would be facing a *huge* antitrust lawsuit. You can't use your dominance in one market to unfairly influence competition in another.

A better option for Google would be to start charging the customers of these ISPs. After all, isn't that what any corporation does when faced with rising costs? They pass those costs right on to the customer so it doesn't affect their bottom line. Suddenly "free access to Google" would be a real selling feature for any ISP that *doesn't* try to extract money from Google. In the end you'd have the same effect: customers would switch to ISPs that are more favorable to Google, but they'd definitely have a strong defense against any antitrust charges.

Why is the law based on what a person expects? Which person are we talking about here? I think it's fair to say that the average computer user considers e-mail to be like regular mail, where reading the contents requires that you "open" the e-mail. Heck, every e-mail program I can think of uses that metaphor! But I know that e-mail is more like a post-card, with the contents right out there in the open for anyone to see. Because of that, I don't expect a whole lot of privacy. Does that mean I deserve less protection under the law?

This shows the flaw in the idea that some information (to and from addresses, etc) is on the "outside" of the envelope while the contents are on the "inside". There is no "inside" when it comes to e-mail! Anyone who has access to the "outside" information has access to everything. What does it matter if the average user expects their e-mail to behave like regular mail when the reality is more like a postcard? Making the law fit people's perceptions seems like trying to impose some kind of schizophrenic world-view on our law-enforcement officers. They can't both read the e-mail headers and ignore the contents, that's a recipe that's just asking for abuse.

We need a reality check, people, and the solution seems painfully obvious to me: if you want privacy then use end-to-end encryption. It's the only way to be (reasonably) sure that no-one is reading your mail except for the intended recipient.

Never assume your adversary is incompetent. If they can easily find and block all IP addresses used by this program, then why would they choose not to? I can think of one possibility, and it doesn't bode well for people who are using this program under the belief that it will protect their anonymity. We all know that monitoring *all* Internet traffic into and out of a country (especially one as populous as China) is a futile task. But suppose you could identify which fraction of those connections are specifically trying to evade government controls? Wouldn't it make sense to focus your attention on those connections? And instead of blocking them out right, why not trace them back to their source? Even if you can't decrypt the traffic, you can at least identify those "subversives" that could be in need of "reeducation". And remember that just because you choose to block those connections *right now* doesn't mean you can't start blocking them at some point in the future.

What you describe is not so much security through obscurity as simply security through not being worth the effort to crack. In some sense that's true of *every* security solution. Not every bank vault needs to be Fort Knox, not every e-mail needs to be protected by 4096 bit encryption. You match the level of security to the value of the target. So what you really have is a low-security solution protecting a low-value target, which is fine so long as you really don't value your bike (or your porn collection) very highly.