Friday, February 10, 2006

Suicides, ISPs and IP addresses, online forums, social networking, email privacy, "anonymity vs liability" again, Japan, and euthanasia

Now here's a really fascinating issue. I was reminded of it today by Michael Williams' blog, although I remember reading about it last year, probably on SlashDot. The article linked to is this one, and it says:

A total of 91 people committed suicide in 34 Internet-related incidents across Japan last year, but police managed to prevent several potential victims from killing themselves by cooperating with Internet service providers, it has been learned.

Police began cooperating with Internet service providers in October last year, based on guidelines created by an organization on Oct. 5.

Under the cooperation system, Internet providers hand the names and addresses of people who post suicide-related messages on the Internet in emergencies.

Two of the 14 people police managed to contact were in the process of committing suicide at the time of their discovery, but they were taken to hospital and survived. Nine others were persuaded not to commit suicide. The remaining three did not actually intend to commit suicide.

This is actually saving lives! Neat, huh?

Now, all they say is that this system finds "people who post suicide-related messages on the internet", which implies forums, message boards, and so on. Remember that forums and message boards are NOT private. A good samaritan - it could be anyone, like a search engine, the forum owners, or even anyone with a web-crawling program, like Amazon - just reads non-private things posted online, and alerted the police. So far, no privacy problems.

But how do the police find out what actual person posted those messages? Here's where things get tricky.

Say "suicideboy1982" posts about killing himself. The person writing the post probably feels safe that no one will find out that HE is "suicideboy1982". The people with access to that kind of information will keep it private, right?

The log files on the forum host's computer can say what IP address posted what message and when. And the ISP can say who was accessing the internet from that IP address at that time.

The IP information in the log files may or may not be private. Depends on the forum's privacy policy. For the record, if you ask me to look at my site's log files to ask me what IP address accessed what and when, I'd be happy to tell you (because nowhere on my site do I specify or imply that your access to my site is private. There are hosting companies that take the same approach, so that they are not liable for stuff hosted there, like illegal MP3s or whatever - they just say "IP address so-and-so did it"). Some online forums even automatically write, under each post, the IP address from which the request came that generated the post (in other words, the IP address that supply the information you supply when you click on "Submit"). On the other hand, some social networking services make a big deal about NOT handing over IP addresses without a court order, subpoena, or other justice / law enforcement communication. So if someone writes me a mean note on my orkut page, the orkut people will NOT tell you the IP address behind that message, unless a court tells them to (because, say, the note is defaming you) or unless a police investigation asks them to (because, say, the note is threatening you). I know because I used to be one of those orkut people.

People broadcast an IP address when they do anything online. While some people think that this IP address is private and will not be revealed to people who ask "Who did THIS?", these people are usually wrong.

Now, going from IP address to individual person is currently a little trickier, usually. For that, you need the ISP's help, because the ISP is the one who assigns IP addresses to different computers. The "ISP" is AOL, Comcast, SBC, a university, a workplace, whoever gives the user his internet access. Most ISP's privacy policies usually specify that they will not reveal who used what IP address at what time, unless told to reveal it under subpoena, court order, etc. This has come into play recently when the RIAA went after people who downloaded songs illegally. All the RIAA knew is that certain IP addresses shared certain copyrighted songs. The ISP sometimes "gave up" the culprit (i.e. revealed what person was using that IP address at the time), and sometimes refused to snitch on its users. So the knowledge that YOU were the person using a certain IP address is usually private, actually, thanks to the privacy policies in the ISPs' contracts. This may not protect you if you do something illegal or just really bad, though (there's that "liability vs anonimity" thing I talked about earlier), or if your ISP decides to no longer consider your IP address private and changes the privacy policy in the contract.

So, back to where we started... These Japanese ISPs are revealing to the police who used what IP address when, if the police says that it's to stop a suicide. And it's working! Are these ISPs violating the user's privacy? Depends on what they specify on the Privacy Policy part of the contract. But even if they DO specify that the identity of users of IP addresses would not be revealed except under court order, in which case this IS an invasion of privacy... I still think it's OK. I mean, it's like an ambulance breaking the speed limit to save a life. It might be almost-illegal, it might be inconvenient to lots of people, but it's for a good reason. The article mentioned that, out of 14 people contacted by the police from this kind of monitoring, three were NOT about to commit suicide. I can imagine those three might initially have felt mad, betrayed by their ISP, whatever. But they feel that way due to the harmless error of a process, a process that is saving lives. Being annoyed at this for too long would be like being annoyed that you have to pull over when an ambulance goes by.

Michael, who posted about this on his blog, says:

I don't think there's any legal privacy issue if a private company decides to monitor the traffic that goes through its servers.

In general, I agree. But here's an interesting question: What if it were email? I mean, in this case, public posts are being monitored, but what if it were email (the one thing in the online world I agree always is and should be super-private)? Someone reading my email without my permission is not really different from someone stealing my snail-mail or going through my closets and drawers without my permission. Does a company have the right to "monitor" my email just because it goes through their servers? Depends on what "monitor" means.

I agree with Michael that a company should have the right to monitor what goes through their servers. But with email you have to be careful. Does my landlord have the right to open my mail because it is in "his" house? Does the post office have the right to read my letters? Well, they have the right to scan packages for bombs and anthrax, and I think they can X-ray international packages to make sure drugs (and expensive things not mentioned in the customs form) aren't being smuggled...

Thing is, though, the ISPs in this case aren't just monitoring the information, they're acting on it. That is also relevant to the question. Does a company have the right to act on stock tips that go through their servers? I don't think so.

Say these Japanese ISPs did set up a system where emails were monitored for suicide-related content. If the email is read by some automatic system that then determines "suicide probability: high, call police", this may be all right. That's not too different from Gmail computers reading your email to give you targeted ads. But I bet there would have to be a real person in there somewhere, who would actually READ the stuff to decide if he/she really ought to call the police. In other words, I doubt they'd just take the computer's word for it. And if they do this with people reading emails, then it might be a violation of privacy. Again, if it saves lives, it's probably all right, though.

Still, the article only talks about "posting messages", which are public anyways, so the email discussion is hypothetical. It's still an interesting one, though: WOULD it be all right to alert a human operator when one user's emails seem to contain many suicide-related words? To then allow the human operator to read the emails and to call the police?

Well, just as ISPs may reveal IP addresses when users break the law, in this case the invasion of privacy would probaby be justified if

a) suicide is illegal (which I think it actually is, at least in California, which has led people like Brian Copeland to say "And what is the punishment for committing THAT crime? DEATH?!")

b) preventing suicide is so important as to over-ride privacy concerns, Privacy Policy contracts, and possibly even privacy laws (like the ones about email).

Now, that last one is REAL tricky and goes a little beyond the scope of this blog. Do people have a right to commit suicide? Is it really "saving a life" if the person who owns that life doesn't want it anymore? Of course, as a society we have decided that much inconvenience is more than justified if it keeps a person from committing suicide, but this IS an interesting question. I personally think that euthanasia is ok. And if a suicidal person is PERSUADED not to commit suicide, then his life WAS saved. These questions are not terribly relevant to the privacy issues surrounding the screening of different kinds of online communication for suicide information, but it's tangentially related, in that this screening may or may not be justified.

As far as this blog is concerned, the question is: Am I OK with my ISP possibly revealing that I was the person behind my IP address, just because someone (or some computer) read some posts (or, say, some emails) and decided that, in their opinion, I was probably going to commit suicide? Personally, I'm ok with that - I don't really do anything online where it is important that my real identity NOT be easy to connect to my IP address (well, I do download the occasional illegal song or video, but I'm ok other than that).

Most of this blog is about users being aware of the privacy policy. In this case, though, an ISP may have to violate the Privacy Policy in order to lead police to the address where a suicide-related communication originated. I say it's ok because it's saving a life. The fact that suicide is illegal also helps. But I can see that some people may disagree, and in this case, they may have a point.

Still, this whole thing is just another reminder that, when you're online, you should not do thing you'd be ashamed of later. The internet is almost ALWAS less private than you think... even when you DO read the Privacy Policy...


Anonymous DeoDuce said...

I'm torn on this one because while I want to save lives and help people, I think there is a slippery slope aspect to this issue. On one hand, I think that suicidal people who post suicidal messages on public forums are subconciously/conciously trying to get help and should therefore be helped. Why else tell a bunch of complete strangers that you are going to kill yourself? One the other hand, as you mention, I don't want "big brother" trolling my emails and personal info. Maybe a moderation of those two aspects can be reached, but in the end I just don't trust "big brother" agencies with any power to be going through my private stuff.

9:58 AM  
Blogger Brian said...

I agree with deoduce - this is a slippery slope. Two reasons:

1) If suicide is important enough to override privacy concerns, what about other crimes? Can my ISP monitor my posts (or e-mails) and tell the police if I'm going to rob a bank? Download an illegal MP3? Get out of a parking ticket? Cheat on my spouse? Different people can draw the line in different places, which makes the whole thing stink of subjective enforcement to me.

I say, if the police want to find suicidal internet posters, let the ISP's give them the spider technology to surf the web themselves. If the police find a message I posted saying I'm going to commit a crime (any crime), then they can get a warrant for the ISP to reveal my real name. That seems much more by-the-book to me.

2) Working with ISP's to find people committing crimes is just one small step away from requiring ISPs to find people committing crimes. How long do you think this would last before someone commits suicide after posting about it on some forum, and his/her distraught parents sue the forum owners (or the ISP) for not notifying the police (or not notifying them fast enough)? If they have these spiders running and they don't get to someone in time, is that negligence? Is it legally actionable? Sad truth is, we live in a litigious society. The first time something like this happens, you'll have a lot of forums/ISPs refusing to get involved...

9:12 PM  

Post a Comment

<< Home