[Discuss] Reusing Passwords on Different Sites Should be OK

Matthew Gillen me at mattgillen.net
Sat Sep 19 13:38:29 EDT 2015


On 9/18/2015 12:09 PM, Edward Ned Harvey (blu) wrote:
>> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
>> Behalf Of Chris Markiewicz
>>
>> This is such a bizarre interpretation of "Third-party". A password
>> should be considered a secret between two parties: client and server.
>> But again, conceded that this is a problem.
> 
> I get what you're saying - You're not saying that I'm trying to twist third party doctrine into something it's not. You're saying third party doctrine is itself a bizarre interpretation, that contradicts what a rational person would expect to be held private.
> 
> And you're right. The case example to demonstrate this is Lavabit. He created that whole business for the explicit purpose of providing privacy and security. That's the premise on which he gained all his users, and yet, when the feds came after him, they told him his users had no reasonable expectation of privacy.

As usual when talking about the law I got quickly over my head.  Even
so, this was an interesting article that talks about how there is
growing recognition of the ridiculousness of the third-party doctrine in
modern technology.

http://www.theatlantic.com/technology/archive/2013/12/what-you-need-to-know-about-the-third-party-doctrine/282721/

What was particularly interesting was that the third-party doctrine has
been re-interpreted by the Supreme Court to catch up with technology at
least once before:
In 1928 the court ruled that warrantless wiretapping was ok, since they
didn't have to enter the person's property.  In 1967, the court
re-interpreted the law as protecting people, not places, which all of
a sudden made warrantless wiretaps a 4th amendment violation.

So while it may be true that we're in a strange place right now where
the interpretation of the law hasn't caught up with technology and
culture, I wouldn't count on it being like that forever.

------

Also, just wanted to point out that all this talk of privacy laws is
ONLY applicable to putting limits on what the /state/ can do to access
your data without your permission.  There are basically no laws
protecting you from the businesses you deal with or their employees.  It
is really just professional reputation that motivates these companies to
keep your data private.  To wit:
https://nakedsecurity.sophos.com/2015/03/03/facebook-explains-when-and-why-it-peeps-at-your-account/




