A System For Handling 'Impostor' Complaints 165
When I first heard that Yahoo had been sued because they refused to remove a page created by the ex-boyfriend of a woman named Cecilia Barnes to impersonate her -- portraying her as a slut looking for sex with strangers (who obliged by hounding her office with phone calls and e-mails) -- I thought Yahoo's conduct was indefensible. Even though, as the court ruled, they may have been exempt from liability under the Communication Decency Act of 1996, what possible excuse could Yahoo have had for the way they handled the situation, exposing Barnes to months of harassment, when it would have taken them only seconds to review the page, see that it was obviously causing harm, and remove it?
Then I thought more about the consequences of the rule that I was implicitly advocating by making that argument. Obviously, if an ISP has a policy of removing a user's page if some third party merely complains that the page is impersonating them, then one of your enemies could get your page removed by filing a complaint saying that they were really "you", and that your page was impersonating them. But if the ISP has a policy of not acting on such complaints, then someone could create a user account pretending to be you, and you wouldn't be able to get it removed.
In both cases, there are two problems. One is the fact that the ISP has to have a way to figure out who is telling the truth. The second is that the solution has to scale well, even for a company like Yahoo that probably gets so many complaints about user conduct every day that it would be impossible to read them all. It should be possible for genuine complaints about impostors, to reach the attention of the right people and get an account closed, without accounts being shut down because of (a) people who file complaints about 'rude behavior' that get unintentionally mixed in with 'impostor' complaints by someone who is too overworked to read them all very carefully; or (b) people who file outright false complaints that a given account is an 'impostor', just to get it shut down; or (c) people who are really sneaky, and file complaints about things like rude behavior, but who craft the complaints in a way that is deliberately designed to get them mixed in with the 'impostor' reports, in order to get the account shut down (this way, if the complainer ever sued or otherwise confronted about the complaint that they filed, they can say that they "didn't lie"!).
It's hard to think of a solution that covers all of these bases. For example, John Morris of the Center for Democracy and Technology explained how many ISPs use faxed driver's licenses to decide impersonation complaints:
In many cases involving real people, the challenged site (whether it is a legit site or a bogus site) contains one or more photographs of the person involved. What service providers do in this case is to get the person to submit a copy of their driver's license, and the provider decides whether the person submitting the license is the same person depicted in the photos. And if so, that person is the one who can control whether the site stays up or not. This works in lots of cases (because pictures are often, but certainly not always, involved).
The problem is that even this could be abused when used against a company like Yahoo that handles an extremely high volume of complaints. Suppose that Yahoo publishes a standard procedure for submitting complaints about impersonation, that includes the requirement of a faxed driver's license. Abusers of the system would figure this out, and they could start filing "complaints" against users and websites by faxing in complaint letters along with a copy of their driver's license, where the letters were not complaints about impersonation at all, but just bogus complaints about other things like "This guy was mean to me". Because the driver's license accompanying the letter is real and the statements in the letter are true (or at least a matter of opinion), the complainer can't be accused of lying or forging government documents. And if anyone ever challenged them and asked, "Why did you send your driver's license with the complaint letter? Weren't you trying to trick the ISP into thinking that this was an impersonation complaint so they would take it seriously?", the complainer could play dumb and say, "Well, I heard that if you file a complaint against someone, you're supposed to fax your driver's license with it." But if Yahoo is still getting too many messages to sort through them carefully, some of these crank complaints could still get users' accounts shut down.
So now you have an interesting, non-trivial problem. Before reading further, it's worth thinking about how you would solve this. What's a good policy that would honor legitimate complaints, without giving cranks a way to get their enemies' pages shut down for no reason, and that would scale well for large companies like Yahoo? There are really two questions here: (1) What would you do if you were drafting an ISP policy and trying to balance the interests of all parties? and (2) What would you do if you were drafting a law requiring ISPs to implement certain policies, also while balancing the interests of all parties? (The best solution may be no law at all, but I think you would have to argue that position, rather than taking the default libertarian stance and simply assuming that. After all, the "no law" status quo didn't do much good for people like Cecilia Barnes who had a legitimate grievance and couldn't get anybody to listen.)
The non-verifiability of complaints is the same problem that I've posed to hard-core anti-spam advocates who have said that ISPs should have a zero-tolerance policy towards spam and cancel any account that is generating spam complaints. The problem with that is that unless the ISP has logs of all mail sent out by a customer (and if the customer is leasing a dedicated server, this would usually not be the case), the ISP can't tell for sure if a spam complaint is real or not. If they adopt a policy of removing a site in response to a complaint (or three or ten complaints), then someone could easily get one of their enemies' sites shut down by filing phony spam complaints sent from multiple Hotmail or Gmail accounts. (You would have to forge some e-mail headers to make it look convincingly like the spam came from the site in question, but this is not very difficult.) If the hosting company has a policy of kicking customers off in response to some threshold number of spam complaints, then a dedicated adversary could just file that many complaints until the customer was terminated. On the other hand, if the hosting company won't kick off customers for any number of spam complaints, then they have no deterrent against their customers spamming. (This is mostly an academic question, because I tried filing complaints against all the dozens of spammers who spammed me in a given one-day period a few years ago, and none of the hosting companies terminated any of the sites I complained about. I wouldn't have expected any of them to terminate a customer based on one complaint, but I assume that some of the hosting companies were getting spam complaints about those customers from other people as well.)
The big difference between spam incidents and impersonation incidents, is that while there may be no reliable record of whether a piece of mail was sent in the past or not, the fact of whether the Yahoo user "bennetthaselton" really is Bennett Haselton is something that can be determined with evidence that still exists in the present day. Some kinds of evidence are more readily available than others. If I were drafting an internal policy for an ISP on when to remove pages in response to an impersonation complaint, I would take care of the low-hanging-fruit cases first:
-
If the page directs people to contact the page owner at an e-mail address or phone number (as the page created by Barnes' ex-boyfriend did), and you e-mail the address or call the number and someone answers by saying, "No, I didn't create that page, it's a fake", then you don't need to do any checking of the real-world identities of the parties involved -- all you need to know is that the page purports to be created by the owner of that phone number, but it isn't, so it's a fake and should be removed. This would take care of the most vicious cases of goading visitors into harassing someone directly.
(Although I'd make clear in the policy that this wouldn't apply to consumer pages about companies, telling visitors to call such-and-such a company to complain about their conduct. Encouraging people to air their grievances is legitimate as long as the page owner isn't claiming to actually represent the company. I'm ducking the question of whether this should apply to pages about individuals -- if I make a page saying, "My ex is a skank, call her at this number for a 'good time'," am I infringing on her rights? But since I'm not claiming to be her, the situation wouldn't be covered by a policy about impersonation pages.)
-
If the page is created by a paid user, then you can check if the real name on file with their credit card information, matches the name on the site. If it doesn't, that doesn't necessarily mean the page is a fake (possibly one person paid for the account while another one created the content), but if it does match, the page owner is probably not guilty of impersonating anyone. (Here I'm ducking the question of what to do if someone shares their name with a celebrity -- for example, if your name really is Julia Roberts and you create a page saying "Hi, I'm Julia Roberts", that's probably not enough to count as impersonation. But what if you talk about your interest in film and your exploits as an actress in local community theater, how much are you allowed to let people think that you might be "the Julia Roberts?)
-
If the page violates the hosting company's Terms of Service in other ways, then it can be removed without determining whether the page owner is guilty of impersonation or not. The Yahoo Terms of Service doesn't actually mention sexual content (they used to allow users to post "adult profiles" in their Yahoo Profiles accounts as long as the profile owner flagged them as such), but the document prohibits content that is "vulgar" or "...otherwise objectionable". I haven't seen the page created by Barnes's ex-boyfriend soliciting strangers for sex, but it probably violated the Terms of Service in itself.
And there may be other low-hanging-fruit options that I'm not thinking of. But what if there is no easy call, because none of these simplifying factors apply? A user creates a profile on a free site claiming to be Mr. X. A third party complains that they are the real Mr. X and that the profile is fake. What should the ISP do, if they don't want to spend money verifying the real-world identities of the parties involved, every time they get a crank complaint about any users on their system?
This is essentially an economics problem. Cecilia Barnes wasn't asking Yahoo to do anything that would have been too burdensome for them -- the "labor" required to look at a faxed copy of her driver's license probably wouldn't have cost more than $5, at which point Yahoo could have initiated the process of shutting the page down, which they already have built-in procedures for. The benefit to her of getting the page shut down could have been valued in the hundreds or thousands of dollars. Normally, when you need someone else to do something that costs them $5 worth of effort and brings you $1,000 worth of benefit, the natural arrangement is to pay them, but Yahoo doesn't offer this as an option.
In fact, I assume the real cost to Yahoo here would not have been actually reviewing Barnes's complaint, but actually finding it buried among all the bogus complaints that they receive, and noticing that it had real merit. Again, including a $5 payment would be one way to ensure that your complaint gets taken more seriously than all the others. But while the $5 fee might have helped in this specific situation, it's easy to imagine how that could set a bad precedent -- ISPs charging exhorbitant fees for users to submit abuse complaints to them, or users not filing complaints because they didn't want to share their payment information or pay money at all.
So, rather than paying a small fee directly, a better approach might be to require complainants to post some sort of "bond" -- which may not be something financial, as some examples will show -- in order to get their complaint to the front of the queue. Recall the example of submitting your driver's license along with an impersonation complaint. It's important to understand the subtle reason why this procedure actually works. It's not because someone couldn't still file a bogus complaint with a phony ID. (While it's somewhat hard to create a fake driver's license that you can hold in your hand, creating a fake faxed driver's license would be easy.) It's because if the complainant is lying, now they can be prosecuting for forging government documents. Essentially the complainant is posting their freedom as a "bond", going out on a limb and saying: "I can't prove to you that I'm telling the truth. But now you know that if I'm lying, I'll go to jail. Bet you the other guy won't be willing to make a binding promise like that."
So naturally I'd put that in the ISP's policy as well: If someone sends in a complaint about our user impersonating them, and they're willing to fax in a copy of their government ID proving that they are who they say they are, and we can verify that the page owner is claiming to actually be that person (and not merely complaining about that person or their business), then we would remove the page unless the account owner can submit even more compelling evidence that they are who they say they are.
This addresses the problem of the impersonation complaints that are completely fake. However, you still have the problem of what to do about people who fax in their driver's license along with letters saying "This guy is a jerk", hoping to get someone's account closed down. If a company like Yahoo is too big to read through all the complaints carefully, then it becomes hard to sort through the complaints to see which ones are really about impersonation and which ones are about other behavior that doesn't violate their TOS.
What might be a solution would be to borrow some of the non-terrible aspects of the Digital Millenium Copyright Act. The two most controversial provision of the DMCA are (1) a ban on software that enables the user to circumvent copyright restrictions, and (2) a requirement that ISPs have to respond to copyright-violation "takedown" notices in a certain manner. As I've said before about the DMCA, I'm opposed to #1 in principle because I think software should be protected by the First Amendment; I'm not against #2 in principle, but just concerned about how it could be abused in practice.
But one thing the DMCA does is solve the "sorting problem" -- how to get complaints about copyright violations to the top of the pile. Service provides often have a procedure for handling DMCA complaints that is separate from the regular complaint channels. The DMCA also provides protection for users against phony complaints, by stipulating that anyone who files a false complaint can be sued for statutory damages and attorney's fees, as in a case where Diebold, Inc. agreed to pay $125,000 as a penalty for sending false "takedown" notices. In other words, the DMCA solves the "bonding" problem too -- by sending a DMCA complaint, a user is effectively saying, "I agree to pay big money if I'm lying. So, I'm probably telling the truth."
So, a law addressing how ISPs should handle "impersonation" pages, modeled after the DMCA to solve the "top of the pile" problem and the "binding promise" problem, might go something like this:
- For a user to file a complaint, the complaint should cite the name of the anti-impersonation law, as in, "This complaint is being filed under the Anti-Impersonation Act of 2009". This gives ISPs an easy way to sort these complaints to the top of the pile, the same way that they have specialized channels for handling DMCA complaints.
- In the complaint, the user has to assert unambiguously that the page they are complaining about is impersonating them, and is not merely posting gripes about them or their business.
- The complaint should include a copy of a government-issued ID. (Again, this is not because this is hard to forge, but because now the complainant is promising, "If this is fake, I'll go to jail.")
- If the impersonation page is directing visitors to call a phone number or e-mail an e-mail address, and the takedown notification to the ISP includes a request to call that number or e-mail that address to verify that it doesn't actually belong to the page owner, then the ISP should follow up on that within a given time period of receiving the complaint. (And once they call that number or e-mail that address and get a response saying, "No, that page is definitely not mine", then the ISP should shut the page down.)
- Anyone who files a phony complaint citing that statute, can be held liable for statutory damages and attorney's fees, and if they faxed a phony government ID, then they can be prosecuted for that as well.
The problem-solver in me says that this is one way to ensure that legitimate complaints will be acted on, while making phony complaints much harder and riskier. It also seems to me that this is a minimal solution, in the sense that if you remove any part of it, it no longer solves the problem. For example, if you remove the part about complaints having to cite the anti-impersonation law, then you no longer have an effective means for these complaints to get to the top of the pile. And if you remove the part about civil penalties for filing phony complaints, then you no longer have any disincentive for people to tie up the system with crank complaints trying to get their enemies' accounts cancelled. Perhaps others can come up with an alternative solution that meets the logical requirements of enabling real complaints while discouraging fake ones. Meanwhile, the civil libertarian in me doesn't get a queasy feeling from it right away. It seems that it could only be used to stop cases of actual impersonation, and even as a free speech advocate I don't think that you have the moral right to impersonate someone else in a non-satirical manner for the purpose of actually deceiving or harassing people.
But even the absence of such a law is hardly an excuse for what Yahoo did. All they had to do is go to the page, look at the phone number, call the number and hear her say, "Yes, this is me and no that's not my page", and shut it down. The fact that they couldn't do this, shows a contempt for the process of handling legitimate complaints. Apart from the harm caused to Cecilia Barnes directly, incidents such as these might lead to Congress narrowing the scope of the immunity given to providers for hosting content posted by their users. Of course I'm technically suggesting a law that would narrow the scope of that immunity too, but only in a very narrowly prescribed way. If, on the other hand, Congress or the courts ever adopt the vague principle that providers can be held "jointly responsible" for whatever their users say once they've been "made aware" of it, it's going to get a lot harder for people to find Web hosting who have anything controversial to say.
Who's the Real Victim Here? (Score:4, Funny)
A woman sued Yahoo because they wouldn't remove a page created by her ex-boyfriend pretending to be her and soliciting strangers for sex.
And as someone who responded to said page with a naked picture of myself (SOP) [slashdot.org], I'm suing Yahoo for having never received my sex! I tendered naked pictures of myself and now expect advertised sexual activities to occur upon my person--caveat emptor, indeed!
So, Mr. Haselton, how does your proposed solution protect me, the man-boobed basement dweller suffering from acute sexual frustration?
Re:Who's the Real Victim Here? (Score:4, Funny)
I think you are using the wrong word.
Don't you mean vermin and not victim?
Re: (Score:2)
Given your self-description, are you certain the diagnosis is acute and not chronic?
Re: (Score:2)
I am, for having subjected myself to the entirety of that summary.
tl;sr
Question . . . (Score:2, Insightful)
I would think that even if there was the possibility that a page was not right, that either someone could comment on it or it just be taken down.
Re: (Score:3, Interesting)
Wouldn't it be better just to take the page down and worry about hurt feelings later? I would think that even if there was the possibility that a page was not right, that either someone could comment on it or it just be taken down.
Scenario: You and I have had words on message boards before. Not friendly words. I have nothing better to do than troll your pages looking for your pages and marking all of them as offensive and hounding Yahoo! to take them down. I can make a ton of different users and gang-warn your pages into oblivion and harass you until you give up or Yahoo decides we're too big of a problem to deal with.
Granted it's much more feasible than Haselton's idea to attempt contact with thousands of users over potentia
Re: (Score:2)
Re:Question . . . (Score:4, Informative)
Wouldn't it be better just to take the page down and worry about hurt feelings later? I would think that even if there was the possibility that a page was not right, that either someone could comment on it or it just be taken down.
Because if it were their policy to just remove pages and worry about hurt feelings later (or not at all), and it became widely known that this was their policy, they would get about a hundred thousand demands for pages to be removed every day.
Even if only one tenth of one percent of internet readers are jerks who would abuse the system by spamming out phony requests to delete pages from people they don't like, there are a lot of jerks out there who take offense to pages that they disagree with.
Re:Question . . . (Score:5, Insightful)
By doing that Yahoo would be accepting some liability for the content of the page, and would open themselves up to being sued if the complaint turned out to be bogus.
The obvious thing to do is let a court sort it out. That is, after all, what they are for. Just because it's on the internet doesn't change anything, it's a simple case of libel.
Re:Question . . . (Score:5, Funny)
Good answer. Quick one, too. But you should rewrite it, reiterating your basic insight in a few meanderingly different ways, clearly in love with your own inflated prose, so that it will match the article.
Yahoo sucks. (Score:5, Funny)
It's not that they can't handle a high volume of complaints. It's that they can't handle ANYTHING.
Have you ever tried to reach a human being through yahoo? Good luck.
Re:Yahoo sucks. (Score:4, Interesting)
True. I have a Yahoo account, $20 a year. I've had a few issues over the years and sent queries in. All I get back are cut and paste from FAQs that I've already read. I've pointed out they didn't answer my question, asked again. A week later, another copy of the same fucking FAQ. And recently I've tried to contact them about a problem with a Yahoo Auction posting, two weeks later not a response at all. And looking at their web pages, no direct email contact, and no phone or snail mail address. Seems you have to get some firearms and take people hostage before you can get a response that isn't a copy of a FAQ..
Re:Yahoo sucks. (Score:5, Funny)
Don't worry, once you take hostages, it won't be Yahoo responding, it'll be SWAT. :) But when your demands list are solely "I want a human to respond to me from Yahoo", you'll have to deal with the hostages for two weeks, to finally receive a faxed copy of the FAQ.
Trust me, it's one thing to live with an extended family. It's another to have 20 strangers whining about how they want to go home, or they don't like sleeping on the hard floor, or they want more than the bread and water that you're providing, or they need their medication so they don't die. Whine, whine, whine, that's all hostages ever do. And if shoot one as encouragement for the rest to behave, they all just start crying and whining even more. God forbid you release one as a good faith offer. They'll all want to be that one person, and the other 19 that you still have will whine even more about how they should have been the one released. "I have children", "I have a heart condition", "I need my insulin". It's a lose lose situation. 5 minutes after you start, you'll wish you hadn't. By the two weeks it takes to send the fax, you'll have killed half the hostages because they were driving you nuts, and wanted to shoot yourself but realized you already ran out of bullets. Don't worry though, just run out of the building with your empty guns drawn screaming "I'll kill you all", and SWAT will put you out of your misery. Hopefully the shoot to kill. If you're just wounded, now you'll be in pain for a long time, and prison for the rest of your life. Maybe the courts will take some sympathy on you, when they try to get a response from Yahoo regarding the incident and just get faxed back:
Yahoo Legal FAQ
#666
Q: Where should legal subpoenas for Yahoo be sent?
A: All subpoenas from the courts should be faxed to us at (555) 382-5968
And the courts will realize, that's where they sent the request to.
Re: (Score:3, Interesting)
True. I have a Yahoo account, $20 a year. I've had a few issues over the years and sent queries in. All I get back are cut and paste from FAQs that I've already read. I've pointed out they didn't answer my question, asked again. A week later, another copy of the same fucking FAQ.
You're lucky you don't have to deal with them over something serious. I have a string of e-mails archived somewhere of me corresponding with HMRC (the UK equivalent of the IRS) over how the tax system works; general enquiries about
Re: (Score:2)
At least they took your money. I decided to upgrade my Yahoo Mail to Yahoo Mail Plus and had a problem on their order form. Repeated attempts to contact them resulted in no progress so I decided to stick with the free Yahoo Mail. Upon reflection, though, I think you're worse off.... At least my problem occurred *BEFORE* Yahoo got my money.
As a followup, the feature I wanted to upgrade to Yahoo Mail Plus for appears on GMail not too much later as a free feature. So I wound up not needing to pay Yahoo for
The story implicitly forgives them (Score:3, Insightful)
If your business model is based on your customer being unable to actually reach a real live human being, your company either should be set up to avoid complaints whenever possible, or your company is going to get a (probably well-deserved) reputation for crap customer se
Re: (Score:2)
What's interesting to note is that most of the steps outlined in the article for submitting a complaint could be automated on a form, so you don't actually need to reach a live human being.
Take this, troll. (Score:5, Funny)
It's not that they can't handle a high volume of complaints. It's that they can't handle ANYTHING.
Have you ever tried to reach a human being through yahoo? Good luck.
Yes, and here are ten facts you must know
1. You are reading my comment
2. Now you are saying/thinking that's a stupid fact.
4. You didn't notice that I skipped 3.
5. You're checking it now.
6. You're smiling.
7. You're still reading my comment.
8. You know all you have read is true.
10. You didn't notice that i skipped 9.
11. You're checking it now.
12. You didn't notice there are only 10 facts
Beat that.
Re: (Score:2)
Bennett, TL;DR.
On the high volume as mentioned by the parent, it's that they can't handle it profitably. If you set up a site designed to make money from user-generated content, be prepared to support it professionally, or don't bother.
One would think (Score:2)
Re: (Score:3, Interesting)
That makes me wonder. Can't she sue him for identity theft?
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
I agree there's a problem on Yahoo's side here, but I'm not sure of the best solution. That being said, if she had the right resources (money, a good lawyer who didn't need a deep-pockets defendant to take the case), she could have laid the smack-down on her ex, who--if he knew what was good for him--would have taken down the post immediately. In the end, she can probably take him for everything he's got, but because that probably isn't much, her
Suing the wrong person (Score:5, Insightful)
Re:Suing the wrong person (Score:5, Insightful)
Re:Suing the wrong person (Score:4, Interesting)
s/fewer lawyers/less money/g
And the answer is revealed...
Re: (Score:3, Interesting)
This is often why companies settle for undisclosed amounts - there's no fault assigned, it av
Re:Suing the wrong person (Score:4, Insightful)
Yahoo has the money. I'm not saying this particular person decided to sue because of the money, but you can damn well bet the lawyers who got involved told her she could get a big payout from Yahoo - millions of dollars. The obvious incentive for the attorneys is to take a 50% (or whatever it is) cut of whatever she gets.
Re: (Score:3, Insightful)
Suing the ex would get the court's attention enough that they could make a legal ruling, issue a restraining order/C&D, as well as direct Yahoo to remove the page. He, however, is a low-life with nothing to take in a settlement. Yahoo has the money. I'm not saying this particular person decided to sue because of the money, but you can damn well bet the lawyers who got involved told her she could get a big payout from Yahoo - millions of dollars. The obvious incentive for the attorneys is to take a 50% (or whatever it is) cut of whatever she gets.
While YAHOO did not have to remove it per the CDA; they apparently promised to remove it and then didn't resulting in a possible breach of contract and hence the suit. If YAHOO indeed said they'd pull it and then didn't I would not find it unreasonable for them to assume some liability over results of leaving it up longer.
As a side note, she should have gone after the ex as well; IMHO. Not for cash, but to get a court to order him not post the material again and take existing copies down. That way she'd
DMCA (Score:2)
Yep, going after the ex was the right way. However, if she just wanted the page down fast, she could simply send a nice DMCA take-down notice claiming copyright to all material related to whatever her name is. It works beautifully for corporate lying bastards, why not her?
Re: (Score:2)
Yep, going after the ex was the right way. However, if she just wanted the page down fast, she could simply send a nice DMCA take-down notice claiming copyright to all material related to whatever her name is. It works beautifully for corporate lying bastards, why not her?
She would be in deeply illegal territory then, because the material on that page is actually _not_ copyrighted by her. The copyright holder is the bastard who put the stuff there.
Re: (Score:3, Insightful)
Actually, if they are pictures of her person legal use requires the permission of both the copyright holder (i.e. the person who took the photograph or the person they sold the copyright to photo to) and the model in the photograph.
This is why candid-camera TV shows and the like must blur the faces of anybody who doesn't sign a consent form. They can still distribute their film/photos, but they can't legally show a person who hasn't given them consent.
Note that there may be fair use situations that would a
Re: (Score:2)
If Yahoo removed it, in theory he could post several more the next day under new accounts, and the problem only gets worse.
I'm not sure how the Yahoo posting works in this specific case, but if she can show somehow that it was his Yahoo account that posted it, she should be able to get the police to lock him up. There have been articles about people being arrested for posting photos/videos/private info of an ex without permission (it is against the law, after all). If he posted her photo, number, or address
Re: (Score:2)
Certainly if they're in a different country that makes things a lot more complicated, but I think in the majority of cases like this it's going to be someone in the same country (and frequently even the same town). If they are in another country though, I'd still contend that Yahoo it's not the guilty party. Get the service provider working with you,
Re: (Score:2)
Re: (Score:2)
But not as a defendant. Take a page from the RIAA playbook: Sue the creator of the page as a "John Doe", and subpoena Yahoo for the actual owner.
Re: (Score:2)
Civil suits (aka lawsuits) have a much lower burden of proof than criminal cases. You only have to show that it was more likely than not the person you claim it is - i.e. there are not alternatives more substantial than a "yeah, but what if ". If the only one who had motive for the action was the defendant, and the action wasn't for some reason impossible for him, he'll probably lose the case.
Now, even criminal cases don't require "proof" in the sense that you are 100% positive the defendant is guilty. I
Too many words in the story (Score:5, Funny)
I can't read all that. Can you summarize it in a few sentences, preferably using a car analogy?
Re:Too many words in the story (Score:4, Funny)
I can't read all that. Can you summarize it in a few sentences, preferably using a car analogy?
So your car has a really bad super-ex-carfriend. And this ex-carfriend has not been leaving your car alone. Like your car always sees this ex-cf on the road when you're on the highway. Well, one day your car starts getting all these service calls from like multiple different auto-repair shops all asking if they could stick their dipsticks in her oil reserve. Well, when your car goes online, she finds a false picture of her [autotrader.co.uk] and her phone number and name and address and all that on her. When she calls cars.com, they say her ex-cf made it and instead she sues cars.com ... you know how cars get.
So how'd I do?
Re: (Score:2)
Is your place of employment hiring?
Re: (Score:3, Insightful)
If your ex wrecks your car into a tree using an old copy of your key, and then sicks the cops on you claiming DUI via the tree's owner, you can sue the cops for not figuring out that you didn't do it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Notary Public (Score:5, Interesting)
Is it possible to forge such a certification? Of course. Just like it's possible to forge any document. Would I blame an ISP that had a notarized attestation and supporting evidence? Nope. Why the convoluted logic for a relatively simple problem?
Re: (Score:2)
Exactly. The issue isn't that the problem is hard to solve, it's that the relevant parties don't want to bother solving it.
The basic idea behind DMCA takedown notices could work (though you'd have to solve the problems that currently has). A statement under penalty of perjury that the page is impersonating would be sufficient to take it down, and a statement by the poster that it wasn't would restore it, and then the courts could sort it out. At a start, though, you would have to find a way to have penal
Re: (Score:3, Insightful)
Except this isn't about establishing identity. There are plenty of ways to establish identity, like (as suggested in TFA) faxing a drivers licence copy (or other government-issued ID), which has the advantage of being much cheaper than getting a document notarised (which, at least where I'm from, can cost non-trivial s
Speaking as a Notary Public (Score:3, Interesting)
I am a Notary Public here in SC, and at least in SC what you stated is correct. All a Notary does is verify someone's identity and witness statements made by the individual, either clearly written or implied. (e.g. when selling a vehicle, you are implying that you are the individual named on the title as the owner and not someone else who happens to have the same name. A notary will check the name on the ID against the name on the title and then ask the "seller" to verify that he or she is the same person.)
Re: (Score:3, Informative)
It's interesting this topic should come up this afternoont -- and annoying that you hit the solution I could not find.
I just this morning wrote a piece for RISKS about SSNs and why they make bad authenticators, and why that leads directly to identify theft.
The hole was "how do you authenticate yourself to vendors as the person a credit record belongs to if *not* by either an SSN or a "real" National ID Card #... and some system involving notaries is probably it.
Maybe PKI and short hex signatures...
but the n
Re: (Score:2)
PGP + Notary Public (Score:2)
Thats probably a better solution.
The problem with PGP as-is, is that there is no designated central party you can trust. Sure, theoretically I could create a web of trust with the CEO of yahoo, with less than N degrees of separations, but the link trust is going to be very weak... Trusted party such as a Notary Public solve this issue
Pay the fee to the Notary public once to verify your ID and sign your PGP key. Then send PGP signed request to Yahoo. Yahoo and others can automate that part.
Yahoo and other co
Also, imposters who aren't (Score:2)
If you hit Google, for instance, you'll find at least 3 Todd Knarrs out there. What's an ISP to do when they receive a complaint from one of them claiming that another's using his name? And I'd add that Google isn't complete, I know of at least a 4th Todd Knarr who doesn't show up. Names aren't unique identifiers.
I sum it up as "One in a million? That means there's 250 like me in the US alone.".
Re: (Score:2)
Getting back to the case that started this, the ex-boyfriend posted name and address.
I know you're going in the broader sense, but while a name alone isn't a unique identifier, it can be combined with other things to create one... address, phone numbers, or photographs as examples.
1100 students is small? (Score:2)
Re: (Score:3, Funny)
Solution is to sue the individual (Score:5, Informative)
If this guy were printing out leaflets and handing them out in a parking lot, would she sue the owner of the parking lot? The maker of the guy's printer? Maybe the car manufacturer of the vehicle he drove there in?
No. She'd sue HIM.
He is the one that needs to take it down using his account. If he's doing something illegal, that's for the courts to decide. If he's doing so anonymously, that's still for the courts to decide, before forcing Yahoo to hand over information.
The only problem with this is how poorly the courts have scaled. But that's still where the responsibility lies. People just go after Yahoo because they're easy target. It's often cheaper for them to comply than to send a lawyer to defend against a lawsuit.
Re: (Score:2)
If the owner of the lot has been notified and doesn't take reasonable steps to remove the leafleteer[1] then I don't see why not. [1] it is now.
Re: (Score:2)
I'm not sure if that's true. Most places don't allow leafleting, making it a moot point. If you notify them that someone is leafleting, they'll ask them to leave, and then follow up with the police if the person refuses. But the reason they do this is because it trashes up their parking lot and annoys their customers.
Can you really sue a grocery store for NOT removing a leafleter and his leaflets? Specifically based on the truthfulness of the content of those leaflets? I would be very surprised if anyo
Re: (Score:2)
Can you really sue a grocery store for NOT removing a leafleter and his leaflets? Specifically based on the truthfulness of the content of those leaflets?
Obviously, IANAL. But why not? They're providing a place for him to distribute libel. I mean, if you allow someone you know to be drunk to get in your car and drive it and they hit a pole, you're liable. Why shouldn't the grocery store be partially liable for the distribution of libels?
Re: (Score:2)
Heh, yeah, IANAL either so this is all guesswork anyway. But saying he's "providing a place for him to distribute libel" is like suing the government because someone was shot in a public park. The government "provided a place for a guy to shoot someone". Quick, charge the government with murder!
I think there's an extent where it becomes gross negligence if the provider of the public space is knowingly allowing or encouraging the activity, but I'm not sure how far it has to go to cross that line.
Craigslis
Re: (Score:3, Informative)
You're absolutely correct. You'll note that the courts basically agreed with you, with one caveat. The ruling suggested that she could potentially bring a new suit, on the basis that Yahoo specifically agreed to take down the page and then failed to do so. They didn't have any such obligation until they made that agreement. This actually seems entirely reasonable to me.
Re: (Score:2)
If this guy were printing out leaflets and handing them out in a parking lot, would she sue the owner of the parking lot? The maker of the guy's printer?
No, but how about if he got those leaflets printed by the local Kinko's? If the leaflets said, "My name is Karen Smith and I'm a dirty slut and will bang you if you call me at [work number]" and the fellow asking the clerk to run off 1000 of them for him is clearly not Karen Smith by any stretch of the imagination, and the clerk runs them off anyway, I'd say that Karen's got a pretty good case against Kinko's for negligence at the very least.
Re: (Score:2)
Do you think that Kinko's reads and validates the information contained on/in every item they print? Would it be remotely reasonable to expect this?
What if a kid comes in and prints a poster that says the field mouse is an endangered species. Can I sue Kinko's for letting that kid print false information on a poster which he then used to mislead his kindergarten class? Does Kinko's have to proofread and fact-check every piece of paper that comes out of their printers?
It would certainly be nice of Kinko's
Re: (Score:2)
Do you think that Kinko's reads and validates the information contained on/in every item they print?
Yes. They absolutely do. They do primarily because they're looking for copyrighted materials, which they refuse to copy. But even so, they have eyes. They have to at least glance at the thing they're copying at the very least to make sure they stick it in the machine the right side up. If I were a clerk, I'd at least give the guy a sideways glance and ask for the story. To suggest that the clerk would take the flyer in this circumstance, look at it, look back at the pervy looking customer and say, "Okie dok
Re: (Score:2)
Sure there is: You can ask. If the guy lies to you, then you're off the hook, because you've exercised due diligence (the bar here is not very high).
Re: (Score:2)
Hey, maybe "Karl" likes to dress up as a "Karen" on the weekend.
As I said in another reply, if the clerk asks and that's the answer, then yes, the clerk will probably comply. But by asking for the explanation, the clerk is no longer negligent.
Re: (Score:2)
I see your point and your logic is sound. However, remember that there may be no evidence that it is her ex-boyfriend who is the one doing this, thus no one to sue.
To use your analogy, it would be as if you hired a guy to hand out leaflets on your behalf, Bobb Sledd. Then I come along and say, "hey! stop that! I'm Bobb Sledd!" and the guy goes, no you're not! Bobb Sledd HIRED me!!! And he doesn't stop.
So I go to the parking lot owner, driver's license in hand, saying "Kick this guy off your property,
Re: (Score:2)
I mentioned John Doe lawsuits in another thread, but in your particular scenario here is what I imagine is the correct/ideal way for it to be handled:
-You call the police
-Police arrive and make a judgement call on whether you or the leafleter is more likely correct. In this case you are Bobb Sledd and have a driver's license saying so.
-The police arrest/detain the leafleter and get more information out of him for your upcoming lawsuit (the leafleter's ID, and any information they can about his employer)
-Yo
Re: (Score:2)
But there's a further problem with the analogy: If you are doing this in my town, I can call the local police and they have jurisdiction to stop that.
But call the police in your town to stop Yahoo? What 'police' DO you call?
Re: (Score:2)
I'm not being argumentative, just curious, how do you sue the guy if you don't know for sure that it's him?
Re: (Score:2)
I believe in this case you file a John Doe lawsuit against the individual, to find this "John Doe" guilty of defamation (or whatever), at which point you have grounds to obtain John Doe's real identity from Yahoo for enforcement of the court's ruling.
(IANAL though =D)
tl;dr (Score:2, Offtopic)
Re: (Score:2)
Sorry, your comment was too long. I didn't read it. Perhaps you could summarise it in a single letter, rather than two of them?
Hmmm...even with cases like the phone #.... (Score:5, Informative)
The problem is that systems like a phone number can still be subverted by the phony person.
Say I know the phone number that Yahoo will call me from, or heck, even the first 6 digits(area + 3).
I post a VOIP number that redirects all numbers BUT that of Yahoo to the person I'm annoying.
When Yahoo calls, I pretend to be that person and play it off like it's legit.
Yahoo thinks I'm really the person answering of all the calls. The person I'm attacking still receives 99.999% of the phone calls. The person can, at best, call in and say "Wait, that # is not mine but it's calling me!!!" but whenever yahoo calls, you confirm, that it is indeed the person under attack's #.
Unless Yahoo can disguise THEMSELVES to not be distinguishable from any other caller.
Re: (Score:3, Insightful)
Hey Joe, that moron is giving out conflicting info regarding the phone number listed on that page, and the voice sounds different when we call versus when we get a call. Check it out, will you?
K. Beep-boop-beep.
OMFG STOP CALLING ME.
Wait, I'm from Yahoo!. I called from my cellphone, and I get routed to you. When I call from the office phone, I get routed to the other person. HMMMM.
HMMM.
Re:Hmmm...even with cases like the phone #.... (Score:4, Insightful)
I foresee Joe getting something like this in the future:
TO: JOE
FROM: YAHOO HR
RE: Use of personal device for Yahoo business
Joe,
It has come to our attention that you have used your personal cellphone for Yahoo business. At this time, in Employee conduct and code booklet, section 5.a.1-No employee of Yahoo may use a personal communication device and conduct business on the behalf of Yahoo. All communication and conduct must be done on Yahoo approved devices.
Need we remind you that all communication on the behalf of Yahoo needs to occur with either prior legal approval for non-approved devices or only on preapproved devices.
You are docked 1(one) day personal leave and will need to attend a employee conduct class to continue to receive full benefits.
Thank you,
Yahoo HR
As you can see, Yahoo, not Joe, must disguise themselves. If that means buying up a temporary phone # that get's thrown away after every call, so be it. A business asking it's employees to use personal cellphones for company business just sounds like a bad idea, when you're the size of Yahoo anyways.
Re: (Score:2)
Oh, and requiring a faxed driver's license accomplishes nothing. Every time I post random sex ads giving out my ex's phone number, I use pictures of women much hotter than her! (Disclaimer: I've actuall
Re: (Score:2)
I think when they find out it was you who posted her # in the first place, it won't matter the means in which she got dialed.
I believe there's also a way to spoof the CID on demand(I know my voip provider allows such things...) making it a tad more difficult to block the #.
Honestly, I can't imagine anyone going to this amount of trouble unless they've really got it in for a person.
Re: (Score:2)
Re: (Score:2)
Unless Yahoo can disguise THEMSELVES to not be distinguishable from any other caller.
You can pretend to be yahoo - anybody can spoof callerId.
Standardize the form and involve real people (Score:4, Insightful)
Ultimately, there is no substitute for having an actual human being review the complaints and make a judgment call on whether they are actionable.
The federally-imposed system for uniform handling of credit card and charge card complaints might be an ideal model to use. It requires the customer to choose one of about a dozen specific complaints, supply supporting information and evidence depending on the nature of the complaint, and submit a signed statement. If the form is filled out properly and the story is plausible, the bank issues a chargeback and it is then up to the merchant to fight it if they wish. While the system has flaws affecting both sides, it works reasonably well and costs are minimal.
The structure of the safe-harbor provisions in the DMCA is similar but simplified.
Pushing individual cases out to the courts doesn't work because the anonymity of the person posting the libelous content is not known and often can't be determined with certainty.
Yahoo, like eBay, is trying to claim that customer service is too expensive to fit their business model. So abuses flourish because of their arrogance. Some sort of judicial or legislative backlash is inevitable if this continues. Even Wikipedia will take down clearly libelous material if you ask.
legal identity proof (Score:3, Interesting)
why not just have a system where yahoo(or any other site for that matter) would charge $10-20 for the complaint and refund the money if the complaint was found valid
the validity could be established by asking for a scanned copy of the driving licence, passport,etc
this would prevent spamming
if her photos or personal information uniquely identifying her is published, then, it would not be too difficult for her to give an id proof conclusively linking her to the article
somewhat similar to the policy my college has about exam result reevaluation
if you think that you have got less marks than you deserve, then you pay them Rs 500, if there is any correction found, your money is refunded
this is to prevent everyone from asking for reevaluations
Simple Solution (Score:2)
The woman sues her ex-boyfriend for harassment and possibly identity theft (claiming to be her while setting up the account). Part of the settlement is a requirement that he take the page down.
Yahoo shouldn't be held responsible for other people's bad behavior as long as they take reasonable steps to prevent their site from becoming a nuisance (allowing anonymous accounts, etc.).
Caveat Lector (Score:2)
Issue a DMCA takedown notice (Score:3, Informative)
Yahoo removed a few pages (Score:4, Interesting)
that someone had created to defame me. They had used my real name, and real phone number, and I was able to get them removed with just an email from my paid ISP SBC/AT&T Yahoo account. I guess they could check my billing information to see that it was me.
Sad part is that the web pages had been going for a few years before I noticed them. Even indexed in Google. Eventually someone tipped me off about them. It may have cost me a few jobs and disqualified me for being hired for a few jobs.
There ought to be some Internet service that searches for your real name in search engines and is able to tell if the pages are fake or not. Some sort of identity theft service. I think such a service exists, but I don't know how to find them.
Re: (Score:3, Funny)
There ought to be some Internet service that searches for your real name in search engines and is able to tell if the pages are fake or not. Some sort of identity theft service. I think such a service exists, but I don't know how to find them.
If there is one, I haven't found it. :(
-Ryan Goatse
These are fundamental problems that when solved... (Score:5, Interesting)
This question is asking the fundamental cryptography question of resolving identity. Whomever comes up with a solution for this problem will have an opportunity to become filthy rich as banks, military organizations, and other entities strive to verify that the data Bob receives is from Alice and not that cunt Susan who is up to no-good. This is very similar to the question last week asking us to solve the business model case for a publisher. No one knows how to post material to the internet and make a profit. The person who solves that will have every publisher lining up at his door throwing wads of money inside.
I appreciate the idea of getting the masses of Slashdot to seek a solution, but to tell you the truth, if I had a solution I would not reveal it here.
Refundable charge on Debit/Credit card/Bank Acct (Score:3, Interesting)
Assuming that the majority of us have credit/debit cards ( at least in the U.S.)
Get each user to post a fee in their name to their credit card. Person who's name matches the fee wins & gets refunded.
Users without a card, can use a verifiable bank account number. ( doesnt even need to be billed, just call bank X, and verify banking info.)
At the worst case, someone else now has the identity verification problem.
Small Businesses have Found the Answer (Score:3, Insightful)
I believe the term is referred to as, "Customer Service."
tl;dr DMCA (Score:3, Informative)
After the first paragraph I said, "This is what the DMCA is for".
I work for a large provider, we host a number of inflammatory sites. We obviously are not in a position to verify anyones claims, nor do we usually have direct access to remove the content in question to begin with. This is precisely one of the things the DMCA was made for (as bad as it may be, it works well for this). We receive a complaint that anyone can fill out, we give our customer the legally required time to respond. If they choose not to respond with a counter complaint they must take down the offending content. If they do respond, the content stays up. After that we are only required to act upon a legal decision.
Isn't this the "Two Generals" problem? (Score:2)
Or the "byzantine generals" problem perhaps?
I don't think it's something you're going to be able to solve effectively if you eliminate human judgment from your policies.
This is what the courts are for (Score:2)
What about parody? There have been some classic impersonating websites such as the fake Steve Jobs site. These are legal because it's parody.
What about multiple people with the same name? There is more than one person on the net with the name "Cecilia Barnes". What if one "Cecilia Barnes" calls up yahoo to complain about a website that is about a different one? Each can produce government ID. [I know, in this case, there was a phone number, but a law or new rule needs to be general.]
This sort of issue
Make a Tech Solution Popular (Score:2)
The technical problems with this solution are (1) finding someplace everyone knows is mine for me to host the key (Facebook or MySpace would work well for this) and (2) making it easy to sign arbitrary things with that key while still
Re: (Score:2)
Facebook, MySpace, and virtually all websites lack any real rigor in their sign-up process. With the exception perhaps of a CAPTCHA, it's designed to be as streamlined as possible, because most websites are focused on creating value by quickly growing their user base. Drawn out identity verification doesn't fit with this model.
What's to stop someone from signing up under someone else's name, generating a PGP key, and then using it as you have described? I don't see how the situation is changed in any way
The Bible solved this long ago... (Score:2)
What about Slashdot? (Score:2)
A while ago I remember some guy was posting troll messages from an account with a name that implied he was someone famous. I looked up Slashdot's policy about impersonation and found that the policy was basically "let the moderation system handle it".
I just looked at the FAQ and I could not find the section I remembered. Did Slashdot change this policy?
As a for-instance... suppose the user name "esr" was not registered, and someone registered it and started posting troll messages that superficially looked
Really? (Score:2)
If little ol' mrs smith who can ba
Re: (Score:2)
You can't stop identity theft, but you can narrow it down...
Re: (Score:3, Insightful)