Open information is fantastic, open networks are essential. But the truth won’t set us free until we develop the skills and the habit and the talent and the moral courage to use it.

—Margaret Heffernan

Decontextualization is a useful tactic for spin, but thankfully transparency is its most effective counter. Molly Ren wrote a lucid (if error-filled) post, offering a place to start reversing the spin.

TL;DR

Myth: The FetLife Proxy made FetLife Google-able

In the very first sentence of her post, Molly repeats this myth:

Maymay created a mirror site which made everything on FetLife not set to ‘friends only’ visible and searchable on Google.

Fact: Google cached pages from people using the FetLife Export tool, a utility enabling FetLife users to download a backup of their account history much like Google’s Data Liberation feature, weeks and months before the FetLife Proxy was even written. The reality is that the FetLife proxy I installed on my domain didn’t cause anything to show up in Google’s public index. (Moreover, the FetLife Export tool offered users the option to export their account history without adding their pages to Google’s Index.)

Don’t take my word for it. In fact—and here’s the moral in many of my stories—never take anyone’s word alone for anything. Not mine, not John Baku’s, and not Molly Ren’s.

Instead, examine plainly available facts, which are literally a click away. Read the URLs of the pages in Google’s index. Note that each one carries a date, as shown in the screenshot below, originally captured on August 13th at 11:38 PM and annotated as I’m writing this post, August 16th:

These dates are created by (line 11 of) the FetLife Export tool’s Web interface. All of this exported content in the Google cache is the result of either

  1. people who voluntarily used the FetLife Export tool to create a backup of their account and who opted to let Google make their export searchable,
  2. public personalities within the BDSM Scene (such as John Baku), or
  3. rape apologists who vocally decried Proposition 429’s adoption, whom I noted due to their comments on FetLife.

This cache was useful for getting you—yes, you—to pay attention to the privacy-compromising and victim-blaming nightmare FetLife has long been ignoring. At the same time, potential collateral damage was curbed by limiting the cache to the activity of deliberately selected, relatively few FetLife accounts—such as those of public figures like John Baku—rather than all 1.5+ million of them (as is being falsely claimed).

Quoting (with permission) from a private conversation I had with someone who used the exporter and felt concerned about how easy it was to expose others’ data:

I’m still wrestling over putting my shit out there on google using the exporter. Because it does mean I outed everyone that had any tangential connection to me. The photos were particularly appalling—it pulled things I’d liked or commented on.

I agree. That’s precisely why inter-user privacy controls are so important. That’s been the punchline of this multi-year campaign from the very start. In popular BDSM anti-abuse activist Kitty Stryker’s words:

If you’re concerned about keeping your nudie pics private, you need to be on a site that allows you to lock your profile down. #fetlife

And *even then*, your privacy can be breached, so it’s no guarantee. Yelling at @maymaym for pointing that out doesn’t change it. #Fetlife

And he had been pointing out breaches of #fetlife’s security for years, so apparently it did take him being an asshole for you to hear it.

Many people, even self-proclaimed technology professionals, are evidently getting things wrong. They are stating, implying, or simply declining to correct the misperception that the proxy I installed caused FetLife to be indexed by Google, merely because they searched Google and saw some exported FetLife pages in the index. To wit, WryGuy wrote:

I searched on Google for “FetLife WryGuy”. There’s a lot there that’s expected for me personally (ex: my Twitter page), but lower down on the first page you’ll find this link:

http://fetlife.maybemaimed.com/JohnBaku-2012-07-21/fetlife/group_posts/2587139.html

The proxy has been taken down, so that link is dead now.

That link isn’t dead because the proxy is down. That link has nothing to do with the proxy—read the URL. It’s not dead because John Baku magically removed it, and it wasn’t removed by DMCA takedowns, as FetLife Greeter @Pairadox claimed. (As an aside, though, I have been getting numerous DMCA takedown notices. After consulting an Intellectual Property lawyer, I’ve learned BitLove, Inc. has very likely invoked the DMCA improperly, which may also be illegal. Perhaps that’s a topic for another post….) WryGuy saw a “404 Page Not Found” error because, point having been made, I removed the content from my domain.

In their knee-jerk panic, many people seem to have missed what’s been under their noses this whole time.

If Google had indexed pages through the proxy, every single result would have included “proxy.php” in the URL. I explained why this is so in the post many people are linking to:1

A simple URL substitution pattern can be used to make an arbitrary FetLife page visible to everyone.

Replace https://fetlife.com with http://fetlife.maybemaimed.com/proxy.php?page=

So, for example, to see the events page, ordinarily at:

https://fetlife.com/events

Simply point your browser to:

http://fetlife.maybemaimed.com/proxy.php?page=/events

This works on any arbitrary content within FetLife, as well. For instance, to view the group post at:

https://fetlife.com/groups/53559/group_posts/2811205

Simply point your browser to:

http://fetlife.maybemaimed.com/proxy.php?page=/groups/53559/group_posts/2811205

See the pattern?

In fact, not a single URL currently showing in Google’s index contains the proxy’s signature, as shown in this screenshot (also captured on August 13th):

Moreover, if you run the above Google search, as of this writing, the only page showing up in the index is actually content on GitHub.com, not even maybemaimed.com:

This happened because I redirected requests away from the proxy before Google Bot indexed the content made available by the proxy:

~/fetlife.maybemaimed.com$ cat .htaccess 
# Point made. Redirect.
Redirect /proxy.php https://github.com/meitar/fetlife-proxy/
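The URL check described above can be automated. The following is an added example, not code from the original post or from the fetlife-proxy project: it sorts a list of indexed URLs into proxy-signed URLs (the “proxy.php?page=” signature), FetLife Export tool pages (the “handle-YYYY-MM-DD/fetlife/...” layout visible in WryGuy’s link), and the GitHub redirect target, then tallies them. The regular expression, the function names and the sample URL list are assumptions constructed for illustration.

```python
"""Provenance triage for URLs found in a search engine's index.

Added example, not code from the original post. It automates the check
the post describes: a page fetched through the proxy would carry the
"proxy.php?page=" signature, a page made by the FetLife Export tool
carries a "<handle>-YYYY-MM-DD/fetlife/..." path, and the post-takedown
redirect points at the GitHub repository. Sample URLs are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Host and redirect target are the ones named in the post.
PROXY_HOST = "fetlife.maybemaimed.com"
REDIRECT_TARGET = ("github.com", "/meitar/fetlife-proxy")

# Export-tool layout seen in WryGuy's link: /<handle>-<date>/fetlife/<path>
# (the regex itself is an assumption about that layout).
EXPORT_RE = re.compile(
    r"^/(?P<handle>[^/]+?)-(?P<date>\d{4}-\d{2}-\d{2})/fetlife/(?P<path>.+)$"
)


def classify(url):
    """Return (origin, details) for one indexed URL.

    origin is "proxy", "export", "redirect_target" or "other".
    """
    parts = urlsplit(url)
    if parts.hostname == PROXY_HOST and parts.path == "/proxy.php":
        # The proxy's signature: the page= value is the upstream path.
        page = parse_qs(parts.query).get("page", [""])[0]
        return "proxy", {"upstream_path": page}
    match = EXPORT_RE.match(parts.path)
    if parts.hostname == PROXY_HOST and match:
        # Export-tool output: the date is written by the tool, not the proxy.
        return "export", {"handle": match["handle"], "date": match["date"],
                          "path": match["path"]}
    if (parts.hostname, parts.path.rstrip("/")) == REDIRECT_TARGET:
        return "redirect_target", {}
    return "other", {}


def triage(urls):
    """Tally origins over a list of indexed URLs and collect export dates."""
    counts = {"proxy": 0, "export": 0, "redirect_target": 0, "other": 0}
    dates = set()
    for url in urls:
        origin, info = classify(url)
        counts[origin] += 1
        if origin == "export":
            dates.add(info["date"])
    return counts, sorted(dates)


# Constructed sample of what one might copy out of search results.
SAMPLE_INDEX = [
    "http://fetlife.maybemaimed.com/JohnBaku-2012-07-21/fetlife/group_posts/2587139.html",
    "http://fetlife.maybemaimed.com/ExampleUser-2012-06-30/fetlife/users/1.html",
    "https://github.com/meitar/fetlife-proxy/",
]

if __name__ == "__main__":
    counts, dates = triage(SAMPLE_INDEX)
    print("origins:", counts)
    print("export dates seen:", dates)
```

A non-zero "proxy" count is the only outcome that would support the claim that the proxy fed the index; every other origin is independent of it.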

My “point [was] made” the moment FetLife published their announcement of this “attack”—their own obvious “spin,” to use @ColdStorage’s word from that very thread. And, what was the point? Molly Ren links to FetLife user Kirr’s post, which I’ve already quoted heavily:

FetLife gives the impression of being “private,” while it really isn’t. Anyone on the Internet can make an account and see anything on the site[…]. This is the point Maymay was trying to make with his proxy, but FetLife’s reaction to it is the opposite of what it should be. By effectively saying “we fixed the problem; all of your information is safe,” they’re giving people the impression that what they post here is private. What they should have done is reminded people that anyone at all could (and still can) do what Maymay did, and reminded users to treat FetLife as public, not private. Their reaction is one that will lead to users of the site being less safe, but thinking that they’re safer.

If, as Kitty Stryker warned, you have a desire to protect your nudie pics from public view, a mere promise from FetLife that you are “secure” is not good enough. Since FetLife is, in Thomas Millar’s words, “the single largest online organ in the BDSM universe,” it is FetLife’s responsibility to offer you effective ways to protect your privacy. At the risk of sounding like a broken record, FetLife can start by adding granular, inter-user privacy controls.

Promises are bad premises for privacy

As I explained on Facebook several days ago to a technology professional who doesn’t have a FetLife account:

Sigh. […] I am not saying YOU need to care. I am not even saying your FRIENDS who use FetLife need to care. Ordinary users need not [be forced to] care about the technology of privacy implementations on the Web to stay private [any more] than I need to [be forced to] care about physics to heat up my dinner in a microwave.

I am saying FetLife.com needs to care. But they don’t. They don’t because they don’t perceive it as a threat to their business. They don’t perceive a threat to their business because, you’re right, users are caught unaware.

Look at the situation now. Users are no longer unaware. And now FetLife hopefully perceives a threat to their business large enough to force them to change.

[…]

Do not make the mistake of believing that I am careless or thoughtless in my actions.

And, consider: you can do something to make tomorrow better. It’s easy to do.

Some people, including Molly, are using the analogy of a bomb. Molly Ren writes:

I’m having flashbacks to The Dark Knight Rises, where Bane does a great job of seeming to turn Gotham into an Occupy-style anarchist paradise, except in reality he has an atom bomb and just really wants to blow the place up. Just as how his actions reveal that Bane doesn’t really care about the populace of Gotham, the very fact that Maymay did this to hundreds of people’s data shows that he doesn’t really care about anyone in “The Scene”, no matter how many blog posts he writes about how “anyone could have done this”[…].

Like nearly all analogies, this one fails when stretched too far, but it’s nevertheless useful for now. If we must use it, think of it as though I created a time bomb and then took deliberate actions to set the fuse longer than the time the disarming mechanism needed. One of those “disarming mechanisms” was being very loud about the fact that I had done this in the first place:

Compare the actions I took to the actions someone actually trying to do harm would take:

  • I woke up yesterday morning and spent an hour or so writing a trivial (even stupid) 50-line PHP proxy, with no attempt, technically or socially, to hide what I was doing. Then, immediately, I publicized that fact as loudly as possible to focus intense attention on the technicalities.
  • An actually malicious person would at least spoof referer and user-agent headers, and re-route their traffic through an anonymizing network like Tor, not to mention not publishing their work publicly and loudly shouting from the Internet’s rooftops that they were doing this! (Obviously.)

The proof of this is in the very thing people are yelling inaccuracies about—Google’s own index is the pudding.

The fact that this metaphorical “bomb” was real is important because, quoting Kirr again, “anyone at all could (and still can) do what Maymay did.” Others, like @whipartist, even said so:

@Mollena I could whip up that proxy in maybe two hours of coding, if that. I think I could do it with any site that requires authentication.

This is a real threat—one that’s causing ever-more serious harm the longer it remains unaddressed—and it has been swept under the rug for years. Shooting the messenger will not change the message.

To borrow a phrase from Driftglass, a Kink On Tap panelist and awesome political blogger:

First of all, a robust and powerful investigative media is necessary to a democracy. And secondly, citizens have to take responsibility for knowing shit and getting angry about shit and then taking action about it.

Be angry, if you’re angry—cast me as Bane if it makes you feel better, or if it makes you popular. No one’s saying feelings are invalid, or recognition isn’t valuable. But at least take responsibility for knowing shit. Because many things many people are saying right now are just that: shit.

Doesn’t it behoove us all to be able to tell the difference?

Privacy is not dead. Privacy tools for you and me already exist, and they have for many years. We ought to be given the opportunity to use them. FetLife not only offers no such opportunity, it actively interferes with efforts to increase privacy.

We need to be clear about this: FetLife.com is not some land of milk and honey for kinksters. FetLife.com is a piece of closed-source, proprietary software developed by a privately owned company that has business interests. Given that, it’s easy to compare FetLife to myriad social networking websites, notably Twitter, Facebook, or Foursquare, each loudly decried by many of the very same people who laud FetLife as being different! Better! Safer!

Here’s what Ken from PopeHat has to say about Twitter:

It’s easy to forget that Twitter is private[ly owned] because it’s become such a behemoth and because it’s become such a primary information source and venue for communication for so many. But it is private. It’s a for-profit business, and it’s going to act like a for-profit business, and it’s irresponsible to trust it to act like something else. Criticizing it as if it were a public entity is an attempt to shift responsibility. It’s our responsibility to choose, and police, our private communications platforms. If Twitter acts like this, and won’t repent, then if we care we have to be prepared to dump it for something else — or to find some way to inflict consequences on it so it won’t act that way again.

[…]

Twitter has become a very popular widget among revolutionaries. Someone should probably tell them that if this is the way Twitter acts, they may be using a dangerous product that will get them killed.

Replace “Twitter” with “FetLife,” “revolutionaries” with “kinksters,” and “killed” with “outed,” and the above holds true, making FetLife an exceptionally dangerous entity to trust. That’s why, as Tor developer Jacob Appelbaum reminds us:

Every time you use proprietary software, you have to ask yourself, “Why is this provided to me for free?” […] If you log in to Skype on a computer you’ve never used before, you get all your chat history. Well, why is that? Well, that’s because Skype has it. And if Skype can give it to you, they can give it to the feds. And they will.

And everybody that has that ability will. Some will fight it, like Twitter. But in the end, if the State asserts it has the right to get your data, sometimes without you even knowing that that’s happening, they’re gonna get it if they can get it.

So we have to solve these privacy problems with mathematics, because it’s pretty hard to solve math problems with a gun or a threat of violence.

In her post, Molly Ren cites the creepy “Girls Around Me” app, a mashup of Facebook profiles and Foursquare check-ins:

Surely, Maymay has to realize that most people in The Scene are at the same level of knowledge of internet security that American culture is as a whole—that is, they suck at it? In March of this year Violet Blue blogged about the stalker-ish Girls Around Me app, which scraped publicly available information off of Facebook without female users’ knowledge. Cult of Mac blogger John Brownlee called it a “Facebook privacy wake-up call”, blogging eloquently about his friends’ reactions to the app, and what it said about our larger culture’s technological literacy[.]

For the record, Molly, yes, I’m intimately familiar with the tech illiteracy plaguing most people in The Scene. The part you, and so many others, seem to consistently ignore is that it’s not the responsibility of users to jump through hoops for privacy, but rather the responsibility of the service provider to make their offering private by default.

Perhaps Molly Ren missed this equally eloquent followup by John Brownlee on the very same issue of the Girls Around Me app. Replace “Foursquare” with “FetLife” and “Girls Around Me” with “maymay’s FetLife Proxy” and we clearly observe history repeating itself:

Foursquare was quick to respond [to Girls Around Me] within hours, cutting off the API access that the app relied upon to function.

Foursquare’s swift response to the issue effectively killed Girls Around Me[…]. And for a lot of people, the story ended there. The app’s gone. Why keep talking about it?

That’s exactly the way Foursquare (and Facebook) wants things.

If there was one thing in Foursquare’s eyes that Girls Around Me was guilty of, it wasn’t tracking women and getting information about them without their consent. It was getting people to talk about privacy, when Foursquare’s entire business model is based upon getting as many people as possible to share as much about themselves as possible.

When most privacy advocates get upset about services like Foursquare and Facebook, it’s not necessarily because they are grumpy gronards [sic] about social networks. What they are specifically concerned with is that Foursquare and Facebook’s privacy settings default to sharing pretty much everything, and that these social networks want to keep that fact as obfuscated as possible so that they can continue to sell the information about you that they collect. Your personal information—your life—is their product.

[…]

In fact, all of Foursquare’s privacy options are opt-out, not opt-in.

[…]

It’s exactly because of Foursquare and Facebook’s cavalier and selfish attitudes towards their users’ privacy that an app like Girls Around Me could work to begin with.

But that’s not how Molly Ren’s thinking about this issue at all. She continues:

If Maymay really cared about making a change without also being malicious, he could have created the script and sent it to John Baku as a warning, rather than actually going through with it. He could have taught more classes teaching people in the scene the importance of Internet security and intros to basic code. He could have joined with the many other scenesters with technical knowledge and helped to build something that was safe.

Here, Molly Ren has effectively done what she and oh-so-many (pop) social justice types are vocally loath to ever condone: she casts characters as villain and victim and then blames the victim. Don’t trust me, trust Molly Ren’s own source, John Brownlee:

Just because Foursquare and Facebook are invested in getting users to share their data online, though, doesn’t the real fault lie with the women sharing more about themselves online than they are comfortable with? After all, a woman (or man, for that matter) with her privacy settings locked down couldn’t have her information exposed by an app like Girls Around Me. Shouldn’t these women have known better? Aren’t they just inviting disaster by being so woefully informed about what they are showing the world?

I have to admit, there was a time when I thought this way. That’s before I saw the looks on the face of friends — all of whom were smart, all of whom were more or less technically savvy — absolutely terrified by what an app like Girls Around Me could do. That’s before I heard from hundreds of women over the weekend who had absolutely no idea Foursquare and Facebook shared so much about them by default. And the reason they have no idea? Not because they’re stupid, or careless, but because Foursquare and Facebook ultimately don’t want them to know.

Let’s say there’s a dark alley in your neighborhood between two popular local bars, and you know that many women have wandered down that late at night and unwittingly been attacked. How long until you stop saying it’s the women’s fault for being stupid or careless enough to be victims, and start parceling out some of the blame to the two bars that don’t care enough to install a street light to keep that alley well-lit?

It’s the same thing. Foursquare and Facebook could shine a light on privacy issues, but they don’t. They keep privacy matters murky and dark. And that makes a lot of us closer to being victims than even the smartest of us could possibly know.

So, ask yourself, what should be done about this debacle? Should you:

  1. spend time and energy you probably don’t even have (being, in Molly’s words, someone who “sucks” at computer security) researching the privacy options and technologies available to you (if there even are options available to you, which isn’t the case on FetLife),
  2. “don’t post anything to the Internet you wouldn’t want to be made public,” i.e., stop using the Internet for your sexual self-expression, or
  3. force FetLife to make privacy a priority, and a default?

Molly Ren’s already answered:

Why, after taking my own data from me and putting my less-tech savvy friends at risk, would I join you to “FORCE something better”?

You can deny the very real danger of becoming the next Cpl Jim Brown if you want. In fact, anyone who wants to do so can stick their fingers in their own ears. But for their part, FetLife and John Baku in particular continue to stick their fingers in your ears:

The people who really need privacy on FetLife—”lock your profile down,” in Kitty’s words—are already more vulnerable than others. Telling them to spend their own already-limited resources educating themselves or to simply quit using the tools of self-expression available to them is no better than leaving them all to drown. As the saying goes, “people who attend communication workshops are not the people who most need communication workshops.”

Quoting Tor developer Jacob Appelbaum again, from his KinkForAll San Francisco presentation, “Anonymity on the Net”:

[In America], people often say that they don’t need privacy, and it’s often from a position of privilege that they say that. Like, if you’re not out in the communities that you’re a part of, then maybe you don’t have that viewpoint, and you recognize that that privilege is perhaps one that is easily afforded to some but not to yourself.

What kind of person or company tells you you’re secure when you aren’t, and that it’s your own fault if something bad happens to you if the expectations you were given didn’t match up with reality? As I’ve said before, when these people are telling you not to post personally identifiable information to the Internet, what they are saying is, “You don’t deserve to have an online safe space for your self-expression.”

As author Quinn Norton said, “If you want a complacent population, ruining their lives and then getting them to believe they did it themselves is a pretty good way to start.”

  1. For the technical among you, read lines 54 and 55 of the proxy.php file.