Notification of need to cooperate with LEO?
December 27, 2005 6:48 AM   Subscribe

I expected this question had been asked before, but I couldn't find it. Also, I'm assuming that there are logs to be subpoenaed, which I might be wrong about.
posted by justkevin at 6:49 AM on December 27, 2005

As I mentioned in the "falsifying a prescription" thread, Matt wouldn't be able to comply with such a demand. Discussed here and here and many other MeTa threads. Every Anonymous AskMe is actually posted by Matt himself, so they all have Matt's IP address. Matt has no way to tie it back to an individual user, for precisely situations such as these.
posted by Gator at 6:58 AM on December 27, 2005

That's good to know. Matt's comment said that there's nothing in the database linking the poster to the question. What about the httpd logs? Couldn't they get the IP address by looking at the time of posts to the anonymous posting preview page and their response size?
posted by justkevin at 7:11 AM on December 27, 2005

Matt has no way to tie it back to an individual user, for precisely situations such as these.

... uh, except for the anonymously-submitted question that matches the text of the eventually-posted question, yes?
posted by docgonzo at 7:24 AM on December 27, 2005

Assuming he has kept the anonymous submission around to be matched to.
posted by cortex at 7:29 AM on December 27, 2005

What about the httpd logs? Couldn't they get the IP address by looking at the time of posts to the anonymous posting preview page and their response size?

Most sites this large don't keep logs for individual users, since it would be a huge waste of space.

uh, except for the anonymously-submitted question that matches the text of the eventually-posted question, yes?

Um, the original isn't stored anywhere.

---

However, I don't personally feel that the anonymous system we have here is really that good, because matt or jess need to keep a copy of that in case the original poster wants to post a follow-up. So all a prosecutor/defense attorney has to do is subpoena matt or jess' email to find out whom originally posted the question. That's why I think it's important to build a real anonymous reply system if we want true anonymity. (rather then relying on emails that have to sit in people's email boxes)
posted by delmoi at 7:31 AM on December 27, 2005

well, the text itself won't appear in the http logs, so it's going to be a bit more complex - exactly how easy and with how much certainty you can trace from http log to database entry is going to depend on a number of things, like:
- how long are access logs kept for?
- does the database table have a timestamp?
- if not, is there some internal oid that can be used as an equivalent?
- do the http logs have a record of the size of data transferred?
- how often are anon posts made?
- how many anon posts are discarded?
- whether the original submitted data are deleted from the database after processing
- whether an exact match is required, or whether you need confirmation that a certain IP was one of perhaps tens of possible candidates.
and related to all that, how easy is it to use this technical information in a court? i wonder what the "cost" is of going thorough a rather complicated argument. perhaps it is worth tracing back for someone posted saying "i have murdered X", but not for "my wife altered a prescription"?
also, has matt ever been subpoenaed? if not, then for minor things like the examples above experience suggests there is little risk.
[on preview - is anon submission still through email? i thought it was a tickbox on the form; questions do get queued somewhere because we've seen them in the past]
posted by andrew cooke at 7:44 AM on December 27, 2005

Hoax.
posted by uncanny hengeman at 7:53 AM on December 27, 2005

Andrew raises some good points. While I suspect that most anons could be traced back to their original IP if the standard httpd logs are still available, convincing a judge to issue a subpoena and then combing through the records for a possible match isn't going to be done lightly, say for a typical divorce or minor felony.

But as a smoking gun in a felony or multi-million dollar lawsuit, I'm sure someone would be willing to go through the trouble.
posted by justkevin at 7:57 AM on December 27, 2005

Based on comments like this and this, it really doesn't seem to be much of an issue. Matt initially knows who we are when we ask anonymously, but as he has to approve each one, it seems that he would consider his personal risk before posting anything he thought might open him up to prosecution/lawsuits. Once he's determined that a question is safe to post, that's that as far as identifiable information is concerned.

Some of the questions raised here are good ones, though, and I think it's high time we got all of the misconceptions about Anonymous AskMe cleared up -- and it's past high time for there to be something, anything, on the Wiki about it. Seriously, search for "anonymous" over there and the only result you get is "Login"? The hell?
posted by Gator at 7:59 AM on December 27, 2005

So don't use the anonymous feature if you've committed a serious crime, duh. Though I feel the prescription drug guy really doesn't think his wife was doing anything bad, hopefully he no longer is blinded by love. I think this may be a very good case of AskMetafilter helping him realize he needs to see a lawyer now and stop yapping about it. If you believe you're innocent you don't take such precautions.
posted by geoff. at 8:22 AM on December 27, 2005

hey andrew, did you ever get your apache config problems figured out?
posted by delmoi at 9:04 AM on December 27, 2005

nope - i can have ssl or php5, but not both. and i've configured apache before to do this (many times). no idea what is happening in this case - i'm hoping it's a bug that will fix itself come some new release...
posted by andrew cooke at 9:21 AM on December 27, 2005

I'd like to think this site follows the privacy policies of pretty much every other big site out there -- I do everything possible to maintain your privacy, but if the feds come knocking on my door, I have to do whatever they say. If someone did want to know the IP/identity of the person that posted that, there are ways (with enough work) that I could provide that and if there's a cop at my door asking for it, I can't refuse it. That's obstruction.

I designed the ask mefi anon system to be as anon as possible, but I knew someday there could be a question about an illegal act, suicide, etc, that would force me to figure out who posted it so I left one way that I and I alone could link users to anon questions, but they're anonymized in the database.

Read the fine print at your webhost, favorite search engine, or favorite e-commerce store. They're all about keeping your details private to the point where the cops show up and request info, which will be turned over.
posted by mathowie at 9:49 AM on December 27, 2005 [1 favorite]

Could you clarify a little, Matt? Because you had previously stated, "I currently have no way of knowing who asked what except for one tiny indicator that only I see at the moment someone asks a question." I thought you had also once posted that you delete the emails you get in which Anonymous AskMe questions are asked, but I may be misremembering that part.

Do you keep records personally (like in your inbox as opposed to on the server) showing who asked what? I was under the impression that you would never refuse to comply with law enforcement, but that you would simply be unable to provide information because it wasn't kept.
posted by Gator at 9:57 AM on December 27, 2005

so if there's valid legal pressure they're not anonymous. it's not a question of if/maybe, but a direct, permanent (although encrypted, apparently) link?

aren't some of the previous comments a bit misleading? i'd assumed that, while you'd not designed the system to be hard-core/cipherpunk anonymous, you'd done everything basic to make it so. the idea that you'd have implemented a backdoor never crossed my mind.

i agree that what you're doing is no worse than other sites - better, in that at least some kind of anonymity is available. still, i'm surprised.

[on preview - i felt the same as gator, except that i had less confidence that it would be impossible, if you understood the low-level technology]
posted by andrew cooke at 10:06 AM on December 27, 2005

Do you keep records personally (like in your inbox as opposed to on the server) showing who asked what? I was under the impression that you would never refuse to comply with law enforcement, but that you would simply be unable to provide information because it wasn't kept.

The "one tiny indicator" is an email that the police could get from my inbox if they pressed me for it. I don't always delete them all -- esp. when I only check on the anon questions once a day.

I guess my point is that if there's a FBI agent at my door with a subpeona to take down the servers for investigation and I'm asked for any record whatsoever of an anon question, I have to comply, and someone might be identified.
posted by mathowie at 10:13 AM on December 27, 2005

Also, from recent threads it didn't seem that total anonymity was important to most users. If people want to anonymously respond on their own anon question, I'll have to redesign the anon system to tie anon questions to user_IDs, and just hide them when posted to the website.

People seemed pretty unanimous that they prefered more functionality at the cost of total anonymity.
posted by mathowie at 10:15 AM on December 27, 2005

I don't always delete them all

Okay, that's good to know.

In that case, justkevin's original suggestion is probably a good idea: An explicit warning on the Anonymous AskMe page that if you're asking about something illegal, there's a possibility, however slight, that you could be identified to the authorities.

Me, I'd prefer total anonymity, or at least the almost-total anonymity we have now, at the cost of a bit of functionality.
posted by Gator at 10:23 AM on December 27, 2005

i'm confused. maybe 6 months back, it was possible to see queued anonymous posts (can't remember how - some bug). how did that happen if anon posts are handled via email? the queue included many posts that weren't published, so it's not just you (matt) selecting the emails you want to publish and putting them in the database.
sorry, but something doesn't make sense to me. sorry for being stupid...
posted by andrew cooke at 10:28 AM on December 27, 2005

Sidenote: mathowie writes:

If people want to anonymously respond on their own anon question, I'll have to redesign the anon system to tie anon questions to user_IDs, and just hide them when posted to the website.

Another scheme that might even be easier to implement would be that when an anon question gets posted, the submitter gets a randomly-generated password good for posting anonymous followups to that question only.
posted by jacobm at 10:33 AM on December 27, 2005

Matt gets an email when someone sees an anon post, as well as it getting posted to the anon queue. I saw that queue. What ever happened to that really old virgin? He posted like three versions of the question, did it get posted?
posted by delmoi at 10:58 AM on December 27, 2005

I don't think we need a system for real 100% anonymity. My concern was that some people might assume that anonymous meant "it's impossible for anyone to trace this question back to me" as opposed to "the general public/spouse/mom&dad won't be able to trace the question back to me."
posted by justkevin at 11:22 AM on December 27, 2005

"What ever happened to that really old virgin?"

He had a hit movie.
posted by mr_crash_davis at 11:33 AM on December 27, 2005

i'm confused. maybe 6 months back, it was possible to see queued anonymous posts (can't remember how - some bug). how did that happen if anon posts are handled via email? the queue included many posts that weren't published, so it's not just you (matt) selecting the emails you want to publish and putting them in the database.
sorry, but something doesn't make sense to me. sorry for being stupid...

Everything is in the database, but anonymized, only tied to the one anon user account I setup especially for it. I get an email when new ones are submitted.

For a few hours, I had forgotten to filter a history page for the anon user account for all unposted questions, so the unposted ones showed up, because they were in the db already. The email is just a notification system, not a delivery system.

The virgin eventually got to ask his question, if I recall.

Another scheme that might even be easier to implement would be that when an anon question gets posted, the submitter gets a randomly-generated password good for posting anonymous followups to that question only.

What about when there are three anon questions posted at once. Do I maintain a table of temp ids and temp passwords for every question ever? Seems like a messy implementation to me.
posted by mathowie at 12:11 PM on December 27, 2005

mathowie:

What about when there are three anon questions posted at once. Do I maintain a table of temp ids and temp passwords for every question ever? Seems like a messy implementation to me.

I don't think the system I'm imagining would have a problem with multiple questions at once; I probably didn't explain it well enough.

I was imagining that there's some table somewhere that currently has a row for each anonymous question (maybe the same table that has a row for each, um, nonymous question too). To that table, I was imagining you'd add just a password field; in each row, that field would hold the randomly-generated password for that question (if it's anonymous).

Then, on the anonymous question page, there's a link to post an anonymous followup. On that page you've got to type the special secret password, but there's no UID check — anyone can view the "post anonymous followup" page for any question, and anyone who knows the password for a particular question can post an anonymous followup to it.

So the way I'm imagining it, the current system would need to change in three places: (1) there's an extra password field in some questions table somewhere; (2) that password gets filled in randomly and its value gets mailed to the anonymous poster when the question gets posted; and (3) there's a new anonymous followup page that has a password field in addition to the regular comment field. When a user submits a comment on that page, the system verifies that the password submitted matches the password in the appropriate row of the questions table before allowing the comment to be posted (as user "anonymous").

Of course this all depends on the highly dubious assumption that my wild guesses about how the metafilter database is arranged are correct.
posted by jacobm at 1:21 PM on December 27, 2005

What about if someone shares the anon password, so that others can comment anonymously too?
posted by mathowie at 1:55 PM on December 27, 2005

Hoo. That's a damned good point.
posted by cortex at 1:56 PM on December 27, 2005

Well, the worst a user can do is let other people post anonymously in his or her own anonymous thread if desired; I'm not so sure that's a bad thing. If you didn't want that, though, it seems like you just ask people not to do that? Throttle the rate at which anony followups get posted? Seems like a smallish and solvable problem.
posted by jacobm at 2:03 PM on December 27, 2005

I really, really like jacobm's idea, but Matt's point isn't easily dismissed. Without even the threat of a banhammer (since it's unknown who the poster is), people could post their Anon password all over the place -- other forums, blogs, their Geocities site, etc. Of course, that might make it easier to find the culprit, or Matt could pull out the "if the FBI shows up" magic and find the original poster... but still. It's a pretty decent risk. I think the benefit would outweigh the cost, but once anonymous drops fifty inline elephant poo images to one of his thread, we might change our (hive) mind.
posted by SuperNova at 4:16 PM on December 27, 2005

Have a button on your userprofile -- "Generate anonymous question token". When pressed, some supaspecial code serverside generates a token that is unique and identifiable only to the extent that it was generated by Metafilter.

On AskMe, have a field to paste in a token. The thread appears posted by 'anonymous' rather than by usernameX. Presumably Matt could make it such that there is no record in the db against usernameX's record that he or she has posted that thread. The user could post through an open proxy, if he or she were concerned about IP addresses.

In addition, that same token could be used -- for that thread only, of course -- to post followup comments, which would also appear as 'anonymous'. Token is good for one thread only. Lose it, too bad. You can get another one in a week, for a new thread.

Problem solved?
posted by stavrosthewonderchicken at 4:41 PM on December 27, 2005

I like jacobm's idea. Sure, someone could share the anonymous password for that thread, but someone could share their regular metafilter username/password too. And if Bad Things (tm) happened, I imagine the consequences would be the same: suspend the account. There will never be a perfect system that makes anonyminity fool proof. But the benefits of a good anonymous system generally outweigh the potential annoyances/abuses, in my opinion.

Of course, I pretty much gave up on anonyminity years ago. I hope for universal encryption, but I end up putting my real name on pretty much everything (like my metafilter profile page). Still, for those people that seek it out, having anonymous options are very important.
posted by afflatus at 6:42 PM on December 27, 2005

I've always pictured the process and setup much easier than what jacobm described.

New anon questions are tied to your user_id in the db, but anonymized with a simple flag set when you ask the question. Then, in the thread your comment box has a checkbox for "mark answer as anonymous" so that the question asker can post followups. It'd be pretty easy to implement this, but I would add a small message to the anon page that your id is tied to the question in the background and you could be identified easier someday.

Optional additional option would be to add the checkbox for everyone, so that they could post anon followups as well, perhaps identified by number (anon answerer 1, anon answerer 2, etc).
posted by mathowie at 7:09 PM on December 27, 2005

And of course, now that I think about this -- we might as well plan for the inevitable when anon followups are allowed: someone will ask a potentially controversial anon question (like the pot growing one) and then use their anonymity to fight back, knowing I'm not going to out them to everyone on the site no matter how nasty they get with others. I could imagine this being a potential problem very quickly.
posted by mathowie at 7:23 PM on December 27, 2005

mathowie : "then use their anonymity to fight back, knowing I'm not going to out them to everyone on the site no matter how nasty they get with others. I could imagine this being a potential problem very quickly."

Or just ban them, privately.
posted by Gyan at 7:36 PM on December 27, 2005

I agree that there are simpler systems; I just wanted to point out that it is possible to allow anonymous followups without having the database actually record which uid asked which anonymous question. If you don't care about that, then your way is definitely simpler.

Anyway, about anonymous followups, it seems like a simple-to-implement policy would be to just disable anonymous comment posting (e.g., change the password if you used my scheme or flipping a per-question flag somewhere under other schemes) if anonymous followups get out of hand, and let them know up front that for anonymous posting you're hyper-sensitive. Alternately, if you love doing extra work you could make anonymous comments go into a queue like anonymous questions do currently. Just my 2 cents ...
posted by jacobm at 7:37 PM on December 27, 2005

Ooh I got an idea! (Granted I know nothing about how flags work; this may be impossible.)

Anyway, my thinking is, maybe if the anon. poster's followups receive X number of negative flags (or a certain flag:post ratio?), anon replies are automatically temporarily disabled until an admin can drop by and either say, "No big deal" (and re-allow posting), or decide $user needs an anon-reply timeout, or decide $user needs a full timeout/ban, depending on severity. Meantime, the anon user could see a temporary message like, "SuperNova, your anonymous commenting rights have been suspended due to flags, pending a review by an administrator."

Might be too much work for mathowie and jessamyn.
posted by SuperNova at 7:51 PM on December 27, 2005

I'm wondering what's wrong with my suggestion above. It seems like a neat, clean way to solve all the problems mentioned here.
posted by stavrosthewonderchicken at 8:04 PM on December 27, 2005

It seems like it's very similar to the "random, secret password" scheme and that it would have the same problems. Or is there some subtlety I'm missing?
posted by jacobm at 8:11 PM on December 27, 2005

Perhaps I didn't explain as well as I could have, either. To be honest, what you're calling a 'password', I'm calling a 'token'. The reason I say 'token' is that if it's programmatically generated, it can, for example, have the usernumber of the thread originator encrypted into it, which means that sharing it out won't work.

But even if that were the case, you're right in what you said above, that that requires some link, however circuitous, back to a userid.

But having serverside logic to check if the thread token string has the currently logged-in usernumber encrypted in it when the person tries to post an anon comment inthread eliminates the password-sharing problem.

The problem of traceability -- and thus no true anonymity -- remains, though, with that scheme.

I need to think about it some more.
posted by stavrosthewonderchicken at 9:01 PM on December 27, 2005