I have a question for Australian legal-eagles or even legal-eagles from other countries.
Suppose someone’s theory is that Brandon Shollenberger connected to a computer and obtained data in some way that violated some statute somewhere. (For example, Eli suggests things like “Eli Rabett (Comment #130142) Better look up the Queensland and Illinois laws.”)
Now, further suppose the fact pattern includes:
- That computer would be the one that hosted ‘mysecretdomain.com’ in this address “2929 http://secretdomain.org/tcp_results.php” discussed at Brandon’s blog. (Note: the actual domain is not ‘mysecretdomain.com’. That’s made up to obscure the real domain name.)
- The IP of the server in question is 98.129.229.16, which corresponds to a machine physically located in San Antonio, Texas, USA.
- When accessing that computer, Brandon’s butt was sitting in southern Illinois.
- The access was accomplished using a service providing ISP that is located in the US so his IP is US based. (No proxies were used to connect to the machine in San Antonio, TX.)
- The existence of ‘mysecretdomain.com’ was discovered by crawling ‘sksforum.org’ which appears to be served from IP=208.111.41.41. That IP is owned by a provider that operates ‘cloud’ hosting, but appears to be headquartered in either California or Washington State. The IPs in the range used by SkS are in the US. The company does own some machines that appear to be in Europe. None appear to be in Australia or on any other continent.
- Brandon is not an Australian citizen and is not incorporated in Australia.
Given this fact pattern:
- Does Australian jurisdiction extend to this sort of thing? I think I’ve found the document that describes jurisdiction on computer crimes. It’s “15.1 Extended geographical jurisdiction – category A” in this document. I think Australia would not have jurisdiction for any alleged computer abuse crime. Further, it doesn’t even recognize the possibility that the fact pattern above would be against Australian law as it seems to fall under “does not commit the offence unless”. But perhaps I am mistaken.
- Those in other countries: Do you think there is any possibility that any other country might have jurisdiction in the event some infraction occurred?
I ask the former because many people want to discuss the hypothetical that some suit could be brought forward in Australia, and the latter because someone has thrown around principles of law (‘computervredebreuk’) in the Netherlands.
While I respect the fact that other countries laws can and do apply in those other countries, if someone is discussing whether any action could be brought against someone, the issue of jurisdiction matters. I’d be interested in knowing jurisdiction under a fact pattern like this. If there are other facts relevant to jurisdiction, please let me know and I can fill in to the extent I know the facts.
Update: Interestingly, SkS regular Collin Maessen snipped the IP address of the server in question, which I posted in a comment at his blog: 98.129.229.16. Your guess why is as good as mine. That “is” the relevant IP and it is in TX.
Dear Lucia,
You may find it helpful to read the section entitled “Extra-territorial issues”, in this article, Computer Crime in a World Without Borders, I found on the Australian Federal Police’s website.
Will,
That’s interesting. It’s interesting to compare their example to something a little more analogous to my hypothetical. Here is theirs
But if we change this a little: If a resident of Chicago goes to Albania for a month or two and falls victim to a telemarketer while in Albania, the Chicagoan is likely to be SOL if he tries to bring charges against the Albanian in Chicago. That would be true even if whatever the Albanian did to the Chicagoan while both were in Albania violated some US, Chicago, Cook County or Illinois statute.
This wouldn’t even be a matter of extradition, expense or lack of sympathy. US, Illinois, Chicago and Cook County courts would not consider themselves to have jurisdiction and beyond that, it’s likely our laws themselves say they don’t apply to behavior that occurred entirely in Albania. So no US etc law would have been broken.
I realize there are a few US laws that make it illegal to do something to an American overseas– but this is a very small subset of our laws.
So basically, none of the traffic Brandon generated went outside the US.
The only possible connection to Australia would be that the data on the server belonged to an Australian citizen (or Australian University).
Stilgar,
As far as I can determine everything seems to have happened in the US.
Yes. But my reading of the Australian statute indicates that would not make Aussie law apply– as far as I can tell. I know it’s a server and the intertubes. But it’s a bit like John Cook or UQ coming to the US bringing their stuff here, buying stuff, putting up a display in the lobby of an American hotel, and then getting huffy if an American who they were hostile to came to the lobby of the American hotel and snapped photos of their display. And the legal theory for why he can’t look at it seems to be that he’d previously asked them to look at the display while it was hung on the wall of their private residence, and so — somehow– he’s supposed to ‘know’ that he can’t look at it when it’s on public display in the open-to-the-public lobby in an American hotel.
With respect to jurisdiction though: whatever happened here, it looks like the jurisdiction would be the US, not Australia. As far as I can tell, that IP does go to a server in the US– that’s not a content delivery network. (My stuff is on dreamhost– but the IP you usually can look up is Cloudflare, a content delivery network.)
If this is true, I think speculating what Aussie law might or might not do goes out the window. Disputes would all land in American courts– but Australian lawyers would be more authoritative than I on that.
Very minor** nit, but – the physical machine isn’t in San Antonio – that’s the hosting co. headquarters. I had to do some work in the data center it sits in during a customer datacenter migration. The physical location is in Grapevine TX (right by DFW, but closer to Fort Worth than Dallas – so we referred to it as the Fort Worth DC).
** Very minor because it’s in Grapevine/DFW, not San Antonio.
TerryMN,
Wow! Good going. So you’ve been physically “near” the data!!
Heh – it was about 1.5 years ago, so chances are I probably walked right past the server(s) – and all I would have noticed were blinking green lights and lots of AC. For making a living w/software, I hate having to be in big data centers…
“Does Australian jurisdiction extend to this sort of thing? ”
Possibly..
On a side issue..
Several years ago, a jewish family in Australia, took umbrage at some form of slander/vilification of their deceased family member.
The person who caused the family grief was located in the US.
The family (from memory) won a court case in the US with damages I believe.
Re the jurisdiction:
The only crimes of which I am aware which have application outside Australia are those relating to sexual assaults against minors. Australian law will be broken by an Australian who has sexual relations with a minor outside of Australia even if it is not a crime in the external jurisdiction.
My answer to your direct question would be “No jurisdiction in Australia in relation to the facts as you have presented them”.
I am bound to add that I offer this opinion for the sake of discussion on this blog and would warn anybody seeking to act in reliance upon it that I take no responsibility for any consequences whatsoever.
Drapetomania
Yes. US slander/libel law jurisdiction works that way. If an American in the US slanders someone, the American can be sued in the US where the slander occurs. Also, I think our laws permit Americans to sue people who slander us when they are in other countries because it has “an effect” on us– sitting in the US.
The issue can sometimes be where an action has “an effect”.
Different actions can have different geographical jurisdictions.
That’s why I read (and linked) the Australian statute. And it doesn’t read “having an effect in Australia” it reads “occurring in Australia”. The “having an effect in X” type language would result in broader jurisdiction — but this one seems narrower.
I think most slander law in the US has the “an effect” type language in the jurisdiction statement while many other crimes have “occurs in” (e.g. murder, rape, theft, wire fraud, mail fraud are all “occurs in”. Note however, that wire fraud involving a phone call ‘occurs in’ both the location from which a call was placed and one where it was received. )
By the way: this jurisdictional issue does matter. Andrew “the weeve” who was convicted for hacking won his appeal because he was tried in New Jersey, but nothing about what he did “occurred in” NJ. The Feds basically tried to stretch the law to apply for “having an effect (on customers living ) in NJ ” to “has occurred in NJ”. The appeals court knocked them back. The actions occurred in Arkansas, California, Texas, Atlanta (I think) and one other state. They had 5 states to pick from: but not New Jersey.
Hmmm since Collin snipped the IP, he must think there’s something to keep out of public view, even though by definition an IP address is a public address. Maybe he thinks showing IP addresses is “hacking”, it would certainly fit his crazy world view on the issue where he accuses Brandon of criminal behavior with nothing to back it up.
Maybe I’ll invest in buying that reverse IP lookup report after all. There are over 1400 domain names on the same server IP at 98.129.229.16, but the one report I get shows only 600+ of those, and the double-secret SkS hidey hole server isn’t on the list AFAICT.
This list shows 1000 of them.
http://viewdns.info/reverseip/?host=98.129.229.16&t=1
Anthony Watts,
I’m intrigued he snipped it. You are correct there are scads of domains on that IP; different services trying to figure out all the domains on that IP get different numbers. I happen to know the domain name because I used the grey cells and google to guess after Brandon listed the 18,000 uris obscuring the domain name as ‘secretdomain.com’. Then I found the IP. The IP doesn’t give you much of a clue on the domain name.
I’m not entirely sure why Collin would even snip the domain name if I posted it. Most of his readership likely knows it anyway. He ought to know if I can post it in his comments, I can post it here. But… who can delve the mind of a heavy moderator? (Don’t answer that!)
I think we need a contest.
A contest to do what? See who can guess the name of the domain? Or to guess why Collin deleted the IP?
Yes 😉
But any guess about Collin that is right he’ll simply deny. That leaves us with the former.
Anthony,
The trouble is that you’re assuming there’s a method to Collin’s snipping madness. There may be, and you may be correct, but look at the statute he snipped and later posted (I didn’t actually verify this but read about it on this thread). This doesn’t look all that meaningful to me, it seems more around the ‘I don’t like you so let me find something to snip’ level of sophistication in my view.
~shrug~
(Edit – err, I didn’t read about it on this thread, it was on the prior thread about hacking.)
.
So you didn’t have the opportunity to check the data for signs it had been molested and tortured?
Anthony,
I don’t think we can have a ‘guess the domain name’ contests now. I already guessed it. Seems like you know it too. Too many people know it!
Now I’m starting to get curious. Is it something really silly? http://www.unicornssavetheearth.com or something similar?
For what it’s worth, the domain name will likely become public knowledge within a week. FreedomWatch submitted an FOI request to the University of Queensland for any communication with or regarding me on May 15th. I believe they are allowed one month to respond, meaning it should be only a couple days until they do. I imagine the name of the domain will show up in some of the results.
Unless, of course, they somehow conducted their forensic investigation of my “hack” and reported the results without ever writing anything regarding me.
It’s also worth noting an unrelated person filed an FOI request for material related to the ethics approval for the paper about a week later.
Edit: I just checked, and it turns out my e-mails to John Cook have been to his University of Queensland e-mail account. The FOI request would even cover a couple e-mails I sent him last year. It’ll be interesting to see if they all turn up.
lucia, I don’t think anyone but you has figured it out. Anthony asked me about the list of domain names he found, and I told him it wasn’t on the list.
Mark,
That doesn’t happen to be the domain name. But the correct domain name is no less silly sounding.
Brandon,
I repeated my method of “finding” it a day later, and was unable to do so. They may have asked google to delist pages. Or…. I just missed a thing to search when picking out addresses. So, it may be that others didn’t act as quickly and now my method of guessing has been foreclosed. That said: Knowing the IP means someone could click the link at the site anthony linked and email to request the remaining domains. Presumably it’s on that list.
Most people will prefer to just wait for the FOI.
Yeah I think they have de-listed a bunch of stuff from Google, I went through the 18,000 list looking for obvious search candidates, and nothing relevant was returned.
They may have simply changed robots.txt on the double-secret SkS hidey-hole.
Mark Bofill:
Be careful!
By guessing this URL [*] you are guilty of hacking!!!
[*] According to the techno noob Collin Maessen.
Carrick,
Oh.
I thought I was only hacking if I typed it into my browser.
Of course, it makes for an interesting loophole in the ‘URL manipulation’ theory of hacking:
1. I didn’t access it, I just put up the link I manually created.
2. Somebody else didn’t manipulate the URL, they just clicked a link I provided.
hmm. Was it me or the clicker who hacked? Maybe Eli will come by and enlighten me.
Oh no, I got it now. I don’t need you to explain Eli.
I’m not a virgin, and everybody knows unicorns only authorize access to virgin maidens, ergo I should have known I shouldn’t have manually created a link by which the secret cherished unicorn data could be ravaged by the filthy masses.
I feel better now that I’ve sorted that out.
I did pings and traceroutes of that server (19.129.229.16). It is about 50 ms (round trip) from Washington, DC. That’s 25 ms one-way.
At the speed of light, that would only be about 7,500 km. That’s a good bit less than the distance from DC to Australia. So, server must not be in Australia.
Bob
PS. Signals in optical fibers do not travel at “the speed of light” where “the speed of light” means the speed of light in free space (approx 300×10^6 meters/sec). And, there are delays in the routers, etc. So, the server is probably more like 2,500 km from DC. The map shows that Fort Worth is about 2000 km from DC.
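The latency bound described in the comment above, worked through as an added example (not part of the original thread). The coordinates are approximate values constructed for illustration, and the 2/3 velocity factor for optical fiber is an assumed typical figure.

```python
import math

C_KM_PER_MS = 299.792458   # speed of light in free space, km per millisecond
FIBER_FACTOR = 2.0 / 3.0   # assumption: signal speed in fiber is roughly 2/3 of c
EARTH_RADIUS_KM = 6371.0

# Approximate (lat, lon) pairs, constructed for this example.
VANTAGE_DC = (38.9072, -77.0369)
CANDIDATES = {
    "Grapevine TX": (32.9343, -97.0781),
    "San Antonio TX": (29.4241, -98.4936),
    "Brisbane QLD": (-27.4698, 153.0251),
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def max_distance_km(rtt_ms, velocity_factor=1.0):
    """Upper bound on one-way distance implied by a round-trip time.

    Router queuing and indirect routes only add delay, so the real
    distance can be shorter than this bound but never longer.
    """
    return (rtt_ms / 2.0) * C_KM_PER_MS * velocity_factor


def feasible_sites(vantage, rtt_ms, candidates, velocity_factor=1.0):
    """Map each candidate site to True if the RTT does not rule it out."""
    limit = max_distance_km(rtt_ms, velocity_factor)
    return {name: haversine_km(vantage, loc) <= limit
            for name, loc in candidates.items()}


if __name__ == "__main__":
    rtt = 50.0  # ms, the round-trip figure quoted in the comment
    for label, factor in (("free space", 1.0), ("fiber", FIBER_FACTOR)):
        print(f"{label}: server within {max_distance_km(rtt, factor):.0f} km")
        for name, ok in feasible_sites(VANTAGE_DC, rtt, CANDIDATES, factor).items():
            dist = haversine_km(VANTAGE_DC, CANDIDATES[name])
            print(f"  {name:15s} {dist:7.0f} km  {'possible' if ok else 'ruled out'}")
```

A measurement like this can only exclude locations; it cannot confirm which of the remaining sites actually hosts the machine.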
Re: bob (Jun 12 12:49),
And the route(s) may not be a good approximation of the most direct route either.
“Mark Bofill (Comment #130332)
June 12th, 2014 at 12:29 pm
Carrick,
Oh.
I thought I was only hacking if I typed it into my browser.”
Logically, if you first type it in to notepad, copy, then paste it into browser you can’t have hacked.
I don’t think you can apply logic to their argument.
Drapetomania (Comment #130308):
Perhaps there’s some wrinkle to the case that makes your memory correct, but if the trial was in a US court, it would have been under US federal or state law, and under that law, damages can’t be awarded for defaming the dead.
So you didn’t have the opportunity to check the data for signs it had been molested and tortured?
In that facility, each company has their servers in their own separate cage…
Not sure why they’re so up in arms about all this.
If they were researchers of any integrity and credibility they’d be happy to share the data with others interested in verifying (and thereby strengthening) their research.
Scott,
I’ve seen various claimed reasons for why time stamp data ought not to be released. One claim seems to be that somehow the time stamp data can be used to “attack” people– or something like that. (I think under this theory testing whether people might have suffered ‘fatigue’ or whether average rating correlates with the individual is ‘an attack’.) Another claim seems to be that the raters were promised anonymity. But that anonymity was blown when they published the paper and posted graphs sharing the names of all the raters with each other. So… odd…
lucia:
Only because John Cook deanonymized the subjects by posting figures showing their identities. So any harm that is done, is done because Cook has already failed to properly protect his subjects.
Note from Tom Curtis’s reply to me, he is under the misguided impression that he was never a subject. Remember that he participated in this project, but withdrew. So it’s interesting that he claims that he never signed a consent form. The upcoming FOIA response from Queensland will be interesting in that respect.
(On another ethics note, I view it as improper for UQ to not release any documentation associated with the confidentiality and protection of subjects at the point where they used this argument to not release data.)
Anyway, if people want to attack or badger the participants, they can already do so! I’m not sure what additional ammo (in practice, not in theory) releasing the files using anonymized user ids would provide. IMO the real “damage” was already done.
Here seems to be the full list of domains for that IP address
http://whois.webhosting.info/98.129.229.16
@ Carrick,
Assuming that there is a FOIA request of UQ specifically asking for the signed documents, it is indeed inappropriate to refuse to provide them. I am familiar with the U.S. FOIA, and in such a circumstance the document would be provided but with any personally identifiable information redacted.
I agree with you Lucia. I was thinking about the other jurisdictions that may be involved.
Also, I found a site that lists just about all the domains for that IP address. http://whois.webhosting.info/98.129.229.16
It says it has 1116 but the link you provided shows a total 1165. I got through the first few hundred, then my eyes glossed over and I quit.
Carrick
I see Tom Curtis wrote this.
The problem with what he claims is that any agreement between Cook and Curtis only binds Cook and/or Curtis legally or ethically. It does not bind anyone who did not enter into the agreement: so it doesn’t bind Brandon in any way. While Curtis somehow wants to see the agreement between Cook and Curtis as “not giving Brandon a right”, it also can’t take away any right. Absent the agreement between Cook and Curtis, Brandon could divulge whatever he wished. Of course Cook and Curtis’s agreement doesn’t create this right for Brandon. But that’s a silly observation because Brandon had that right all along. Cook and Curtis’s agreement doesn’t have any effect on Brandon’s rights.
Now, someone might observe that Cook and Curtis’s agreement might affect whether Brandon could exercise his right to share the data. It could– but the only reason Cook’s agreement to keep reviewers names secret could affect whether Brandon revealed names to anyone is that if Cook had kept his agreement Brandon wouldn’t have known them. In that case he couldn’t share data not because he had no right to do so but because he didn’t have the data.
But Cook published the names on a public facing web site making it available to all and sundry. If any agreement to keep that data confidential existed then Cook violated it either through lack of care or on purpose or something. But Brandon didn’t.
Earle, of course legally and ethically they must produce the documents if they exist when served by an FOI request.
However, my point is that public institutes which need the public trust should be completely open and transparent about these sorts of things. If they are going to employ the argument that the data are protected by a confidentiality agreement, they should have produced the documents at the time they employed that argument, and not wait until an FOI request is made to release them.
Lucia, Tom Curtis’s account is also from memory. Since the primary method that these guys communicated on this was via their secret forum, they should be able to produce the actual statement from Cook which made any assurances of confidentiality. That one hasn’t been produced smells a bit fishy to me. We’ll see what the UQ response to the FOI is.
But the main point is:
IRB rules require printed, signed consent forms that are kept on file, as well as a formal review and approval process before data collection can begin. Unsigned agreements are of course not audit-able (you can never verify that the participant in the study saw the email in question), and so not an acceptable substitute for printed, signed documents.
As you point out, Cook also published the data by putting it on a public-facing website without any protection for the files (not even a simple encryption). However, Brandon says this is without the raters names (so it is already anonymized). So it is only by looking at the hacked files—which Cook had already disseminated to as many as 200 people thus violating any confidentiality agreement that was in place—that any outsider can even infer which rater ID in Brandon’s file corresponds to which person.
Thus it is Cook’s negligence in putting this data on the public-facing web server and his irresponsibility in producing figures that have the name of the reviewers on them that is causing problems.
And Brandon neither violated a confidentiality agreement, nor the confidentiality of the subjects, nor would he were he to release this data to the public. That has already been accomplished by Cook’s general incompetence and negligence.
US Supreme Court contra distributed processing
U.S. Supreme Court Makes it Harder to Establish Infringement of Process Patents: Court Overrules Federal Circuit’s “Divided Inducement” Theory of Infringement
From a US point of view, this strict US patent ruling suggests that it would be difficult for an Australian to win when the data is “offshore” from Australia. Australia may consider common law arguments.
Lynda J. Oswald proposes: Simplifying Multiactor Patent Infringement Cases Through Proper Application of Common Law Doctrine Article first published online: 26 JAN 2014
DOI: 10.1111/ablj.12024
If there is some form of ethics review/approval, Cook’s volunteers would turn into research participants. The paper would become ‘Nucitelli and Jokimakki’s Classification of Climate Papers’.
shub:
They are research participants regardless of whether they had IRB approval. Under Australian regulations, they needed IRB approval, and it needed to happen before they started collecting data.
We’ll see what the UQ FOI request yields.
Carrick, while it’s true the data file(s) with rater ids for each rating is somewhat anonymized (using SkS ID number), there was another file on the same page which listed the rater ID and handle of every rater.
So rater identities were publicly available on that page.
So the file contained Rater IDs (numbers?) and Handles? From your blog I understood that some of the handles are anonymous and cannot be connected with actual identities.
SkS, the gift that keeps on giving! IIRC, it has been almost 2 years that the clowns of SKS have been performing their keystone kop klutz act, and the laughs are still coming.
“”Carrick, while it’s true the data file(s) with rater ids for each rating is somewhat anonymized (using SkS ID number), there was another file on the same page which listed the rater ID and handle of every rater.”” I feel like Dave Berry, where I have to exclaim, “I am not making this up!”
“On the contrary. From memory assurances of confidentiality were made when the raters were recruited.”
Easily remedied, release the data with raters names replaced with Rater A, Rater B, Rater C, etc. Do they still have a problem?
Lucia, there are different types of jurisdiction. All of which may be involved in this hypothetical, but the differences should be understood.
stan,
I understand there are different types of jurisdiction. That’s why this post was intended as a question, not “the answer”. It seems to me the people who would know whether Australia has jurisdiction would be attorneys who practice in Australia.
Maybe somebody can explain this to me. But if there are pages on SkS website like this one
http://www.skepticalscience.com/tcp.php?t=home
That suggest the data is freely available. What is all the fuss? What extra info has Brandon got his hands on? Sorry I haven’t followed this closely enough to know the difference.
HR
I think the extra information is timestamps when reviewers posted their reviews. I think (though am not sure) there is also data that permits people to compare how one reviewer rated things vs. another. This data is relevant to assessing some disputes about what the study showed. My impression is that Cook’s ‘side’ of why it should not be released has several elements, but includes claims that amount to if his team didn’t consider those data quality issues then no one should be allowed to see that data because it means his team made no claim about whether reviewers might or might not have gotten too tired to really read and assess the abstracts. Another argument I’ve read is that somehow one could “attack” the reviewers if one knew the time stamp. (It’s not clear in what sense they would be ‘attacked’. Would the observation that you thought people get fatigued if they reviews a shit-wad of articles in a very short time be ‘an attack’? I think not. But even if it were ‘an attack’ it’s still relevant to assessing the quality of the methodology and so the believability of the results.)
And.. no… the fact that one could replicate a study doesn’t mean that data should not be released. There is no scientific principle that decrees that the only way one should determine whether results are believable is by re-doing a time consuming experiment. In fact, if that was a “scientific principle” peer review ought not even to exist. Everyone should just publish and everyone else should just go out, replicate and report what they found. That would be a big waste of time. That’s why peer reviewers and readers can and should evaluate the believability of studies based on data from that study– and the data should be available to the extent that is possible.
Lucia – re “Another argument I’ve read is that somehow one could “attack” the reviewers if one knew the time stamp. (It’s not clear in what sense they would be ‘attacked’. Would the observation that you thought people get fatigued if they reviews a shit-wad of articles in a very short time be ‘an attack’?”
You do need to go back and read your own post here where you have done the legwork.
http://rankexploits.com/musings/2014/fury-if-you-can-harm-you-need-consent/
The issue is that people need to be protected from becoming the subject of research without their consent. It may be innocuous or it may be harmful. That does not matter. As soon as the research starts focusing on the person then they become a human research participant. This was what finally tripped up Lew out of his many ethical lapses on Fury.
Note that a lot of researchers hate IRBs which are generally quite rigid in how they apply the Human Research criteria. See
http://suffocatedscience.com/
I still take the view that reviewer performance could be an issue for the 97percent paper and therefore support the request for an anonymised version to be made available.
clivere-
I’m not sure that addresses whether a particular evaluation is an “attack” which — my understanding– is the way this is spun.
What you say does address whether some sort of consent might have been required by Australian law. But saying something requires ‘consent’ is not the same as decreeing that thing would constitute “an attack”. Australian law does not require the ‘harm’ to rise to the level of ‘attack’ to require consent on the part of the subjects.
Another thing: with respect to the cases, there are some differences. There is no doubt the reviewers for the TCP project in some sense consented to be involved in the TCP research project. Whether they granted formal consent is an issue and whether their consent was informed consent given the fact that their own behavior might be scrutinized at some point could be debated. But certainly, they reviewed the abstract and submitted their ratings voluntarily knowing this input was going to be used in the study. In fact, they seem to have “competed” to get their names on the paper — and many of them are named authors.
In contrast in Fury, the authors did not get any sort of consent at all. One can debate whether it was ‘required’ (with the journal deeming it necessary while the authors of Fury thinking otherwise) but it’s clear that the ‘subjects’ of “Fury” did not consent because they didn’t even know they were involved.
That said: I agree it would seem that the TCP project ought to have obtained informed consent. But in which case, this should have been done whether or not revealing their names or evaluating whether a person might get “tired” constitutes an “attack”.
I agree. This would have been the ideal.
However, TCP authors refused. It appears based on Brandon’s discussion that the stuff someone posted at “the secret domain” combined with material available from the SkS forum hack (which happened before the paper was even published) resulted in it being possible to name individuals.
It’s my opinion that revelation of their names is not Brandon’s fault, and he is not the one bound by Australian privacy issues. The person who may have tripped up on that would seem to be John Cook or whoever put stuff up on “the secret forum”. (Gosh it is so hard not to put the actual domain name up! I hope it’s revealed in the FOI soon because it’s hilarious!)
Clivere,
That’s an interesting way of looking at it. I’m not sure going over the records of the execution of a procedure looking for flaws (regardless of whether or not the procedure addressed the flaws) is the same as doing research.
…
But I could be wrong.
The fundamental question being examined isn’t about the researchers, but the results of their research. Does this make no difference?
HR, the issue of what data is available is complicated. In reference to the resource you link to above, I’d suggest reading this. Long story short, Cook et al haven’t even released all the data they claim to have released.
That piece also touches on another point, timestamps. Cook et al’s response to Richard Tol’s paper claims:
Which is odd because John Cook told a UWA representative:
I suspect the discrepancy is due to a semantic trick. The data I came across included datestamps, not timestamps. I’m guessing Cook didn’t make that distinction while talking to his university, but he’s now hiding behind it in order to deny refusing to release data.
Additional data I found shows the rater ID# for each rating. That lets us tell which raters were responsible for which ratings. Because the rater ID#s are the same as the Skeptical Science ID#s, it’s possible to tell which handles performed which ratings (and often, the full names which go with the handles are publicly available). In theory, this could allow us to “attack” a person by associating individual ratings with them.
Now then, you might wonder how datestamps could be used to attack someone. The issue isn’t the datestamps themselves. The issue is datestamps make it impossible to anonymize the rater ID#s. Normally I could protect rater identities while releasing all the data just by assigning them new ID#s. The problem is we have some information about who performed how many ratings, and when. There were discussions in the released forum, and John Cook even posted graphs for it (on publicly accessible pages, no less).
I came across a bit of other material as well, but I’ve never suggested it should be released. For example, John Cook filtered out a few of the self-ratings from their released data set because it’d be possible to tell which of the contacted authors performed them. I have the unfiltered list. I don’t see any value in releasing it (there are only ~6 extra entries).
Another thing I’ve never suggested I should release is the file Cook posted listing the rater ID# and user handles of all 24 participants. I have no idea why that file was made, much less posted on a web page (public or otherwise).
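Added example (not part of the original comments, and not anyone's actual data): a pre-release check, in Python, of the point made in the comment above that datestamps can undo the protection of reassigned rater ID#s. The sample rows, labels and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample release: (relabelled rater ID, datestamp of one rating).
# The original IDs have already been swapped for fresh labels A-D.
RELEASE = [
    ("A", "2012-03-01"), ("A", "2012-03-01"), ("A", "2012-03-02"),
    ("B", "2012-03-01"), ("B", "2012-03-02"), ("B", "2012-03-02"),
    ("C", "2012-03-01"), ("C", "2012-03-01"), ("C", "2012-03-02"),
    ("D", "2012-03-03"), ("D", "2012-03-03"), ("D", "2012-03-03"),
]


def fingerprints(rows, keep_dates=True):
    """Activity pattern each relabelled ID exposes in the release.

    With datestamps the pattern is the per-day rating count; without
    them only the total count is left. Anyone holding outside figures
    on who rated how many abstracts and when can compare against this.
    """
    per_id = defaultdict(Counter)
    for rater, day in rows:
        per_id[rater][day if keep_dates else "total"] += 1
    return {r: tuple(sorted(c.items())) for r, c in per_id.items()}


def anonymity_sets(rows, keep_dates=True):
    """Group relabelled IDs that share an identical activity pattern."""
    groups = defaultdict(list)
    for rater, pattern in fingerprints(rows, keep_dates).items():
        groups[pattern].append(rater)
    return sorted(sorted(g) for g in groups.values())


def unique_ids(rows, keep_dates=True):
    """IDs whose pattern nobody else shares: relabelling does not hide them."""
    return [g[0] for g in anonymity_sets(rows, keep_dates) if len(g) == 1]


def smallest_set(rows, keep_dates=True):
    """Size of the smallest group (the k in k-anonymity for this release)."""
    return min(len(g) for g in anonymity_sets(rows, keep_dates))


if __name__ == "__main__":
    for keep in (True, False):
        label = "with datestamps" if keep else "dates dropped"
        print(label, anonymity_sets(RELEASE, keep), "k =", smallest_set(RELEASE, keep))
    # In this sample every rater has the same total, so dropping dates
    # hides everyone; in real data the totals may themselves be unique.
```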
The domain is on that list.
Many will guess that the ‘correct’ domain is htaccess protected (as sks forum is now). I recommend stepping through in reverse alphabetical order.
lucia, I’m going to write an e-mail to the person who filed the first FOI request in just a few minutes. I’m not sure if he’s received a response from the University of Queensland or not. I think they were obligated to respond to his request already, but I might be wrong.
I think they have until Monday on the other FOI request. I’ll check with its author to see if I have the time frames right.
Actually lucia, the domain name isn’t on the list you posted. Look a little closer 😛
Mark
Difference to what issue? This is not rhetorical. For example, I think the answers are as follows:
1) Does it make any difference to BRANDON’s legal obligations regarding whether he released it or not: Nope. Brandon has no legal obligation to release or not release. He can do whatever he wishes.
2) Does it make any difference to Brandon’s ethical obligation? I think not. Brandon made no implied promise of any sort. He doesn’t have any ethical obligation to not release stuff. (Analogy: If I see a neighbor out on an adulterous tryst with someone else, I have no legal or ethical obligation to not tell their spouse. OTOH: If I’d promised confidentiality when encouraging them to discuss their problems with me, I would have an ethical obligation. I might not have a legal one, because some types of promises aren’t legally binding.)
3) Does it make a difference to whether Cook should have gotten signed consent forms after providing proper information about how the data might be used? It might not. Depending on how the law is written, it’s possible Cook should have gotten informed consent from each ‘researcher’ in writing even though someone might not consider them a “subject”. Or maybe not. This just depends on Australian law.
4) Does it make any difference to whether Cook’s handling of the data resulted in that data being posted on a public facing web site with no access controls? It’s possible it matters. If the are “human subjects” and the researchers are “human subjects” Cook screwed up. If they aren’t maybe not.
We can come up with lots of questions. In some cases, “it makes a difference”, in others “it doesn’t matter”. People have to delve into Australian law to see if it makes any difference. It seems Carrick above has, I haven’t.
But the person whose actions are not governed by those laws is Brandon. And Brandon is also not ethically bound by any promise or contract Cook might have entered into with people who are not Brandon.
Ahhh!!! You’re right! Close but no cigar. But did you notice the ‘.com’ and ‘.org’ versions of the name were both registered and renewed nearly simultaneously. 🙂
Mark Bofill – I have been researching a number of ethics issues relating to the Fury paper. There is a huge amount concerning the ethics of human research. Reading it is like wading through treacle.
The problem for researchers is that there is a clear line in the sand concerning what is human research and they cross over that line without IRB consent at their peril. They may wish the line was elsewhere but once you understand it then there is really nowhere else where a line can be placed.
Carrick provided a helpful definition and explanation of the issues here
http://rankexploits.com/musings/2014/what-constitutes-hacking/#comment-129946
It should also be noted that John Cook (as lead author) and UQ as (apparently) the Institution that provided IRB clearance have different roles and whilst there is some overlap people need to distinguish between their different responsibilities. Even if John Cook has made lapses then that probably does not allow UQ to make them as well.
Hopefully if FOI comes through then the release of information about the approval process could be very interesting.
Lucia,
Sorry, I meant does it make a difference in deciding whether or not reviewing data is doing research on the people who produced the data.
My thought was just that this isn’t human research. The focus of the research (Brandon looking at the date/timestamp info) doesn’t draw some conclusion about the people who executed a procedure (John’s merry men), but instead supports or damages the position that the results obtained by those people executing their procedure were correct. If that makes any sense. Let me re-read it.
Yeah, that’s what I meant to say.
Thanks clivere. I posted my gut reaction, but I wouldn’t be all that amazed to discover I’ve got this wrong. Mostly I was surprised at the idea. 🙂
lucia, yeah, but I wasn’t sure if it meant much. The domains are registered via a third-party company which serves as a middleman to give registrants privacy. It’s possible both domains were registered by the same customer of that company, or it could be that the company had both domains and is only renting one out to that customer.
Mark Bofill
I think it’s fair to say that Cook & Crew didn’t intend this to be research on the behavior of the raters. The difficulty is that ‘human research’ might not be defined by the intentions of the researchers.
The intention/effect distinction arises in the US too. Suppose you explode a nuclear bomb over Boise, Idaho. Your “intention” was to study the dispersal of contaminants– you didn’t really give a hoot about the effects on humans. You take no measurements of effects on humans. You didn’t report that. And so on.
But the humans were in the blast zone. Was this “human research”? IRB’s get involved in these things. (And they would not let you explode the nuclear bomb over Boise, Idaho.)
Oh. I see that I’ve misunderstood Clivere. Sorry.
Brandon,
While you may be right, the coincidence exists.
Mark
My understanding is Brandon’s intention is not to draw any conclusions about the mental states or behavior of “John’s merry men” other than whether it appears they might have experienced “fatigue” and/or whether the ratings of abstracts are correlated with who did the rating. (Both of the latter are things one might consider in laboratory research. For example: if one technician is tall and one short, they may tend to read meniscus levels differently on an instrument because one might need to stand on tip-toes and another might need to bend down. It’s considered ‘good practice’ to see if a bias exists– though often this is not thought about and not done.)
This is why for Brandon’s purpose, it would be sufficient to have anonymized data. You would just find out the average rating from “rater 1” was different from the average for “rater 2”.
It just so happens that Cook at one point declined to supply anonymized data when requested through official channels. He did however, elect to release de-anonymize-able data to the public at a web site of his choice.
Thanks Lucia. That addresses what I was thinking. I suddenly doubted whether or not that was what Clivere was talking about.
I’m starting to wonder if my toothache is making me mildly delirious. Probably time to stop stalling and go see a dentist.
:> If I can’t puzzle out the domain name at this point, I’ll know there’s something seriously wrong with me.
lucia, yup.
By the way, I uploaded a new post a few minutes ago. I wanted to share it here because it follows up on a post I wrote here last year. For those who want just the highlights, here’s the important part:
So if you are saying now that the issue is limited to the ethics of naming of the raters then again it seems that Brandon has been trumped by the authors already.
The paper is either co-authored by raters or those not co-authors are acknowledged at the end. According to theconsensusproject.com website these names cover 94.7% of the rating. Presumably also these names are also the ones released by the SkSforum.
So things seem to be very narrowly limited to the ability to link a particular rating to an individual. I wonder how that puts people any more open to ‘attack’ than putting their name on the paper in the first place?
Does the argument go that people are only driven to ‘attack’ based on finding out the rater of paper 999999 rather than the overall content of the paper?
LOL.
I haven’t been able to verify it, but there’s only one name on that list that seems to me to merit the mirthiness.
Wasn’t much of an upgrade, was it? :p
Mark Bofill,
I must be more easily amused than you because I think several names on that list are ridiculous (at least as sites to share “science”!)
Meh. You’re right. I’ll have to look at it. 🙂
Mark:
Consider any of these for a ‘science’ site particularly one that UQ intimated was used for a research project associated with UQ:
1lovediaper.com, donkeysforjesus.org, furryfriendgear.com, furryfriendgear.net, hackforumsupgrade.com, ilovethe80sfest.com, miamidadehomeinvestments.com, rock-a-bum.com, rock-a-bums.com, rockabum.com, rockabums.com, rockadipe.com, rockitpockets.com, tie-dyes-togo.com, tootsme.com, welloiledcatherd.com, worlds-of-minecraft.com, wowbonus.com, wowbonus.net, wowbonus.org.
Heck a bunch of others would be pretty hilarious as domain names for ‘the super secret forum’ used to discuss issues of interest to the sksforum.org boyz. Some might be perfectly fine under other circumstances: ‘smartpuppylearning.net’ might be perfectly reasonable for a site selling dog training videos, ‘furryfriendgear.com’ might be a good site for marketing cat and dog toys and clothes or hamster playgrounds and ‘velvetcontact.com’ might be a good domain name for an escort service. But they would be pretty funny for “the super-secret sks-forum”.
For what it is worth, if people want a comprehensive list of all FQDNs that have resolved to a particular IP address I can usually get that for you. I can even give you (some) timestamps about WHEN that particular FQDN was active on a particular IP. This could be useful if people are moving web sites from one hosting provider to another.
Also, and because it is part of $dayjob, I checked and that IP address has hosted malware in the past – see e.g. http://www.alienvault.com/apps/rep_monitor/ip/98.129.229.16/
FrancisT–
I’m not surprised it’s hosted malware. Lots of servers that offer shared hosting host malware from time to time for various reasons. (Amateur bloggers get hacked or the hosting service isn’t picky about customers or …. )