Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Reusing Passwords on Different Sites Should be OK



> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of Matthew Gillen
> 
> > https://en.wikipedia.org/wiki/Third-party_doctrine This is like a
> > person writing their password on a postcard and assuming the mail
> > carriers will never bother to look at it.
> 
> I don't think that is actually sound legal reasoning.  Has that
> interpretation come out of a court?

http://lavabit.com/


> Just because a malicious FedEx
> employee could open your package doesn't mean you forfeit your right to
> privacy.  

No, no - this is actually a court case, referenced by the above Wikipedia article. The case example is a postcard versus a letter in an envelope. Even though the envelope is a trivial security measure, it means the sender had a "reasonable expectation of privacy," and therefore has not forfeited the right to privacy. But the postcard could be seen by the mail carriers, and therefore has no reasonable expectation of privacy, and therefore no right to privacy.

In the case of Lavabit, even though their service explicitly was marketed for the purpose of privacy, the mere fact that their employees *could* access user information meant that legally they were required to. Which violated Ladar's principles, so he shut down the business instead of betraying his customers' trust.


> Likewise, just because a malicious employee could run
> wireshark on the production boxes doesn't make me forfeit my expectation
> of privacy.

That's exactly what it means - as long as you with your wireshark are *able* to access some information, because it's not encrypted and the user hasn't gone to any effort to conceal it (another one of the measurements described in the aforementioned court case), that means it's like a postcard and not like a sealed envelope.



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org