Congressional Committee Asks Web Site for Information on Anonymous Posters:

The House Committee on Energy and Commerce is investigating alleged withholding of clinical trial data in a pharmaceutical trial. Anonymous posts on the CafePharma.com site suggest that posters knew about the trial results months before they were publicly released, so the House Committee on Energy and Commerce asked CafePharma for "all records relating to any posting on CafePharma.com related to the ENHANCE study, including but not limited to ... e-mail and internet protocol addresses of anyone creating such a post." (This was indeed just a letter requesting this, not a subpoena, but I take it that there was an implicit threat of a possible subpoena, and the letter speaks of the possibility that the Committee would "require" more information.)

CafePharma responds:

[W]e do not collect any user information with anonymous posts (including IP addresses). Therefore, we do not believe we will have any information to provide regarding these posts.

Oren:
I have repeatedly advised everyone that I work for on the web to delete their logs as often as possible. It's the only way to be safe. . .
2.14.2008 3:00pm
Scote (mail):
Hmm...I wonder if this site has ever been asked for info?
2.14.2008 3:05pm
explain please? (mail):
When you say "delete their logs," could you clarify? Do you mean "clear their history,"? (Because that wouldn't seem to affect someone else's record of your IP address.) Do you mean use a different name and password?
2.14.2008 3:51pm
Dan Weber (www):
Now we see what happens when Congress decides that "sorry, I don't have that information" isn't good enough.

Bring popcorn.
2.14.2008 3:56pm
45 (mail):
This is being posted through a proxy chain.

Congress will just have to ask the NSA for help... Politely, of course: “Pleeeeze National Security Agency dudes, get your friends at the telcos and the ISPs to help us strike down anonymous posting.”


Wilkes and Liberty!
45
2.14.2008 4:34pm
Brett Bellmore:

Now we see what happens when Congress decides that "sorry, I don't have that information" isn't good enough.


Pity we can't go to town on Congress, when they hold those "voice votes" in order to make sure that they can tell US that, when we want to know who voted for something, and if a quorum really was present.
2.14.2008 4:35pm
45 (mail):
This is being posted through a proxy chain.

Congress will just have to ask the NSA for help... Politely, of course: “Pleeeeze National Security Agency dudes, get your friends at the telcos and the ISPs to help us strike down anonymous posting.”


Wilkes and Liberty!
45
2.14.2008 4:35pm
Dave N (mail):
Nothing is truly anonymous on the Internet--at a minimum, a website could register the IP address of everyone connecting to the site. That said, this seems like a Congressional fishing expedition that CafePharma should resist to the absolute best of its ability.
2.14.2008 4:43pm
eck:
Dave N says Nothing is truly anonymous on the Internet--at a minimum, a website could register the IP address of everyone connecting to the site.

And indeed, a typical httpd logfile contains that information. But "could" is not equivalent to "did in fact," and Cafepharma seems to be saying that they didn't and don't log such information. Absent some other identifying information (e.g., in the anonymously posted items themselves), the postings in question are for all practical purposes truly anonymous.
2.14.2008 4:55pm
Oren:
When you say "delete their logs," could you clarify? Do you mean "clear their history,"? (Because that wouldn't seem to affect someone else's record of your IP address.) Do you mean use a different name and password?
I mean for people that host blogs/forums and whatnot to delete all information about which IPs connected at which time or are associated with which accounts. There's absolutely no compelling reason to keep such information and every reason to scrub it.

If you are concerned with staying anonymous then it's pretty trivial to drive down the street until you find an open WiFi access point. Don't ever use the same one twice though.

And indeed, a typical httpd logfile contains that information. But "could" is not equivalent to "did in fact," and Cafepharma seems to be saying that they didn't and don't log such information. Absent some other identifying information (e.g., in the anonymously posted items themselves), the postings in question are for all practical purposes truly anonymous.
That depends on the competence of their admins. Let's hope they know what they are doing.
2.14.2008 6:23pm
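Added example, not part of the thread: a sketch of what scrubbing the client address out of a typical httpd access log (eck's and Oren's point above) can look like for an operator. The log lines are constructed samples using documentation address ranges, and the function names are illustrative assumptions, not any web server's API.

```python
import ipaddress
import re

# Common/combined log format starts with the client address, then a space.
_LEADING_HOST = re.compile(r"^(\S+)(\s.*)$", re.DOTALL)

# Constructed sample lines (documentation addresses, invented requests).
SAMPLE = [
    '192.0.2.57 - - [14/Feb/2008:15:00:01 -0500] "POST /post.php HTTP/1.1" 200 512',
    '2001:db8:aa:bb:211:22ff:fe33:4455 - - [14/Feb/2008:15:05:09 -0500] "GET /t/1 HTTP/1.1" 200 2048',
    'host7.example.net - - [14/Feb/2008:15:09:44 -0500] "GET / HTTP/1.1" 200 1024',
]

def mask_ip(text, v4_prefix=24, v6_prefix=48):
    """Return the enclosing network address, or None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def scrub_line(line, mode="drop"):
    """mode='drop' replaces the client field with '-'; 'mask' truncates it."""
    m = _LEADING_HOST.match(line)
    if not m:
        return line  # blank or unparseable line: nothing in the client field
    host, rest = m.groups()
    if mode == "drop":
        return "-" + rest
    masked = mask_ip(host)
    # A logged hostname (reverse DNS enabled) identifies the client too: drop it.
    return (masked if masked is not None else "-") + rest

def scrub_log(lines, mode="drop"):
    """Scrub every line; only the leading client field is touched."""
    return [scrub_line(line, mode) for line in lines]

if __name__ == "__main__":
    for out in scrub_log(SAMPLE, mode="mask"):
        print(out)
```

This only rewrites the first field of each line; addresses that the application stores elsewhere (forwarded-for headers, database columns tying an IP to an account) need the same treatment for the records to be gone.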
john q (mail):

If you are concerned with staying anonymous then it's pretty trivial to drive down the street until you find an open WiFi access point. Don't ever use the same one twice though.


Why not twice? What can happen?
2.14.2008 6:34pm
Scote (mail):

Why not twice? What can happen?

Repetition creates patterns.

However, to be truly anonymous you must keep separate computers and never connect the second computer directly to your ISP and never visit the same sites you normally would using the regular computer, especially sites you log into like email.

When you connect to a WiFi hotspot your WiFi transmitter transmits its MAC address. Depending on the WiFi hotspot, this information can be logged along with all of the websites you visited. If your post is traced back from CafePharma back to your WiFi hotspot, your MAC address and other session info could be traced back to you, depending on what sites you visited using that WiFi hotspot (keeping in mind that all your sessions (over weeks, months, years), if logged, can be traced to your MAC address). You only need to visit a site like gmail once in all those times to mess you up.

If you want to be anonymous you have to practice strict compartmentalization. It is a bit harder than one might think. And of course, there are lots of "ifs" in the above scenario. "If" CafePharma logs your IP and if the hotspot logged your session or MAC address and if you didn't spoof your MAC address, and so on. But, it only takes one minor trip up to get caught and people are foolish to assume they are anonymous on the net.
2.14.2008 7:18pm
Sean O'Hara (mail) (www):
Nothing is truly anonymous on the Internet--at a minimum, a website could register the IP address of everyone connecting to the site.


IP addresses are associated with locations, not identities (and not even that if you use dialup). All you have to do is go to a Starbucks, leech off someone's WiFi, or use a Tor network, and the IP address is meaningless.
2.14.2008 7:26pm
Oren:
however, to be truly anonymous you must keep separate computers and never connect the second computer directly to your ISP and never visit the same sites you normally would using the regular computer, especially sites you log into like email.
Sounds like a perfect application for virtualization. Just whip up a virtual machine before you go and nuke the entire thing when you get back.

If you want to be anonymous you have to practice strict compartmentalization. It is a bit harder than one might think. And of course, there are lots of "ifs" in the above scenario. "If" CafePharma logs your IP and if the hotspot logged your session or MAC address and if you didn't spoof your MAC address, and so on. But, it only takes one minor trip up to get caught and people are foolish to assume they are anonymous on the net.
Yes, if you are foolish enough to use your real MAC or do anything that could identify you then you will be caught. It seems to me that anyone with even a passing expertise in computers would be able to figure these things out fairly easily.
2.14.2008 7:40pm
45 (mail):
Yes, if you are foolish enough to use your real MAC or do anything that could identify you then you will be caught.


It depends who your adversary is and what their capabilities are.

If you're up against the NSA for seditious libel then your anonymity is a whole different problem than if you're up against the “Hackers R Us” gang from Advanced Investigation Services.

You need to carefully develop your threat model and analyze your risk —just like every other security problem.

(Btw, sorry about the previous double post... there were some technical difficulties.)


Wilkes and Liberty!
45
2.14.2008 7:52pm
45 (mail):
Stupid url rewriting engines... argh.

Everyone, please DON'T CLICK on the above two links.

Instead, please use: “Hackers R Us” from Advanced Investigation Services.

(In case anyone can't tell, I'm experimenting right now.)


Wilkes and Liberty!
45
2.14.2008 8:07pm
darelf:
It seems most "professional" admins don't seem to be aware that you can fake your MAC address.... along with every other bit of information that is transmitted over the internet... if that's what you wish.

I remember just holding my tongue in my Cisco classes. ( It doesn't pay to make the teacher look ignorant )
2.14.2008 8:18pm
Tony Tutins (mail):
There's nothing sinister about not keeping records. Because they believe in freedom of information, good library practice for years has been to delete borrowers' records as soon as the books are returned.
2.15.2008 10:57am
occidental tourist (mail):
On a guess, this is one of the threads that has inspired interest. The clearest thing is that pharmaceutical bloggers are nowhere near as polite as folks here at the conspiracy. Thank you all.

The thread appears to devolve into an anonymous name calling match between partisans of Merck and Astra Zeneca (Merck owned the first statin reduction drug Mevacor. Astra Zeneca developed competing drug Crestor. 'Then' (whole lot of other maneuvering in between) comes Merck (in partnership with Schering-Plough so that the combined interest is sometimes referred to as MSP) with Zetia (of which Vytorin is a derivative) that operates by a different mechanism intervening with digestive uptake of lipids.

The study at issue compares Vocor, a later Merck statin, to Vytorin -- a combination of Vocor and Zetia looking for the double whammy. Zetia itself was approved independently because evidence from other effectiveness studies indicated that it lowers serum LDL about 20% on its own)

It appears to be of some interest comparing this cafepharma thread and the dates of posting to the chronology of study administration posted by Thomson's and presumably written internally at Pfizer. That obviously is of interest to Congress.



The Spitzer inspired line here is that Merck knew about negative results of the study for some time. The Merck version in the chronology claims that there have been questions about the reliability of the results since 2005 as the study was ongoing leading to multiple reviews of methodology and so forth unrelated to the unknown outcome of Vytorin vs. Vocor.

They talk about biologically implausible results, as in major swings in plaque thickness between ultrasound imagings, unrelated to any knowledge of which drug the study participant was taking.

If anything though, this tends to enhance the position of skeptics of our understanding of arterial sclerosis in the first place who don't necessarily believe that LDL reduction through statins or otherwise should necessarily be the main focus. Of course folks like this are close to falling in the Global Warming deniers kind of category, given the lemming like quality of today's popular science.

Focusing on just the results of this study and whether some flaming bloggers had any inclination of the results I think it pretty fair for a reasonable observer to assume that the study wasn't blowing the doors off of anything whether the results had actually been unblinded or not. The chronology and something that might have indicated a concern to fans of vytorin early on seems to indicate that, read in blinded batches (meaning the ultrasound reader did not know the treatment administered to the subject), some patients were showing anomalous increases in plaque deposition but that none appeared to be showing vast improvements compared to previously existing treatments. You don't need the results to be unblinded to see that it didn't appear to be a very favorable result.

People are so reactionary in this arena and I think it is largely not because drug company tests aren't transparent. It is because costs aren't transparent. If Congress should be worried about anything, it should be a clear system of transmitting the cost of these treatments to those choosing them. Instead they are playing Eliot Spitzer in trying to make a fairly mundane case of corporate footdragging which, in and of itself, should be read by any sophisticated investor as a danger signal.

Further, it took me very little work to find at least one of the purported threads on cafepharma without joining or getting a membership or the like, so sophisticated investors placing a significant stake on these companies had access to this speculation, informed or not, all along.

But in caveat emptor fashion, I'm not sure that one should assume they have a great deal of privacy on the internet. People on the cafepharma are talking about this as censorship, but that is only derivative

People certainly used to talk like this at cocktail parties and generally imagine that it wasn't going to get back to their employers. But I don't think they had an entitlement to privacy if the person they spoke to spilled the beans. OK so what if the person who hosted the party spilled the beans -- based on who knows a note left behind or the conversation is overheard or the person who had the conversation is disturbed by it and tells the host or ... Maybe nobody will come to their parties anymore. Cafepharma has an interest in not disclosing the info but do they owe a duty -- even if they said they don't disclose info -- not to disclose in this circumstance. It seems to me it is their self interest at play and not that of the bloggers.

They claim they don't have the info, probably the smart way to go, get rid of it. So Congress in typical reactionary fashion can try to regulate blogs the same way that Sarbanes-Oxley has boiled down saying they have to keep track of this crap and are criminally liable if you throw out some e-mails that become the subject matter of a subpoena. Maybe that's a good idea because maybe that would mean the average bloghoster would get the idea that Sarbanes-Oxley might not be all it's cracked up to be.

Sorry for the long thought process here, but the substance of these disputes really tends to inform my opinion. While the process questions are theoretically substance independent, I do think the idea of the contested case applies philosophically as well as jurisprudentially.

Just as with steroids in baseball, there is no there there insofar as I can tell. I have a hard time thinking that this is the case over which Congress should test the anonymity of posters on the internet.

And for those alarmed by the cyberspace occupied by this run-on imagine how much I'm cursing Eugene for making me go figure look into this crap before posting.

Brian
2.15.2008 11:03am
zippypinhead:
Most systems administrators have been taught to retain web access logs as a self-defensive method of tracking unauthorized access intrusion attempts. This practice goes back to the dawn of the Internet, and was glamorized in Cliff Stoll's book "The Cuckoo's Egg," where Stoll described how he uncovered KGB intrusions into Lawrence Livermore and other national interest computers. The logs are arguably even more useful today to maintaining system integrity, given increasing problems with malicious intrusions, malware, industrial espionage, etc. from sources ranging from foreign governments to international organized crime syndicates to pimple-faced teenage "script kiddies." Logging is also useful for various other innocuous business reasons, including evaluating system performance, figuring out geographic popularity of a site, etc.

In fact, the Electronic Communications Privacy Act, 18 U.S.C. §2701, et seq., specifically permits providers of electronic communications to the public to voluntarily disclose to law enforcement both records and even substantive communications under certain, limited circumstances. e.g., §2702(b),(c). Much of the rest of ECPA details how the government may legally compel such information from ISPs and other providers.

Law enforcement commonly relies on server logging to obtain the IP address of hits of interest to a web server, then issue compulsory process to the ISP or server assigned the IP address to determine subscriber information and/or the next IP address from which the query "hopped." Given good logs, one can eventually trace any hit or communication back to a specific user's computer. Proxy servers are no barrier, provided the proxy provider itself has logs. All this relies only on historic logging, without the need to resort to Title III or FISA real-time surveillance (that's a topic for a whole 'nother thread).

Bottom line, you're naive if you think you have any reasonable expectation of privacy on the Internet, at least not without taking extraordinary measures. Contrary to the famous old New Yorker cartoon, "on the Internet, everybody knows you're a dog."
2.15.2008 2:27pm
John M. Perkins (mail):
Kudos to occidental tourist.
2.15.2008 4:03pm
David W. Hess (mail):
Most if not all operating systems can be configured either inherently or through a separate application to assign a random MAC address to each ethernet adapter. In some cases, this extends to doing so every time that an adapter negotiates an ethernet connection. For some hardware, this has to be done because the default MAC address stored on the adapter was never assigned by the manufacturer.

Even when using IPv6 where the IPv6 address is usually a concatenation of the local subnet address and the ethernet adapter's 48 bit MAC address (exposing the local MAC address to the general internet), this can be changed to either use the randomized MAC address to generate the IPv6 address or a completely independent random 48 bit number can be used. Microsoft Windows supports the latter inherently for security reasons.

On my own web server, I only maintain logs going back for about a week. Anything longer just takes up excessive space and would only rarely be useful. If something happens that I want to keep track of, I can start a specific separate logging process.
2.16.2008 11:33am
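Added example, not part of the thread: a check an administrator can run over a host's own IPv6 addresses to see whether the interface identifier is the MAC-derived "modified EUI-64" form (RFC 4291) that the comment above describes, in which `ff:fe` is inserted into the middle of the MAC and its universal/local bit is flipped. The addresses and the MAC are constructed samples in the documentation prefix, and the function names are illustrative.

```python
import ipaddress

# Constructed samples: the first was built from MAC 00:11:22:33:44:55,
# the second uses a random interface identifier.
SAMPLE_ADDRESSES = [
    "2001:db8:aa:bb:211:22ff:fe33:4455",
    "2001:db8:aa:bb:9c3e:51a7:4d2:e8f1",
]

def eui64_address(prefix, mac_text):
    """Build the address stateless autoconfiguration derives from a MAC."""
    mac = bytes(int(part, 16) for part in mac_text.split(":"))
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then insert ff:fe between the halves.
    iid = bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def eui64_mac(ipv6_text):
    """Return the MAC embedded in the low 64 bits, or None if not EUI-64.

    The ff:fe marker is a heuristic: a random identifier matches it by
    chance about once in 65536 addresses.
    """
    iid = ipaddress.IPv6Address(ipv6_text).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None if it exposes none)."""
    return {text: eui64_mac(text) for text in addresses}

if __name__ == "__main__":
    for address, mac in audit(SAMPLE_ADDRESSES).items():
        print(address, "->", mac or "no embedded MAC")
```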