Showing posts with label misc. Show all posts

Tuesday, July 06, 2010

TinyChat Responds to Inquiry Regarding Public IP Disclosure

This is a follow-up to the story TinyChats Privacy Policy and IP Disclosure.

I requested information from Tinychat regarding their policies on disclosing members' IP addresses publicly when a chat room is closed, and they claim it is specifically to allow law enforcement to see IP addresses when a room is terminated.  Here is what I asked them:

1. Why do you feel the need to display users' IP addresses of individuals in a room that has been closed by Tinychat staff/moderators?
2. How long does this list containing users' IP addresses remain up on your server for?
3. Is it possible for an individual to request to have their IP removed from this list?
4. Do you feel you are acting responsibly and providing safety and security to your users by publicly displaying their IP addresses in a room that has been closed?
5. Do you believe there is any security risk or privacy concern by displaying individuals' IP addresses publicly in this way?
6. Do you have any further comments on why you have this policy at Tinychat and if you plan to continue to do so in the future?

Their response:

Room closures can happen when a federal or state law enforcement officer contacts us, requesting us to do so. Regrettably, the option to close or not close a room is not always in our hands, as we have to obey requests from law enforcement just like any other company. We would of course like to never have to close a room but as I said, this is not always in our control. We have been publicly posting the IPs for the ease of the LEO Agent in those situations, however I do agree that this data should not be posted publicly and I will be discussing internally and with law enforcement ways that we can continue to obey their requests without publicly showing this data. Additionally, if you can give me the room name in question, I can expedite the removal of that from public view.
Regards
-Tinychat

So, Tinychat claims that their room closures happen when law enforcement contacts them.  I do not believe this is always the case, as I'm sure law enforcement officers aren't sitting back and waiting for girls to get nude on Tinychat so they can close a room and post IPs.  Furthermore, if violations do occur and law enforcement requests information about a room, there is no distinguishing information as to who was active, who was displaying a cam, who was moderating the room, etc., making it nearly impossible to determine anything relevant that could be used in an investigation or a prosecution.

I believe Tinychat simply does this to embarrass users and discourage them from returning.  Obviously Tinychat wants to run a clean service that does not include nudity or issues of persons under legal age, which brings up a whole host of problems for a site like this due to COPPA, the Children's Online Privacy Protection Act.  I believe Tinychat is technically in violation of COPPA since they allow unregistered users to display themselves on camera in public chat rooms viewable by other anonymous visitors.

At this point, I do not believe anyone in the misc who was in a Tinychat room and has had their IP publicly posted should be concerned about being contacted by law enforcement.  But, I will try and determine more about the situation from Tinychat directly.

If any user wanted to continue to use the Tinychat service, regardless of their highly questionable privacy policy, I would recommend using some form of proxy tool, such as Anonymizer, to mask their IP address from being viewed and logged by Tinychat.

It is a plus on Tinychat's end that they are reviewing this policy internally, as they say, and hopefully will mend their ways.  I will contact them back further and post more updates as they come in.  Feel free to add your comments, questions, concerns and input.

UPDATE: TinyChat failed to respond to my further inquiries about their policies, as did the EFF when I put the question to them regarding the legality of TinyChat's policies.  I have heard no further updates or complaints from users about having their rooms closed and their IPs posted, so this issue may have been resolved.  However, if you know otherwise, please let me know by leaving a comment or sending me an email through my contact link on the right.  It appears that TinyChat is no longer publicly posting users' IP addresses when rooms are closed.  If you find information showing otherwise, please let me know.

Thursday, July 01, 2010

TinyChats Privacy Policies and IP Exposure

TinyChat is a service that provides users with a web-based chat room and the ability to stream multiple live webcams in their rooms.  Their service is very simplistic and uses an IRC-like interface, similar to Justin.tv, with the exception of the ability to have more than one cam stream going at a single time.  Like most cam sites, they have terms of service and privacy policies that disallow certain behaviors, such as vulgarity or nudity on cam.  But TinyChat goes a step further with their policies when they feel that users have misbehaved and punishes them by not only closing the room, but publishing a list of all the users who were present when the room was running along with their full IP addresses.

Tinychat may terminate any user's access to the network, Web site and service and remove any content posted, for any reason. Tinychat reserves the right to modify or discontinue and portion or component of the service at any time and with or without notice. Tinychat shall not be liable to any user or any third-party for any termination or modification of service. By using the tinychat service you agree, that should any room be closed for any reason that all users data who may be in the room may be disclosed publicly.
 TinyChat Privacy Policy and Terms of Service

This is an abhorrent practice on TinyChat's part: exposing any member's IP address publicly without any way for the user to request it be removed.  This information can give away a user's location and allow individuals with malicious intent to potentially attack the IP address using denial of service attacks or port scans to look for vulnerabilities or holes in the user's system.

The Misc Incident


Last night on Bodybuilding.com's Misc section a user started a thread that linked to a Tinychat room with him and a female companion.  According to the user, franchise16, no nudity was recorded on cam during the chat session, but in the end, the Tinychat staff felt it necessary to close down the room and then proceeded to display the IP addresses of all the users who were currently in that room at the time.


As of the time of this posting, Tinychat still has left this information up.  As a further example of the abuse potential this opens up, a number of users took the entire list of IP addresses and claimed to post them on 4chan, to allow the members there to potentially exploit the list for nefarious purposes.  I cannot verify this claim, however.

I spoke to the user who started the Tinychat room, franchise16, and asked him for an overview of the events. Here is a summary of what he said happened:

Made thread bout POF [Plenty of Fish] girl comin over
[She] Came over, had webcam open and screen off on macbook, told them mac was for music
Carried it around with me
Brought on to porch where we fooled around, was too dark to see
Had about 500 users viewing it in the room
Brought it inside and into the room
We made out for a bit on bed
Took titties out, no nudity was recorded I don't believe
[The feed] Was cut about 2 min after mac was brought into room
Rest happened off cam
All IPs were posted in tinychat room but for some reason not me or any other canadian brahs

I asked him if there was any nudity shown on cam and he responded that there was not.  He also confirmed that the girl was of legal age (18) and that this was therefore not any sort of situation of child pornography.  franchise16 said that no Tinychat staff warned him in advance that he was violating any terms or that he should stop the cam feed before the room was closed and all the users' IPs were posted.  Regardless of whether there even was nudity displayed on cam in the Tinychat room, Tinychat should not endanger its users' security by publicly "outing" them by posting their IP addresses when a room is terminated.

Because of this incident, I would recommend that no one use Tinychat.  The risk of having your IP posted without any warning or notification is not one that you should be willing to take.  When using IRC servers that do not obfuscate IP addresses, users are aware that their IPs are being displayed publicly, but Tinychat doesn't do this openly or have any sort of whois command so that users' IPs can be displayed to other users, outside of Tinychat staff.

I will contact Tinychat's support and report back with their response.

UPDATE: Tinychat has responded to my inquiry.  See the post TinyChat Responds to Inquiry Regarding Public IP Disclosure for the follow-up.
