Monthly Archives: February 2012

The White House Releases a Blueprint for Privacy in the Information Age

The Obama administration has released details of a consumer-privacy strategy to help protect users online. Dubbed the “Consumer Privacy Bill of Rights”, it is being positioned as a blueprint for privacy in the information age. Key elements include clear guidance on what consumers should expect from those who handle their personal information, and a set of expectations for companies that process and use that personal data.

“Never has privacy been more important than today, in the age of the Internet, the World Wide Web and smart phones,” Pres. Barack Obama wrote in a cover letter for the report. “In just the last decade, the Internet has enabled a renewal of direct political engagement by citizens around the globe and an explosion of commerce and innovation creating jobs of the future. Much of this innovation is enabled by novel uses of personal information. So, it is incumbent on us to do what we have done throughout history: apply our timeless privacy values to the new technologies and circumstances of our times.”

In specific terms, the proposal calls for:

Individual Control
Consumers have a right to exercise control over what personal data companies collect from them and how they use it.

Transparency
Consumers have a right to easily understandable and accessible information about privacy and security practices.

Respect for Context
Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

Security
Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy
Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.

Focused Collection
Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability
Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.

Probably the most powerful of the provisions is the right of Individual Control. The report says that companies should provide consumers appropriate control over the personal data that consumers share with others and over how companies collect, use, or disclose personal data. With the recent scandals about how much data companies like Facebook and Google collect about their users, the ability to opt out, or at least exercise some form of control, is long overdue. In talking about individual control the report says that “companies should enable these choices by providing consumers with easily used and accessible mechanisms that reflect the scale, scope, and sensitivity of the personal data that they collect.” Additionally, the report says, “companies should offer consumers clear and simple choices, presented at times and in ways that enable consumers to make meaningful decisions about personal data collection.” With regard to opt-outs, something sorely missing from Google’s recent privacy policy changes, companies should offer consumers means to withdraw or limit consent that are as accessible and easily used as the methods for granting consent in the first place.

It isn’t clear if this privacy bill of rights will ever make its way into law. The report repeatedly uses phrases like “encourage stakeholders”, “codes of conduct” and “discretion in how [to] implement them.” However, there is hope, as the text does mention working “with Congress to enact these rights through legislation,” while Obama wrote “my Administration will work to advance these principles and work with Congress to put them into law.” The report also recognizes the need for FTC enforcement to ensure that responsible companies are not disadvantaged by competitors who play by different rules.

Twitter Stealing Smartphone Contacts

In another blunder by a top social networking site, Twitter has confirmed that its iPhone app copies the entire address book from a user’s smartphone and stores the data on its servers, for up to 18 months, without the user’s permission. As with many privacy breaches, the “need” to take private, confidential data comes wrapped in innocence and convenience. In the case of Twitter it is the “Find Friends” feature. This feature, which uploads names, phone numbers and email addresses, is used to identify possible friends who also use Twitter. Twitter’s blatant privacy blunder has two parts. First, the app should notify the user that it will now upload the entire contents of the user’s address book to Twitter’s servers. This is something that isn’t made clear by the app, although it might be written somewhere in tiny print in Twitter’s privacy policy. Secondly, the data should never, never be stored. Even if I do want Twitter to snoop around my address book to automatically find my friends, and even if I might let them upload my data to their servers to do this, I will never give my permission for this upload to remain on their servers for 18 months. This upload should be temporary and deleted as soon as the Find Friends search is complete.

What about other social networking sites?
The first time this problem was seen was not with Twitter but with Path, a social media service which provides a “simple way to keep a journal, or ‘Path’, of your life on the go.” Developer Arun Thampi was looking into the way the Path protocol worked when he noticed that his entire iPhone address book (including full names, emails and phone numbers) was being sent to Path. He blogged about his discovery, which in turn caused the CEO of Path, David Morin, to issue an apology: “We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.” Path then issued a statement that it had deleted the entire collection of user-uploaded contact information from its servers.

This then caused privacy experts to start looking at other social networking sites including Facebook, Foursquare, Instagram, Foodspotting and Yelp. It turns out that they all send data from your smartphone’s internal address book to their servers. Several do so without first asking permission. Instagram and Foursquare now ask for permission, but only since the issues at Path came to light.

Apple and Congress

Apple runs a very tight ship when it comes to its App Store, with apps taking days (even weeks) to be approved before being published. According to Apple’s guidelines: “Apps that read or write data outside its designated container area will be rejected” and “Apps cannot transmit data about a user without obtaining the user’s prior permission.” Unless you are Twitter, Facebook or Path, that is! This slip-up by Apple has led two US congressmen to write to Tim Cook, the CEO of Apple, asking why the company allows the practice on the iPhone. In the letter they say that “this incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts.”

Back to Twitter

Path issued new versions of their app (for iPhone and Android), as have Instagram and Foursquare. It seems that Twitter will do the same:

“We want to be clear and transparent in our communications with users. Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends – to be more explicit,” Twitter spokeswoman Carolyn Penner said to the BBC.

Facebook’s Deleted Photos That Never Go Away

The problem with digital media (as opposed to physical media like books and real photographs) is that it is very hard to delete. What do I mean by that? On a computer, just deleting a file doesn’t actually mean it has gone; it just means that the file has been marked as deleted, and when you ask the computer to display a list of files in a folder the deleted files are skipped. However, the actual data is still on the hard drive. This problem is multiplied once you upload something to the Internet, because a) you don’t have any control over the server where the file is stored, and b) the viral nature of the Internet means that files can be quickly copied and cached, so multiple instances can come into existence in just seconds.

The problem was illustrated this week by CNN, who published a report condemning Facebook for keeping images live and available on the Internet three years after they were deleted! According to Facebook, its older systems for storing uploaded photos “did not always delete images from content delivery networks in a reasonable period of time even though they were immediately removed from the site.” I am guessing Facebook defines “a reasonable period” as anywhere under five years! The problem is analogous to deleted files on a hard drive. Although the deleted photos no longer appear in a user’s photo album, they do actually still exist and can be accessed years after they were deleted via a direct link.

The persistent photos issue was first discovered in 2009 when Ars Technica noticed that even if a Facebook user had second thoughts about a picture they had posted and deleted it from their album, it remained accessible if anyone had a direct link to the image file in question. At the time Facebook said it was “working with [its] content delivery network (CDN) partner to significantly reduce the amount of time that backup copies persist.”

The ramifications of this action by Facebook are huge. The CNN report highlights the story of one Facebook user who discovered that a friend had innocently posted a picture of his toddler crawling naked on the lawn. He asked his friend to take it down, which he did. This was back in May 2008. Today, nearly four years later, the picture is still online! There is a whole gamut of photos that people have posted online which they later decide to remove, including photos of ex-boyfriends or ex-girlfriends, ex-husbands or ex-wives, and all those embarrassing photos which seemed funny at the time but which, once sanity had returned, you realised were better deleted.

I am very sensitive about photos of my children being posted online. I just don’t do it. But from time to time others, who are unaware of my wishes, post photos of them. Even if I ask them to remove them (which they nearly always do), the damage has been done.

So what can you do?

  1. Never, never, never upload pictures in haste. Always check what you are uploading. Once you hit the upload button and they disappear into the ether, it is almost impossible to ensure proper deletion.
  2. Never, never, never upload photos of other people without their permission. This is an invasion of privacy.
  3. Make sure you use tools like Ace File Shredder, which prevents deleted files (on your hard disk) from being recovered.
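The point made above about deletion only hiding a file, and the reason a file shredder (item 3) helps, can be seen in miniature with a toy model. This is an added example, not code from the original post or from any shredder product: a constructed flat filesystem with a directory table, a free-block bitmap and raw blocks, where `delete` behaves like an ordinary operating-system delete and `shred` overwrites before freeing.

```python
BLOCK = 8  # constructed block size, bytes; real filesystems use 4 KiB or more

class ToyDisk:
    """Flat toy filesystem: a directory table, a free-block bitmap, raw blocks."""

    def __init__(self, blocks: int) -> None:
        self.blocks = [bytes(BLOCK)] * blocks        # raw storage
        self.free = [True] * blocks                  # allocation bitmap
        self.directory: dict[str, list[int]] = {}    # file name -> block indices

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
        idx = [i for i, is_free in enumerate(self.free) if is_free][:len(chunks)]
        if len(idx) < len(chunks):
            raise OSError("disk full")
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK, b"\0")
            self.free[i] = False
        self.directory[name] = idx

    def listdir(self) -> list[str]:
        return sorted(self.directory)  # only entries still in the table are shown

    def delete(self, name: str) -> None:
        # Ordinary delete: drop the directory entry and mark the blocks free.
        # Nothing touches the bytes themselves, which is what the post describes.
        for i in self.directory.pop(name):
            self.free[i] = True

    def shred(self, name: str) -> None:
        # Shredder-style delete: overwrite every block first, then delete.
        for i in self.directory[name]:
            self.blocks[i] = bytes(BLOCK)
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        # What recovery tools do: scan the raw blocks, free or not, for content.
        return needle in b"".join(self.blocks)

def demo() -> dict[str, tuple[bool, bool]]:
    """Return (still visible in listing?, recoverable from raw disk?) per method."""
    disk = ToyDisk(16)
    disk.write("photo.jpg", b"SECRET-PHOTO-BYTES")        # constructed content
    disk.delete("photo.jpg")
    after_delete = ("photo.jpg" in disk.listdir(), disk.carve(b"SECRET-PHOTO"))
    disk.write("notes.txt", b"OTHER-PRIVATE-NOTES")       # constructed content
    disk.shred("notes.txt")
    after_shred = ("notes.txt" in disk.listdir(), disk.carve(b"OTHER-PRIVATE"))
    return {"after_delete": after_delete, "after_shred": after_shred}
```

After an ordinary delete the file is gone from the listing but its bytes are still carved out of the free blocks; after a shred both checks come back false.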


Google Makes Big Changes to its Privacy Policy

The company whose mantra is “do no evil” has been accused this week of doing evil when it announced some big changes to its privacy policy. The controversial changes mean that Google will get rid of over 60 different privacy policies across the company and replace them with one. There are two reasons for concern. Firstly, Google will now monitor and collate user activity across all of its major Web services including YouTube, Gmail, and its search engine. The videos you watch, the things you search for and your email will all be cross-referenced and analysed by Google, who are now basically spying on you. “Our new Privacy Policy makes clear that, if you’re signed in, we may combine information you’ve provided from one service with information from other services” wrote Alma Whitten, Director of Privacy, Product and Engineering. The second concern is that there is no opt-out except to either a) stop using Google products altogether or b) sign in and sign out every time you move from, say, Gmail to YouTube or YouTube to Google Search, so that Google can’t track your movements.

Microsoft has been quick to comment on these new changes (as they want users to move over to their products). “The changes Google announced make it harder, not easier, for people to stay in control of their own information,” said Frank Shaw, Corporate Vice President for Corporate Communications at Microsoft, in a blog post. “We take a different approach–we work to keep you safe and secure online, to give you control over your data, and to offer you the choice of saving your information on your hard drive, in the cloud, or on both.”

Of course, Google has been collecting this information all along; however, this is the first time that it will combine the data across its services to create a full profile of each of its millions of users. The problem is that there is no way we can really comprehend the implications of Google collecting all this data across all of its services. Will the profile it builds about you include information about your health, political opinions, religion and financial concerns? Is the giant computer system portrayed in the popular Person of Interest TV show starting to become a reality?

The irony here is that according to Google’s Privacy principles users have the right to make meaningful choices to protect their privacy – “People have different privacy concerns and needs. To best serve the full range of our users, Google strives to offer them meaningful and fine-grained choices over the use of their personal information.” This is no longer true with the new Privacy Policy. There are no meaningful choices other than yes or no and there is certainly no fine-grained control of any sort.

However, there is something positive to say about Google’s latest privacy move: it does simplify everything. Who had the time, energy or experience to read 60 different privacy policies? Now there is just one. And in all fairness, Google have tried to write it in a simple-to-understand manner. Of course, that doesn’t mean it is a good policy!

You can preview the changes here. Google’s new Privacy Policy will take effect from March 1, 2012.