Monday, June 28, 2010

Mandatory Disclosures of Privacy Breaches in Saskatchewan

This headline popped up in my Star Phoenix news feed the other day:

"Province Ponders Revealing Privacy Breaches"

I quote, from the article:
"The issue here is this is people's private information," said NDP house leader Kevin Yates. "When your private information has been given to a third party, people have a right to know that, not only the individual but the public also has a right to know that if their information guarded by SGI . . . or held by any agency is allowed to be made public. That is of concern to everybody."
Kudos, Kevin Yates and everyone who agrees with this idea! Citizens should absolutely have a right to know about when their private data has been accidentally distributed to third parties.

To those of you who are on the fence: other organizations know a lot about you. Saskatchewan Health Region knows your health, the U of S knows your academic record, the Government knows your name, address, and SIN number. The fact that organizations are not legally obliged to disclose privacy breaches is crazy!

Here's an even better idea. What if the law required organizations to notify citizens of ANY time their personal information is disclosed (en masse) by any organization? This would mean that any time your information is lost, leaked, sold, accessed or otherwise distributed, you know about it. Let's assume there's a fair use exception, like if a contractor needs to let a subcontractor know your address for work you've hired the contractor to do.

There would be two immediate benefits to this system: For one, citizens have the benefit of knowing who is holding their private information. Secondly, if violators faced significant fines, organizations would have to tighten their control of private data - especially in Regina, where medical records have been found blowing around on the street.

On the scale of confidential, need-to-know, and right-to-know, I'd argue that when your personal information is involved, notification of privacy breaches should be a right.

Friday, June 25, 2010

Add my name to the "Traditional Media Sucks" list.

Robyn wrote a post about how Cineplex is scamming movie-goers out of Scene points by making their website unnecessarily difficult to use and making their customer service robots exceptionally useless. Her experience reminded me of this graphic that had its day of fame on the internet a few months back, which highlights how difficult it is for an honest, paying customer to access content with no strings attached.

Tech and media bloggers have covered this idea to death, but I need to add my name to the "traditional media sucks" list.

I am not the ideal consumer of traditional media (I'm mostly thinking about everything but music):
  • I don't have a cable or satellite TV subscription, and the farmervision at my place is so fuzzy it's unwatchable. 
  • I don't have any newspaper or magazine subscriptions (I read the Star Phoenix's RSS feed). 
  • I watch/access/download all of my video media online, through various channels and to various devices.
  • I read/discover/find all of my written media online, mostly with blog subscriptions through Google Reader, but also through link discovery sites like Reddit and "I feel like looking up X" sites like Wikipedia. 
  • I am opposed to DRM that makes media that I pay for harder to enjoy in ways I choose to enjoy it, like watching it on multiple devices. 
  • I DO listen to CBC Radio! That's about it for traditional media. 
Each month, I'm as happy as a clam to give Shaw Cable tons of my hard-earned dollars for (practically) unrestricted and unlimited access to the internet, as fast as they can deliver it. It's the most brilliant business model out there. I give you a bunch of money, and you give me every type of entertainment I could possibly want, no strings attached. 

There are exceptions to the everything-but-the-internet-is-free rule. When something is really, really awesome - you pay extra. A good example is Xbox Live. After not playing video games for most of university, I'm hooked again - it's $60/year (plus associated costs for games and hardware) for some of the most fun group or solo entertainment out there. In my opinion - totally worth it, at least for me. 

The problem is when un-awesome things want you to pay extra. This could mean payment in money (obvious) or your time (perhaps not as obvious). For example, Rupert Murdoch's Times newspaper has just put a "registration wall" on their site. This means you have to register to read the news. No payments (yet). Guess what happened - their readership immediately dropped by 50%, because consumers don't want to waste their time - even if it's as trivial as entering your name and email address. 

With Cineplex, not only do you pay for the content ($11 per movie per person! Insane!), you pay full price with your time: inefficient pre-payment systems, an absurdly non-integrated Scene card system, lineups, commercials, previews, a few more commercials, and then the movie. If I can modestly suggest my time is worth, say, $20 per hour, it cost me nearly $30 in my own time just to anticipate seeing Toy Story 3 (tickets, lines, waiting in the theatre, commercials, previews, etc). It's a good thing I enjoyed the movie!! 

Here's the point: Content always trumps everything else, accessibility is a close second. If your content is high-quality and is in some way unique, I will be a happy consumer and gladly pay you for it. If your content is hard to access and is replaceable, it will be replaced (quickly). If you go out of your way to make it hard to pay for and enjoy your content, I will go out of my way to enjoy it for free. 

So, Rupert, good luck getting me to subscribe to the Times when there are 4,999,999,999,999 other websites out there. And Star Phoenix, THANK YOU for allowing me to access previews of your content through RSS - I frequently click through to read the articles (and therefore see your ads). 

And Cineplex/Galaxy Cinemas - count yourself lucky that I tolerate your crap a few times per year. But make no mistake, I don't want you and I don't need you!

Tuesday, June 22, 2010

Canadian Privacy Commissioner's Google Street View Probe: Let's Drop It

On Friday, May 14, 2010, Google announced that their camera-laden Street View cars had inadvertently been collecting unencrypted wifi data:

"...we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products." (source: Google)
I recommend reading Google's entire explanation for an example of a perfect admission of wrongdoing and accompanying apology. Straight out of the good communication textbook, Google:
  1. Acknowledged their wrongdoing (collection of unsecured wifi data);
  2. Recognized feelings of anger, frustration, disappointment and betrayal;
  3. Took full responsibility for their actions;
  4. Explained their error without assigning blame;
  5. Offered a sincere apology;
  6. Offered an immediate fix for the problem (grounding of all Street View cars, contacting government regulators about how to dispose of the data).
In response, Canada's Office of the Privacy Commissioner is launching a full investigation into what happened (see link for news release).

Says Privacy Commissioner Jennifer Stoddart:

“We have a number of questions about how this collection could have happened and about the impact on people’s privacy. We’ve determined that an investigation is the best way to find the answers.”
But... don't we already have the answers? Google collects data, Google realizes mistake, Google releases details of exactly what happened and how, Google gets in touch with governments so they can delete this data properly. And because Google collected the data and not evil hackers, guess what the impact was: nothing.

I like the Office of the Privacy Commissioner. They're a taxpayer-funded office who promote and protect the individual privacy rights of Canadians - and I'm down with that. They've slapped Facebook into shape on more than one occasion. But do we need to be spending taxpayer dollars on an investigation where there isn't anything to investigate?

Canada isn't the only country getting up in arms. The Consumerist is reporting that 30 American states are banding together for an investigation of their own. 

Here's the real issue. The data in question that was collected by Google was pulled off unsecured wireless networks. In layman's terms, that's a network without a password and encryption. People were (in all fairness, unknowingly) broadcasting their internet interactions for the world to see. Yes, that includes emails and passwords!

Forget about Google, what about Wardriving? There are far less-responsible people and organizations than Google who are pulling information from unsecured networks all of the time. Suddenly, the fact that Google's sitting on information from our private networks is awesome - now that they have it, they can protect it, they know they have to get rid of it, and they can't use it maliciously. And they're good at security. When Chinese hackers hacked Google, Google hacked them back.

The Office of the Privacy Commissioner should be helping Canadians by lowering the number of people who are accessing the internet over unsecured networks. They should be developing ways to make sure products like routers and laptops are safe (privacy-wise) to use out of the box, and to promote the use of secure protocols to websites that handle sensitive information (banks, social networks, email, etc). They should be finding ways to better educate the public on taking privacy matters into their own hands. They should be working with Google to dispose of that private data as quickly as possible, rather than work against them through an investigation. They should be developing programs so that everyone can understand privacy and data in the digital age.

Forget about this investigation. It should be the end-user's responsibility to take steps to protect their own privacy. No user is perfect - I've helped lots of people with different computer issues, and I've made plenty of mistakes myself. No hardware is perfect - many wireless routers are "broken" out of the box, in that their out-of-box settings are terribly insecure. Lastly, no software is perfect - Google's Street View cars were obviously flawed.

Still, individuals must accept a higher degree of responsibility for their digital privacy and security. Nobody would paint their SIN number on the side of their house, yet there are plenty of unsecured wireless networks doing just that.

Sunday, June 20, 2010

Professional Memberships and Value

As a recent engineering graduate, I've had lots of opportunities to think about professional memberships over the past few weeks.

For instance, I've submitted an application to register as an Engineer-In-Training ("EIT") with APEGS, the Association of Professional Engineers and Geoscientists of Saskatchewan. I need to demonstrate four years of mentored, acceptable engineering experience before I can be licensed to practice engineering in Saskatchewan - until then, others will approve ("stamp") my work for me. This is similar to a doctor's residency or a teacher's practicum/internship. There are clear benefits to this membership: a government-recognized professional designation that will enhance my ability to practice engineering, earn wages, and accept work. The fees are around $150/year, but my employer covers them. Either way, good value!

Another example: As a student, I was a member of the SESS, the Saskatoon Engineering Students' Society. Some years I was an active member, others not - but the $20/year fee was completely reasonable for a free mug and stack of problem paper, plus discounts on other engineering merchandise throughout the school year. Decent benefits for a low cost = good value.

Which brings me to the IEEE.

The IEEE is a huge international association "for the advancement of technology related to electricity" (Wikipedia). They have lots of responsibilities and areas of expertise, but most people have heard of the IEEE through international standards like IEEE 802.11 for wireless internet.

When I entered my second year of Electrical Engineering at the U of S, I was told to join the IEEE and stay in it because "employers look for membership on resumes." So I joined for about $35/year (student rates) and added it to my resume.

As a student, there were some good perks. The IEEE student branch at the U of S is very active, and they provide students with great academic, technical, and social resources. The best perk, however, was an under-advertised one: free, completely legitimate software through the Microsoft Developer's Network Academic Alliance. Thanks to the IEEE, I'm running a legitimate copy of Windows 7 on my desktop. I grabbed some other licenses as well - SQL Server 2008, Visio, and a spare XP SP3 license.

As far as other benefits go, I have my doubts about whether it was my IEEE membership that triggered multiple interviews and job offers during my job hunt. I'd like to think that my experiences outside of my IEEE membership were what qualified me.

Now that I'm done school, the ONLY communication I get from the IEEE is constant, never-ending insurance offers in the mail. Every 2-3 months, I have another group insurance offer - no joke. I have one on my desk right now. Oh, and my dues will now be $160/year and I don't get the free software perk because I'm not a student member. Is this what an IEEE professional membership is all about?

(Creative Commons image by Clay Larsen on Flickr)

When I was doing some research for this post I found this video where people were interviewed about member benefits of the IEEE. They mentioned benefits like leadership opportunities, social activities, reading articles online, going to conferences, hands-on experience, and connecting with colleagues. That's great, but these are all things I can do without this membership. When asked, "why is your IEEE membership important," one interviewee responds with, "Well, I can't envision not being in the IEEE." You haven't sold me.

I'm getting to my point in a convoluted way. My revelation was similar to the one in my last post about Facebook: If I don't need it and it doesn't add value to my life, why put up with it?

A lot of people find value in the IEEE, and I believe they're an important global organization. But I think they've failed to maintain communication with the "little member" - the upcoming or recent graduate who wasn't as involved with local student IEEE events and really can't see the bigger picture. I've received a dozen insurance offers, and zero newsletters or updates about the IEEE otherwise (though I do receive a magazine, Spectrum, that's really interesting).

By pelting me with insurance offers, the IEEE has cast itself as a robo-caller; a spammer; an insurance salesman. Organizations can't build trust like this. There is a disconnect between the trustworthiness of the IEEE Student Branch (who organize events and provide members with tangible benefits) and the massive IEEE organizational machine that seemingly just wants to sell me insurance.

The IEEE haven't demonstrated their value to me, and that's why I won't be renewing my membership once it expires.

(full hypocrisy disclosure: I am going to the IEEE Graduates of the Last Decade BBQ in July - organized by former IEEE Student Branch members)

Saturday, June 19, 2010

The Internet Beyond Facebook

I deleted my Facebook account just before it was "cool" - at the end of April 2010. See? This is the Google Search Trends for the query "delete Facebook":
It was just after I read the Eroding Privacy Timeline, published by the Electronic Frontier Foundation, and right before these events happened:
Yes, May 2010 was a bad month for Facebook and I am glad I got out when I did (not that my account was actually deleted).

Here's a fair question of me: If I care so much about online privacy issues, why do I have a blog, a homepage, a Google/Gmail account, a Twitter account, etc?

For one, most of the online services I subscribe to have fairly easy-to-read and easy-to-digest privacy policies (example: Gmail. Counterexample: Facebook's privacy policies over time). Second, my favourite services often give me an easy way out - it's easy to delete accounts, unlike Facebook. Third, most of these services have spent a lot of time building and earning my trust as a user - Facebook has always been sketchy. Fourth, and perhaps most importantly, the services don't radically change over time, at least not to the insane degree that Facebook has changed from privacy-centric to advertiser-centric.

(I'll admit that the services I like aren't without flaws. I am a fan of Google products but they dropped the ball with Google Buzz when it was released).

There's a difference between leading a private life and the expectation of the right to privacy. For example, from Fall 2008 to Spring 2009 I spent months trying to get more information on the secret yellow tracking dots that colour laser printers use to identify document owners (it's not a conspiracy theory!). I got in touch with Lexmark and they eventually offered to give me a full refund on my years-old colour laser printer, but I was more concerned with the overall privacy issue at hand, not my personal privacy. I declined the offer.

Back on topic. Privacy issues aside, Facebook had evolved into a service that just wasted my time. I'd log in (several times per day, usually) and just creep updates. Then, I realized that the reasons most people used Facebook suddenly no longer applied to me!
  • Photo sharing - Facebook does this well, but there are free alternatives with more flexible privacy controls like Flickr and Google's Picasa.

  • Staying in touch with friends and family - That's why I have a phone (voice/text/BlackBerry Messenger) and email.

  • Reconnecting with old friends - There are lots of other ways to do this.

  • Connecting with organizations through Fan Pages - Often congested and ugly for big organizations and under-used and neglected for small ones. Also, this feature is now less about connecting and more about marketing.
I'm not arguing that everyone should delete their Facebook account; I am arguing no-one should feel trapped by something they optionally use. If you feel trapped, it's a sign you need to escape.

I felt cut off for the first few days after deleting my Facebook account, but now that it's gone, I don't feel like I am missing anything - I can waste my time doing other things! My subconscious urge to constantly check it is gone - I've escaped from the trap!

About Me

My name is Brahm. I finished University in April 2010, and already I miss writing. I am hoping this blog can satisfy that craving!

I'm interested in technology, privacy, communication, geeky stuff, technology, consumerism, Canadian and Saskatchewanian (is that a word yet?) news, and more. I've been thinking about some of these topics for a few weeks now and have a "to-write" list that I'm hoping to get through.

For more about me or the projects I've worked on, check out my website -