Monday, June 28, 2010

Mandatory Disclosures of Privacy Breaches in Saskatchewan

This headline popped up in my Star Phoenix news feed the other day:

"Province Ponders Revealing Privacy Breaches"

I quote, from the article:
"The issue here is this is people's private information," said NDP house leader Kevin Yates. "When your private information has been given to a third party, people have a right to know that, not only the individual but the public also has a right to know that if their information guarded by SGI . . . or held by any agency is allowed to be made public. That is of concern to everybody."
Kudos, Kevin Yates and everyone who agrees with this idea! Citizens should absolutely have a right to know when their private data has been accidentally distributed to third parties.

To those of you who are on the fence: other organizations know a lot about you. Saskatchewan Health Region knows your health, the U of S knows your academic record, the Government knows your name, address, and SIN number. The fact that organizations are not legally obliged to disclose privacy breaches is crazy!

Here's an even better idea. What if the law required organizations to notify citizens ANY time their personal information is disclosed (en masse) by any organization? This would mean that any time your information is lost, leaked, sold, accessed or otherwise distributed, you know about it. Let's assume there's a fair use exception, like if a contractor needs to let a subcontractor know your address for work you've hired the contractor to do.

There would be two immediate benefits to this system: For one, citizens have the benefit of knowing who is holding their private information. Secondly, if violators faced significant fines, organizations would have to tighten their control of private data - especially in Regina, where medical records have been found blowing around on the street.

On the scale of confidential, need-to-know, and right-to-know, I'd argue that when your personal information is involved, notification of privacy breaches should be a right.

Friday, June 25, 2010

Add my name to the "Traditional Media Sucks" list.

Robyn wrote a post about how Cineplex is scamming movie-goers out of Scene points by making their website unnecessarily difficult to use and making their customer service robots exceptionally useless. Her experience reminded me of this graphic that had its day of fame on the internet a few months back, which highlights how difficult it is for an honest, paying customer to access content with no strings attached.

Tech and media bloggers have covered this idea to death, but I need to add my name to the "traditional media sucks" list.

I am not the ideal consumer of traditional media (I'm mostly thinking about everything but music):
  • I don't have a cable or satellite TV subscription, and the farmervision at my place is so fuzzy it's unwatchable. 
  • I don't have any newspaper or magazine subscriptions (I read the Star Phoenix's RSS feed). 
  • I watch/access/download all of my video media online, through various channels and to various devices.
  • I read/discover/find all of my written media online, mostly with blog subscriptions through Google Reader, but also through link discovery sites like Reddit and "I feel like looking up X" sites like Wikipedia. 
  • I am opposed to DRM that makes media that I pay for harder to enjoy in ways I choose to enjoy it, like watching it on multiple devices. 
  • I DO listen to CBC Radio! That's about it for traditional media. 
Each month, I'm as happy as a clam to give Shaw Cable tons of my hard-earned dollars for (practically) unrestricted and unlimited access to the internet, as fast as they can deliver it. It's the most brilliant business model out there. I give you a bunch of money, and you give me every type of entertainment I could possibly want, no strings attached. 

There are exceptions to the everything-but-the-internet-is-free rule. When something is really, really awesome - you pay extra. A good example is Xbox Live. After not playing video games for most of university, I'm hooked again - it's $60/year (plus associated costs for games and hardware) for some of the most fun group or solo entertainment out there. In my opinion - totally worth it, at least for me. 

The problem is when un-awesome things want you to pay extra. This could mean payment in money (obvious) or your time (perhaps not as obvious). For example, Rupert Murdoch's Times newspaper has just put a "registration wall" on their site. This means you have to register to read the news. No payments (yet). Guess what happened - their readership immediately dropped by 50%, because consumers don't want to waste their time - even if it's as trivial as entering your name and email address. 

With Cineplex, not only do you pay for the content ($11 per movie per person! Insane!), you pay full price with your time: inefficient pre-payment systems, an absurdly non-integrated Scene card system, lineups, commercials, previews, a few more commercials, and then the movie. If I can modestly suggest my time is worth, say, $20 per hour, it cost me nearly $30 in my own time just to anticipate seeing Toy Story 3 (tickets, lines, waiting in the theatre, commercials, previews, etc). It's a good thing I enjoyed the movie!! 

Here's the point: Content always trumps everything else, accessibility is a close second. If your content is high-quality and is in some way unique, I will be a happy consumer and gladly pay you for it. If your content is hard to access and is replaceable, it will be replaced (quickly). If you go out of your way to make it hard to pay for and enjoy your content, I will go out of my way to enjoy it for free. 

So, Rupert, good luck getting me to subscribe to the Times when there are 4,999,999,999,999 other websites out there. And Star Phoenix, THANK YOU for allowing me to access previews of your content through RSS - I frequently click through to read the articles (and therefore see your ads). 

And Cineplex/Galaxy Cinemas - count yourself lucky that I tolerate your crap a few times per year. But make no mistake, I don't want you and I don't need you!

Tuesday, June 22, 2010

Canadian Privacy Commissioner's Google Street View Probe: Let's Drop It

On Friday, May 14, 2010, Google announced that their camera-laden Street View cars had inadvertently been collecting unencrypted wifi data:

"...we have been mistakenly collecting samples of payload data from open (i.e. non-password-protected) WiFi networks, even though we never used that data in any Google products." (source: Google)
I recommend reading Google's entire explanation for an example of a perfect admission of wrongdoing and accompanying apology. Straight out of the good communication textbook, Google:
  1. Acknowledged their wrongdoing (collection of unsecured wifi data);
  2. Recognized feelings of anger, frustration, disappointment and betrayal;
  3. Took full responsibility for their actions;
  4. Explained their error without assigning blame;
  5. Offered a sincere apology;
  6. Offered an immediate fix for the problem (grounding of all Street View cars, contacting government regulators about how to dispose of the data).
In response, Canada's Office of the Privacy Commissioner is launching a full investigation into what happened (see link for news release).

Says Privacy Commissioner Jennifer Stoddart:

“We have a number of questions about how this collection could have happened and about the impact on people’s privacy. We’ve determined that an investigation is the best way to find the answers.”
But... don't we already have the answers? Google collects data, Google realizes mistake, Google releases details of exactly what happened and how, Google gets in touch with governments so they can delete this data properly. And because Google collected the data and not evil hackers, guess what the impact was: nothing.

I like the Office of the Privacy Commissioner. They're a taxpayer-funded office who promote and protect the individual privacy rights of Canadians - and I'm down with that. They've slapped Facebook into shape on more than one occasion. But do we need to be spending taxpayer dollars on an investigation where there isn't anything to investigate?

Canada isn't the only country getting up in arms. The Consumerist is reporting that 30 American states are banding together for an investigation of their own. 

Here's the real issue. The data in question that was collected by Google was pulled off unsecured wireless networks. In layman's terms, that's a network without a password and encryption. People were (in all fairness, unknowingly) broadcasting their internet interactions for the world to see. Yes, that includes emails and passwords!

Forget about Google, what about Wardriving? There are far less-responsible people and organizations than Google who are pulling information from unsecured networks all of the time. Suddenly, the fact that Google's sitting on information from our private networks is awesome - now that they have it, they can protect it, they know they have to get rid of it, and they can't use it maliciously. And they're good at security. When Chinese hackers hacked Google, Google hacked them back.

The Office of the Privacy Commissioner should be helping Canadians by lowering the number of people who are accessing the internet over unsecured networks. They should be developing ways to make sure products like routers and laptops are safe (privacy-wise) to use out of the box, and to promote the use of secure protocols to websites that handle sensitive information (banks, social networks, email, etc). They should be finding ways to better educate the public on taking privacy matters into their own hands. They should be working with Google to dispose of that private data as quickly as possible, rather than working against them through an investigation. They should be developing programs so that everyone can understand privacy and data in the digital age.

Forget about this investigation. It should be the end-user's responsibility to take steps to protect their own privacy. No user is perfect - I've helped lots of people with different computer issues, and I've made plenty of mistakes myself. No hardware is perfect - many wireless routers are "broken" out of the box, in that their out-of-box settings are terribly insecure. Lastly, no software is perfect - Google's Street View cars were obviously flawed.

Still, individuals must accept a higher degree of responsibility for their digital privacy and security. Nobody would paint their SIN number on the side of their house, yet there are plenty of unsecured wireless networks doing just that.

Saturday, June 19, 2010

The Internet Beyond Facebook

I deleted my Facebook account just before it was "cool" - at the end of April 2010. See? This is the Google Search Trends for the query "delete Facebook":
It was just after I read the Eroding Privacy Timeline, published by the Electronic Frontier Foundation, and right before these events happened:
Yes, May 2010 was a bad month for Facebook and I am glad I got out when I did (not that my account was actually deleted).

Here's a fair question of me: If I care so much about online privacy issues, why do I have a blog, a homepage, a Google/Gmail account, a Twitter account, etc?

For one, most of the online services I subscribe to have fairly easy-to-read and easy-to-digest privacy policies (example: Gmail. Counterexample: Facebook's privacy policies over time). Second, my favourite services often give me an easy way out - it's easy to delete accounts, unlike Facebook. Third, most of these services have spent a lot of time building and earning my trust as a user - Facebook has always been sketchy. Fourth, and perhaps most importantly, the services don't radically change over time, at least not to the insane degree that Facebook has changed from privacy-centric to advertiser-centric.

(I'll admit that the services I like aren't without flaws. I am a fan of Google products but they dropped the ball with Google Buzz when it was released).

There's a difference between leading a private life and the expectation of the right to privacy. For example, from Fall 2008 to Spring 2009 I spent months trying to get more information on the secret yellow tracking dots that colour laser printers use to identify document owners (it's not a conspiracy theory!). I got in touch with Lexmark and they eventually offered to give me a full refund on my years-old colour laser printer, but I was more concerned with the overall privacy issue at hand, not my personal privacy. I declined the offer.

Back on topic. Privacy issues aside, Facebook had evolved into a service that just wasted my time. I'd log in (several times per day, usually) and just creep updates. Then, I realized that the reasons most people used Facebook suddenly no longer applied to me!
  • Photo sharing - Facebook does this well, but there are free alternatives with more flexible privacy controls like Flickr and Google's Picasa.

  • Staying in touch with friends and family - That's why I have a phone (voice/text/BlackBerry Messenger) and email.

  • Reconnecting with old friends - There are lots of other ways to do this.

  • Connecting with organizations through Fan Pages - Often congested and ugly for big organizations and under-used and neglected for small ones. Also, this feature is now less about connecting and more about marketing.
I'm not arguing that everyone should delete their Facebook account; I am arguing no-one should feel trapped by something they optionally use. If you feel trapped, it's a sign you need to escape.

I felt cut off for the first few days after deleting my Facebook account, but now that it's gone, I don't feel like I am missing anything - I can waste my time doing other things! My subconscious urge to constantly check it is gone - I've escaped from the trap!

About Me

My name is Brahm. I finished University in April 2010, and already I miss writing. I am hoping this blog can satisfy that craving!

I'm interested in technology, privacy, communication, geeky stuff, consumerism, Canadian and Saskatchewanian (is that a word yet?) news, and more. I've been thinking about some of these topics for a few weeks now and have a "to-write" list that I'm hoping to get through.

For more about me or the projects I've worked on, check out my website -