Safe Harbor: How Your Business Can Respond

You may not think it, but the recent decision by the European Court of Justice related to the EU-US Safe Harbor Agreement could easily affect your business. And if you’re confused, you’re not alone. – See more at:

2015: The year in Data Privacy

Data Privacy Day was being celebrated for the 9th year this January 28th. Known as Data Protection Day in Europe, the date comes from the Convention for the Protection of individuals with regard to Automated Processing of Personal Data, which was opened for signatures at the Council of Europe on that date in 1981. A plethora of organizations, from regulatory authorities to cybersecurity organizations to industry trade groups to businesses across the globe are getting involved. The goal is to raise awareness among consumers about data privacy issues and encourage businesses to respect privacy in their operations and products. -

Auto Privacy

From police planting GPS devices on automobiles to lawyers seeking black box data in vehicles, automobile privacy has never been a hotter topic. In fact, it’s so hot that auto manufacturers recently pledged to adopt new auto industry privacy guidelines.20140513_080829(1)

Automobiles have never had the highest of 4th amendment privacy protections, and for years courts have struggled with the proper line. With the technology changes afoot, the automobile is positioned to become one of the forefronts of the privacy debate in the coming years. The issues are plenty

This, of course, doesn’t even begin to address the significant security issues at stake when combining a computer with a 2000 lb hunk of metal that can move at 80mph.

Unfortunately, the auto industry is woefully unprepared for tackling this problem. Having experienced first hand a company that was transitioning from manufacturing to software, I know that the mental shift is huge. I’ve twice gotten in heated discussions with auto industry representatives about vehicle privacy issues only to find the representatives clueless beyond belief. It’s the same tired old refrain, privacy versus security (or in this case safety). Sure, there are anecdotal stories that showcase how privacy invasions save a life, but they don’t outweigh the societal interest of protecting privacy as a whole. The industry espouses the safety benefits of telemetrics to improve vehicle safety. Understanding what causes crashes and how crashes occur can reduce deaths and injuries. However, they won’t invest the time and resources to developing techniques to gather statistical data without siphoning in reams of individual data about individuals drivers and driving habits. Ultimately this individual data can be used against the individual, either in higher insurance rates, automated traffic citations, in legal proceedings, or by nefarious ex-lovers. Technology like differential privacy or similar techniques like the one recently employed by Google to improve Chrome’s performance.

What they auto industry should be investing in (and they are but maybe not enough) is reducing the biggest risk and danger to driver safety: the driver and other drivers. Every year 1.2 million people die in car accidents, countless others are wounded. Some 93 percent of accidents are caused by human error.

The win win solution for privacy AND safety thus is driverless cars that aren’t tied to the identify of the passengers. I hail the nearest car (ala Uber), it picks me up and takes me to my destination. Unfortunately, it isn’t a boon for the auto industry long term because fewer drivers and fewer accidents mean fewer auto sales every year. One estimate says a shared autonomous vehicle may replace 11 individually owned vehicles. The auto industry doesn’t really have much choice, but privacy and safety may not be in their long term interest.








Triple Initial Syndrome

I’ve used the term T.I.S. or Triple Initial Syndrome for years to refer to people’s seeming natural gravitation to using three initials. It appears there is something soothing about three letters places together. It’s sufficiently long to convey actual information but not too long as be unwieldy. I was searching the term the other day and only found a handful of responsive web pages. All of them, perhaps not coincidentally, stem from old school punk bands that fell prey to the syndrome. There are a number of bands than I remember quite vividly from my punk days: C.O.C., D.R.I, M.D.C., G.B.H..  Thinking back, the I initially heard the term T.I.S. from a punk friend of mine back in the 80’s. Clearly this was a term that developed back that I had expected had reached a more mainstream audience but apparently had not. I’ve been using it in reference to corporate America’s propensity for such initialisms for years. It seems almost every conceivable three letter combination has some acknowledged meaning to some corporate constituency.

Cloud Privacy

It’s been quite some time since I’ve written about Cloud Privacy specifically. Wow, 2011? Really! Anyway, the IAPP and CSA deemed fit to hold a joint conference that brought the concepts of cloud and privacy front and center. If you’d like to learn more, head on over to the Collaborista Blog where I share some of the insights I learned.  Here is a preview

Last week I attended a joint conference of the International Association of Privacy Professionals (IAPP)

Matt from the IAPP.
Matt from the IAPP.

and the Cloud Security Alliance(CSA) in San Jose, California. Cobranded as the Privacy Academy/CSA Congress, the joint conference recognized the increasing importance and interdependence of the two disciplines, cloud security and privacy. The barely three day event was filled with nearly 100sessions, including six keynote speakers and nine preconference workshops. Choosing which sessions to attend was almost as hard as defending the cloud from cyber-attacks; there were just too many interesting topics.- See more at:

As soon as I have some space time, I’ll be devoting a lengthy blog here to the problem of collective action in cloud contracting and its impact on security and privacy.

Credit cards, Apple Pay, Bitcoins and Cash

Apple’s recent introduction of Apple Pay, it’s foray into a digital wallet service,  marks Apple’s continued march into being the go-between between consumers and businesses. Many retailers have been reluctant to invest in new technology to secure credit cards because of a desire not to invest in a technology they weren’t sure would be the winner amongst all the alternatives. However, with Apple’s considerable market share and the backing of the major card networks and issuing banks, retails are much more comfortable that this is a technology that has a good chance at surviving.

Credit cards have a long history (over 40 years) and they were invented in an era before the Internet, before identify theft and before anybody really thought about cyber security. The problem has only been getting worse and at some point it had to come to a head. The credit card itself is an insecure device (all the information necessary to steal it is printed right on the card) and the payment mechanism is insecure (all the information necessary to steal it is transmitted through the payment networks). Apple’s solution addresses both of these security concerns through tokenization. The credit card number is neither stored on your iPhone nor transmitted through the network. Now the only way to fake payments is to have physical control of the device, which can also be shut down remotely using Apple’s find my phone feature.

Apple Pay[As a side note, I’m heartened to learn that security and privacy, especially in the wake of Apple’s Celebgate, are playing a very prominent role in the promotion of Apple Pay.

“Easy, Secure, and Private

“We are not in the business of collecting your data. Apple doesn’t know what you bought, where you bought it, how much you paid for it.”

“Cashier doesn’t see your name, credit card number or security code.”]

Without diminishing the scope and scale of what Apple Pay has tried to accomplish, they seem to be setting their sights rather low. Now, I can’t predict what Apple has in store for the future, but credit cards and debit cards are only one piece of the puzzle. A wallet, to many, is much much more than credit and debit cards. Tim Cook talked about card based payments being a $4 trillion dollar a year business in the United States. No doubt that is huge. But consider how many of those people making those payments have iPhones? How many of them have the iPhone 6 with NFC necessary to do payments? How many of those are among the unbanked who don’t have access to credit and debit cards?

The fact is, there are many many more ways to pay than credit and debit cards. Card payments are roughly $11 trillion a year in the global economy. Cash? Try $70 trillion. And what about airline points? Store loyalty points? Canadian Tire money? Bitcoin?

The fact is the digital wallet can be so much more. As Edward Castronova and Joshua Fairfield talk about in their recent NY Times op-ed, the digital wallet of the future will combine all of these different payment mechanisms and optimize them to make sure you pay the least amount possible.

Many people have suggested that Apple Pay may prove to be a killer to Bitcoin, but the fact is they serve different purposes and there is room for both in this market. Michael Casey suggests that perhaps Bitcoin can serve a better purpose as a backend payment mechanism for business to business transfers of funds. Larger value transactions will benefit from both the small transaction fees of Bitcoin and the highly subsidized security costs.

To Castronova and Fairfield’s point the real killer app will be achieving frictionless exchange between the varied payment mechanisms. Will this be Ripple? Or some other yet undetermined service?

One of the complaints economists leverage against Bitcoin’s widespread adoption as “money” is it lacks utility as a unit of account. True, very few people price goods in bitcoin. But if the frictionless future is to be achieved, perhaps we need a paradigm shift away from pricing goods in a monetary unit. Doing so hides information in the economy. When the price of gas goes up, in reality it is the value of the dollar dropping. That reality is masked when we price gas in dollars.




The Keys to the Kingdom of Data Security and Privacy….

CollaboristaBlog – Sharing the Secrets of Safe Sharing

In my last blog post, I discussed the importance of location in data protection. Not physical location but rather legal, political and logical location — which will be the driving factors of data storage in the coming years.

A mere three days after my previous post, a Federal judge upheld the validity of a warrant to Microsoft for email stored by its Irish subsidiary. Microsoft has vowed to continue its fight to protect the privacy of its users from extraterritorial demands. But the ruling….. read the rest of post at the CollaboristaBlog.

A match made in privacy heaven?

If you read my previous blog post, you’ll note that my company recently launched an Android mobile phone app called 1ncemail. The goal of 1ncemail is to prevent merchants from tracking your purchase while still enabling them to send you your receipt via email. By opening up 1ncemail, you get an email alias that forwards to your regular email but the alias disappears after it is used such that the merchant can’t spam you or sell your email address or more importantly track you across your purchase. This is especially important where the company tracking you might not be an individual merchant but a payment processor (say Square, cough cough).

So fast forward to today where, as an avid user of random password generating security browser plug in LastPass, I had an epiphany. You see LastPass will generate a random string of characters (using constraints you set like upper and lower case, special characters, numbers, etc) to use as your password on a site. LastPass stores the password for you, encrypted with a master password, so you don’t have to remember “O6ff$4dr9#.” Now, I’ve had people suggest to me that 1ncemail provide aliases for use for registering to websites but I rejected it because it didn’t fit the onetime use model of 1ncemail because people need to be able to reset their passwords, get updates, etc. So if you haven’t figured out my epiphany, I’ll spell it out for you:

What if, just imagine if,,,,not only did LastPass provide a unique password (which protects you against security breaches of your password spilling over from one site to the next) but actually also provided a unique email alias. That alias would ONLY be good for that domain and only allow them to send you emails. It wouldn’t prevent tracking of you on their site but it would prevent them from selling your email or providing it to a data aggregator who could cross reference your purchases from one site to another. While you could do this with LastPass now, using mailinator or one of the other random email websites, the process is laborious, akin to generating your own unique passwords. Seemless integration with LastPass would be amazing!

LastPass remembers your passwords so that you can focus on the more important things in life.

So what do you say LastPass? Want to partner up? Now, I’m under no illusion. The geniuses at LastPass may have already considered this and rejected for some reason I haven’t though of or they could just take my idea and run with it. Nothing patentable about what I’m doing with 1ncemail. However, I’d love to partner up with them or at the least get credit if they decide to implement this idea. I’m just excited to use it.

Oh, and LastPass, please start accepting #bitcoin for premium use.


Update: Looks like my idea was proposed 2 years ago. See I thinking i should just create a browser add-on that supports this feature even if not integrated seamlessly with LastPass.

Email confusions

It always amuses me when people don’t know their own email address. I mean, I can understand typos and forgetting some overly complicated string of characters but some people fundamentally seem to always get their own email address incorrect.

I’ve currently been involved with an issue with Redbox whereby one of their customers consistently enters MY email address as their own and I get their receipt (along with what they rented, when they rented, from where they rented it and the last 4 digits of their credit card number). This isn’t just a typo because they do it consistently. I’ve called Redbox (now 3 times) asking them to block my email address. At least the first two times the customer service representative probably just “unsubscribed me.” The third time I asked to speak to a manager and they allegedly marked it such that if the customer attempts to enter my email address at a location they will be presented with an error. It remains to be seen.

Curiously the manager suggested I hit the “unsubscribe” button on the email, to which I pointed out there was none (see picture below). Even more curiously, the manager said that sometimes people have the same email address. Huh? I can only hope that she meant something else to which I’m not sure. I tried to explain that email addresses were unique and someone else couldn’t have the same one though maybe a similar one. She glossed over my explanation. We’ll see if they actually blocked my email address.

Unfortunately this particular email address (I have nearly a dozen) is overly simplistic so I could easily see someone mistaking theirs with mine. This reminds me of Steve Wozniak’s early acquisition of the phone number 888-888-8888, which proved completely useless because of the number of inaccurate calls he received.

Apparently I’m not the only one who has this problem, as this ArsTechnical article points out.