2015: The year in Data Privacy

Data Privacy Day was being celebrated for the 9th year this January 28th. Known as Data Protection Day in Europe, the date comes from the Convention for the Protection of individuals with regard to Automated Processing of Personal Data, which was opened for signatures at the Council of Europe on that date in 1981. A plethora of organizations, from regulatory authorities to cybersecurity organizations to industry trade groups to businesses across the globe are getting involved. The goal is to raise awareness among consumers about data privacy issues and encourage businesses to respect privacy in their operations and products. –

Auto Privacy

From police planting GPS devices on automobiles to lawyers seeking black box data in vehicles, automobile privacy has never been a hotter topic. In fact, it’s so hot that auto manufacturers recently pledged to adopt new auto industry privacy guidelines.20140513_080829(1)

Automobiles have never had the highest of 4th amendment privacy protections, and for years courts have struggled with the proper line. With the technology changes afoot, the automobile is positioned to become one of the forefronts of the privacy debate in the coming years. The issues are plenty

This, of course, doesn’t even begin to address the significant security issues at stake when combining a computer with a 2000 lb hunk of metal that can move at 80mph.

Unfortunately, the auto industry is woefully unprepared for tackling this problem. Having experienced first hand a company that was transitioning from manufacturing to software, I know that the mental shift is huge. I’ve twice gotten in heated discussions with auto industry representatives about vehicle privacy issues only to find the representatives clueless beyond belief. It’s the same tired old refrain, privacy versus security (or in this case safety). Sure, there are anecdotal stories that showcase how privacy invasions save a life, but they don’t outweigh the societal interest of protecting privacy as a whole. The industry espouses the safety benefits of telemetrics to improve vehicle safety. Understanding what causes crashes and how crashes occur can reduce deaths and injuries. However, they won’t invest the time and resources to developing techniques to gather statistical data without siphoning in reams of individual data about individuals drivers and driving habits. Ultimately this individual data can be used against the individual, either in higher insurance rates, automated traffic citations, in legal proceedings, or by nefarious ex-lovers. Technology like differential privacy or similar techniques like the one recently employed by Google to improve Chrome’s performance.

What they auto industry should be investing in (and they are but maybe not enough) is reducing the biggest risk and danger to driver safety: the driver and other drivers. Every year 1.2 million people die in car accidents, countless others are wounded. Some 93 percent of accidents are caused by human error.

The win win solution for privacy AND safety thus is driverless cars that aren’t tied to the identify of the passengers. I hail the nearest car (ala Uber), it picks me up and takes me to my destination. Unfortunately, it isn’t a boon for the auto industry long term because fewer drivers and fewer accidents mean fewer auto sales every year. One estimate says a shared autonomous vehicle may replace 11 individually owned vehicles. The auto industry doesn’t really have much choice, but privacy and safety may not be in their long term interest.








Triple Initial Syndrome

I’ve used the term T.I.S. or Triple Initial Syndrome for years to refer to people’s seeming natural gravitation to using three initials. It appears there is something soothing about three letters places together. It’s sufficiently long to convey actual information but not too long as be unwieldy. I was searching the term the other day and only found a handful of responsive web pages. All of them, perhaps not coincidentally, stem from old school punk bands that fell prey to the syndrome. There are a number of bands than I remember quite vividly from my punk days: C.O.C., D.R.I, M.D.C., G.B.H..  Thinking back, the I initially heard the term T.I.S. from a punk friend of mine back in the 80’s. Clearly this was a term that developed back that I had expected had reached a more mainstream audience but apparently had not. I’ve been using it in reference to corporate America’s propensity for such initialisms for years. It seems almost every conceivable three letter combination has some acknowledged meaning to some corporate constituency.

Credit cards, Apple Pay, Bitcoins and Cash

Apple’s recent introduction of Apple Pay, it’s foray into a digital wallet service,  marks Apple’s continued march into being the go-between between consumers and businesses. Many retailers have been reluctant to invest in new technology to secure credit cards because of a desire not to invest in a technology they weren’t sure would be the winner amongst all the alternatives. However, with Apple’s considerable market share and the backing of the major card networks and issuing banks, retails are much more comfortable that this is a technology that has a good chance at surviving.

Credit cards have a long history (over 40 years) and they were invented in an era before the Internet, before identify theft and before anybody really thought about cyber security. The problem has only been getting worse and at some point it had to come to a head. The credit card itself is an insecure device (all the information necessary to steal it is printed right on the card) and the payment mechanism is insecure (all the information necessary to steal it is transmitted through the payment networks). Apple’s solution addresses both of these security concerns through tokenization. The credit card number is neither stored on your iPhone nor transmitted through the network. Now the only way to fake payments is to have physical control of the device, which can also be shut down remotely using Apple’s find my phone feature.

Apple Pay[As a side note, I’m heartened to learn that security and privacy, especially in the wake of Apple’s Celebgate, are playing a very prominent role in the promotion of Apple Pay.

“Easy, Secure, and Private

“We are not in the business of collecting your data. Apple doesn’t know what you bought, where you bought it, how much you paid for it.”

“Cashier doesn’t see your name, credit card number or security code.”]

Without diminishing the scope and scale of what Apple Pay has tried to accomplish, they seem to be setting their sights rather low. Now, I can’t predict what Apple has in store for the future, but credit cards and debit cards are only one piece of the puzzle. A wallet, to many, is much much more than credit and debit cards. Tim Cook talked about card based payments being a $4 trillion dollar a year business in the United States. No doubt that is huge. But consider how many of those people making those payments have iPhones? How many of them have the iPhone 6 with NFC necessary to do payments? How many of those are among the unbanked who don’t have access to credit and debit cards?

The fact is, there are many many more ways to pay than credit and debit cards. Card payments are roughly $11 trillion a year in the global economy. Cash? Try $70 trillion. And what about airline points? Store loyalty points? Canadian Tire money? Bitcoin?

The fact is the digital wallet can be so much more. As Edward Castronova and Joshua Fairfield talk about in their recent NY Times op-ed, the digital wallet of the future will combine all of these different payment mechanisms and optimize them to make sure you pay the least amount possible.

Many people have suggested that Apple Pay may prove to be a killer to Bitcoin, but the fact is they serve different purposes and there is room for both in this market. Michael Casey suggests that perhaps Bitcoin can serve a better purpose as a backend payment mechanism for business to business transfers of funds. Larger value transactions will benefit from both the small transaction fees of Bitcoin and the highly subsidized security costs.

To Castronova and Fairfield’s point the real killer app will be achieving frictionless exchange between the varied payment mechanisms. Will this be Ripple? Or some other yet undetermined service?

One of the complaints economists leverage against Bitcoin’s widespread adoption as “money” is it lacks utility as a unit of account. True, very few people price goods in bitcoin. But if the frictionless future is to be achieved, perhaps we need a paradigm shift away from pricing goods in a monetary unit. Doing so hides information in the economy. When the price of gas goes up, in reality it is the value of the dollar dropping. That reality is masked when we price gas in dollars.




Email confusions

It always amuses me when people don’t know their own email address. I mean, I can understand typos and forgetting some overly complicated string of characters but some people fundamentally seem to always get their own email address incorrect.

I’ve currently been involved with an issue with Redbox whereby one of their customers consistently enters MY email address as their own and I get their receipt (along with what they rented, when they rented, from where they rented it and the last 4 digits of their credit card number). This isn’t just a typo because they do it consistently. I’ve called Redbox (now 3 times) asking them to block my email address. At least the first two times the customer service representative probably just “unsubscribed me.” The third time I asked to speak to a manager and they allegedly marked it such that if the customer attempts to enter my email address at a location they will be presented with an error. It remains to be seen.

Curiously the manager suggested I hit the “unsubscribe” button on the email, to which I pointed out there was none (see picture below). Even more curiously, the manager said that sometimes people have the same email address. Huh? I can only hope that she meant something else to which I’m not sure. I tried to explain that email addresses were unique and someone else couldn’t have the same one though maybe a similar one. She glossed over my explanation. We’ll see if they actually blocked my email address.

Unfortunately this particular email address (I have nearly a dozen) is overly simplistic so I could easily see someone mistaking theirs with mine. This reminds me of Steve Wozniak’s early acquisition of the phone number 888-888-8888, which proved completely useless because of the number of inaccurate calls he received.

Apparently I’m not the only one who has this problem, as this ArsTechnical article points out.



The Importance of Location to data privacy.

Intralinks' The CollaboristaBlog

As with many multi-national companies, Microsoft maintains corporate subsidiaries worldwide, often to optimize its operations under various legal regimes. While the justification for this is usually tax related, increasingly, compliance with local data security and privacy regulations are a driving factor. In light of the Snowden revelations about the NSA, other countries are closely scrutinizing the activities of American companies within their borders. Germany, for instance ousted Verizon in favor of local Deutsche Telekom, citing Verizon’s cooperation with the U.S. government as a determining factor.

Continue reading on my guest post on the CollaboristaBlog.

Theme Parks and the de-evolution of privacy therein.

I recently went to Universal Studios and Islands of Adventures with a friend. I usually go every few years and try to stay at one of the on-site hotels. Though they can be ungodly expensive, the benefit of being right there (and being able to return to your hotel midday to escape the Florida heat), combined with early park admission and unlimited express pass ride entrance almost makes up for the costs.

I haven’t been to any of the Disney parks in quite some time, just owing to a number of circumstances. I keep threatening to return, but haven’t been in almost ten years. Interesting since I use to go annually as part of my summer family vacation. I remember back in the days of yore, Disney actually issued a booklet of tickets f or each area of the park (Tomorrowland, Adventureland, etc…). Sometime before 1981, when Epcot opened, Disney began issuing entire park passports which would give you admission to all the rides in the park, with no need to use up tickets for each ride. The modern day equivalent of Express Passes, which grand someone willing to pay more priority admission to the ride.

Universal Studios Express PassesIn those days, if you wanted to leave the park and come back in you got your hand stamped indicating you had left the park and that along with a ticket valid for that day would suffice to allow you re-admission. As the ticketing system continued to evolve they eventually got rid of the ticket system and moved to an electronic ly read ticket, which eliminated the stamp as all the data was centralized. I still have one of these tickets today which was last used in 2001 and still has 2 days left on it (I had to make notes on my ticket otherwise I wouldn’t have a clue if it still had any days left). Also back in the 90’s Disney and other theme parks began issuing yearly passes (mostly to state residents in an effort to get them to come often especially during non-peak times). The yearly passes, issued to an individual, as opposed to the bearer, needed to be identifying. They included crude pictures and the persons name. Eventually, the entire ticketing system transmogrified over to to one precipitated on identification. Initially, the park attendants just had you sign the ticket when you first used it and allegedly validated that signature against some form of identification upon future ticket uses. Now, the more common practice is to require you to state the name of ticket bearer upon purchase which is imprinted on the ticket. Upon initial entry, the bearer does a finger scan which is matched against future entry attempts. Somewhat sensitive to customer concerns you are able to opt out by showing your ID which is supposed to be matched by the attendant against the name of the ticket. In the 5-6 times I entered the park last weekend, only once did at attendant look carefully (too carefully in my opinion). Most attendants realize that your one of the few people who won’t scan their finger so you probably aren’t trying to skip the line by standing out like that Interestingly enough, though I’m quite used to making a fuss about privacy, my friend who came with me said she felt like she was being treated like a criminal when she had to ask not to scan her fingers. Way to make people feel wanted, Universal!

The scanner are not, allegedly, finger print scanners but rather finger geometry scanners which just get some statistically significant measure to match you to your ticket. It’s unclear whether they match your name with your scan across multiple tickets or do anything else with the data. According to this old article, they purge the finger scans 30 days after the ticket expires, which in the case of my older ticket it does not. Then again, I never scanned my fingers so they have nothing to purge.

In addition to the whole name/finger scan issues, I was irked during my recent trip to learn that I need to have my picture taken for my Express pass. The pictures are printed onto small Express Pass cards. I’m assuming it was supposed to be that the attendant would look at your picture to compare it against you to make sure someone else wasn’t using your Express Pass. Two reasons why this may not be the case:

1) I never had an attendant look at the pass and look at me. Many times I held my thumb over my picture just to see. They mainly wanted to scan the barcode to make sure the pass was valid and wasn’t one of the limited use passes (once per ride, remember the OLD Disney ticket system?)

2) The pictures are of such low quality that you could barely use them to distinguish people. To demonstrate, I’ve even posted mine and my companion’s passes here with nary a worry that they are going to be used for facial recognition.

One of my major pet peeves was that there was very little (if any) disclosure at the point of collection about how they use this image, how long they are storing it, etc.  It may be buried in their privacy policy but if so it’s not clear and certainly not conspicuous.

I just found this article which talks about the Express pass system at the Universal hotels and the need to prevent “fraud.”

I’m certainly not the only one to recognize the failings of the Theme Parks at privacy. Bob Siegel over at Privacy Ref discusses his run in with automated call centers providing details about a person based on an entered telephone number.

FOLLOWUP: 7/28/2014 I’ve been receiving solicitations from Universal (seems like almost daily since my trip.) Interestingly, though not unexpected, clicking the unsubscribe link in the bottom of the email brings you to a page that a) requires to you to enter an email address and requires you to further check a box to affirmatively opt out of email marketing (for each of 4 different services).  This is a far cry from industry best practice, which is one click unsubscribe. If one wants to know how to do privacy wrong, one need only look to the practices of the Theme Parks.


Passwords are only one piece of the puzzle

Something I’ve argued for in the past is the need to not treat passwords as an all or nothing access. It’s not binary. It’s shouldn’t be grant or not grant; on or off. Passwords are just one piece of the authentication puzzle. Someone entering a password should be viewed with more confidence that they are who they say they are but not with complete confidence. When analyzing access to information, a more nuanced analysis should be done to assess the sensitivity of the information and the need for confidence in authentication. If you need X confidence, require X level of authentication. If you require Y confidence, then you need Y level of authentication.

Many websites require you to log in (again) if you’re accessing sensitive information or making a significant account change (such as changing an email address on the account). This is because the fact that someone is logged in only leads to small level of confidence that they are who they say they are. After all someone could log into a public terminal and walk away allowing someone else to sit down and the computer. Or a hacker could be using a tool such as FireSheep to impersonate someone’s web session on an public network.

Joseph Bonneau has a related post on Light Blue Touchpaper discussing that authentication is becoming a machine learning problem.

Multi-factor authentication is really a method for adding confidence in your authentication, but it still should never be viewed as 100% or 0%.  If you’ve ever forgotten your password, you know that your failure to remember it is not proof that you aren’t who you say you are. Similarly, knowing your password is not proof that you are. It just tends to suggest one way or the other. Financial websites are the most common ones adopting other signals of authentication, such as your user agent or a previously placed cookie on your machine. Facebook also looks to see that you’re in the same country you’re usually in, or that you’re using a browser you’ve used in the past. If not, they place additional hurdles before you can access your account. If you’ve ever phone your credit card company from a phone they don’t have on record, you will have noticed they require additional verification.

As you develop your applications, you should identify critical information or controls that may require additional confidence. Then look for methods of increasing that confidence: requiring additional information from the user, verifying keyboard cadence, identifying IP address, user agents, biometric requirements, FOBs or dongles, etc.





Desensitization as a privacy harm

“The Internet age means that a whole generation is accustomed to the idea that their digital lives are essentially in the public domain ” say Tyler Dawson in the Ottawa Citizen. While I’m not sure I agree with Mr. Dawson’s stereotyping a generation, I get his drift in terms of what I term desensitization. That is the idea that increase scrutiny into one’s private life leads to increased expectation of that scrutiny and thus reduced moral outrage.

In risk analysis we often look towards objective consequential harms or damages that may occur as the result of some action or inaction. The prototypical example is the risk of financial theft as a result of having one’s credit card or identity stolen. And while tangible harm is certainly important it is not the only type of damage that may result. Courts are loathe to recognize intangible harms, such as emotional distress, except in rare circumstances. But very few people would deny the very intangible harms to one’s psyche if nude photos were to be circulated of oneself (unless of course one is in the business of circulating such pictures). Many privacy harms are ethereal. Very few of us would be comfortable with the notion of constant surveillance by someone without our consent, even if nothing could ever affect us in a tangible way. I remember being provided a thought experiment at one point. If a space alien could use a telescope and follow your every movement, see everything you do, inspect every thought in your head, does a privacy harm exists? If you knew about this observation does that change your answer? Many people would feel judged in their behavior and thoughts and may alter their routine to prevent adverse judgment about them. I, as would others, would argue that is sufficient to rise to the level of a privacy harm. You are having to change your thoughts and behaviors as a result of the invasion into your personal space.

I return then to the idea of desensitization. The constant surveillance and invasion of privacy changes our social mores. It alters our thoughts and feelings towards the very notion of privacy and does so without our consent. To that extent, I would suggest that invasion without consent itself is a privacy harm. There need not be anything else.