Not many answers but lots and lots of questions!!!

Web pboake.blogspot.com

Global Investigative Journalism Conference

Thursday, April 08, 2004

Google Gmail privacy debate shows we are big brother but we just don't want to admit it to ourselves. 

The World Privacy Forum in conjunction with 27 other privacy and civil liberty organisations wrote a letter (dated April 6, 2004) outlining their concerns and calling on Google to 'suspend Gmail service' citing major privacy concerns even though Google's Gmail press release announced on April 1 that "a handful of users will begin testing the preview version of Gmail."

I admit I'm a Google fan, but in Gmail's defense there's not much privacy to be had on the 'net anyway. Keep in mind the Internet was intended for the open sharing of information. Any form of discourse on the 'net is akin to having a conversation on a crowded bus. The only thing that keeps it private is social convention.

What is Google doing that's so wrong? E-mail is already scanned for viruses and spam and we'd be upset if it wasn't. E-mail would be unusable without filtering and to expect service providers (commercial or otherwise) to ask every e-mail user for permission before opening a 'private' message is to place an undue burden on organisations that could conceivably be held responsible if they let the wrong message through. While that's not the same as letting a for-profit enterprise open e-mail and stick ads in it they're only held apart by an opt-in check box.

In practical terms, one mouse-click on a registration form (and sometimes not even that) is all it takes to give up the same level of privacy that Gmail would take from its users. Subscribing to Gmail is the same as opting-in to receive ads when you join Lavalife.

No criticism of Lavalife's privacy policy is intended here. I just picked it arbitrarily as an example of how deeply personal information about something like our dating and mating behaviours is exposed on the 'net.

Lavalife's privacy policy states they are "a licensee of the TRUSTe Privacy Seal Program which is an independent, non-profit initiative dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world." It states; what personally identifiable information is collected through the web site, how the information is used, with whom the information may be shared, the choices available regarding collection, use and distribution of the information, their security procedures and how you can update your information.

Essentially it says they do analyse your online behaviour for advertising purposes but avoid personally identifying you. What people may not think about is that the advertising they facilitate may have different privacy policies Lavalife can't control. Privacy policies interlock into a lowest common denominator patchwork where the protection efforts of many well-intended, ethical entities can be obviated by one unscrupulous or simply negligent one.

We may feel better reading a company's privacy policy but the truth is there is nothing to stop an organisation from collecting one sort of data from one source and another somewhere else, aggregating them and putting together a dossier on an individual.

More deeply disturbing to me is that, as a computer tech that has worked with the confidential data of literally hundreds of businesses over twenty years, nobody has EVER checked my background or asked me to formally declare my respect for any sort of confidentiality. There are no licensing programs for IT staff. We've been looking down your data pants from the word go.

There are hundreds of thousands of IT people on the planet. Any number of them can, with a few keystrokes, siphon off reams of confidential information for personal gain. Even if the breach is discovered, if they have taken steps to falsify their identity going in or cover their tracks going out, there is little that can be done about it after the fact. The only thing protecting confidential data is the possibility of legal repercussions and social convention. Given the lenient sentences handed out for white-collar crime (in Canada at least) somebody could decide the financial gain is worth a short stint in Club Fed.

Keeping things in perspective, this is not a phenomena unique to the 'net. In the physical world locks and alarms only keep out honest people. A determined professional will circumvent or simply ignore these and go in and get what they want anyway.

There is another point that needs to be made here. So far I have only talked information flowing in one direction: from the individual to the organisation. What about information that comes _to_ us from the 'net? Continuing with the example of a social network like Lavalife, how much should we trust the other people in that network? It's rather doubtful they have all been honest about who and what they are. There is no way for the administrators of a social network to verify this without checking the personal information of the users. How much privacy would you give up to know that everyone else on your dating board is who they say they are?

Gmail quite openly states they are going to look at every message. This will be done by machines, mostly because there's no practical way for humans to do it, but there will be errors and exceptions that will have to be handled by humans and you can be sure human programmers will be looking at some of the messages of the test users for the purposes of correcting and improving the code.

What if Google is on to something here? All we're hanging onto at this point is the tenuous illusion of a permeable shell of privacy. What if we just dropped the rotting veil of pretense and opened everything up? We have the technical and storage capacity to track everything and audit the smallest transactions. There are some potentially awesome benefits. How would our public servants and elected officials behave if they knew that anyone could see everything they did on our behalf because certified and licensed IT staff manned secure systems that recorded everything?

If we expect transparency from others we have to be ready to offer transparency ourselves. Me, I believe that *all* information should be free. Not because no harm will come from that but because the good that comes from it outweighs the potential harm. Trust is too valuable a commodity for us to bandy about willy-nilly and besides, I don't trust trust - I want to know for sure.

This page is powered by Blogger. Isn't yours?

Links to this post Permanent link for this article Post a Comment


Sign up for PayPal and start accepting credit card payments instantly.

Monday, April 05, 2004

RFID Tracking the Homeless in the U.S. and by that we mean hoaxing the media 

I was listening to a 'View from Space' on Mojo Radio (AM 640) hosted by local conspiracy theorist Spaceman (AKA Gary Bell (sic?)) and he started talking about how the U.S. government is planning on tagging the homeless with Radio Frequency IDentification (RFID) chips to track their movements in real time.

I called him and talked with him on the air about how it probably wasn't practical because most RFID readers need to be pretty close to the chip to read it as RFID tags don't have their own power source. The tags re-use the power from the radio waves transmitted by the reader to transmit their response. He just went on about how it was in the news implying, I suppose, that it must be true.

While no mainstream media (and by that I mean professionals that actually fact-check their stories) picked it up a quick Google Search on the terms; homeless rfid track UPI shows several hits like this story by thunderbay.indymedia.org who seemed to have bit the hardest given that their dateline is April 3.

Several of the hits ascribe the original story to this post on Declan McCullagh's technology and politics mailing list. In defense of Mr. McCullagh, who is journalist, photographer and chief political correspondent for CNET's News.com, he prefixes the post with "This is a joke... I hope!"

Contacted via e-mail Mr. McCullagh said "Yes, of course it was a hoax -- I sent a note a few hours after the original one on April 1 saying just that. As for the origin, I think it's fair to say that I may have been one of the first to recirculate the faux UPI story, but beyond that its provenance remains unknown."

The U.S. Department of Health and Human Services (HHS) Health Resources Services Administration (HRSA) spokesperson Kay Garvey stated by phone that while the HRSA person 'quoted' in the article does exist the story was a complete fabrication, an April Fool's hoax.

Phillip Mangano, director of the U.S. federal Interagency Council on Homelessness first heard the story from an HHS deputy assistant secretary at a meeting of cabinet secretaries and other high-level people on the topic of homelessness that takes place every four months in the White House.

"We're busy trying to put children in houses not chips in heads." Mr. Mangano said. "The farfetchedness [of it] is just out of this world."

The story carried a United Press international (UPI) dateline and copyright notice but the UPI web site doesn't seem to be responding well today so I can't check out a tip that they have put out a disclaimer.

There are several U.S. government initiatives to 'track' data on the homeless as can be seen in this collection of reports and materials to provide communities with direction and technical assistance resources on strategies to collect information on homeless persons from Housing and Urban Development (HUD). A quick scan shows they seem to be taking precautions regarding privacy.

Given the bizarre litiginous and contingency fee allowances of the U.S. legal system can you imagine the lineup of lawyers that would appear to sue the U.S. government on behalf of some homeless person whose privacy has been violated?

Copyright (C) 2004 Patrick Boake All Rights Reserved

This page is powered by Blogger. Isn't yours?

Links to this post Permanent link for this article Post a Comment


Sign up for PayPal and start accepting credit card payments instantly.