Identity / Profiles / Trust

Information Age:

Rapid7 discovered the files by searching for storage 'buckets' - logical pool of storage capacity - whose access setting has been changed to 'public', from the default setting of 'private'. This means that a list of the contents of the bucket can be seen to anyone that knows or guesses the URL.

The company successfully guessed the URL of 12,328 buckets on the S3 service, by inserting the names of Fortune 500 companies into the standard URL format for S3.Of those, 1,951 of which were set to 'public'. These buckets contained a combined 126 billion files, so Rapid7 analysed a cross section of 40,000 files. These files were found to contain such sensitive information as sales records, employee personal information, unencrypted passwords and the source code for a video game.

Ooops.

Goes right back to the absolute basics of Security theory, i.e. nothing f*cks up a secure system quite like the "Man in the Middle" giving it all away, whether by design or accident. If you are going to put data in the cloud, make certain the company security procedures are up to it.

Clouds. Caveat Emptor.

Story in the Grauniad on the Social Media Tracking Big Data system built by Raytheon, ample demonstration of what the art (if that is the word) of the possible (see Guardian video above):

It's called RIOT and is an an "extreme-scale analytics" (Extreme data?) system created by Raytheon, a large US defence contractor, and gathers vast amounts of information about people from Facebook, Twitter, Gowalla and Foursquare, i.e it used different Social Media devices to cross collate individuals with different data, including the latitude and longitude co-ords in smartphones, and mashes it with Google Earth. The Grauniad notes that:

The technology was shared with US government and industry as part of a joint research and development effort, in 2010, to help build a national security system capable of analysing "trillions of entities" from cyberspace.

The power of Riot to harness popular websites for surveillance offers a rare insight into controversial techniques that have attracted interest from intelligence and national security agencies, at the same time prompting civil liberties and online privacy concerns.

The sophisticated technology demonstrates how the same social networks that helped propel the Arab Spring revolutions can be transformed into a "Google for spies" and tapped as a means of monitoring and control.

Using Riot it is possible to gain an entire snapshot of a person's life – their friends, the places they visit charted on a map – in little more than a few clicks of a button.

Quite. And here is the future, imperfectly spread, in these vignettes of RIOT:

The Employee as Corporate property

"We're going to track one of our own employees," Urch says in the video, before bringing up pictures of "Nick," a Raytheon staff member used as an example target. With information gathered from social networks, Riot quickly reveals Nick frequently visits Washington Nationals Park, where on one occasion he snapped a photograph of himself posing with a blonde haired woman. "We know where Nick's going, we know what Nick looks like," Urch explains, "now we want to try to predict where he may be in the future."

Digital Stalking Made Easy

The video shows that Nick, who posts his location regularly on Foursquare, visits a gym frequently at 6am early each week. Urch quips: "So if you ever did want to try to get hold of Nick, or maybe get hold of his laptop, you might want to visit the gym at 6am on a Monday."

Big Brother

Mining from public websites for law enforcement is considered legal in most countries. In February last year, for instance, the FBI requested help to develop a social-media mining application for monitoring "bad actors or groups".

Underlying all this is the issue that most people don't have a clue about what is really possible with Big Data. Ginger McCall, an attorney at the Washington-based Electronic Privacy Information Centre:

"Social networking sites are often not transparent about what information is shared and how it is shared," McCall said. "Users may be posting information that they believe will be viewed only by their friends, but instead, it is being viewed by government officials or pulled in by data collection services like the Riot search."

Add to this the developents in automatic face recognition software, and you start to see Big Brother's face emerging from the matrix.

But, we have been consistently over-optimistic when we have predicted people will start to realise what these systems can do, but we seem to way over estimate user concern for privacy. Maybe it's one of these things that has a slow fuse, and then one particular episode ignites it (like Millie Dowler in the phone-hacking cases). In which case, can we predict a riot at that point?

Yesterday a UK Was-Once-Important Politico got found guilty for speeding, and transferring the penalty points to his wife (illegal, but lots of couples do it) to avoid a driving ban. Anyway, after he did the original speed deed, there was then a rather textbook affair/acrimonious divorce/etc etc, and the points swopping somehow ( ) got into the public arena, cue faux meedja outrage (as if no-one else does same...), cue the politico still lying about it in public, cue the Wheels of Justice finally grinding out a verdict - and he gets done (backround here - BBC).

So far, so good, I hear you say - justice was done, a speed cheat was punished, what's the issue? (apart from the nagging worry that the only way the British seem to be able to get the Great and Good-gone-Bad into the clink is by going after minor misdemeanors like speeding and expenses rather than oh, lying to parliament, crashing the economy, fiddling the global LIBOR rate etc etc. Mind you, as Sophia Bennet reminded me, it was ever thus - Al Capone would be smiling wryly....).

But the point of this post is that the issue for digital media watchers to note is this one. Some of Huhne's teenage son's anguished private texts to his father were presented as evidence in court, but in such away that the Press were then allowed to publish them. And that the Press did then publish them, all over the front pages, despite there being no public interest at all. There are two major lessons from this, to mark very well:

1. You would have thought that this close to the Leveson Inquiry into phone hacking, what with the UK Free Press being under considerable pressure post-Leveson to form a self-regulation system that can constrain their excesses (or the State will do it for them), that they would have - now of all times - restrained themselves. That they just couldn't, just shows that they will always race for the bottom (news)feeding as fast as they can.

2. For the general public, the lesson (again) is that anything you put down, on any digital media, at any time - may find itself in a court of law and then splashed all over the newspapers, to be picked over by all and sundry*. As Tim Berners Lee noted yesterday, the emergence of permanent data retention is going to be a very, very bad thing for Jo Public unless some form of originator control is enshrined.

In the Olde Days of email, it used to be said that you should never write what you didn't want to be read out in a court of law. In Social Media days it needs upgrading to "you should never write what you don't want to be read out in a court of law, picked over by millions on social media, and stored forever on multiple databases". Episodes like this show that there clearly needs to be a far stronger discussion about the rights people need to have over their own data, especially if it is going to be stored and datamined into perpetuity. The new media tools are a wonderful thing, but there needs to be a new social contract, backed up legally, about how they handle private data. If the new technology becomes seen as Just More Big Brother, it won't be trusted, which will - eventually, one byte at a time - massively reduce if not kill its utility

*And I mean sundry - the poor kid is now being lambasted online for some of the words he chose in those private texts, in his anguish. O Tempora, O Mores...

Very good summary of the fine art of datamining by the WSJ, all you ever need to know is contained in this sentence:

Consider Dataium LLC, the company that can track car shoppers like Mr. Morar. Dataium said that shoppers' Web browsing is still anonymous, even though it can be tied to their names.The reason: Dataium does not give dealers click-by-click details of people's Web surfing history but rather an analysis of their interests.

In other words, they know who you are, its just that Dataium haven't decided to sell that data on - yet. That "yet" is turning to "now" though:

The use of real identities across the Web is going mainstream at a rapid clip. A Wall Street Journal examination of nearly 1,000 top websites found that 75% now include code from social networks, such as Facebook's "Like" or Twitter's "Tweet" buttons. Such code can match people's identities with their Web-browsing activities on an unprecedented scale and can even track a user's arrival on a page if the button is never clicked.

In separate research, the Journal examined what happens when people logged in to roughly 70 popular websites that request a login and found that more than a quarter of the time, the sites passed along a user's real name, email address or other personal details, such as username, to third-party companies. One major dating site passed along a person's self-reported sexual orientation and drug-use habits to advertising companies.

To repeat "One major dating site passed along a person's self-reported sexual orientation and drug-use habits to advertising companies". All it takes is a decision by some company who has a bit of your datato cross the Rubicon of unique identity handoffs, and bingo - you're outed. No one will tell you, so you have no say.

Now this has been happening for a while - heck, we've been railing about it for 5 years - but I don't think most people realise how prevalent it is:

Today, a single Web page can contain computer code from dozens of different ad companies or tracking firms. These separate chunks of code often share information with each other. For example: If, like Mr. Morar the car-shopper, you give your name to a website, it can sometimes be seen by other companies with ads or special coding on the site.

It's so easy to share such information that many of the sites the Journal contacted said they were doing so accidentally. The problem is easy to solve, but it has persisted for years.

Craig Wills, a computer-science professor at Worcester Polytechnic Institute, published research in 2011 showing that 56% of more than 100 websites leaked pieces of private information in ways similar to those found in the Journal's study. "Information goes in, but we don't know if it's being dropped and ignored or saved for later use," he said.

And if you are on a Social Network, its worse:

The rise of social networks is also making it easier to tie people's real identities to their online behavior. The "Like" button, for instance, can send information back to Facebook whenever Facebook users visit pages that have the button, even if they don't click it.

These buttons and related code give social networks, which often know people's real names, an unprecedented overview of online behavior. The Journal found that Facebook code appears on 67% of the more than 900 sites of the top 1,000 that were scanned by BuiltWith.com, a service that examines websites and the technologies they use. That is up from about 63% a year or so ago. Code from Twitter Inc. was on nearly 54% of sites, up from 43%. Code from the Google+ social network was on almost 30% of sites examined, up from just 12% in December 2011.

We have been continually amazed at how little people seem to care about privacy, our experience in talking to people over the last few years is they don't seem to be able to conceive that these organisations could do this, sually don't believe they would, and seem to have very little grasp of what the outcome could mean.

Hopefully an article like this, in something like the WSJ, will help increase awareness among the sort of people who could change opinion.

A few days ago I wrote about "Greshams Law of Information" where, given equal transaction values (ie Google links) then bad information drives out good. This is demonstrable on Google these days as it gets (i) gamed and (ii) all sorts of paid for or belief based sites garner far more links than the boring truth with their superior resources (and now, maybe (iii) allowing interested parties to pay for link manipulation).

I defined 2 types of "crap info" on the web:

Case 1 - Info that is largely aimed at flogging something (ie marketing/advertising), where nearly everyone knows its probably crap and ^will try and seek the truth
Case 2 - Info that is largely aimed at promoting a belief, where many people will believe so will "self filter" out any inconvenient facts - and in fact try and repress them

Now, in economic theory, "Thiers law" enters the cycle later on into any new ecosystem, correcting this imbalance for crap currency as one currency becomes the "go to" trusted currency:

For money, the argument is that, in the absence of legal tender laws, Gresham's Law works in reverse. If given the choice of what money to accept, people will transact with money they believe to be of highest long-term value. If required to accept all money, good and bad, they will tend to keep the money of greater perceived value in their possession, and pass on the bad money to someone else. In short, in the absence of legal tender laws, the seller will not accept anything but money of certain value (good money)

In that previous discussion I could see how Thiers law for Information will work for avoiding Ad-crap (my Case 1 above), mainly via social nmediation (recommendation sites for example) but I didn't work out how the Truth would Out against Belief Based Dis-information (My Case 2). Except for a small bunch of people who would pay a premium for the facts, I could not see a viable dynamic that woulld reverse Gresham's Law as the wall of self-interested money and time promoting crap is far, far greater than that promoting truth.

I did, however, forget about looking more carefuly at Wikipedia as a possible solution, but meeting Jimmy Wales last week got me thinking about it. In essence, the only resource as freely available and as dedicated to Truth that can counter the vested interests of crap-spreaders is a very large voluntary effort of crowd-sourcing, that creates a "trusted currency" of truth - of which at the moment, Wikipedia is the best example (Though I did like the advice to Marrissa Meyer given in joyoftech - see comic strip at top).

Which makes it all the more imporatnt to ensure it stays that way, as the vested interests are way ahead of me and have have already sussed that it is the Trusted Currency of the web, and know their best bet is to subvert it

Quora have made an "interesting" decision - Liz Gannes on AllThingsD:

Quora today is introducing a feature that shows which of its users have read each Quora post, and how they found it. It’s another move by a social Web service to share passive activities, making the simple act of looking at a page on Quora something that other people can easily trace. “Views” is meant to make Quora more lively — users will now see real-time trending stories in their Quora feeds when multiple people they’re following have viewed a story.

It seems - at first glance - to be an easy way to annoy a lot of people with no real benefit - so why are the doing it?. Quora has some fairly sensitive subject areas, I'm not sure everyone wants to be seen to be cruising those boards. Also, this doesn't tell you who actually read it, ony whose cookie it was. It's not just them by the way, quite a few of the Social Nets we love are al rying to put an end to "online lurking" (which sounds a bit weighted - can we use the word "anonymity" instead?). Apparently Quara don't like pseudonyms either, in common with Facebook.

Quora exec Marc Bodnick said that the Views project is part of a larger effort to help Quora content creators get broader distribution. Views gives the authors better insight into how their contributions are spread.

“People on Quora are writing to be read,” Bodnick said. “What we’re telling you is that Quora is a distribution mechanism that works.”

But you don't need to display who browsed a piece to all and sundry, merely so authors can see who read their stuff. You just make it visible to authors only, so that can't be the reason, surely? I can see why power-writers will like it, but they are a small minority on any social network.You can disable it, but I have in the past been amazed at how much inertia people show to opting out of privacy reducing tools, and how little care some people have for their own privacy. But I still can't see how this is a great leap forward, and the risks to me seem to outweigh the benefits.

One for us "Digital Lurkers" to watch....

For some odd reason* Twitter chose to alert NBC about a British journalist who was being rude about NBC's coverage of the Olympics, so that NBC could then complain and Twitter could then ban him. He was banned because he suggested that those who did not like the Olympic coverage should email a specific NBC executive, and then quoted his email on Twitter. Now that's just the sort of pro-activeness you want your social network to take against you when you want to campaign against Big Brands - not. He did seem to be the sacrificial lamb though - you should have seen the Twitterstream, it was far, far more than one person who was being rude! The Atlantic is as good as any summary of the main issues of the story:

Let's stipulate that Twitter banning journalist Guy Adams for posting NBC executive's Gary Zenkel's corporate email address was a very bad idea. They have begun fixing the damage they did by reinstating his account. NBC retracted its complaint, according to Adams.

Now, whether it was a craven decision or merely bad judgment comes down to whether Zenkel's NBC email address is public or private information. In today's world, this is not as obvious a question as it might appear. (It may help to imagine that you are Gary Zenkel and you are the one getting hundreds of nastygrams from people with axes to grind.)

On the one hand, as Adams himself has pointed out, anyone with the Google can find it and it is now available on thousands of web pages, though not nearly as widely before.

Exactly - finding someone's corporate email address is hardly rocket science. Anyway, cue hullabaloo (on Twitter and elsewhere), cue Twitter apology:

That said, we want to apologize for the part of this story that we did mess up. The team working closely with NBC around our Olympics partnership did proactively identify a Tweet that was in violation of the Twitter Rules and encouraged them to file a support ticket with our Trust and Safety team to report the violation, as has now been reported publicly. Our Trust and Safety team did not know that part of the story and acted on the report as they would any other.

No doubt the fault can be blamed on The Intern....

But you kinda know where this is all going to go, don't you. This won't be the last time.....the interests of Social Networks looking for Ad funding, and those Social Networks' own users, are not aligned here. There probably needs to be some form of regulated code of conduct, weg email addresses fine, house addresses not fine etc etc.

* Did we mantion that Twitter and NBC are business partners - sorry, how remiss of us

Much to no-one's surprise, Google still has some of the data its streetcars desired so much - TCUK:

Today Google confirmed that it had located additional payload data collected by its Street View cars prior to May 2010 and the ICO [Information Commissioner's Office], which has repeatedly asked Google to delete the extra data, has thrown a few choice words in Google’s direction. While the ICO’s head of enforcement Steve Eckersley wrote in his reply to Google that he was “grateful” for the information about the data, and noted Google’s “commitment to continued cooperation with the ICO on this matter,” it’s not all hearts and roses.

The ICO says this data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010, according to the ICO.

In their letter to the ICO today, Google said they wanted to delete the remaining data and asked for instructions on how to proceed.

I love that last line....

The answer of course is first to save it to another secret stash, then hit the delete key and smile innocently.....

I think this reluctance to delete data is best explained by a recent McKinsey report on the benefits of holding user data, when they noted wistfully that, sadly for companies:

"Other risks involve breaches of consumer privacy, which could constrain a company’s ability to develop the most revealing consumer insights"

You can stop reading at "The Most Revealing...." as all is revealed

The ICO is going to need something stronger than words to force these companies to give up their big data motherlode, and ever more so in my view - Roosevelt said "walk softly, but carry a big stick". A blunt (financial) instrument and a large digital crowbar are going to be increasingly necessary....

This was a fascinating article that has been on the spike for a few days, Alan Mitchell from Ctrl-Shift arguing that YOU (the digital citizen) are actually a digital vegetable crop:

Consider some differences between a human being and a vegetable. A human being has some sort of ownership and control over their own assets, a vegetable doesn’t. The farmer grows cabbages, wheat or coffee, and appropriates what they produce. The coffee plant doesn’t have any say over what its beans are used for. The only agenda that matters is the farmer’s: how to maximize the yield; what different uses to which the crop can be put; how to make more money out of it.

In today's online environment, where users' activities and behaviours are tracked across the web, we are the crop whose role is to yield up personal data to Big Data farmers. And online marketers’ only interest is how they can maximize the amounts of data we yield; the different ways that they can analyze, refine, and process this data; and maximize the money they make.

Another important difference is that human beings can participate in markets in their own right; vegetables can't. Human beings can decide if the price is right, and if it’s not, they can walk away. On the farm, the produce is simply appropriated by the farmer.

In a Big Data world, where personal data is seen as a corporate asset to be mined and analyzed, we can’t negotiate over the price at which our data is traded. The data is simply appropriated. Online services, such as Google and Facebook, insist there is a value exchange. They provide us with a free service and they get our data in return. It sounds great.

As he points out, if only the buyer can set the price of your data, its hardly going to favour YOU

The problem with the model – free services in exchange for personal data – is that it makes it impossible for individuals to establish the real market price of their data. Is it worth $1 a year or $10? $100? $1,000? $1 million? With "free" services they’re all equivalent: the individual gets a service but the Big Data farmer gets the cash – without limit. The individual is the crop; the service is the data farmer.

Alan argues that technology is emerging to empower the YOUser, and needs to be used:

New technologies are also giving individuals the chance to hide behind anonymity shields if they want to. Privacy is becoming a personal setting, rather than a corporate policy. After all, only the individual knows what information he or she is happy sharing with whom, for what purposes, under what terms and conditions.

In this world, individuals can participate in the data economy as equal, active contributors; not just as data crop plants. If they feel able to do this – in a context where their data is respected, and where they can maintain control over who uses this data and how – they are likely to yield far more data than they are prepared to do so now.

In the 20th century, communist countries experimented with collective farming. In collective farms, peasants no longer had an interest in producing more produce because whatever they grew was appropriated by the farm. Today’s Big Data companies, including Google and Facebook, are the collective farmers of the 21st century. They are creating a low trust, adversarial economic system where individuals have every reason to be withholding, and no reason to become active contributors.

This has been the aim of VRM for some time, to give people the tools to participate more or less equally in the market, and, as the whole issue of privacy becomes more understood (and fought for) one can only hope that we do not become cash crops. But it still has to be worked at, powerful interests want to reap what you sow.

So next time you jump onto Facebook and play Farmville, (or whatever app that sucks lots of your data at no cost), you might want to consider who is farming who.

There is just a few hours to go before Google changes to its new privacy policy to allow it to gather, store and use your personal information, so as a public service we will tell you how to delete all that damning Google Browsing History, as per the EFF:

1. Go to the google homepage and sign into your account.
2. Click the dropdown menu next to your name in the upper-right hand corner of your screen.
3. Click accounts settings
4. Find the "Services section"
5. Under "Services" there is a sub-section that reads "View, enable, disable web history." Click the link next to it that reads: "Go to Web History."
6. Click on "Remove all Web History"

By the way, its not just Google.....

This is a public service announcement. You have been publically served. Do it or you will be served on a platter, as you are the Free Lunch. Thank you.

(Update - as Steve G notes in the comments, if you do not have Web history turned on you are OK- but check tomorrow, I am not certain what will be "opt in auto" then.

Also, I see the EFF are advising you to clear your browser history stacks anyway, and to stay off Google or do searches in browser Incognito modes now)