Tech

By Johannes Ernst

https://reb00ted.org/tech/

  • 2020-01-13

    Downloading all your data and new security risks

    I’ve been playing around with the new data download features major on-line providers like Twitter, Facebook or Google have been forced to provide to us Californians since January 1, 2020, under the California Consumer Privacy Act.

    It’s amazing what kinds of data they have. For example, from the Facebook download I learned that dozens of car dealerships all over the country (like, say, in Texas, where I definitely have never gone car shopping) have my name and address. How – I have no idea.

    But speak about putting all your eggs in one basket. In Google’s case, a single ZIP file contains all your e-mail over a decade or more, your pictures, your private messages, your location history – everything you ever used any Google product for, and many things you never thought Google recorded about you.

    If this one file fell into the hands of somebody nefarious, you’d probably be in serious trouble – from possible financial fraud to blackmail on multiple levels, in particular in less-liberal countries, of which there are unfortunately more and more. The trouble would likely be much bigger than if somebody “merely” logged into your account: because all the info is there in one place, you don’t have to look for it, you can write scripts against it and immediately analyze it.

    As Andrew Carnegie, and then Mark Twain, said: “And Then Watch That Basket!”. The trouble is … do we? I mean … before I started jotting down this post, I don’t recall having seen a single discussion of this threat anywhere, and I usually pay attention to this kind of thing.

    It’s hard to secure that kind of access. To be sure, I’m all in favor of me and you being able to know every last bit of what big companies record about us, and get that data and use it somewhere else. But that power sure comes with a lot of potential dangers.

    I fully expect a wave of “GDPR” and “CCPA attacks” to occur, all focused on getting your full archive from major service providers and “monetizing” this in various ways, plus enabling whatever any secret police in some jurisdiction – and I use the word “juris diction” loosely here – can come up with.

    What’s the alternative? Well, those service providers not having all that data about me in the first place! Instead, they should only be “borrowing” it from me; well, the parts they need for something I agree to for as long as they actually need it. Then, no bulk upload or download is necessary, and we don’t have this high-risk security problem in the first place.

  • 2020-01-09

    Can you trust FaceBook? Who paid $40m for overstating their numbers by up to 900%?

    Sometimes we think it’s all overstated and a matter of opinion. Surely they can’t be so untrustworthy, otherwise they wouldn’t have a business?

    Well, this article with link to the settlement describes what Facebook calls an “error” in calculating how much time viewers spent watching certain videos on Facebook. As a result of which, I’m told, all sorts of media outlets moved their videos from YouTube to Facebook, and then promptly imploded because the numbers of views was much lower than expected.

    Between 150% and 900%. The error, of course, was in the “up” direction.

    Read.

  • 2020-01-07

    Personal Data Organization Landscape

    Personal data is becoming a thing in 2020. Not just startups, but also not-for-profit organiations have been popping up everywhere … by some count, there are now literally hundreds (!) that are involved in it somehow. It’s hard not to get lost.

    To order my own thoughts, and for the purposes of some organizations that I’m involved in, I’ve been working on a 2x2 or 3x3-style matrix diagram that similar to what many startups are using to position themselves with potential investors.

    Here is my currently best draft. Would love your feedback and ideas!

    The first question is: if we can only pick two axes by which to classify organizations, which are the most important ones? I’ve picked:

    • whether organizations are for-profit, or help building the commons. This is obviously a big difference. I’m also distinguishing between organizations working broadly across the space, or focused on a particular aspect of it.
    • who is the primary customer of the organization? As personal data touches both individuals and businesses (or Me’s and B’s as we call it in Me2BA), organizations might focus on either, or both, and that has many practical differences just like B2B and B2C businesses are different. For this diagram, “customers” mean the entities that provide money to the organization, through membership fees, or who buy the product or services. (They may also have benefits for the other side, but that’s probably common for most of them so it’s not shown here.)

    Now, let’s put some example organizations into the diagram and see how they fit.

    • MyData has both business and individual members. It is a very broad umbrella organization, and so I am putting it stretching from B to Me, with a somewhat fuzzy border between general and specific focus. (One could have specific tendrils going out and up in the diagram, like the recent MyData Operators group.)
    • The Sovrin Foundation, which runs the epynomous digital identity network, has only businesses as its members, so I put them on the left. It is focused on something much more specific than, say, MyData, and so it goes further up in the diagram.
    • Customer Commons is an advocacy organization for (non-business) customers. It has a specific focus in mission and only focuses on consumers, thus it is in the middle on the right.
    • The Me2B Alliance strives to improve the relationship between businesses and individuals, and – once its membership structure is fully defined – will have both business and individual members, so I put it in the middle.

    Does this make sense?