If you have not heard it, the above NPR Fresh Air interview by Dave Davies with Evan Osnos, a New Yorker Staff writer is well worth the listen.
Since that interview, we’ve had two more announcements of significance from Facebook.
October 11th, the evil empire announced that they’d disabled some 66 accounts or what Facebook described as:
dozens of accounts and profiles belonging to Russian database provider SocialDataHub
SocialDataHub provides analytical services to the Russian government. Facebook said SocialDataHub were “scraping” peoples information. Who knows how much information, how they used it, or who they sold it too. Facebook don’t. It looks live another 50-million accounts at least. [Check here if your account was compromised.]
The October 8th, Facebook announced their “Portal”, basically a tablet and web cam that allows you to make video calls to other Portal-users, and follows you around the room. Facebook of course says Privacy is
‘Very, Very, Very Important’
But let’s be honest, are you really willing to stay on facebook? Who in their right mind would allow facebook to live video them and not screw up the privacy, and even if they don’t, they’ll be analysing the Sh*t out of everything in every frame to identify things to sell to advertisers about you.
Can facebook do this securely and respecting your privacy? You bet your life not.
#DELETEFACEBOOK Start doing it now. #DELETFACEBOOK, and the women you will wow. (With apologies to Cole Porter).
Google+ is what happens when you try to take on an incumbent, don’t communicate your vision, and then leave the rotting carcass to fester and be eaten by the maggots. In this case the maggots were a
It turns out Google knew about the vulnerability back in March 2018, but decided not to disclose it as, as far they know, it hadn’t been exploited. If your data was upto date and complete, there was enough there to perform a rudimentary phishing attack.
In my case, my phone number, location and a number of other items were out of date, so I didn’t wait to find out what Google were going to do, I just went ahead and deleted my Google+ account. Google has also announced they will kill Google+ although it’s not clear completely what will be removed.
In the post Google+ world, it’s been clear for a while that Google is moving much of the community and information sourcing features into Google Maps.
Here is a link if you want to go ahead and delete your Google+ profile instead of waiting for Google to clean up the mess.
This is a good explanation of why it is way past time to stop using your Facebook ID to login to other sites. Personally while I still occasionally wish I could login to facebook to check on relatives, otherwise I don’t miss it at all.
No matter what facebook do, there will continue to be security and privacy breaches like this. Facebook wanted to become “the web” and along with that aspiration, they also became a focal point for all the hackers, scammers, and those wishing to game the system.
I recently had to go for x-rays on my hip. The imaging company called saying they’d received the “order” from my chiropractor for a knee arthrogram without contrast.
Apparently, this was both wrong and confusing. It’s wrong, because the “order” said hip, but they couldn’t read it; also it’s confusing because, well something to do with x-ray and contrast.
After a short discussion, it turned out the imaging company received the order by fax. Yes, real actual paper fax. The US medical profession still seems to run on faxes. My prior cardiology hospital sent my medical records to my new cardiology Dr via, yes, paper fax. Hospital-1 printed the records to a fax based printer driver, which sent them uing a fax protocol to Hospital-2. Apparently Hospital-2 receives as images in a variation of the TIFF file format.
In the case of my PT, no such luck. Handwritten, manually faxed, received by paper. Even if there had been no problem this created a HIPPA privacy and security cost. In this instance, the cost to clear up the confusion likely cost almost as much as the actual hip x-ray, as that was all that was needed.
While I know there are data interchange standards in the USA for medical records, or as they are called PHRs, it seems there still nothing that is universally adopted. When I contacted my new cardiology hospital and offered my PHR in (Epic Systems) Lucy format, they declined and asked for them to be faxed.
There are a growing number of apps for both ios and android that support EHRs (electronic health records) however, for the most part these are tied to a specific hospital and/or medical group. A good example is the Epic Systems MyChart app. It can read the data from my former cardiology provider, including details of my ER/and cardio surgery and the prescriptions I was given. I can export the data using the Hospital groups website, and that’s it.
Unless you choose your medical providers not on their medical excellence, but their ability to import your lucy records, this is no use at all.
The Big Boys are doing data interchange
My interest was sparked by the recent announcement from Google, Microsoft, Twitter and Facebook introducing the open-source Data Transfer Project (DTP). For the more technically interested, you can read the DTP Overview here.
I have to say, the use cases given for DTP are pretty weak. Conceptually, though there is much potential for this architected “Share…” facility. One of the key failings of DTP is that there is no ability to delete data, sure you can share your data to more sites/services but the DTP as specified doesn’t allow you to leave.
However, the most disappointing thing about this announcement is it’s aimed at allowing you to move your videos/photo’s, social media posts, and hopefully subscription platforms among the services supported.
To become a supported platform there are a few fairly simple architecture docs and then you have to build plugins or adapters to interface to the service to be able to send/receive data.
Ho hum. Boring. There is definitely space for big tech co’s to innovate around data interchange, but who cares about social media. I want to be able to pay for a PHR service, where I can store and control my medical record. Where I can grant access rights and authorise medical providers to retrieve my data, where I can see my medical records from across the providers etc.
I’m hoping that someone will point out this already exists, or that Nigel or Tom, who both now work in Helathcare will tell me why this isn’t a good idea. The USA is in desperate need for data interchange but it isn’t for social media.
Subtitle: How we get nice things and then they make them too expensive.
Recently contractors for Comcast/Xfinity have been all over Louisville drilling holes along the utility easement to lay conduit for fiber optic cabling for Internet and cable. The city has a brief here on the project which is supposed to be complete by the end of October 2018. Bad news if you are a customer in the service area, the city release says:
Comcast customers will experience an outage from 30 minutes to 6 hours with the typical outage being 2 ½ hours. Any outages for this kind of scheduled work is typically done between 7:00 AM and 4:00 PM.
Once the conduit/piping was laid at my house along the outside of back fence, things went quiet. Then today there were literally 15 trucks outside and across the street while they had a team meeting.
If you are stuck with little more than dial-up modem Internet speed, either because of cost, or because a faster service is not available to you, no doubt you’d think this is great. I already have CenturyLink 1Gbps fiber service, and this will likely be very good in the short term as competition drives down prices.
In the long term, this isn’t good news. The only winners will be Comcast.
They are playing the very long game. Initially lower prices until they either capture the CenturyLink market, or price them out of business and then prices will creep up every year as the bundle more and more services and offerings.
So while #cordcutting maybe a thing for now, they are betting that they’ll get the money back plus some since buy then they own enough content distribution, production and likely networking, we’ll be back to no choice. @TabloTV@CordCutters
There is no reason to believe the US Gov. Competition or anti trust will move to stop this and break up the too-big-to-fail media/internet companies and create a last mile marketplace.
I don’t know enough about the European Union General Data Protection Regulation (GDPR) but at least on basic reading it seems inadequate in meaningful individual action requirements and legislation that benefits the actual user/person whose information has been exposed.
I’ve been signed up for haveibeenpwned an excellent website by Troy Hunt. You enter your email, and it tells you what breaches your personal information has been found in.
I was going to say “if any”. But of course your data will be there, especially after breaches like the River City Media (RCM) “spammer gate” where 1.4 billion peoples’ email accounts, full names, IP addresses, and often physical address, were exposed. Suffice to say, my two primary email addresses have been exposed in more than 20-breaches.
haveibeenpwned was a great start. CapitalOne, at least among my financial providers, has stepped up the game significantly. Their creditwise arm has incorporated Credit & Identity Alerts in to the app and website. Numerous times recently I’ve received alerts, and while initially the alerts didn’t contain enough information to take action, the most recent alerts have had all the detail I needed.
Email alert from Creditwisevia website or app
Among the websites my data has been exposed this year include:
linkedin.com
kickstarter.com
ticketfly.com
bitly.com
myspace.com
last.fm
zomato.com
Some of these websites did individually send emails disclosing the breach. Of these, only ticketfly had any form of financial data that might have been breached. I have all my emails from them going back to 2012. Not a single word about a data breach or other exposure of my personal data.
The same is true for more sites than not. No notification. When you login to the site to at the very least, change your password to a new unique one, they more often than not also give you no indication. For many of them it’s also nearly impossible to find out how to delete your account. In the case of ticketfly, I submitted a trouble ticket asking how to delete my account but retain tickets for future events, so far nothing but a generic ‘we’ll get back to you’ response.
It’s time for legislation about what websites/businesses are required to do when they find a data breach. They must be held accountable, and not just through financial penalties that mostly just go into government coffers.
I’d like to see at a minimum:
Mandatory requirement to notify by email, and if the business has a real mail address, by mail.
A default opt-out and deletion period. At discovery, if data breached includes significant personal and/or financial data, the account must be deactivated. After notification, if the business has not heard from the user whose data is breached within 14-days, and the account is not already deactivated, it should be deactivated.
Recovery of a deactivated account should NOT depend on any data exposed in the breach.
When the user whose data is breached logs-in to their account following notification or during account recovery, they must be presented with clear information on what data was exposed. Two, they must be given a simple option at this point to permanently delete their account.
If the user opts to delete their account, any consequences of the deletion must be made obvious at that time. For example, in the case of ticketfly, where I’ve already paid for tickets to future events, those tickets must still be available to me, even after my account is deleted.
In the era of “big data” and “everything online” the only way these businesses/websites will really put privacy and security first is not fines. It’s the actual loss of the customer/user and their data. These companies are often over valued, and paying government fines is just moving magic money from one bucket to another. It has a short term impact on their profitability, their quarterly results, not much else.
You’d think given the proliferation of voice activated home technology like Alexa, Siri, Google Voice Assistant, Cortana etc. we’d be on the home stretch for voice activation in cars, where distraction is a real life threatening problem.
I don’t travel much now, I don’t drive more than 6k miles per year, which is a good thing based on today’s experience with Google. I’ll admit, I didn’t do any scientific research, I’ve no idea what other brands do, but I got stuck in traffic today heading into Boulder. I asked Google Assistant to read a web article from Vox.
My Google Pixel 2 phone is running android pie 9, I’m a Google ProjectFi cellphone network subscriber, and the phone is paired via Bluetooth to my 2013 Mercedes Benz. I switched the car audio via a car hardware button to Bluetooth. And asked Google Assistant to read what was on my screen.
It soon started to read out loud over bluetooth, HTML and CCS. This got pretty pointless, pretty quick. I switched back to FM Radio.
I called my wife using nothing but voice activation on the Mercedes with the paired bluetooth phone. While we were talking another call came in. I ignored it, it went to voicemail. When I’d finished talk to my wife, I pressed a button on the car to end the call.
I asked the Mercedes to “call voicemail” it did. The first thing the Project Fi voicemail system asked was for my voicemail PIN. There is no way around this, I sat there trying to get Fi to recognize the PIN by saying nine, seven, nine, six, nine, five(*1)
It was pointless… it wasn’t enabled for voice prompts. I pulled over, pressed the phone buttons for the PIN followed by the # key. I went straight to the options key-4, and there was no voice activation option.
Next-up, I tried the Google Assistant to try.
OK Google, call my voicemail
I said in my best English accent, with my best annunciation and trying not to sound “mockney“.
Google Assistant: calling
Project Fi: to access your voicemail, please enter your PIN. followed by the # key
ME: nine, seven, nine, six, nine, five
Suffice to say, it didn’t work.
Even if it had, worryingly, even when you use the keypad to logon and navigate your voicemail, after hearing individual voicemails, the only options are:
mark this message as read press 7
keep this message as new press 9
There is a more options, it’s just message details, and play message again.
If you press 7, you go back to the main menu, where the only option is 4, change your settings. No ability to re-hear messages marked as read.
All in all a pretty disappointing experience. Especially true given it’s a 100% Google experience, add in the heightened requirement to reduce distracted driving and the fact that touching your phone while driving is illegal in my cities, States and Countries.
I know for sure that 10-15 years ago, voicemail could be voice driven. To listen to your voicemail, press or say 1.
To delete the voicemail, press or say 3
etc. Yes, I do know that I can press the voicemail button on the phone app in Android, and that would bring up a screen like this with a voice to text translation of the voicemail, the ability to play the voicemail, and the ability to delete it… but that all requires physical interaction with the phone.
The questions that Zuckerberg never answered, including this:
How will you be remembered: As one the three big internet giants along with Steve Jobs and Bill Gates who have enriched our world, or as the genius who created a digital monster that is destroying our democracy and society?
As Facebook scramble to try to head off prohibitive legislation in the UK, Europe and the USA, it’s trying to reinvent it’s history and mission. I’m no Facebook historian, developer, professional watcher but it’s worth remembering some of it’s actual history, bugs, screw-ups and the often terrible defaults it implemented with new features.
I’d long imagined that Mark Zuckerberg was the embodiment of Zeke Hawkins character in the 1993 movie, Sliver. One of the things Hawkins said in the movies about his surveillance was the Google-esq:
We’ll do only good things.
All of the recent disclosures about access to Facebook data isn’t about hacking or other malicious activity, it is about poor design decisions; defaults in privacy that were good for Facebook but not for the user; and ultimately necessary for Facebook’s’ business model. They were not, as Facebook and Zuckerberg oft refer to them as data breaches.
As the voiceover says at the end of the Sliver trailer:
The view from the outside is nothing…. compared to the view…. inside.
My history with Facebook goes back to when it was “thefacebook”. I’d been a regular speaker and panelist at the Silicon Valley World Internet Center between 1998 and 2003 when I gave my last session on Open Source. The center was housed at Stanford University. Over my time there, I made contacts with many professional and personal contacts.
I started using livejournal as an emerging platform for “blogging” and tracking news for my then key triathlon interests in January 2004. That April, through one of the contacts I’d made at the World Internet Center, I was offered a userid to take a look at “thefacebook”. I didn’t spend much time on it, it was fascile, juvenille and voyeristic. I wasn’t surprised to hear that in 2003, the Harvard University administration had charged Zuckerberg with breach of security, violating copyrights, and violating individual privacy.
That set the path that Facebook has followed since then, their design decisions, their defaults, everything has been aimed at making your information publicly available, searchable and collectable. As I texted a few days ago, none of this need happened if Facebook actually cared about privacy. Each and every time they implemented a new feature, they did so by setting the user privacy to the least private allowed.
Great work, completely agree except the last paragraph opt-out. Want the feature? You need to opt-in. This is Facebook problem. Everytime they [Facebook] change something, they take the best default for them not the user, not privacy.
While Facebook claimed they were not selling data, which was probably legally true, but they were always selling access to the data. If privacy was really central to Facebooks management of data, then they would have made the defaults very different than they did.
All those infuriating apps and quizzes that your “friends” were playing Farmville, Candy Crush, etc. let alone the apps that wanted to know actual personal information, like where you’d travelled to etc. For a while in 2007 there was even a class at Stanford known as the “Facebook class” where students, many of whom went on to make hundreds of thousands of US Dollars, were instructed on how to make Facebook apps.
Lover of the Day was installed nearly a million times. If every user that installed it had at least one hundred “friends” on Facebook, that meant through a single app, four hundred million facebook users data could have been exposed and scraped. Even if “Lover of the Day” hadn’t overtly exploited this, it was totally naive rather than malicious.
By the end of 2010, there were hundreds of website scams that were, as far as I can see, just there to harvest your data, and that of your friends. There were numerous websites set up to track these, of which Facecrooks, was and still is one of the best.
When I got my Facebook data, before #DELETEFACEBOOK, I spent an hour searching through the data and my timeline to find interesting posts, pleas that I’d made to my friends about the lax controls, bad defaults and bad app choices they were making.In 2010 alone, I posted the following on my wall.
January 10th: “Well get used to it, the Facebook founder says your privacy is a relic of the past, everything should be public!”
March 2010: “So, not paying attention to the FB Privacy issue? Well last night the dumb ass’s made a change which made everyone’s email address public for about 30-mins even if you said not to or your settings… “
May 2010: “So yesterday Facebook blew their privacy yet again revealing private friend to friend conversations, allowing one friend to see outstanding friend requests of other friends…”
By 2011, music streaming startup, Spotify, was known to be aggressively using and promoting their business through facebook by exploiting the weak/lax Facebook privacy. If anything, the US Government Federal Trade Commision hearings lead to facebook changes that were in marketing speak “more transparent” but reality, more opaque. They made it easier to stop sharing, but harder to know what was being shared.
In 2015, the scraping of user data was still rampant, I found a number of examples of warnings, mostly in so called “Big company” giveaways.
March 2015: Friends don’t invite friends invite to the SW Airlines ticket give away. It’s scam, they are harvesting Facebook id’s, friends lists and email addresses and who knows what else!
It was followed by a long bullet list of ways you could tell if the giveaway was a scam. My post ended in
If don’t doesn’t have at least two of those it’s a scam… It’s not harmless, it’s like showing up at an orgy and not using a condom.
When Zuckerberg and Facebook try to rewrite history claiming these were a breach of trust, or they didn’t sell data, or they acted as soon as they were notified, I don’t know what the hell they are talking about. They knew, they just didn’t care until the politicians got hurt, and now the optics look really bad.
Yes, I do know that I can press the voicemail button on the phone app in Android, and that would bring up a screen like this with a voice to text translation of the voicemail, the ability to play the voicemail, and the ability to delete it… but that all requires physical interaction with the phone.
