Data privacy and why you should care

To commemorate today being Data Privacy Day, I wrote a piece for OpenProducts on how we see the current situation. Since I think this is important stuff, I am also publishing it here.


 

Users today have practically no control over their personal information. Most often they have no clue what information is gathered about them while they go about their day-to-day life on the Internet, and even less about how it is used. I say that it's time that we take back control of our online presence and create a fairer Internet.

Preface

This is the first blog post in a series of articles discussing Internet privacy, data collection, and mass surveillance. In this first post we start by talking about the problem: how the Internet works today, how most people use it, how they are most often being used by big data corporations, and what could be done to mitigate these inequalities.

The current state of the Internet

Today most home users connect to the Internet either through their local ISP at home or with a smartphone or tablet over a 3G/4G connection. Their day-to-day usage is typically centered around a few heavily used sites, such as Facebook, Google with Gmail, YouTube, checking in at Foursquare, etc. I would say that there are usually four or five major sites that the average end user visits daily. Long gone is the diverse Internet landscape of only a few years ago.

Using cloud services such as Google’s personal information management services, Facebook’s social network or Snapchat to keep in touch with friends can be a pleasant experience. Point your browser to the service's sign-up page, or download the app to your smart device, register for an account and you are done. No purchase of hardware or software, no installation or configuration, no updates or other maintenance. The best part of it all: it seems completely free of charge.

Most of us are aware that the service is free only because, even though we don’t pay for it in the normal sense, as in picking up our credit card and transferring a sum of money to the company providing the service, we surely still pay for it. I have actually had this conversation with some of my friends: how on earth can Facebook, and even more so Google, provide all these services without users having to shell out money to use them?

Despite what some might think, these companies are not in the social network business or in the business of providing cloud services such as email, calendar or storage. They are in the business of advertising. All of them make their earnings from advertising, and what they sell is you. They sell your attention by serving you targeted ads, or simply by providing knowledge about you, or more specifically your profile, to interested parties.

The more these companies can learn about you, the more money you are worth to them. What is your gender, age, location, civil status? How do you make your living? What is your occupation, your salary? What are your hobbies, and to which associations do you belong?

This is Facebook’s golden treasure chest. It seems people can’t put enough information about themselves onto these social networks, gladly entering all information about themselves: who they are, what they like, who they interact with and what they do together. It is no wonder that Facebook does whatever it can to tap into this well of information, while at the same time trying to block businesses from getting a free ride on the viral effects of cheap likes and shares.

The other, perhaps biggest, behemoth on this stage, Google, has a somewhat different approach to data collection (even though they have done their best to also enter the social network business). Google provides you with “free” services for your communication and information needs. While doing this they track your every move on the net and in real life, looking over your shoulder to record what you search for, which sites you visit, who you communicate with (be it by email, chat or voice), with whom you make plans and where you are going.

Another aspect of Google that one should be very aware of is their presence in niches not apparently directly connected with the data collection business: their hardware and infrastructure offerings. Google Fiber, Android smartphones, Chromecast media players and Chromebook computers all scoop up usage information that is then collected by Google.

To limit the scope of this blog post, let's leave out all IoT gadgets tracking your physical existence and all other gadgets in your home. This is material for one of the later posts.

Let us return to why all this information is collected and what makes it so valuable. The main source of revenue for these companies is, and has been for quite a while, selling advertisements.

If you want to reach out to people on the Internet today you have a few options. One “easy” way is to pay someone to get your information through to the intended audience, i.e. advertising. When doing this you of course want to target the right people: people that might actually be interested in what you have to say or sell.

In the infancy of the commercial Internet you would locate web sites that might have the audience you wanted to target. You then coughed up a large sum of money to put a banner on the site for a limited time and hoped for the best. This was a bit like hunting blindfolded with a shotgun: a rough aim and then fire.

What Google and Facebook offer today is more like a laser-guided missile. You want to target single Latin American males aged 26 to 35 with an interest in Norwegian forest cats, enjoying tacos, expensive red wine and working as a car mechanic? No problem, what would you be willing to pay for such a user clicking on your link?

The more these companies know about you, the better they can sell your attention to prospective ad buyers. Thus they will go out of their way to gather as much information as possible on what kind of person you are (reading your email, connecting the dots between you and your high school sweetheart, mapping your check-in habits at the local diner).

The problem

One could argue that this is completely okay; these companies are not breaking any laws. They only play by the book and do their best to utilize the opportunity they have, and do a good job at it as well. Another common comment is that collecting information is okay when using the service: the user simply does not care and in most cases is not even aware of how the collected information is used. The information provided is just the price you pay for the service. I would however argue that the end user has little to gain in the longer term by using these services.

First off, providing this amount of information about oneself to a single service provider simply gives these players too much power. What conclusions could be derived from the collected information in the future, we still do not know. Today the main usage of the information is to target ads, but there are already a lot of possible uses. A popular reference here is the Facebook relationship status predictor, which says that Facebook can predict whether your relationship is likely to end in the coming 60 days or not. How this information will be used in the coming years is hard to tell. I say that you should not trust any company with too much information about yourself. If you think these companies give your interests any priority, you should think again. They answer solely to their shareholders and ultimately to the laws of the country in which they operate.

Next up: many of these companies share information with third parties, use it internally for other business areas, and of course share it with governments. Anonymized or not, that all depends on the EULA you accepted but never read. Information you never intended to disclose is now used to filter you for purposes you never even knew or thought about.

Even if they don’t share this information with third parties, you are sometimes still forced to give your profile information up, say to a prospective employer, an insurance company, or maybe even a school you would like to attend. Not sharing this information will obviously raise doubts about what you could possibly want to hide. It should of course be noted that this demand is illegal in some countries.

Not being in control of the service used also means that you don’t have anything to say, or at least that it will require a lot of effort, if anyone decides that you are no longer eligible to use the service. It might be the service provider themselves or a third party, i.e. a hacker, locking you out of the service. What do you do while this is being resolved? How do you mitigate any damage caused by malicious use of your account?

A further consequence of the enormous centralization of these Internet services, or more correctly silos, that we have today is that they more or less have an oligopoly on the market, both in the sense that they hinder other possible actors and, even more so, with regard to end-user choice.

It is simply more or less not doable for new actors to compete commercially with these juggernauts. Establishing a competing service is more or less impossible. Just look at Google’s attempts to get a foothold in the social network business with Orkut and now Google+.

The other, possibly worse, consequence of the mass concentration of users of these services is that you are most often required to participate. “We use Google calendar in this association to plan gatherings” or “Let’s discuss this in the private Facebook group ‘John’s Stag party’ I created”. When all your friends are Facebook members but you are not, you will surely miss a lot of planning and informal information exchanges. Simply not participating is a hard choice for which individual users are penalized.

Finally, even if you decide not to participate in any of these networks, you will still be subjected to the collateral damage done by people using these services, dragging you into them as well while they use them. A mention on a social network, a photo tagged with your information. An email sent from a Gmail address or, even worse, an email you send to a person on a custom address that turns out to be hosted on Google. You simply have no way to tell in advance that this email, with all its content and addresses, will end up indexed and tagged by Google. You simply have no way to opt out.

What now?

To sum this up: even if this was acceptable, I would say users are not compensated enough by a long stretch for the information they disclose to these networks. Sure, they get a free service, some free storage and hey, all their friends are there as well. But at the same time they give up control over their information and have no insight into how it's used. They are not even guaranteed access to the service to which they supply the information. It is all at the mercy of the service provider's latest whim, change of policy or just a new direction of the company.

The solution to these problems is to make absolutely sure that the end user is in possession of their own private information. It should be the end user that has control and decides how their information should be used, not Facebook, not Google, and no other big corporation nor the local government.

If information is for some reason not stored under the physical control of the end user, it should always be locked down by encryption or other means that hinder unintended access to the data. Furthermore, the owner of the information should be the one in control of the locking device, be it encryption keys or physical locks. Information should of course be safeguarded at all times by secure communication channels while in transit, making sure that only the sender and the recipient can access the data.

The one solution I advocate is that users should be able to run their own devices and services under their own control. This would mean that we should fight to bring back the structure of the Internet as it was originally designed. Not the crippled distorted version we live with and use today.

This is an Internet where all peers were equal and information flowed effortlessly between users of the net. An Internet not hampered by filters inspecting traffic, an Internet free of ISP firewalls blocking all or part of the communication, an Internet without asymmetric broadband connections cementing a producer-consumer structure that leaves end users only consuming centrally broadcast data or requires them to upload their data to central storage points with better bandwidth.

With such an environment the end user would be free to use the solution they saw fit. Be it running their own services at home, using a service provided by a friend, a relative, or paying a service provider to handle it for them in a way not leaking data.

This would be an environment onto which we could build a fair Internet and users would be able to reclaim their digital lives.

Disclaimer: I am the co-founder of OpenProducts, a company which makes products that aim to let end users take back control over their private personal information. We however founded OpenProducts as a consequence of our personal belief that you should be in control of your digital life, and have no interest or intent to gather any personal information from our products.

Posted in Privacy

Excito applied for bankruptcy

So the cat had no more lives. An epoch came to an end when the Excito board of executives decided to apply for bankruptcy last week. What started some 12 years ago has come to an end.

Johannes has briefly mentioned this on the Excito community forum.

I really hope that this could turn into something good. It would be really cool if we could turn the Bubba platform into a community effort, saving some of the value.

Posted in Bubba, Excito

OPI – Under the Hood


I just wrote an article describing the internals of OPI. Could be an interesting read for anyone wanting to know more about OPI.

https://www.openproducts.com/2014/05/06/opi-under-the-hood/

Posted in Embedded, Linux, OpenProducts, Security

OPI Crowdfunding campaign launched

Yesterday we, OpenProducts, launched an Indiegogo campaign to kickstart production of our new product OPI.

From the press release:

“Today OpenProducts started an international crowdfunding campaign in order to jump start the production of OPI – OpenProducts Information Hub. The new product, developed in Sweden, will help us to reclaim the control of our digital life.”

You can reach the campaign here: https://www.indiegogo.com/projects/opi-reclaim-your-digital-life

If you know anyone interested please share!

Posted in Hardware, Linux, OpenProducts

Android, BlackBerry susceptible to Heartbleed attacks

And there you go, hot on the heels of my last post:
Vicious Heartbleed bug bites millions of Android phones, other devices

“The catastrophic Heartbleed security bug that has already bitten Yahoo Mail, the Canada Revenue Agency, and other public websites also poses a formidable threat to end-user applications and devices, including millions of Android handsets, security researchers warned.”

In the article over at Ars, Marc Rogers concludes: “If you have a vulnerable device and there’s no fix available for you, I would be very cautious about using that device for sensitive data.”

Even though the security risk on Android devices is mostly mitigated by process sandboxing, the point still is that many users of these devices are most likely left on their own without security upgrades.

Posted in Hardware, Security

Security on old devices

Heartbleed made me pick up a thought I have had for some time now.

I own a few elderly Android devices. And by old I mean 2-3 years old, which I know is eons in consumer electronics.

One big problem with the consumer device industry is that the makers quickly turn to newer products that can generate revenue for them. Maintaining old devices makes no money, so these elderly devices are left to their own fate. From this perspective Microsoft is a “model student”, giving 10-plus years of support for Windows XP.

The end result of this is that there are no security updates for these devices, be it my smartphone or DSL router for example, leaving me exposed to all kinds of Internet hostility. Kernel exploits, SSL bugs, you name it. Can it even be considered safe to use these devices on the Internet?

Furthermore, there is very little I can do about this. The only way to keep the device somewhat safe is to reinstall it with something like CyanogenMod or OpenWRT, which of course is something I could do. But how about, say, my elderly parents, or other “normal” users? The odds of them even realizing the problem are slim.

Maybe, just as we in Sweden have legislated how long a manufacturer should provide guarantees on their products, there should be a mandatory security update responsibility, say for at least three years.

Even better would of course be to only use a completely open source ecosystem with an easy way to change providers of the software running on my systems.

I say that it’s time to take the smart devices of today and let their owners take (back) control. And by this I of course don’t mean that everyone should do upgrades and alterations to their devices. My point is that there should be a more open ecosystem with more alternatives.

The sole answer to a streamlined user experience is not increased lock down and stupidification.

Posted in Uncategorized

A Cooperative cloud

 

With the commoditization of cloud infrastructure I just couldn’t resist playing with the thought of a cooperative cloud.

Let's say that you or your company has a need for a flexible IT department. The same goes for many of the peers in your network.

Instead of every one of you hosting your applications at Rackspace, Amazon or your local supplier, you team up with your peers and rent a rack and a Gb link to the Internet at the “best” local colocation supplier. Lease or rent cost-effective hardware to fill up the rack. Onto that hardware you then deploy something like OpenStack to use the said hardware most effectively.

To solve the economics, use the system's built-in functionality to record the usage, and split the monthly cost between the parties involved according to their share of the usage. If the system is not fully used, invite more peers or sell hosting to others. If running out of resources, rent more hardware.

The two main problems as I see it are security and physical administration. Who should be allowed to access the controls of the cloud, and how do you guarantee that information doesn’t somehow seep from one party to another? Clearly some adaptations have to be made to the administrative interface. But the biggest problem most likely is when the system needs manual assistance, breaks down or needs repair for some reason.

Feasible or just plain stupid?

Posted in Uncategorized

Time for some HDL

A while ago I read the excellent book The Elements of Computing Systems, which is the textbook of Nand to Tetris. And since I have nothing else to do 😀 I thought that it could be a good time to try some of those concepts on some “real” metal. Thus:

A Digilent Basys 2 FPGA devkit, which seems to have good Linux support. Let’s hope that I can find some time to play with this toy then.

Posted in Hardware, Programming

OpenProducts to take over Excito B3 product line

If everything goes according to plan, and OpenProducts and Excito can resolve some of the minor details, OpenProducts will take over the B3/Bubba product line from Excito.

More details and further news here http://openproducts.se/

Posted in Bubba, Excito, Hardware, OpenProducts

Interesting times ahead?

Digging into data sheets on power management circuits is only so much fun. Recent discussions with other “customers” might lead to a surprising turn of events. Most likely more information shortly.

Posted in Excito, Hardware