I finally had my first experience with the new backscatter x-ray machines at an airport security line last week. I was unable to see what the TSA saw as they looked through my clothes, though I did walk away with a few observations of my own.
First, as I was about to go through the usual metal detector device, a TSA agent asked to remove my belt. How this little piece of a belt buckle could take off a bottle cap, let alone take down an airliner is beyond me. Since I never proactively remove my belt, the time wasted and humiliation element of the experience notwithstanding, it is the inconsistency of the request that most disturbs me and shakes to the foundation my faith and trust in the staff at the TSA.
Since I admittingly gave the TSA agent a little bit of attitude for her asking me to remove my belt, (but allowed me to keep on my chunky, solid steel watch which in addition to weighing 5 times more than my belt buckle, could probably represent a weapon of mass destruction if thrown hard enough), she then asked me to step into the backscatter x-ray machine. The watch did not set off the metal detector by the way. Never does.
Second, though I (hopefully) do not represent an obvious threat to airline safety, as I possess none of the notable, empirical characteristics associated with would-be terrorists (except being a male): young, from middle-eastern or African descent, possibly Muslim, on a watch or do-not-fly list, possessing a one-way ticket, paid for ticket in cash, no checked luggage, sweating or fidgeting in line…I could go on. I am, in contrast, a frequent flyer, family man and in no possession of any radical views or positions (other than privatizing or otherwise banning the TSA.) Had any other terrorist ever boarded a flight with a Kindle?
So I took the request to go though the x-ray scanner as a purely punitive measure on the part of the TSA agent – not a random check, mind you, but a minor punishment as only a petty tyrant with no other power outlet than that at her disposal might inflict.
Finally, I had to remove everything – literally everything – out of my pockets including my wallet and 3 small vitamins before the scanner would work. Isn’t the point of the device to be able to detect stuff in my pocket or in my person?!?
In theory, I am not opposed to security measures to prevent or thwart terrorism on airplanes. I am one of the primary beneficiaries of security since I travel so much and am statistically more likely to incur an incident than your average American. What I do always question however, and I’ve said this before in previous posts, is the seeming lack of consistency and reason behind much the decision and apparatus in place. The response is that it is done intentionally so as not to allow terrorists to get comfortable with the TSA technique’s. Playing dumb so as to allow the enemy underestimate you? Fine. Classic move from the Art of War. I would love that idea if it could ever be true of the TSA.
Playing dumb, however, should not be an operational strategy for a business. It doesn’t work for me at my job, at home or anywhere else in the real world. The market severely punishes any company in the private sector if that is their approach – it does it all the time to drug companies that fail FDA tests or mischaracterize the benefits or uses of their drugs. And these kinds of events kill more people than terrorists have ever done!
Let’s privatize the TSA and hold them to the same standards as a private company. Once we make them play by the same rules and standards of transparency as the private sector, then we can begin to peel away the layers of charade and concentrate on the real measures of security that will ensure flyer’s safety without having to frustrate us into submission. And let us keep our clothes on and our dignity intact.
Thursday, December 23, 2010
Sunday, November 28, 2010
Have a 'pat down' this holiday season? Don't be afraid to invoke the "P" word for better security.
As the holiday travel schedule ramps up, so does the fervor and objections over pat downs and invasive screenings at airports in the United States. People recently subjected to these "love pats," as a Senator from Missouri innocuously (and ridiculously) referred to them, are in for quite a shock if they fly anywhere where else in the world except, say, Cincinnati or Des Moines.
As any frequent international traveler can corroborate, very intense and 'hands on' searches occur in almost every other international airport in the civilized world. Try flying through Frankfurt and not be subjected to a body search that even your family care doctor would find comprehensive. And these are not new procedures; I can remember the same thoroughness in place at Frankfurt, Heathrow and every Indian airport I have flown through for the last 5 years.
Why are Americans so indignant about the new procedures? Since when is flying a constitutional right? This is not healthcare; if you don't like the scrutiny you are subject to, you are welcome to use a car, train bus or boxcar. Inconvenient? Sure. But so is political correctness, it appears.
In this country we are so terrified to offend any person of any race, creed, religion or origin that we will go out of our way to inconvenience an almost total majority to show how fair and even-handed we are to any minority. This approach to security is 180 degrees different than the one the Israeli's take. You won't see any nuns, 80-year old grandmothers or 4-year olds being body searched. What you will see is a laser focus of their resources on the most likely and foreseeable risks to the safety of their citizens and the airlines. As I love to say, every decision you make is a microcosm of risk management.
In American and European airports, in particular significant volumes of traffic moving through them have required their associated security procedures to rely mainly on technology for screening luggage and detecting passengers with ill intent. Israel’s security philosophy, however, is based on a blend of advanced detection devices and personal interaction with the passengers. Granted, the primary airport in Israel, Ben-Gurion International, handles only about 12% a year of what U.S. airports handle annually, yet here are still some lessons we can learn.
Passengers are questioned from the time they drive up to the airport, until they are ready to board the plane. Usually, each person is questioned two or three times by different security agents, to ensure the story is consistent. Arab or Muslim passengers get extra-thorough screening, as do non-Jewish tourists. The Israeli method does not limit itself to only the profile of the 'typical' terrorist (if they exist anymore), but instead spend time questioning or searching anyone who appears nervous, flustered, inconsistent or just not right.
No airplane has ever been hijacked from Ben Gurion since the Israelis are not shy about deploying the "P" word - profiling. In the U.S. that word is such a hot button since it is typically associated with another taboo word - 'racial.' So when you add 'racial' and 'profiling' together, you have the most volatile term in the American lexicon - racial profiling.
For very good reasons, racial profiling is wrong, and more importantly for security and safety reasons, it is inefficient. Terrorists are not stupid; they have started recruiting other willing accomplishes who are not the once, tried and true terrorist profile: young, middle-eastern, Muslim males. If we continue to focus efforts solely on this cliché of a potential threat, we will always be chasing yesterday's news - with disastrous consequences.
Ironically, since early January of this year, the United States has in fact introduced new requirements based on a travelers’ country of origin or citizenship. Citizen's from 14 countries — including Afghanistan, Nigeria, Pakistan, Saudi Arabia, Yemen and Syria — are now required to undergo an extra search before getting on planes bound for the U.S. America. Profiling? Probably. Racial profiling? Definitely! I would argue that even enunciating and singling out these 14 countries is short-sighted and will ultimately be unproductive. If I was Al Qaeda, I would make sure that all of my next 100 recruits did not have passports from any of these countries. How easy would that be?
So what are your options this travel season? You can subject yourself to the patdowns or get your revealing full body scans (with you assuming the "I surrender" hands position), and "Say nope to the grope." Or, you can start to demand that we drop the inefficient, ineffective and politically correct way of American security screening: treating every traveler as if they were a possible terrorist. And instead, start to incorporate better and more efficient techniques from others who have learned and incorporate the art and techniques of risk management.
Sunday, November 14, 2010
India Gets Into The Identity Race
I have spent the last 10 days in India concluding my 12th visit in 7 years. I have seen quite a noticeable progress in the rickety infrastructure each and every time I go, as India walks away from the past and races to the future. However, this time I saw progress in a different, less obvious way.
Last month, the Indian government rolled out the first country-wide AADHAAR ('foundation' in Hindi ) to an Indian resident. This will be a unique 12-digit identification number, like a social security number that ultimately all Indians will possess. The government hopes to complete and issue at least 600 million IDs to its 1.2 billion citizens by 2014.
Currently, there exists a limited quasi-social security number in India, however the government is intending to reach out to the rural and less connected masses as part of the program. Formalizing and documenting the 'official' identity of millions of the rural poor will, among other things, help them bypass more expensive money-lenders and tap into the formal banking system. What is unique about this initiative though is the format and approach to the effort, and how it dramatically differs from the similar process in the United States.
In the US, as you know, all babies at birth are issued social security numbers, along with a snappy little bluish-white paper card (that some people still bizarrely carry around with them!?) printed with a unique nine-digit number. As easy as it is to counterfeit or replicate it, some places, believe it or not, still ask for the card as some legitimate proof of identification – think of the DMV as you try to renew your driver's license. No surprise there.
The AADHAAR, however, will be printed on a smartcard or other official document that will include 3 factors of identification unique to the person: an iris scan, a photograph and all ten fingerprints. To get a number, Indians will have to physically go to an enrollment agency and submit their credentials that will ultimately be collected in a central repository.
Orwellian fears and privacy concerns aside, what this will mean to the Indian economy is monumental. Soon, millions of Indians who are otherwise prevented from participating in the growth of the sizable economy will now be plugged into the system and able to leverage money and services that were never available to them before. In turn, millions, maybe billions of rupees in revenue that would have gone to the black market or otherwise unreported (and untaxed) can now be put to better use. Think of the number of new jobs that will be created to both implement and support this system once it is effected.
These new jobs won't all be the classic government-teat-sucking positions that you might think they'd be. Software has to be developed and supported; card readers will have to be created and deployed. All areas of the private sector will be prodded to build new ways to accommodate and authenticate their customers across a number different mediums. The US should take note here as the rest of the world moves to smartcard technology, while we stick with traditional magnetic strip technology and easily forged driver's licenses.
India will face many challenges as it attempts to implement a process like this, as it does with almost everything else that happens in that country. What will be most interesting to watch is how and if it is ever able to play catch-up and issue every citizen an AADHAAR. With a target rate of 10 million cards issued every four months, and a population growth of 4 million new people every quarter, it will be a very tough race to win.
Tuesday, October 12, 2010
Privacy & The Risks of Visibility
True story: a woman in New York tried to sue the manufacturer and distributor of an allegedly defective office chair after she fell out of the chair, claiming "serious permanent personal injuries." She alleged, among other things, that she had "pain and progressive deterioration with consequential loss of enjoyment of life."
Lawyers for the chair company were naturally suspicious because a recent photo of the Plaintiff on the internet showed her smiling and standing, without apparent assistance, instead of living the pain-filled existence she was asserting in her lawsuit. (She claimed she was confined largely to her bed and house.) Seems like she also took a recent trip to the Sunshine State, and appeared to be generally enjoying life. So then, where did the lawyers dredge up this seemingly damning evidence? Private investigators? GPS satellite photos? CSI? No. Where else? Facebook.
With good reason, lawyers for the chair company trying to determine if the case had any merit and if the injuries sustained were as severe as the plaintiff made them out to be, had trolled the internet. Finding evidence on Facebook (D’oh!) that the claim may not have as much merit as initially asserted, the chair company pressed a local NY judge to allow the company more access into the woman’s social media sites(!), Facebook and MySpace.
Essentially, the judge - Acting Justice Jeffrey Spinner of Suffolk County Supreme Court - told the plaintiff that she must allow the chair company access to her social media sites since “in light of the fact that the public portions of Plaintiff's social networking sites contain material that is contrary to her claims and deposition testimony, there is a reasonable likelihood that the private portions of her sites may contain further evidence….all of which are material and relevant to the defense of this action." Again, since someone posted something online contrary to their best interests, notwithstanding whatever privacy settings she thought she had on the sites, she now has practically incriminated herself.
Social media has really become the third rail of identity in the last 5 years. We have our professional online identities (and even places to post pictures of us in suits and ties – LinkedIn, Plaxo), our online personal identities (Friendster), and now the two big ones, Facebook and Twitter, that ever increasingly blur the line between personal and professional lives. Look at how sales people create Facebook pages, for example. The really good ones make it hard to differentiate who their friends are and who their customers are. Either way, they make it very convenient for other people to find them with lots of freely disclosed information.
Back in the old days, when you wanted publically available information on someone, you had to take laborious steps such as going to a county courthouse, or some other house of public records and spending the day looking up details in big, dusty official books. Each individual had to be investigated one by one. However, today, the internet, and specifically social media sites have now become the new public record. Instantly someone can search for info about you, not only across most public databases, but across other sites that you have voluntarily input data to be collated and analyzed, usually to your detriment.
Think about how human resource departments typically work. They get a hundred resumes for one job opening. In theory, they are looking for the right person; in reality, they are looking to weed out the wrong people. Though they could not admit it, they use social media tools and Google searches to build or justify a hunch, prejudice or bias against you as a candidate. It makes sense from their perspective. You cannot really blame them; it is just their way of doing a risk assessment on an unknown risk, you.
Lawyers for the chair company were naturally suspicious because a recent photo of the Plaintiff on the internet showed her smiling and standing, without apparent assistance, instead of living the pain-filled existence she was asserting in her lawsuit. (She claimed she was confined largely to her bed and house.) Seems like she also took a recent trip to the Sunshine State, and appeared to be generally enjoying life. So then, where did the lawyers dredge up this seemingly damning evidence? Private investigators? GPS satellite photos? CSI? No. Where else? Facebook.
With good reason, lawyers for the chair company trying to determine if the case had any merit and if the injuries sustained were as severe as the plaintiff made them out to be, had trolled the internet. Finding evidence on Facebook (D’oh!) that the claim may not have as much merit as initially asserted, the chair company pressed a local NY judge to allow the company more access into the woman’s social media sites(!), Facebook and MySpace.
Essentially, the judge - Acting Justice Jeffrey Spinner of Suffolk County Supreme Court - told the plaintiff that she must allow the chair company access to her social media sites since “in light of the fact that the public portions of Plaintiff's social networking sites contain material that is contrary to her claims and deposition testimony, there is a reasonable likelihood that the private portions of her sites may contain further evidence….all of which are material and relevant to the defense of this action." Again, since someone posted something online contrary to their best interests, notwithstanding whatever privacy settings she thought she had on the sites, she now has practically incriminated herself.
Social media has really become the third rail of identity in the last 5 years. We have our professional online identities (and even places to post pictures of us in suits and ties – LinkedIn, Plaxo), our online personal identities (Friendster), and now the two big ones, Facebook and Twitter, that ever increasingly blur the line between personal and professional lives. Look at how sales people create Facebook pages, for example. The really good ones make it hard to differentiate who their friends are and who their customers are. Either way, they make it very convenient for other people to find them with lots of freely disclosed information.
Back in the old days, when you wanted publically available information on someone, you had to take laborious steps such as going to a county courthouse, or some other house of public records and spending the day looking up details in big, dusty official books. Each individual had to be investigated one by one. However, today, the internet, and specifically social media sites have now become the new public record. Instantly someone can search for info about you, not only across most public databases, but across other sites that you have voluntarily input data to be collated and analyzed, usually to your detriment.
Think about how human resource departments typically work. They get a hundred resumes for one job opening. In theory, they are looking for the right person; in reality, they are looking to weed out the wrong people. Though they could not admit it, they use social media tools and Google searches to build or justify a hunch, prejudice or bias against you as a candidate. It makes sense from their perspective. You cannot really blame them; it is just their way of doing a risk assessment on an unknown risk, you.
Thursday, September 9, 2010
Security through stupidity.....still! Thank God!
Did your company suffer through the "Here you have'' virus, as it is now being called? It was one of the few exciting security events to happen to us guys in a number of years.
Good news: these inconveniences are becoming fewer and farther between as our technological defenses are getting better and smarter.
Bad news: we still are relying on the human element as the last bastion of protecting ourselves against basic attacks like this.
Worse news: even at the human level, the reason that many attacks don't make it is because the attackers are still seemingly unable to both spellcheck and put proper punctuation in sentences...the dead giveway to a bogus e-mail....still.
Look at an excerpt from the 'Here you have' example:
"This is The Document I told you about,you can find it Here."
See the mistakes? Capitalized words in the middle of a sentence, sloppy and incorrect punctuation, etc. Either the bad guys in this situation are either not native English speakers, or they were just stupid or lousy students who goofed off in English class.
Either way, we will only have a short period of time until these types finally get their act together and learn how to use that super-sophisticated advanced technology tool known as 'spellcheck.'
Good news: these inconveniences are becoming fewer and farther between as our technological defenses are getting better and smarter.
Bad news: we still are relying on the human element as the last bastion of protecting ourselves against basic attacks like this.
Worse news: even at the human level, the reason that many attacks don't make it is because the attackers are still seemingly unable to both spellcheck and put proper punctuation in sentences...the dead giveway to a bogus e-mail....still.
Look at an excerpt from the 'Here you have' example:
"This is The Document I told you about,you can find it Here."
See the mistakes? Capitalized words in the middle of a sentence, sloppy and incorrect punctuation, etc. Either the bad guys in this situation are either not native English speakers, or they were just stupid or lousy students who goofed off in English class.
Either way, we will only have a short period of time until these types finally get their act together and learn how to use that super-sophisticated advanced technology tool known as 'spellcheck.'
Monday, September 6, 2010
The Social Engineering Attack: Men vs. Women.
As summer fades to a close, and we mentally resign ourselves to getting back into work, I am interested in a recent contest that was just held about social engineering and how men and women fare differently against social engineering attacks.
For those of you who don’t know what social engineering is (it also called ‘pretexting’), think about when you have ever used any degree of charm, persuasion, eyelash batting or a glimpse of excess cleavage to get yourself bumped up to first class in an airplane, get into a crowded event, get out of a speeding ticket or just generally get something that you may not on the surface deserve. That is, you have ‘engineered’ your audience into doing your will. This is what the most skilled and devious thieves do to us – get information from us that helps them do bad things. It is the toughest attack to fend off and against, as our nature is to be helpful and help a brother out.
This recent social engineering contest consisted of calling 135 employees from Fortune 500 companies, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola to be targeted by social engineering hackers, trying to get the employees to divulge or reveal they information that could be misused by the attackers, such as what operating system, antivirus software, and which browser the companies used. The ’bad guys’ also tried to talk the ‘victims’ into visiting unauthorized web sites. Most of the information compromised in the contest was gotten by the hackers pretending to be insiders who were doing audits or consultants filling out surveys.
But here is the really interesting part: only five of the group of 135 refused to give up any corporate information at all. And all of the five were women.
The team that held the contest was unsure as to why it was only women who failed to reveal any data, but there are some other common traits. Three of the five women who shut down contestants were managers, and female managers are generally the least likely to fall for social engineering attacks. A security consultant who commented on the contest stated that the findings make sense, as female managers are “going to be the least trusting, the most suspicious."
This contest also points out another important factor: when it comes to the social attack, you cannot simply train for a particular attack, like getting a flu shot for a specific strain, for example. You must constantly train on the need for heightened awareness and alertness by your employees. The possible scenarios that bad guys could come up with to get your employees to divulge information is infinite and impossible to thoroughly prepare them for. You have to simply make them aware of the possibility of these kinds of attacks and get them to keep thinking strategically and out of the box. Because the bad guys will as well.
Finally, I thought I would end with this little, possibly relevant nugget: at my company, it is impossible to know everyone by name or face since we have thousands of employees, yet every time and any time I have ever been asked if I have my badge as I am trying to enter the side door on some morning, the questioner has invariably been a woman....
For those of you who don’t know what social engineering is (it also called ‘pretexting’), think about when you have ever used any degree of charm, persuasion, eyelash batting or a glimpse of excess cleavage to get yourself bumped up to first class in an airplane, get into a crowded event, get out of a speeding ticket or just generally get something that you may not on the surface deserve. That is, you have ‘engineered’ your audience into doing your will. This is what the most skilled and devious thieves do to us – get information from us that helps them do bad things. It is the toughest attack to fend off and against, as our nature is to be helpful and help a brother out.
This recent social engineering contest consisted of calling 135 employees from Fortune 500 companies, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola to be targeted by social engineering hackers, trying to get the employees to divulge or reveal they information that could be misused by the attackers, such as what operating system, antivirus software, and which browser the companies used. The ’bad guys’ also tried to talk the ‘victims’ into visiting unauthorized web sites. Most of the information compromised in the contest was gotten by the hackers pretending to be insiders who were doing audits or consultants filling out surveys.
But here is the really interesting part: only five of the group of 135 refused to give up any corporate information at all. And all of the five were women.
The team that held the contest was unsure as to why it was only women who failed to reveal any data, but there are some other common traits. Three of the five women who shut down contestants were managers, and female managers are generally the least likely to fall for social engineering attacks. A security consultant who commented on the contest stated that the findings make sense, as female managers are “going to be the least trusting, the most suspicious."
This contest also points out another important factor: when it comes to the social attack, you cannot simply train for a particular attack, like getting a flu shot for a specific strain, for example. You must constantly train on the need for heightened awareness and alertness by your employees. The possible scenarios that bad guys could come up with to get your employees to divulge information is infinite and impossible to thoroughly prepare them for. You have to simply make them aware of the possibility of these kinds of attacks and get them to keep thinking strategically and out of the box. Because the bad guys will as well.
Finally, I thought I would end with this little, possibly relevant nugget: at my company, it is impossible to know everyone by name or face since we have thousands of employees, yet every time and any time I have ever been asked if I have my badge as I am trying to enter the side door on some morning, the questioner has invariably been a woman....
Wednesday, June 23, 2010
Update: Is this the Roe v. Wade of Privacy Cases?
To follow up on my post of April 16th about a police officer, Jeff Quon, in Ontario, CCalifornia who was suing his employer for reviewing his personal texts on a company-owned and issued pager, The Supreme Court, amazingly, ruled 9-0 in favor of the Ontario Police chief, claiming that because there was reason to believe a work policy was being violated, his search of Quon’s texts did not violate Quon’s 4th amendment right against illegal search and seizure; the court ruled that the search was reasonable. Did I mention that the texts were sexually explicit? And were to his girlfriend, ex-wife, and another colleague?! (Women must love a man in uniform.)
This case is interesting for two reasons: secondarily, it is reportedly the first case on record to involve privacy issues regarding texting at work on a company-issue device.
But the main reason this case strikes me as revolutionary is that I don't think people realize just how close to Armageddon we really were if the decision had gone the other way...can you imagine the nightmare for IT, and for Legal if they had to try and perform discovery on company-owned devices that were constitutionally protected? This is the very model of privacy that Europe has today where the employee's privacy takes precedence, as opposed to the U.S. where there is no expectation of privacy in the workplace (usually). If the decision were for Quon than we would have seen a slew of other cases that would have fundamentally changed the way IT and Legal administer hardware and access in the workplace.
I feel like Earth just dodged a huge asteroid, but most people were distracted watching World Cup....
This case is interesting for two reasons: secondarily, it is reportedly the first case on record to involve privacy issues regarding texting at work on a company-issue device.
But the main reason this case strikes me as revolutionary is that I don't think people realize just how close to Armageddon we really were if the decision had gone the other way...can you imagine the nightmare for IT, and for Legal if they had to try and perform discovery on company-owned devices that were constitutionally protected? This is the very model of privacy that Europe has today where the employee's privacy takes precedence, as opposed to the U.S. where there is no expectation of privacy in the workplace (usually). If the decision were for Quon than we would have seen a slew of other cases that would have fundamentally changed the way IT and Legal administer hardware and access in the workplace.
I feel like Earth just dodged a huge asteroid, but most people were distracted watching World Cup....
Sunday, May 9, 2010
One Step Forward...Two Backwards...
The Step Forward….
Based on how young people use the Internet these days and what they deem fit for universal public consumption and disclosure, I have believed that for a very long time that they do not fully understand the implications of privacy and what it might mean to their personal and professional lives in the near and long term. Like impetuous youth, many do not think beyond the 30 minutes their attention spans can handle most days.
However, a recent story I read in the New York Times gave me some renewal of faith in the ‘yutes’ of the world as they begin to realize that self-censorship might be one of the most beneficial actions they can undertake in the protection and advancement of their current and future professional lives.
What many of these young people are quickly realizing is that not only are future and prospective employers trolling social media sites like Facebook, MySpace and search engines like Google for evidence of the candidate’s character, or other activity that may be representative of action ‘unbecoming of an officer’, but college admission offices are doing the same as well.
As an employee, you publicly represent the company; as a student, you are also a public representative of a college too. And as any business, (with the possible exception of the Hell’s Angels, I would imagine), public relations is a key element in the continued success of the college as it aims to turnout fine, exemplary products who represent the best of what the institution has to offer. So in addition to removing from their social media profiles any incriminating or questionable pictures, links, group associations and even political affiliations, some very canny students are starting to change the names of their Facebook profiles as early as Junior year so as to throw off the scent of the college admission snoop who is trying to determine if little Suzy is a collegiate candidate worth of the Ivy League institution’s hallowed sheepskin.
The Two Steps Back part…
Obscuring the details of one’s online avatar seems like a lot of work and possibly hardly worth the effort considering the risk to your privacy that someone might actually find you online. If you think that you will fall way under the radar of such important and busy people to waste their time in trying to find out if you have any drunken Mardi Gras pictures on your Facebook page or not, consider this website: www.peopleofWalMart.com. This website features pictures of actual customers of Wal-Mart taken by other customers and then uploaded to this site – without their permission or knowledge. The site claims itself to be a “satirical social commentary of the extraordinary sights found at America’s favorite store”.
Forget worrying about if your online privacy is being encroached upon or used as a factor in deciding your future, what this site tells me is that you cannot even take a quick trip to Wal-Mart in your scurvy, old pajamas to pick up a box of Q-Tips or Shake ‘n Bake without escaping the Black Hole of the ‘public domain’.
Based on how young people use the Internet these days and what they deem fit for universal public consumption and disclosure, I have believed that for a very long time that they do not fully understand the implications of privacy and what it might mean to their personal and professional lives in the near and long term. Like impetuous youth, many do not think beyond the 30 minutes their attention spans can handle most days.
However, a recent story I read in the New York Times gave me some renewal of faith in the ‘yutes’ of the world as they begin to realize that self-censorship might be one of the most beneficial actions they can undertake in the protection and advancement of their current and future professional lives.
What many of these young people are quickly realizing is that not only are future and prospective employers trolling social media sites like Facebook, MySpace and search engines like Google for evidence of the candidate’s character, or other activity that may be representative of action ‘unbecoming of an officer’, but college admission offices are doing the same as well.
As an employee, you publicly represent the company; as a student, you are also a public representative of a college too. And as any business, (with the possible exception of the Hell’s Angels, I would imagine), public relations is a key element in the continued success of the college as it aims to turnout fine, exemplary products who represent the best of what the institution has to offer. So in addition to removing from their social media profiles any incriminating or questionable pictures, links, group associations and even political affiliations, some very canny students are starting to change the names of their Facebook profiles as early as Junior year so as to throw off the scent of the college admission snoop who is trying to determine if little Suzy is a collegiate candidate worth of the Ivy League institution’s hallowed sheepskin.
The Two Steps Back part…
Obscuring the details of one’s online avatar seems like a lot of work and possibly hardly worth the effort considering the risk to your privacy that someone might actually find you online. If you think that you will fall way under the radar of such important and busy people to waste their time in trying to find out if you have any drunken Mardi Gras pictures on your Facebook page or not, consider this website: www.peopleofWalMart.com. This website features pictures of actual customers of Wal-Mart taken by other customers and then uploaded to this site – without their permission or knowledge. The site claims itself to be a “satirical social commentary of the extraordinary sights found at America’s favorite store”.
Forget worrying about if your online privacy is being encroached upon or used as a factor in deciding your future, what this site tells me is that you cannot even take a quick trip to Wal-Mart in your scurvy, old pajamas to pick up a box of Q-Tips or Shake ‘n Bake without escaping the Black Hole of the ‘public domain’.
Friday, April 16, 2010
Is this the Roe vs. Wade of Privacy cases?
If this isn't the Roe vs. Wade, or Brown vs. Board of Education-type of landmark case for privacy rights, then I don't know what is...
Here's the story: A police department in Ontario, Calif., issued two-pagers pagers to its SWAT team, and initially told the team that any messages sent via the pagers would be treated just like computer e-mail is, with no expectation of privacy for the contents.
After a few months, the Police department lieutenant then reversed his position and told his subordinates that the department would consider any messages sent via the pagers private and would not review them only if the officers paid for any personal messages beyond a monthly character limit of 25,000.
A few months later, the police department decided to review its policy to determine if it needed to increase its monthly limit. The department reviewed the transcripts of one of the users with the most texts, a Sgt. Jeff Quon. What they found when they reviewed the messages was that Quon had exchanged hundreds of (what else?) sexually explicit messages with his estranged wife, his girlfriend and another member of his team (I guess there is no crime in Ontario with all this free time.). The Sergeant paid for all of the messages he sent, but he was eventually cited and reprimanded for using department-owned property for both personal use on the job, and for using obscene language on the device, which is a violation of department rules.
Quon, along with the ex-wife, girlfriend, and fellow officer involved with the messaging, all brought suit against the department for privacy violations.
The U.S. Supreme Court takes up the case next week.
The question is this: is the general expectation of privacy inviolate enough to rule in favor of the Sergeant. Or, should the US-oriented policy of ‘there is no expectation of privacy on any company-owned or issued equipment’ rule the day in favor of the police department?
This the first real, substantive case to test privacy rights in the Internet era The issue at the heart of the matter is whether personal messages are indeed private when transmitted by an electronic device provided by an employer. But here is why this case really matters in the long run: texting on a pager aside, what happens if you are using e-mail or Facebook or Instant Messenger to communicate with parties outside of your employer? Should those messages be the property of the company since they were transmitted using company-owned devices? What about the privacy rights of the parties that you are messaging? They do not work for the company so why should their privacy rights be infringed upon by the employer of the sender?
Next week’s decision could be a simple reaffirming decision of individual rights being protected, or a very ominous sign about the impending and continual loss of rights and privacy in the digital age. Either way, you should pay attention.
Here's the story: A police department in Ontario, Calif., issued two-pagers pagers to its SWAT team, and initially told the team that any messages sent via the pagers would be treated just like computer e-mail is, with no expectation of privacy for the contents.
After a few months, the Police department lieutenant then reversed his position and told his subordinates that the department would consider any messages sent via the pagers private and would not review them only if the officers paid for any personal messages beyond a monthly character limit of 25,000.
A few months later, the police department decided to review its policy to determine if it needed to increase its monthly limit. The department reviewed the transcripts of one of the users with the most texts, a Sgt. Jeff Quon. What they found when they reviewed the messages was that Quon had exchanged hundreds of (what else?) sexually explicit messages with his estranged wife, his girlfriend and another member of his team (I guess there is no crime in Ontario with all this free time.). The Sergeant paid for all of the messages he sent, but he was eventually cited and reprimanded for using department-owned property for both personal use on the job, and for using obscene language on the device, which is a violation of department rules.
Quon, along with the ex-wife, girlfriend, and fellow officer involved with the messaging, all brought suit against the department for privacy violations.
The U.S. Supreme Court takes up the case next week.
The question is this: is the general expectation of privacy inviolate enough to rule in favor of the Sergeant. Or, should the US-oriented policy of ‘there is no expectation of privacy on any company-owned or issued equipment’ rule the day in favor of the police department?
This the first real, substantive case to test privacy rights in the Internet era The issue at the heart of the matter is whether personal messages are indeed private when transmitted by an electronic device provided by an employer. But here is why this case really matters in the long run: texting on a pager aside, what happens if you are using e-mail or Facebook or Instant Messenger to communicate with parties outside of your employer? Should those messages be the property of the company since they were transmitted using company-owned devices? What about the privacy rights of the parties that you are messaging? They do not work for the company so why should their privacy rights be infringed upon by the employer of the sender?
Next week’s decision could be a simple reaffirming decision of individual rights being protected, or a very ominous sign about the impending and continual loss of rights and privacy in the digital age. Either way, you should pay attention.
Sunday, March 28, 2010
The Privacy Premium....a.k.a. the 'Privacy Tax'
To continue in the vein of my last post, I wanted to dilate a bit on the idea of the privacy premium. As I started earlier, I don’t think it is too unreasonable to imagine a society in the not too distant future where privacy and security, or the privilege of it, becomes monetized enough to the point that it is not just marketed as a competitive advantage, but as an added ‘feature’ that company will charge you to implement.
We have had for years small examples of this idea in practice. Think about the security on your house; you have locks on the windows and doors but that’s about where it ends. For an additional cost, you can contract with a security service that will provide additional security piece of mind over-and-above what you practically get for free now. Recall my previous blog example of how today you pay an extra cost for not having your name in the phone book. Think about that for a second – we actually pay extra so that people can’t find us! See what I mean? What was once a status symbol, has become a privacy albatross.
At the far end of this spectrum will exist a service that erases all of your digital existence from any and every site or network you ever used or registered. So, no Google or Bing search will ever bring back any indication that you ever even looked at a computer. All for a fee.
Today, we already have two very stringent state data security laws, Massachusetts and Nevada, which call for, among other things, encryption of sensitive on any devices that are portable (what device isn’t these days?). Any size company that holds or processes the data of the residents of these two states are impacted, regardless of whether or not they are a ‘financial institution.’ Encrypting data is not easy; and it is not cheap. Small companies will inevitably be unduly burdened. The extra costs that these companies incur will have to be passed on somehow. Where and how do you think the costs will go and in what form? Higher costs of goods and services to the end users, of course. Translation: a privacy tax.
How does this sound for a marketing pitch? “We back-up all of our customer’s data on media that goes offsite every week to ensure continuity of business. Want to ensure that your data is truly private and secure, and from the threat of being lost or stolen? Of course. You will want to ensure that you select the “Assurity” option when you enroll in our program. For only an additional $5.95 a month, you will have the piece of mind of knowing that your personal information is put onto our secure, AES 256-bit encrypted tapes which reside in a hardened vault, safe and secure from prying eyes….”
We have had for years small examples of this idea in practice. Think about the security on your house; you have locks on the windows and doors but that’s about where it ends. For an additional cost, you can contract with a security service that will provide additional security piece of mind over-and-above what you practically get for free now. Recall my previous blog example of how today you pay an extra cost for not having your name in the phone book. Think about that for a second – we actually pay extra so that people can’t find us! See what I mean? What was once a status symbol, has become a privacy albatross.
At the far end of this spectrum will exist a service that erases all of your digital existence from any and every site or network you ever used or registered. So, no Google or Bing search will ever bring back any indication that you ever even looked at a computer. All for a fee.
Today, we already have two very stringent state data security laws, Massachusetts and Nevada, which call for, among other things, encryption of sensitive on any devices that are portable (what device isn’t these days?). Any size company that holds or processes the data of the residents of these two states are impacted, regardless of whether or not they are a ‘financial institution.’ Encrypting data is not easy; and it is not cheap. Small companies will inevitably be unduly burdened. The extra costs that these companies incur will have to be passed on somehow. Where and how do you think the costs will go and in what form? Higher costs of goods and services to the end users, of course. Translation: a privacy tax.
How does this sound for a marketing pitch? “We back-up all of our customer’s data on media that goes offsite every week to ensure continuity of business. Want to ensure that your data is truly private and secure, and from the threat of being lost or stolen? Of course. You will want to ensure that you select the “Assurity” option when you enroll in our program. For only an additional $5.95 a month, you will have the piece of mind of knowing that your personal information is put onto our secure, AES 256-bit encrypted tapes which reside in a hardened vault, safe and secure from prying eyes….”
Tuesday, March 2, 2010
Privacy À La Carte
Maybe you've already heard of a recent incident in a Philadelphia suburb where a school district gave a student a laptop to take home and use. What the student did not know was that the web cam on the laptop could be remotely activated and images could be captured and viewed by teachers. (Ostensibly, the laptop was configured to capture images of the machine’s user if it was lost or stolen.) The way the student found out that something was wrong was that a teacher reprimanded him for “inappropriate behavior” – at home! (Via the webcam, the teacher thought the student was taking pills, but it tuned out to be Mike & Ike’s candy. I know, I know…happens to me all the time, too.)
The lack of boundaries of privacy has only been exemplified with this web cam issue. The lines are increasingly grayed between where one’s responsibilities end and another’s privacy begins. Technology has all but shattered the partitions that used to exist in society used to areas of black and white. What is curious though is that the boy and his family are screaming about his privacy violatd, but he and his entire family have already begin the media tour, appearing on CBS' The Early Show the Saturday after it happened. (Translation: We value our privacy, unless we can extract some value out of it....)
The genie is out of the proverbial bottle with the state of privacy we once enjoyed. I envision a near future where privacy is no longer the quasi-right that people think it is today (BTW, the word ‘privacy’ is not mentioned even once in the Constitution); it is or will be a monetized privilege. Sort of like a drivers’ license is. Consider privacy as a ‘pay for service in future. You want privacy? You pay extra – like the extra cost you incur for not having your name in the phone book.
As we surrender ourselves evermore to the Siren’s call of convenience that technology sings to us, you either plug your eyes and ears (that is, stay off the grid, or at least off Facebook, Twitter, MySpace or any reality show), or do what Ulysses did when he and ship passed the island of the Siren’s; he had his crew tie him to the mast and refuse to let him go no matter what he said.
That is, he dealt with it
Note: Wikipedia notes that “the term "siren song" refers to an appeal that is hard to resist but that, if heeded, will lead to a bad result”.
The lack of boundaries of privacy has only been exemplified with this web cam issue. The lines are increasingly grayed between where one’s responsibilities end and another’s privacy begins. Technology has all but shattered the partitions that used to exist in society used to areas of black and white. What is curious though is that the boy and his family are screaming about his privacy violatd, but he and his entire family have already begin the media tour, appearing on CBS' The Early Show the Saturday after it happened. (Translation: We value our privacy, unless we can extract some value out of it....)
The genie is out of the proverbial bottle with the state of privacy we once enjoyed. I envision a near future where privacy is no longer the quasi-right that people think it is today (BTW, the word ‘privacy’ is not mentioned even once in the Constitution); it is or will be a monetized privilege. Sort of like a drivers’ license is. Consider privacy as a ‘pay for service in future. You want privacy? You pay extra – like the extra cost you incur for not having your name in the phone book.
As we surrender ourselves evermore to the Siren’s call of convenience that technology sings to us, you either plug your eyes and ears (that is, stay off the grid, or at least off Facebook, Twitter, MySpace or any reality show), or do what Ulysses did when he and ship passed the island of the Siren’s; he had his crew tie him to the mast and refuse to let him go no matter what he said.
That is, he dealt with it
Note: Wikipedia notes that “the term "siren song" refers to an appeal that is hard to resist but that, if heeded, will lead to a bad result”.
Saturday, February 20, 2010
Is Privacy dead? Or just Modesty?
As I have noted before, Sun Microsystems co-founder Scott McNealy was famously quoted saying: "You have zero privacy anyway. Get over it." But that was said way back in 1999!! Back then, there was no Facebook, no MySpace, no Twitter, nor LinkedIn; Google was barely a year old.
And privacy was already dead?!? (Where was I?)
Mark Zuckerberg, CEO and founder of Facebook recently said in an interview that "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time." And then went on to say that “ …we view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are," he said.
Interesting. So is Facebook and other social networking sites only reflections of what is currently acceptable in society at this point in time? If that is the case, then why must there be laws, for example, against drunk driving if people should know when to quit (the social norm) and not to do something dangerous like get behind the wheel after too many cocktails? Yet we have had to put laws in place that actually define what is drunk in the legal sense (i.e. blood alcohol level). Self-regulation, at least in this instance of personal behaviour, does not universally work out so well.
So what drives what? Does Facebook reflect the new normalcy of openness or does it merely provide an outlet for pent–up desire for everyone to engage in a community, share some intimate details with friends (but mostly acquaintances), and attempt to parse the much desired 15 minutes of fame into smaller, longer bits. Are our egos crowding out the sense of Victorain modesty that used to prevail in company of strangers, or even friends? With 350 million users now on Facebook, it is difficult to believe that only the extroverts have inherited the Earth…..
The question is: are sites like Facebook (not the only enabler here) simply the exploitation tool that drives the users to reveal more private detail, or rather, just the medium? Social networking sites like FB can be no different than videos like “Girls Gone Wild.” This outlet more than enables bad behavior; it rewards it with some kind of validation and exposure. But then again, should I be able to blame the New Jersey Turnpike for me being caught going 100 miles an hour…..?
And privacy was already dead?!? (Where was I?)
Mark Zuckerberg, CEO and founder of Facebook recently said in an interview that "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time." And then went on to say that “ …we view it as our role in the system to constantly be innovating and be updating what our system is to reflect what the current social norms are," he said.
Interesting. So is Facebook and other social networking sites only reflections of what is currently acceptable in society at this point in time? If that is the case, then why must there be laws, for example, against drunk driving if people should know when to quit (the social norm) and not to do something dangerous like get behind the wheel after too many cocktails? Yet we have had to put laws in place that actually define what is drunk in the legal sense (i.e. blood alcohol level). Self-regulation, at least in this instance of personal behaviour, does not universally work out so well.
So what drives what? Does Facebook reflect the new normalcy of openness or does it merely provide an outlet for pent–up desire for everyone to engage in a community, share some intimate details with friends (but mostly acquaintances), and attempt to parse the much desired 15 minutes of fame into smaller, longer bits. Are our egos crowding out the sense of Victorain modesty that used to prevail in company of strangers, or even friends? With 350 million users now on Facebook, it is difficult to believe that only the extroverts have inherited the Earth…..
The question is: are sites like Facebook (not the only enabler here) simply the exploitation tool that drives the users to reveal more private detail, or rather, just the medium? Social networking sites like FB can be no different than videos like “Girls Gone Wild.” This outlet more than enables bad behavior; it rewards it with some kind of validation and exposure. But then again, should I be able to blame the New Jersey Turnpike for me being caught going 100 miles an hour…..?
Subscribe to:
Posts (Atom)