Saturday, November 28, 2009

The Stolen iPhone

Look, barely a week is up and I'm already fudging on this idea of the blog being over. =] Well, I guess that's just good news for you readers. The reason I'm writing is less because I happened across any spectacular new invention, and more because I had this idea of LBS being dangerous brought home.

As I was heading home for Thanksgiving break this past week, I encountered a little bad luck. To my dismay, I arrived at the airport and realized my phone had been stolen. "You probably just lost it," you shrug, but unfortunately no, my fully charged phone was turned off after 2 calls. Despite the many calls to SuperShuttle and a scouring of the nearby area, the phone refused to materialize. A crime of chance from a shuttle cushion or a stealthy pickpocket? I guess I'll never know. I was immediately reminded of our Stolen Sidekick reading from earlier this year, and would quickly like to explain that I am not looking to punish whoever stole my phone or demand its return. That ship has sailed. However, once I accepted that my beautiful iPhone was actually stolen, I started calculating what I had lost... and someone else had gained.

On that phone were my Facebook and e-mail accounts, both of which were not password protected from inside my own phone. I also had a Wells Fargo app, which luckily had a password component (I believe =/). Notes detailed my driver's license number from the one occasion I had lost it, and also my new college address. My contact and text messaging history contained many of my personal views on various issues, none of which I wanted this thief reading. My various bookmarks on Google Maps indicate my house and school, and I am sure there is locational information stored elsewhere on the phone that reveals far too much about who I am and what I do. Not only was there a pure monetary loss, but all this information is now in the hands of some invisible criminal!

This was a side of the technology I had never fully contemplated. I knew of credit cards unlocking identity theft, but never phones. Now these small pieces of technology hold far more than is safe. When we say "my life is on that phone (or computer)" we don't realize quite how literally true it is. I mostly addressed how people could access the data from the outside in this blog, but one lost or stolen phone lends a whole new depth to the informational vulnerability.

An interesting thing to think on. What could we do to change it? I recommend password protecting to all those who don't already. That is certainly not something I will ever overlook again! I guess I will never know if the crook would have just set the phone down if there had been a password. But that's not a mistake anyone should have to learn the hard way. Take my advice, it's worth it.

Friday, November 20, 2009

Location-Based Services: The Here And Now

Over the past posts I have explored the emerging field of location-based services, and their implications for users, corporations, and marketers. Readers, I'm sorry to say that this will be my last official post for this Quarter. If I come across anything new or exciting, I will make sure to update you, however this is the end of my weekly posts. That being said, I wanted to leave you with a rather overall view of the technology, encompassing the ideas I have presented over the past few months. I was directed to such an article recently and would like to share with you the interesting but disturbing news I gleaned.

First off, the worries I have been addressing, the location-based services that collect and aggregate locational information, are no longer a "future" technology. They are here, front and center. While many of my previous posts have addressed the technology in relation to specific phone applications that are debatably popular and usually restricted to smartphones, this article went further, explaining that any phone could be tracked using cell-tower triangulation. Blackberries even send heartbeats to the mobile operator, while GPS and Wi-Fi make your position even more accurate. Even scarier, this data is already being provided to third parties for analysis!

Every destination is now tracked, and therefore addresses of your home, work, school, or gym become public knowledge. These corporations, often advertisers, know every frequent or infrequent location that you take your phone or GPS unit to. The interesting part is prediction. The data holder can predict where you will be at any certain time, from location, to route, to the people that join you. The ramifications are huge, with an intricate web of advantages and disadvantages that can no longer be avoided.

Naturally, these services are USEFUL, helping citizens go about their lives more efficiently and companies market their products more effectively. But at the same time we are LOSING something when we surrender our privacy for this benefit.

One of the main points that has wavered between convincing me and providing no comfort is the idea of giving less data to the service provider. Based on my reading of Blown to Bits, it is evident that de-identified data can be re-identified, however it seemed logical that if only the locational data were provided, without the name or address, the system would be safe. Unfortunately, this article explains how even by assigning a number to a user's transactions, a home and work address can become evident and from there other personal data can be inferred. This aggregation and use of data is still expanding, however organizations are learning to process more data faster, enabling the technology while degrading the user's privacy. Especially because this information is often put online, it becomes available to even more sources and therefore able to be copied into permanence.

The solutions to this problem seem insufficient, however they are certainly better than nothing. Asking users to stop using mobile devices, or only use them at work is unreasonable, while disposable devices are wasteful and not cost-effective. Unwilling to be inconvenienced in this way, many customers will continue using the devices and services, but hopefully the proliferation of articles and posts such as these will enlighten them as to the dangers of the technology. While enlightenment won't solve any problems directly, knowledge of the data that service providers can collect gives users the chance to decide whether to opt out of the service or not.

And for now, that is the message I leave you with. Keep sharing the truth about location-based services and privacy. Stay aware, read privacy agreements, and be responsible about your use of location-based services and devices. Looking into the future, the ability to protect privacy through design is the ideal option to protect our individual liberty and security. The designers of new technology have the option of creating these new protections, which is one of our best hopes for privacy protection in modern life.


Source: http://jeffjonas.typepad.com/jeff_jonas/2009/08/your-movements-speak-for-themselves-spacetime-travel-data-is-analytic-superfood.html

Monday, November 16, 2009

Location Gone Loopy

Loopt, a location-based iPhone app, is used to interact with friends in a locational context. Friends on Loopt provide updates on where they are and what they are doing, somewhat like Twitter, and share that with a set group of contacts. Their friends visually appear as face bubbles on an interactive map of their location (be it city or country or suburb).

Apple recently released Loopt 2.0, which added in other location-based services to the social networking site. A new emphasis of the service is on places and events, providing ads and coupons for nearby businesses, events, and stores. Ratings from both Zagat and other Loopt users appear with the location, and directions, phone number, and web link are easily accessible. Loopt 2.0 also includes an "always-on location sharing feature," which it negotiated with AT&T.

Technology Worries

This technology perfectly demonstrates many of the location-based services I had referred to as a "future" or "coming" development. Now those technologies are here, and it is interesting to think about their effects:

"NAVTEQ LocationPoint™ Advertising enables Loopt to provide highly targeted and relevant offers and promotions in a mobile environment when and where consumers are making shopping and purchasing decisions. " Here we have location-based advertising, allowing retailers to target nearby shoppers and influence them at the moment of purchase. This is admittedly beneficial for both sides, however Loopt therefore collects, maintains, and uses your location information in order to provide these new services. Even when the application isn't actively open and running, Loopt can continue collecting and tracking locational data, though it will not be displayed to friends unless you specifically ask it to.

One way that Loopt tries to protect privacy is by maintaining "for its use only each User's most recent location fix." This is its effort to try and prevent the aggregating of data that can be used to plot trends and therefore infer a variety of things.

Related to the advertising effort, "Loopt discloses some personally identifiable, registration, profile, or location information to subsidiaries, affiliated companies, or other businesses or persons to: (a) provide certain features; (b) serve relevant advertisements in support of the Loopt Services; and (c) process such information on our behalf." While Loopt itself might not store the data, what is to say that these subsidiaries aren't tracking and aggregating the data? Users have no contract with these other companies, and therefore have no control. To help prevent malicious uses, Loopt mandates that these partners agree to "use appropriate confidentiality and security measures" and also try and limit their use of the data. By controlling their own use of the data as well as the subsidiaries' uses, Loopt attempts to protect their customers, but with debatable results.

Unfortunately, drawing on our reading of Blown to Bits, where data was able to be re-identified given only a few characteristics, "Loopt discloses aggregate, anonymous log file and usage information in reports to interested third parties to assist those parties in understanding the usage patterns and performance results of certain advertisements, content, services, promotions, or features." This is unfortunate if enough information is included for the data to be re-identified, because it jeopardizes the user's privacy and freedom.

Given these privacy worries, users should be cautious of their use of Loopt 2.0, seriously considering if the privacy concerns that Loopt only partially mitigates are worth the service of providing easily accessible information.

Sources:
http://www.macworld.com/article/143878/2009/11/loopt_2.html
http://www.loopt.com/pressreleases/loopt-unveils-major-update-that-unites-mobile-social-and-local-discovery
http://www.loopt.com/about/privacy-security
https://app.loopt.com/loopt/privacyNotice.aspx

Monday, November 9, 2009

SmartMetric: How Smart Are They?

An interesting trend that I have noticed and commented on is the fact that many of these articles enumerate no method for user-privacy protection. Reading some of the newest articles, I have come to the realization that such information is not included because marketers and reporters don't think consumers would be interested, not because those features don't exist.

Looking at a recent article on SmartMetric, a fingerprint-activated ID card provider, it mentions briefly "storing a wide variety of personal information while protecting you against identity theft and fraud," however from there it doesn't elaborate in the slightest as to HOW. Even on the company's webpage, privacy is implied, but never explained. After extensively searching the site, I find a statement seemingly regarding privacy, saying "all your personal information is stored on the card, not on a central database. You are protected from hacking and unauthorized accesses because only you can unlock the information" by passing in your fingerprint. My main questions now are: what happens to that information once it is transmitted? And what happens if that card falls into the wrong hands?

The question of what happens if the card is lost or stolen isn't addressed throughout the entirety of the company's website. Now, while I expect that there are various protections against users without matching fingerprints getting data off the card, it might be possible for criminals to breach the card's security if they can physically get their hands on it. If that were possible, they would seemingly have stolen the user's identity, money, intellectual property and history. By consolidating all this information into one handy card, it also increases the cost if the card is lost or stolen. Now in all likelihood, technological masterminds aren't going to go around beating up businessmen for identity cards, however it is enough to make someone nervous. It is like Britain consolidating its tax histories on one disk: it increases the penalty if the card is lost.

Regarding the information once it is submitted, there is no hint of explanation and it is harder to suppose answers because of the number of available solutions. Perhaps the data is encrypted and sent to the receiver of the biometric data (in most cases an employer or the other party in a funds transfer). But without any information on the website, how would a consumer of this technology know? To the best of their knowledge, this device could be 100% secure up until the moment your fingerprint was scanned and suddenly *bloop* your personal, biometric, financial, locational, and corporate information was just sent to the receiver, but 84 other people in the surrounding area with RFID readers also got a copy.

It may be "one of the most advanced portable identity authentication solutions in the world today," however not only are its privacy protections unarticulated, but it is bound to the same control issues as other technologies I have mentioned before. SmartMetric supports itself, stating "the company believes that the transmission security offered through its SmartCard and integrated biometric technologies are superior to that of automated teller machines." However again, no mention of how. Further, the company brightly chirps "perfect for keeping track of the population within a given space for government or corporate use." Enabling employers to track and control their employees, that is a good thing? Well perhaps in balance with security it is, however giving that control to the government by putting the passes in passports, driver's licenses, or health insurance cards allows the government to perform "tracking of an individual within a building" or "location of persons electronically." It sounds now like this technology is designed specifically to help employers become "masters".

Given the unarticulated privacy protections and worrisome suggested uses, this technology embodies the consumer's worries about location-based technologies. Without better protection from both interception of data and misuses of the technology, this technology will find no audience with privacy-concerned consumers. On a higher level, it is the duty of good reporting to provide information of concern to the audience, and the protection of our fundamental right to privacy is certainly of concern to consumers.


Sources:
http://money.cnn.com/news/newsfeeds/articles/marketwire/0556805.htm

Monday, November 2, 2009

Facebook: Current Privacy Settings and What They Might Mean for the Future Incorporation of Location-Based Services

http://www.techcrunch.com/2009/10/29/facebook-rewrites-privacy-policy-foreshadows-location-based-services/

Given the fact that Facebook seems to be planning to adopt a location-based side to their platform and services, I thought it was important to address how Facebook currently operates within their privacy settings, how easy it was to change those settings, and how transparent the information was. While the locational information isn’t already included in the privacy settings, the current settings provide a model for what is likely to come. The trends I found were both encouraging and somewhat disheartening, because based on my research Facebook is highly committed to transparency, however it seems that users aren’t taking advantage of the opportunity to track the information about themselves being distributed. This interesting situation is a good marker for how location-based services might be handled in the future.

Facebook has proposed changes to their privacy policy, especially concerning location-based information. This new shift protects Facebook from any liability and reminds users that if they share information with “everyone” it can be collected by a third party and be impossible for Facebook to delete. The article details the major changes in the policy, and commends Facebook on making their terms clearer and easier to read.

Given the interesting changes in the article, I took the time to check my own Facebook settings to see where I currently stood and how easy it was to change the settings. I was shocked to find that my security settings were completely different from what I had expected and believed I had programmed at the conception of my account. While I had believed my profile to be private to my friends, it was actually open to my whole network, not to mention my pictures and groups were visible if someone were to search my name. After navigating through a variety of different settings, I came to a page that informed me that Facebook ads had actually been using my information in ads to my friends, and even including my profile picture occasionally. Additionally, without my knowledge a public search listing was created for me the moment I turned 18. The information on applications was less of a surprise but still worrisome. I had noticed from the beginning that the “I Agree” boxes at the beginning of applications seemed rather all-encompassing, therefore I often avoided or used then deleted any application I came across. However, the idea that if one of my friends authorized an application, they could use all the information on my profile available to that friend was shocking! What these applications could see included my: current location, relationship status, profile status, personal information, wall posts I had made, and my work and educational history. I actually had to go through and de-select every item that I didn’t want shared with an outside application.

On the one hand, it is technically the user’s job to check and modify their own privacy settings. However, the amount of information available to third parties because of these little checked boxes hidden away in my privacy settings was frightening. Without reminders to check your privacy settings or notifications of modifications, users could easily be constantly sharing a different amount of information than they expected. This situation requires the user to fight for their privacy instead of opting out of it if they were less concerned about privacy issues. Users might, and often do, enjoy ads specifically tailored to their interests, however might be less thrilled to appear in ads to their friends. Given the importance of this distinction, it seems reasonable for Facebook to alert the user on occasion (either every few months or each time the user agreement is changed) to update their privacy settings. Especially as Facebook integrates location-based services into their setup, it will be increasingly important for them to be very transparent about what information is public, what is private, and the definition of those two terms.

Despite things that Facebook could do better, they are already doing a lot right. A clear and transparent setup on the Site Governance page with easy to navigate links to more information gives the user the basics with quick access to depth. By personally investigating reported misuse and promising to act accordingly, they accept the burden of policing the site and keeping both other users and third parties from abusing the platform. Their third-party advertisements are designed in a way that the advertiser chooses specific characteristics of users he wants his advertisement displayed to and Facebook does the distributing of ads from there. This is a much better system than releasing the information to advertising companies for them to choose from. It releases less information, allows Facebook to censor inappropriate content from advertisers, and helps them take the user’s privacy settings into account.

Unfortunately, the majority of users never read the privacy agreements or visit the Facebook Site Governance page to check any new developments or how their information is being used; but if they did, they would find a well organized, easy to navigate site that clearly spells out the inner working of Facebook’s privacy settings. Every user could benefit from keeping better track of their personal information online, especially when location is about to be added to the mix. In this situation, it is hard to fault the creators of this straightforward site, showing that the responsibility truly falls on the user to make the effort to check their settings now and again.