Your “cookie disclaimer” is not enough

With various legal directives in place throughout the world, website owners are “off the hook” by providing a cookie disclaimer and the possibility for the visitor to “opt out”. Some websites have a rather odd approach where they refer you to a page with a vast amount of information abou their “data partners” and invite you to “opt out” on their partners’ page(s). It goes without saying that many people don’t bother because it’s just too much work (which is exactly the purpose).

But when your website designer relies on “web fonts” and/or resources from a content distribution network (CDN) like Javascript libraries, you are also, indirectly leaking some visitor data to the companies hosting such resources. Granted, you’re not “leaking as much data”, but with analytical AI and the huge amounts of data many of these “analytical companies” already have on your visitors, you’re simply providing one more piece of the puzzle to them. Free of charge.

The cost of free is perhaps hard to measure for you and me, but Google and others know exactly how much the data about your visitors is worth.

Ain’t that something.

New Cookie Disclaimer-proposal:

“By continuing to our site, you are agreeing to the collection of data about yourself beyond your wildest imagination and possible comprehension. We could explain it, but you wouldn’t get it anyway.  [OK]”

PS. Hosting external libraries and web fonts on CDN is not always such a grand idea when it comes to website performance. For each and every different such external “site address”, a new session handshake (SSL/TLS/etc) between the visitor’s web browser and the CDN is required.

Cookies in the jar turns into whiskey in the jar

For almost as long as “cookies” have existed on the Internet, companies have made a habit out of using them to track you, your “behavior” on the Internet, and to turn you into something “measurable”. For almost as long, there have been countermeasurements: “cookie blockers”, “ad blockers”, “privacy shields”, and so on. Cookies are, of course, only one of many data points being collected about you while using the Internet.

Companies using third-party service for anything from payment solutions to advertising and the collecting of statistics often don’t fully understand the implications of their choosing one service over another. And for the past several years, this has turned into a rat race.

On one side of the fence, there are companies like Facebook, Google, Quantcast, Amazon, Cambridge Analytica, and other, that want to know everything about you at almost any cost, and on the other side of the fence we have tools to “protect our privacy” during our online experience such as VPN, “ad blockers”, “privacy shields”, “Facebook containers”, “Privacy Badger”, and so on. (None of these tools will prevent you from being tracked by those to make it their business to track you, they are way ahead of such trivial attempts.)

So now people are blocking sites, all kinds of sites without necessarily understanding the implications of their actions. What makes it harder to distinguish “good sites” from “bad sites” is that quite a few of these “trackers” and “cloud asset sites” use sub-domains, like aj38305.trackyourcookies.com, so we end up blocking everything from “*.trackyourcookies.com”.

A company’s e-commerce site using third-party services to collect statistics and “web insights” can quite easily shoot itself in the foot, as the same services are also used in the payment verification process. I have had countless “Verfied by Visa” and “Secure Checkout” transactions fail because I choose to block certain sites, or prevent them from setting cookies. So this actually leads to poor sales performance, rather than enhancing it.

Companies using third-party services for e-commerce checkout solutions need to ask the service provider the question: Will your payment solution work with “ad blockers” and “privacy shields” before using them, or risk losing customers who find far less privacy intrusive services.

The tip of the iceberg: Cambridge Analytica and Facebook

The short version of this post: Wake the fuck up and smell the maple nut crunch!

The somewhat longer version follows.

The Netflix “documentary”, “The Great Hack”, is a great beginning of something that will take years to be argued, debated, and (mis)understood. Thinking that Cambridge Analytica is the “bad guy”, and “it’s going to be alright now that we know” is all too comfortable (and all too easy).

One serious issue with this and the people that are in charge of making sure it doesn’t happen is that they don’t understand, don’t want to understand, or are actually paid by people who have as their prime interest that they do not understand.

How the United Nations (UN) and other organizations cannot consider ownership of personal information to be a basic and fundamental human right is beyond me, but it also goes to show how slowly the “democratic” machinery works and how easily the system is manipulated by those who understand.

Getting clowns elected as “the ruler” of a nation, or deeply influencing referendums one way or the other, while sinister and non-democratic, is arguably, less dangerous than standing in the way of science in, perhaps, the most important question of our time; the climate debate.

When “data points” can be used to, in the best interest of fossil energy companies, manipulate people and nations to prevent science, common sense, and logic to have its way … we’re truly skating on thin ice; and, it’s melting.

Oh, and you seriously don’t think Google (and others) aren’t doing the same thing? Bwahahaha … that’s good comedy right there.

“War Pigs” and “The Dogs of War” (look them up) have more truth to them than we’d like to think.

The Great Hack (Netflix), IMDB:
www.imdb.com/title/tt9358204

Spotify. Privacy Policy. Oxymoron.

Privacy_smallSo Spotify’s new “Privacy Policy” (an oxymoron by the way), dated Aug 17 2015, all of a sudden allows the company and possibly its partners to utilize things like media files and photos stored on your phone. “With your permission”, according to Spotify.

Some posts on the Internet claims “There’s nothing you can do about this.” and others say that “This is the price you pay for free and/or ad based services.” I disagree with both statements. One such post is WIRED.COM’s by Gordon Gottsegen: http://www.wired.com/2015/08/cant-squat-spotifys-eerie-new-privacy-policy

The second statement is interesting in itself because Spotify uses the same “Privacy Policy” (did I say this was an oxymoron?) for paying customers as they do for users of their “free” services. So it’s not the price we pay for free and/or ad based services. It’s the “price” we pay for using Spotify. Period.

The first statement is incorrect as well. I can think of two solutions:

  • Stop using Spotify. There are other services. If you have a ton of legally acquired music in your collection, walk on over to Google Music and upload some 25000 tracks to it and off you go. Or store the music on your device as mp3s or listen to streaming radio stations 🙂 I am by no means suggesting that Google knows any more about Privacy and Integrity than Spotify does.

(By the way, Sonos has Spotify support built-in if you’re a Premium user, I don’t think Spotify can get a hold of your images and contact data that way 🙂

Oxymoron_SmallOn with the show, so what is the big deal with giving up this particular piece of privacy?

Well for starters, it’s none of Spotify’s business what I store on my phone.

Maybe I have Spotify on my one and only smartphone that I also happen to use for business. So I’m in a project meeting, I shoot some snapshots of a whiteboard, and this becomes available to Spotify?!

Or I happen to have contacts in my address book that do not want their details shared with Spotify and Spotify make me responsible for obtaining that permission.

This is – of course – ridiculous.

I understand obvious data sharing, as in if you choose to connect your Facebook and Spotify accounts. I do not understand intrusive and unauthorized use of private data.

Note that Spotify claims that they will only use this information “with your permission”. They do not, however, state how they will obtain that permission. As is quite common these days, you sign away all your rights when you begin using a service and/or app. So perhaps they’ve already received said permission. It’s an extremely loaded construct from a legal point of view, and I’m quite sure Spotify has done this on purpose.

If you don’t have a problem with that, by all means, keep using Spotify.

If you do have a problem with it, maybe this post will help: Unsocial 2.0, keep your family jewels out of the privacy grinder

 

Unsocial 2.0, keep your family jewels out of the privacy grinder

Given the number of online services, Smartphone suppliers, app developers, and the amount of data we “leak” to all kinds of companies, it comes as no surprise that it is nearly impossible to keep things separated.

Photos you take of your children, family, or colleagues can be tagged, used, stored, and seen by companies all over the world – and their employees. Photos you take of the whiteboard after that awesome project meeting can and will be used in a similar manner, you can count on it.

Combine this with location data and timestamps, and it’s pretty obvious that there are few things “they” cannot find out about you.

SecurityAlarm

The rest of the data, we willingly give away for free. And we do this because we always get something “for free”, right? We get 15GB of Google photo storage, we get 2GB of Dropbox space, we get to listen to Spotify’s music, and we get to post our project drawings, mockups, and source material for permanent cloud storage.

Some may argue that we’ve been doing this long before Google, Android, iPhone, and Apple. And they’d be right. Credit Card companies “bleed” or “leak” information to various partners. Shops personalize their offerings and discount coupon based on what you have previously purchased, etc.

And perhaps this is simply the way it works. Privacy and Information Integrity isn’t ours to have any more if we want to “participate online” in one form or other. The concept of “my private space” is an extremely confusing topic if you ask any given person born after 1990.

You can actually make it somewhat harder for your data to end up in the wrong place. But it does require an effort where it shouldn’t and it does come at a price. But you’re already paying a price, so what’s a few extra minutes of your time, right?

Use two completely separate identities using two completely separated devices of the same kind. I am not talking about separating your personal life from your professional life. There’s very little difference for many today. I’m talking about keeping your actual communication “safe” from the “social mind” or “global awareness pool”.

The market is over flooded with inexpensive and/or second-hand smartphones and tablets, regardless of your preferences. Get one that you only use for Facebook, Google+, Spotify, and other similar companies/services that don’t have the first clue nor interest in your right to privacy.

The idea of separating your identities is called compartmentation.

  • On your “scrap device”, use a nondescript e-mail address, which is typically used as a common key between various services.
  • On your “scrap device”, don’t take pictures that you don’t want “leaked” or store any useful e-mails.
  • On your “scrap device”, don’t store any useful contact information.
  • Needless to say, when signing upp for new services, etc. that you want to keep separate, you do it with the e-mail address used on the “scrap device”.

This isn’t all that hard actually. And if you want to share something from your “actual” device to your “scrap device” (like posting the latest photo of your dog on Facebook or sharing the coolest party photo on Google+), send it by e-mail (or Bluetooth, or NFC) to the “scrap device”.

Yes. It adds one step to the process. Perhaps that can also act as a useful filter so we can put an end to all these images of half-eaten food on social networks.

It would be interesting if a manufacturer could actually put out a device that was two devices in one, physically separated with the ability to switch the display from one to the other with a simple press of a button. Think “Dual SIM cards”, but going all the way.

SpyFlashMost smartphone and tablet devices today are way too powerful for most users to harness all of their capacity, trust me, you don’t need octacore and 4K HD resolution to scroll through your Facebook feed or read the latest gossip on Twitter.

If your boss at work doesn’t get this, ask her or him if it’s OK that the latest project whiteboard photos are sent to Spotify. Your boss may change her/his mind.