Blogroll update

May 25, 2010

It has been a while since I strolled through my own Blogroll… there is always good content in there worth sharing.

  • Mark Dixon is back blogging — here’s a great post on how to make a bad fake ID…
  • Patrick Harding has an interesting write-up on ADFS vs Ping terminology.  Interesting (to me) given that I’ve been working on an ADFS v2.0 project lately…
  • Kim Cameron also returns to blogging with a new post — a video interview that delves into Identity Federation and the cloud.
  • Jeff Bohren has some criticism of Apple’s handling of the iPhone 4 reveal by Gizmodo.  Seems the ‘iPolice’ are confiscating first and asking questions later…
  • David Fraser, the Canadian privacy lawyer, offers up a balanced view of StreetView and privacy non-issues.

And finally:

Mike


Facebook’s latest privacy troubles

May 22, 2010

After years of controversy, Facebook may well end up in a Canadian Federal court this fall.

In August last year, Canada’s privacy watchdog, Jennifer Stoddart, announced that Facebook had agreed to improve its privacy protocols to be compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA).

But instead of working to address the concerns, last December Facebook implemented changes that effectively further reduced user privacy.  In practice, these changes required users to manually modify settings to prevent friends, personal information and photos from being shared.  According to the Wikipedia entry Criticism of Facebook:

… a user whose “Family and Relationships” information was set to be viewable by “Friends Only” would default to being viewable by “Everyone” (publicly viewable). That is, information such as the gender of partner you are interested in, relationship status, and family relations became viewable to those even without a Facebook account.

Facebook clearly have decided that the increased revenue possible from sharing personal information is worth battling government privacy commissioners and lawyers.  And that’s fine — so long as our government continues to enforce our laws and bring violators to account, we can play that game too.

I’ve never had a Facebook account.  I can be patient.

But those that still trust Facebook with personal information — and haven’t bothered to examine the minutiae of the site’s privacy settings — will continue to have their personal information shared with 400 million users and thousands of advertisers, data aggregators and, well, pretty much anyone else on the Internet.  At least until the wheels of justice grind to a conclusion…

Mike


Top 10 identity attributes

May 19, 2010

There is a really interesting discussion going on at the LinkedIn Identity Management Specialists group about the top 10 identity attributes.

My contribution:

  • First Name
  • Last Name
  • Date of Birth
  • Gender
  • Former Last Name (at Birth)
  • Location of Birth
  • Passport number
  • Driver’s licence (or state/province) ID number
  • Professional or trade registration number
  • Bank account number

If you have a LinkedIn account this group is worth following. And for Canadian readers, check out Canadiam – IAM in Canada.

Mike


UK backing down on identity cards

May 18, 2010

With the change in government, there appears to be a shift in attitudes towards privacy, as evidenced by the cancellation of the UK identity card program.

Citizens may celebrate this minor return to sanity, but that country still has a long way to go before it shakes its reputation of being a surveillance state.

Mike


Google’s latest privacy troubles

May 15, 2010

Update 05/27: Kim Cameron has an excellent post on this issue (and a clarification here) that illustrates the identity impacts of Google’s wifi scanning.

It would appear that Google’s Street View cars were actively collecting data from unprotected home wifi networks over the past several years.  According to the New York Times article:

After being pressed by European officials about the kind of data the company compiled in creating the archive — and what it did with that information — Google acknowledged on Friday that it had collected snippets of private data around the world. In a blog post on its Web site, the company said information had been recorded as it was sent over unencrypted residential wireless networks as Google’s Street View cars with mounted recording equipment passed by.

I’m not sure how to react to this but it sure raises some questions:

  • Why would the Street View cars be scanning for unprotected networks in the first place? The company has said it helps to improve geo-location but given the other tools at its disposal, I suspect they weren’t relying on home network MAC addresses to keep their location data accurate.
  • Why would they then record user data — web sites visited, emails sent, etc. — and subsequently store it on central servers? How can this be classified as a ‘programming error’? Perhaps that explanation could fool some of the less technical authorities, but let’s get real here — systematic recording of user-generated data when only the MAC address is needed IS NOT a programming ‘error’.  It is a ‘function’.
  • Why would this only come to light after four years and why did it take a demand from a German official to inspect the car’s missing hard drive for this to become public at all?
  • Are we getting the full goods from Google, a company known for its privacy transgressions?

Companies like Google (and Facebook, a company with privacy troubles of its own) are successful because of the goodwill and trust extended to them by us.  There are other search engines and cloud services out there we can use.

Breaches like this are bad enough — the pithy excuses and blatant PR spin when caught are even worse.

Mike