Slashdot Mirror
Why Online Privacy Is Broken
Trailrunner7 writes "One of the more trite and oft-repeated maxims in the software industry goes something like this: We're not focusing on security because our customers aren't asking for it. They want features and functionality. When they ask for security, then we'll worry about it. Not only is this philosophy doomed to failure, it's now being repeated in the realm of privacy, with potentially disastrous effects. A quick search of recent news on the privacy front reveals that just about all of it is bad. Facebook is exposing users' live chat sessions and other data to third parties. Google is caught recording not only MAC address and SSID information from public Wi-Fi hotspots, but storing data from the networks as well. But the prevailing attitude among corporate executives in these cases seems to be summed up by Google CEO Eric Schmidt, who famously said this not too long ago: 'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.' If you look beyond the patent absurdity of Schmidt's statement for a minute, you'll find another old maxim hiding underneath: Blame the user. You want privacy? Don't use our search engine/photo software/email application/maps. That's our data now, thank you very much. Oh, you don't want your private chats exposed to the world? Sorry, you never told us that."
If we had continued improving on P2P instead of giving in to centralized servers we wouldn't be there...
I would think (and hope) that customers aren't asking for it because they're not aware of the risks, not because they don't care. Like when people stop using debit cards everywhere only after their card gets duplicated.
"Government is like fire; a handy servant, but a dangerous master." -- George Washington
The actions made by these companies, right or wrong, are legal. You can't expect companies (or governments... or individuals) to stop doing this if it is convenient, profitable, and legal. We need some legislation that basically says that they can't publish, transmit, or sell personal information without prior consent. And that any such release - intentional or accidental - must be reported to the individual.
In the US, we have such legislation but it only applies to medical information. That is silly - there's just no reason for companies to be giving this stuff out.
Actually, let me go a step further -- they shouldn't even store this information. I walked into Target and returned some merchandise. It was really simple -- because they kept my credit card on file. I never told them they could do that. As I walked away, they said "Thank you [my name]" so they knew that too. Why is it okay for a store clerk to have this? Why did my credit card company give out the credit card number and name? They don't need that. They need to know "User 81234756897 authorized purchase for $57.34 to vendor 9234857 on 2010/05/23 17:24 with authorization #239485768934." That's it. It should have been illegal for my credit card company to even give the information. Then for Target to store it. As a nice side-benefit, this also prevents fraud since no one in the chain can use my credit card.
There is no online privacy, anything you do online is public. If you would not say it in public do not say it online.
One of the more trite and oft-repeated maxims in the software industry goes something like this: We're not focusing on security because our customers aren't asking for it. They want features and functionality. When they ask for security, then we'll worry about it.
Let me counter that with one the more trie and oft-repeated maxims from businessmen in the 80s: Don't you worry about security, let me worry about blank.
Not only is this philosophy doomed to failure, it's now being repeated in the realm of privacy, with potentially disastrous effects.
And yet Facebook thrives and not until last week did Google offer secure searching and they're a giant. Sounds to me like companies that don't worry about privacy are doing pretty well -- maybe even the industry leaders. Maybe they're on to something about it being unimportant to the consumer?
A quick search of recent news on the privacy front reveals that just about all of it is bad.
Oh give me a break. Ninety percent of news stories are negative. Because it sells eyeballs. Really, do you expect a news article about the really great privacy that Slashdot offers Anonymous Cowards to appear? When privacy works, it's not news. Hell, when privacy is kept intact people don't even know. Your reasoning here is severely flawed.
Facebook is exposing users' live chat sessions and other data to third parties.
Yep, marketing's a bitch, ain't it? But then again, we're getting Facebook for free and I don't think there's been any case of someone suffering serious harm from Facebook dumping a chat to marketing. Certainly unsettling but has there been any sort of actual case of abuse and harm to the user? I use Facebook and I don't care much. I'm putting my data on their servers and they had me agree to some BS impossible to read ToS so I just mitigate that by keeping anything sensitive off it. If Diaspora takes off -- hey, great -- but until I can communicate with all my friends and family on it who are half a continent away no thanks.
Google is caught recording not only MAC address and SSID information from public Wi-Fi hotspots, but storing data from the networks as well.
"Caught?" That's funny. If you don't want to "catch" people "recording" your shit, stop broadcasting it and put some encryption on it and use a hidden SSID. You know, like the hundred or so Slashdot posts have pointed out.
But the prevailing attitude among corporate executives in these cases seems to be summed up by Google CEO Eric Schmidt, who famously said this not too long ago: 'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.'
"Prevailing?" So prevailing that you need to reference a half a year old quote that is about all we have of that attitude. That's the predominant force out there? Care to come up with more companies using that sentiment? Care to put that quote into context for me? Put the pressure on them and the companies will change. Fact is that nobody's putting any pressure on them so why should they stop doing something which allows them to better market to you with ads and make more money?
If you look beyond the patent absurdity of Schmidt's statement for a minute, you'll find another old maxim hiding underneath: Blame the user. You want privacy? Don't use our search engine/photo software/email application/maps. That's our data now, thank you very much. Oh, you don't want your private chats exposed to the world? Sorry, you never told us that.
[citation needed] Prosecutor is leading the witness. Seriously, you're putting words into their mouths. Evil, yes they are. Saying that they claim your data is now theirs by way of their actions is ridiculous. Then from there y
My work here is dung.
Google CEO Eric Schmidt, who famously said this not too long ago: 'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.
There are very few things that I don't want anyone to know, there are a host of things that I don't want everyone to know.
Both the Facebook chat bug and the Google recordings are unintentional mistakes. If they show anything, it's that completely bug free engineering is hard to do. I think we knew that already.
The Schmidt quote is just a statement about how this flawed world is, not how it should be.
The concept of privacy in these times and the future is a very interesting topic, but this post is just a whiny mini rant, not a serious attempt to understand the real issues.
The whole idea of "if you don't want it public, don't put it on the internet" always reminds me of this Onion video:
Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village
http://www.theonion.com/video/google-opt-out-feature-lets-users-protect-privacy,14358/
There's no reason that we can't have a reasonable expectation of privacy, even in our online lives. Especially from a technical standpoint. If I share some photos with 10 people, and one of those people decides to copy that photo into an email and send it off to 100 people, then that's a social failure, not a technical one. People I trusted betrayed my trust, on a social level.
But on a technical level, I should be able to share videos or photos or journal posts with a small group of trusted people, and be reasonably secure in the idea that only they will see them. That advertisers won't have access to that photo, that an api won't be able to pull the data without permission, etc. There's nothing extraordinary about that requirement, and that it's treated as absurd and unreasonable shows how far we've fallen from a basic perspective on internet privacy.
Open source can fill the gap. Our incentive, as open source software developers, is to provide the best software possible, and to not skimp on important features like privacy and security. We aren't trying to cater to advertisers, or to build empires based on fads and hype. I've been working on an open source, distributed social networking alternative to Facebook (and Myspace and other "walled gardens") that called Appleseed that focuses on strong privacy.
http://opensource.appleseedproject.org/
But most of all, by distributing these services, and allowing users to cancel their profile on one site, sign up for another site, and plug right back into the network they lost, it creates a level of competition so that social networking sites *have* to listen to the concerns of their users. They can't take them for granted. Not just in social networking, if we can continue push for open standards, open protocols, open platforms, etc., it means we have some leverage when a popular service decides to privilege it's revenue stream over the privacy of it's users.
When are we going to start taking responsibility for our own privacy? If it's a concern to you then do what's necessary to protect yourself.
I just don't get why this is suddenly such a big deal. What exactly did Google do that other's couldn't have? If you leave your wi-fi unencrypted and someone accesses it it's somehow THEIR fault???
If you don't want people to know your business start by not announcing everything you do in a public forum.
I guess I'm just not seeing what the big deal is with Google scanning and recording MAC addresses and SSID's. These are being broadcast in the open such that anyone driving by can see them. How is this an infringement of privacy? It is akin to undressing while standing in your front yard and then complaining when the neighbors watch you.
Sorry, but please take some responsibility for yourself. If in fact there is something so important that you don't want anyone to know, then don't do it online, PERIOD. This is nothing new and there are very few if any technological measures that can ever be deployed that will guarantee that your privacy / security will ever be secure. The level of hassle involved with making really improbable-to-break security is really hard and requires diligence on the part of the individual. If Vista taught us anything, it is that users do NOT want real security. They want to do what they want and not worry about how the system does it. Well guess what? The system isn't perfect and neither is the security. We live with the imperfection for the sake of simplicity.
"Facebook is exposing users' live chat sessions"
This was a defect in their IM system. This could happen in EVERY SINGLE store and forward based messaging system (AKA basically all of them).
If you expect each facebook user to generate their own Public/Private key then you're diluted (plus it breaks the online chat thing unless you're sharing your private key with facebook which would defeat the purpose).
If you expect software to be perfect then you're an idiot.
"and other data to third parties"
You agree to this when you clicked through their EULA (which is your fault).
"MAC address and SSID information from public Wi-Fi hotspots ..."
Data was wide open (which is your fault) and the company erroneously captured it.
Bye!
...Statements of Privacy Policy do. When a site gives explicit guidelines, to which you agree, and THEN they erode or drop the wall that THEY TOLD YOU was there, THAT is evil.
I'm looking at you, Facebook.
Google is an advertising/marketing company. Their motives and actions are consistent with advertising/marketing companies. They seem to be more "generous" than many other advertising/marketing companies in that they give away better "swag" but they are still an advertising/marketing company... and a very successful one at that.
Within their motives you can determine your expectations of them... and altruism isn't one of them.
If we had continued improving on P2P instead of giving in to centralized servers we wouldn't be there...
Alright, I know that a few projects like Diaspora are supposed to utilize this but I am still largely confused by this. Peer to peer implies that by owning my own personal data, it is on my home computer or laptop. Some people only have a laptop and some people like to power down their machines when they're away. So this seems to imply that you need to either have this disseminated to other peers in order for people to access it while you're offline. On top of that if you're disseminating photos or videos, this could get crazy for upload speed. So then your stuff is on another person's machine and who knows if they didn't just take and modified the Diaspora code to record all your stuff. Can you trust their node anymore than Facebook? Sure, it might be encrypted but it's hard to believe that it wouldn't be susceptible to a man in the middle attack or eventually crack the encryption by brute force. So you're kind of at that point back to the same problem as you are with entrusting Google or Facebook with your data. Otherwise you need to pay for a dedicated hosting server and they're not going to be cheap if you're miss popular with thousands of photos and that's not really P2P.
So how was P2P supposed to fix this problem? Especially for people with just a laptop or even like my parents who have a dial up connection out on a farm house with very tiny upload bandwidth. I'm just not getting a clear picture of how the average person would handle this.
My work here is dung.
Federal safety standards are pitiful compared to insurance company standards.
Federal standards mandate airbags, but only for the driver, not the passenger or side airbags they've been putting in. All of that is coming from the insurance industry - and except for the fact that all drivers must have insurance, it's completely free market. Things like better crumple zones and such are all designed to boost their ratings with insurance companies, because people look at how much the insurance is going to cost them when they think about buying a car.
Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
No he's not, at least not when taken out of context. There are a lot of things I don't want people to know. I color my hair, for example. I'd rather people just think I'm not quite as old as I am (or conversley, I'd rather people not think I'm older than I really am). Hair coloring isn't an illegal act, or even immoral for that matter.
Put into context:
If you shouldn't do something, or don't want people to know about something, you probably shouldn't do it in public.
Now, if you were to substitute "public web site" or "public places on the internet" or even "in a business establishment" for public, you'd be talking about the same thing. See, these are public places, and there's really no expectation of privacy except a wink and a nod.
Now, lets change that and make it a place you own. Your own bedroom. Your own living room. Your cabin in the mountains. Your own server. You can do just about anything you want. Clip that ugly toenail. Watch Glee. Revel in mounted animal heads. Store all your balloon porn. But if you're going to go do those things in the local pub, you probably shouldn't be thinking that they are private.
See, most of these sites are "free" (as in beer). Even if they didn't make money on selling your eyeballs and preferences for marketing, they still wouldn't be private places. There are places on the internet which are private. You can sign up and encrypt all your stuff, and keep the key. But they're not convenient for sharing. Just as drinking a fifth of Jack in your kitchen isn't nearly as much fun as drinking it in a bar with fifty friends.
Privacy isn't dead, it just needs a bit of explaining. Just remember - if you didn't pay for it, it's probably not a private place.
Is it just my observation, or are there way too many stupid people in the world?
Why should they have to ask for it?
Why isn't our private information considered intellectual property? Corporations try to make every aspect of their business protected, why should consumers do the same? I guess it would require a Supreme Court that not only are corporations considered "people" but that people are considered people.
A corporation can distribute data on a DVD or CD and yet claim that it should be illegal for me to copy and pass that data along. Why shouldn't I be able to give my private information to companies that I want to do business with and expect the same sort of protections?
I'm proposing the People Are Almost As Important As Corporations Act of 2010. I wonder how many legislators I'd be able to get to sign on as co-sponsors.
You are welcome on my lawn.
It's not online privacy that's broken. All that's changing is people's awareness (or more importantly lack of) of what privacy means in the digital connected world.
Street view is a good example, no one bothered to drive around the world taking 360 pictures of everything and logging the gps coords, so before Google did it, that information just wasn't accessible but more importantly it wasn't private either. By making it easily accesible to all, made people jump to outragous claims of privacy invasions. But afaik there isn't a single country where the roads aren't owned by the 'public'. So everyone has the right to go down a street and 'look' and so the drunks, cats in windows and people leaving sex stores with Black Mamba dongs where doing so in public and could have been seen by anybody. Just because Google 'looked' and stored what they saw, doesn't change this fact. If you don't want Google or anybody else to see what your doing, don't do it in a public or publicly visible space. You've never had the right to stop people looking through your windows, but you do have the right to block those windows, that's your choice.
The wifi mac/ssid issue is similar, you are publicly broadcasting those bits of information, anybody can retrieve them from the 'public' electromagnetic waves and store it. You decided to make those bits of data public when you chose to use WiFi tech, the fact you (and a lot of others) don't understand or care how WiFi works is irrelevant. Again you have the choice not to use WiFi.
Similar with FaceBook, you are choosing to publish information to a third-party. At the end of day it doesn't matter what privacy you thought you'd agreed to when you hit 'submit'. You've choosen to make it less private.
I think it boils down to: "People are slowly realising just because no-one gathered or analysed the information before, doesn't make that information private."
----- I refuse to have an argument with an unarmed person