Well, Scoot

For anyone who hoped the Era of Disruption was almost over, I have one piece of advice: don’t hold your breath.

We’ve made some progress, but far from backing off on the importance of disruption in defining business models, today’s corporate warriors are doubling down.

That’s right, we’ve left the first period of the era and entered the second: the Period of Meta-disruption. We’re now seeing the disruptors disrupted. Nowhere is this clearer than in San Francisco.

Uber, Lyft, and their various brethren set out to disrupt the taxi industry, and in large part they’ve succeeded, especially here in the Bay Area. But now we’re getting a wave of companies out to disrupt the ride-hailing business model.

Three companies–Bird, LimeBike, and Spin–are pushing motorized scooters as superior to ride-hailing over short distances or when traffic is congested–and when is it not?

San Francisco was late in regulating ride-hailing (just as they were late in regulating short-term rentals) and the Board of Supervisors is determined to get ahead of the curve on scooter rentals.

Frankly, they don’t have a choice.

The model all three companies are pursuing is “convenience”. They want to be sure there’s always a scooter nearby. That means depositing caches of them in high-traffic areas and encouraging users to spread them around by leaving them at the end of their rides.

Which is great for the companies, of course, but not so great for the general public who wind up dodging scooters left on the sidewalk, in bus zones, truck loading zones, doorways, and basically anywhere there’s enough room for them.

And that’s without even considering the impracticality of forcing riders to abide by state and city laws requiring helmets and forbidding riding on the sidewalk. After all, if the app wouldn’t unlock the scooter unless the customer was wearing a helmet, nobody would bother with the service.

I do agree that it’s not the rental companies’ job to enforce the law, but they could certainly do a better job of reminding riders that they shouldn’t ride on the sidewalk. Give ’em a great big warning–a sticker on the footboard, or a click-through screen in the app–and let the police take it from there.

On the other hand, it shouldn’t be necessary to get law enforcement involved on the parking end. It should be technologically possible to use the phone’s camera to take a picture of the parked scooter and then use a bit of AI to determine whether it’s been left in a safe spot. If not, just keep billing the user until they move it*. At fifteen cents a minute, people will figure out fairly quickly that it behooves them to not leave the thing where someone will trip over it.

* Or until someone else rents it, of course. Double-charging would be unethical.

All that said, despite the back-and-forth in the press between City and companies, I haven’t seen anyone address the question of privacy.

By design, the apps have to track users: where did they pick up the scooter, where did they leave it, where did they go, and how long did it take? All tied solidly to an identity (or at least to a credit card).

Who gets access to that information? Do the companies sell information to advertisers? Do the apps continue to track customers between scooter rentals?

Don’t forget, these companies think the way to launch their businesses is to dump a bunch of scooters on the street and let the market sort things out. Do you really want them knowing you used your lunch hour to visit a doctor? A bar–or maybe a strip club? How about a political demonstration?

Uber has certainly been tagged for over-zealous information collection. What safeguards do LimeBike, Spin, and Bird have in place to protect your identity?

Word Outta Redmond

Multiple sources are reporting that Microsoft has released a price tag for upgrading to Windows 10 when the current free upgrade offer expires at the end of July.

The cost? A mere $119.

Color me skeptical.

Not that I doubt that will be the official price. But consider that, as Ars notes, there are currently three times as many Windows 7 systems out there as Windows 10. Does anybody really believe that Microsoft sincerely thinks users who haven’t upgraded at no cost will pay for the privilege?

And remember, it’s greatly to Microsoft’s benefit to convince everybody to upgrade. Not only are there the cost savings for them in reducing their support burden for older OSes, but there’s also a significant income opportunity for them in monetizing the user information they get from Cortana and the OS in general.

So I suspect that Microsoft will find continuing opportunities to reduce or eliminate the upgrade fee after July 29th. For example, “To celebrate the release of the Windows 10 Anniversary Update on July 30th, we’re offering a free upgrade to users of Windows 7 and Windows 8!”

OK, I’m not an advertising copywriter. But I’m sure Microsoft has several of them on staff, fully capable of making the same thing Microsoft has been doing for a year sound fresh and exciting.

Am I changing my recommendation to those of you still running 7 and 8 that you should upgrade before the end of July? No. Microsoft has fooled the experts in the past, and it could happen again. And, realistically, the user experience in Windows 10 is miles ahead of 8. It’s more of a wash compared with Windows 7, but even there once you get to the top of the learning curve, it’s no worse.

And there’s one other thing to consider: If you upgrade to 10 and decide you absolutely can’t stand it, you can still downgrade back to your previous operating system. But that does not invalidate the Windows 10 license you got when you upgraded. So you would still have the option of waiting a year or two, seeing where Microsoft goes with Windows 10, and then re-upgrading when support for 7 and 8 runs out.

One final note. I mentioned the monetization of user data earlier. It’s true that Windows 10 collects a lot of information about what you’re doing. It’s also true that you can’t turn it all off. But you can take a few steps to minimize it.

Number One is Cortana. If you’re trying to cut down on how much Microsoft knows about you, don’t use Cortana. Turn her off.

And while you’re at it, turn off a few other things:

Open the Privacy Settings dialog (the easiest way to find it is to type “privacy” in the search field at the left end of the task bar). Work your way down the left menu and turn off everything you can live without. Turn off everything on the “General” screen–although if you use Microsoft’s Edge browser, you should probably leave the “SmartScreen Filter” on.

Turn off Location, turn off the camera or strictly limit the apps that are allowed to use it, and ditto for the microphone.

“Speech, inking, & typing” is, by and large, Cortana.

Strictly limit the apps that have access to your Account Info, Contacts, Calendar, Call history, Email, and Messaging. Radios and “Other devices” should be under tight control too.

Feedback & diagnostics is an interesting one. You can set Feedback frequency to “Never” to prevent Microsoft from occasionally asking you questions about your “Windows experience”. But you can’t turn off Diagnostic and usage data. If a program crashes, Microsoft will be told about it, and they will collect at least some information about what applications you’re using. The best you can do is select “Basic” to minimize what they get.

Don’t forget to review which apps have permission to run in the background. You probably want the calendar running in the background, but do you really want Edge running, downloading whatever Microsoft thinks you might want to see–or more importantly, whatever Microsoft wants you to see?

And one last thing to check: The privacy implications are somewhat limited, but it’s especially important for those of you who have slow network connections or are charged based on how much you use your connection.

Go to the Windows Update settings, click “Advanced options” and then “Choose how updates are delivered”. Turn OFF “Updates from more than one place”. Yes, that’s right. Microsoft is using every Windows 10 computer that leaves the default settings in place as part of the Windows Update delivery system. How charming.

I’ve heard that it works like BitTorrent software, in that there’s no central registry of which computers have what updates available, but even so, do you really want your computer advertising that it hasn’t yet installed the latest security fixes?

What a Waste

Lots of interesting news at the intersection of privacy and security these days. The ongoing Apple/FBI feud is only a tiny piece of it.

Consider, for example, the case of Paytsar Bkhchadzhyan. It seems that not all locking methods are created equal in the eyes of the law.

Things you know, such as a password, are legally protected: you can’t be forced to give them up because that would infringe on your constitutional right not to testify against yourself.

But things you own, like a PIN fob, or things you are, like a fingerprint, are not protected.

Accordingly, a court has ordered Ms. Bkhchadzhyan to give investigators her fingerprint along with her iPhone. It’s unclear whether they’re holding her fingerprint–and presumably her finger–while searching the phone.

Mind you, there’s still some wiggle room in the legal interpretation. Ars also has a report on a man who’s been held in jail for seven months for refusing to supply the password to decrypt a pair of hard drives.

His lawyer has invoked the Fifth Amendment privilege against self-incrimination, but to date the legal system appears to believe that the now-infamous All Writs Act–the same law the FBI was trying to use against Apple–supersedes the Constitution.

So, pending the result of the current appeal, using a passcode doesn’t seem much safer than a fingerprint.

Not all the news is bad, however. In a case that will mostly be of interest to residents of Washington State, a King County judge has ruled that sanitation workers cannot dig through trash while collecting it.

Seattle required workers to inspect trash to ensure that food waste went into compost bins instead of trash. However, the judge held that amounted to a warrantless search, and was forbidden under the privacy provisions of the Washington State Constitution.

It’s a minor victory for privacy, yes. And sanitation workers can–and will–still check for compostable materials “in plain view.” But at least they won’t be able to open garbage bags and dig through them checking for compliance.

We’ll take our victories where we can find them.

Crack!

A federal court has made it official. We knew it was coming, but I don’t think any of us expected it to arrive this promptly. Now we know: as far as the Federal Government is concerned, your right to “life, liberty, and the purfuit of happineff” doesn’t include privacy.

I’m not going to write about it at length. It’s a rainy day, the turkeys are arguing about something incomprehensible outside my window, and I already said most of what I think last Tuesday. Why should I take out my frustration on you?

Bottom line: it’s still worth the time it takes to encrypt your electronic devices, but not by as much as it was last week. And don’t expect it to do you any good if any police officer anywhere takes an interest in you for any reason.

If you want any detail, go read Ars’ take on the news.

Then you can come back here for something slightly more cheerful.


Back? OK, good.

Baseball is back!

OK, OK, so far it’s just pitchers and catchers reporting to Spring Training, but we’ll take it. Position players will be showing up over the next week, and we can look forward to the usual slew of articles telling us which athletes are in “the best shape of their lives” and which ones let themselves go over the off-season.

More importantly, we’re less than two weeks away from the first Spring Training game–as previously noted, between the Phillies and the University of Tampa Spartans*–and that means it’s time to start warming up your MLB app for the season’s radio and TV broadcasts.

* I’ll skip the jokes about “picking on someone your own size,” mostly because I’m not sure who those jokes should be aimed at.

There’s some good news about MLB.TV, too. According to the renewal reminder I received a couple of days ago, the full-season package is $20 cheaper than last year. Even better, if you’re only interested in one team, you can get a “Single Team Package” for $25 less than the regular package.

A price drop? Customer-friendly features? Is anyone surprised that the changes are the result of a lawsuit?

To nobody’s surprise, the changes are part of a legal settlement. In essence, MLB agreed to lower the price of the “Premium” package and introduce the “Single Team Package” to avoid the risk of going to trial and potentially being forced to modify their obnoxious blackout policy.

The Single Team Package is only available for out-of-market fans–Giants fans in the Bay Area, for example, can’t buy the package to follow their team unless they can prove to MLB that they can’t get satellite or cable TV in their home. That’s “can’t get,” not “don’t want”.

As in years past, out-of-market teams’ games against in-market teams will be blacked out. So if our hypothetical Giants fan moves to LA, he can watch the Giants via either a Single Team or Premium package, except when the Giants are playing the Dodgers or Angels–even if the game is in SF. Interestingly, MLB.TV is offering a limited exception to the blackout rule*. For $10, our Giants fan can also watch the Giants’ broadcasts when they play the Dodgers and Angels. But he’s out of luck if he’s also an A’s fan. The exemption is only good for a single team. There are also a couple of significant limitations on which fans can purchase the add-on. It can’t be added to a Single Team Package, only the full Premium Package, and it can only be purchased if the fan subscribes to Comcast cable or DIRECTV satellite service with a package that includes the local teams’ broadcasts. If our Giants fan has satellite service from DISH, or if Comcast drops the Dodgers’ games, he’s SOL.

* This is, IMNSHO, the most significant change MLB agreed to in the settlement. It’s the first, faint hint that MLB might be willing to think about considering the possibility of down-scaling the tight relationship with their BigMedia sponsors.

So, all-in-all, the good news is limited. But fans are certainly no worse off than they were last year, with faint hints of improvement ahead. In today’s climate of lowered expectations, that has to count as a victory.

Eye on the Prize

As you might have expected, my ability to remain relentlessly cheery lasted about a week. Not that I’m going full-on depressing again, but today’s piece is a downer.

Remember last year’s Jeep security fiasco? The one where a couple of researchers found a way to use cellphones to take over any Cherokee and drive it remotely?

Alison Chaiken used that story as an example of how the automotive industry is heading in the wrong direction when it comes to security. Linux Weekly News has a good writeup of her presentation, but unfortunately, it’s “subscribers only”*. The slide deck is here, albeit without a lot of useful context.

* LWN does allow linking of subscribers-only articles, but for economic reasons asks that such links not be made publicly available. If you want to read this piece, drop me an e-mail and I’ll see what I can do.

The gist is that not only are automakers emphasizing “gosh-wow” features over security, but regulators are focusing on the wrong things. The result is that nobody is paying attention to serious questions of privacy and security.

For example, Ms. Chaiken notes that the US National Highway Traffic Safety Administration requires that infotainment* systems that have a rear-view camera must boot within two seconds. That number was, she says, chosen arbitrarily and proved extremely difficult to attain. Allowing three seconds would have saved “countless hours and costs” that could have been used better elsewhere.

* Can we agree that the word “infotainment” is at least as obnoxious as “phablet”? But that it’s equally well-embedded in the vernacular and unlikely to go away? If we can agree, I’ll spare you the five hundred word rant I trimmed from the first draft of this post.

More critically, where regulations are being made with an eye towards safety, regulators aren’t giving sufficient thought to privacy. Ms. Chaiken cites rules covering what data must be recorded by “black boxes” for analysis of accidents. The rules don’t prevent using the same information for other purposes, so consumers have been denied warranty coverage (and, I believe, insurance coverage) based on non-accident-related information captured by the black boxes in their cars.

In cases where regulations haven’t been made yet, manufacturers aren’t considering privacy either. The push in infotainment systems is to provide access to more and more different services. Some of those services will inevitably require user information–hell, some of them already do: Pandora, for example, needs to know who you are so it can offer your customized stations. Sooner or later, some apps will store un- or lightly-encrypted passwords, GPS presets and trip data, credit card numbers, and other NPI. What happens when your infotainment system is stolen? For that matter, what happens when you sell your car? As far as I can tell, none of the systems offer a way to securely wipe the storage, even in cases where they allow some form of “reset to defaults”.

Fun times ahead.

That said, as Ms. Chaiken points out, there are positive signs. Publication of the Jeep Cherokee issue and other automotive security failures is forcing manufacturers to design more secure systems. (Although it should be noted that the DMCA makes it risky for security researchers to study automotive electronics.)

The California Department of Transportation is currently writing rules to cover self-driving vehicles. There’s a window in which they can be encouraged to build in privacy and security coverage. Of course, this is Caltrans we’re talking about… Keep your fingers crossed–and get involved. This is a great opportunity to drop a note to your state representative.

Change You Won’t See

It’s that time of year when bloggers’ thoughts turn to change. Seems like everyone is talking about it. Change for the better, change for the worse. Far be it from me to neglect a tidal wave of interest. But naturally, I have to put my own cynical spin on it.

Herewith, my top five list of things that need to change in 2015, but won’t.

5. BART’s mañana attitude. Not just waiting until the last minute and beyond to negotiate with the unions–really, guys, it’s not too early to start working on the 2017 contract, honest–but in general. Cars are increasingly overcrowded; by the time the new cars with more space are delivered in 2016 and 2017, they’ll be packed just as tight as the old cars are now. And yet, we keep hearing that BART can’t start thinking about increasing capacity until after the cars are delivered.

4. Caltrans’ “It doesn’t need to be tested” attitude. Do I even need to elaborate on this? It’s not just the Bay Bridge: everything we’re hearing suggests that Caltrans needs to make a significant change in its corporate culture. Consider future needs. Don’t take it for granted that construction has been done to standard. Recognize that budgets are not infinitely flexible.

3. Government’s belief that citizens have no right to privacy. Did you notice that the NSA chose Christmas Eve to release a pile of audit reports, hoping that nobody would pay attention? Bloomberg’s report makes it obvious that nobody is exercising any control over the NSA. If there are no processes–or software controls–in place to prevent analysts from conducting surveillance without authorization, it means the organization is relying on self-policing. And if an analyst can accidentally submit a request for surveillance on himself, it’s a pretty good sign that self-policing isn’t working. And yet, the NSA wants more access to record and monitor everything that everyone does. Oh, and let’s not forget the FBI, which continues to claim that North Korea is responsible for the Sony hack, despite significant evidence that the crackers were Russians, possibly assisted by an employee or ex-employee.

2.5 The increasing militarization of local police. As long as police departments are free to buy new and increasingly lethal toys, no one will be able to make any progress in decreasing the fear and distrust between police and the general public. Drone flights won’t make the public feel safer, and the increased resentment will easily flash over into more threats against the police. And body cameras are not and will never be the answer. They’re too easily forgotten, damaged, misinterpreted, or outright ignored.

2. The endless waffling and squabbling by MLB and the A’s. Just make a decision, people. Yes, O.co is a literal cesspool, but the A’s aren’t going to make any effort to improve the situation while the possibility exists that they could skip town. The costs of San Jose’s lawsuit are increasing, and MLB’s anti-trust exemption–already cracked by recent court decisions on the NFL’s blackout rules–is at risk. Regardless of your opinion of the exemption as a whole, having it revoked or struck down would open the door to levels of team movements that haven’t been seen since the 1890s. MLB needs to–ahem–shit or get off the pot before someone yanks the pot out from under them.

1. Phones getting bigger. Remember how bad the RSI epidemic was before we started to figure out how hard on the wrists sitting and typing all day was? I’m increasingly of the opinion that we’re treading the same path here. People are holding larger, heavier phones all the time. Bluetooth headsets aren’t a cure: you still need to hold your phone to play games, watch videos, and read and write all but the simplest e-mails. I fully expect 2015 to be the year of the sprained wrist, as Android phone-makers rush out models to increase their size lead over Apple. 2016 will be even worse when Apple catches up with an iPhone 7 that–projecting the trend–will require a personal crane to lift. Not that all of the blame can be assigned to device manufacturers. Several studies that I just made up indicate that all of the screen protectors, fancy cases, and assorted bling that consumers slather on their phones increase the weight by at least twenty-five percent.

0. Happy New Year!