Tuesday, 20 December 2011

Facebook's new timeline: privacy worries explained - it's all about choice & control (or lack thereof)

Since writing about Facebook Timeline some, having read my earlier post explaining Timeline, have asked me whether there really is a privacy concern, or whether people just need to get used to the fact the information they chose to share is out there.

This is a legitimate challenge.  The question gets to the nub of what privacy in a digital world means to people, and indeed what is meant by sharing, especially when sharing is amongst friends.

A key plank of privacy is providing users with clarity on how their personal stuff will be used, choice, and ease of control over information they choose to publish.

Facebook doesn't bill itself primarily as a publishing platform.  It sells itself as a social network and, as such, encourages candid disclosure amongst friends.  Yet the Facebook timeline makes your digital exhaust - stretching back years - easily visible and searchable without providing all the tools necessary to bulk-manage older posts. 

Privacy concerns about Timeline aren't about public versus "private", the new feature doesn't alter the privacy settings of old posts - although many people are now using tighter privacy settings than they were when they first joined Facebook. 

The issue is, literally, amongst friends.

Most of us have added a lot of new friends over the years.  Old posts were written with a different audience in mind and we perhaps don't want to have e.g. updates from years ago relating to a previous partner flaunted in front of our new love.

Friday, 16 December 2011

Facebook's new timeline - laying out your past, and there's no going back from this privacy minefield

You might want to think very carefully before upgrading to Facebook's new timeline.

It brings additional visibility to older posts, sometimes from many years ago.

No problem, you might think.  But you better be sure, for once users sign up to the new timeline it's a one-way street. Facebook gives you 7 days to manage old posts before they become visible, and we found no way of delaying or stopping this process; but you can, of course, speed it up.

UPDATE: privacy worries explained - it's all about choice & control.

One thread on Facebook's Help Centre has (at the time of writing) 380 responses to a request to turn the feature off, many pleading for an answer.

Timeline "preview" - you have 7 days to sort your past.
On the surface the new feature doesn't sound too problematic. It provides a neat way of scrolling back through a user's older posts. It doesn't alter the privacy settings of those posts, and in some respects the information's already 'out there', so there's no problem, right?

Not quite. The Timeline feature brings your past to the present. Facebook automatically selects a collection of pictures and updates from each year and presents them as "highlights". One click and I'm back to 2007 and a selection of pictures before I got married.

It's up to the user to manage what's shown - if you have the time to do this. Before you know it, your digital exhaust stretching back many years is easily browsable and visible to friends - and possibly everyone, depending on your privacy settings.

Thursday, 15 December 2011

The difference between privacy and "personal data"

It's not what you choose to read, it's where you choose to read it...

Notable from the "privacy" debate around media ethics is the number of times I hear people say, "this information is private" when they actually mean personal.  From judges to MPs, lawyers, celebrities and journalists conflate the two issues.

Privacy is about choice; finding a private space where you're free to act unobserved.  Privacy is critical to personal and social development.

Private spaces are necessary to learn and practice without the threat of humiliation or outside criticism.  Without such spaces our entire lives would be open to outside scrutiny, making life oppressive for all but a lucky outgoing few able to withstand the pressure of constant monitoring.

Private spaces are also incredibly important to the formation of social and family bonds.

"Personal data" is commonly defined in legislation marking out certain classes of information that are deemed to be confidential.  Such classes typically include political views, religion and sexual preference and are specified in laws such as the UK Data Protection Act.

Tuesday, 13 December 2011

The privacy outlook 2011->2012 part 1: key themes

This is part 1 of a 3-part series

After a lot of time looking at the great digital copyright challenge and a brief foray into 4G mobile data"adult" content blocking and social media injunctions I spent the last week firmly back on digital privacy. A greater challenge even than copyright, and with perhaps greater significance.

Two seminars in 6 days and a lot of meetings and web chats later some key themes are emerging:
  1. The "can't do that because of privacy" argument is losing any sway it once had. Governments now hold aloft useful services reliant on private data that people willingly use - Foursqare, Facebook, Amazon recommends - to attempt to discredit arguments like "it's my data, you can't have it."  Don't shout all at once, I know such a rebuttal is flawed; I'm just explaining the situation as I see it.  As a speaker said at a recent privacy seminar, government policy is not driven by proven fact and rational argument but by the headlines in the Daily Mail.  A valid political argument is one that washes with the public.
  2. Enforcement of do's and don'ts through the law is a pipe dream.  Data is everywhere, we have a massively distributed problem; and the problem is relatively knew, technology - and the markets - in many respects needs time to catch up with themselves.  Many data protection laws and regulations are nothing more than best practice - in reality prosecutions are expensive, time consuming and data regulators have relatively low capability, are under-resourced, have limited power and as a consequence are of little deterrent.  (If they had more power there'd be a risk of encroachment into free speech and free press territories!) Regulation needs to aim at a enforcing a few high level principles - setting the red lines on the harm spectrum - and leave the rest to technology and the markets to solve.
  3. Privacy is still a debate driven by fear.  Not just the odious McMullen with "privacy is for paedos" (perhaps belying McMullen's own fear of the privacy brigade) but fear by citizens not understanding the privacy implications of their actions, whipped up into a frenzy only when the Daily Mail tells them to be angry; and fear within corporations afraid of a privacy backlash - a rare but devastating event.  Corporations and government officials trying to do the right thing are walking afraid, whilst the general public is at risk of walking blindly into traps, willingly disclosing too much personal data.  Meanwhile private organisations who either don't give a hoot or justify their behaviour using their own moral code continue to make money out of profiling the population.
  4. Transparency is crucial.  More crucial perhaps than any other data protection principle, regulation or law.  But companies and governments don't want to be transparent, mainly because of (3) above, but also because of (1) - they don't want to be told they "can't" do something; and, (2) - being transparent about what they're doing makes them an easy target for the under-resourced regulator.
I'll be exploring around these themes in two follow-up posts.

Monday, 12 December 2011

Solution for GCHQ '_Can you crack it' cyber challenge

Okay, the GCHQ cyber challenge canyoucrackit.co.uk has just closed seems to have re-opened... Is it on a loop? Anyhow, here's the solution.  We can report that the challenge, described in the Telegraph as 'fiendishly difficult', is... fiendishly difficult!

Here's a 30-minute video to guide you through, there are actually 3 stages - see below for more info. Best watched full screen HD (and even then, apologies some of the screen text is not fully readable and apologies again for occasional bumbling):

The stages

Stage 1: combine the machine code instructions displayed on the website with additional bytes encoded in a comment field of the PNG image.  The bytes in the comment field are base64 encoded.  Create an executable wrapper and execute the routine (I did this on a virtual machine just in case there was any malware inside).  Search the stack and find a URL which retrieves stage 2 from the canyoucrackit.co.uk website.

Open Digital files for stage 1:
 - 'C' wrapper to make an executable (compiles using gcc on a 32-bit linux machine)
 - (roughly) disassembled assembler for the routine provided by the challenge website

Stage 2: write a software implementation of a CPU (a virtual machine) and execute the provided software on the virtual machine you've just written.  The routine decrypts part of the provided memory and results in another URL which retrieves stage 3 from the challenge site.

Here's a copy of the starting point (.js) (in case it doesn't work not the challenge has closed) and our solution (.js).  Or a web page which will run our solution.

Stage 3: use the Linux 'strings' command and a good disassembler (I used PE Explorer) to work out what the executable does.  Turns out you don't need to actually run it.  Find a mystery string which looks like an encrypted word and hunt 3 mystery 4-byte words, 1 from stage 1 and 2 from stage 2.  Plug them all together and use the resultant URL to retrieve a keyword from the challenge website.

Put the keyword into the front page of canyoucrackit.co.uk and apply for your job at GCHQ!

Here's the disassembled stage 3 executable "keygen.exe"


Tuesday, 6 December 2011

Balance on lobbying - the view of a lobbyist

Whether I like it or not, I spend a lot of my time lobbying Government and Parliament.  I started doing this about 2 years ago because (i) the government seemed to be making a complete hash of IT and internet policy; and, (ii) the loudest voice heard by government was from vested commercial interests who could afford to pay full-time lobbyists and hire specialist lobby firms - few people were providing a counter-view from small businesses or the online community.

To my surprise the world of lobbying isn't as closed as some make out.  Many parliamentarians especially go out of their way to bring outside knowledge into parliament, and all seem to thrive on interacting with "ordinary voters" with a well-thought-out perspective.

But of course there's the inevitable vapour shields.  MPs are wary about politically-motivated attacks and misinformation, Government has a formidable barrier to protect itself from the "noise" of discontented citizens.  If it was as easy as walking up to the Cabinet Office to register one's discontent in person with the Minister, the queue would stretch from Downing Street to Aberdeen I'm sure!

It shouldn't come down to who you know, but of course Ministers, MPs, policy advisers and senior civil servants are just people with friends, family and a long queue of people with vested interests itching to get a message to them.  The most powerful arguments come from people with whom those in power have an existing relationship; people they've got to know.

You need to know a little bit about someone to understand where they're coming from; what motivates them, and why they're making the demands they're making.

Essentially, there's nothing wrong with the idea of lobbying.  If a government isolated itself fully behind official channels, and those channels are anything less than perfect at gauging opinion, that government will become ill-informed and deficient.

Government needs a balanced mix of contact with the public, industry and other bodies such as libraries and educational establishments.  Yes, big libraries, universities and charities have lobbyists too!

The problem comes about when money starts to tip the balance, corrupting the system.  When people have no moral qualms about pushing the interests of the highest bidder, whoever that might be.

Monday, 5 December 2011

New round of ministerial meetings on digital copyright enforcement partially opened-up

Update: read a report from the meeting here.

Open Digital has been invited to attend a new round of ministerial meetings on digital copyright enforcement, hosted by Ed Vaizey at the Department for Media, Culture and Sport.

This time the attendee list will be wider, bringing representatives from across the industry.  The first meeting is scheduled for this Wednesday, 7th December, and will feature representatives from:
  • Featured Artists Coalition
  • Google
  • EMI Music UK & Ireland
  • BPI (British Phonographic Industries)
  • Publisher's Association
  • Warner Music
  • Music Publisher's Association
  • Yahoo!
  • Ofcom
  • UKIE (UK Interactive Entertainment)
  • ISPA (Internet Service Providers Association)
  • PRS (Performing Rights Society)
  • Talk Talk
  • Open Digital Policy Organisation
  • Open Rights Group
  • Universal Music
  • Beggars Group
  • UK Music
  • Premier League
  • BSkyB
  • MPAA (Motion Picture Association of America)
  • Virgin Media
  • Sony Music
  • IAB (Internet Advertising Bureau)
  • Consumer Focus
  • Officials from the DCMS
We welcome the Minister taking the significant step of widening the invite list for meetings previously held behind closed doors.

Whilst we appreciate there is still some way to go to bring this discussion fully into the public arena - where it ultimately needs to be - both the Open Rights Group and Open Digital made it clear that our attendance was on condition that:
"discussions can be open and on the record" and we "would not want to find that elements of the discussion or papers at the meeting were deemed to be confidential."
A member of Ed Vaizey's office replied:
"Thanks for your emails - I completely understand.
 We look forward to seeing you on the 7th." 
We are therefore in a position to openly report on the meeting, bringing some scrutiny to a closed process.

If the scope of such meetings enters the territory of new legislation we will be the first people to suggest that such meetings be open to full public scrutiny in the form of a parliamentary [draft bill] committee and a public consultation.  Public policy should not be forged in private.

Friday, 2 December 2011

The GCHQ Cyber Challenge: hqDTK7b8K2rvw

UPDATE 11th Dec (11:59!): Solution here on the Open Digital Blog

.We used a few spare hours in the office yesterday and today to have a go at the GCHQ cyber challenge _Can you crack it? 

Using a combination of Linux and Windows machines, a bit of JavaScript knowledge and 25 years' programming experience we got to stage 2 of 3.   We hope to bring you the full low down of how to solve it if we get there, however we don't want to spoil the fun for those still doing it so we won't say anything until the competition closes, bar this: hqDTK7b8K2rvw  - just to prove we got to where we did, when we did!

Hope to have the full explanation for you a week on Monday!

UPDATE 4th Dec: Just cracked it!