Technology

Tuesday, May 13, 2008

How To Properly Erase A Hard Drive

A prior post covered a humorous story about how to destroy a hard drive in 5 seconds. At that time I was discarding an old computer. In its year-in-review, ZDNet lists the "How to Really Destroy a hard Drive" post by Robin Harris as one of its most popular posts. I found it highly informative:

"You may already know that “deleting” a file does nothing of the sort. But did you know that your disk drive has a built-in system for the secure erasure of data? No? Then read on... if you keep business, medical, or personal financial information on disks, simple deletion isn’t enough to protect the data when disposing of the equipment.... Something called Secure Erase, a set of commands embedded in most ATA drives built since 2001."

Robin's post explains how you can download and use the Secure Erase utility to fully wipe your old hard drive clean. The instructions are for intermediate to experienced computer users.
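Before trusting a drive's built-in Secure Erase, a practitioner first checks that the drive reports the feature, is not frozen, and is not locked. The following is an added example of that check, written for this page and not taken from Robin Harris's post or the utility it links to; it parses the Security section of Linux `hdparm -I` output (the drive listing below is a constructed sample, and the field layout is assumed to follow hdparm's usual format) and returns the hdparm command sequence that would invoke the erase, without running it.

```python
"""Check a drive's ATA Security state before a Secure Erase.

Added example (not from the original post or the HDDerase utility it links to).
The page explains that Secure Erase is a command set built into ATA drives;
this script reads the Security section that Linux `hdparm -I` prints and
decides whether the erase can be issued.  The hdparm output below is a
constructed sample.
"""
import re


def parse_security_section(hdparm_output: str) -> dict:
    """Extract supported / enabled / locked / frozen / enhanced flags and the
    drive's own estimate of erase time (in minutes) from `hdparm -I` text."""
    status = {"supported": False, "enabled": False, "locked": False,
              "frozen": False, "enhanced": False, "erase_minutes": None}
    in_section = False
    for raw in hdparm_output.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if raw and not raw[0].isspace():
            break  # reached the next top-level section
        line = " ".join(raw.split())  # collapse hdparm's tab layout
        if not line:
            continue
        negated = line.startswith("not ")  # hdparm prints "not<TAB>frozen" etc.
        if negated:
            line = line[4:]
        if line == "supported":
            status["supported"] = not negated
        elif line.startswith("supported: enhanced erase"):
            status["enhanced"] = not negated
        elif line in ("enabled", "locked", "frozen"):
            status[line] = not negated
        else:
            m = re.match(r"(\d+)min for SECURITY ERASE UNIT", line)
            if m:
                status["erase_minutes"] = int(m.group(1))
    return status


def erase_readiness(status: dict):
    """Return (ready, reason).  A frozen security state is the usual blocker:
    many BIOSes freeze it at boot, and a suspend/resume cycle often clears it."""
    if not status["supported"]:
        return False, "drive does not implement ATA Security / Secure Erase"
    if status["frozen"]:
        return False, "security state is frozen; the erase command will be rejected"
    if status["locked"]:
        return False, "drive is locked; unlock it with the existing password first"
    return True, f"ready; drive estimates about {status['erase_minutes']} minutes"


def erase_commands(device: str, password: str, enhanced: bool) -> list:
    """hdparm invocations for the erase: set a temporary user password (this
    enables the security feature), then issue the erase, which clears the
    password when it completes.  Returned as argv lists, not executed."""
    erase_flag = "--security-erase-enhanced" if enhanced else "--security-erase"
    return [
        ["hdparm", "--user-master", "u", "--security-set-pass", password, device],
        ["hdparm", "--user-master", "u", erase_flag, password, device],
    ]


# Constructed sample of `hdparm -I` output for a drive that supports the
# feature but is currently frozen.
SAMPLE_HDPARM_I = """\
/dev/sda:

ATA device, with non-removable media
\tModel Number:       CONSTRUCTED-SAMPLE-DRIVE
Commands/features:
\tEnabled\tSupported:
\t   *\tSMART feature set
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t46min for SECURITY ERASE UNIT. 46min for ENHANCED SECURITY ERASE UNIT. 
Checksum: correct
"""

if __name__ == "__main__":
    status = parse_security_section(SAMPLE_HDPARM_I)
    ready, reason = erase_readiness(status)
    print(status)
    print("ready" if ready else "not ready", "-", reason)
    if ready:
        for argv in erase_commands("/dev/sda", "temp-pass", status["enhanced"]):
            print(" ".join(argv))
```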

Monday, March 24, 2008

A New Service Idea From Comcast

About a week ago, the I've Been Mugged blog explored the consumer data security issues with behavioral advertising: companies want to serve online ads by tracking all of the web sites you have visited and the keywords you entered at search engine web sites. The NewTeeVee blog reported this new service idea from Comcast:

"At the Digital Living Room conference today, Gerard Kunkel, Comcast’s senior VP of user experience, told me the cable company is experimenting with different camera technologies built into devices so it can know who’s in your living room. The idea being that if you turn on your cable box, it recognizes you and pulls up shows already in your profile or makes recommendations. If parents are watching TV with their children, for example, parental controls could appear to block certain content from appearing on the screen. Kunkel also said this type of monitoring is the “holy grail” because it could help serve up specifically tailored ads. Yikes."

Comcast claims that the cable box camera won't actually use facial recognition and take a picture of you. Instead it would just take a picture of the "form" of viewers: one, several, and their relative sizes.

Yeah, right.

Yikes, indeed! This is a really bad idea... a stupid one, too. I see "mission creep" as any cable box camera might start with the viewers' "form" and migrate to actual photos using facial recognition. This invasion of privacy is not worth any amount of convenient, free, or relevant ads promised by any network/cable television provider.

My impression... Comcast executives have concluded that since the NSA, FBI, and phone companies already spy on citizens by tracking the web sites consumers visit, e-mails and text messages sent, and phone calls made, then Comcast can make more money by tracking viewers sitting in the privacy of their living room and charge advertisers more for this new service.

And this new idea from Comcast was preceded by a comment from an IBM executive that a total surveillance society is inevitable. Seems to me like many corporations are ready to make money by exploiting our country's focus on security after 9-11.

What do you think? Share your comments below. I hope that you will also write to your elected officials today and tell them your privacy concerns.

Wednesday, March 19, 2008

A Free And Easy Way To Test The Security Of Your Wireless Home Network

At the ZD Net SOHO Networking blog (Small Office Home Office), Rik Fairlie provided a really good tip for consumers to check the security on their home wireless (WiFi) network. Security is important because we all (or at least many of us) do online banking, access our financial accounts online, and want to protect our personal data from abuse by both spammers and identity thieves.

Rik tested his home wireless network with the Network Magic management tool by Pure Networks. Network Magic has a free diagnostic scan that provides a report on the security status of your home wireless network:

"The Pure Networks Security Scan tool, which works only with Internet Explorer 6 or later, is clearly bait for Network Magic... Run the scan, and the resulting scorecard provides a summary status of network devices, the router and network, wireless security, and the computer on which you ran the scan. It advises you of the number of issues tested for each category, alerts you to any worrisome issues found... Some of the items it tests under Router and Network include whether you are running a hardware firewall, if your password is strong (and, of course, changed from the factory default), and whether your router firmware is up to date... This Computer tab tells you whether your PC contains malware that redirects Web sites, as well as whether file and printer sharing are correctly activated, what kind of software firewall (if any) you’re running, and if your antivirus software is up to date."

Sounds like a valuable tool for consumers to improve the security of their home wireless networks, and protect sensitive data.

Wednesday, March 12, 2008

Behavioral Advertising: The Role Of Internet Service Providers (Part Three)

Monday's post discussed the benefits of behavioral advertising, and the proposed rules by the FTC. Tuesday's post listed the leading companies that collect consumer data for behavioral advertising.

In December 2007, the Wall Street Journal profiled CenturyTel Inc., a Louisiana phone company, and its attempt to enter the Internet Service Provider (ISP) business. Along the way, CenturyTel decided to also enter the online advertising business:

"The technology it's using could change the way the $16.9 billion Internet ad market works, bringing in a host of new players -- and giving consumers fresh concerns about their privacy. CenturyTel's system allows it to observe and analyze the online activities of its Internet customers, keeping tabs on every Web site they visit. The equipment is made by a Silicon Valley start-up called NebuAd Inc. and installed right into the phone company's network."

Pretty soon, advertisers will no longer need to install software or use the HTTP cookies file on consumers' computers to perform behavioral advertising (a/k/a behavioral targeting). Instead, they can get all the consumer data they'd ever want from ISPs -- who are happy to install the behavioral targeting software and equipment on their servers for a piece of the new revenue stream. How it will work:

"NebuAd takes the information it collects and offers advertisers the chance to place online ads targeted to individual consumers. NebuAd and CenturyTel get paid whenever a consumer clicks on an ad."

The description of the new server software and equipment:

"The newer form of behavioral targeting involves placing gear called "deep-packet inspection boxes" inside an Internet provider's network of pipes and wires. Instead of observing only a select number of Web sites, these boxes can track all of the sites a consumer visits, and deliver far more detailed information to potential advertisers."

Companies already see the new revenue opportunity:

"... new companies are rushing in. Both wireless and wireline Internet-access providers such as CenturyTel, Rochester Telecom Systems Inc. and Embarq Communications Inc., among others, have entered the advertising gold rush. And they've tapped Internet equipment companies like NebuAd, Front Porch Inc., and Phorm Inc. to provide the gear to help them along."

Well, this is just peachy. Every ISP knows a lot about its subscribers... personally identifiable information such as name, address, birth date, phone, credit card, e-mail address, IP address, and in some cases Social Security Number. It doesn't take much effort to match this personally-identifiable data to a subscriber's web surfing activity.

This new technology fundamentally changes the relationship between ISPs and their subscribers. As ISPs get more or most of their revenue from advertising, and a decreasing amount from subscribers' fees, it is logical to question whether ISPs will continue to operate in the best interests of consumers. In a weird way, ISPs can now make (a lot of) money through surveillance.

This makes it more important now for consumers to express their privacy and data security concerns. It is reasonable for consumers to demand legislation requiring ISPs to provide clear, easy, free, opt-in mechanisms for consumers who wish to participate in that ISP's behavioral advertising program.

Now is also an opportunity for consumers to specify the data they consider sensitive and should be excluded from any ISP behavioral advertising programs. See these prior posts about why consumers' IP addresses should be considered sensitive personal data, and why consumers' personal data should be treated (and protected) like nuclear fuel.

Tuesday, March 11, 2008

Behavioral Advertising: Leading Collectors of Consumer Data (Part Two)

Yesterday's post was the first in a series. Today's post looks at how much data selected companies already collect about consumers. From yesterday's New York Times: To Aim Ads, Web Is Keeping A Closer Eye On You

Monday, March 10, 2008

Behavioral Advertising: What It Is And The Proposed FTC Rules (Part One)

This is a subject I probably should have written about sooner. On November 1 and 2, 2007, the FTC hosted a conference entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.” The event included consumer advocates, industry representatives, technology experts, and academics to address consumer protection issues.

In December 2007, the U.S. Federal Trade Commission (FTC) released its proposed rules document for companies who wish to engage in behavioral advertising (also called behavioral targeting). I am not discussing in this post whether or not behavioral advertising works. There are several case studies where companies have evaluated how best to perform behavioral advertising. Rather, this post explores some of the consumer privacy and data security issues.

When you visit web sites today, many companies display ads related to the content of the site pages you view. Some companies include software that saves information to the HTTP cookies file on your computer, which is used by your web browser software. We consumers have the choice about how we surf the web. You can set your web browser software to accept or prohibit web sites from accessing the HTTP cookie file. It's been this way for many years.

Behavioral advertising is not new. A few companies and newspapers have used behavioral targeting for years. Of course, there also are advertising networks which focus on behavioral targeting, including NebuAd's offering for ISPs. You can read several blogs about behavioral advertising.

Previously, companies have used behavioral advertising based on the pages you visit within a single web site. What's changing is that companies plan to use behavioral advertising based on both the pages you visit within a single web site (e.g., On-site targeting) and across several web sites (e.g., Network targeting), plus the search keywords you enter at search engine web sites.

So participants at the above conference discussed with the FTC possible rules to keep things manageable. In its proposed rules document, the FTC defined behavioral advertising as:

"... the tracking of a consumer’s activities online – including the searches the consumer has conducted, the web pages visited, and the content viewed – in order to deliver advertising targeted to the individual consumer’s interests."

In my opinion, the Decision Science News blog offers a better definition:

"Behavioral Targeting is the ability to deliver ads to consumers based upon their recent behavior viewing web pages, shopping online for products and services, typing keywords into a search engine or a combination of all three. 'Interest-Based Targeting allows large-brand advertisers… to target more precisely the audience they are trying to reach with the message they are trying to convey'..."

In its proposed rules document, the FTC described the benefits as:

"... behavioral advertising provides benefits to consumers in the form of free web content and personalized ads that many consumers value... The benefits include, for example, access to newspapers and information from around the world, provided free because it is subsidized by online advertising; tailored ads that facilitate comparison shopping for the specific products that consumers want; and, potentially, a reduction in ads that are irrelevant to consumers’ interests and that may therefore be unwelcome."

The FTC proposed several rules to solve several concerns:

Concern 1. Transparency and consumer control: many criticize existing disclosures as difficult to understand, inaccessible, and overly technical and long. They also stated that, with clearer disclosures, consumers can make more informed decisions about whether or not they want personalized advertising or, alternatively, whether they would prefer not to do business at particular websites.
Proposed FTC rule: Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.

Concern 2a. Reasonable security, and limited data retention, for consumer data: many expressed concerns that data collected for behavioral advertising may not be adequately secured and could find its way into the hands of criminals or other wrongdoers.
Proposed FTC rule: Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.

Concern 2b. Reasonable security, and limited data retention, for consumer data: many expressed concerns about the length of time that companies retain consumer data collected for behavioral advertising. The longer that data is stored in company databases, the greater the risks to the data.
Proposed FTC rule: Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.

Concern 3. Affirmative express consent for material changes to existing privacy promises: the privacy policy – a set of commitments about how information is handled – not only is an important tool for providing information to consumers, but also serves to promote accountability among businesses.
Proposed FTC rule: A company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

Concern 4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising: the use of sensitive data (for example, information about health conditions, sexual orientation, or children’s activities online) to target advertising, particularly when the data can be traced back to a particular individual. They state that consumers may not welcome such advertising even if the information is not personally identifiable; they may view it as invasive or, in a household where multiple users access one computer, it may reveal confidential information about an individual to other members.
Proposed FTC rule: Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.

Concern: Using tracking data for purposes other than behavioral advertising: consumer tracking data collected and stored for behavioral advertising could be used for other potentially harmful purposes. To the extent that the collection of data for behavioral advertising is invisible to consumers, such secondary uses of the data may be especially so.
Proposed FTC rule: FTC staff seeks additional information about the potential uses of tracking data beyond behavioral advertising and, in particular: (1) which secondary uses raise concerns, (2) whether companies are in fact using data for these secondary purposes, (3) whether the concerns about secondary uses are limited to the use of personally identifiable data or also extend to non-personally identifiable data, and (4) whether secondary uses, if they occur, merit some form of heightened protection.

The FTC has extended the deadline for submissions to April 11, 2008. Comments can include any concerns you have, changes you feel are necessary to the proposed FTC rules, the types of consumers' personal data you believe should be considered sensitive, and anything else you feel is relevant. Send your comments to the FTC at:
Secretary
Federal Trade Commission
Room H-135 (Annex N)
600 Pennsylvania Avenue, NW
Washington, DC 20580

You can also submit comments to the FTC online via BehavioralMarketingPrinciples@ftc.gov. Some public comments are already available online at the FTC web site.

Thursday, February 21, 2008

More About Sidejacking

After I wrote my first post about sidejacking, I did some more online research. A post at The Consuming Experience blog offered information about sidejacking:

"You're at risk from sidejacking when you use the internet via a free, or even paid-for, unsecured public wi-fi or WLAN (wireless networking) hotspot. That could include just accessing your Hotmail or other webmail, or your Facebook or MySpace or other social networking account, your Amazon account, etc. An attacker on the same wifi network could "sniff", steal and use login details and info of users of that open WLAN - such as "AIM buddy list, their DNS requests, alternate e-mail addresses they use, and so forth."

Since many web sites do not encrypt every site page, identity thieves can:

"... intercept the unencrypted information, particularly the "cookie" files saved with your browser and sent between it and the site - and which are often used to log you in."

And there are other ways your laptop can disclose your personal data:

"... all sorts of other unencrypted info can be intercepted and copied, and used to deduce details about you or your accounts which can then be used by the thief... when you power-on your computer. It will broadcast to the world the list of WiFi access-points you've got cached on your computer, the previous IP address you used (requested by DHCP), your NetBIOS name, your login ID, and a list of servers (via NetBIOS request) you want connections to."

What's a person to do to keep their personal information safe?

"Before you login to a website, at least make sure that the page where you enter your details, the one with the boxes for your login info before you hit Submit or OK, is a secure page - i.e. starts with "https". But that's not enough, it has to be SSL all the way."

The post at The Consuming Experience blog post offers more tips and solutions, for people who are technology-savvy and for those that aren't. There are also some solutions in my prior post about sidejacking.
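The point that an HTTPS login page is not enough can be checked against a site's own cookies. The following is an added example, written for this page rather than taken from the original post or The Consuming Experience blog; it models the browser rule behind sidejacking, namely that a cookie without the Secure attribute is sent on every request to the site, plain-HTTP pages included, so it can be sniffed on an open hotspot. The Set-Cookie headers and page URLs are constructed samples, and the session-cookie name heuristic is an assumption.

```python
"""Audit session cookies for sidejacking exposure.

Added example (not code from the original post).  Two points from the post:
a session cookie sent over plain HTTP on an open Wi-Fi network can be sniffed
and replayed, and an HTTPS login page does not help if later pages fall back
to HTTP.  The check below applies the browser rule that decides this: without
the Secure attribute, the browser attaches the cookie to HTTP requests too.
All headers and URLs are constructed sample data.
"""
from urllib.parse import urlsplit

# Cookie-name fragments that usually mark a session or login token (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login", "remember")


def parse_set_cookie(header: str):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; valueless attributes such as Secure and
    HttpOnly are stored as True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val.strip() else True
    return name.strip(), value.strip(), attrs


def looks_like_session(name: str) -> bool:
    """Heuristic: does this cookie name look like it carries a login session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def sent_in_clear(attrs: dict, url: str) -> bool:
    """True if a browser would attach this cookie to a request for `url` over
    unencrypted HTTP, which is what a sniffer on the same hotspot captures."""
    scheme = urlsplit(url).scheme.lower()
    return scheme == "http" and not attrs.get("secure")


def audit(set_cookie_headers, visited_urls):
    """Return findings: missing hardening attributes on session cookies, plus
    every (cookie, URL) pair where the cookie would travel in the clear."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session(name):
            continue  # preference cookies are not worth hijacking
        if not attrs.get("secure"):
            findings.append(f"{name}: missing Secure attribute")
        if not attrs.get("httponly"):
            findings.append(f"{name}: missing HttpOnly attribute")
        for url in visited_urls:
            if sent_in_clear(attrs, url):
                findings.append(f"{name}: sent in the clear to {url}")
    return findings


# Constructed sample: the login page is HTTPS, the pages after it are HTTP.
SAMPLE_HEADERS = [
    "sessionid=7f3a9c; Path=/; HttpOnly",           # no Secure flag
    "auth_token=b81d2e; Path=/; Secure; HttpOnly",   # hardened
    "lang=en; Path=/",                               # harmless preference
]
SAMPLE_VISITS = [
    "https://mail.example.test/login",
    "http://mail.example.test/inbox",
    "http://mail.example.test/contacts",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, SAMPLE_VISITS):
        print(finding)
```

Only `sessionid` is reported: it lacks Secure, so the browser re-sends it on the two HTTP pages, while `auth_token` stays confined to HTTPS even though the same pages were visited.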

Wednesday, February 06, 2008

California Senate Votes For Anti-Skimming Bill (RFID)

The InformationWeek blog reported:

"The California State Senate voted to make it a crime to skim information stored on RFID tags. The Senate voted 36 to 3 to pass the bill, introduced by State Sen. Joe Simitian (D-Palo Alto). The bill, SB 31, goes to the California State Assembly."

The sentiment of the proposed law is nice, but I wonder how it will actually prevent skimming. The law makes it clear what the penalties are for skimmers who are caught, but, as with most identity theft, the thieves seem to never get caught. Hence, the popularity of this crime.

Want to learn more about RFID and identity theft? Start here.

Monday, February 04, 2008

Sidejacking: What It is and How to Protect Yourself

We all know what carjacking is. Sidejacking is when an identity thief spies on your Internet session while you use your laptop at a public, unsecured WiFi connection to the Internet, or "hotspot." Common hotspot locations are airports, coffee shops, hotels, and some downtown city locations.

So, if you use your laptop at public hotspots, this CNN video is a must-see. Colburn suggests the following to protect yourself:

  • Don't use a public hotspot if you don't have to
  • If you must use hotspots, surf the web but don't sign in to secure sites (e.g., bank accounts, e-mail, etc.)
  • If you use hotspots frequently, consider installing a hotspot shield on your laptop

I have not used the product from Anchorfree.com, nor do I have any relationship with Anchorfree.com or with CNN. So I cannot provide an opinion on the effectiveness of the Anchorfree.com software. If you have used this or another brand of wireless VPN software, please share your experience below in the comments section. As with any other software purchase, check the software specifications to make sure it runs on your laptop. Shop around and research Anchorfree.com before a purchase.

Want to learn more about sidejacking? You can start reading here.

Tuesday, January 29, 2008

The New U.S. Passports (RFID)

In a prior post, I discussed the new RFID technology and its data security and privacy issues. There is an excellent Los Angeles Times article which questions just how secure the U.S. State Department's new RFID passports are. Here's how the new U.S. passports work:

"The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo. It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing. The security of this broadcast is the crux of the debate. The State Department says the chip's range is about 4 inches and that it cannot be read when the passport book is fully closed. But with the right equipment, early critics said, people several feet away or more could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip could also be copied or altered to make phony passports..."

To respond to the threat, the State Department modified its new passports:

  • "To block radio signals, it put metallic material in the passport's front cover and spine.
  • To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip's data. (Officials note Social Security number and address are not on the chip.)
  • To prevent tracking, it installed a "randomized unique identification" system that presents a different ID to a reader each time the chip is accessed.
  • To counter fraud, it installed a digital signature that flags chips that have been altered."

Are the new passports 100% safe? Nobody knows. I hope that these identity protection measures work. There's an awful lot at stake.

Sunday, January 27, 2008

Top 10 Technology Flops of 2007

Now that 2007 has come and gone, the TechRepublic blog listed the Sanity check: The 10 biggest technology belly flops of 2007. The highlight is that a company's data breach was number one on the list. Guess which company? Before you rush out and buy your favorite DVD movie on the Blu-Ray format, see number 10 in the list.

Wednesday, January 23, 2008

Computer Virus Hits Nokia Mobile Phones

Well, it has finally happened. PC World magazine reported yesterday:

"Security vendor Fortinet has uncovered a malicious SymbianOS Worm that is actively spreading on mobile phone networks. Fortinet's threat response team warned on Monday that the worm, identified as SymbOS/Beselo.A!worm, is able to run on several Symbian S60 enabled devices. These include handsets such as Nokia 6600, 6630, 6680, 7610, N70 and N72 handsets. The malware is disguised as a multimedia file (MMS) with an evocative name: either Beauty.jpg, Sex.mp3 or Love.rm. Fortinet warned this is deceiving users into unknowingly installing the malicious software onto their phones."

The worm seems to be spreading in the EMEA (Europe, Middle East, and Africa) region. Up until now, mobile malware (e.g., computer viruses) has been rare.

"After installation, the worm harvests all the phone numbers located in the phone's contact lists and targets them with a viral MMS carrying a SIS-packed (Symbian Installation Source) version of the worm. In addition to harvesting these numbers, the malware also sends itself to generated numbers as well. Interestingly, all these numbers are located in China so far and belong to the same mobile phone operator."

What should mobile phone users do? Practice safe mobile phone use just like you do with your computer. Don't accept or open files from people you don't know. Be careful who you share your mobile phone number and text messaging address with. Contact your mobile phone manufacturer or mobile network provider for assistance.

Friday, January 11, 2008

New Wireless Identity Protection Product: Armadillo Dollar

Many of us already have Radio Frequency Identification (RFID) cards in our wallets or purses. You have an RFID card if it's a card that you wave near (about 2 inches) a wall- or table-mounted reader. RFID cards are supposedly easier to use because the RFID card and the RFID reader don't have to physically touch. They just have to be close enough -- a few inches -- for the reader to access the information stored on the RFID card. Some credit cards, debit cards, and store charge cards are RFID cards.

I have two RFID cards. One is the security badge to enter the office building and my employer's offices. The second is my Charlie Card to ride Boston's MBTA mass-transit system. When I worked in London in 2004, my Tube pass was an RFID card.

While I realize that RFID is here to stay, I am not wildly excited about the technology because its security gaps are well known, and are dependent upon the issuer properly encrypting the sensitive personal data stored on each RFID card. Identity thieves can use a portable RFID reader to collect personal data from unsuspecting RFID cardholders: a process called "skimming." The thieves can then create, use, and sell duplicate, bogus RFID cards. And, it's almost impossible for the average user to know when an identity thief has used a skimmer to steal your personal data from an RFID card.

With this in mind, I was curious to read this TrustedID blog post:

"Armadillo Dollar, a new product created by Wisteria House Products, offers protection against this new wireless identity theft and RFID monitoring. Users place the product in their wallet, and it blocks the transmission of sensitive private information from RFID (Radio Frequency Identification) enabled debit/credit cards or employee badges. The user can move around undetected by RFID readers, and wireless identity thieves."

If you want to learn more about the RFID technology, read the RFID Journal, the RFID blog, or visit armadillodollar.com. I haven't yet tried the Armadillo Dollar product, so I can't speak to how effective it is. If any I've Been Mugged readers already use the product, please share your experiences.

Wednesday, January 02, 2008

Some Sanity Amidst Facebook's Beacon Debacle: TRUSTe

In prior posts, I discussed Facebook's bumbling of its Beacon program. I was pleased to read this in the TRUSTe blog:

"TRUSTe has been working closely with Facebook during the Beacon launch, and the subsequent change to opt-in user control. In addition to oversight regarding updates to the Facebook privacy statement, we announced today model privacy statement language for Beacon partners which plainly explains to consumers what information is collected, and how to exercise their options for control. Websites that are Beacon partners are also responsible for disclosing when and how their customer data might be used."

See the above blog entry for details. Who is TRUSTe? TRUSTe describes itself as:

"... an independent, nonprofit enabling trust based on privacy for personal information on the internet. We certify and monitor web site privacy and email policies, monitor practices, and resolve thousands of consumer privacy problems every year."

TRUSTe works to promote both consumer privacy and business growth. I like that. TRUSTe has about 2,500 seal-holders in 56 countries; companies that meet TRUSTe's strict guidelines for maintaining consumers' data privacy, e-mail opt-in methods, and disclosure copy for online shopping.

I hope that the executives at Facebook listen to and use the advice TRUSTe is offering.

Friday, December 21, 2007

Is Twitter Really Dangerous?

At ZDNet's IT Project Failures blog, there is a good discussion about whether or not Twitter is dangerous. I can see why corporate IT professionals probably view Twitter as dangerous, since it is another (new) way in which sensitive company data can easily be divulged by employees. To me, Twitter is no different than other computing technologies (e.g., instant messaging, e-mail, flash drives, etc.) which employees can use properly or abuse (e.g., share sensitive company data with people who shouldn't have access to that data).

Companies exist by meeting the needs of their customers. If their customers use Twitter, then the company should use it, too. It is always wise to, "fish where the fish are" -- for companies to communicate with their customers based on their customers' communication preference. If their customers use Twitter, then it's the wise company that Twitters to read what their customers are saying about their brand.

Regarding data security, the bigger issue is corporate training. Several readers of the IT Project Failures post have correctly commented that since employees have signed confidentiality agreements, this should be a protection. I agree: should be. There's a big difference between signing a confidentiality agreement on day one of their employment vs. complying with agreement years later as new technologies emerge.

I see no problem with students or home users who Twitter. Just like home computer users need to learn good data security habits to protect their identity data, corporate employees need to be trained on data security threats and how to practice good data security habits at work. The large number of data breaches involving laptops is one indicator that many employees don't practice good data security habits. And, that employee training should include new technologies like Twitter for both corporate employees and corporate IT staff.

Since this blog is about identity theft and corporate responsibility, I write mostly about consumers, who are either employees or former employees affected by corporate data breaches. I can think of several good applications where Twitter is appropriate and beneficial. For example, an activist blogger can use Twitter to highlight or to document their experience or a problem. Another example: a company can use Twitter as another method for customers to interact with its brands. Twitter isn't for everyone, as this Twitter 101 post and Matt Dickman's video explain.

What's dangerous are companies that don't enforce effective data security policies and processes... when a company loses backup data tapes, or when databases become corrupted. What's dangerous are employees who don't practice good data security habits.

I don't see Twitter as a problem, since there are so many other ways companies lose thousands of employee and customer records during data breaches. What's dangerous are companies that suffer repeated data breaches. What's dangerous are companies that don't inform identity theft victims promptly of the data breach. What's dangerous are companies that offer free credit monitoring services to ID-theft victims when the offer's duration doesn't match the risk period created by the company's data breach.

Thursday, December 20, 2007

Not Your Grandparents' AT&T

Recently, InformationWeek reported:

"AT&T on Wednesday began providing radio-frequency identification and GPS-based products and services that schools can use to track students, assets, visitors, and their staff. AT&T's RFID application is designed to work in conjunction with GPS-based mobile resource management services, as well as the carrier's wireless data network and hosted applications. With AT&T's offering, schools can track people or assets by placing Wi-Fi-based RFID tags on ID badges attached to equipment, bracelets, shirt pockets, or book bags."

I have no problem with tracking assets or things. There are many valid business reasons for asset tracking. Tracking people is another issue. Tracking people generates another piece of sensitive personal data that companies compile and archive about employees (and former employees). This sensitive data needs to be vigorously protected by companies. With any new technology like this, there's always the promise of security:

"The mobile resource management system would then relay the location of the tagged person or asset over AT&T's wireless data network to a secure Web site portal."

The reality is often something else. With the large number of data breaches, and especially wireless data breaches, it's unclear to me that companies will protect this new RFID location data rigorously or adequately; we've seen wireless data security failures before.

And yes, this is the same AT&T that worked secretly with the NSA to compile a database of U.S. citizens' phone calls. Since its 2005 acquisition by SBC, AT&T has behaved in ways that give the impression it is no longer the trustworthy AT&T I've known. It definitely seems like time to switch my phone service.

Tuesday, December 18, 2007

RoboScalpers: Somewhere (Online) There Is a Crime Happening

It's the holidays and you want to see your favorite theater show, concert, or sports event. As soon as tickets are available, you try to buy them online but the event is already sold out. Have you ever wondered why this happens? According to a recent post at the Consumerist blog:

"Ticketmaster is suing RMG Technologies for selling lecherous software that instantly sucks up tickets to everyone's favorite concerts and sporting events. Groups like RMG are the reason tickets sell out just minutes after going on sale, only to mysteriously reappear at outrageously marked up prices on ticket resale sites like StubHub."

When consumers buy tickets online, there is an implicit level of trust that everyone has equal access to tickets. Consumers trust that they and other humans are buying tickets, and that they are not competing against machines for tickets. Obviously, this is not the case, and the consumers' trust is being abused. The Consumerist post clearly describes how ticket resellers acquire tickets, which some call "RoboScalping":

"How brokers can jump to the front of the line is described in supplemental documents filed in Ticketmaster v. RMG Technologies, an active Federal District Court case asserting that the defendant's automated ticket-buying software violated the Ticketmaster Web site's terms of use. The papers describe a subterranean world of software designed to enter Ticketmaster's online ticket-purchasing system at will and to scoop up tickets without limits."

What does this have to do with identity theft and corporate responsibility? Plenty. The process of RoboScalping costs consumers plenty. We lose the opportunity to buy tickets at or near face value; we pay higher ticket prices from ticket-resellers, or we miss attending the event. To buy large quantities of tickets, the RoboScalpers use automated software to pretend they are humans. And the companies involved go along with this deception because there is money to be made.
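The pattern described above, many orders pouring in from one source, each under a different account, each grabbing the maximum allotment, is visible in a ticket seller's own order logs. The following is an added example, not code from Ticketmaster, RMG, the Consumerist or this blog: it parses a constructed order log (the line format, account and IP values, and the event ID are all invented for the example), then applies three assumed thresholds, a per-account ticket cap, an order-rate burst per IP, and a count of distinct accounts per IP within a short window. The window on distinct accounts is set so that a household sharing one connection is not flagged.

```python
"""Flag automated bulk ticket buying in a constructed order log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample order log. The layout (one order per line, ISO timestamp,
# then key=value fields) is an assumption for this example, not any vendor's
# real log format. 203.0.113.5 plays the RoboScalper driving five accounts;
# 192.0.2.44 is a household where two people share one connection.
SAMPLE_LOG = """\
2007-12-18T10:00:00Z account=alice ip=198.51.100.7 event=E42 qty=2
2007-12-18T10:00:01Z account=bot001 ip=203.0.113.5 event=E42 qty=8
2007-12-18T10:00:01Z account=bot002 ip=203.0.113.5 event=E42 qty=8
2007-12-18T10:00:02Z account=bot003 ip=203.0.113.5 event=E42 qty=8
2007-12-18T10:00:02Z account=bot004 ip=203.0.113.5 event=E42 qty=8
2007-12-18T10:00:03Z account=bot005 ip=203.0.113.5 event=E42 qty=8
2007-12-18T10:00:09Z account=bob ip=192.0.2.44 event=E42 qty=4
2007-12-18T10:00:30Z account=carol ip=192.0.2.44 event=E42 qty=2
2007-12-18T10:01:10Z account=bot001 ip=203.0.113.9 event=E42 qty=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) "
    r"event=(?P<event>\S+) qty=(?P<qty>\d+)$"
)


def parse_log(text):
    """Parse order lines into dicts sorted by time; malformed lines are skipped."""
    orders = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["qty"] = int(rec["qty"])
        orders.append(rec)
    orders.sort(key=lambda r: r["ts"])
    return orders


def detect_roboscalping(orders, per_account_cap=8, burst_orders=4,
                        burst_window=10, accounts_per_ip=4, account_window=60):
    """Return {"accounts": {name: [reasons]}, "ips": {ip: [reasons]}}.

    Thresholds are assumptions chosen for this example, not a vendor's policy:
      - an account buying more than per_account_cap tickets for one event;
      - an IP placing burst_orders or more orders within burst_window seconds;
      - an IP used by accounts_per_ip or more distinct accounts within
        account_window seconds (a shared household connection stays under it).
    """
    accounts = defaultdict(set)
    ips = defaultdict(set)

    # Rule 1: per-account cap, accumulated across all of the account's orders.
    totals = defaultdict(int)
    for o in orders:
        key = (o["account"], o["event"])
        totals[key] += o["qty"]
        if totals[key] > per_account_cap:
            accounts[o["account"]].add(
                f"{totals[key]} tickets for {o['event']} exceeds cap of {per_account_cap}")

    # Rules 2 and 3: sliding windows over each IP's orders, in time order.
    by_ip = defaultdict(list)
    for o in orders:
        by_ip[o["ip"]].append(o)
    for ip, recs in by_ip.items():
        peak_orders, peak_accounts = 0, set()
        for i, start in enumerate(recs):
            def within(seconds):
                return [r for r in recs[i:]
                        if (r["ts"] - start["ts"]).total_seconds() <= seconds]
            peak_orders = max(peak_orders, len(within(burst_window)))
            names = {r["account"] for r in within(account_window)}
            if len(names) > len(peak_accounts):
                peak_accounts = names
        if peak_orders >= burst_orders:
            ips[ip].add(f"{peak_orders} orders within {burst_window}s")
        if len(peak_accounts) >= accounts_per_ip:
            ips[ip].add(f"{len(peak_accounts)} distinct accounts within {account_window}s")
            for name in peak_accounts:
                accounts[name].add(f"one of {len(peak_accounts)} accounts ordering from {ip}")

    return {"accounts": {a: sorted(v) for a, v in accounts.items()},
            "ips": {ip: sorted(v) for ip, v in ips.items()}}


if __name__ == "__main__":
    result = detect_roboscalping(parse_log(SAMPLE_LOG))
    for kind in ("ips", "accounts"):
        for who, reasons in sorted(result[kind].items()):
            print(f"{kind[:-1]} {who}: {'; '.join(reasons)}")
```

Against the sample log, the shared-IP rule catches the five bot accounts on 203.0.113.5 while leaving bob and carol alone, and the per-account cap catches bot001 again when it comes back from a second address. Real bots rotate addresses and accounts faster than this, so these rules are a first filter to feed into rate limiting or manual review, not a verdict.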

To learn more, read this SF Weekly article.

Monday, December 17, 2007

Facebook's Online User Survey About Beacon

In his Between the Lines blog, Larry Dignan describes his experience with Facebook's online survey. If many users' survey responses mirror Larry's response, Facebook has lost a lot of user trust.

When asked how often he uses Facebook, Larry wrote:

"About once a week maybe twice. In the early going, I hit Facebook a lot more. I don’t have the urge to go there more often than I do."

When asked how satisfied he is with Facebook, Larry wrote:

"I was neutral. I was never in the 'I love Facebook' camp. It’s a fine utility, but it’s also one that could be applied elsewhere. Maybe Facebook is a destination. It could also be a feature. Perhaps Ning has been more useful to me."

When asked if he would recommend facebook to others, Larry wrote:

"Probably not. I’m just not much of an evangelist."

When asked if he'd heard about Facebook beacon, Larry wrote:

"Yes of course. I couldn’t help but wonder how transparent this poll was and what Facebook was trying to get at. It’s called damage control and Beacon should have been in the first five questions since we all know that’s why this poll exists."

Wednesday, December 12, 2007

Software Viruses Found On New Hard Drives

While browsing the ZDNet Gear For Geeks blog, I found a post about software viruses found on new computer hard drives. Yes, you read that correctly. Not used hard drives but new hard drives.

I guess it shouldn't be a surprise that virus-infected hard drives came from China, since we've already experienced tainted children's toys made in China, tainted toothpaste, and mad-cow beef from Europe.

Anyway, most of the post focused on issues for business computer users and IT (Information Technology) professionals, since most of the infected drives were large-capacity drives bought by government agencies for large databases. However, the end of the post presented some good advice both consumers and business computer users should follow:

"However, there’s a moral to this story.  Practice “safe sectors” and scan, or preferably wipe, all drives... Don’t assume that a drive is going to be blank and malware free. Trust no one. Same goes for USB flash drives - you never know what’s been installed on them."

I'd never thought about scanning my flash drives for viruses. I will from now on.
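The "scan, or preferably wipe" advice can be turned into a quick triage pass before a new drive or flash stick is trusted. The following is an added example, not code from the ZDNet post or this blog. It assumes the drive is already mounted (ideally read-only) at a path you pass in, and in place of a real drive it builds a constructed sample directory tree with a constructed blocklist hash (the "malware" is a harmless placeholder string). It flags the warning signs that mattered most on removable media in 2007: an autorun.inf, executables disguised as documents by a double extension, hidden executables, and any file whose SHA-256 matches the blocklist. It is a triage check, not a substitute for a full antivirus scan or a wipe.

```python
"""Triage a newly acquired drive or USB stick before trusting it (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed placeholder standing in for a known-bad payload; it is not real
# malware. A real deployment would load blocklist hashes from a threat feed.
SAMPLE_MALWARE_BYTES = b"MZ\x90\x00 constructed fake dropper (not real malware)"
BLOCKLIST = {hashlib.sha256(SAMPLE_MALWARE_BYTES).hexdigest()}

# Extensions a Windows host will execute when double-clicked or auto-run.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif", ".lnk"}
# Document-looking extensions commonly used in front of an executable extension.
DOC_EXT = {".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".txt", ".zip"}


def sha256_file(path):
    """Hash a file in chunks so large drives do not pull whole files into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drive(root, blocklist=BLOCKLIST):
    """Walk a mounted drive; return {posix_relative_path: [reasons]} for flagged files."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = []
            suffixes = [s.lower() for s in p.suffixes]
            if name.lower() == "autorun.inf":
                reasons.append("autorun.inf present: drive would auto-execute on older Windows")
            if suffixes and suffixes[-1] in EXEC_EXT:
                reasons.append(f"executable content ({suffixes[-1]})")
                if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
                    reasons.append("double extension disguises an executable as a document")
            if name.startswith("."):
                reasons.append("hidden file")  # hidden on POSIX; cheap way to dodge a glance
            if sha256_file(p) in blocklist:
                reasons.append("SHA-256 matches blocklist")
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def make_sample_drive():
    """Create a constructed sample 'drive' in a temp directory (no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="newdrive_"))
    (root / "report.txt").write_text("quarterly numbers")
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "photo.jpg.exe").write_bytes(b"MZ placeholder, not a real program")
    (root / "tools").mkdir()
    (root / "tools" / ".updater.bat").write_bytes(SAMPLE_MALWARE_BYTES)
    return root


if __name__ == "__main__":
    mount = make_sample_drive()
    for rel, reasons in sorted(scan_drive(mount).items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

Run it against a real mount point by calling scan_drive("/media/newdisk") with a blocklist of your own; mount the device noexec and read-only first so that merely looking at it cannot run anything. A clean report from this check says only that the obvious signs are absent, which is why the ZDNet post's preference for wiping the drive still stands.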

Wednesday, November 28, 2007

Facebook: Beacon Of Light Or Darkness?

Over at the Just an Online Minute blog, Wendy Davis has raised some very valid concerns about disturbing web site usability practices at the Facebook.com site. From a November 26 post:

"It’s glaringly obvious that the new program — which alerts people’s friends of their online purchases — violates users’ privacy. And, while Facebook argues that the program poses no threat because users can always opt out of it, it’s now come to light that the opt-out mechanism itself is seriously flawed... That’s because the opt-out mechanism consisted of a small pop-up that vanishes 20 seconds after it appeared. After the window disappears, so does the user’s chance to opt out."

A quickly vanishing opt-out mechanism? That doesn't sound right nor acceptable. Reportedly, about 44 companies participate in Facebook's Beacon program. Notables include Fandango, Travelocity, and Zappos. What business wants their name associated with Facebook's foolishness?

If you have followed I've Been Mugged posts, then you know that opt-out mechanisms are a critical tool for consumers. Consumers want and demand control over who has access to their personal information.

Since I don't use Facebook, I have not experienced the problems Davis reported with Facebook. I use LinkedIn, since the professional people I need to stay in contact with use LinkedIn. It's always been clear to me that a sound business rule is to give your customers what they want. Facebook seems to insist on giving users an unwanted feature.

In a November 27 post, Davis responds to Facebook's claim that Facebook has fixed the problem. Perhaps not. The bottom line according to Davis:

"If Facebook wants to implement a real fix here, it will listen to the 25,000-plus users who have joined the MoveOn protest group, “Petition: Facebook, stop invading my privacy!” and stop telling members’ friends about their purchases when there’s any doubt about whether the members want to share that information."

  • George Jenkins, author of the I've Been Mugged Blog

  • © 2007 - 2008. George Jenkins. All Rights Reserved.