Expert Texture Home Contact me About Subscribe Digipede Connect on LinkedIn rwandering on Twitter rwandering on FriendFeed

rwandering.net

The blogged wandering of Robert W. Anderson

Digital Signatures != Notary Public

I am in the “pro email encryption” camp. If encrypting all email communications was easy enough, I would do it. I won’t get into “easy enough” here, but the issue is really about encrypting for a particular recipient, most of whom don’t care about encryption in the first place. I used to routinely digitally sign my emails as well, but stopped doing that for the same reason — most recipients didn’t know what to make of it.

Anyway, I’m coming to this topic now indirectly because of Google’s new “End to End” product / plugin / stance.   Sounds cool, and I’m sure I’ll check it out.

In A World without Hearsay, Jon Udell tackles the question of why he used to digitally sign his emails and then discusses an argument made by Yaron Goland in a post with a very long title: Why Google’s support of PGP Mail might not be such a brilliant idea – Or, why I don’t like digital signatures for social networking and how Thali addresses this

In that post, the author likes digital signatures to a roving notary public:

A digital signature is intended to be an authenticator, a way for someone other than us to prove that we did/said something. When we use digital signatures for momentous things that should be on the public record, like mortgage documents perhaps, then they serve a good purpose. But with PGP Mail we suddenly sign… well… everything[2]. It’s like having a notary public walking behind you all day long stamping every statement, note, mail, etc. as provably and irrevocably yours.

I don’t think we want such records to exist. I think we want a much more ephemeral world where the bulk of what we do just quietly vanishes into the ether leaving as little of a trail as possible.

I completely agree that we would be better off in a more ephemeral world, but the notary public analogy is completely wrong.

A notary public does in fact record (in a physical record book) every action, along with a physical signature and a fingerprint (noting that the specifics may differ across jurisdictional boundaries).  Signing one’s own email does no such thing.  It does not create a record, and does not make cause the email to become more permanent than it was without a signature.

It may be harder to deny that you wrote it; however, the more automated (or easy) it is to make such signatures, the less likely that such emails will have any weight over a non-signed email in a court of law.

To be clear, I’m not harshing on Thali — I have no opinion on that right now — I just don’t think the signature/notary argument has merit.

 

Tags: ,

Recording your Energy Attention

Attention applied to Internet and media use has come to mean the what, where, and how you do and don’t spend time.  For example, are you reading your news on Google or NYT? Do you use a portal like MSN or Yahoo? What do you do on Facebook?  Such information, or attention data, can be quite valuable, especially when correlated with other information.  Many companies rely on this concept, both implicitly and explicitly.

This use of the word attention, though, doesn’t apply only to the Internet and media.  It also applies to plain-old products too – which cereal you eat and where you vacation, etc. – in fact, it can apply to everything.

So, it follows, that energy attention is the subset of your attention as it applies to energy:  what, where, and how, you do and don’t use energy.  Just like the more general attention data, such data can also be quite valuable, both to you in reducing your energy use and costs, but also to third-parties for marketing and sales purposes (note that carbon attention overlaps with energy attention, but I am not going into that now).

Electric and Gas utilities record one major aspect of your energy attention today:  your electricity and gas usage data.  Most utilities provide these data back to their customers in summary form on bills, and many provide it in more detail.  My local utility, PG&E, provides me with hourly electricity and gas usage data through their Web portal.

While functional, I wanted real-time usage data.  My first thought was to use the GE SmartMeter that PG&E installed.  While the data could be retrieved from there, my access to it is on an unknown schedule with an unknown feature set.  The California Public Utilities Commission, utilities, vendors, and other stakeholders have been wrangling over issues central to the ownership and sharing of such energy attention data.  Both the Commission and PG&E have good reasons to be careful with this data:  PG&E installed and owns that meter and paid for it with rate-payer monies.  There is a decent (though somewhat dated) overview at Giga OM.  And while the Commission released an update to their proposed decision (PD) yesterday (here), the wrangling isn’t over.

So instead of waiting for this to all get resolved, I followed Jon Udell’s lead and installed The Energy Detective 5000 (TED 5000).  This monitors my home electricity usage in real time, giving me immediate access to my own energy attention data.  This to me, is exactly in the spirit of the Attention Trust (AT), an organization that I did some pro-bono work for in the past along-side of Steve Gillmor.

Now what does this have to do with attention and the AT?

Back in 2005, the AT was formed to assert user rights over attention data, specifically as it related to that data collected by Internet  services.  For example, Google tracks user attention (through clicks and time on pages, etc.) and uses that  information for operating their various services.  You consent to their right these data  through their Terms of Service (TOS).   The AT asserted that the user also owns these data.  To assert this ownership, the AT provided the Attention Recorder with which a user could record their own attention data from the browser.  The act of capturing such data from the user side of the firewall ended the discussion of who owned the data.  Yes, the Internet service has their copy and can use it based on the TOS, but the user owns the data too.

So, the TED 5000 is my own personal Energy Attention Recorder.  I assert ownership over the data and authority to do anything I want with it – including exposing it to any third-party service I so choose.

Interestingly, the PD issued yesterday names the TED 5000 specifically (although in reference to a utility comment).  This is in response to one of the CPUC questions (paraphrased):

Does the Commission have authority over entities that receive information on a consumer’s energy usage from meter sources other than a utility?

While the Commission has deferred this question, it is clear that they will face an up-hill battle on protecting consumers from their own
actions.

I, for one, claim ownership of my own energy attention.

Tags: , , , ,

Gillmor Gang Returns at 1PM today

It will (likely) be here http://www.building43.com/realtime/.  While I won’t be on the show, something I have been working on should surface there. 

That is as much of a pre-announcement as I can make . . . vague and conditional as it is.

Tags: , ,

Facebook backs down

Yesterday I posted about the change in Facebook’s TOS.  I thought they might back down, but I didn’t think it would be this fast.

The old terms are back in effect: delete your account and so goes your data.

A minor success for users everywhere – even those who don’t think this stuff matters.

Tags: , ,

User-beware of Facebook

Plenty of people are up in arms about the recent Facebook TOS change. 

The change?  Before Facebook relinquished their rights to your data if you deleted your account.  Now they don’t. 

I don’t have a problem with this new policy.  I do have a problem with the new part.

Of course, I’m not arguing whether Facebook can legally make this change, but it does violate their user contract.  I’m not talking about a legal TOS, but of an understanding with their users.  What is the problem?

  • Facebook has just asserted ownership to something that they didn’t claim ownership to before.  And this isn’t future data, this is past data.  Data you already contributed to Facebook with an understanding that they wouldn’t keep it.

This is another example of what I call the user-beware contract – where the TOS can change at any time without notification. 

So, what is the user-aware way to make such a change?

  • Maintain their old policy for data in Facebook before the change.  This bifurcates user data between before and after the policy. Delete your account?  Old data goes away, new data does not.

OK, but this is still a user-beware contract.  What else should they do?

  • Require users to opt-in to the new policy.  If they opt out, either delete them or let them continue the old policy.

I’m sure Facebookians (and any one hosting a large service) is rolling their eyes at this point.  But just because being user-aware is inconvenient doesn’t make it infeasible.

And a shout out to Ned Sykes for prompting this post: no, I’m not concerned about Facebook stealing my tweets, but as a voice in user rights, I am interested in promoting TOS that are pro user.

BTW: The user-beware/user-aware terms are defined in my post User Contracts – Part II: User Beware.

Tags: ,

Google Reader Misappropriated Our Shared Items

image_thumb[1]Earlier in the week I stopped using Google Reader for a few days.  Every time I started it, I would be reminded of their new sharing features (see the dialog on the left).  Then I would close the browser tab. Why?

Google changed the Reader user-contract with no notice.  This rankles me.  I’ve lost control of my shared items.  This is a dramatic change with only the weakest of opt-outs.  What’s more, any opt-out is too late.  My items have already been shared.  What kind of opt-out is that?

Oh, but there are more options.  They give us the ability to manage who gets to see our shared items.  But only after others have a chance to read them.  For example, I can hide my items from my “friends” who are on Google Reader.  Other “friends” that start using Google Reader will get to read my shared items immediately.  The onus is on me to make sure I actively manage the list. 

And the icing on the cake?  “Friends” wasn’t a word in use by Google Reader before.  Now it has been defined to mean my Google Talk contacts.  No fair.  This is not analogous to Facebook “friends”.  In Facebook, I accepted people as “friends” based on the Facebook definition.  Now my Google Talk contacts are my “friends” based on Google’s new definition.  This is clearly backwards. 

Is Google breaking their terms of service?  Almost definitely not, but they are changing a basic part of the user-contract: that user data won’t become more public without user consent. This is a perfect example of the “User-Beware contract“, summed up as: “we’ll change the user contract whenever we feel like it.”

What’s next? 

Your email contacts have been shared with your friends

Your emails have been shared with our advertisers

You calendar entries have been shared with your . . .

You get the idea.  This may seem like a joke, but frankly I don’t know what is in store for the user contract.

Steve Gillmor suggests this is arrogance on Google’s part, and he’s probably right.  Yet mostly people are ignoring this or don’t get it (e.g., Scoble doesn’t seem to get why anyone would care). 

Why is the blogosphere giving Google a free pass on this one? 

Tags: , , , , , ,

With Beacon, Facebook is not the problem

Unless you live under a rock (or don’t follow the social space) you know that there has been a big uproar of Facebook’s Beacon.  This is the feature that enables 3rd party web sites to transmit your actions (or “stories” in Facebook lingo) to Facebook. 

If you want to know more about how it works, Jay Goldman wrote the excellent post: Deconstructing Facebook Beacon JavaScript.  The title belies the fact that the article gives a good overview too (it isn’t just for developers).

An innovative idea — one that reminds me much of the GestureBank work conceived by Steve Gillmor and myself.  Given that, it should be no surprise that I don’t think Facebook did anything “evil” here. 

Now, they could have done a better job with it.  From the get-go, I would have preferred if they had

  • been more public about how it works; and
  • required that users “opt-in” to the whole program.

Not surprisingly, there was a backlash and Facebook made some changes (Official- Facebook Flips On Beacon).  Great.  I don’t think what they did violated their user contract, but the changes are more user-friendly.  I would prefer my User Aware contract, though this is a User Beware contract (User Contracts – Part II- User Beware). 

But, the problem isn’t with Facebook or their user contract.  If you don’t like the service (in total), don’t use it.

What I don’t understand is all the focus on Facebook here.  Like all silos they are capturing data, data, data.  That is what Facebook is all about.  

Why isn’t the focus on the 3rd parties who submit your stories?  They are the ones pouring user stories into Facebook. There have been reports of users not having approved their stories.  This is a bad thing, and maybe a technical flaw in Beacon, but ultimately it is the responsibility of the 3rd party to protect your data.

They should give the users control over their Beacon settings:

  1. Never send stories to Facebook
  2. Approve each story before it is sent to Facebook.
  3. Always send stories to Facebook.

If anything, Facebook should require this of its Beacon partners.

So, why aren’t people up in arms over the eBays, TripAdvisors, Yelps, Fandangos, Epicureans, etc.?

But, hey, if you don’t like the way these sites are spraying your data over the Internet, then stop using them.  

Tags: , , , , , ,

OpenSocial payback?

Many are calling Google’s OpenSocial play an apparent retaliation against Facebook for their recent Microsoft deal.  The reasoning is that both Microsoft and Google were bidding for a Facebook ad deal.  Microsoft won, so Google is going to make Facebook, and by extension Microsoft, pay.

Perhaps it is payback, but certainly the OpenSocial strategy predates the Microsoft agreement.  Not even Google could pull this whole thing off in just a few weeks.

This begs some questions:

  • Did the losing proposal from Google include OpenSocial?  Did it require that Facebook adopt the APIs?  Did that push Facebook to Microsoft?
  • Alternatively, was Facebook threatened with OpenSocial as a retaliation?  That is, did Google offer to shelve OpenSocial if Facebook accepted a Google deal?

It isn’t yet clear (to me anyway) whether or not Facebook was briefed on OpenSocial.  Google said yes, then no.  Facebook said no, but some evidence points to them actually having known. 

  • Are these differing stories rooted in non-disclosure agreements dating from the failed negotiation between Google and Facebook?

Final question:

  • Does anyone really believe that Google would have shelved the OpenSocial strategy just for an ad deal with Facebook? 

I for one do not.

For an excellent post on Facebook / OpenSocial, read Dan Farber.

Tags: , , , ,

User Contracts — Part I: Cluztr

User contracts are the proof behind user in charge business models.  I took Steve Gillmor’s challenge to go and take a look at attention startups in search of a user contract I could stomach.  First up, Cluztr.  I suppose this is pronounced clusterApologies to my distributed computing readership — this is not a clustering company.

The interesting part of their user contract is in their privacy policy.  I call out some parts of it (out of order).

Adherence to the principle of Property

Most importantly in this context, the principle of property:

Property – You own your attention and can store it wherever you wish. You have CONTROL.

A critical corollary to this is that you can delete your attention data too.  They have this covered in the following:

Cluztr collects clickstream data by means of a browser add-on that tags your use of the Internet. We do not track Internet usage on a secure website, or capture username or password information at any time. You have full control over your clickstream data and can delete or purge our database at anytime.

Note to legal: tighten up that language.  This really should say “purge your attention data from our database” instead of offering users the right to completely delete the entire Cluztr database.

So far, so good.

Changing the policy without notice

And then we have some sticky language about changing this policy.  Granted, this is common in its user unfriendliness:

By submitting your information you consent to the use of that information as set out in this Policy. If we change our Privacy Policy we will post the changes on this page, and may place notices on other pages of the web site, so that you may be aware of the information we collect and how we use it. Continued use of the service will signify that you agree to any such changes.

In other words (my words):

You own and control your clickstream data unless we decide that you don’t.  This privacy agreement is the only place we are obligated to tell you this.

Not good.

Change of ownership

And finally, their sale caveat:

Unless otherwise stated in this Privacy Policy data relating to you will not be disclosed to any third party unless you have specifically given your consent. We will not rent or sell your personal information without your permission (other than as part of a sale of the whole or a substantial part of the assets of Cluztr).

This language makes me nervous because it appears to mean:

You own your data unless we need it as an asset to sell the company in which case we own your data.  For all intents and purposes, we own your data.

To be kind, they may mean here that your contact info (like email address) is owned by them, but your clickstream is not. If they are purchased, that contact info would be passed to a new owner.  OK, but the ownership of the clickstream should not change and, if that is their intention, they should state it.

Conclusion

Cluztr has made a good start at a user-friendly contract but then mucked it up by over reaching on rewriting the policy and on the company sale.

I wouldn’t sign up with an Attention service with such a policy.

Next up on this topic:

  1. the GBX2 broadcasting user licenses
  2. a better user contract (what I currently call triggered-opt-in)
  3. other Attention companies and their user contracts

 

Tags: , , , , , ,

The AT has a new design

New site design at the Attention Trust. 

http://www.attentiontrust.org/

Good job guys.  A little too much Latin, but that will get sorted out. 

Looks good. 

Tags: , ,

Next entries »