I treat all ‘security questions’, especially weak ones like ‘your mother’s maiden name’ (which in my case is also a few characters short of your Deutsche Bahn example’s limit) as password fields. So I provide unique answers per website asking for them, which are generated by my password generator, and store them in my password manager. It’s an act of information hygiene, imo.

Replied to Reply to a Tweet by Eric Eggert // Sebastian Greger (sebastiangreger.net)

“Periodic reminder that not everyone has a ‘first name’ and a ‘last name’” ... and that not all names consist of six or more characters
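The practice described in the reply above (treating every security question as a password field, generating a unique answer per site and keeping it in a password manager), as an added illustration that is not part of the original post. The `AnswerVault` class is a stand-in for a password manager's notes field, not any real product's API, and the form constraints (a six-character minimum, letters-only "name" validation) are constructed assumptions:

```python
import math
import secrets
import string

LETTERS = string.ascii_lowercase
LETTERS_DIGITS = string.ascii_lowercase + string.digits


def generate_answer(length=20, alphabet=LETTERS_DIGITS):
    """Random answer drawn from the CSPRNG, exactly as a generated password would be."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet):
    """Entropy in bits of a uniformly random string of this length over this alphabet."""
    return length * math.log2(len(set(alphabet)))


class AnswerVault:
    """In-memory stand-in for a password manager entry (assumption: not a real product's API)."""

    def __init__(self):
        self._entries = {}

    def _key(self, site, question):
        # Normalise so 'Mother's maiden name?' matches however the site phrases it.
        return (site.lower(), question.strip().lower())

    def answer_for(self, site, question, min_length=6, letters_only=False):
        """Return the stored answer for (site, question), generating one on first use.

        min_length mirrors a form's validation rule (the six-character minimum from the
        post); letters_only satisfies forms that validate the answer as a 'name'.
        Generated answers are never shorter than 20 characters, whatever the form's minimum.
        """
        key = self._key(site, question)
        if key not in self._entries:
            alphabet = LETTERS if letters_only else LETTERS_DIGITS
            self._entries[key] = generate_answer(max(min_length, 20), alphabet)
        return self._entries[key]

    def has(self, site, question):
        return self._key(site, question) in self._entries


if __name__ == "__main__":
    vault = AnswerVault()
    # Constructed example: the same weak question asked by two unrelated sites.
    for site in ("shop.example", "bank.example"):
        print(site, vault.answer_for(site, "Mother's maiden name?", letters_only=True))
    print("bits in a 20-letter answer:", round(entropy_bits(20, LETTERS), 1))
```

A real maiden name drawn from a population's surname distribution carries only a handful of bits; a 20-letter random answer carries about 94, which is the point of treating the field as a password.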

Do you lie enough? You probably need to lie more often!
When filling out online forms that is.

Since the GDPR, the EU data protection rules, came into effect last year, many companies have struggled with getting their online forms compliant. Some don’t really try, others think they’ve done it well but really haven’t, and a tiny minority actually adapted their order flows and forms to the GDPR. (Although the GDPR’s rules mostly aren’t new, btw; it’s just that non-compliance now costs a lot more.)

Since not all forms are fully compliant, I routinely fill in false information. If they don’t limit their data collection, I will take the responsibility on myself to create as much noise in their data as is prudent.

Yesterday I ordered something from an on-line retailer. The form that asked for where to send my order didn’t indicate which fields were mandatory, but clearly contained fields that weren’t GDPR compliant if they were.

I filled out only the things needed to complete the transaction, which is the delivery address, and an e-mail address or phone number to keep me informed of the process. They also asked for my birthday (we’ll send you a birthday greeting!), which at least wasn’t mandatory, and shouldn’t really be asked for such a frivolous reason.

Turns out the name (first and last name fields) of the addressee was mandatory. Not entirely unexpected, to ensure the right person at the address provided receives the package. This was after payment, and meant for the fulfilment partner. So they don’t really need a mandatory field for first name, nor a proper last name, as long as the receiver knows for whom a package is.

I opted for the initials A.V.G. (the Dutch abbreviation for GDPR). And a last name that was incorrectly spelled. Previously I filled out a mandatory department name in my company as ‘Read the GDPR this form sucks’.


We probably all need to lie way more when filling out forms. Here’s the recipe.

For each field in a form:

  • If it is not mandatory, don’t fill it out. They are trying to get more data about you voluntarily. Unless you perceive a clear need for yourself (e.g. you want them to SMS you when the delivery van is 30 minutes away).
  • If it is mandatory, ask yourself how needed it truly is:
    • if it concerns contractual aspects, your real name etc. is needed, so you can rely on it later concerning warranty, tax purposes etc.
    • if there is no perceivable need, then lie, obfuscate or provide info that, when read by a human, is a reminder they should change their forms: “read the GDPR” etc.

I have a Google Alert set up for my name, to find new mentions of it online. Today I received a mail that my name came up in an article in the South China Morning Post (SCMP), as part of a photo credit. This made me curious.

An article published August 25th, on the amount of time elderly US citizens spend behind their computer screens, uses a photo I made, it turns out.

My mom is in a Hong Kong newspaper

The photo is from 2008, and shows my mom trying her first steps on a laptop, which we gave her for her 71st birthday when she started having mobility problems. E’s hand is pointing out things in the Gmail interface. This image is available in my Flickr account, and that is how the SCMP ended up finding it (it says as much in the photo credit). They likely used Flickr’s search filter and had it set to ‘any Creative Commons license’. And that’s where it went wrong.

SCMP is a commercial company, and my photo is licensed with Creative Commons Attribution, Non-Commercial, Share Alike. Creative Commons is a way for copyright holders to preemptively state which uses of a work are always permitted. I license all my photos, and, using Creative Commons, give permission for any use that isn’t commercial, as long as the result is shared the same way, and as long as my name is mentioned as the author.

SCMP did mention my name (which is how I found the article), but cannot comply with the non-commercial part of the Creative Commons license, and thus should have asked for my permission before using the image. Now I’ve sent them an e-mail with an invoice, for using my photo, and another 100% added for using it without permission. Payable in 15 business days.

To my pleasant surprise the SCMP’s photo editor (whom I mailed), responded within 20 minutes apologising and promising payment.

(full disclosure: I’m a board member for Open Nederland, the association of Dutch makers that serves as the Dutch chapter for Creative Commons.)

Amexus is organising a conference on digitisation in the energy sector, and more specifically in the energy transition. Earlier this week I was interviewed at home about the role of open data in energy transition and my work with Dutch provinces on this topic.

The video, in German, has already been made available.

This from Wendy Grossman hits the nail quite precisely on its head.

“The problem isn’t privacy,” the cryptography pioneer Whitfield Diffie said recently. “It’s corporate malfeasance.”

This is obviously right. Viewed that way, when data profiteers claim that “privacy is no longer a social norm”, as Facebook CEO Mark Zuckerberg did in 2010, the correct response is not to argue about privacy settings or plead with users to think again, but to find out if they’ve broken the law.

I think I need to make this into a slide for my stock slide deck. It’s also, I think, why the GDPR focuses on data protection and the basis for data usage, not on privacy as such.

(Do add Wendy Grossman’s blog net.wars to your feedreader.)

Read net.wars: Hypothetical risks

Yesterday we had our monthly all hands meeting at my company. In these meetings we allocate some time to various things to increase our team’s knowledge and skills. This time we looked at information security, and I gave a little intro to start a more long term discussion and effort to raise information security in our company.

When people discuss information security it’s often along the lines of ‘if you want to do it right I’d have to go full paranoid, and that is completely over the top, so I won’t bother with it at all’. This is akin to saying that because it makes no sense to turn your home into an impenetrable fortress against invaders, you’ll just leave the door standing open. In practice you’ll do something in between those two extremes, and have locks on the door.

Fortress or open door? That’s a false dilemma. (fortress by Ryan Lea, CC-BY, open door by Hartwig HKD, CC-BY-SA and locked door by Robert Montalvo CC-BY)

You know the locks on your door won’t keep out very determined burglars or, say, a SWAT team, but they will raise the time and effort needed for less determined invaders to a point where they will be discouraged.
At the same time keeping the door closed and locked isn’t just useful to keep out burglars, but also serves as a way to keep out the wind, rain, leaves and dust blowing in from the street.
Similarly, in information security you won’t keep out determined government three-letter agencies, but there too there are basic hygiene measures and a variety of measures to raise the cost of more casual or less determined attacks. As with preventative measures at home, information security can be viewed in layers on a spectrum.

I tried to tease out those layers, from the most basic to the most intensive:

  1. hygiene
  2. keeping your files available
  3. basic steps against loss or theft, also on the road
  4. protect client information, and compliance
  5. secure communication and exchanges
  6. preventing danger to others
  7. traveling across borders outside of the Schengen area
  8. active defence against being targeted
  9. active defence against being targeted by state actors

For each of those levels there are multiple dimensions to consider. First of all in recent years a new group of actors interested in your data has clearly emerged. The tech companies for whom adtech is their business model started tracking you as much as they can get away with. This adds the need for measures to all but the most intensive levels, but especially means the basic levels intensify.
Then there’s the difference between individual measures, and what can be arranged at the level of our organisation, and how those two interplay.

Practically each level can be divided first along the lines of our two primary devices, laptop and phone. Second, there’s a distinction between technological measures, and behaviour (operational security).

the list of levels, and the distinction in dimensions as I showed them yesterday

I provided examples of how that plays out on the more basic levels, and on the most intensive level. E.g. on the level of hygiene, technological measures you can think of are firewalls, spam and virus filters, a privacy screen, ad blockers and tracker blockers, and using safer browsers. Behavioural measures are not clicking links before checking where they lead, recognising phishing attempts, not plugging in USB sticks from others, using unique user names and passwords, using different browsers for different tasks, and switching off wifi, Bluetooth and GPS (on mobile) when you’re not specifically using them.

Over the years working on open data I’ve increasingly become aware of and concerned about information security, and since early 2014 I have been actively engaging with it. I’m more or less at level 7 of the list above, and with the company I think we need to be at level 5 at least, whereas some of us haven’t quite reached level 1 at the moment. From the examples I gave, and showing some of the (simple) things I do, we had a conversation about the most pressing questions and issues each of us has. This we’ll use to sequence steps. We’ll create short FAQs and/or how-to sheets, we’ll suggest tools and behavioural measures, suggest what needs a collective choice, and provide help with adoption / implementation. I feel with this we have a ‘gentle’ approach, that avoids the overwhelm that leads to not taking measures at all.

The first things people mentioned because they were worried about them are: usernames/passwords, e-mail, trackers, VPN, and handling copies of IDs.
So we’ll take those as starting points.

If you want to read up on information security and operational security around your devices, the dearly missed Arjen Kamphuis’s book on information security for journalists is a very useful resource. My approach as described is more geared to the actual context of the people involved, and what I know about their habits and routines, and to the context of our work and typical projects.