Got a new phone (after selecting a new plan with some effort). As I don’t allow my phone to back up everything to the (Google) cloud, it took a few hours to get the new one ready: installing apps, and logging into all the associated accounts (using 1Password). On the upside, it means a lot of unnecessary stuff accumulated over the last 2 years has been left behind on the old device.
Some links I thought worth reading the past few days
- Initial circumstances mostly trump intrinsic capabilities. Basically the evolutionary space available. Delayed gratification is based on affluence at the outset, not indicative of doing better in future: Why Rich Kids Are So Good at the Marshmallow Test
- Can’t afford it, society without social contract, techno-determinism, salvationism, denial. Five kinds of stooopid: Umair Haque on The Age of the Imbecility and how not to join it
- “Embrace and Extend” usually means “embrace and smother” in the context of organisations like Microsoft, and I expect lots of devs to head for the exit, though some see it in a positive light: Microsoft buying GitHub
- Allow proper citing of blogs, added to the ‘someday’ project list: Joi Ito adds a citation widget to his blog
- An analysis of the proliferation of Internet of Things Manifestos: A CHI 2018 paper, Calling for a Revolution
- This isn’t about open data, despite the original title, but controlled sharing in defined ecosystems: In Japan, Mitsubishi Estate and Fujitsu put blockchain in the service of shared data
- If you can answer this letter, you can likely handle anything GDPR related: So You Received the Nightmare GDPR Letter
- Why Doc Searls is probably right about GDPR popping the adtech industry, and why consent in the ePrivacy Directive is to be interpreted as GDPR style consent: Personal Data Processing for Behavioural Targeting needs unambiguous consent
- Networked agency is not about enabling individuals but people in their meaningful social context. So yes, open tools need to have the networked effect built in: To bring people to the open web it needs to be the best version of the web.
To celebrate the launch of the GDPR last week Friday, Jaap-Henk Hoekman released his ‘little blue book’ (pdf) on Privacy Design Strategies (with a CC-BY-NC license). Hoekman is an associate professor with the Digital Security group of the ICS department at the Radboud University.
Data protection by design (together with a ‘state of the art’ requirement) forms the forward looking part of the GDPR where the minimum requirements are always evolving. The GDPR is designed to have a rising floor that way.
The little blue book has an easy to understand outline, which cuts up doing privacy by design into 8 strategies, each accompanied by a number of tactics, that can all be used in parallel.
Those 8 strategies (shown in the image above) are divided into 2 groups, data oriented strategies and process oriented strategies.
Data oriented strategies:
- Minimise (tactics: Select, Exclude, Strip, Destroy)
- Separate (tactics: Isolate, Distribute)
- Abstract (tactics: Summarise, Group, Perturb)
- Hide (tactics: Restrict, Obfuscate, Dissociate, Mix)
Process oriented strategies:
- Inform (tactics: Supply, Explain, Notify)
- Control (tactics: Consent, Choose, Update, Retract)
- Enforce (tactics: Create, Maintain, Uphold)
- Demonstrate (tactics: Record, Audit, Report)
All come with examples and the final chapters provide suggestions on how to apply them in an organisation.
At least I think it is…. Personal blogs don’t need to comply with the new European personal data protection regulations (already in force but enforceable from next week May 25th), says Article 2.2.c. However my blog does have a link with my professional activities, as I blog here about professional interests. One of those interests is data protection (the more you’re active in transparency and open data, the more you also start caring about data protection).
In the past few weeks Frank Meeuwsen has been writing about how to get his blog GDPR compliant (GDPR and the IndieWeb 1, 2 and 3, all in Dutch), and Peter Rukavina has been following suit. Like yours, my e-mail inbox is overflowing with GDPR related messages and requests from all the various web services and mailing lists I’m using. I had been thinking about adding a GDPR statement to this blog, but clearly needed a final nudge.
So I used that to write a data protection policy for this site. It is rather trivial in the sense that this website doesn’t do much, yet it is also surprisingly complicated as there are many different potential rabbit holes to go down. As it concerns not just comments or webmentions but also server logs my web hoster makes, statistics tools (some of which I don’t use but cannot switch off either), third party plugins for WordPress, embedded material from data hungry platforms like Youtube etc. I have a relatively bare bones blog (over the years I made it ever more minimalistic, stripping out things like sharing buttons most recently), and still as I’m asking myself questions that normally only legal departments would ask themselves, there are many aspects to consider. That is of course the whole point, that we ask these types of questions more often, not just of ourselves, but of every service provider we engage with.
The resulting Data Protection Policy is now available from the menu above.
Given how company websites ask you for more info than they should, and aren’t GDPR compliant that way, filling out forms with incorrect information is acceptable civic resistance to data hungry websites. And my default tactic.
Funny how #datagovernance companies publishing #gdpr compliance guides aren’t compliant themselves when asking personal data for downloads: no explicit opt-ins, hidden opt-ins (such as hitting download also subscribes you to their newsletter), no specific explanations on what data will be used how, asking more personal information than necessary.
Yesterday my colleague Paul and I visited the annual conference organized by the Flemish government’s information management / IT office. We were there to speak about the open data experiences of the Netherlands.
The upcoming GDPR, Europe’s new privacy regulations, was mentioned and discussed a lot. Such pan-European laws suggest that there is a generic way to approach a topic like privacy, or even an objective one. Nonetheless the actual perception of privacy is strongly culturally determined as well, Toon van Agt remarked during his presentation, pointing to us Dutchies sitting on the front row. He gave the example of how in the Netherlands real estate transaction prices and mortgages on a house are publicly available (if not yet as open data I must add. Transaction prices are available as open data in the UK, afaik). Where in the Netherlands this is regarded as necessary to be able to determine who you’re dealing with if you buy or sell a house, in Belgium it would be unthinkable. In my own presentation I showed how open data from the license plate register is used in the Netherlands to prevent theft of petrol at gas stations. Again unthinkable in Belgium, mostly because of the fundamental difference that license plates in the Netherlands are connected to a car (and the car to an owner), and in Belgium to the car owner (and the owner to a car). Calvinism was put forward as a determining difference, resulting in Dutch window curtains being open, so everyone can see a) we have nothing to hide and/or b) we have the coolest stuff in the street :). Similarly the tax amounts and incomes of Norwegians are famously public, whereas in the Netherlands asking how much someone earns or even worse touting how much you earn yourself, is frowned upon and not suitable for polite conversation.
It would be interesting to create an overview of socially acceptable and unacceptable forms of transparency across Europe. To learn where further opportunities for open data are to be found, as well as to see where social barriers can be expected.
Some disturbing key data points, reported by the Guardian, from a Congressional hearing in the US last week on the usage of facial recognition by the FBI: “Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people.” It makes you wonder how many false positives have ended up in jail because of this.
I am in favor of mandatory radical transparency of government agencies. Not just in terms of releasing data to the public, but also / more importantly specifying exactly what it is they collect, for what purpose, and what amount of data they have in each collection. Such openness I think is key in reducing the ‘data hunger’ of agencies (the habit of just collecting stuff because it’s possible, and ‘well, you never know’), and forces them to more clearly think about information design and the purpose of the collection. If it is clear up-front that either the data itself, or the fact that you collect such data and in which form you hold them, will be public at a predictable point in time, this will likely lead to self-restraint / self-censorship by government agencies. The example above is a case in point: The FBI did not publish a privacy impact assessment, as legally required, and tried to argue it would not need to heed certain provisions of the US Privacy Act.
If you don’t do such up-front mandatory radical transparency you get scope creep and disturbing collections like above. It is also self-defeating as this type of all encompassing data collection is not increasing the amount of needles found, but merely enlarging the haystack.
Getting an SSL/TLS certificate for your website has always been a hassle as well as costly. However increasing the amount of default encrypted web traffic is important both in terms of website safety as well as in terms of privacy (when you submit information to websites). The cost and hassle kept most non-commercial websites from using certificates however. Until now. Because now there is Let’s Encrypt, which makes it very easy to add certificates to your website. For free.
When I started using a VPS two years ago to serve as my cloud and as a Dropbox replacement, I needed a certificate to make sure the traffic to my cloud was encrypted. The VPS originally came with one, but that expired after a year. Since then I’ve added a renewing certificate from Comodo (the largest provider at the moment), which I got for a one-time payment as a lifetime service from my VPS provider. But for a range of other domains I use, both hosted on my VPS as well as in various hosting packages with a Dutch hosting provider, I never bothered getting an https certificate, because it was too much work and too expensive to keep up. There already were free certificates available, such as through the Israeli StartCom which I used for one or two domains, but I never felt certain it was secure as a service (it turns out it’s small but 7th globally, and has received some serious criticism).
Let’s Encrypt changes all that. Because they are strongly community driven, amongst others with support from the Electronic Frontier Foundation, and because they are going the route of getting their root certificate independently recognized and be a full certificate authority. Currently they use IdenTrust’s (5th globally) existing trusted root certificates, but the Let’s Encrypt root certificate has now been recognized by Mozilla, and they’re working to get it recognized by Google, Apple, Microsoft, Oracle et al. This would increase the independence of Let’s Encrypt. Let’s Encrypt says the growth rate of https traffic has quadrupled since the end of 2015, in part through their efforts. Their certificates are used at over 8 million websites now.
I’ve added a range of my own sites to those 8 million. For the domains on my own VPS that didn’t have valid certificates yet, they were easy to install. I used SSLforFree to generate the Let’s Encrypt certificates, based on me providing proof I have full control over the domains I seek to protect. Then I added the certificates to the domains using the WHM control panel of my server. Certificates are valid for 90 days, but I can set them to auto-renew, although I haven’t done that yet.
For the domains not hosted on my VPS, such as this one for my blog, I depend on my Dutch hosting provider (as I don’t have root access to install certificates myself, although I have full control over the domains such as its DNS settings). Luckily recently they have started offering auto-renewing Let’s Encrypt certificates (link in Dutch) as a free service for each of the domains you host with them, because they recognize the importance of secure web traffic. All it took was opening a ticket with them, listing the domains I was requesting certificates for. Within two hours eleven certificates were created and installed.
So, from now on you can get my blogpostings from https://zylstra.org/blog.
Wuala, the Swiss cloud storage service, is closing down. You need to switch services by 30 September when Wuala will become read-only, and remove all your data by 15 November when Wuala will shut down. If you need to move and want an alternative that is end-to-end encrypted (and you should) then Wuala suggests another Switzerland based company, Tresorit.
Last year I briefly contemplated and tested Wuala when I wanted to get out of Dropbox (which is unencrypted and under US law). At the time I wrote:
“Wuala, incorporated in Switzerland, is owned by LaCie (incorporated in France) which in turn is owned by Seagate (incorporated in Ireland). Their data centers are geo-redundant and in France, Switzerland and Germany. Although that looks good on paper Seagate HQ is in the US, placing Seagate under the Patriot Act, and thus Wuala ultimately too. Wuala for the desktop requires Java, which is a bad thing. Their encryption and syncing however are a plus, as is the ability to work in teams.”
Wuala was my first two steps away from Dropbox, as it provided client side encryption removing most of the key privacy concerns:
For now I have started using Wuala, as it is at least two steps up from Dropbox because of its encryption and their data centers in Switzerland, Germany and France. Their service is not ‘patriot act proof’ (and they know it, judging by their consistently vague and indirect answers in support fora), but the encryption helps address that. Of course there is no real way to check their encryption either.
My Wuala use lasted all of 1 week. Then I switched to OwnCloud through an Austrian provider, OwnCube, and a month later I started running my own VPS with OwnCloud on it, removing me from using third party services except for the server itself. (I must say OwnCloud does not support end-to-end encryption yet, and uses server side encryption. Hoping to see that change in the future.)
Sometimes it is ok if your government wants to store your fingerprints. Like, when they use them as artwork on city hall.
Last weekend Elmine and I strolled an afternoon through Deventer, an old Hanseatic city in the eastern part of the Netherlands. We came across a shop window where a group of people were busy making clay moulds, which had us intrigued.
The clay moulds, it turned out, were made from finger prints, to be cast in metal and then used on the facade of the new city hall as window covers/decorations. A project by local artist Loes ten Anscher.
The finger prints are from citizens in Deventer themselves. One in every forty-three, from the city and surrounding villages, from every age, has been asked to provide a finger or toe print, to be cast in metal. The 2.300 prints are cast in metal and used on the newly built city hall. Every metal cast has a number, and the person providing the finger print gets a pendant with that number. They will know where their finger print is on the building, but no one else.
I really love this project, making citizens part of the building where those that provide public service work, and involving them up to the level where they have their fingerprints all over local government. One example where I think government storing my finger prints is actually not so bad!
While for me, and possibly for you, a lot of what we do on the internet is currently uncontroversial (which in no way means we should not be concerned), for a lot of people around the world their safety, and lives, quite literally depend on knowing how to be more secure on the internet.
Upon a first internet search of safety measures you very quickly get to all kinds of arcane tech details you can’t really be bothered with if you’re not in the tech scene. Or you may simply lack the knowledge about what you should be aware of in the first place.
The Berlin based Tactical Technology Collective makes sure journalists, citizen activists and NGOs do have access to the required knowledge. They make both the explanations and the tech instructions on what to do available in easy and beautifully designed ways.
I took a bunch of their leaflets and bought two of their internet security instruction kits for dissemination and personal use.
Why? Maybe not directly for myself. But there is something to be said to make sure that the ones who need protection do not stand out because they are the only ones taking precautions. That would make them targets by default. Privacy is not a crime, was a t-shirt I saw today at the conference, and that applies here. If only the ones who are under threat wear rain coats they are easy to spot. If more of us wear them, the cost of surveillance rises, and those that need protection have a bit of additional safety in the herd.
Today I changed the way we use e-mail addresses for identification on-line.
Over time my e-mail address(es) has (have) become the carrier of a lot of important stuff. It’s not just a way to communicate with others, but also serves as generic user name on countless website accounts. And likely quite a few of those have had their security breached over time, or are unscrupulous (or even malicious) in their own right.
As part of a talk on privacy by Brenno de Winter (Dutch investigative journalist) that we went to this weekend (see previous posting), he mentioned using unique e-mail addresses (and pw’s of course) for every site you use. Or disposable e-mail addresses for sites you visit only once. That way when one site gets compromised there is no risk of your user credentials being used elsewhere, and if one site sells your email addresses on, it is immediately apparent to you who did that.
I have been aware of this advice for a long time, but never saw an easy way to act on it:
What I actually need is:
So today I decided to investigate further and act on it.
This is the solution I came up with:
This is not a free solution, but it is cheap. The registration of two domains, plus a service package so I can set my own DNS settings, with our regular hoster comes to 45 Euro or so. 33mail charges 8 or 9 Euros for a premium account, which is needed to add your own domain name to their service, and I created a premium account for each of us, as we will be using two separate domain names. Total cost: 65 Euro/yr.
Here’s a drawing of the full set-up:
We went to hear an interesting talk by Dutch investigative journalist Brenno de Winter on privacy and related issues this weekend. It is part of a series of privacy related talks and workshops held in our town in this and coming weeks.
To me, as I blogged in 2006 after that year’s Reboot Conference, privacy is a gift by the commons to the individual, and not so much an intrinsic individual thing. It allows the individual to be part of the commons, to act in the public sphere. It also means to me that privacy is part of what makes the commons work: without a certain expectation of privacy no-one can participate in the commons, resulting in the absence of commons.
Privacy in Public, photo by Susan Sermoneta, CC-BY
That doesn’t mean privacy can do without protection. The commons collapses easily, especially when your information is disconnected from your physical presence, as is usually the case in our digital age. Where the commons collapses, because i.e. the social distance increases, or contexts change or fully drop away, there rules and instruments are needed.
In that light Brenno shared a few notions I wanted to capture and put in this context of the commons:
All of these points are relevant to the question of how to maintain or extend the commons with rules and instruments, so that the gift of privacy can be given. By making sure the ‘infringing’ party is under similar social pressures to behave. By making sure we maintain a realistic balance when privacy needs to be temporarily eroded for the sake of the commons (that is the source of privacy).
When privacy breaks down also the commons itself breaks down, as privacy is the pathway and the trust base for taking part in the public sphere.