Evernote Makes Employee Reading of Messages Opt-in

Evernote has been through the wringer with its decision to add machine learning to its repertoire, effectively trying to pave the way to added services based on scanning the contents of users’ notes. Users were not happy, not least because Evernote made it opt-out. The settings looked like this: 

[Screenshot: Evernote settings]

Evernote has now had a change of heart, rather coyly calling it Evernote Revisits Privacy Policy Change in Response to Feedback: No longer would it implement the planned Privacy Policy changes for January 23.

“Instead, in the coming months we will be revising our existing Privacy Policy to address our customers’ concerns, reinforce that their data remains private by default, and confirm the trust they have placed in Evernote is well founded. In addition, we will make machine learning technologies available to our users, but no employees will be reading note content as part of this process unless users opt in. We will invite Evernote customers to help us build a better product by joining the program.”

It’s probably the best solution in the circumstances, but it was poorly handled, and reflected a lack of understanding, once again, of what the product is. Evernote is simply that: a place where you can store your notes forever. That needs to be paramount. Anything else needs to support that, and not undermine it. 

Users reacted as they did because they prized privacy and security above other layers of features and services that may arise from running semantic engines and whatnot over Evernote. And they certainly objected to doing it via opt-out, and to a privacy policy that raised suspicions.

I personally would love to see more done with my notes — complex search is still poor, finding similar notes is still poor — but I need, and I’m sure I’m not alone, to be confident Evernote isn’t going to do anything weird with my stash without my permission. Especially having employees poring over them.

Turn off location in iOS, and Uber doesn’t work

(Update: Uber say they are looking into it.) 

Buzzfeed says Privacy Advocates Want Uber To Stop Tracking Users After Rides End but Uber responds that “by offering the option of manually entering pick-up locations, the company is giving users a choice to be tracked or not.”

It quotes Kurt Opsahl, deputy executive director and general counsel at EFF, as saying that this ‘takes away a lot of the usability.’ Part of Uber’s appeal is how easy it is to open the app and let GPS pinpoint your location for a driver. ‘As you’re trying to get picked up by the side of the road, you might not know what address you’re at,’ Opsahl said. ‘I guess you could turn it on and off again…but that’s pretty clunky as well.’

I’d agree, and have found in my tests that it’s worse than that: turn location off, and the app no longer works. 

First off, here are the options, as described in settings in iOS:

[Screenshot: Uber location options in iOS settings]

So it’s either Always or Never. Nothing in between. Turn to Never and things not only get clunky, meaning that you’re prompted by dire warnings every few minutes, but after a day or two you start to get blank screens like these when you try to book an Uber.

[Screenshots: blank screens in the Uber app]

I’ve reached out to Uber for an explanation. 

I’m An Airline, Fly Me

This is an email from a bona fide airline:

Dear Sir/Madam,

Please be informed that your transaction with [international carrier] has been confirmed. Due to fraud prevention procedure against Credit Card transaction, we would like to validate your recent transaction with [international carrier] by filling information below :

Passenger(s) name :
Route :
Date of Travel :
Cardholder name :
Address :

Also, we need to confirm and validate your name and last four digit of your card number. Please kindly provide scanned/image of your front side credit card that used to buy the ticket. You may cover the rest information on the card. Please reply in 8 hours after received this email or we will cancel the reservation.

Thank you for your cooperation.

Best Regards,
Verification Data Management

The Facebook Experiment: Some Collated Views

A few pieces on the Facebook Experiment. I’m still mulling my view.

Paul Bernal: The Facebook Experiment: the ‘why’ questions…:

 Perhaps Facebook will look a little bad for a little while – but the potential financial benefit from the new stream of advertising revenue, the ability to squeeze more money from a market that looks increasingly saturated and competitive, outweighs that cost.

Based on the past record, they’re quite likely to be right. People will probably complain about this for a while, and then when the hoo-haa dies down, Facebook will still have over a billion users, and new ways to make money from them. Mark Zuckerberg doesn’t mind looking like the bad guy (again) for a little while. Why should he? The money will continue to flow – and whether it impacts upon the privacy and autonomy of the people on Facebook doesn’t matter to Facebook one way or another. It has ever been thus….

(Via Paul Bernal’s Blog)

A contrarian view from Rohan Samarajiva: Confused objections to Facebook emotional contagion research:

I am puzzled by the predominantly negative reaction to the manipulation of Facebook content, in the recent published research article in the mainstream media (MSM), though perhaps less in blogs and such.

It seems to me that MSM’s reaction is hypocritical. They manipulate their content all the time to evoke different emotional responses from their readers/viewers/listeners. The difference is that conducting research on resultant emotional changes on MSM is not as easy as on Facebook. For example, magazines have used different cover images, darkening or lightening faces and so. Their only indicator of success is whether version A sold more than version B. Not very nuanced.

(Via LIRNEasia)

And Ed Felten: Privacy Implications of Social Media Manipulation:

To be clear, I am not concluding that Facebook necessarily learned much of anything about the manipulability of any particular user. Based on what we know I would bet against the experiment having revealed that kind of information about any individual. My point is simpler: experiments that manipulate user experience impact users’ privacy, and that privacy impact needs to be taken into account in evaluating the ethics of such experiments and in determining when users should be informed.

(Via Freedom to Tinker)

And finally from Robin Wilton: Ethical Data Handling and Facebook’s “Emotional Contagion” Study:

Once, in a workshop, while discussing mechanisms for privacy preference expression, I said I would be happier for data subjects to have some means of expressing a preference than none. An older, wiser participant made the following wry remark: “That only brings a benefit if someone is prepared to give weight to their preference. If not… well, ten million times zero is still zero”. And that’s the weight Facebook appears to have given to the legitimate interests of its data subjects.

(Via Internet Society Blog Feed)

We’re Not in the Business of Understanding our User

A few years ago I wrote about how sometimes your product is useful to people in ways you didn’t know—and that you’d be smart to recognise that and capitalize on it (What Your Product Does You Might Not Know About, 2007).

One of the examples I cited was ZoneAlarm, a very popular firewall that was bought by Check Point. The point I made with their product was how useful the Windows system tray icon was in that it doubled as a network activity monitor. The logo, in short, would switch to a twin gauge when there was traffic. Really useful: it wasn’t directly related to the actual function of the firewall, but for most people that’s academic. If the firewall’s up and running and traffic is showing through it, everything must be good.

The dual-purpose icon was a confidence-boosting measure, a symbol that the purpose of the product—to keep the network safe—was actually being fulfilled.

Not any more. A message on the ZoneAlarm User Community forum indicates that as of March this year the icon will not double as a network monitor. In response to questions from users a moderator wrote:

Its not going to be fixed in fact its going to be removed from up comming [sic] ZA version 10
So this will be a non issue going forward.
ZoneAlarm is not in the buiness [sic] of showing internet activity.
Forum Moderator

So there you have it. A spellchecker-challenged moderator tells it as it is. Zone Alarm is now just another firewall, with nothing to differentiate it and nothing to offer the user who’s not sure whether everything is good in Internet-land. Somebody who didn’t understand the product and the user saved a few bucks by cutting the one feature that made a difference to the user.

Check Point hasn’t covered itself in glory, it has to be said. I reckon one can directly connect the fall in interest in their product with the purchase by Check Point of Zone Labs in December 2003 (for $200 million). Here’s what a graph of search volume looks like for zonealarm since the time of the purchase. Impressive, eh?

[Graph: search volume for zonealarm since the purchase]

Of course, this also has something to do with the introduction of Windows’ own firewall, which came out with XP SP2 in, er, 2004. So good timing for Zone Labs but not so great for Check Point.

Which is why they should have figured out that the one thing that separated Zone Alarm from other firewalls was the dual purpose icon. So yes, you are in the business of showing Internet activity. Or were.

(PS Another gripe: I tried the Pro version on trial and found that as soon as the trial was over, the firewall closed down. It didn’t revert to the free version; it just left my computer unprotected. “Your computer is unprotected,” it said. Thanks a bunch!)

Carrier IQ’s Opt-Out Data Collection Patent

ZDNet writes here about a Carrier IQ patent that outlines keylogging and the ability to target individual devices. Which is interesting. But Carrier IQ owns a dozen patents, including this one, which to me is much more interesting. This patent indicates what Carrier IQ software could do—not what it does—but it is revealing nonetheless:

A communication device and a data server record and collect events and event-related data to create an activity record. A user of the communication device may request that events and related data be recorded and collected using a configuration option on the communication device or through an interaction with the data server. Data are grouped into data sets and uploaded to the data server either automatically or upon user approval. The data server uses the uploaded data to create an activity record which the user may access through a website. The user uploads additional data which are associated with the activity record. In some instances, the data server embeds a link pointing to the additional data in an entry in the activity record corresponding to an event associated with the additional data.

Basically this patent offers a way for a “user”—which could be either the user of the device or the service—to have a record of everything they do:

[Image]

While most of the patent is clearly about a product that would create a ‘lifestream’ for the user, where they can access all the things they’ve done with the device, including photos etc, in one tidy presentation, there’s clearly more to it than that. Buried in the patent are indications that it could do all this without the user asking it to. It’s paragraph 0023 which I think is most interesting:

A user of a mobile device requests that events and event-related data be collected by a data server and data collection begins. Alternately, data collection may be a default setting which is turned off only when the device user requests that data collection not occur. In yet another embodiment, a request from a server can initiate, pause, or stop data collection. The mobile device is configured to record events performed by the mobile device as well as event-related data. Typical events that the mobile device records include making or receiving a phone call; sending or receiving a message, including text, audio, photograph, video, email and multimedia messages; recorded voice data, voice messages, taking a photograph; recording the device’s location; receiving and playing an FM or satellite radio broadcast; connecting to an 802.11 or Bluetooth access point; and using other device applications. The data most often related to an event include at least one of: the time, date and location of an event. However, other event-related data include a filename, a mobile device number (MDN) and a contact name. Commonly, the mobile device records events and provides a time, date and location stamp for each event. The events and event-related data can be recorded in sequence and can be stored on the mobile device.

This seems to suggest that

  • basically all activity on the phone can be logged
  • the software can be turned on by default
  • the software can be turned on and off from the server

All this information would be grouped together and uploaded either with the user’s permission or without it:

[0025] The mobile devices may be configured to store one or more data sets and upload the data sets to the data server. In one embodiment, the data sets are uploaded automatically without user intervention, while in other embodiments the mobile device presents a query to the user beforehand. When the mobile device is ready to upload one or more sessions to the data server, a pop-up screen or dialog may appear and present the user with various options. Three such options include (1) delete session, (2) defer and ask again and (3) upload now. The user interface may present the query every time a session is ready to upload, or the user may be permitted to select multiple sessions for deletion, a later reminder or upload all at once. In another embodiments, the uploading of sessions may occur automatically without user intervention. Uploads may also be configured to occur when the user is less likely to be using the device.

This point—about the option to collect such data without the user’s say-so—is confirmed in [0030]:

Although typically the device and the server do not record, upload and collect data unless the user requests it, in other embodiments the communication device and the server automatically record, upload and collect data until the user affirmatively requests otherwise.

And in [0046]:

In embodiments where participation in the data collection services is the default configuration for a mobile device (e.g., an “opt-out” model), it is not necessary to receive a request from a user prior to recording data.

An ‘opt-out’ model is hard to visualize if this is a product that is a user-centric lifestream.

While patents only tell part of the story, there’s no evidence of any such consumer-facing product on Carrier IQ’s website, so one has to assume these capabilities have been, or could be, wrapped into their carrier-centric services. In that sense, I think there’s plenty of interest in here.

Deconstructing Carrier IQ’s Press Release

I couldn’t find this press release on their website, and it’s a couple of weeks old, but I thought it worth deconstructing anyway. My comments in quotes. The rest is from the release. I don’t pretend to have got anything right here, but these might be the starting points for deeper questions.

Carrier IQ Says Measuring Mobile User Experience Does Matter! – MarketWatch:

MOUNTAIN VIEW, Calif., Nov 16, 2011 (BUSINESS WIRE) — Carrier IQ would like to clarify some recent press on how our product is used and the information that is gathered from smartphones and mobile devices.

Carrier IQ delivers Mobile Intelligence on the performance of mobile devices and networks to assist operators and device manufacturers in delivering high quality products and services to their customers. We do this by counting and measuring operational information in mobile devices — feature phones, smartphones and tablets.

Operational information is a very vague term. And it’s clear from this comment that it’s not just smart phones that have the software installed. Feature phones and tablets also have it.

This information is used by our customers as a mission critical tool to improve the quality of the network, understand device issues and ultimately improve the user experience. Our software is embedded by device manufacturers along with other diagnostic tools and software prior to shipment.

It calls it a diagnostic tool, but most people’s understanding of a diagnostic tool is one that runs in diagnostic mode. This doesn’t. It runs all the time–even on WiFi and airplane mode. But this comment also hints that there are other tools and software installed by manufacturers too.

While we look at many aspects of a device’s performance, we are counting and summarizing performance, not recording keystrokes or providing tracking tools.

‘Recording’ keystrokes could be as it looks, or it could be weasel language, given the fact that keystrokes are definitely logged. Logging could be considered different to recording in this context.

The metrics and tools we derive are not designed to deliver such information, nor do we have any intention of developing such tools.

But they clearly do, so is that a bug? Is the word deliver here key, as in not designed to deliver such information to certain parties?

The information gathered by Carrier IQ is done so for the exclusive use of that customer, and Carrier IQ does not sell personal subscriber information to 3rd parties.

This doesn’t really help. Not only was it not really the issue that Carrier IQ was selling the data–it was assumed the carrier would be, if anyone was–but the term personal subscriber information is quite possibly a weasel term, as personal has tended to mean including the actual subscriber’s name. But we know now that even anonymized data can be mined so it is quickly connected to a specific person.

The information derived from devices is encrypted and secured within our customer’s network or in our audited and customer-approved facilities.

I don’t know enough about this, but I’m guessing these are weasel words too. The key word is within. It seems pretty clear that most if not all of the Carrier IQ data is in plain text, so presumably the encryption and securing is only when that data reaches the customer’s network (i.e. this doesn’t include the external network, but the customer’s own computer network.) It also makes clear that the data, whether encrypted or not, also resides within Carrier IQ’s systems.

Our customers have stringent policies and obligations on data collection and retention. Each customer is different and our technology is customized to their exacting needs and legal requirements.

Except that at no point was any customer, as far as we know, actually asked whether they approved this data being collected about them. In fact, we don’t even know who those customers are in order to be able to verify this.

Carrier IQ enables a measurable impact on improving the quality and experience of our customer’s mobile networks and devices. Our business model and technology aligns exclusively with this goal.

Don’t get me started on the word ‘experience.’ It covers a multitude of sins and can mean more or less anything. My experience of call dropouts? Yes, sure, fix that. My experience of what services I use, how many times I enter my password, whether I’m buying something in Starbucks or Coffee Bean, how many people are in my address book etc. No. Not what I want you to log.

I think there’s another element at play here. Clearly the device manufacturers have allowed this to happen since the software is installed at the point of manufacture. A carrier can use the service because whatever device their customer uses, they can be pretty confident that the Carrier IQ software is embedded. So one has to ask what data are being shared between carrier, Carrier IQ and manufacturer? And how does this work?

SOURCE: Carrier IQ

AboutFacebook

This is a copy of my weekly Loose Wire Service column for newspapers, hence the lack of links.

By Jeremy Wagstaff

A few weeks ago I talked about Facebook’s brave new world of connecting your profile to all the other bits and pieces you leave on websites. I erred, and I apologize.

I thought that people wouldn’t mind the reduction in privacy that this would involve. At least I didn’t think they’d mind as much as a couple of years ago, when Facebook tried something similar.

But people did. And Facebook has been forced to respond, simplifying the procedures that allow users to control who can see what of the stuff they put on Facebook.

So was I really wrong? Do people still care so deeply about privacy?

Hard to say. Back then I said that we have gone through something of a revolution in our attitudes to privacy, and I think I’m still right about that. But I hadn’t taken into account that just because our attitudes have gone through wrenching changes doesn’t mean we’re comfortable with them.

Social networking—itself only a few years old—has forced us to shift our approach. When the Internet was just about email, that was pretty simple. We might balk at giving our email address out to weirdoes at parties with hair growing out of their ears, but that was no different than handing out our phone numbers, or home address.

But social networking is different. By definition the barriers are down, at least partially, because the network demands it. Networks require nodes, and that means that Facebook and every network like it needs to make it easy for people to find other people—including your follically resplendent stalker.

So already we’re talking a question of degree of privacy. And of course, we insist on these services being free, so the relationship we have with the purveyor of the social network is an odd one: Our investment in it is one of time, not money.

But nowadays many of us value time more highly than money, so we feel oddly possessive about our social networks. It’s not, I hasten to add, that we wouldn’t take our business elsewhere, as we did with MySpace and Friendster, but Facebook is somewhat different.

For one thing, the numbers are astonishing. Facebook has more than 400,000 active users—half of them logging on at least once a day. In other words, for many people Facebook has become email.

This has forced changes in privacy, because it’s impossible not to be private and be an active Facebook user. Unlike email, most Facebook activity is visible to other people. So I can, if I want (and I don’t, but can’t really help it), find photos of my nephew caressing a female friend, something I would have been horrified to allow my uncle to see when I was his age.

In part it’s a generational thing. We adults have no idea what it must be like to be surrounded by cameras, transmission devices, mass media—an all-embracing Net–from our early years.

But does that mean that younger people are just more relaxed about privacy, or that they just haven’t learned its value? Much of us older folks’ understanding of privacy comes from having lived under snooping governments, or knowing they exist on the other side of iron or bamboo curtains. Or we read and could imagine 1984.

Or, simply, that we’ve had something private exposed to the public. I once had some love poems I had written at school to two sisters read out in front of the school when I foolishly left them behind on a desk. Since then I lock up all my love poems to people related to each other under lock and key.

Younger people, it’s thought, don’t care so much about this. They grow up in a world of SMS, of camera phones recording every incident, of having one’s popularity, or lack of it, measured publicly via the number of friends one has on Facebook.

This is all true, of course. And while employers may still be Googling potential employees, and looking askance at images of them frolicking, this is going to get harder to do when all their potential employees are on Facebook, and all sport photos of them frolicking.

This is part of a new world where the notion of privacy is balanced by transparency: Online is no longer a mirror image of offline, in the way email was just a more efficient postal service.  It’s now a place that one shares with lots of other people, and to play a role in it entails a certain visibility.

This is both the price and the reward of being online. There are bound to be things we’d rather keep to ourselves but we also recognize an advantage in such public access. Just as people can discover things about us, so can we discover things about them. A rising tide, as they say, lifts all boats. If you have an Internet connection.

In some ways this is deeply subversive, since it undermines the traditional structures of society. A teacher or speaker can be subverted by a back channel of comments among the class or audience to which he is not privy. Reality gets distorted, and traditional dominance undermined.

I was sitting in a hearing the other day where those being grilled by the legislators were maintaining a quite noisy twitter presence that stood in contrast to their respectful tone in the session. Two channels, both of them public, but both of them trains running on parallel tracks. Which of them is real?

Technology is moving ahead, and we’re catching up. But we’re catching up at different rates.

If an employer can’t make a distinction between an employee’s office persona and, for want of a better expression, their personal persona, then they’re probably not very good employers.

Still, there are limits. The British man who joined a rampaging mob in Thailand and yelled at a passing citizen journalist hadn’t considered the consequences should that video clip end up on YouTube. Which it did and he now faces a lengthy time in jail.

Adolescents who share racy photos of themselves by cellphone are discovering the limits to transparency when those photos spread like wildfire. And one can’t help but suspect that not all school kids feel comfortable with the intensity of digital interactivity.

Which brings us back to Facebook.

Facebook is the thin end of a big wedge. We’ll probably look back and wonder what all the fuss was about, but that doesn’t mean we’re wrong in questioning Facebook’s actions or its motives.

But we’d be smarter if instead of putting Mark Zuckerberg in the stocks, we took stock of what we really want out of these services, and what we really want to share and what we don’t. I suspect that we simply haven’t done that yet, and so we lash out when such moves force us to confront the new reality: that definitions of privacy and openness have changed, are changing, very radically and very quickly.

The Gist of Things

(This is a copy of my Loose Wire Service column, produced for newspapers and other print publications. Hence the lack of links.)

By Jeremy Wagstaff

It’s interesting to see how we’ve changed in the past few years.

If you had predicted that we could follow someone’s activities by accessing a single page, right down to where they were, what restaurant they’d visited, where they’d been on holiday, what they were reading, what they were listening to, their employment history, what had made them laugh or cry, the reaction would probably have been somewhat negative.

Back then we had a different idea of privacy.

We basically saw privacy as a garden fence. Only neighbors could look in—unless they’ve got telescopes and twitching curtains. Our privacy wasn’t exactly a massive wall, but a shared understanding that there was a kind of wicker fence, or hedge, between us and the outside world.

Nowadays—maybe five years on—our views have changed. Well, they haven’t really changed, because I don’t think we really ponder it too much. Perhaps we’ve just tacitly accepted that the garden fence no longer exists.

This is probably because the benefits of accepting this outweigh the disadvantages.

Let’s look at the first bit again. If we befriend people on Facebook, we share with them tonnes of personal information, from our birthdays to our kids’ photos to our views and thoughts on the world, revealing either directly or indirectly all sorts of things about our lives.

Two friends died recently and Facebook was the vector for not only that information but for the grieving process of all their friends and relatives.

What was private or intimate is now public or semi-public.

LinkedIn blasts our CVs out there for everyone to see. What we once treated as confidential is now public—including our yearnings for another job. If you doubt me, scroll down to the bottom of a LinkedIn page and you’ll see how many people have opted to include the line “interested in career opportunities”. I’m surprised this doesn’t put more bosses’ noses out of joint.

Then there’s twitter: Everything we feel, think, or get irked by is out there for everyone to see.

Music sites like Last.fm and Pandora share what you’re listening to, while Google Latitude and foursquare share your location.

You can get a sense of how all this fits together—and why, perhaps, it’s not such a bad thing—when you try out services like Gist. Gist assembles all the people in your address book and creates sort of virtual pages for them, populating each with whatever it can find on the Internet about them.

So, their LinkedIn page, their twitter feed, their MySpace page, their blog, any mentions of them in the media, are all collected together, alongside your email exchanges with them and other people involved in those email exchanges. Calendar entries, and email attachments, are all there easily found and reconciled.

The result is a somewhat disconcerting, but very useful, page which tells you everything you need to know about that person in order to remain in contact.

Indeed, that’s the purpose of Gist: to turn business networking into more of a science and less an art. You can see when you last communicated with them—and whether you should ping them to keep things bubbling.

Gist has even bought a service that flashes photos of your contacts at you to help you remember who they are.

From a privacy point of view, it’s unnerving to see your details so readily collated in someone else’s address book. And from a human point of view, it’s scary to see the personal reduced to a few algorithms and search spiders.

But it’s actually very useful, and turns our familiar tools of email and contact books into something more dynamic.

I don’t care so much about staying in touch with business contacts; I do, however, like to be able to see what my friends and colleagues have been talking about. And to be able to see all that on one page is a boon.

It bypasses both my address book and my email service. Gist finds pictures of the people I’m corresponding with before I’ve even met them. (Some surprises are in store: Not everyone is the gender you think they are.)

This, in short, is what has happened to our notions of privacy. What once would have been considered somewhat creepy stalking is now considered a valid means of staying on top of all the people and bits and pieces in your professional life.

No more garden fences. Now it’s more like a permanent open house cum garage sale, where anyone can poke around as much as they like.

And maybe offer you a job.

Art, the Internet and the Rise of Symbiosis

Great piece from the NYT on the decline of mystery and the rise of symbiosis for artists, who find there’s a living of sorts to be made by engaging with fans online and allowing the community that emerges to choose the direction their musical careers take — even to the point of how much to charge for their creations. But it leaves some doubts:

clipped from www.nytimes.com

“I vacillate so much on this,” Tad Kubler told me one evening in March. “I’m like, I want to keep some privacy, some sense of mystery. But I also want to have this intimacy with our fans. And I’m not sure you can have both.”