
Exploring the science and magic of Identity and Access Management

Chance favors the prepared mind. — Louis Pasteur

Wednesday, February 22, 2012

Fellow Facebook Users: We are the product Zuckerberg sells.

Identity, Privacy
Author: Mark Dixon
Friday, December 2, 2011
5:08 pm


In my recent post, I made this observation:

[Facebook and Google] are essentially advertising channels, whose real customers are not those of us who visit their sites, but the advertisers who pay them money.

That is where Intent comes in.  The most valuable commodity Google and Facebook can sell to their advertising customers is the Intent of the people who visit their sites – the Intent to explore, to examine, and ultimately, to buy. The better either company can be at determining the Intent of their users, the better they are prepared to rake in the bucks from companies who advertise with them.

From that perspective, I have been fascinated by the recent big news that Facebook has settled charges with the FTC that Facebook deceived users about privacy. As reported by the Daily Beast,

… Facebook promises to stop making “deceptive privacy claims” and get users’ permission before changing the way it shares their information. The social-media company must also submit to privacy audits for 20 years. …

Acknowledging this settlement, Mark Zuckerberg posted a lengthy statement on the Facebook blog:

… I’m the first to admit that we’ve made a bunch of mistakes. In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done. … But we can also always do better. I’m committed to making Facebook the leader in transparency and control around privacy. …

Not all pundits accepted Zuckerberg’s contrite response.  Dan Lyons of the Daily Beast posted a cynical article entitled, “The Truth About Facebook Privacy—if Zuckerberg Got Real.”

The social network just settled privacy charges with the FTC, and its CEO posted a lengthy non-apology on the company blog. But here’s what Mark Zuckerberg might have said if he dared to be brutally honest. …

Let’s skip to the meat of Dan’s article (his view of what a truly candid Zuckerberg would have said):

 … The truth is, we have no interest in protecting your privacy, and if you still believe that we do, then you are stupider than we thought, and believe me, we already thought you were pretty stupid. Think about it. The only way our business works is if we can track what you do and sell that information to advertisers. Did you honestly not realize that?

You are not our customer. You are the product that we sell. For us to say we’re going to protect you is like the poultry industry promising to create more humane living conditions for chickens. Sure, they say that. But you know they don’t mean it.

Same with us. We will never, ever stop trying to pry data out of you. How could we? We’re a business. We’re doing this to make money. And our investors would like it very much if we can make absolutely as much money as possible. It’s simply not in our nature to stop. You know the fable about the scorpion and the frog? Yeah. It’s like that. …

Pretty harsh? Yep! But there are glimmers of truth in there. Just remember the next time you visit Facebook (which I have already done several times today), “You are the product that we sell.”

 

Privacy Site: Future of Privacy Forum – Advancing Responsible Data Practices

Privacy, Privacy Site
Author: Mark Dixon
Thursday, May 26, 2011
10:34 am


The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices. The forum is led by Internet privacy experts Jules Polonetsky and Christopher Wolf and includes an advisory board comprised of leading figures from industry, academia, law and advocacy groups. FPF was launched in November 2008, and is supported by Adobe, American Express, AOL, AT&T, Bering Media, The Better Advertising Project, BlueKai, BrightTag, Comcast, comScore, Datran Media, Deloitte, DoubleVerify, eBay, Facebook, General Electric, Google, Intel, Intuit, LexisNexis, Lockheed Martin, Microsoft, The Nielsen Company, Procter & Gamble, Qualcomm, Reputation Defender, Time Warner Cable, TruEffect, TRUSTe, Verizon, Yahoo! and Zynga.

 

Privacy Site: ApplicationPrivacy.org – Implement Trustworthy Data Practices

Privacy, Privacy Site
Author: Mark Dixon
Wednesday, May 25, 2011
2:01 pm


ApplicationPrivacy.org is a project of the Future of Privacy Forum intended to provide application developers with the tools and resources needed to implement trustworthy data practices. The Future of Privacy Forum (FPF) is a Washington, DC based think tank that seeks to advance responsible data practices.

 

National Strategy For Trusted Identities In Cyberspace – My Take

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 29, 2011
5:54 pm


When I hear a message that begins, “We’re from the government, and we’re here to help,” I am naturally suspicious.  My political philosophy, based on personal freedom, individual responsibility and natural consequences, is all too often infringed upon by over-reaching, even if well-intentioned, government mandates.  So, when I first learned of the “National Strategy For Trusted Identities In Cyberspace,” I quite naturally envisioned the typical government movement towards stronger control, greater regulation and reduced freedom.

However, rather than leave interpretation to others, I actually read the 45-page National Strategy For Trusted Identities In Cyberspace document that was officially released on April 15th.  Based on what I read, this initiative seems more like guidance for a national Interstate Highway system than a mandate for socialized health care.

On page 29 of the document, speaking of the goals for this initiative, we read:

These goals will require the active collaboration of all levels of government and the private sector. The private sector will be the primary developer, implementer, owner, and operator of the Identity Ecosystem, which will succeed only if it serves as a platform for innovation in the market. The Federal Government will enable the private sector and will lead by example through the early adoption and provision of Identity Ecosystem services. It will partner with the private sector to develop the Identity Ecosystem, and it will ensure that baseline levels of security, privacy, and interoperability are built into the Identity Ecosystem Framework.

If indeed the Federal Government can act as a catalyst, in cooperation with the private sector, to accelerate progress toward a secure, convenient, easy to use, interoperable and innovative framework for trusted identities, without exercising control and exploitation over participants, I can strongly support the initiative.

However, it is the nature of most people in areas of concentrated power to abuse the power with which they have been entrusted.  This natural tendency, both in the public and private sector, may lead to unintended bad consequences as a result of this initiative.  As the Trusted Identities initiative moves forward, we must be vigilant to make sure public or private power is not abused.

That said, I include here some key points from the document.  A user-centric “Identity Ecosystem” is proposed – an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities—and the digital identities of devices. 

The Identity Ecosystem, as envisioned here, will increase the following:

  • Privacy protections for individuals, who will be able to trust that their personal data is handled fairly and transparently;
  • Convenience for individuals, who may choose to manage fewer passwords or accounts than they do today;
  • Efficiency for organizations, which will benefit from a reduction in paper-based and account management processes;
  • Ease-of-use, by automating identity solutions whenever possible and basing them on technology that is simple to operate;
  • Security, by making it more difficult for criminals to compromise online transactions;
  • Confidence that digital identities are adequately protected, thereby promoting the use of online services;
  • Innovation, by lowering the risk associated with sensitive services and by enabling service providers to develop or expand their online presence;
  • Choice, as service providers offer individuals different—yet interoperable—identity credentials and media.

The Trusted Identity Strategy specifies four Guiding Principles to which the Identity Ecosystem must adhere:

  • Identity solutions will be privacy-enhancing and voluntary
  • Identity solutions will be secure and resilient
  • Identity solutions will be interoperable
  • Identity solutions will be cost-effective and easy to use

The document spends over 40 pages explaining and exploring these goals and guiding principles.  Many more pages in many more documents will be produced before these objectives are achieved.
 
I look forward to following the progress of this initiative.  If this helps focus attention and resources on resolution of some difficult identity issues we face, it will be a good thing. Let’s work together to make that happen.
 
 

Hey Steve! Why are you tracking me?

Information Security, Privacy, Telecom
Author: Mark Dixon
Friday, April 22, 2011
4:05 pm


I first read the news about Apple’s secretive location tracking capability in the Kaspersky Labs Threat Post article, “Secret iPhone Feature Tracks Owners’ Whereabouts“:

Security researchers have discovered a hidden iPhone feature that secretly tracks and saves the meanderings of the phone – and presumably its owner.

The tracking feature was described in a presentation at the Where 2.0 Conference in San Francisco on Wednesday. According to the researchers, Pete Warden, founder of Data Science Toolkit, and Alasdair Allan, a researcher at Exeter University in the UK, the tracking feature records the phone’s movements, including what cell phone towers and Wifi hotspots it connects to, when and where. While that information isn’t shared with Apple, it is retained even when iPhone users update their hardware, suggesting that Apple had plans to use the data at a later time.

Was I surprised?  No.  Irritated?  Yes.  We have one more piece of evidence that when power is concentrated in the hands of a few, abuses tend to occur.

After reading the O’Reilly Radar article, “Got an iPhone or 3G iPad? Apple is recording your moves“, I followed a link to an application to see for myself:

How can you look at your own data?

We have built an application that helps you look at your own data. It’s available at petewarden.github.com/iPhoneTracker along with the source code and deeper technical information.

The broad view clearly showed the four states in which I have used my month-old iPad:

But the real interesting view was of my supposed meanderings in Arizona:

I can easily explain three of the four major clumps of usage in the Phoenix metropolitan area – my home, the Phoenix airport, and a client site. But I have never taken my iPad to the fourth area of supposed heavy use.

All the outliers are even more problematic.  I used the iPad once in a mountainous area northeast of Phoenix, but all the other outliers?  My only explanation is that I must have forgotten to place the iPad in “Airplane Mode” on one or more of my flights (heaven forbid!).  The iPad must have connected with dozens of cell towers as we flew over.

My message to Steve Jobs?  Please, just call. I’d gladly invite you over for dinner or take you to my favorite restaurant, where we could discuss the things that are important to me in my life.  But these shenanigans?  Really tawdry for a supposedly high class company.

 

When Can I Pay for Stuff with my iPhone?

Identity, Information Security, Privacy, Technology, Telecom
Author: Mark Dixon
Friday, April 15, 2011
10:47 am


 

I am anxious for the time when I can buy groceries or pay for a meal with my iPhone.  According to Juniper Research, that time may be closer than you would think.

As reported by GigaOM, Juniper Research predicts that 1 in 5 Smartphones Will Have NFC by 2014.  NFC, or “Near Field Communication,” is a technology that allows a payment to be made by holding a device, such as a mobile phone, in close proximity to an NFC-capable point of sale terminal.

I think it would be great to use a mobile wallet on my iPhone, working in concert with an NFC chip embedded within my iPhone, to make a payment.

The GigaOM article states:

Juniper said the increasing momentum behind NFC, with a stream of vendor and carriers announcements in recent months, is helping boost the prospects of NFC. North America will lead the way, according to Juniper, with half of all NFC smartphones by 2014. France, in particular, is off to a quick start, with 1 million NFC devices expected this year.

Of course, there is more to it than just putting mobile wallet apps and NFC chips on smartphones.

But the NFC ramp-up will still face challenges. With so many players involved, from merchants, operators, manufacturers and web giants like Google, service complexity will be an issue. The industry also needs to work out business models around NFC while ensuring strong security for consumers unfamiliar with the concept of a mobile wallet, said Howard Wilcox, the author of the report.

Which smart phone vendor will be first to the races with a mainstream NFC-equipped device? Will the next iPhone be NFC-equipped?  I hope so, but I had also hoped for that in the iPhone 4.  Time will tell.  I’m just hoping for sooner, rather than later.

And, by the way, Identity Management and Information Security are crucial to an overall solution. Knowing who the user is and what that user wants to do, and making sure their information is absolutely safe, are critical components of the mobile payments infrastructure that must be built. In that vein, it’s great to be in the industry that is making this all happen.

 

 

Dear Kroger: Did You Forget to Tell Me?

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
4:36 pm


My last post highlighted the well-publicized Epsilon data breach that affected so many consumers like me.

But what if a company forgets to tell its customers?

That may have happened to me. Our family probably does over 80% of our grocery shopping at Fry’s Food Stores, owned by The Kroger Co. I’m quite sure they have my email address, because of their store affiliate card program. However, when Kroger was victimized by the Epsilon data breach, I did not get a notification or apology from Kroger.

Does that mean they don’t care, or by some stroke of luck, my email address wasn’t compromised? I may never know … but will wonder.

 

Being part of the honored 2% isn’t so gratifying

Identity, Information Security, Privacy
Author: Mark Dixon
Friday, April 8, 2011
3:49 pm



On April 4th, I received apology letters from my bank, a major retailer, a large pharmaceutical chain, and three hotel companies.  All of the apologies were similar, but I’ll share just one:

Dear Ritz-Carlton Customer,

We were recently notified by Epsilon, a marketing vendor The Ritz-Carlton Hotel Company uses to manage customer emails, that an unauthorized third party gained access to a number of their accounts including The Ritz-Carlton email list. We want to assure you that the only information obtained was your name and email address. Your account and any other personally identifiable information are not at risk.

Please visit our FAQ to learn more.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that The Ritz-Carlton does not send emails requesting customers to verify personal information.

It must have really hurt Ritz-Carlton, that paragon of sophistication and propriety, to fall on its virtual knees and send out thousands of such emails.

I subsequently learned that USA Today reported:

With the possible theft of millions of e-mail addresses from an advertising company, several large companies have started warning customers to expect fraudulent e-mails that try to coax account login information from them.

Perhaps the Wall Street Journal wanted to make me feel special, one of select few:

Alliance Data (parent of Epsilon) reiterated that social-security and credit-card numbers were not stolen. It also said that only 2% of its more than 2,500 customers were affected.

I have yet to know whether there will be a harmful personal effect from this data breach. But it does illustrate that we are all vulnerable whenever we trust any confidential information to someone else.


 

Dave Kearns and Dictionary.Com on Privacy

Identity, Privacy
Author: Mark Dixon
Tuesday, March 8, 2011
5:44 pm


Triggered by Dave Kearns’ article today, “What is Privacy, Really,” I spent a few minutes this afternoon with my good friend dictionary.com.  It is amazing what one can learn about word meanings by (virtually) flipping through the pages of a dictionary.

Privacy: the state of being free from intrusion or disturbance in one’s private life or affairs: the right to privacy.

This was a bit circular in its reasoning, so I looked up “private”:

Private: confined to or intended only for the persons immediately concerned; confidential: a private meeting.

These meanings match well Dave’s desire to exercise control over when he divulges personal information:

I can see no reason to cough up details of my business, number of employees, target date for purchase, types of computers, operating systems, applications, etc., simply to read a high-class marketing document

A related term is confidential – again related to the ability to keep information private:

Confidential: spoken, written, acted on, etc., in strict privacy or secrecy; secret: a confidential remark.

For example, I can assure you that there are details of my personal life that nobody but my wife knows.  We intend to keep it that way, even if powers like Facebook and Google would have it otherwise.

 

High Court Rules Against Corporate Privacy Rights

Privacy
Author: Mark Dixon
Tuesday, March 1, 2011
4:28 pm


The Wall Street Journal reported today:

The Supreme Court ruled unanimously that personal-privacy rights don’t apply to corporations under the Freedom of Information Act.

Tuesday’s ruling was a defeat for AT&T Inc., which was seeking to block the disclosure of emails and other potentially embarrassing documents it provided to the Federal Communications Commission during a 2004 investigation by the agency of whether the telecommunications giant overbilled the New London, Conn., public schools.

I am not a legal scholar by any means, but it seems that the courts often split hairs, sometimes treating corporations as persons and other times as non-persons.  In this case, non-personhood prevailed.

The court, in an opinion written by Chief Justice John Roberts, said corporations don’t get to enjoy certain personal-privacy exemptions included in FOIA, a disclosure law that allows the public to gain access to some documents filed with the government.

"The protection in FOIA against disclosure of law-enforcement information on the ground that it would constitute an unwarranted invasion of personal privacy does not extend to corporations," Chief Justice Roberts wrote. "We trust that AT&T will not take it personally."

That last comment by Chief Justice Roberts is an interesting play on words.  According to his judgment, AT&T couldn’t take it “personally”.  They had to take it “corporately.”

How will it affect us?  Opinions vary:

News-industry groups and open-government advocacy organizations argued that AT&T’s position could place a wide range of records on corporate-behavior off limits to the public.

Several business groups backed AT&T. The U.S. Chamber of Commerce said the threat of public disclosure could have a chilling effect on corporations’ willingness to cooperate with law-enforcement authorities.

It will be interesting to watch where this leads.

Copyright © 2005-2011, Mark G. Dixon. All Rights Reserved.
Powered by WordPress.